Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

(1)

Berner Fachhochschule, Technik und Informatik

Advanced Web Technology

10) XSS, CSRF and SQL Injection

Dr. E. Benoist Fall Semester 2010/2011

Advanced Web Technology 10) XSS, CSRF and SQL Injection

1

Cross Site Request Forgery

I Not a new attack, but simple and devastating

I CSRF attack forces a logged-on victim’s browser to send a request to a vulnerable web application

I Target: Perform the chosen action on behalf of the victim

Cross Site Request Forgery - CSRF 3

Sending a request without the

consent of the victim?

I Insert an image in a HTML file

<img src=”http://www.benoist.ch/image/test.gif”> Browser: Downloads an image

GET /image/test.gif HTTP/1.1 ...

I An image can be generated by a PHP program (or any program)

<img src=”http://www.benoist.ch/image/test.php”> Browser: Downloads an image

(2)

Sending a request? (Cont.)

I An image can be generated according to some parameters

<img src=”/barcode.php?number=12345678901”> Browser: Downloads an image

I An image tag can contain something else

Browser ?????

Cross Site Request Forgery - CSRF: Presentation 5

Very widespread vulnerability

Touches any web application that

I has no authorization checks for vulnerable actions

I will process an action if a default login is able to be given in the request

I Authorizes requests based only on credentials that are automatically submitted

• cookies if currently logged into the application

• or “Remember me” functionality if not logged into the application

• or a Kerberos token if part of an Intranet participating in integrated logon with Active Directory.

State of the art

I Most of web applications rely solely on automatically submitted credentials

• cookies

• basic authentication credentials

• source IP addresses

• SSL certificates

• or windows domain credentials

I Vulnerability also known as

• Session Riding, One-Click Attacks, Cross Site Reference Forgery, Hostile Linking, and Automation Attack

• Acronym XSRF is also used together with CSRF

Vulnerability

I A typical CSRF attack directs the user to invoke some function

• for instance application’s logout page

I The following tag can be inserted in any page viewed by the victim

it generates the same request as clicking on a link containing this address!

I Example: Online banking transfer

<img src=”http://www.mybank.de/transfer.do?

frmAcct=document.form.frmAcct&toAcct=4567890&amt& →=3434.43”>

Could transfer the money from the account of the user, to a given account.

(3)

Vulnerability (Cont.)

I Jeremiah Grossman1 Succeeded in making changes in victims DSL routers

I Even if the user doesn’t know that he can configure his router ;-)

I He used the router’s default account name to perform his attack Example

<img src=”http://admin:[email protected]/”> Then you just have to reconfigure the system

I Once DNS changed, user will never be able to access a site securely!

1_{Talk in Blackhat 2006 : “Hacking Intranet Sites from the outside”}

Cross Site Request Forgery - CSRF: Vulnerability 9

How such a link could reach a victim

I Web-site Owner embedded JavaScript malware

I Web page defaced with embedded JavaScript malware

I JavaScript Malware injected into a public area of a website. (persistent XSS)

I Clicked on, a specially-crafted link causing the website to echo JavaScript malware. (non-persistent XSS)

Cross Site Request Forgery - CSRF: Vulnerability 10

CSRF allows to access the intranet

I The attacker sends requests from inside the Intranet

• Doesn’t have to go throw the firewall, the victim is already

I CSRF combined with javascript allows to send many requests sequentially

• javascript adds an image in the DOM (possibly invisible).

• when the request is sent, another image is added

• and so on

Cross Site Request Forgery - CSRF: CSRF allows to access the intranet 11

Internet is protected, but Intranet?

You would never dare doing this on Internet! But what about Intranet?

I Leaving hosts unpatched

• Servers are always patched regularly, but local PC’s?

I Using default passwords

• What the use of changing the password, the IP address can only be reached from inside my network

• 192.168.x.y

I Do not putting a firewall in front of a host

I Everything seams OK because the perimeter firewalls black external access

• So CSRF attacks can be very fruitful

(4)

Why do CSRF attacks work?

I User authorization credential is automatically included in any request by the browse

• Typical: Session Cookie

I The Attacker doesn’t need to supply that credential

• It belongs to the victim’s browser

I Success of CSRF belongs on the probability that the victim is logged in the attacked system

• Idea: attack the site the victim visits

• Mean : XSS

CSRF and XSS

I Combine CSRF and XSS

• The tag is already posted inside the vulnerable application

I Risk is increased by that combination

• Probability to find a logged in user is higher

I CSRF does not require XSS

• One can attack a site from another one

I Any application with XSS flaws is susceptible to CSRF

• CSRF attacks can exploit the XSS flaw to steal any non-automatically submitted credential

I When building defenses against CSRF attacks, you must eliminate XSS vulnerabilities

Protection

I Application must ensure that they are not only relying on credentials or tokens that are automatically

submitted by browsers

• Session Cookies

• Certificates

• Remember me

• . . .

I Application should use a custom token that the browser will not “Remember”

• So it can not be included in the Requests sent automatically

Cross Site Request Forgery - CSRF: Protection 15

Strategies

I Ensure that there are no XSS vulnerabilities in your application

• Otherwise, any protection is useless, since javascript could access the hidden data.

I Insert custom random tokens into every form and URL

• It will not be automatically submitted by the browser

• Example:

... </form>

• Then you have to verify that token

• Token can be unique for a session or even for each page

• The more focused the token is, the higher the security is, but the application is then much more complicated to write

(5)

Strategies (Cont.)

I For sensitive data or value transactions, re-authenticate or use transaction signing

• to ensure that the request is genuine.

• Set up external mechanism to verify requests (phone, e-mail)

• Notify the user of the request using an e-mail

I Do not use GET requests for sensitive data or to perform value transactions

• Use only POST methods when processing sensitive data from the user.

• However the URL may contain the random token as this creates a unique URL, which makes CSRF almost impossible to perform

I POST alone is an insufficient protection

• You must also combine it with random tokens

Verifying Security

I Goal: Verify that the application generates and requires some authorization token that is not resent

automatically by the browser

I Automated approaches:

• Automated approach: few automated scanners can detect CSRF vulnerabilities.

• Manual Approach: Penetration testing and verification of the code

Conclusion - CSRF

I Cross Site Scripting - XSS

• Exploits the trust a user has in a website

I Cross Site Request Forgery - CSRF

• Exploits the trust the site has in a user

• by forging the enactor and making a request appear to come from a trusted user2

2_wikipedia

Cross Site Request Forgery - CSRF: Conclusion 19

Injection Flows

I Principle:

• Occurs when user supplied data is sent to an interpreter as part of a command or a query.

I Injection Flows may be done on:

• SQL (most common) • LDAP • XPath • XSLT • HTML • OS Command injection • . . .

I This vulnerability is very common on Web Application

(6)

How does it work?

I Attacker tricks the interpreter into executing unintended command

I Attacker supplies unexpected content to a site

• Data is especially designed to fool the site

I Attacker may take control of the interpreter, for instance SQL:

• Read data (unintended, of course)

• update, delete or create any arbitrary data

I For the Operating System interpreter

• Attacker may have the opportunity to execute any command

Injection Flows: Presentation 21

Vulnerability

I Environments affected

• Any framework using an interpreter or invoke process

• SQL

• Command line

• . . .

I System is vulnerable when user input is passed without tests

PHP

$query = ”select _{∗ from guestbook”;}

$query .= ” where title like ’”.$ REQUEST[’search’]; $result = mysql query($query , $conn);

Java

String query = ”select _{∗ from user where username=’”;} query += req.getParameter(”userID”);

query += ”’ and password = ’”+req.getParameter(”pwd”)& →+”’”;Advanced Web Technology 10) XSS, CSRF and SQL Injection_{Injection Flows: Vulnerability}

22

Protection

I Avoid the use of interpreter if possible

I Otherwise: Use safe APIs

• Strongly typed parameterized queries

• Object Relational Mapping (ORM) They handle data escaping

I Validation is still recommended

• in order to detect attacks

Injection Flows: Protection 23

Take Extra Care when using

interpreters

I Input Validation

• Validate all input data: length, type, syntax, business rules

• validation is done before displaying or storing any data

• Validation must be done server-side

• Javascript validation doesn’t bring any security

I Use strongly typed parameterized query APIs

• with placeholder substitution markers,

I Enforce least privilege

• Configure your DB such that the web account can’t do more than what is expected

• restrict the rights of your user when executing an OS command

(7)

Take Extra Care (Cont.)

I Avoid detailed error messages

• Give access to versions numbers

• Give access to parts of the code

• Give access to configurations

I Use stored procedures

• They are generally safe from SQL injection

• Can however be injected (for instance using exec())

I Do not use dynamic query interfaces (such as mysql query())

Take Extra Care (Cont.)

I Do not use simple escaping functions such as

• addslashes() in PHP

• str replace("’","’’")

• it is weak and has been successfully exploited

I Prefer following methods

• use mysql real escape string()

• or preferably PDO which does not require escaping

Language Specific recommendations

I Java EE

• use strongly typed PreparedStatement

• or use an ORM (Object Relational Manager) such as Hibernate or Spring

I PHP

• Use PDO with strongly typed parameterized queries (using bindParam()).

Which site is subject to SQL

injection?

I Such a site must access a DB

• The parameter should be given by the user

• This parameter is then used to select data in the DB

• Example www.mysite.com/index.php?id=100

• Means there exists a request for the page number 100

I If the site does not test its input

• You can test it by typing something like: www.mysite.com/index.php?id=%2710

I If the site lets the user see error messages

• Test the output of your input

I Examples

• Search form (SELECT with LIKE)

• Login form (SELECT with two =)

• Insertion of new entries

• . . .

(8)

Example: Presentation

I Suppose we have the following HTML Form <form method=”POST”>

</form>

I and the following PHP line defining a SQL command: $query = ”SELECT _{∗ FROM user WHERE username=’}& →$user’”;

$query .= ” AND password=’$pwd’”;

I For our examples, we disable a security feature from the php.ini file

(normally this option is on, and it quotes all GET, POST and COOKIES parameters, means chars like: ” and ’ are escaped and becomeAdvanced Web Technology 10) XSS, CSRF and SQL Injection_{\” and \’): magic_quotes_gpc = off}

Injection Flows: Examples 29

Example: Select user and password

I We want the select to work in any case

I Following expressions are always true SELECT_{∗ FROM table WHERE 1=1;} SELECT_{∗ FROM table WHERE 1;}

SELECT_{∗ FROM table WHERE ISNULL(NULL)} SELECT∗ FROM table WHERE 1 IS NOT NULL SELECT∗ FROM table WHERE NULL IS NULL ...

Example: Select user and password

(Cont.)

I So we do not need a valid username and password if $user="’ OR ’a’=’a" and $password remains empty then the previous expression becomes:

SELECT_{∗ FROM user WHERE username=’’ OR ’a’=’a’} & →AND \

password=’’”;

• Returns the list of all users

• So we are logged in with the first provided

Login on a specific account

I We can specify the right username and change the password

• If we give $user="Emmanuel"

• And $password="’ OR ’b’ BETWEEN ’a’ AND ’c"

I The previous SQL statement becomes

SELECT_{∗ FROM user WHERE username=’Emmanuel’} & →AND\

password=’’ OR ’b’ BETWEEN ’a’ AND ’c’”;

I So username is OK, but password is not checked!

(9)

Example, using Comments

I Another great principle in SQL injection is Comments It is also very common in all the other injections

I If we inject a #, the rest of the SQL expression is not evaluated

if $user="John’ #" the request becomes

SELECT_{∗ FROM user WHERE username=’John’#’ AND} & →password=’’

which is equal to

SELECT_{∗ FROM user WHERE username=’John’}

I If we use the comments /* comments */ we may escape some tests

More injection in SELECT

I Suppose we have the following query, for displaying the content of one single comment in our guestbook: $query = ”select _{∗ from guestbook where guestbookID=}& →$number”;

I We can copy the content in a file

• suppose we define

$number="11 or 1=1 INTO OUTFILE ’/tmp/test.security.txt’"

• The total content of the table is sent to a file.

I Suppose the Attacker has an account on the system (e.g. foobar).

• It is possible to change the password of foobar

• If we can write the following query:

SELECT password FROM user WHERE login=’foobar’ INTO & →OUTFILE\

’/opt/lampp/htdocs/test.php’

I Attacker could create any php file inside the system!!

Attacks compatible with magic

quotes

I Since most of the server have magic quotes gpc = on

• Attackers can not use ’ or ”

I Use MySQL char() function

• Returns the character denoted by the number,

• For instance char(104,111,112) returns the string hop

I Previous attack becomes

• The following query is used to count one vote:

UPDATE news SET votes=votes+1, score=score+$note& →WHERE\

newsID=’$id’ ,

• We have the following attack $note=”3, title=char(104,111,112)

How to protect yourself

I From SQL injection in PHP

I Configure PHP such that ’ and ” are automatically escaped

magic quotes gpc = on

I Always quote input before sending query to an interpreter

• mysql real escape string()

I Do not use any interpreter at all

• Use PDO

(10)

Conclusion (Injection Flows)

I SQL Injection allows attacker to

• Read data: Access passwords, data stored

• Change Data : Access security level

• Delete data

•

I SQL injection Vulnerabilities opens the door to:

• Privacy breach : Data can be accessed without consent

• Identity theft : idem + failure in authentication

• Compromission of the system : write of new files (maybe PHP)

• . . .

I Easy protection are already exploited

• Adding one (or more) layers between presentation and

database layer is a must (also from the point of view of Design)

• Even this has also been successfully exploited.

I Solution? test your inputs!

Injection Flows: Conclusion 37

Conclusion (Web Security)

I Infrastructure Security is Vital

• Good Network Architecture (Firewals, DMZ, . . . )

I Application Security must not be forgotten

• Test Inputs

• Encode Outputs

I Teach your users

• No security is efficient is users aren’t included

• for instance if they never log-out

I Security is expensive

• in Development time

• or in Usability

Injection Flows: Conclusion 38

References

I OWASP Top 10 - 2007

http://www.owasp.org/index.php/Top_10_2007

I A Guide for Building Secure Web Applications and Web Services

http://www.lulu.com/content/1401012

I Advanced SQL Injection in SQL Server Applications - Chris Anley

http://www.nextgenss.com/papers/advanced_sql_ injection.pdf

I L’injection (My)SQL via PHP - leseulfrog

http://www.phpsecure.info/v2/article/InjSql.php Advanced version:

http://www.phpsecure.info/v2/article/phpmysql.php

I SQLMAP (a SQL Injection Tool) http://sqlmap.sourceforge.net

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2