CS计算机代考程序代写 Java SQL database javascript jquery Web Security SQL Injection, CSRF, XSS

Web Security SQL Injection, CSRF, XSS
ECEN 4133 Feb 11, 2021

Web Review | HTTP
GET / HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …




http://gmail.com/ says: Hi!
gmail.com
GET /img.png HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
<89>PNG^M …

Web Review | Cookies
POST /login HTTP/1.1 Host: gmail.com
user=alice&pass=s3cre7
gmail.com
HTTP/1.1 200 OK
Server: gws
Set-Cookie: foo=“bar” Set-Cookie: token=“8kFmCe…”
…
GET / HTTP/1.1
Host: gmail.com
Cookie: foo=“bar”; token=“8k…”
Ah, it’s alice!

Web Review | AJAX (jQuery style)
HTTP/1.1 200 OK
…

http://gmail.com/ says:
gmail.com
function (data) { alert(data) });
{ new_msgs: 3}
GET / HTTP/1.1 Host: gmail.com
$.get(‘http://gmail.com/msgs.json’,
GET /msgs.json HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
{ new_msgs: 3 }

Web Review | Same-Origin Policy (SOP)
(evil!) facebook.com
gmail.com
GET / HTTP/1.1 Host: facebook.com
HTTP/1.1 200 OK
…

$.get(‘http://gmail.com/msgs.json’, function (data) { alert(data); }
GET /msgs.json HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
{ new_msgs: 3 }

Web Review | Same-Origin Policy (SOP)
facebook.com
?
GET / HTTP/1.1 Host: facebook.com
HTTP/1.1 200 OK
…

gmail.com

Web Review | Same-Origin Policy (SOP)
facebook.com
gmail.com
GET / HTTP/1.1 Host: facebook.com
HTTP/1.1 200 OK
…

GET /img.png HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
<89>PNG^M …

Web Review | Same-Origin Policy (SOP)
facebook.com
?
GET / HTTP/1.1 Host: facebook.com
HTTP/1.1 200 OK
…

Web Review | Same-Origin Policy (SOP)
http://gmail.com/ says: {
$.get(‘http://gmail.com/chat.json’,
new_msgs:{ from:“Bob”,
function (data) { alert(data); })
msg: “Hi!”}}
gmail.com
GET /chat.json HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK
...
{ new_msg:{ from:“Bob”, msg: “Hi!”}}

Cross-site Request Forgery (CSRF)
 Suppose you log in to bank.com
fde874 = bob
bank.com
POST /login?user=bob&pass=abc123 HTTP/1.1 Host: bank.com
HTTP/1.1 200 OK Set-Cookie: login=fde874 ....

Cross-site Request Forgery (CSRF)
fde874 = bob
bank.com
GET /account HTTP/1.1 Host: bank.com Cookie: login=fde874
HTTP/1.1 200 OK ....
$378.42

Cross-site Request Forgery (CSRF)
Click me!!!
http://bank.com/transfer?to=badguy&amt=100
fde874 = bob
bank.com
GET /transfer?to=badguy&amt=100 HTTP/1.1 Host: bank.com
Cookie: login=fde874
HTTP/1.1 200 OK
....
Transfer complete: -$100.00

CSRF Defenses
 Need to “authenticate” each user action originates from our site
 One way: each “action” gets a token associated with it
 On a new action (page), verify the token is present and correct
 Attacker can’t find token for another user,
and thus can’t make actions on the user’s behalf

CSRF Defenses
Pay $25 to Joe: http://bank.com/transfer?to=joe&amt=25&token=8d64
fde874 = bob
bank.com
HTTP/1.1 200 OK Set-Cookie: token=8d64 ....
GET /transfer?to=joe&amt=25&token=8d64 HTTP/1.1 Host: bank.com
Cookie: login=fde874&token=8d64
HTTP/1.1 200 OK
....
Transfer complete: -$25.00

Cross-Site Scripting (XSS)
Bob HTTP/1.1
HTTP/1.1 200 OK ...
Hello, Bob!

Cross-Site Scripting (XSS)
alert(‘XSS’)
GET /?user= HTTP/1.1
HTTP/1.1 200 OK
...
Hello, !

Web Review | Same-Origin Policy (SOP)
(evil!) facebook.com
gmail.com
GET / HTTP/1.1 Host: facebook.com
HTTP/1.1 200 OK
...

GET /msgs.json HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK ...
{ new_msgs: 3 }

Cross-Site Scripting (XSS) Attack
(evil!) facebook.com
gmail.com
GET / HTTP/1.1 Host: facebook.com
$.get(‘http://gmail.com/ msgs.json’, function (data)
{ alert(data); })
HTTP/1.1 200 OK
...

GET /?user= HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK
…
Hello,

Cross-Site Scripting (XSS) Attack
(evil!) facebook.com
gmail.com
GET / HTTP/1.1 Host: facebook.com
h$t.tgpe:t/(/‘ghmttapil:./c/goma/ils.cayosm: / msgs.json’, function (data)
{ new{_amlesrgts(:d3at}a); })
HTTP/1.1 200 OK
…

GET /msgs.json HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
{ new_msgs: 3 }

Types of XSS
 Reflected XSS
 http://vulnerable.com/?q=
 Stored XSS
 Attacker stores XSS in database
POST /message HTTP/1.1
Host: vulnerable.com
to=victim&message=
 Victim browses to http://vulnerable.com/inbox …
You have 1 new message:
From: attacker
Message:

Cross-Site Scripting (XSS) Attack
 What can an attacker do with an XSS?
 Exfiltrate data back to attacker (HTTP POST)
 Cookies,CSRFtokens,privateinformation
 Perform actions on victims behalf  AnyCSRFattacks!
 Set cookies to attacker’s choosing

XSS Defenses
 Make sure data gets shown as data, not executed as code!
 Escape special characters
 Which ones? Depends what context your $data is presented
 Inside an HTML document?

 $data =
 Inside a tag?  $data = “ onmouseover=“alert(‘XSS!’)” foo=“
 Inside Javascript code? var x = “$data”;  $data = “; alert(‘XSS!’); //
 Inside CSS code? body { color: $data; }
 $data = #000; background:url(“javascript:alert(‘XSS!’)”)
 Make sure to escape every last instance!
 Frameworks can let you declare what’s user-controlled data and automatically escape it