Web Security: SQL Injection, CSRF, XSS
ECEN 4133 Feb 11, 2021
Web Review | HTTP
Browser → gmail.com:
GET / HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
Browser shows an alert dialog: http://gmail.com/ says: Hi!
Browser → gmail.com:
GET /img.png HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
<89>PNG^M …
Web Review | Cookies
Browser → gmail.com:
POST /login HTTP/1.1
Host: gmail.com

user=alice&pass=s3cre7
gmail.com → Browser:
HTTP/1.1 200 OK
Server: gws
Set-Cookie: foo="bar"
Set-Cookie: token="8kFmCe…"
…
Browser → gmail.com (later request; the browser attaches the cookies automatically):
GET / HTTP/1.1
Host: gmail.com
Cookie: foo="bar"; token="8k…"
gmail.com: Ah, it's alice!
Web Review | AJAX (jQuery style)
Browser → gmail.com:
GET / HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK
…
Script in the gmail.com page:
$.get('http://gmail.com/msgs.json',
      function (data) { alert(data) });
Browser → gmail.com:
GET /msgs.json HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
{ new_msgs: 3 }
Browser shows an alert dialog: http://gmail.com/ says: { new_msgs: 3 }
Web Review | Same-Origin Policy (SOP)
Browser → (evil!) facebook.com:
GET / HTTP/1.1
Host: facebook.com
facebook.com → Browser:
HTTP/1.1 200 OK
…
Script in the facebook.com page:
$.get('http://gmail.com/msgs.json', function (data) { alert(data); });
Browser → gmail.com:
GET /msgs.json HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
{ new_msgs: 3 }
? Can the facebook.com script read this response? No: it comes from a different origin (gmail.com), so the Same-Origin Policy keeps the response away from the script.

Web Review | Same-Origin Policy (SOP)
Browser → facebook.com:
GET / HTTP/1.1
Host: facebook.com
facebook.com → Browser:
HTTP/1.1 200 OK
…
The facebook.com page embeds an image hosted at gmail.com:
Browser → gmail.com:
GET /img.png HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
<89>PNG^M …
? Is this allowed? Yes: embedding a cross-origin image is permitted; the browser displays it, but the facebook.com page cannot read the image's contents.

Web Review | Same-Origin Policy (SOP)
Script in the gmail.com page (same origin as the resource it requests):
$.get('http://gmail.com/chat.json', function (data) { alert(data); })
Browser → gmail.com:
GET /chat.json HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK
...
{ new_msg: { from: "Bob", msg: "Hi!" } }
Browser shows an alert dialog: http://gmail.com/ says: { new_msg: { from: "Bob", msg: "Hi!" } }
Cross-site Request Forgery (CSRF)
Suppose you log in to bank.com
Browser → bank.com:
POST /login?user=bob&pass=abc123 HTTP/1.1
Host: bank.com
bank.com → Browser:
HTTP/1.1 200 OK
Set-Cookie: login=fde874
....
bank.com remembers the session: fde874 = bob

Cross-site Request Forgery (CSRF)
Browser → bank.com:
GET /account HTTP/1.1
Host: bank.com
Cookie: login=fde874
bank.com → Browser:
HTTP/1.1 200 OK
....
$378.42

Cross-site Request Forgery (CSRF)
A link on some other site: Click me!!! → http://bank.com/transfer?to=badguy&amt=100
Browser → bank.com (the browser attaches the bank.com cookie automatically):
GET /transfer?to=badguy&amt=100 HTTP/1.1
Host: bank.com
Cookie: login=fde874
bank.com → Browser:
HTTP/1.1 200 OK
....
Transfer complete: -$100.00
CSRF Defenses
Need to "authenticate" that each user action originates from our site
One way: each "action" gets a token associated with it
On a new action (page), verify the token is present and correct
The attacker can't find the token for another user, and thus can't make actions on the user's behalf

CSRF Defenses
bank.com → Browser (the page that offers the action):
HTTP/1.1 200 OK
Set-Cookie: token=8d64
....
Pay $25 to Joe: http://bank.com/transfer?to=joe&amt=25&token=8d64
Browser → bank.com:
GET /transfer?to=joe&amt=25&token=8d64 HTTP/1.1
Host: bank.com
Cookie: login=fde874; token=8d64
bank.com → Browser (token in the request matches the user's token):
HTTP/1.1 200 OK
....
Transfer complete: -$25.00
Cross-Site Scripting (XSS)
Browser → server:
GET /?user=Bob HTTP/1.1
Server → Browser:
HTTP/1.1 200 OK ...
Hello, Bob!

Cross-Site Scripting (XSS)
The user parameter is copied into the page unescaped:
Browser → server:
GET /?user=<script>alert('XSS')</script> HTTP/1.1
Server → Browser:
HTTP/1.1 200 OK
...
Hello, <script>alert('XSS')</script>!
Web Review | Same-Origin Policy (SOP)
Browser → (evil!) facebook.com:
GET / HTTP/1.1
Host: facebook.com
facebook.com → Browser:
HTTP/1.1 200 OK
...
Browser → gmail.com:
GET /msgs.json HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK ...
{ new_msgs: 3 }
(SOP: the facebook.com page cannot read this gmail.com response)

Cross-Site Scripting (XSS) Attack
Browser → (evil!) facebook.com:
GET / HTTP/1.1
Host: facebook.com
facebook.com → Browser:
HTTP/1.1 200 OK
...
The facebook.com page sends the browser to gmail.com with a script in the user parameter:
Browser → gmail.com:
GET /?user=<script>$.get('http://gmail.com/msgs.json', function (data) { alert(data); })</script> HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK
…
Hello, <script>$.get('http://gmail.com/msgs.json', function (data) { alert(data); })</script>

Cross-Site Scripting (XSS) Attack
The injected script now runs inside the gmail.com origin, so SOP does not stop it:
Browser → gmail.com:
GET /msgs.json HTTP/1.1
Host: gmail.com
gmail.com → Browser:
HTTP/1.1 200 OK …
{ new_msgs: 3 }
Browser shows an alert dialog: http://gmail.com/ says: { new_msgs: 3 }
Types of XSS
Reflected XSS (the payload arrives in the request and is echoed back in the response): http://vulnerable.com/?q=
Stored XSS: the attacker stores the XSS payload in the database
POST /message HTTP/1.1
Host: vulnerable.com

to=victim&message=
Victim browses to http://vulnerable.com/inbox …
You have 1 new message:
From: attacker
Message:
Cross-Site Scripting (XSS) Attack
What can an attacker do with an XSS?
Exfiltrate data back to the attacker (HTTP POST): cookies, CSRF tokens, private information
Perform actions on the victim's behalf: any CSRF attack!
Set cookies of the attacker's choosing
XSS Defenses
Make sure data gets shown as data, not executed as code!
Escape special characters
Which ones? Depends on the context in which your $data is presented
Inside an HTML document?
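The context question above, as an added example that is not part of the lecture slides: the same untrusted value escaped for HTML text, for a JavaScript string literal inside a script block, and for a link target, where escaping alone does not help and a scheme allow-list is needed. Function names and payloads are constructed for this example.

```javascript
// Added example (not from the lecture slides): escape the same untrusted
// value differently depending on where in the page it is inserted.
// All function names and payloads below are constructed for illustration.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// HTML text or double-quoted attribute context: markup characters become
// entities, so the browser shows them as data instead of parsing them.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context inside <script>: the HTML parser does
// not decode entities there, so escapeHtml would corrupt the data. Encode as
// a JS string literal and hide "<" and ">" so "</script>" cannot appear.
function escapeJsString(s) {
  return JSON.stringify(String(s))
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e");
}

// href/src context: "javascript:alert(1)" has no markup characters, so no
// escaping changes it. Allow only http(s) URLs, then escape for the attribute.
function safeHref(url) {
  const s = String(url);
  return /^https?:\/\//i.test(s) ? escapeHtml(s) : "about:blank";
}

// The "Hello, <user>!" page from the slides, rendered safely.
function renderGreeting(user) {
  return `<p>Hello, ${escapeHtml(user)}!</p>`;
}

// The same value handed to page JavaScript.
function renderScript(user) {
  return `<script>var user = ${escapeJsString(user)};</script>`;
}

// The same value used as a link target.
function renderLink(url) {
  return `<a href="${safeHref(url)}">profile</a>`;
}
```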
Code Injection
Keep code and data separate: the query text is fixed, the user-supplied value is bound as a parameter (PHP PDO; $db is assumed to be an existing PDO connection)
$pstmt = $db->prepare(
    "SELECT * FROM `users` WHERE location=?");  // Code
$pstmt->execute(array($city));                  // Data