Computer Security CS 426 Lecture 27 - PowerPoint PPT Presentation

Provided by: NINGH7

1
Computer Security CS 426 Lecture 27
  • Secure Web Site Design
  • (Most slides taken from Prof. Dan Boneh's CS 155
    slides at Stanford)

2
Cross site request forgery
3
Cross site request forgery (abbrev. CSRF or XSRF)
  • Also known as one-click attack or session riding
  • Transmits unauthorized commands to a website on
    behalf of a user who is logged in to that website

4
  • Example
  • User logs in to bank.com. Forgets to sign
    off.
  • Session cookie remains in browser state
  • Then user visits another site containing a
    hidden form named F whose action is a URL on
    bank.com, followed by the script
    document.F.submit()
  • Browser sends the user's auth cookie with the
    request
  • Transaction will be fulfilled
  • Problem
  • browser is a confused deputy: it attaches the
    bank.com cookie to any request for bank.com,
    whichever page created the request

5
Some Attack Methods
  • HTML methods: <IMG SRC="http://host/?command">,
    <SCRIPT SRC="http://host/?command">,
    <IFRAME SRC="http://host/?command">
  • JavaScript methods: the Image object:
    var foo = new Image(); foo.src = "http://host/?command";

6
GMail Incident, Jan 2007
  • Google Docs has a script that runs a callback
    function, passing it your contact list as an
    object. The script presumably checks a cookie to
    ensure you are logged into a Google account
    before handing over the list.
  • Unfortunately, it doesn't check what page is
    making the request. So, if you are logged in in
    window 1, window 2 (an evil site) can include the
    script, make the function call and get the contact
    list as an object. Since you are logged in
    somewhere, your cookie is valid and the request
    goes through.

7
Prevention
  • Server side
  • use cookie + hidden fields to authenticate
  • hidden field values need to be unpredictable and
    user-specific (e.g. a secret bound to the session
    cookie)
  • requires the body of the POST request to contain a
    value derived from the cookie, which a cross-site
    form cannot supply: the attacker can make the
    browser send the cookie but cannot read it
  • User side
  • logging off one site before using others
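The attack from the bank.com example slide and the server-side prevention above, as an added example that is not part of the original slides. bank.com, the session store, the cookie name `session` and the form fields are constructed for the example; the token is an HMAC of the session id under a server secret, so it is unpredictable and user-specific without the server storing anything extra:

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed for the example: session-cookie value -> logged-in user.
SESSIONS = {"abc123": "alice"}
# Assumption: a per-server secret used only to derive CSRF tokens.
SERVER_SECRET = secrets.token_bytes(32)


def attacker_page(target, fields):
    """Hypothetical evil page: a hidden form that posts to the bank and
    submits itself on load. The browser attaches the victim's bank cookie
    automatically; the attacker never needs to read it."""
    inputs = "\n".join(
        f'<input type="hidden" name="{k}" value="{v}">' for k, v in fields.items()
    )
    return (
        f'<form name="F" action="{target}" method="post">\n{inputs}\n</form>\n'
        "<script>document.F.submit();</script>"
    )


def csrf_token_for(session_id):
    """Unpredictable and user-specific: a keyed MAC over the session id.
    The attacker's page cannot compute it because it can read neither
    the cookie nor the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def bank_transfer_form(session_id):
    """The bank's own page embeds the token in a hidden field, so a
    legitimate POST carries both the cookie and a value bound to it."""
    return (
        '<form action="/transfer" method="post">\n'
        f'<input type="hidden" name="csrf_token" value="{csrf_token_for(session_id)}">\n'
        '<input name="recipient"><input name="amount">\n'
        '<input type="submit"></form>'
    )


def handle_transfer(headers, body, sessions=SESSIONS):
    """Server-side check. headers: dict of request headers; body: parsed
    POST fields. Returns (status, message)."""
    cookies = SimpleCookie(headers.get("Cookie", ""))
    session_id = cookies["session"].value if "session" in cookies else None
    user = sessions.get(session_id)
    if user is None:
        return 401, "not logged in"
    expected = csrf_token_for(session_id)
    # Constant-time compare; a missing token is simply a wrong token.
    if not hmac.compare_digest(body.get("csrf_token", ""), expected):
        return 403, "missing or invalid CSRF token"
    return 200, f"{user} pays {body['amount']} to {body['recipient']}"


if __name__ == "__main__":
    victim = {"Cookie": "session=abc123"}
    print(attacker_page("http://bank.com/transfer",
                        {"recipient": "badguy", "amount": "1000"}))
    # Forged request: cookie present (the browser added it), no token.
    print(handle_transfer(victim, {"recipient": "badguy", "amount": "1000"}))
    # Genuine request from the bank's own form: cookie and matching token.
    print(handle_transfer(victim, {"recipient": "bob", "amount": "10",
                                   "csrf_token": csrf_token_for("abc123")}))
```

The forged request is refused even though the session cookie is valid, because the evil page cannot produce the hidden-field value; the check has to be on the POST body, not on the cookie alone.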

8
SQL Injection
  • See Slides by Prof. Venkat

9
Another Example of SQL Injection
  • User input is used in SQL query
  • Example login page (ASP)
  • set ok = execute("SELECT * FROM UserTable
      WHERE username='" & form("user") &
      "' AND password='" & form("pwd") & "'")
  • if not ok.EOF
      login success
    else fail
  • Is this exploitable?

10
SQL Injections could be used to Run commands on
hosts as well
  • Suppose user =
    "'; exec xp_cmdshell 'net user badguy badpwd /ADD' --"
  • Then script does
    ok = execute("SELECT ... WHERE username=''; exec
    xp_cmdshell 'net user badguy badpwd /ADD' --' AND ...")
  • If the SQL Server context runs as sa, the attacker
    gets an account on the DB server.
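The ASP login above, rebuilt as an added example (not from the slides) in Python over an in-memory SQLite table constructed here, to answer the "Is this exploitable?" question and to try the stacked-statement trick of the second slide. SQLite is used because it ships with Python; its `execute()` refuses a second statement, whereas SQL Server runs it, which is what makes the `xp_cmdshell` call reachable there. The user names and passwords are constructed:

```python
import sqlite3


def setup_db():
    """Constructed table standing in for the slide's UserTable."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE UserTable (username TEXT, password TEXT)")
    db.execute("INSERT INTO UserTable VALUES ('alice', 's3cret')")
    db.commit()
    return db


def login_vulnerable(db, user, pwd):
    """Mirrors the ASP page: user input concatenated into the SQL text."""
    sql = ("SELECT * FROM UserTable WHERE username='" + user +
           "' AND password='" + pwd + "'")
    return db.execute(sql).fetchone() is not None   # "if not ok.EOF"


def login_safe(db, user, pwd):
    """Placeholders: values travel separately and never become SQL syntax."""
    sql = "SELECT * FROM UserTable WHERE username=? AND password=?"
    return db.execute(sql, (user, pwd)).fetchone() is not None


def stacked_statement_attempt(db):
    """The second slide appends '; exec ...'. sqlite3 raises on a second
    statement (Warning in older Pythons, ProgrammingError in newer ones);
    SQL Server would execute it."""
    user = "'; DROP TABLE UserTable; --"
    try:
        login_vulnerable(db, user, "x")
        return "executed"
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return "refused: one statement at a time"


if __name__ == "__main__":
    db = setup_db()
    # Comment out the password check: username = ' OR 1=1 --
    print(login_vulnerable(db, "' OR 1=1 --", "anything"))   # True: logged in
    print(login_safe(db, "' OR 1=1 --", "anything"))         # False
    print(stacked_statement_attempt(db))
```

The bypass works because the closing quote in the input ends the string literal and `--` comments out the rest of the WHERE clause; the parameterised query sends the same bytes as data and finds no such user.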

11
Session Management
  • Cookies, hidden fields, and user authentication

12
Cookies
  • Used to store state on the user's machine

  Browser  --GET-->  Server
  Server   --HTTP header: Set-Cookie: NAME=VALUE;
              domain=(who can read); expires=(when it expires);
              secure (only over SSL)-->  Browser
  Browser  --GET, Cookie: NAME=VALUE-->  Server

  HTTP is a stateless protocol; cookies add state
13
Cookies
  • Uses
  • User authentication
  • Personalization
  • User tracking e.g. Doubleclick (3rd party
    cookies)

14
Cookie risks
  • Danger of storing data on the browser
  • User can change values
  • Silly example: shopping cart software.
  • Set-Cookie: shopping-cart-total=150
  • User edits cookie file (cookie poisoning)
  • Cookie: shopping-cart-total=15
  • bargain shopping.
  • Similar behavior with hidden fields

15
Not so silly (as of 2/2000)
  • D3.COM Pty Ltd ShopFactory 5.8
  • @Retail Corporation @Retail
  • Adgrafix Check It Out
  • Baron Consulting Group WebSite Tool
  • ComCity Corporation SalesCart
  • Crested Butte Software EasyCart
  • Dansie.net Dansie Shopping Cart
  • Intelligent Vending Systems Intellivend
  • Make-a-Store Make-a-Store OrderPage
  • McMurtrey/Whitaker Associates Cart32 3.0
  • pknutsen@nethut.no CartMan 1.04
  • Rich Media Technologies JustAddCommerce 5.0
  • SmartCart SmartCart
  • Web Express Shoptron 1.2
  • Source: http://xforce.iss.net/xforce/xfdb/4621

16
Example dansie.net shopping cart
  • <FORM METHOD=POST
      ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
    Black Leather purse with leather straps<BR>
    Price: 20.00<BR>
    <INPUT TYPE=HIDDEN NAME=… VALUE="Black leather purse">
    <INPUT TYPE=HIDDEN NAME=… VALUE="20.00">
    <INPUT TYPE=HIDDEN NAME=… VALUE="1">
    <INPUT TYPE=HIDDEN NAME=… VALUE="purse.jpg">
    <INPUT TYPE=HIDDEN NAME=return
      VALUE="http://www.dansie.net/demo.html">
    <INPUT TYPE=HIDDEN NAME=… VALUE="Black leather purse with leather straps">
    <INPUT TYPE=SUBMIT VALUE="… Shopping Cart">
    </FORM>
    (field NAMEs other than return are lost in the transcript;
    the price is a hidden field the user can edit)
  • CVE-2000-0253 (Jan. 2001), BugTraq ID 1115
  • http://www.dansie.net/demo.html (May, 2006)

17
Solution
  • When storing state on the browser, MAC the data
    using a server secret key.
  • .NET 2.0
  • System.Web.Configuration.MachineKey
  • Secret web server key intended for cookie
    protection
  • HttpCookie cookie = new HttpCookie(name, val);
    HttpCookie encodedCookie = HttpSecureCookie.Encode(cookie);
  • HttpSecureCookie.Decode(cookie)

18
Cookie authentication
  (figure) Browser -> Web Server -> Auth server: check val
19
Weak authenticators: security risk
  • Predictable cookie authenticator
  • Verizon Wireless - counter
  • Valid user logs in, gets counter, can view
    sessions of other users by changing the counter.
  • Weak authenticator generation [Fu et al. 01]
  • WSJ.com cookie: user, MAC_k(user)
  • Weak MAC exposes k from a few cookies.
  • Apache Tomcat generateSessionID()
  • MD5(PRNG) but weak PRNG [GM05].
  • Predictable SessionIDs
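The MAC-protected browser state from the Solution slide, applied both to the shopping-cart cookie of the Cookie risks slide and to a WSJ.com-shaped authenticator (user, MAC_k(user)) with a strong keyed MAC, as an added example that is not part of the original slides. The cookie layout (base64 payload, a dot, the hex tag), the server key and the sample cart are constructed for the example:

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: the server's secret MAC key (the MachineKey role on .NET).
SERVER_KEY = secrets.token_bytes(32)


def _mac(payload):
    """MAC_k(payload) with HMAC-SHA256; a weak MAC here would leak k."""
    return hmac.new(SERVER_KEY, payload.encode(), hashlib.sha256).hexdigest()


def encode_cookie(state):
    """Serialise state and append its MAC. The client can read the state
    but cannot change it without invalidating the tag."""
    payload = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()
    return f"{payload}.{_mac(payload)}"


def decode_cookie(value):
    """Return the state, or None if the cookie is malformed or its MAC
    does not verify (tampered or forged)."""
    try:
        payload, tag = value.rsplit(".", 1)
    except ValueError:
        return None
    if not hmac.compare_digest(tag, _mac(payload)):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def poison_total(cookie, new_total):
    """Cookie poisoning as on the Cookie risks slide: rewrite the cart total
    in the payload but keep the old tag, since the client has no key."""
    payload, tag = cookie.rsplit(".", 1)
    state = json.loads(base64.urlsafe_b64decode(payload))
    state["shopping-cart-total"] = new_total
    forged = base64.urlsafe_b64encode(
        json.dumps(state, sort_keys=True).encode()).decode()
    return f"{forged}.{tag}"


def auth_cookie(user):
    """Authenticator in the WSJ.com shape: user plus MAC_k(user)."""
    return encode_cookie({"user": user})


if __name__ == "__main__":
    cart = encode_cookie({"shopping-cart-total": 150})
    print(decode_cookie(cart))                   # {'shopping-cart-total': 150}
    print(decode_cookie(poison_total(cart, 15))) # None: tag no longer matches
    print(decode_cookie(auth_cookie("alice")))   # {'user': 'alice'}
```

The MAC stops the client from changing the state but does not hide it and does not stop replay: an authenticator still needs an expiry and an unpredictable session component, which is the Verizon counter lesson above.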

20
Coming Attractions
  • December 4
  • DBMS Security