SlideShare une entreprise Scribd logo

7 client-state manipulation

Télécharger en tant que PPT, PDF
D
drewz lin
1  sur  23
CHAPTER 7 Client-State Manipulation Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan (ISBN 1590597842; http://www.foundationsofsecurity.com). Except as otherwise noted, the content of this presentation is licensed under the Creative Commons 3.0 License.
Agenda  Web application – collection of programs used by server to reply to client (browser) requests  Often accept user input: don’t trust, validate!  HTTP is stateless, servers don’t keep state  To conduct transactions, web apps have state  State info may be sent to client who echoes it back in future requests  Example Exploit: “Hidden” parameters in HTML are not really hidden, can be manipulated
7.1. Pizza Delivery Web Site Example  Web app for delivering pizza  Online order form: order.html – say user buys one pizza @ $5.50  Confirmation form: generated by confirm_order script, asks user to verify purchase, price is sent as hidden form field  Fulfillment: submit_order script handles user’s order received as GET request from confirmation form (pay & price variables embedded as parameters in URL)
7.1. Pizza Web Site Code  Confirmation Form: <HTML><head><title>Pay for Pizza</title></head> <body><form action="submit_order" method="GET"> <p> The total cost is 5.50. Are you sure you would like to order? </p> <input type="hidden" name="price" value="5.50"> <input type="submit" name="pay" value="yes"> <input type="submit" name="pay" value="no"> </form></body></HTML> if (pay = yes) {  Submit success = authorize_credit_card_charge(price); if (success) { Order settle_transaction(price); dispatch_delivery_person(); Script: } else { // Could not authorize card tell_user_card_declined(); } } else { display_transaction_cancelled_page(); // no}
7.1. Buying Pizza Example Order 1 Pizza Credit Web Confirm $5.50 Web Submit Card Browser Server Order Payment (Client) $5.50 Gateway Price Stored in Attacker will modify Hidden Form Variable submit_order?price=5.50
7.1.1. Attack Scenario (1)  Attacker navigates to order form…
7.1.1. Attack Scenario (2)  …then to submit order form
7.1.1. Attack Scenario (3)  And he can View | Source:
7.1.1. Attack Scenario (4)  Changes price in source, reloads page!  Browser sends request: GET /submit_order?price=0.01&pay=yes HTTP/1.1  Hidden form variables are essentially in clear
7.1.1. Attack Scenario (5) Order 1 Pizza Credit Web Confirm $5.50 Web Submit Card Browser Server Order Payment (Client) $0.01 Gateway Attacker modified Price!
7.1.1. Attack Scenario (6)  Command-line tools to generate HTTP requests  curl or Wget automates & speeds up attack: curl https://www.deliver-me-pizza.com/submit_order ?price=0.01&pay=yes  Even against POST, can specify params as arguments to curl or wget command curl -dprice=0.01 -dpay=yes https://www.deliver-me- pizza.com/submit_order wget --post-data 'price=0.01&pay=yes' https://www.deliver-me-pizza.com/submit_order
7.1.2. Solution 1: Authoritative State Stays on Server  Server sends session-id to client  Server has table mapping session-ids to prices  Randomly generated (hard to guess) 128-bit id sent in hidden form field instead of the price. <input type="hidden" name="session-id" value="3927a837e947df203784d309c8372b8e">  New Request GET /submit_order?session-id=3927a837e947df203784d309c8372b8e &pay=yes HTTP/1.1
7.1.2. Solution 1 Changes  submit_order script changes: if (pay = yes) { price = lookup(session-id); // in table if (price != NULL) { // same as before } else { // Cannot find session display_transaction_cancelled_page(); log_client_IP_and_info(); } } else { // same no case }
7.1.2. Session Management  128-bit session-id, n = # of session-ids  Limitchance of correct guess to n/2128.  Time-out idle session-ids  Clear expired session-ids  Session-id: hash random # & IP address – harder to attack (also need to spoof IP)  Con: server requires DB lookup for each request  Performance bottleneck – possible DoS from attackers sending random session-ids  Distribute DB, load balance requests
7.1.3. Solution 2: Signed State To Client  Keep Server stateless, attach a signature to state and send to client  Can detect tampering through MACs  Sign whole transaction (based on all parameters)  Security based on secret key known only to server <input type="hidden" name="item-id" value="1384634"> <input type="hidden" name="qty" value="1"> <input type="hidden" name="address" value="123 Main St, Stanford, CA"> <input type="hidden" name="credit_card_no" value="5555 1234 4321 9876"> <input type="hidden" name="exp_date" value="1/2012"> <input type="hidden" name="price" value="5.50"> <input type="hidden" name="signature" value="a2a30984f302c843284e9372438b33d2">
7.1.3. Solution 2 Analysis  Changes in submit_order script: if (pay = yes) { // Aggregate transaction state parameters // Note: | is concatenation operator, # a delimiter. state = item-id | # | qty | # | address | # | credit_card_no | # | exp_date | # | price; //Compute message authentication code with server key K. signature_check = MAC(K, state); if (signature == signature_check) { // proceed normally } else { // Invalid signature: cancel & log } } else { // no pay – cancel}  Can detect tampered state vars from invalid signature  Performance Hit  Compute MACs when processing HTTP requests  Stream state info to client -> extra bandwidth
7.2. POST Instead of GET  GET: form params (e.g. session-id) leak in URL  Could anchor these links in lieu of hidden form fields  Alice sends Meg URL in e-mail, Meg follows it & continues transaction w/o Alice’s consent  Referers can leak through outlinks:  This <a href="http://www.grocery-store-site.com/"> link  Sends request: GET / HTTP/1.1 Referer: https://www.deliver-me-pizza.com/submit_order? session-id=3927a837e947df203784d309c8372b8e  Session-id leaked to grocery-store-site’s logs!
7.2. Benefits of POST POST /submit_order HTTP/1.1  POST Content-Type: application/x-www-form-urlencoded Request: Content-Length: 45 session-id%3D3927a837e947df203784d309c8372b8e  Session-id not visible in URL  Pasting into e-mail wouldn’t leak it  Slightly inconvenient for user, but more secure  Referers can still leak w/o user interaction  Instead of link, image: <a href=http://www.grocery-store-site.com/banner.gif>  GET request for banner.gif still leaks session-id
7.3. Cookies  Cookie - piece of state maintained by client  Server gives cookie to client  Client returns cookie to server in HTTP requests  Ex: session-id in cookie in lieu of hidden form field HTTP/1.1 200 OK Set-Cookie: session-id=3927a837e947df203784d309c8372b8e; secure  Securedictates using SSL  Browser Replies: GET /submit_order?pay=yes HTTP/1.1 Cookie: session-id=3927a837e947df203784d309c8372b8e
7.3. Problems with Cookies  Cookies are associated with browser  Sent back w/ each request, no hidden field to tack on  If user doesn’t log out, attacker can use same browser to impersonate user  Session-ids should have limited lifetime
7.4. JavaScript (1)  Popular client-side scripting language  Ex: Compute prices of an order: <html><head><title>Order Pizza</title></head><body> <form action="submit_order" method="GET" name="f"> How many pizzas would you like to order? <input type="text" name="qty" value="1" onKeyUp="computePrice();"> <input type="hidden" name="price" value="5.50"><br> <input type="submit" name="Order" value="Pay"> <input type="submit" name="Cancel" value="Cancel"> <script> function computePrice() { f.price.value = 5.50 * f.qty.value; // compute new value f.Order.value = "Pay " + f.price.value // update price } </script> </body></html>
7.4. JavaScript (2)  Evil user can just delete JavaScript code, substitute desired parameters & submit!  Could also just submit request & bypass JavaScript GET /submit_order?qty=1000&price=0&Order=Pay  Warning: data validation or computations done by JavaScript cannot be trusted by server  Attackermay alter script in HTML code to modify computations  Must be redone on server to verify
Summary  Web applications need to maintain state  HTTP stateless  Hidden form fields, cookies  Session-management, server with state…  Don’t trust user input!  keep state on server (space-expensive)  Or sign transaction params (bandwidth-expensive)  Use cookies, be wary of cross-site attacks (c.f. ch.10)  No JavaScript for computations & validations

Recommandé

Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Http
HttpHttp
HttpLuavis Kang
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 

Recommandé

Web authentication & authorization
Web authentication & authorizationWeb authentication & authorization
Web authentication & authorizationAlexandru Pasaila
 
Cross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesCross Site Request Forgery Vulnerabilities
Cross Site Request Forgery VulnerabilitiesMarco Morana
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsCh 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense MechanismsSam Bowne
 
Understanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryUnderstanding Cross-site Request Forgery
Understanding Cross-site Request ForgeryDaniel Miessler
 
Cross Site Request Forgery
Cross Site Request ForgeryCross Site Request Forgery
Cross Site Request ForgeryTony Bibbs
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCCSRF Attack and Its Prevention technique in ASP.NET MVC
CSRF Attack and Its Prevention technique in ASP.NET MVCSuvash Shah
 
Http
HttpHttp
HttpLuavis Kang
 
New methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsNew methods for exploiting ORM injections in Java applications
New methods for exploiting ORM injections in Java applicationsMikhail Egorov
 
REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web ServicesHalil Burak Cetinkaya
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
HTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeHTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeAbhishek L.R
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementFahad Golra
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWTPrashant Walke
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response StructureBhagyashreeGajera1
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
Ssrf
SsrfSsrf
SsrfIlan Mindel
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect ExplainedVladimir Dzhuvinov
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0Uwe Friedrichsen
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 
URL Class in JAVA
URL Class in JAVAURL Class in JAVA
URL Class in JAVARamasubbu .P
 
WS-Trust
WS-TrustWS-Trust
WS-TrustPrabath Siriwardena
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basicsn|u - The Open Security Community
 
Django
DjangoDjango
DjangoAmanpreet Singh
 
java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guideZenita Smythe
 
https://uii.io/ref/hmaadi
https://uii.io/ref/hmaadihttps://uii.io/ref/hmaadi
https://uii.io/ref/hmaadihmaadi96
 

Contenu connexe

Tendances

Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedValency Networks
 
HTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeHTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeAbhishek L.R
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationMicho Hayek
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementFahad Golra
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response StructureBhagyashreeGajera1
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration Tariq Islam
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...Noppadol Songsakaew
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesSam Bowne
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectLiamWadman
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfigurationJiri Danihelka
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionVishal Kumar
 

Tendances (20)

REST & RESTful Web Services
REST & RESTful Web ServicesREST & RESTful Web Services
REST & RESTful Web Services
 
Cross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting ExplainedCross Site Request Forgery (CSRF) Scripting Explained
Cross Site Request Forgery (CSRF) Scripting Explained
 
HTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status CodeHTTP Request Header and HTTP Status Code
HTTP Request Header and HTTP Status Code
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Lecture 3: Servlets - Session Management
Lecture 3: Servlets - Session ManagementLecture 3: Servlets - Session Management
Lecture 3: Servlets - Session Management
 
Json Web Token - JWT
Json Web Token - JWTJson Web Token - JWT
Json Web Token - JWT
 
HTTP Request and Response Structure
HTTP Request and Response StructureHTTP Request and Response Structure
HTTP Request and Response Structure
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...A2 - broken authentication and session management(OWASP thailand chapter Apri...
A2 - broken authentication and session management(OWASP thailand chapter Apri...
 
Ssrf
SsrfSsrf
Ssrf
 
CNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application TechnologiesCNIT 129S: Ch 3: Web Application Technologies
CNIT 129S: Ch 3: Web Application Technologies
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
OAuth 2.0
OAuth 2.0OAuth 2.0
OAuth 2.0
 
Intro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID ConnectIntro to OAuth2 and OpenID Connect
Intro to OAuth2 and OpenID Connect
 
Security misconfiguration
Security misconfigurationSecurity misconfiguration
Security misconfiguration
 
Deep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL InjectionDeep understanding on Cross-Site Scripting and SQL Injection
Deep understanding on Cross-Site Scripting and SQL Injection
 
URL Class in JAVA
URL Class in JAVAURL Class in JAVA
URL Class in JAVA
 
WS-Trust
WS-TrustWS-Trust
WS-Trust
 
CSRF Basics
CSRF BasicsCSRF Basics
CSRF Basics
 
Django
DjangoDjango
Django
 

Similaire à 7 client-state manipulation

java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guideZenita Smythe
 
https://uii.io/ref/hmaadi
https://uii.io/ref/hmaadihttps://uii.io/ref/hmaadi
https://uii.io/ref/hmaadihmaadi96
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsTorsten Lodderstedt
 
HTML5 Gaming Payment Platforms
HTML5 Gaming Payment PlatformsHTML5 Gaming Payment Platforms
HTML5 Gaming Payment PlatformsJonathan LeBlanc
 
Micronaut Webinar 2021 - Process Automation Introduction
Micronaut Webinar 2021 - Process Automation IntroductionMicronaut Webinar 2021 - Process Automation Introduction
Micronaut Webinar 2021 - Process Automation IntroductionBernd Ruecker
 
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Ami Assayag
 
Restaurant Server.pdf
Restaurant Server.pdfRestaurant Server.pdf
Restaurant Server.pdfShaiAlmog1
 
2012 SVCodeCamp: In App Payments with HTML5
2012 SVCodeCamp: In App Payments with HTML52012 SVCodeCamp: In App Payments with HTML5
2012 SVCodeCamp: In App Payments with HTML5Jonathan LeBlanc
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenCodemotion
 
Mắt kính chính hãng trả góp 0%
Mắt kính chính hãng trả góp 0%Mắt kính chính hãng trả góp 0%
Mắt kính chính hãng trả góp 0%Phcng991605
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest ExpectationsIhor Uzhvenko
 
Long running processes in DDD
Long running processes in DDDLong running processes in DDD
Long running processes in DDDBernd Ruecker
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppBen Adida
 
Social Gold in-Flash Webinar Jan 2010
Social Gold in-Flash Webinar Jan 2010Social Gold in-Flash Webinar Jan 2010
Social Gold in-Flash Webinar Jan 2010Social Gold
 
Social Gold In-Flash Payments Webinar
Social Gold In-Flash Payments WebinarSocial Gold In-Flash Payments Webinar
Social Gold In-Flash Payments WebinarSocial Gold
 
Paypal REST api ( Japanese version )
Paypal REST api ( Japanese version )Paypal REST api ( Japanese version )
Paypal REST api ( Japanese version )Yoshi Sakai
 
Monetize your idea! - Pay Pal
Monetize your idea! - Pay PalMonetize your idea! - Pay Pal
Monetize your idea! - Pay PalDroidcon Spain
 

Similaire à 7 client-state manipulation (20)

java and javascript api dev guide
java and javascript api dev guidejava and javascript api dev guide
java and javascript api dev guide
 
https://uii.io/ref/hmaadi
https://uii.io/ref/hmaadihttps://uii.io/ref/hmaadi
https://uii.io/ref/hmaadi
 
NextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security RecommendationsNextGenPSD2 OAuth SCA Mode Security Recommendations
NextGenPSD2 OAuth SCA Mode Security Recommendations
 
HTML5 Gaming Payment Platforms
HTML5 Gaming Payment PlatformsHTML5 Gaming Payment Platforms
HTML5 Gaming Payment Platforms
 
Micronaut Webinar 2021 - Process Automation Introduction
Micronaut Webinar 2021 - Process Automation IntroductionMicronaut Webinar 2021 - Process Automation Introduction
Micronaut Webinar 2021 - Process Automation Introduction
 
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
Sfdc tournyc14 salesforceintegrationwithgoogledoubleclick__final_20141119
 
OAuth 2 Presentation
OAuth 2 PresentationOAuth 2 Presentation
OAuth 2 Presentation
 
Php security
Php securityPhp security
Php security
 
Restaurant Server.pdf
Restaurant Server.pdfRestaurant Server.pdf
Restaurant Server.pdf
 
2012 SVCodeCamp: In App Payments with HTML5
2012 SVCodeCamp: In App Payments with HTML52012 SVCodeCamp: In App Payments with HTML5
2012 SVCodeCamp: In App Payments with HTML5
 
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe FriedrichsenOAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
OAuth 2.0 – A standard is coming of age by Uwe Friedrichsen
 
Mắt kính chính hãng trả góp 0%
Mắt kính chính hãng trả góp 0%Mắt kính chính hãng trả góp 0%
Mắt kính chính hãng trả góp 0%
 
Pentest Expectations
Pentest ExpectationsPentest Expectations
Pentest Expectations
 
Long running processes in DDD
Long running processes in DDDLong running processes in DDD
Long running processes in DDD
 
How to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health AppHow to Build an Indivo X Personal Health App
How to Build an Indivo X Personal Health App
 
Social Gold in-Flash Webinar Jan 2010
Social Gold in-Flash Webinar Jan 2010Social Gold in-Flash Webinar Jan 2010
Social Gold in-Flash Webinar Jan 2010
 
Social Gold In-Flash Payments Webinar
Social Gold In-Flash Payments WebinarSocial Gold In-Flash Payments Webinar
Social Gold In-Flash Payments Webinar
 
Session management
Session management Session management
Session management
 
Paypal REST api ( Japanese version )
Paypal REST api ( Japanese version )Paypal REST api ( Japanese version )
Paypal REST api ( Japanese version )
 
Monetize your idea! - Pay Pal
Monetize your idea! - Pay PalMonetize your idea! - Pay Pal
Monetize your idea! - Pay Pal
 

Plus de drewz lin

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearydrewz lin
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013drewz lin
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13drewz lin
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrichdrewz lin
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2drewz lin
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2drewz lin
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfdrewz lin
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equaldrewz lin
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21drewz lin
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansendrewz lin
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaoladrewz lin
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsdrewz lin
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentationdrewz lin
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsdrewz lin
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martindrewz lin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowaspdrewz lin
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usadrewz lin
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013drewz lin
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架drewz lin
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈drewz lin
 

Plus de drewz lin (20)

Web security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-kearyWeb security-–-everything-we-know-is-wrong-eoin-keary
Web security-–-everything-we-know-is-wrong-eoin-keary
 
Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013Via forensics appsecusa-nov-2013
Via forensics appsecusa-nov-2013
 
Phu appsec13
Phu appsec13Phu appsec13
Phu appsec13
 
Owasp2013 johannesullrich
Owasp2013 johannesullrichOwasp2013 johannesullrich
Owasp2013 johannesullrich
 
Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2Owasp advanced mobile-application-code-review-techniques-v0.2
Owasp advanced mobile-application-code-review-techniques-v0.2
 
I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2I mas appsecusa-nov13-v2
I mas appsecusa-nov13-v2
 
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolfDefeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
Defeating xss-and-xsrf-with-my faces-frameworks-steve-wolf
 
Csrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equalCsrf not-all-defenses-are-created-equal
Csrf not-all-defenses-are-created-equal
 
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
Chuck willis-owaspbwa-beyond-1.0-app secusa-2013-11-21
 
Appsec usa roberthansen
Appsec usa roberthansenAppsec usa roberthansen
Appsec usa roberthansen
 
Appsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaolaAppsec usa2013 js_libinsecurity_stefanodipaola
Appsec usa2013 js_libinsecurity_stefanodipaola
 
Appsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_editsAppsec2013 presentation-dickson final-with_all_final_edits
Appsec2013 presentation-dickson final-with_all_final_edits
 
Appsec2013 presentation
Appsec2013 presentationAppsec2013 presentation
Appsec2013 presentation
 
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitationsAppsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
Appsec 2013-krehel-ondrej-forensic-investigations-of-web-exploitations
 
Appsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martinAppsec2013 assurance tagging-robert martin
Appsec2013 assurance tagging-robert martin
 
Amol scadaowasp
Amol scadaowaspAmol scadaowasp
Amol scadaowasp
 
Agile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usaAgile sdlc-v1.1-owasp-app sec-usa
Agile sdlc-v1.1-owasp-app sec-usa
 
Vulnex app secusa2013
Vulnex app secusa2013Vulnex app secusa2013
Vulnex app secusa2013
 
基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架基于虚拟化技术的分布式软件测试框架
基于虚拟化技术的分布式软件测试框架
 
新浪微博稳定性经验谈
新浪微博稳定性经验谈新浪微博稳定性经验谈
新浪微博稳定性经验谈
 

7 client-state manipulation

  • 1. CHAPTER 7 Client-State Manipulation Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern, and Anita Kesavan (ISBN 1590597842; http://www.foundationsofsecurity.com). Except as otherwise noted, the content of this presentation is licensed under the Creative Commons 3.0 License.
  • 2. Agenda  Web application – collection of programs used by server to reply to client (browser) requests  Often accept user input: don’t trust, validate!  HTTP is stateless, servers don’t keep state  To conduct transactions, web apps have state  State info may be sent to client who echoes it back in future requests  Example Exploit: “Hidden” parameters in HTML are not really hidden, can be manipulated
  • 3. 7.1. Pizza Delivery Web Site Example  Web app for delivering pizza  Online order form: order.html – say user buys one pizza @ $5.50  Confirmation form: generated by confirm_order script, asks user to verify purchase, price is sent as hidden form field  Fulfillment: submit_order script handles user’s order received as GET request from confirmation form (pay & price variables embedded as parameters in URL)
  • 4. 7.1. Pizza Web Site Code  Confirmation Form: <HTML><head><title>Pay for Pizza</title></head> <body><form action="submit_order" method="GET"> <p> The total cost is 5.50. Are you sure you would like to order? </p> <input type="hidden" name="price" value="5.50"> <input type="submit" name="pay" value="yes"> <input type="submit" name="pay" value="no"> </form></body></HTML> if (pay = yes) {  Submit success = authorize_credit_card_charge(price); if (success) { Order settle_transaction(price); dispatch_delivery_person(); Script: } else { // Could not authorize card tell_user_card_declined(); } } else { display_transaction_cancelled_page(); // no}
  • 5. 7.1. Buying Pizza Example Order 1 Pizza Credit Web Confirm $5.50 Web Submit Card Browser Server Order Payment (Client) $5.50 Gateway Price Stored in Attacker will modify Hidden Form Variable submit_order?price=5.50
  • 6. 7.1.1. Attack Scenario (1)  Attacker navigates to order form…
  • 7. 7.1.1. Attack Scenario (2)  …then to submit order form
  • 8. 7.1.1. Attack Scenario (3)  And he can View | Source:
  • 9. 7.1.1. Attack Scenario (4)  Changes price in source, reloads page!  Browser sends request: GET /submit_order?price=0.01&pay=yes HTTP/1.1  Hidden form variables are essentially in clear
  • 10. 7.1.1. Attack Scenario (5) Order 1 Pizza Credit Web Confirm $5.50 Web Submit Card Browser Server Order Payment (Client) $0.01 Gateway Attacker modified Price!
  • 11. 7.1.1. Attack Scenario (6)  Command-line tools to generate HTTP requests  curl or Wget automates & speeds up attack: curl https://www.deliver-me-pizza.com/submit_order ?price=0.01&pay=yes  Even against POST, can specify params as arguments to curl or wget command curl -dprice=0.01 -dpay=yes https://www.deliver-me- pizza.com/submit_order wget --post-data 'price=0.01&pay=yes' https://www.deliver-me-pizza.com/submit_order
  • 12. 7.1.2. Solution 1: Authoritative State Stays on Server  Server sends session-id to client  Server has table mapping session-ids to prices  Randomly generated (hard to guess) 128-bit id sent in hidden form field instead of the price. <input type="hidden" name="session-id" value="3927a837e947df203784d309c8372b8e">  New Request GET /submit_order?session-id=3927a837e947df203784d309c8372b8e &pay=yes HTTP/1.1
  • 13. 7.1.2. Solution 1 Changes  submit_order script changes: if (pay = yes) { price = lookup(session-id); // in table if (price != NULL) { // same as before } else { // Cannot find session display_transaction_cancelled_page(); log_client_IP_and_info(); } } else { // same no case }
  • 14. 7.1.2. Session Management  128-bit session-id, n = # of session-ids  Limitchance of correct guess to n/2128.  Time-out idle session-ids  Clear expired session-ids  Session-id: hash random # & IP address – harder to attack (also need to spoof IP)  Con: server requires DB lookup for each request  Performance bottleneck – possible DoS from attackers sending random session-ids  Distribute DB, load balance requests
  • 15. 7.1.3. Solution 2: Signed State To Client  Keep Server stateless, attach a signature to state and send to client  Can detect tampering through MACs  Sign whole transaction (based on all parameters)  Security based on secret key known only to server <input type="hidden" name="item-id" value="1384634"> <input type="hidden" name="qty" value="1"> <input type="hidden" name="address" value="123 Main St, Stanford, CA"> <input type="hidden" name="credit_card_no" value="5555 1234 4321 9876"> <input type="hidden" name="exp_date" value="1/2012"> <input type="hidden" name="price" value="5.50"> <input type="hidden" name="signature" value="a2a30984f302c843284e9372438b33d2">
  • 16. 7.1.3. Solution 2 Analysis  Changes in submit_order script: if (pay = yes) { // Aggregate transaction state parameters // Note: | is concatenation operator, # a delimiter. state = item-id | # | qty | # | address | # | credit_card_no | # | exp_date | # | price; //Compute message authentication code with server key K. signature_check = MAC(K, state); if (signature == signature_check) { // proceed normally } else { // Invalid signature: cancel & log } } else { // no pay – cancel}  Can detect tampered state vars from invalid signature  Performance Hit  Compute MACs when processing HTTP requests  Stream state info to client -> extra bandwidth
  • 17. 7.2. POST Instead of GET  GET: form params (e.g. session-id) leak in URL  Could anchor these links in lieu of hidden form fields  Alice sends Meg URL in e-mail, Meg follows it & continues transaction w/o Alice’s consent  Referers can leak through outlinks:  This <a href="http://www.grocery-store-site.com/"> link  Sends request: GET / HTTP/1.1 Referer: https://www.deliver-me-pizza.com/submit_order? session-id=3927a837e947df203784d309c8372b8e  Session-id leaked to grocery-store-site’s logs!
  • 18. 7.2. Benefits of POST POST /submit_order HTTP/1.1  POST Content-Type: application/x-www-form-urlencoded Request: Content-Length: 45 session-id%3D3927a837e947df203784d309c8372b8e  Session-id not visible in URL  Pasting into e-mail wouldn’t leak it  Slightly inconvenient for user, but more secure  Referers can still leak w/o user interaction  Instead of link, image: <a href=http://www.grocery-store-site.com/banner.gif>  GET request for banner.gif still leaks session-id
  • 19. 7.3. Cookies  Cookie - piece of state maintained by client  Server gives cookie to client  Client returns cookie to server in HTTP requests  Ex: session-id in cookie in lieu of hidden form field HTTP/1.1 200 OK Set-Cookie: session-id=3927a837e947df203784d309c8372b8e; secure  Securedictates using SSL  Browser Replies: GET /submit_order?pay=yes HTTP/1.1 Cookie: session-id=3927a837e947df203784d309c8372b8e
  • 20. 7.3. Problems with Cookies  Cookies are associated with browser  Sent back w/ each request, no hidden field to tack on  If user doesn’t log out, attacker can use same browser to impersonate user  Session-ids should have limited lifetime
  • 21. 7.4. JavaScript (1)  Popular client-side scripting language  Ex: Compute prices of an order: <html><head><title>Order Pizza</title></head><body> <form action="submit_order" method="GET" name="f"> How many pizzas would you like to order? <input type="text" name="qty" value="1" onKeyUp="computePrice();"> <input type="hidden" name="price" value="5.50"><br> <input type="submit" name="Order" value="Pay"> <input type="submit" name="Cancel" value="Cancel"> <script> function computePrice() { f.price.value = 5.50 * f.qty.value; // compute new value f.Order.value = "Pay " + f.price.value // update price } </script> </body></html>
  • 22. 7.4. JavaScript (2)  Evil user can just delete JavaScript code, substitute desired parameters & submit!  Could also just submit request & bypass JavaScript GET /submit_order?qty=1000&price=0&Order=Pay  Warning: data validation or computations done by JavaScript cannot be trusted by server  Attackermay alter script in HTML code to modify computations  Must be redone on server to verify
  • 23. Summary  Web applications need to maintain state  HTTP stateless  Hidden form fields, cookies  Session-management, server with state…  Don’t trust user input!  keep state on server (space-expensive)  Or sign transaction params (bandwidth-expensive)  Use cookies, be wary of cross-site attacks (c.f. ch.10)  No JavaScript for computations & validations

Notes de l'éditeur

  1. Welcome to SEC103 on Secure Programming Techniques. In this course, I assume that you have some background in computer security, but now you want to put that background to use. For example, in the Computer Security Principles and Introduction To Cryptography courses, we cover topics such concerning trust and encryption. In this course, we put these principles into to practice, and I’ll show you have to write secure code that builds security into your applications from the ground up.
  2. Also, validating input at client (i.e., with JavaScript) is ineffective for security