Cross-Site Scripting (XSS)
This Material Will Not be In Final Exam.
What is XSS?
• A vulnerability in Web applications that lets attackers inject client-side scripts into third-party Web pages
• Browsers of other visitors of the compromised Web page run the script, exposing any data the browser handles
• The popularity of these exploits has grown and has surpassed buffer overflow exploits
Non-persistent XSS Vulnerability
• Web server does not properly sanitize user input but uses it “as is” to generate a dynamic reply (Web page)
• This reply contains the attacker’s script code
• Attacker can craft a URL with his script embedded in it
  • URL points to the target site and supplies some input + script
• Entice the user to click on the URL
• Script will steal some user info that the user shares with the site, e.g. a cookie
Example (diagram: Attacker, User, Google)
1. Attacker sends the User a link: “Click here: http://www.google.com?something</FORM><SCRIPT>….”
2. The User’s browser sends the input in an HTTP GET as an argument to the Google homepage: something</FORM><SCRIPT>….
3. Attacker’s script executes with Google’s privileges
Persistent XSS Vulnerability
• Data provided by the attacker is stored by the server and displayed to any future user
  • E.g. when posts to online message boards are not properly sanitized
• Such a script can access any content the compromised server can
Where Do Vulnerabilities Occur
• In server code that processes user input and dynamically renders the resulting page
• In client code that runs in the browser and renders Web pages with data from the server
  • JavaScript mostly
  • Document Object Model (DOM) – standard model for representing HTML and XML content
Defense: Escape User Input
• Ensure that characters of input are treated as data, not as code
• Translate any dangerous characters into another form of the same characters that cannot be interpreted as code
  • E.g., translate “<” into “&lt;”
• Some input could be encoded into a different charset
  • Enforce the charset in each server reply so that the interpretation of the user’s input is fixed
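An added example (not from the slides) of context-aware escaping on the server side. The review.text and review.contact fields mirror the insertion-vector slide later in the deck; the page template and header names are assumed.

```python
from urllib.parse import urlsplit

# Characters that can change the HTML context, mapped to character
# references so the browser treats user input as data, not markup.
ESCAPES = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

def escape_html(text: str) -> str:
    """Escape user input for element content or a double-quoted attribute."""
    return "".join(ESCAPES.get(ch, ch) for ch in text)

def safe_url(url: str) -> str:
    """Escaping cannot neutralise a javascript: URL placed in href, because
    no dangerous character is involved; allow only http/https schemes."""
    if urlsplit(url.strip()).scheme.lower() in ("http", "https"):
        return escape_html(url)
    return "#"   # inert placeholder for a rejected link

def render_review(text: str, contact: str) -> str:
    """Generate the dynamic reply with each user value escaped for the
    context it lands in (text node vs. href attribute). Constructed layout."""
    return ('<div><p>{}</p><a href="{}">contact</a></div>'
            .format(escape_html(text), safe_url(contact)))

def reply_headers() -> dict:
    """Fix the charset on every reply so the browser cannot reinterpret the
    escaped bytes under a different encoding."""
    return {"Content-Type": "text/html; charset=utf-8"}
```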
Defense: Validate User Input
• Some Web sites want to allow users to input and render HTML
  • E.g., use HTML markup in emails and online posts
• Escaping doesn’t help here since it would destroy the HTML markup
• User input must pass through an HTML policy engine to ensure it does not contain XSS
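An added example (not from the slides) of a small allowlist HTML policy engine built on Python’s html.parser. The policy (which tags and attributes user posts may contain) is a constructed assumption; a real site would tune it.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed policy: tags a post may contain and, per tag, the allowed
# attributes. Anything not listed is dropped rather than escaped.
ALLOWED = {"p": set(), "b": set(), "i": set(), "br": set(), "a": {"href"}}
DROP_WITH_CONTENT = {"script", "style"}   # element and its text both go

class PolicyEngine(HTMLParser):
    """Re-serialise the parsed tokens, keeping only policy-approved markup.
    Working on parser tokens rather than raw text means node-splitting,
    attribute-splitting and tag-splitting inputs are seen the way a browser
    would see them, and the policy is applied to that view."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED:
            return
        kept = ""
        for name, value in attrs:
            if name not in ALLOWED[tag] or value is None:
                continue                     # e.g. onclick= is never allowed
            if name == "href" and urlsplit(value.strip()).scheme.lower() not in ("http", "https"):
                continue                     # javascript: is not a link
            kept += ' {}="{}"'.format(name, value.replace("&", "&amp;").replace('"', "&quot;"))
        self.out.append("<{}{}>".format(tag, kept))

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED and tag != "br":
            self.out.append("</{}>".format(tag))

    def handle_data(self, data):
        if not self.skip:                    # text inside <script> is discarded
            self.out.append(data.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;"))

def sanitize(fragment: str) -> str:
    """Run user-supplied HTML through the policy engine before rendering it."""
    engine = PolicyEngine()
    engine.feed(fragment)
    engine.close()
    return "".join(engine.out)
```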
Defense: Cookie Security
• Because XSS can be used to steal cookies, sites cannot rely only on cookies for authentication
• Tie cookies to specific IPs
• The HttpOnly flag makes the browser expose the cookie only to HTTP requests, not to scripts running in the page
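An added example (not from the slides) combining both bullets: a session cookie bound to the client IP with an HMAC, and the Set-Cookie header carrying HttpOnly. The key, cookie name and the extra Secure flag are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed server-side secret; a real deployment loads it from config.
SERVER_KEY = b"constructed-demo-key"

def _tag(session_id: str, client_ip: str) -> str:
    """MAC over the session id and the IP it was issued to."""
    msg = "{}|{}".format(session_id, client_ip).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue_session(client_ip: str) -> str:
    """Create a session token tied to the client's IP address."""
    session_id = secrets.token_hex(16)
    return "{}.{}".format(session_id, _tag(session_id, client_ip))

def verify_session(cookie_value: str, client_ip: str) -> bool:
    """A token copied by injected script and replayed from another
    address fails the MAC check, so the cookie alone is not enough."""
    try:
        session_id, tag = cookie_value.split(".", 1)
    except ValueError:
        return False
    return hmac.compare_digest(tag, _tag(session_id, client_ip))

def set_cookie_header(cookie_value: str) -> str:
    """HttpOnly keeps the cookie out of document.cookie, so script injected
    through XSS cannot read it; Secure (assumed) keeps it off plaintext HTTP."""
    return "Set-Cookie: session={}; HttpOnly; Secure; Path=/".format(cookie_value)
```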
Defense: Disabling Scripts
• Browser-side defense
• Makes some Web pages not render
• Could be turned off for some sites that are trusted to be well secured against XSS
XML Randomization XSS Defense
• Web application randomizes XML tag prefixes before delivering a document to the client
• Hard for the attacker to predict randomized prefixes
• So the attacker cannot inject scripts that pass as application markup
“Noncespaces: Using Randomization to Enforce Information Flow Tracking and Thwart Cross-Site Scripting Attacks”, Matthew Van Gundy and Hao Chen. In Proceedings of the 16th Annual Network and Distributed System Security Symposium (NDSS), 2009.
Insertion Vectors
• Tag body
  • review.text = <script>attack()</script>
• Node splitting
  • review.text = </p></div><script>attack()</script><div><p>
• Attribute value
  • review.contact = javascript:attack()
• Attribute splitting
  • review.contact = ’ onclick=’javascript:attack()
• Tag splitting
  • review.contact = ’><script>attack()</script>
Tag Prefix Randomization
• XML namespaces
  • User chooses a prefix for a tag
  • E.g. for the <A> tag:
    • <p:a xmlns:p=’http://www.w3.org/1999/xhtml’>
    • <q:a xmlns:q=’http://www.w3.org/1999/xhtml’>
• Leverage XML prefixes to annotate the document with trust classes
  • The “label” of each trust class is random and hard for the attacker to guess
  • Prefixes are randomly chosen on each document delivery
Example From Paper (figure: attack code; image not reproduced)
Trust Policy
• Defines tags that are trusted
• Defines HTML tags and operations that are allowed in untrusted content
• Everything else is denied
• Server delivers both the potentially hazardous content and the trust policy
• Client browser enforces the policy on server-delivered content
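An added simulation (not code from the Noncespaces paper) of the three slides above: the server picks a fresh prefix per delivery and labels its own tags with it, and the client classifies every tag by prefix and applies the trust policy to the untrusted class. The template, the policy contents and the prefix format are assumptions.

```python
import re
import secrets

# Constructed trust policy: tags permitted in untrusted (user) content.
# Untrusted tags may carry no attributes at all, so onclick= and
# javascript: URLs never survive; everything else is denied.
POLICY = {"untrusted_tags": {"p", "b", "i"}}
TAG_RE = re.compile(r"<(/?)([A-Za-z0-9]+:)?([A-Za-z0-9]+)([^>]*)>")
# Constructed application template; {review} is where user content lands.
TEMPLATE = ("<html><body><div class='review'>{review}</div>"
            "<script src='/app.js'></script></body></html>")

def server_deliver(template: str, review_text: str):
    """Server side: choose a fresh random prefix for this delivery, emit the
    application's own tags under that prefix, and splice in user content
    without a prefix. The prefix is returned as the policy's trust label."""
    prefix = "n" + secrets.token_hex(4)
    def add_prefix(m):
        slash, _unused, tag, rest = m.groups()
        return "<{}{}:{}{}>".format(slash, prefix, tag, rest)
    trusted = TAG_RE.sub(add_prefix, template)
    return trusted.replace("{review}", review_text), prefix

def client_check(document: str, prefix: str):
    """Client side: classify every tag by its prefix. Only tags carrying this
    delivery's prefix are trusted; all others are untrusted and must pass
    the policy. Returns the offending tags (empty list means render)."""
    violations = []
    for m in TAG_RE.finditer(document):
        _slash, pfx, tag, rest = m.groups()
        if pfx == prefix + ":":
            continue                          # trusted class: application markup
        if tag.lower() not in POLICY["untrusted_tags"] or rest.strip():
            violations.append(m.group(0))     # untrusted class: policy denies
    return violations
```

Because the prefix changes on every delivery, a tag that guesses last page’s prefix still lands in the untrusted class and is judged by the policy.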
Deployment
• Both client and server need to be modified
• Easy add-on to existing software
• A client proxy can protect multiple clients in a network
What Is MANET?
• Mobile Ad-Hoc Network
• Wireless nodes
• Changing topology
• Possibly no trusted authority
• Usually battery operated with limited CPU/memory
Security Challenges
• Wireless medium
  • Sniffing and jamming are easy, impersonation too
• Peers as routers
  • No trust in routers; they may sniff, drop or fabricate data
• Changing topology
  • Routes are learned and can be manipulated by attackers
• No trust infrastructure or trusted entities
  • How to distribute keys
• Limited resources
  • Algorithms must be simple and cheap
Physical/Link Layer Attacks
• Sniffing: attackers can easily pick up wireless transmissions because they are broadcast at a specific frequency (MAC spoofing is possible too)
  • Frequency hopping
  • Directional antennas
  • Encryption
• Jamming is easy
  • But the attacker needs a powerful transmitter
  • Directional antennas
• MAC protocol misuse to monopolize the shared medium
  • How to create a distributed protocol that detects and penalizes misbehavior?
Ad-Hoc Routing
• Routes are learned when needed (due to mobility)
• Dynamic Source Routing (DSR)
  • Source puts the entire route in the packet header
  • Route discovery
    • Request messages are broadcast
    • Intermediate nodes add themselves to the message
    • Reply is unicast to the source with the full path recorded
  • Nodes can cache overheard routes and may reply from cache
  • Link breakage results in error messages that delete routes in the network that use the broken link
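An added simulation (not from the slides or the DSR specification) of DSR route discovery over a small constructed topology: the request floods outward with each forwarder appended, the destination replies with the full path, and a route error removes every cached route that used the broken link.

```python
from collections import deque

# Constructed topology: undirected wireless links between node names.
LINKS = {("A", "B"), ("B", "C"), ("C", "D"), ("A", "E"), ("E", "D")}

def neighbours(node, links):
    return {b if a == node else a for a, b in links if node in (a, b)}

def route_discovery(src, dst, links):
    """DSR route discovery. The route request floods outward from src; every
    node that rebroadcasts it appends itself to the recorded path, and dst
    answers the first copy it receives with a route reply carrying the full
    path. Breadth-first flooding models "first copy wins" (fewest hops)."""
    seen = {src}
    pending = deque([[src]])
    while pending:
        path = pending.popleft()
        if path[-1] == dst:
            return path                       # route reply: whole path in header
        for nxt in sorted(neighbours(path[-1], links)):
            if nxt not in seen:               # a node rebroadcasts a request once
                seen.add(nxt)
                pending.append(path + [nxt])
    return None

class RouteCache:
    """Routes a node has learned from replies or overheard traffic."""
    def __init__(self):
        self.routes = {}

    def learn(self, route):
        self.routes[(route[0], route[-1])] = list(route)

    def route_error(self, a, b):
        """Route error for link a-b: delete every cached route using that link."""
        for key, route in list(self.routes.items()):
            hops = set(zip(route, route[1:]))
            if (a, b) in hops or (b, a) in hops:
                del self.routes[key]
```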
Ad-Hoc Routing
• Ad-hoc On-Demand Distance Vector Routing (AODV)
  • Source just specifies the destination
  • Routers on the path forward as they see fit
  • Route discovery
    • Request messages are broadcast
    • Intermediate nodes repeat the message and cache the next hop to the source
    • Reply is unicast to the source; intermediate nodes cache the next hop to the destination
    • Intermediate node may reply from cache
  • When a link breaks an intermediate node may attempt to rediscover a new route
  • Error messages remove routes that used the broken link
Routing Attacks
• Routing message flooding (DoS)
• Routing table overflow
  • Fill with bogus routes
• Routing cache poisoning is easy
  • Just fabricate requests or replies with a spoofed source
• Fabricate false error messages
Network Layer Attacks
• Drop packets, modify them or replay them
• Delay packets
• Inject junk traffic
• Wormhole Attack
  • Tunnel packets to another location
• Blackhole Attack
  • Make the node part of many routes
  • Drop all traffic
Wormhole Attacks
• Attacker records traffic at one point in the MANET, tunnels it (perhaps selectively) to another point and replays it
• Replayed traffic can arrive sooner than the original traffic
• This leads to an attacker node becoming part of many routes
• Attack works even for traffic not going over attacker nodes directly, and for encrypted traffic
“Wormhole attacks in wireless networks,” Yih-Chun Hu, Adrian Perrig, David B. Johnson, IEEE Journal on Selected Areas in Communications, 2006
Detection of Wormhole Attacks
• Packet leash
  • Information added to the packet to restrict the distance it can travel in one hop
  • Geographical – recipient must be close to the sender. Sender records its location and the time when the packet is sent; recipient checks for validity.
  • Temporal – packet lifetime ends after a certain time. Sender records the time when the packet is sent; recipient checks for validity.
    • Requires synchronized clocks
  • Recorded information must be signed
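An added example (not from the slides) of both leash checks. The bounds follow the cited Hu, Perrig and Johnson packet-leash work as I recall them (temporal expiry t_e = t_s + L/c − Δ; geographical bound ‖p_s − p_r‖ + 2v(t_r − t_s + Δ) + 2δ, with Δ the clock error and δ the location error); an HMAC with an assumed pairwise key stands in for the signature the slide requires, and all numeric inputs are constructed.

```python
import hashlib
import hmac
import json
import math

C = 299_792_458.0                  # radio propagation speed, m/s
KEY = b"constructed-pairwise-key"  # assumption: stands in for the signing key

def sign(fields: dict) -> str:
    """Authenticate the leash fields so a wormhole endpoint cannot rewrite them."""
    msg = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(KEY, msg, hashlib.sha256).hexdigest()

def make_leash(t_s: float, pos, leash_m: float, clock_err: float) -> dict:
    """Sender: record send time and position, derive the temporal expiry
    t_e = t_s + L/c - clock_err, and sign the whole leash."""
    fields = {"t_s": t_s, "pos": list(pos), "t_e": t_s + leash_m / C - clock_err}
    fields["mac"] = sign(fields)
    return fields

def _authentic(pkt: dict) -> bool:
    body = {k: v for k, v in pkt.items() if k != "mac"}
    return hmac.compare_digest(pkt.get("mac", ""), sign(body))

def check_temporal(pkt: dict, t_r: float) -> bool:
    """Receiver: drop the packet if it arrives after its expiry (needs tightly
    synchronized clocks, since one leash metre is about 3.3 ns)."""
    return _authentic(pkt) and t_r <= pkt["t_e"]

def check_geographic(pkt, t_r, pos_r, radio_range, v_max, clock_err, loc_err):
    """Receiver: upper-bound the sender-receiver distance from the signed
    position and time plus movement and error margins; if that bound exceeds
    the radio range, the packet cannot have come in a single real hop."""
    if not _authentic(pkt):
        return False
    bound = (math.dist(pkt["pos"], pos_r)
             + 2 * v_max * (t_r - pkt["t_s"] + clock_err) + 2 * loc_err)
    return bound <= radio_range
```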
DoS Attacks
• Consume node battery, CPU or memory
  • Overflow the node’s routing table
  • Flood the node with routing messages
  • Flood the node with data traffic
• Drop the node’s data traffic