CSE 190M Web Programming

Lecture 27: Web Security

Reading: 15.1 - 15.5

Except where otherwise noted, the contents of this document are Copyright 2012 Marty Stepp, Jessica Miller, Victoria Kirst and Roy McElmurry IV. All rights reserved. Any redistribution, reproduction, transmission, or storage of part or all of the contents in any form is prohibited without the author's expressed written permission.


Our current view of security

[image: group hug]

The real world

[image: orcs (dorks?)]

Attackers' goals

[image: burglar]

Why would an attacker target my site?

Tools that attackers use

[image: firebug]

Assume that the attacker knows about web dev and has the same tools you have:

Some kinds of attacks

[image: burglar]

Information leakage

[image: information leakage]

when the attacker can look at data, files, etc. that he/she should not be allowed to see

Exercise: Hack turnin page

  • Let's break this turnin page.
    • Our enemy is classmate Felix Chu, from section AD. We want to steal his personal info (password, email, student ID, grade, etc.).
    • Let's also find a way to make sure that Felix will get a low score on Homework 7.
    • We want to cheat on Homework Assignment 7, Song.java. We want to find a way to submit a perfect working solution without doing any real work.

Exercise: Breaking the turnin page

  • Discover/overwrite the teacher's solution by submitting with an invalid section. Then submit as stepp with section of SOLUTION to see the working solution.
  • Steal Felix's personal info by looking at the directory index and finding students.txt.
  • Give Felix a low score on HW7 by turning in a bad solution to the HW using his name / email, overwriting his past submission.

Man-in-the-middle attack

[image: man in the middle]

when the attacker listens on your network and reads and/or modifies your data

Secure HTTP (HTTPS)

[image: https]

Session hijacking

[image: firesheep]

when the attacker gets a hold of your session ID and masquerades as you

Exercise: power-animal.php session hijacking

document.cookie;		// PHPSESSID=ghiarlhec09fu26imrfvh2v5j2  (shows this page's cookie string)
// Split a copied cookie string on ";" and set each cookie in this browser;
// the server only identifies a session by PHPSESSID, so it now accepts this browser as that session.
var cookies = "COOKIE_STRING_HERE".split(/\s*;\s*/g);
for (var i = 0; i < cookies.length; i++) {
	document.cookie = cookies[i];
}
  • Open power-animal.php and copy the document.cookie string
  • Use the stolen cookie string to set your cookies on another browser.
  • In a real scenario you would have the cookie string of the person whose session you are trying to hijack.

Other vulnerable sites: secure.paizo.com

HTML injection

a flaw where a user is able to inject arbitrary HTML content into your page

[image: 8-ball]

Injecting HTML content

8ball.php?question=<em>lololol</em>

Cross-site scripting (XSS)

a flaw where a user is able to inject and execute arbitrary JavaScript code in your page

8ball.php?question=<script src='hacked.js'></script>

Securing against HTML injection / XSS

htmlspecialchars returns an HTML-escaped version of a string
$text = "<p>hi 2 u & me</p>";
$text = htmlspecialchars($text);   # "&lt;p&gt;hi 2 u &amp; me&lt;/p&gt;"

SQL injection

[image: grades]

a flaw where the user is able to inject arbitrary SQL into your query

A SQL injection attack

Too true...

[image: bobby tables xkcd comic]

Securing against SQL injection

$db->quote returns a SQL-escaped version of a string, with the surrounding quotes added (which is why none appear in the query below)
$username = $db->quote($_POST["username"]);
$password = $db->quote($_POST["password"]);
$query = "SELECT name, ssn, dob FROM users
WHERE username = $username AND password = $password";
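Both defenses from the last two slides applied in one login handler, as an added example that is not from the lecture: it assumes PHP with pdo_sqlite, builds its own users table and sample inputs, and uses PDO prepared statements in place of $db->quote().

```php
<?php
// Added example (not from the lecture slides). The in-memory SQLite table,
// the lookupUser() and h() helpers, and the sample inputs are all constructed here.
$db = new PDO("sqlite::memory:");
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT, name TEXT)");
// Plaintext password kept to mirror the slide's query; real systems store a hash.
$db->exec("INSERT INTO users VALUES ('felix', 'secret', 'Felix Chu')");

// Returns the display name for a valid username/password pair, else null.
// The :username and :password placeholders are bound separately from the SQL
// text, so a quote character in the input can never change the query's structure.
function lookupUser(PDO $db, string $username, string $password): ?string {
    $stmt = $db->prepare(
        "SELECT name FROM users WHERE username = :username AND password = :password");
    $stmt->execute([":username" => $username, ":password" => $password]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row["name"] : null;
}

// Escapes a value for insertion into HTML. ENT_QUOTES also escapes the single
// quote, which matters when the value lands inside an attribute like src='...'.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, "UTF-8");
}

// Constructed inputs: a valid login, a legitimate username containing an
// apostrophe (the character that breaks a hand-built query), and the
// script tag from the XSS slide.
$attempts = [
    ["felix", "secret"],
    ["o'brien", "secret"],
    ["<script src='hacked.js'></script>", "secret"],
];
foreach ($attempts as [$username, $password]) {
    $name = lookupUser($db, $username, $password);
    if ($name === null) {
        // The untrusted username is echoed back to the user, so escape it at output time.
        echo "<p>Login failed for " . h($username) . "</p>\n";
    } else {
        echo "<p>Welcome, " . h($name) . "</p>\n";
    }
}
```

Only the first attempt logs in; the apostrophe and the script tag reach the browser as harmless escaped text rather than as SQL or as markup.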

Takeaway Lessons