Lab 8-14
What is Open ID? What is a real-world example that uses Open ID?
1. A popular authentication scheme implemented by web developers who want to use a third-party identity provider. 2. Whenever you see "Login with Google" you are using Open ID.
If you're unable to use a framework, how can you protect your site?
1. Audit your code carefully. 2. Parse JSON carefully. 3. Don't use URI fragments at all. 4. Implement a Content-Security Policy.
Name the three aspects Stan's firm's access control strategy should cover and briefly describe them.
1. Authentication: Correctly identifying a user when they return to the application. 2. Authorization: Deciding what actions a user should and shouldn't be able to perform once they have been authenticated. 3. Permission checking: Evaluating authorization at the point-in-time when a user attempts to perform an action
What are the guidelines that should be followed for designing access control?
1. Decide what the biggest risks are to your organization and focus on mitigating them. 2. Design the document your access control scheme upfront. 3. Attempt to centralize access control decisions on your codebase. 4. Test access control critically.
What are two ways you can make sure your parser configuration disables inline DTDs? Give a brief description of each
1. Disable parsing of inline DTDs: If you use XML parsing, make sure your parser configuration disables this feature. 2. Consider making XML parsing asynchronous: Parsing large XML files can take a lot of time and memory. If your architecture doesn't do so already, consider making the parsing of large XML files asynchronous.
List and describe 5 ways to protect against data leakage.
1. Disable the server HTTP header and similar headers: In your web server configuration, make sure to disable any HTTP response headers that reveal what server technology, language, and version you are running. 2. Use clean URLs: Try to avoid tell-tale file suffixes in URLs like .php, .asp, and .jsp. 3. Ensure cookie parameters are generic: Make sure that nothing is sent back in cookies that gives a clue about the technology stack. This includes tell-tale parameter names which should be made as generic as possible. 4. Ensure correct configuration of your web root directory: Make sure to strictly separate public and configuration directories, and make sure everyone on your team knows the difference. 5. Sanitize template files: Conduct code reviews and use static analysis to make sure sensitive data doesn't end up in comments or dead code passed to the client.
What are the three methods to prevent privilege escalation?
1. Keep critical information on the server side and only send session IDs to the client. 2. Tamper-proof the data sent to the client by using a digital signature. 3. Encrypt the data sent to the client, so it is opaque to the client.
List the areas learned in this lab that need protection from user enumeration and describe ways to protect those areas.
1. Login: Make sure to return a generic message when a login failure occurs and make sure the HTTP response and the time taken to respond are no different when a username does not exist, and an incorrect password is entered. 2. Password reset: Make sure your forgotten password page does not reveal usernames and if your password reset process involves sending an email, have the user enter their email address. Then send an email with a password reset link if the account exists. 3. Registration: Avoid having your site tell people that a supplied username is already taken, if your usernames are email addresses send a password reset email if a user tries to sign-up with an existing address, and if usernames are not email addresses protect your sign-up page with a CAPTCHA. 4. Profile pages: If your users have profile pages make sure they are only visible to other users who are already logged in and if you hide a profile page ensure a hidden profile is indistinguishable from a non-existence profile.
Name four methods of protecting against CSRF?
1. REST: Representation State Transfer (REST) is a series of design principles that assign certain types of actions (view, create, delete, update) to different HTTP verbs. Following REST-ful design will jeep your code clean and help your site scale. 2. Anti-Forgery Tokens: Each time your server renders a page that performs sensitive actions, it should write out an anti-forgery token in a hidden HTML form field. This token must be included with form submissions, or AJAX calls. The server should validate the token when it is returned in subsequent requests and reject any calls with missing or invalid tokens. 3. Ensure Cookies are sent with the SameSite Cookie Attribute: The Google Chrome team added a new attribute to the Set-Cookie header to help prevent CSRF, and it quickly became supported by the other browser vendors. The Same-Site cookie attribute allows developers to instruct browsers to control whether cookies are sent along with the request initiated by third-party domains. 4. Include Addition Authentication for Sensitive Actions: Many sites require a secondary authentication step or require re-confirmation of login details when the user performs a sensitive action. Not only does this protect users when may accidentally leave themselves logged in on publicly accessible computers, but it also greatly reduces the possibility of CSRF attacks.
In a peer review, what 3 pages should you carefully check to help prevent reflected XSS and why?
1. Search results - does the search criteria get displayed back to the user? Is it written out in the page title? Are you sure it is being escaped properly? 2. Error pages - if you have error messages that complain about invalid inputs, does the input get escaped properly when it is displayed back to the user? Does your 404 page mention the path being searched for? 3. Form submissions - if a page POSTs data, does any part of the data being submitted by the form get displayed back to the user? What if the form submission is rejected - does the error page allow injection of malicious code? Does an erroneously submitted form get pre-populated with the values previously submitted?
Name at least 4 methods to protect against file upload vulnerabilities and give a brief description.
1. Segregate your uploads: Unless you are building a very particular type of website, you are typically expecting images, videos, or document files, rather than executable code, If this is the case, making sure uploaded files are kept separate from application code is a key security consideration. 2. Ensure upload files cannot be executed: However you end up storing your uploaded files, if they are written to disk, ensure they are written in such a way that the OS knows not to treat them as executable code. 3. Rename files on upload: Rewriting or obfuscating files names will make it harder for an attacker to locate a malicious file once they have uploaded it. 4. Validate the content-type header: Make sure you check the file extension of uploaded files against a white-list of permitted file types. Do this on the server-side, since client-side checks can be circumvented.
Name the two methods of protecting against weak session IDs and describe them.
1. Use built-in session management: Modern frameworks implement safe, unguessable session IDs. If you are using a recent version of your web toolkit, check to see how the session IDs are generated. 2. Tamper-proof your cookies: Frameworks like Rails and Django allow you to sign your cookies. This means the server will be able to tell if the cookie has been manipulated since it was sent to the browser with the Set-Cookie header. Any indication of the data being tampered with will invalidate the session.
What is the session ID you used to hijack a user's session on this video streaming site?
1234567
When does a CSRF attack occur?
A CSRF attack occurs when a user is tricked into interacting with a page or script on a third-party site that generates a malicious request to your site.
What is a password hash?
A one-way transformation algorithm that allows you to validate a password when re-entered, without storing the literal value.
What kind of scenario is privilege escalation?
A scenario where an attacker is able to fool a system into giving them extra permissions or the permissions of another user.
What is a clean URL?
A semantically consistent, readable URL that is immediately and intuitively meaningful to non-expert users.
What is horizontal escalation?
A vulnerability that allows an attacker to gain access to another user's data.
When do access control decisions need to be evaluated?
Access control decisions need to be evaluated every time a resource is accessed.
How can you prevent cookies from being tampered with?
Add a signature to the cookie.
How does Mal discover the session ID?
After visiting your site, he opens up his browser debugger, and looks at the headers in the HTTP response. He notices that the Set-Cookie header includes a surprisingly small session ID.
What does your server see during a CSRF attack?
All your server will see is an HTTP request from an authenticated user.
How does an XML parsing library work?
An XML parsing library first will check that any document you pass it is well formed: the character encodings are valid, tags are properly closed, tag names are valid identifiers, and so on. Next, the document can be validated. The ordering, naming and nesting tags, and type of data that appears within each tag, can be compared against rules described in a separate grammar file
Why is having guessable session IDs a security risk?
An attacker can hijack your users' sessions
What is vertical escalation?
An attacker can tamper with the field, and attempt to gain administrative access.
What is finger-printing?
Attackers sometimes deploy complex "finger-printing" tools to determine server type. By submitting non-standard HTTP request and broken HTTP headers, they can heuristically determine the likely server type by examining how it responds in these ambiguous situation.
What is the best way to protect communication between server and client?
Buy a certificate, install it, and configure your web server to user it.
How do CSRF attacks spread and how are they used?
CSRF vulnerabilities can be used to trick a user's browser into performing an unwanted action on your site. Any function that your users can perform deliberately is something they can be tricked into performing inadvertently using CSRF. As we see in our example, in the most malign cases, CSRF can spread themselves as a worm. CSRF attacks in the past have been used to steal confidential data, spread worms on social media, or install malware on mobile phones.
What is untrusted input?
Cookies are untrusted input.
What is the key to keeping Stan's firm's data secure?
Correctly applied access control rules are key to keeping your data secure.
What is XSS? Briefly describe it.
Cross-site scripting (XSS) is one of the most common methods hackers use to attack websites. XSS vulnerabilities permit a malicious user to execute arbitrary chunks of JavaScript when other users visit your site.
Is DTD a modern format?
DTD is now q legacy format, having been replaced by the newer schema grammar. XML schemas and DTDs are usually declared as separate files. However, XML 1.0 permitted inline DTDs, so XML documents could be self-describing.
What can inline DTDs be used for in XML Bombs?
Defining macros to be expanded at parse time.
How does Mal execute the hack.php file?
Dropping the URL of the "profile image" in the browser address bar causes the script to be executed.
How can you ensure cookies are not tampered with?
Encrypt them
Why is it important to encrypt communication from server to clients?
Encryption prevents an attacker from intercepting traffic sent between you and your users. It is cheap and easy to implement, and an absolute necessity when transmitting data.
What effect does the keyword Secure have in the Set-Cookie header?
Ensures the cookies can only be passed in HTTPs requests, so sessions can only be established on secure connections.
What kinds of pages are likely to contain reflected XXS vulnerabilities?
Error pages
How can you prevent XSS attacks?
Escape dynamic content when it is written out in HTML
How does escaping dynamic content protect a website from XSS?
Escaping editable content in this way means it will never be treated as executable code by the browser. This closes the door on most XSS attacks.
T or F: Encrypting communication prevents the passing of malicious payloads.
F
T or F: If a page isn't linked to anywhere on your site, it can't be accessed attack.
F
T or F: JavaScript on the client-side is not a concern.
F
T or F: Only only need to implement HTTPs if you are handling financial transactions.
F
T or F: The content of HTML forms can always be trusted.
F
T or F: User enumeration vulnerabilities allow hackers to circumvent your login screen.
F
T or F: You only really need to check pages that interact with your database vulnerabilities.
F
What is a favorite target for hackers and why?
File upload functions are a favorite target for hackers, because they require your site to take a large chunk of data and write it to disk..
What are the risks to unencrypted communication?
Hackers can record the user's sensitive information
Why is it important that uploaded files are not saved as executable programs?
Hackers might upload viruses or other malicious code, and try to run them on your server.
Why does Mal disable JavaScript?
He disables JavaScript in his browser, and uploads hack.php as his profile image. Since JavaScript is disabled, the file type is not checked.
How does Olly circumvent access control?
He notices the quarterly reports predictable naming structure and checks a potential URL before the official publication date. Now Olly knows he can circumvent access control rules and writes a script to periodically check for quarterly reports on all the companies in his portfolio.
Describe how Mal gains access to your server using XML External Entities?
He then hosts the malicious XML file on his own server as part of the trap. Next, he crafts a URL to the social media site mentioning the URL of his malicious XML file. He opens the URL in his browser. The social media site reaches out to find the XML descriptor. During parsing, it expands out the external entity reference, and includes the local user information file, bust as Mal hoped. The first part of the trap is sprung. The expanded XML is now malformed, so the authentication process terminates as you would expect. However, as part of the error reporting back to Mal, the site includes the fully expanded XML file - which incorporates the user information file. The trap is sprung. And now Mal has a foot in the door. He is able to read sensitive data files on the server, and it is likely only a matter of time before he figures out how to smuggle code up there and escalate his attacks
If an attacker manages to store malicious JavaScript in your database what could they do?
Hijack other users' sessions
What does Mal hope will happen with his malicious XML packet?
His hope is that when the XML is parsed the parser will expand this file inline revealing sensitive information to him.
How does an attack take control?
However, an attacker takes control over the form of the data sent in the request to cause mischief.
What happens if the Open ID implementation is insecure?
If the Open ID implementation is insecure this allows harmful XML to be injected
What happens if an attacker is able to execute scripts on your server?
If they can subsequently find a way to execute those scripts, they can compromise your entire system.
How should you handle usernames when user's sign up?
If usernames need to be unique, but are not email addresses, protect your sign-up page with some sore of CAPTCHA. This will make it very difficult for an attacker to mine username information with a script
Where can problems occur in XML external entities?
In the process of resolving external entities, an XML parser may consult various networking protocols depending on the scheme specified in URLs.
Why would a hacker want to know what web server you are running on?
It allows them to research exploits for a particular server version, and probe for vulnerabilities.
Security-wise, why is it a good idea for you to obfuscate your JavaScript code?
It can obscure the meaning of the code and the libraries you are using making it harder for an attacker to spot vulnerabilities.
How should session IDs be generated?
It is important that your session IDs are generated by a strong random number algorithm and are of sufficient length to be unguessable.
What impact does salting your password hashes have?
It makes it harder for a attacker to backwards engineer your users' passwords should they get access to your password hashes.
Session IDs need to be picked from a _________________ and __________.
Large address space (i.e. large enough to make simple enumeration unworkable) and unpredictable.
When should a cookie respond to a login?
Make sure that everything in the HTTP response is identical in all login failure scenarios too. Be sure not to respond with a cookie unless both the username and password are correct.
How did Mal trick Vick?
Mal modifies the post-creation URL to include a malicious payload. Mal has been able to guess Vic's email address. Mal sends Vic an email with a very tempting link, pointing to the crafted URL and Vic clicks the link. Your server interprets the request as Vic writing a post and creates a new item on his timeline. This is not the action that Vic intended, but he may not quite have noticed what just occurred. The post is designed to be enticing enough that others of your site will click on it. When they do, they will be tricked in the same way Vic was.
What happened when Vick clicked on the link?
Mal modifies the post-creation URL to include a malicious payload. Mal has been able to guess Vic's email address. Mal sends Vic an email with a very tempting link, pointing to the crafted URL and Vic clicks the link. Your server interprets the request as Vic writing a post and creates a new item on his timeline. This is not the action that Vic intended, but he may not quite have noticed what just occurred. The post is designed to be enticing enough that others of your site will click on it. When they do, they will be tricked in the same way Vic was. You now have a worm on your site, as each user who clicks the link will open a new set of potential victims.
What happens when Mal uses one of the active session IDs into his browser?
Mal plugs one of these IDs into his browser, and voila, he has hijacked somebody's session.
How does Mal enumerate session IDs and for what purpose is he enumerating session IDs?
Mal puts together a simple script to enumerate session IDs and check the HTTP response code when each one is submitted to your site.
Where can a hacker look to find out what web server you're using?
Many web servers describe this information in HTTP headers which is great advertising for the web server vendor, but bad news for you. Listing the web server in the HTTP headers does nothing for your users but will tell an attacker which exploits they can try
What is defense in depth?
Means that even if an attacker manages to compromise your web server, the damage they can do is limited.
What do content-security policies do?
Modern browsers support Content-Security Policies that allow the author of a web-page to control where JavaScript (and other resources) can be loaded and executed from. XSS attacks rely on the attacker being able to run malicious scripts on a user's web page -
What is security through obscurity? Should it be avoided? Why?
Most web users browse by clicking links or using search functions. Because of this, it is tempting to think anything on your site that is not linked to or indexed will be hidden. However, this attitude is considered security through obscurity, and it best avoided. Even if the path to sensitive data is practically unguessable (say, you are using UUIDs), once a path is discovered it can be widely shared. Worse, if your paths are predictable, a savvy user can write scripts to periodically check potential URLs and see whether new information is available.
Should login error messages provide detailed messages of the problem? Why or why not?
No, because if a hacker is using brute force to try to guess a user's credentials if the error message is too detailed them it makes it easier to try and figure out the username and password.
What is the billion laughs attack?
Notice how the company declaration acts as a simple string substitution macro. This is a safe and helpful use of inline DTDs. A hacker has nested entity definitions within entity definitions within entity definitions. First, we replace the lol9s with the corresponding entity definition then we replace the lol8s with the corresponding entity definition. The whole thing tops out at about 3 gigabytes of data, which will probably crash your server
What is the major security hole in the window.location.hash value?
Notice how the window.location.hash value is written into the DOM as raw HTML - a major security hole.
What is an effective way of protecting yourself from XML bombs?
Parsing XML in an asynchronous process.
How do you protect against DOM-based XSS attacks? What are some example frameworks that will do this for you?
Protecting against DOM-based XSS attacks is a matter of checking that your JavaScript does not interpret URI fragments in an unsafe manner. Frameworks like AngularjS and React use templates that makes construction of ad-hoc HTML an explicit (and rare) action.
What can inline DTSs be used in XML External Entities?
Referencing external files that can expanded during parsing.
What is a reflected XSS and how does it defer from stored XSS attacks?
Reflected XSS attacks are less dangerous than stored XSS attacks, which cause a persistent problem when users visit a particular page, but are much more common. Any page that takes a parameter from a GET or POST request and displays that parameter back to the user in some fashion is potentially at risk. A page that fails to treat query string parameters as untrusted content can allow the construction of malicious URLs. An attacker will spread these malicious URLs in emails, in comments sections, or in forums. Since the link points at a site the user trusts, they are much more likely to click on it, not knowing the harm that it will do.
What is one of the most powerful aspects of how the internet is designed and what does it allow?
Requests can be triggered to the server-side code from anywhere - not just the client-side code we write.
What would you use a GET request in a REST-ful API?
Retrieving a resource.
What is the concern with rich client application?
Rich client applications often pass significant amounts of raw data to the browser. Be careful how much data is exposed in JSON packets for example. Modern frameworks make it easy to serialize data objects as JSON or XML, but you should take care that information is sanitized before being passed back to the client-side.
Describe how you can limit the permissions of your web server process.
Run your server processes with only the permissions they require to function - follow the principle of least privilege. This means restricting which directories in the file-system can be accessed. Consider running in a chroot jail if you are running on Unix.
What is one of the most important things to do correctly when building a website?
Safe treatment of passwords can be one of the hardest things to do correctly when building a website but is also one of the most important things to get right.
What is one of the hardest things to do correctly when building a website or application?
Safe treatment of passwords can be one of the hardest things to do correctly when building a website but is also one of the most important things to get right.
Password reset pages often require the user to enter their old password, even when they are logged in. Why?
So the user can't be locked out of their account if they accidentally leave themselves logged in on a device.
Why do you need to sanitize HTML?
Some sites have a legitimate need to store and render raw HTML, especially now that content Editable has become part of the HTML5 standard. If your site stores and renders rich content, you need to use a HTML sanitization library to ensure malicious users cannot inject scripts in their HTML submissions.
What is the reason Stan's firm gets fined?
Stan's firm is fined for not upholding their obligation to release information at the appropriate time.
Which is more dangerous: stored or reflected XXS attacks?
Stored
What is a good method of generating session IDs?
Strong random numbers
T or F: Authorization - checking what actions a user can perform is an important step in ensuring correct access control.
T
T or F: Making sure uploaded files are saved without the "executable" permissions is a good way of preventing file upload vulnerabilities?
T
T or F: URI fragments are not sent to a server.
T
What are the major factors that should be taken under consideration when implementing an authentication system?
The first thing to consider is: do you really need to build your own authentication system, how to implement password resets, password storage, good password management needs to be paired with good session management, whether you want browsers to cache passwords on your login page, and make sure your site uses HTTPS and marks cookies as secure.
What is a URI fragment?
The part of the URL after a # character.
What is the script looking for?
The script can be run many times in parallel - using a botnet, for instance - so it soon starts to spot session IDs already issued by your server.
How can the structure of an XML document be validated?
The structure of an XML document can be validated against a Document Type Definition (DTD) for correctness. DTDs can be inlined in XML documents and can refer to external entities.
What are the two main methods of describing XML grammars?
The two main methods of describing XML grammars are XML Schemas and Document Type Definition (DTDs). DTD is now a legacy format, having been replaced by the newer schema grammar.
Why should you try to avoid user enumeration vulnerabilities in your codebase?
They open the door to brute-forcing of passwords.
What opportunity do file upload vulnerabilities provide to attackers?
This gives attackers the opportunity to smuggle malicious script onto your server.
Why are rich web applications using URI fragments?
This has proven a convenient method of storing the user's location within a page in a way that keeps browser history readable but does not cause extra round trips to the server.
What is the cause of CSRF?
This is one of the most powerful aspects of how internet is designed: it allows linking between sites. But it also the cause of a common security flaw, cross-site request forgery (CSRF).
What is TLS and what does it do?
Transport Layer Security is a cryptographic protocol that allows client-server applications to communicate across a network in a way designed to prevent eavesdropping and tampering
What is the first aspect of a system the hacker will try to learn?
Try to figure out what web server you are running and the language it is written in.
Why are URI fragments vulnerable to attack?
URI fragments are not sent with HTTP requests, so they need to be interpreted by client-side JavaScript. You should be careful that your treatment of URI fragments does not permit the injection of malicious JavaScript
Where else can a hacker look to find out information about the web server technology?
URLs can also disclose information about the web server technology. Avoid paths ending with file extensions like .php, .jsp, or .asp and design your site to use clean URLs. Cookies can reveal information about the server you are running. The name of the session ID parameter often gives a clue to the server side technology.
Should XML 1.0 be used? Why?
Unfortunately, inline DTDs can be abused by a malicious user if you fail to configure your XML parsing library properly.
Session IDs need to be ___________in order to ensure your authentication scheme can not be bypassed with simple scripts.
Unguessable
Unless you're careful when constructing HTML what can hackers do?
Unless you are careful when constructing the HTML, hackers can abuse the comment function by injecting JavaScript.
How can you detect when an unauthorized user has access to your system?
Unless you deploy a intrusion detection system, you will often not know it is occurring until it's too late.
If you use the html(...) function in JQuery, what should you be wary of?
Untrusted input passed directly to the html(...) function may allow an attacker to inject malicious code in a page.
What did Mal notice about your server's upload functions?
Uploaded files do not get renamed as part of the upload process. The file name appears in the URL of the profile image when it is published. Secondly, filetype checking is done in JavaScript.
What is the purpose of anti-forgery tokens?
Validating that a request is generated by a page that is connected to the same website.
Escape Dynamic Content does what to HTML?
Web pages are made up of HTML, usually described in template files, with dynamic content woven in when the page is rendered. Stored XSS attacks make use of the improper treatment of dynamic content coming from a backend data store. The attacker abuses an editable field by inserting some JavaScript code, which is evaluated in the browser when another user visits that page.
How does HTTPS ensure secure transmission?
Website authors should ensure any sensitive communication is done over HTTPS, which makes use of the TLS protocol.
When passing a state between client and server using HTML forms, what is sent to the server after a form is submitted?
When a form is submitted by the user, a POST request will be sent to the server.
Explain how a man-in-the-middle attack works?
When a hacker is monitoring a user's computer traffic through a wireless hotspot and can record personal information such as credentials if the user isn't using a encrypted HTTPS.
How does the server know which user the browser is representing with each HTTP request?
When a website user is authenticated, the server and browser will exchange a session ID, so the server knows which user the browser is representing with each subsequent HTTP request.
How is the session identifier involved in horizontal escalation?
When an attacker manipulates a cookie to impersonate another user, it is called horizontal escalation. Never make access control decisions on the back of untrusted data.
What is the first goal of an attacker when they've targeted you?
When an attacker targets your website they will try to learn as much as possible about your stack so they can determine how it can be compromised.
How can privilege escalation within a website?
When the server makes access control decisions based on untrusted input returned by the browser.
What does Hack.php do?
When this web shell is executed by PHP, it will run any command passed in the "cmd" parameter.
How does the workflow work with Open ID?
With Open ID the workflow is generally performed by redirects between the site the user is seeking to log into (the relying party) and the identity provider.
Why are XML bombs a vulnerability if inline DTDs are rarely used?
XML bombs are an easy way for an attacker to perform a denial-of-server attack against your server if it accepts XML uploads. Inline DTDs are a rarely used feature. However, XML bombs remain a common vulnerability, because many XML parsing libraries do not disable this feature by default.
Why is XML is a useful data format?
XML documents are a popular way of transferring structured data. XML is a useful data format because data files can be checked for correctness before being processed.
How can you protect against XML external entities?
XML external attacks remain a risk because many XML parsing libraries do not disable this feature by default. Make sure your XML parser configuration disables this feature.
Why is XML a useful data format?
XML is a useful format because data files can be checked for correctness before being processed.
Does the time it takes to perform password-hashing matter? Why or why not?
Yes, make sure all login code-paths take about the same time on average. For instance, perform time-consuming operations like password-hashing even when you know the username is wrong.
If an attacker can abuse your authentication function to test whether _________ exists on your site, it makes exploiting other vulnerabilities much easier.
a username
Privilege escalation occurs when an attacker exploits a vulnerability to _____________________ or gain extra permissions.
impersonate another user
Keep the session state on the server side or ensure cookies are ___________ by using a digital signature.
tamper-proof