Saturday, February 28, 2009

Clickjacking

Clickjacking is a client vulnerability that malicious websites can exploit.

What is Clickjacking?
Clickjacking occurs when a person visits a web page and clicks on something they believe is part of the site they are visiting, while in reality they are clicking on a different web page that they cannot see. This is done by loading one web page over another in an iframe and making the top page completely invisible. Buttons on the visible bottom page are strategically placed so that they line up with actions on the invisible page. Clickjacking has been used to delete all contacts in a user's web mail address book, make a MySpace profile completely public, and many other things. Click the following link to see an example of clickjacking. Clickjacking Example

How Can I Prevent It?
To my knowledge, there is no native prevention built into any web browser. However, you can download a plugin for Firefox called NoScript. I currently use it, and it will warn you when you click on something that you cannot see. Also, clickjacking usually needs the user to be logged into a website in order to be vulnerable. It is good practice to click "log out" when you are finished using a website; doing so would prevent many of these clickjacking exploits from harming you. Web applications
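The post predates it, but a server can now tell the browser outright that a page must never be rendered inside a frame, which removes the invisible-overlay trick at its root. The following is an added example, not code from the original post: a small WSGI middleware that stamps the two real response headers (X-Frame-Options and Content-Security-Policy frame-ancestors) onto every response; the app, the in-process request helper and the page body are constructed for illustration.

```python
# Added example, not from the original post: a WSGI middleware that makes every
# response carry the two real headers browsers honour to refuse being framed.
# The app, the in-process request helper and the page body are constructed
# here for illustration.

FRAMING_HEADERS = [
    ("X-Frame-Options", "DENY"),                            # older, widely supported
    ("Content-Security-Policy", "frame-ancestors 'none'"),  # current standard
]

def anti_framing(app):
    """Wrap a WSGI app so none of its pages can be loaded in an iframe."""
    blocked = {name.lower() for name, _ in FRAMING_HEADERS}

    def wrapped(environ, start_response):
        def start_with_headers(status, headers, exc_info=None):
            # Drop any framing header the app set itself, then add ours.
            kept = [(n, v) for n, v in headers if n.lower() not in blocked]
            return start_response(status, kept + FRAMING_HEADERS, exc_info)
        return app(environ, start_with_headers)
    return wrapped

def settings_page(environ, start_response):
    """Constructed stand-in for a logged-in settings page with a sensitive button."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method='post'><button>Make profile public</button></form>"]

def run(app, path="/settings"):
    """Call a WSGI app in-process; returns (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers
    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body

def allows_framing(headers):
    """True when nothing in the response tells the browser to refuse framing."""
    xfo = headers.get("X-Frame-Options", "").strip().upper()
    csp = headers.get("Content-Security-Policy", "")
    return xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp
```

The bare settings_page is frameable; wrapped in anti_framing it is not, and allows_framing is the check to run against a real application's responses.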

Resources

Sunday, February 22, 2009

Cross Site Scripting (XSS)

Another highly exploited web application vulnerability is Cross Site Scripting, or XSS. This weakness is ranked at number 1 on OWASP's Top 10.

What is Cross Site Scripting?
XSS is a type of injection hack - HTML injection, to be exact. It occurs when malicious JavaScript is submitted to a web application at a point that allows it to be reprinted on a page. The JavaScript becomes embedded in a page created by the web app and subsequently runs in a user's browser. Because the script came from a page generated by the app, it has access to any cookies the app created. This means that cookie information (like session data) could be sent to the hacker, allowing them to act as you in the application, effectively stealing your identity. If an ecommerce site like eBay or Amazon.com were vulnerable to this kind of attack (note - there is no known current vulnerability), an attacker could potentially order merchandise using your credit card and ship it to themselves.

Who is vulnerable?
Any web application that takes user input and re-displays it is potentially vulnerable.

How Can These Attacks be Prevented?
As with SQL injection, the best way to prevent this hack is to validate all user input. If validation is done on the client side, it must also be done on the server side, since it is easy to bypass anything that is completed client side. It is also good to run output through functions like htmlentities() or htmlspecialchars() in PHP. Java is a little more difficult. OWASP suggests that you use a Struts output mechanism like , but it is definitely not safe to use <%= %> outside of a properly encoded output mechanism. See the resources below for more ways to protect your application.
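The two defences above (server-side validation and encoding on output) side by side, as an added example that is not from the original post. Python's html.escape stands in for PHP's htmlspecialchars(); the allowlist rule, the sample page fragments and the payload string are constructed for illustration.

```python
import html
import re

# Added example (not from the original post). Server-side validation of input
# plus encoding of output, with html.escape playing the role of PHP's
# htmlspecialchars(). The username rule and page fragments are constructed.

USERNAME_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")   # allowlist, enforced on the server

def validate_username(value: str) -> bool:
    """Server-side check; a client-side copy of this rule is only a convenience."""
    return USERNAME_RE.fullmatch(value) is not None

def render_unsafe(comment: str) -> str:
    """The vulnerable pattern: user input concatenated straight into the HTML."""
    return "<p>" + comment + "</p>"

def render_safe(comment: str) -> str:
    """Text context: &, <, > and both quote characters become entities, so any
    markup in the input is displayed as text rather than parsed by the browser."""
    return "<p>" + html.escape(comment) + "</p>"

def render_attribute_safe(value: str) -> str:
    """Attribute context: quote=True (the default, spelled out here) encodes
    ' and " so the input cannot close the attribute and start another one."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'

def payload_survives(rendered: str, payload: str) -> bool:
    """Check a rendering: did the raw input reach the page unencoded?"""
    return payload in rendered
```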

Resources

Wednesday, February 18, 2009

SQL Injection

Injection flaws are ranked at number 2 on OWASP's Top 10 2007 list of the most common web application vulnerabilities, and SQL injection is the most commonly exploited injection flaw.

What is SQL Injection?
SQL injection is a type of hack that can be performed when a web application accepts input from a user (such as a user name or password). Instead of typing valid data, the hacker uses characters that are part of the SQL syntax. This way, the hacker can construct his or her own database query and perhaps gain more information about the database that can be used for more harmful attacks. Sometimes it is even possible to log into a system using SQL injection. I found a video example of this on YouTube, and you can view it below.

Video Example


Who is Vulnerable?
Any web application that uses user input as part of a database query is susceptible to a SQL injection hack.

How Can These Attacks be Prevented?
Although SQL injection vulnerabilities are still relatively common, they are easy to fix. The first rule of thumb is to ALWAYS validate user input on the server side. As the above video demonstrates, client-side JavaScript validation is not enough because users can get around it if they really want to. Second, a query containing user input should never be executed without first being prepared in some way. In Java, this means using a PreparedStatement object. If the web application is written in PHP with a MySQL database, use the mysql_real_escape_string() function. Last, the web server needs to be configured so that error pages do not reveal information about the inner workings of the web application (e.g. table names, row names). Hackers would love to get their hands on this type of information.
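What "prepared in some way" buys you, shown as an added example that is not from the original post. The in-memory SQLite table and the names in it are constructed; parameter binding here is the Python equivalent of Java's PreparedStatement, and the contrast with string concatenation is the same in any language.

```python
import sqlite3

# Added example (not from the original post). An in-memory SQLite table with
# constructed rows; one lookup pastes the user's text into the SQL, the other
# binds it as a parameter, as a Java PreparedStatement would.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users (name, pw_hash) VALUES (?, ?)",
                     [("alice", "h1"), ("O'Brien", "h2")])
    return conn

def lookup_unsafe(conn, name: str):
    """Vulnerable: the user's text becomes part of the SQL syntax. A single
    quote in a perfectly legitimate name already breaks the statement, which
    is the same mechanism that lets crafted input change its meaning."""
    sql = "SELECT id FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, name: str):
    """Parameterised: the statement text is fixed before the value arrives, so
    quotes and keywords in the name are only ever compared as data."""
    return conn.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchone()

def compare(name: str) -> dict:
    """Run both lookups on the same input and report what happened. The
    exception text is reduced to its class name: the kind of detail an error
    page should never show a visitor."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    return {"unsafe": unsafe, "safe": lookup_safe(conn, name)}
```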

Resources

Tuesday, February 17, 2009

MD5

As long as we're still on the subject of cryptography, I thought I would go into a little more detail on what MD5 is and how it can be used.

First it is important to understand what a hash is. A hash is a sort of fingerprint for computer data, and it is composed of a predetermined number of alphanumeric characters. You can determine a hash for any type of data (e.g. text, files like Word documents, images). A hash could look like this: 5eb63bbbe01eeed093cb22bb8f5acdc3

So how do you find a hash? You have to run a mathematical algorithm on the data from which you would like a hash to be determined. When the algorithm is run, the data are processed with many different mathematical operations that are extremely difficult to undo, and a hash value is created. An algorithm will always produce a hash of the same size every time, no matter how much or how little data are used as input. Different algorithms produce different sized hashes. The example below demonstrates the hash values for two commonly used algorithms. It shows the hash value that was calculated when "Hello world" was the input and when "Hello world!" was the input.

MD5
Hello world: 3e25960a79dbc69b674cd4ec67a72c62
Hello world!: 86fb269d190d2c85f6e0468ceca42a20

SHA-1
Hello world: 7b502c3a1f48c8609ae212cdfb639dee39673f5e
Hello world!: d3486ae9136e7856bc42212385ea797094475802

As you can see from the example, just adding "!" to the end of the input completely changed the hash values. This is important, because we want the hashes to be unpredictable. Also, the longer a hash is, the more secure it is.

So MD5 is an algorithm used to produce hash values. But how can it be used?

One use is to check file integrity after transfer. If you download a large file from the internet, there is a greater chance that some of the file did not transfer correctly, making the file corrupt. If the site you downloaded the file from provides an MD5 hash of the file, you could run the file through MD5 and see what hash value you get. If it matches the provided hash, your file is intact.

MD5 is also used for password storage. Instead of storing a user's password as plain text in a database, it is a better idea to hash it first. This way, anyone with access to the database cannot see all of the passwords. I actually implemented this last week on the Tutoring System. The database stores the hash values of passwords instead of the actual password. When a user logs into the system, the password they entered is hashed using MD5 and then the hash value is compared to the value in the database.

On a final note, I thought that it was important to mention that MD5 is not as strong as some other hashes. Newer applications requiring a high level of security should use an algorithm like SHA-256.
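Both uses described above in code, as an added example that is not the Tutoring System's own code. It reproduces the "Hello world" table with hashlib, checks a download against a published digest, and stores a password as a digest rather than plain text; the password part goes further than the post, using SHA-256 (the post's own recommendation for new systems) together with a random per-user salt, an addition the post does not mention. The file bytes, published digest and passwords are constructed.

```python
import hashlib
import hmac
import os

# Added example (not the post's Tutoring System code). The two uses of a hash
# the post describes: verifying a downloaded file against a published digest,
# and storing a password as a digest. Sample data are constructed.

def digest_hex(data: bytes, algorithm: str = "md5") -> str:
    """Fixed-size hex fingerprint of arbitrary data (md5, sha1, sha256, ...)."""
    return hashlib.new(algorithm, data).hexdigest()

def verify_download(file_bytes: bytes, published_hex: str, algorithm: str = "md5") -> bool:
    """True only if the file's digest matches what the download site published.
    compare_digest takes the same time whether or not the strings match."""
    return hmac.compare_digest(digest_hex(file_bytes, algorithm), published_hex.lower())

# Password storage. The post hashes the password directly with MD5; this goes
# further: SHA-256, plus a random per-user salt so two users with the same
# password do not end up with the same stored value. Stored format: salt$digest.
def hash_password(password: str, salt: bytes = b"") -> str:
    salt = salt or os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return salt.hex() + "$" + digest

def verify_password(password: str, stored: str) -> bool:
    """Re-hash the entered password with the stored salt and compare digests."""
    salt_hex, _ = stored.split("$", 1)
    recomputed = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)
```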

Resources:

Monday, February 16, 2009

Cryptography Overview

The main purpose of this entry is to provide an overview of securing a web application using encryption. Episode 181 of the Security Now podcast was a great resource, and it goes more into depth.

According to Steve Gibson, there are three main things we want in a secure connection between a client and a host over the internet:

  1. Confidentiality of communication
  2. Protection against message modification
  3. Endpoint authentication

So what do all these mean?

Confidentiality of communication means that nobody who intercepts our network traffic will be able to figure out what we are doing. According to the 2007 OWASP Top 10 Web Application Vulnerabilities, insecure communications was the 9th most common vulnerability. This can be fixed through encryption (either symmetric or asymmetric). If encryption is not used, anyone intercepting the traffic could easily see and understand the information being sent between the client and host.

Protection against message modification means that there are safeguards against accepting a message that has been altered by a hacker. For example, a hacker could potentially intercept a message requesting that a payment be sent to PayPal. They could repeat this message, causing multiple payments, or even alter it to be a different amount. Hashes are a good way to protect against this. They are somewhat like a fingerprint, and if the message changes at all, the hash would change.
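The payment scenario above as an added example, not code from the post or from the podcast it cites. For the fingerprint to stop modification it has to be a keyed hash (an HMAC): a plain hash travels with the message, so whoever alters the message can recompute it, while only a holder of the shared key can produce a valid HMAC. The receiver also remembers each message's nonce, which defeats the repeat-the-payment attack. The key and the messages are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Added example, not from the post or the podcast it cites. A keyed hash (HMAC)
# over a payment message, plus a nonce the receiver remembers, covering both
# threats the post names: alteration and repetition. Key and messages are
# constructed; a real system would agree the key out of band.

KEY = b"constructed-secret-shared-by-client-and-host"

def canonical(body: dict) -> bytes:
    """Stable byte encoding, so sender and receiver hash identical input."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def sign(message: dict, key: bytes = KEY) -> dict:
    """Client side: add a fresh nonce, then an HMAC-SHA256 tag over the whole body."""
    body = dict(message, nonce=secrets.token_hex(8))
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return dict(body, tag=tag)

class Receiver:
    """Host side: accepts a message only if its tag verifies and its nonce is new."""
    def __init__(self, key: bytes = KEY):
        self.key = key
        self.seen_nonces = set()

    def accept(self, envelope: dict) -> bool:
        body = {k: v for k, v in envelope.items() if k != "tag"}
        expected = hmac.new(self.key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope.get("tag", "")):
            return False            # altered in transit, or forged without the key
        if body.get("nonce") in self.seen_nonces:
            return False            # a replay of a message already processed
        self.seen_nonces.add(body["nonce"])
        return True
```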

Endpoint authentication means that you know you are communicating with the right server. This is achieved through certificates, which I blogged about previously.

SSL (Secure Sockets Layer) is a common protocol that provides all of this. Using SSL is a quick way to secure many aspects of a web application.

Resources