EECS 354 Network Security - Network Penetration and Security

Friday, October 22, 2010 

EECS 354 

Network Security 

Advanced Web Attacks


Encoding Security 

• probably doesn’t work 

• ';alert(String.fromCharCode(88,83,83))//\';alert 

(String.fromCharCode(88,83,83))//";alert(String.fromCharCode 

(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>alert(String.fromCharCode(88,83,83)) 

• Probably does 

• ';alert(&#x53 

;tring.fro 

mCharCod&#x65 

;(88,83,8&#x3 

3;))//\';a&#x6 

C;ert(Stri&#x6 

E;g.fromCh&#x 

61;rCode(8 .... 

• Look ye, mere mortal, and despair


Random Numbers 

• “Random” 

• PRNG 

• /dev/urandom 

• RNG 

• /dev/random 

• CSRNG 

• Know what you need 

• UUID (GUID)


Session Hijacking 

• Random number failure 

• Session information should be as random as possible 

• Hijacking one account isn’t as interesting as 

hijacking 100 accounts 

• Don’t expose in URL 

• Session Fixation 

• Don’t accept user-defined session-ids 

• Use TLS for all session communication 

• Maybe same IP 

• What if there are two people behind the same router? 

• Regenerate SID on every request


Cross-site Cooking 

• Cookies can usually only be set or read by the 

domain they were created by 

• Sometimes browsers have bugs 

• Don’t rely solely on this


Direct Object References 

• Read file: 

f = get_from_user() 

$txt = open(“/var/ww/” . f) 

• Modify file path 

f\$f = “../../../../../../etc/passwd” 

• Check authentication for EVERYTHING 

Text


Cookie Security - Encryption 

• Simple cookie security is hard 

• More complex is exponentially harder 

• What if we want two separate servers to share a 

cookie?

public static string Encrypt(string toEncrypt, string key, bool 

useHashing) 

{ 

byte[] keyArray = UTF8Encoding.UTF8.GetBytes(key); 

byte[] toEncryptArray = UTF8Encoding.UTF8.GetBytes(toEncrypt); 

if (useHashing) 

keyArray = new MD5CryptoServiceProvider().ComputeHash(keyArray); 

var tdes = new TripleDESCryptoServiceProvider() 

{ Key = keyArray, Mode = CipherMode.ECB, Padding = 

PaddingMode.PKCS7 }; 

} 


ICryptoTransform cTransform = tdes.CreateEncryptor(); 

byte[] resultArray = cTransform.TransformFinalBlock( 

toEncryptArray, 0, toEncryptArray.Length); 

return Convert.ToBase64String(resultArray, 0, resultArray.Length);


You Aren’t Smart Enough to 

Do Cryptography 

• DO NOT DO YOUR OWN 

CRYPTOGRAPHY 

• Use a library 

• Even that won’t save you 

• Google Keyczar 

• return self.Sign(msg) == sig_bytes 

• HMAC verification 

• Timing attack 

• SSL, Secure Mode cookies, correct certificate auth


Null Byte Injection 

• Uses a NULL terminator to alter/rewrite the 

query string 

String fn = request.getParameter 

("fn"); 

if (fn.endsWith(".db")) 

{ 

File f = new File(fn); 

//read the contents of “f” file 

… 

} 

• Normal: 

http://www.example.host/mypage.jsp?fn=report.db 

• Attacking: 

http://www.example.host/mypage.jsp?fn=serverlogs.txt%00.db


Fail to Restrict URLs 

• Main app: http://example.com/myapp.php 

• Helper script: http://example.com/helper.php 

• Maybe a backup script http://example.com/backup.php 

• Prints diffs for backup purposes, logging, etc. 

• Navigate to helper.php 

• (?????) 

• Profit


New Stuff 

• ‘Evercookie’ 

• HTML5 cookie that hides in all of the little cracks in 

HTML5 and is practically impossible to remove 

• Java SOP is dumb 

• Doesn’t check domain name if IP addresses resolve the 

same 

• DNS authentication issues (~1 year old) 

• Root recently signed with DNSSEC 

• 7 security researchers given keys to “restart the internet” 

• “Fellowship of the Ring” 

• Android (Marketplace) really, really sucks 

• Wallpaper app steals your data and sends it to China 

• Millions of downloads

EECS 354 Network Security - Network Penetration and Security

Create successful ePaper yourself

Delete template?

Save as template?