Your browser doesn't support the features required by impress.js, so you are presented with a simplified version of this presentation.

For the best experience please use the latest Chrome, Safari or Firefox browser.

Lars Fischer
What could possibly go wrong?


What could possibly go wrong?
Fehler in der IT-Sicherheit

lars.fischer@hs-bremerhaven.de

Prof. Dr. Lars Fischer

Prof. Dr. Lars Fischer

  • Juli 2020: Hochschule Bremerhaven
    • Lern- und Lehrlabor IT-Sicherheit
  • Uni Oldenburg / OFFIS
    • Energieinformatik
    • Adversarial Resilience Learning (ARL)
    • Cyber-Resilient Architectures and Security
  • Forschung:
    • Privatheitsmaße, Fahrzeugnetze, Social Networks
  • Industrie:
    • Sicherheitsanalyse und Beratung
  • Lehre:
    • Capture-the-Flag Teams

Überblick

  • Was ist IT-Sicherheit?
  • Vorfälle und Schwachstellen
  • Beispiel XSS
    1. Platz 3 in OWASP Top 10 / 2017
    2. Platz 7 in 2020
  • Abhilfe

Was ist IT—Sicherheit

Angriffe

WWW in a Nutshell

Protocol Stack

HTTP

HyperText Transfer Protocol

Client Server GET Noodles Noodes
Can we, yes?

Cross-Site Scripting Attack

(Stored XSS)

Attacker Server Victim

Attacker-Client

Input from untrusted source!

Sign-In Webform

  • Username:
  • Password: 

<form action="login">
<ul style="list-style-type:none">
   <li> Username: <input type="text" 
                name="uname" />
   </li>
   <li> Password: <input type="password" 
                name="password" />
   </li>
</ul> 
<input type="submit" value="Login" />
</form>

HTTP-Request

HTTP/1.0 POST login
host: www.example.com

uname=
<uname>
&pass=
<password>

Server Request Handling

Beispiel: Java Servlet

Problem: Speicherung ohne Input Validation 
protected void doPost(HttpServletRequest request, 
                      HttpServletResponse response) {
    String uname = request.getParameter("uname");
    String passwd = request.getParameter("password");
    signInUser(
uname
, 
passwd
);
}
Database Contents:
uname = 
user.getUname()
pass = 
user.getPass()

Server Data Usage

out.println(this.header()+
         "<h1>XSS UserList" + "</h1>\n" + "<ul>\n");
while(users.hasNext()) {
    User user = users.next();
    /* Output Encoding, you are not doing it! */
    out.println("<li>"+ 
user.getUname()
 
          + ":" + 
user.getPass()
 + "</li>"); 
}
out.println("</ul>\n"+ this.footer());

Client Data Usage

<h2>XSS UserList</h2>
<ul>
  <li>Sabine:6da91b75e</li>
  <li>Erika:5ed73af66</li>
  <li>
Evelin
:
123456
</li>
  <li>Solveig:0c07abddde</li>
  <li>Kathrin:1849933d93</li>
  <li>Natalie:e673ded9d9</li>
</ul>

XSS-Effect on Victim

XSS UserList

  • Sabine:6da91b75e51
  • Erika:5ed73af663e
  • Evelin
    :
    123456
  • Solveig:0c07abdddef
  • Kathrin:1849933d93
  • Natalie:e673ded9d9b

Output Encoding (Server Output)

out.println(this.header()+
         "<h1>XSS UserList" + "</h1>\n" + "<ul>\n");
while(users.hasNext()) {
    User user = users.next();
    /* Output Encoding, you are not doing it! */
    out.println("<li>"+ Encode.forHtmlContent(user.getUname()) 
      + ":" + Encode.forHtmlContent(user.getPass()) + "</li>"); 
}
out.println("</ul>\n"+ this.footer());
Example:
Special Characters: "<",">" "&lt;", "&gt;"
[ OWASP Java Encoder Project]

Quellen:
OWASP XSS Flaw
CAPEC-63 XSS

Take Away