A Back-Stage Pass: What Every Hacker Wants
Presented by: Art Jones
A Back-Stage Pass
What does the web do? What is its purpose?
It is a communications medium, like print or paint or clay or even music… only digital.
Digital = easy to create, change, copy, move.
Easy = cheap to produce, cheap to distribute.
As with any medium, “good don’t come cheap.” There are very few masters of more than one medium.
A Back-Stage Pass
• A bit of a history lesson
• Clarify some terms
• Understand how modern web systems work
• See where security breaks down
Some basics…
A very general overview of how a web browser gets a web page…
User requests URL: http://www.psu.edu/webconference
• Browser / operating system get the IP address from the DNS server.
• Browser opens a connection to the web server’s address, specifying port #80, and issues a message: “GET /webconference”. (Messages use HTTP.)
• Web service looks in its /webconference directory. Because a specific file was not requested, the service checks its rules and looks for a default name.
• The web service then copies the file from its directory back to the browser, using HTTP.
[Diagram: Web Client (browser) -> Internet -> Web Service -> Disk Drive, with a DNS Server consulted for the address]
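The “checks its rules and looks for a default name” step, as an added Python example that is not from the presentation: it maps the path of “GET /webconference” onto a file under the document root, tries default document names when a directory was requested, and refuses any request that resolves outside the root. The default-name list and the sample site are assumptions constructed for the example.

```python
import tempfile
from pathlib import Path
from urllib.parse import unquote

# Default document names the service tries, in order, when the request
# names a directory rather than a file.  Assumption: real servers make
# this list configurable; these two are illustrative.
DEFAULT_NAMES = ("index.html", "default.htm")


def resolve_request(docroot, request_path):
    """Map the path of a request such as 'GET /webconference' to a file.

    Returns a Path to send back, or None when nothing may be sent.
    Mirrors the slide: look in the named directory; if no specific file
    was requested, check the rules and look for a default name.
    """
    root = Path(docroot).resolve()
    # Decode %XX escapes first, then drop the leading '/' so joining the
    # request onto docroot does not discard docroot.
    relative = unquote(request_path.split("?", 1)[0]).lstrip("/")
    candidate = (root / relative).resolve()
    # The check a practitioner wants here: the resolved path must stay
    # inside docroot, or '..' segments would reach files outside the site.
    if candidate != root and root not in candidate.parents:
        return None
    if candidate.is_dir():
        for name in DEFAULT_NAMES:
            default = candidate / name
            if default.is_file():
                return default
        return None  # no default document: do not expose a listing
    return candidate if candidate.is_file() else None


def make_sample_site():
    """Constructed sample site holding only /webconference/index.html."""
    root = Path(tempfile.mkdtemp())
    (root / "webconference").mkdir()
    (root / "webconference" / "index.html").write_text("<h1>hi</h1>")
    return str(root)
```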
Terms
• Client = computer that wants data
• Server = computer with the data
• Service = software that provides the data
• DNS = Domain Name Service
• IP = Internet Protocol
• HTTP = Hyper-Text Transfer Protocol
• HTML = Hyper-Text Markup Language
Things you need to keep in mind:
DNS lookups take time and network bandwidth (usually not much, but consider scaling factors), and DNS servers can be hacked to re-direct clients. The web server with the real data is never contacted.
[Diagram: Web Client (browser) -> Internet -> Corrupted DNS Server / EVIL Web Server]
• Client to corrupted DNS server: “What’s the address for www.psu.edu?”
• Corrupted DNS server: “www.psu.edu = 000.000.000.666”
• Client to EVIL web server: “Give me the data”
• EVIL web server: “Data: please enter your credit card number…”
Things you need to keep in mind:
Web servers generally allow anonymous access to their data resources. This is accomplished by aliasing the unknown internet user as an account known to the server (IUSR_Servername, Apache, Anonymous). Data access uses this account’s permissions in the operating system.
[Diagram: Internet -> Web Service -> Disk Drive. The conversation between the internet and the web service is anonymous (but can be forced to be authenticated, creating intranets/extranets); the conversation between the web service and the disk drive is aliased with a known account name.]
Encryption & Authentication
• Client requests a secure connection to the service (https:, port 8080).
• Service responds: “here is my public key.”
• Client to certificate authority: “I am trying to contact a service; here is the key it gave me.”
• Certificate authority to client: “looks good to me.”
• Client to web service: <our conversation can be encrypted now>
[Diagram: Web Client (browser) -> Internet -> Web Service -> Disk Drive, with a Certificate Authority Service reachable from the client]
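What “looks good to me” rests on, as an added Python example that is not the presenter’s code: besides checking that the certificate chains to a trusted authority, the client checks that one of the names in the certificate covers the host it asked for. That name check is what defeats the corrupted-DNS scenario two slides back: a server that cannot obtain a certificate for www.psu.edu from a trusted authority is refused before any application data is sent. The certificate name lists below are constructed; the wildcard rule follows what browsers apply.

```python
import socket
import ssl


def hostname_matches(cert_name, host):
    """Does one name from a certificate cover the host the client wanted?

    Exact match is case-insensitive.  A wildcard must be the whole
    leftmost label and covers exactly one label: '*.psu.edu' covers
    'www.psu.edu' but neither 'psu.edu' nor 'a.b.psu.edu'.
    """
    cert_name = cert_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    suffix = cert_name[1:]                     # '.psu.edu'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def dns_names_from_cert(cert):
    """Pull the DNS names out of the dict that ssl's getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]


def cert_covers_host(cert, host):
    """True when any DNS name in the certificate covers the requested host."""
    return any(hostname_matches(n, host) for n in dns_names_from_cert(cert))


def open_verified_connection(host, port):
    """Connect with Python's default context: trusted CA roots loaded,
    a certificate required and the hostname checked.  ssl raises instead
    of returning when either check fails, so a hijacked address that
    leads to a server holding someone else's certificate gets nothing.
    """
    context = ssl.create_default_context()
    sock = socket.create_connection((host, port))
    return context.wrap_socket(sock, server_hostname=host)
```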
Terms
• Encryption
• Authentication
• PKI
• Public Key
• Private Key
• Certificate
• HTTPS
A closer look at web services: CGI
• CGI programs allow dynamic web-page content; HTML is built when a page is requested, instead of existing statically on disk.
• Simple uses would be hit-counters, real-time server reports, generating e-mail from web-based forms, etc.
• A compiled program executes quickly, and the code can be kept elsewhere.
[Diagram: Internet -> Web Service -> Compiled Program using the Common Gateway Interface (CGI) -> Disk Drive]
A closer look at web services: ISAPI
• Microsoft’s answer to CGI.
• Programs are saved as .DLL files.
• The web service recognizes hits to particular file types as requests for ISAPI-generated data.
• Used in Microsoft’s web-based server administration system.
[Diagram: Internet -> Web Service -> Compiled Program using the Internet Services Application Program Interface (ISAPI; sometimes called ISAPI filters) -> Disk Drive]
A closer look at web services: Cold Fusion
• Cold Fusion’s model: put the web service and the command interpreter in one program.
• This allowed mixing of HTML and program code within a single file.
• Primary use is for database-driven web pages.
[Diagram: Internet -> Web Service with Command Interpreter -> Disk Drive]
A closer look at web services: ASP
• Microsoft introduced Active Server Pages (ASP), which interpret code in the Visual Basic Script (or JavaScript) language.
• Allowed mixing HTML and programming code.
• Implemented as an ISAPI .DLL file, building on their previous system.
• Took advantage of their large base of VB programmers.
[Diagram: Internet -> Web Service -> ISAPI filter that interprets programming code (ASP, PHP) -> Disk Drive]
Other Options
[Diagram: Internet -> Web Service -> ISAPI filter that interprets programming code -> Compiled Program -> Disk Drive]
Tying to databases
[Diagram: Internet -> Web Service -> Compiled program or ISAPI filter -> Disk Drive / Database Service]
Tying to databases
[Diagram: Internet -> Web Service -> ISAPI filter that interprets programming code -> Disk Drive / ODBC/JDBC -> Database Service (MS-SQL, MySQL, etc.)]
Terms
• CGI
• ISAPI Filter
• ASP/PHP/JSP
• ODBC/JDBC
• CF
Security Concerns
• Scripts are typically run in the context of the web service user (usually an anonymous account).
• Database services usually maintain their own accounts and security permissions (with some really open defaults).
• Communication between the script and the DB must use a DB account.
[Diagram: Internet -> Web Service -> Compiled program or ISAPI filter -> Disk Drive / Database Service]
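A defender’s check on the two contexts described here and on the anonymous-account slide, as an added Python example that is not part of the presentation: it walks a document root and reports files the anonymous account could modify and files that carry a database account’s password. Assumptions: a Unix-style server where the anonymous account owns nothing under the root and belongs to no owning group, so its rights are the “other” permission bits (Windows ACLs for IUSR need a different check); the credential pattern and the sample tree are constructed.

```python
import os
import re
import stat
import tempfile

# Assumption: settings files name the DB account like this; the pattern
# is illustrative, not a complete list of connection-string syntaxes.
CREDENTIAL_RE = re.compile(r"\b(password|pwd)\s*=", re.IGNORECASE)


def audit_docroot(docroot):
    """Return sorted (finding, relative_path) pairs for the tree.

    'writable-by-anonymous': the web service account (taken as 'other')
    can change the file, so a bug in any script becomes a defaced or
    trojaned page.  'credential-in-docroot': a DB account password sits
    where a misconfiguration or any script in the anonymous context can
    read and reveal it; it belongs outside the published tree.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, docroot)
            mode = os.stat(path).st_mode
            if mode & stat.S_IWOTH:
                findings.append(("writable-by-anonymous", rel))
            with open(path, errors="replace") as handle:
                if CREDENTIAL_RE.search(handle.read()):
                    findings.append(("credential-in-docroot", rel))
    return sorted(findings)


def make_sample_docroot():
    """Constructed tree: a normal page, a world-writable upload and a
    settings include holding the DB account's password (placeholder)."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "upload"))
    pages = {
        "index.html": "<h1>Web conference</h1>",
        os.path.join("upload", "notes.txt"): "scratch",
        "db.inc": "uid=webapp\npassword=CHANGE-ME-placeholder\n",
    }
    for rel, text in pages.items():
        with open(os.path.join(root, rel), "w") as handle:
            handle.write(text)
    os.chmod(os.path.join(root, "index.html"), 0o644)
    os.chmod(os.path.join(root, "upload", "notes.txt"), 0o666)
    os.chmod(os.path.join(root, "db.inc"), 0o640)
    return root
```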
Client-side operations
• Web Client
• IE, Netscape/Mozilla
• Crawlers
• Varying platform capabilities (PDAs, etc.)
• Know your audience.
• Define your audience & give warnings.
• You may have to accommodate non-optimal client platforms (and connections).
[Diagram: Web Client -> Internet]
Client-side operations
• Browser
• HTML variants
• Scripting languages (JavaScript, VB-Script)
• Plug-ins to handle non-HTML files
• MIME mappings to launch other applications
• Java
• The browser & other applications launched through the browser run in the context of the user, and will be constrained by the user’s permissions.
• Many e-mail clients work very similarly to web browsers, with scripting, plug-ins, MIME mappings, etc. The big difference is their built-in ability to send messages, allowing worm propagation.
• Biggest security concern is the user.
[Diagram: Browser -> Internet]
What about XML?
• XML is just another language like HTML.
• XML can be used to hold data, independently of presentation.
• It is up to the client program to do something with the data. Maybe display it; maybe process it; maybe just store it.
• Put these technologies together and you get “Web Services”.
• Allows for authoritative sources of data.
• Basis for .NET and J2EE architectures.
[Diagram: Web Client / Data-seeking programs -> Internet; data is transferred in XML-encoded format]
Lessons:
• Know your specific architecture. Web developers, web and DB admins, and network admins must all cooperate to secure the server side.
• Don’t tell people who don’t need to know. (“…what every hacker wants!”)
• Understand the contexts where programs will run. The servers/services, the accounts used at each step, and the target clients are all important.