1 / 31

Web Services and Authentication

Web Services and Authentication. IS/CS 698 Min Song Information Systems. What is Web Application Security?.

berke
Download Presentation

Web Services and Authentication

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Web Services and Authentication IS/CS 698 Min Song Information Systems

  2. What is Web Application Security? Web Applications exist in many forms. Some search, some count, others even transfer money within your bank accounts. Web Applications are employed to carry out many mission-critical tasks and if anything on the web is certain, our reliance upon web applications will continue to grow. Simply, the securing of web applications.

  3. Why is web application security important? • Before software functionality was capable of being delivered via the web, software developers security concerns were relatively given: that their user-base was limited to internal or wan networks. All this has now changed. Web developers now create software that runs upon web servers accessed by anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially and in so doing, security issues have also risen. • - Browser Hi-Jacking • - Cookie Theft • - Denial of Service • - Abuse • - User Privacy Invasion

  4. Architecture of the Web server user transaction • Hypertext information model (linking of documents) • Client/Server consultation protocol ? Internet documents

  5. Security problems : confidentiality • Unauthorized release of information ? Internet user ? pirate

  6. Internet Security problems: integrity • Unauthorized modification of information user ? pirate

  7. Security measures firewalls encryption Access control authorization authentication

  8. Encryption: principles • Mathematical transformation of a message Encrypt Decrypt Hello Hel Hello plaintext cyphertext plaintext decryption key encryption key -Server authentication -Client authentication -Document confidentiality -Document integrity

  9. Access control model resources user request guard authorize Reference Monitor noeuds operation deny consult update security database security administrator

  10. Access control: authentication • Verifying the identity of a user identity, proof of identity security database

  11. Web authentication mechanisms

  12. Access control: authorization • Verifying the access rights of a user identity, proof of identity ? security database

  13. Web authorization mechanisms • Access control lists (ACL) • Roles, groups : simple user administration • Capabilities : exchange of access control information in the request

  14. The goal of an attack • Steal data • Blackmail • Beachhead for other attacks • Bragging rights • Vandalism • Demonstrate vulnerability/satisfy curiosity • Damage company reputation • Others?

  15. Commonly attacked services • SMTP servers (port 25) • sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. “ • RPC servers (port 111 & others) • NetBIOS shares (port 139) • Opasoft worm • FTP servers (ports 20, 21) • wuftpd vulnerabilities • SSH servers (port 22) • OpenSSH vulnerability • Web servers (ports 80, 443) • Apache chunked encoding vulnerability

  16. Web server attack • Scan to find open ports • Find out what’s running on open ports (banner grabbing) • Profile the server • Windows (look for Kerberos, NetBIOS, AD) • Unix • Use TCP fingerprinting • Probe for weaknesses on interesting ports • Default configuration files and settings (e.g. popular IIS ones) • Buffer overflows • Insecure applications • Launch attack • Use exploit code from Internet… • …or build your own

  17. Scanning… What O/S is this system?

  18. Scanning… What O/S is this system?

  19. Example Web Application Internal network Internet DMZ Protected network • AJP • IIOP • T9 • etc. DB Clear-text or SSL Web server App server (optional) HTTP request Web app Web app Web app transport DB Web app Web client: IE, Mozilla, etc. • Apache • IIS • Netscape • etc. • Servlet engine • J2EE server • ColdFusion • Oracle 9iAS • etc. • Perl • C++ • CGI • Java • ASP • PHP • etc. • ADO • ODBC • JDBC • etc. • Oracle • SQL Server • etc. HTTP reply (HTML, JavaScript, VBScript, etc.)

  20. OWASP Top 10 Web Application Security Vulnerabilities • Unvalidated parameters • Broken access control • Broken account/session management • Cross-site scripting flaws • Buffer overflows • Command injection flaws • Error handling problems • Insecure use of cryptography • Remote administration flaws • Web and app server mis-configuration http://www.owasp.org

  21. #10: Web/App Server Misconfiguration • Tension between “work out of the box” and “use only what you need” • Developers ≠ web masters • Examples • Unpatched security flaws (BID example) • Misconfigurations that allow directory traversal • Administrative services accessible • Default accounts/passwords • Countermeasures • Create and use hardening guides • Turn off all unused services • Set up and audit roles, permissions, and accounts • Set up logging and alerts

  22. #9: Remote Administration Flaws • Problems • Weak authentication (username=“admin”) • Weak encryption • Countermeasures • Don’t place admin interface on same server • Use strong authentication: certificates, tokens, strong passwords, etc. • Encrypt entire session (VPN or SSL) • Control who has accounts • IP restrictions

  23. #8: Poor Cryptography • Insecure storage of credit cards, passwords, etc. • Poor choice of algorithm (or invent your own) • Poor randomness • Session IDs • Tokens • Cookies • Improper storage in memory • Countermeasures • Store only what you must • Store a hash instead of the full value (SHA-1) • Use only vetted, public cryptography

  24. #7: Error Handling • Examples: stack traces, DB dumps • Helps attacker know how to target the app • Inconsistencies can be revealing too • “File not found” vs. “Access denied” • Fail-open errors • Need to give enough info to user w/o giving too much info to attacker • Countermeasures • Code review • Modify default error pages (404, 401, etc.)

  25. Error messages example

  26. #6: Command Injection • Allows attacker to relay malicious code in form variables or URL • System commands • SQL • Interpreted code (Perl, Python, etc.) • Many apps use calls to external programs • sendmail • Examples • Path traversal: “../” • Add more commands: “; rm –r *” • SQL injection: • Countermeasures • Taint all input • Avoid system calls (use libraries instead) • Run application with limited privileges

  27. #5: Buffer Overflows • Mostly affects web/app servers • Can affect apps/libraries too • Goal: crash the target app and get a shell • Buffer overflow example • echo “vrfy `perl –e ‘print “a” x 1000’`” |nc www.targetsystem.com 25 • Replace this with something like this… • char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…” • Countermeasures • Keep up with bug reports • Code reviews • Use Java

  28. #4: Cross-Site Scripting (XSS) • Attacker uses a trust application/company to send malicious code to end-user • Attacker can “hide” the malicious code • Unicode encoding • 2 types of attacks • Stored • Reflected • Wide-spread problem! • Countermeasure: input validation • Positive • Negative: “< > ( ) # &” • Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38”

  29. #3: Broken Account and Session Management • Weak authentication • Password-only • Easily guessable usernames (admin, etc.) • Unencrypted secrets are sniffable • How to break in • Guess password • Reset password • Have app email you new password • Sniff password • Backend authentication • How database passwords are stored • Trust relationships between hosts (IP address can be spoofed, etc.)

  30. #2: Broken Access Control • Usually inconsistently defined/applied • Examples • Insecure session IDs or keys • Forced browsing past access control checks • Path traversal • File permissions – may allow access to config/password files • Client-side caching

  31. #1: Unvalidated Parameters • Attacker can easily change any part of the HTTP request before submitting • URL • Cookies • Form fields • Hidden fields • Headers • Encoding is not encrypting • Toasted Spam: http://www.toastedspam.com/decode64 • Input must be validated on the server (not just the client). • CoolCarts: http://www.extremelasers.com • Countermeasures • Tainting (Perl) • Code reviews (check variable against list of allowed values, not vice-versa) • Application firewalls • CodeSeeker: http://www.owasp.org/codeseeker/

More Related