
CSC 482/582: Computer Security


dcarty




Presentation Transcript


  1. HTTP Security
     CSC 482/582: Computer Security

  2. Topics
     • How HTTP works
     • HTTP methods, headers, and responses
     • URIs, URLs, and URNs
     • Statelessness
     • Cookies
     • More HTTP methods and headers
     • Proxying and Caching
     • HTTP Vulnerabilities

  3. HTTP: HyperText Transfer Protocol
     (Figure: the Web Client sends a Request for Resource to the Web Server; the Web Server returns a Response.)

  4. Pages Require Many Requests

  5. HTTP GET Request
     GET http://www.google.com/ HTTP/1.1                       <- Method, URL, Protocol Version
     Host: www.google.com                                      <- Headers
     User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/20100101 Firefox/35.0
     Accept: text/html, image/png, */*
     Accept-Language: en-us,en;q=0.5
     Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
                                                               <- Blank Line
     (No data for GET method)

  6. HTTP POST Request
     POST http://www.example.com/ HTTP/1.1                     <- Method, URL, Protocol Version
     Host: www.example.com                                     <- Headers
     User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/20100101 Firefox/35.0
     Accept: text/html, image/png, */*
     Accept-Language: en-us,en;q=0.5
                                                               <- Blank Line
     name=Jane+Doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=NA   <- POST data

  7. HTTP Response
     HTTP/1.1 200 OK                                           <- Protocol Version, HTTP Response Code
     Cache-Control: private                                    <- Headers
     Content-Type: text/html
     Server: GWS/2.1
     Date: Fri, 13 Oct 2006 03:16:30 GMT
                                                               <- Blank Line
     <HTML> ... (page data) ... </HTML>                        <- Web Page Data

  8. Common HTTP Methods

  9. Idempotence and Safety
     An operation is safe if making the request will not change any state on the server.
       • GET, HEAD, and OPTIONS are safe.
     An operation is idempotent if making one request has the same effect as making a series of identical requests.
       • PUT and DELETE are idempotent.
     POST is neither safe nor idempotent.
     It is possible for servers to misuse requests like GET.
       • Example: GET https://api.deli.icio.us/posts/delete
       • If misused, testing tools, spiders, and caches can destroy data.

  10. Common HTTP Response Codes
     See http://httpstatus.es/

  11. Common Request Headers

  12. Common Response Headers

  13. HTTP Header Parsing
     Handling of duplicate headers
       • ~50% of browsers/servers will use the first header.
       • ~50% of browsers/servers will use the last header.
     Mixing of protocol versions
       • Difficult to predict the effect of mixing 1.0 and 1.1 headers, especially when headers have the same purpose.
       • Ex: Expires (1.0) and Cache-Control (1.1) headers.
     Semicolon-delimited header values
       • Quoted string format values not handled well by IE.
       • Content-Disposition: attach; filename="evil.exe;.txt"
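The request layout from slides 5 to 7 (request line, headers, blank line, body) and the duplicate-header ambiguity from slide 13 can both be seen in one small parser. The following is an added example, not code from the slides: it parses a raw HTTP/1.x request and lets the caller pick a "first", "last" or "strict" policy for duplicated headers. The sample request, with two disagreeing Content-Length headers, is constructed for this example.

```python
from typing import List, Optional, Tuple

CRLF = b"\r\n"

# Constructed sample request (not from the slides): the second
# Content-Length disagrees with the first, so the body length depends
# on which occurrence the parser honours.
SAMPLE_REQUEST = (
    b"POST http://www.example.com/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: mybrowser/2.0\r\n"
    b"Content-Length: 9\r\n"
    b"Content-Length: 4\r\n"
    b"\r\n"
    b"name=Jane"
)


class HTTPRequest:
    """Request line, headers in wire order, and body."""

    def __init__(self, method: str, target: str, version: str,
                 headers: List[Tuple[str, str]], body: bytes) -> None:
        self.method = method
        self.target = target
        self.version = version
        self.headers = headers
        self.body = body

    def header(self, name: str, policy: str = "first") -> Optional[str]:
        """Look up a header under a duplicate-handling policy.

        "first"  - use the first occurrence (roughly half of implementations)
        "last"   - use the last occurrence (the other half)
        "strict" - refuse conflicting duplicates, as RFC 7230 requires
                   for Content-Length
        """
        values = [v for n, v in self.headers if n.lower() == name.lower()]
        if not values:
            return None
        if policy == "first":
            return values[0]
        if policy == "last":
            return values[-1]
        if policy == "strict":
            if len(set(values)) > 1:
                raise ValueError("conflicting values for %s: %r" % (name, values))
            return values[0]
        raise ValueError("unknown policy %r" % policy)

    def duplicate_headers(self) -> List[str]:
        """Names (lower-cased) that occur more than once."""
        counts = {}
        for n, _ in self.headers:
            counts[n.lower()] = counts.get(n.lower(), 0) + 1
        return sorted(n for n, c in counts.items() if c > 1)


def parse_request(raw: bytes, policy: str = "first") -> HTTPRequest:
    """Parse a raw HTTP/1.x request: request line, headers, blank line, body."""
    head, sep, body = raw.partition(CRLF + CRLF)
    if not sep:
        raise ValueError("missing blank line that ends the header block")
    lines = head.split(CRLF)
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, version = parts
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, colon, value = line.decode("latin-1").partition(":")
        # RFC 7230: no whitespace between the field name and ':', no empty name
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers.append((name, value.strip()))
    req = HTTPRequest(method, target, version, headers, body)
    length = req.header("Content-Length", policy)
    if length is not None:
        n = int(length)
        if n > len(body):
            raise ValueError("body shorter than Content-Length")
        req.body = body[:n]  # which n applies depends on the policy
    return req


def is_unambiguous(raw: bytes) -> bool:
    """True when the request parses the same way under every policy."""
    try:
        parse_request(raw, "strict")
        return True
    except ValueError:
        return False
```

Running the sample through the "first" and "last" policies yields two different bodies from one request, which is exactly why a front-end proxy and a back-end server that disagree on the policy are a problem; the "strict" policy rejects the request instead.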

  14. Internet Media Types
     Standards
       • Original MIME (Multipurpose Internet Mail Extensions)
       • IANA maintains official registry of types at https://www.iana.org/assignments/media-types/media-types.xhtml
     Format
       • Type/Subtype; Optional Parameters
       • Example: text/html; charset=UTF-8
     Handling in HTTP
       • Requested in Accept: header.
       • Specified by server in Content-Type: header.
       • Browser may view directly, use plug-in, or start an external program.

  15. HTTP Standards
     Historical Standards
       • HTTP 0.9 (1991) 1st documented version.
       • HTTP 1.0 (1996) defined in RFC 1945.
       • HTTP 1.1 (1999) defined in RFC 2616.
     Current Standard (well specified HTTP/1.1, 2014)
       • RFC 7230: Message Syntax and Routing
       • RFC 7231: Semantics and Content
       • RFC 7232: Conditional Requests
       • RFC 7233: Range Requests
       • RFC 7234: Caching
       • RFC 7235: Authentication

  16. HTTP/2
     Focused on performance; no semantics changes
       • Based on Google's SPDY protocol.
       • Single TCP connection for each client/server pair.
       • Allows multiple requests and responses to be sent simultaneously over same connection.
       • HPACK header compression.
       • Server can push additional documents (images, stylesheets, scripts, iframes).
     Status
       • IETF finished, expected to publish RFC in 1Q2015.
       • Firefox 36 and Chrome 40 will support draft HTTP/2.

  17. Uniform Resource Identifiers (URIs)
     A URI is a string of characters that identifies a web resource. URIs come in two types.
     Uniform Resource Names (URNs)
       • Identify a resource by name within a specific namespace.
       • Ex: urn:isbn:0-395-36341-1
     Uniform Resource Locators (URLs)
       • Identify a resource via a representation of its primary access mechanism, e.g. a network address.
       • Ex: http://www.nku.edu/

  18. URL Format
     <proto>://<user:pw>@<host>:<port>/<path>?<qstr>#<frag>
       • Proto is the network protocol, e.g. http, ftp, mailto, etc.
       • User and pw are optional authentication credentials.
       • Host is the DNS name or IP address of the server.
       • Port is the TCP port number; defaults to 80 for http.
       • Path is the name of the resource on the server, which may or may not represent a filesystem path.
       • Qstr is a query string typically used by GET requests to send parameters to an application.
       • Frag is a fragment identifier used by the client to identify a location within a web page. It is not sent to the server. Some client apps use fragments for navigation, so their contents may be security sensitive.

  19. URL Encoding
     <proto>://<user:pw>@<host>:<port>/<path>?<qstr>#<frag>
       • Query string is a set of key=value pairs separated by &
         • ?q=cloud&lang=en
       • Whitespace marks end of URL
       • Special characters must be URL-encoded.
         • %HH represents character with hex value, e.g. %20 = space.
         • Special characters include whitespace : @ ? / # &
         • Any character may be encoded, including proto, path, etc.
       • URL encoding is also used in the body of POST requests.
     http://user:password@www.example.com:8001/a%20spaced%20path?l=en#section2
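As an added example (not from the slides) of the URL format and encoding rules on slides 18 and 19, the following code takes the slide's example URL apart with Python's standard urllib.parse, shows what actually reaches the server on the request line (no fragment, no user:pw), and percent-encodes query parameters and path segments so that the special characters listed on the slide cannot change the URL's structure. DEFAULT_PORTS is this example's own table.

```python
from urllib.parse import parse_qs, quote, unquote, urlencode, urlsplit

# The example URL from the URL Encoding slide.
SAMPLE_URL = "http://user:password@www.example.com:8001/a%20spaced%20path?l=en#section2"

# Assumed defaults for this example; the slide only states 80 for http.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21}


def url_components(url: str) -> dict:
    """Split a URL into <proto>://<user:pw>@<host>:<port>/<path>?<qstr>#<frag>."""
    p = urlsplit(url)
    return {
        "proto": p.scheme,
        "user": p.username,
        "pw": p.password,
        "host": p.hostname,                 # lower-cased, credentials and port stripped
        "port": p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme),
        "path": unquote(p.path),            # %20 decoded once, only after splitting
        "qstr": parse_qs(p.query),          # key -> list of values (keys may repeat)
        "frag": p.fragment,                 # stays on the client
    }


def request_target(url: str) -> str:
    """What the browser puts on the request line for this URL.

    The fragment never leaves the client, and the user:pw part is not
    written into the URL on the wire either; if credentials are sent at
    all they travel in a separate header.
    """
    p = urlsplit(url)
    target = p.path or "/"
    if p.query:
        target += "?" + p.query
    return target


def build_query(params: dict) -> str:
    """key=value pairs joined by '&', each side percent-encoded.
    urlencode uses quote_plus, so a space becomes '+' in a query string."""
    return urlencode(params)


def encode_path_segment(segment: str) -> str:
    """Percent-encode one path segment so the delimiters / : @ ? # & and
    whitespace are data, not structure (safe='' encodes '/' too)."""
    return quote(segment, safe="")
```

The decode in url_components happens after urlsplit has already found the delimiters; decoding first would let an encoded "%3F" or "%23" in the path be mistaken for a real "?" or "#".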

  20. HTTP is a stateless protocol
     A stateful protocol allows requests to move the server into a different state, in which a request may produce a different result.
       • Example protocols: FTP, SMTP, TCP
       • FTP command "get rest.txt" will return a different file when cwd is /public rather than /private.
     A stateless protocol treats each request as an independent transaction that is unrelated to any previous request, so that communication consists of independent pairs of requests and responses.
       • Examples: HTTP, IP

  21. Stateless and Stateful Architectures

  22. Handling Statelessness
     Store state information directly in the address (URI)
       • To access second page in google search for "http":
         https://encrypted.google.com/webhp?q=http&safe=off&start=10
       • Works best for web services.
     Store state indirectly in an HTTP header (cookies)
       • Most common type of state storage.
     Some plug-ins can store state.
       • Flash cookies are the most common type.
     HTML 5 provides browser storage features.

  23. Cookies
     Maintain state via HTTP headers
       • State specified is a set of name=value pairs.
       • Set-Cookie header sent from server.
       • Cookie header sent from browser.
       • No RFC specification existed until RFC 6265 in 2011.
     Examples
       • Set-Cookie: foo=bar; path=/; expires=Fri, 20-Feb-2015 23:59:00 GMT
       • Cookie: foo=bar
     Encoding
       • Encode cookies with base64 to avoid metacharacter interpretation (colons, commas, slashes, quotes, etc.)

  24. Cookie Fields
     Expires: if specified, cookie may be saved to disk and persist across sessions. If not, then cookie persists for duration of browser session.
     Max-age: similar to Expires, but not supported by IE.
     Domain: scoping mechanism to allow cookie to be scoped to a domain broader than the host that sent the Set-Cookie header.
     Path: scopes cookie to a specified path prefix.
     Secure: prevents cookie from being sent over non-encrypted connections.
     HttpOnly: removes ability to read cookie via document.cookie API in JavaScript to protect against XSS.

  25. Cookie Security Policy
     Domain parameter limits which servers are sent the cookie in complex ways (see table).
     Path parameter limits which paths are sent cookies, but JavaScript from any path can read cookies.
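The scoping rules from slides 23 to 25 (Domain, Path, Secure, HttpOnly) are easiest to check against concrete requests. The following added example, not code from the slides, parses a Set-Cookie header the way a browser stores it and then decides whether the cookie would be attached to a given request URL, following the domain-match and path-match rules of RFC 6265 (the IP-address special case is left out). Hosts and cookie values are constructed for the example.

```python
from urllib.parse import urlsplit


class Cookie:
    """One cookie as a browser would store it after a Set-Cookie header."""

    def __init__(self, name: str, value: str, domain: str, path: str,
                 host_only: bool, secure: bool, httponly: bool) -> None:
        self.name, self.value = name, value
        self.domain = domain          # lower-case, no leading dot
        self.path = path
        self.host_only = host_only    # True when no Domain attribute was given
        self.secure = secure
        self.httponly = httponly


def domain_match(host: str, domain: str) -> bool:
    """RFC 6265 5.1.3 (IP-address rule omitted): equal, or host ends in '.' + domain."""
    host, domain = host.lower(), domain.lower()
    return host == domain or host.endswith("." + domain)


def path_match(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: '/app' matches '/app' and '/app/x' but not '/application'."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"
    return False


def default_path(request_path: str) -> str:
    """Path used when Set-Cookie carries no Path attribute: the request
    path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path[:request_path.rfind("/")]


def parse_set_cookie(header: str, request_host: str, request_path: str) -> Cookie:
    """Parse a Set-Cookie value received in a response from request_host/request_path."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(),
                    default_path(request_path), True, False, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            wanted = val.lstrip(".").lower()
            # A server may only widen scope to a domain that covers itself.
            if not domain_match(request_host, wanted):
                raise ValueError("Domain=%s does not cover %s; browser ignores the cookie"
                                 % (wanted, request_host))
            cookie.domain, cookie.host_only = wanted, False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.httponly = True
        # Expires / Max-Age only affect lifetime, not scoping; ignored here.
    return cookie


def cookie_sent_for(cookie: Cookie, url: str) -> bool:
    """Would a browser attach this cookie to a request for url?"""
    p = urlsplit(url)
    host, path = p.hostname or "", p.path or "/"
    if cookie.host_only:
        if host != cookie.domain:
            return False
    elif not domain_match(host, cookie.domain):
        return False
    if not path_match(path, cookie.path):
        return False
    if cookie.secure and p.scheme != "https":
        return False
    return True


def readable_from_document_cookie(cookie: Cookie) -> bool:
    """HttpOnly is the attribute that hides a cookie from script; as the
    Cookie Security Policy slide notes, Path does not isolate JavaScript."""
    return not cookie.httponly
```

A Secure + HttpOnly session cookie set without a Domain attribute is the tightest scope available: it goes only to the exact host over https and is invisible to document.cookie.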

  26. More HTTP Methods

  27. HTTP TRACE Example
     $ telnet localhost 80
     Trying...
     Connected to 127.0.0.1.
     Escape character is '^]'.
     TRACE / HTTP/1.1
     Host: foo
     x-myheader: spam

     HTTP/1.1 200 OK
     Date: Mon, 04 Mar 2009 12:34:45 GMT
     Server: Apache/1.3.13 (Unix)
     Connection: close
     Content-Type: message/http

     TRACE / HTTP/1.0
     x-myheader: spam
     Host: foo
     Connection closed.

  28. HTTP Proxies
     Browser configured to proxy GET request
       • GET http://www.example.com/ HTTP/1.1
       • User-Agent: mybrowser/2.0
       • Host: www.example.com
     URL and Host specifications
       • Perform same task.
       • Evolved separately.
       • Proxy must be careful to avoid being tricked into caching page from one site as page from another site:
         GET http://www.example.com/ HTTP/1.1
         Host: www.google.com

  29. HTTP Caching
     HTTP/1.1 cache behavior
       • GETs with 200, 301, &c responses may be cached.
       • A cached response may be returned for any future request for that URL even if headers differ, including cookies.
       • Cache may revalidate content (with If-Modified-Since header) before reuse but is not required to do so.
     Cache-Control header
       • Public: document is cacheable publicly.
       • Private: proxies are not permitted to cache.
       • No-cache: cache but don't reuse; only FF supports.
       • No-store: do not cache this document at all.
       • Pragma: no-cache from HTTP/1.0 still in use.
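The two proxy-side decisions from slides 28 and 29 are what a cache key and a store/revalidate check look like in code. The following added example (not from the slides, and not any real proxy's code) builds the cache key from the request line and the Host header, refusing to cache when the two name different hosts, and evaluates Cache-Control and Pragma for a shared cache. HEURISTICALLY_CACHEABLE is the RFC 7231 section 6.1 list of status codes a cache may store without explicit freshness information; the slide's "200, 301, &c" is a subset of it.

```python
from urllib.parse import urlsplit

# RFC 7231 6.1: status codes cacheable by default (the slide's "200, 301, &c").
HEURISTICALLY_CACHEABLE = {200, 203, 204, 206, 300, 301, 404, 405, 410, 414, 501}


def parse_cache_control(value: str) -> dict:
    """'public, max-age=60' -> {'public': True, 'max-age': '60'}"""
    directives = {}
    for item in value.split(","):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def shared_cache_decision(status: int, headers: dict) -> dict:
    """May a proxy (shared) cache store this response, and must it
    revalidate before reusing it? Follows the Cache-Control summary on
    the caching slide."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc:
        return {"store": False, "revalidate": False, "reason": "no-store"}
    if "private" in cc:
        return {"store": False, "revalidate": False,
                "reason": "private: shared caches may not store"}
    explicit = "public" in cc or "max-age" in cc or "s-maxage" in cc
    if status not in HEURISTICALLY_CACHEABLE and not explicit:
        return {"store": False, "revalidate": False,
                "reason": "status %d not cacheable by default" % status}
    # no-cache (HTTP/1.1) and Pragma: no-cache (HTTP/1.0) both mean
    # "you may keep it, but check with the origin before serving it".
    revalidate = "no-cache" in cc or h.get("pragma", "").strip().lower() == "no-cache"
    return {"store": True, "revalidate": revalidate,
            "reason": "public" if "public" in cc else "default"}


def cache_key(request_target: str, host_header: str) -> str:
    """Cache key for a proxied request.

    An absolute URL on the request line and the Host header name the same
    thing. If they disagree, refuse to cache rather than store one site's
    page under another site's key.
    """
    p = urlsplit(request_target)
    if p.scheme and p.netloc:
        if host_header and p.netloc.lower() != host_header.strip().lower():
            raise ValueError("request URL host %r disagrees with Host header %r"
                             % (p.netloc, host_header))
        scheme, authority = p.scheme.lower(), p.netloc.lower()
    else:
        # origin-form target ("/path"): the authority can only come from Host
        if not host_header:
            raise ValueError("origin-form request without a Host header")
        scheme, authority = "http", host_header.strip().lower()
    key = "%s://%s%s" % (scheme, authority, p.path or "/")
    if p.query:
        key += "?" + p.query
    return key


def key_or_none(request_target: str, host_header: str):
    """None means: do not cache this exchange at all."""
    try:
        return cache_key(request_target, host_header)
    except ValueError:
        return None
```

The mismatched pair on the proxy slide (URL says www.example.com, Host says www.google.com) is the case that returns None; a proxy that silently picked one of the two would be storing whatever the origin returned under the wrong key.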

  30. HTTP Headers
     HTTP headers can be vulnerable to
       • Injection Attacks, including SQL Injection
       • Cross-Site Scripting (XSS)
     Most commonly vulnerable headers
       • Referer
       • User-Agent
     Example (User-Agent copied straight into a SQL statement):
       String userAgent = request.getHeader("user-agent");
       String sQuery = "DELETE FROM UP_USER_UA_MAP WHERE USER_ID=" + userId
                     + " AND USER_AGENT='" + userAgent + "'";
       ...
       stmt.executeUpdate(sQuery);

  31. HTTP Header Injection
     Add new header + body content to HTTP response.
       • Client sends input containing end-of-line (EOL)
       • HTTP EOL is CR/LF (\r\n, %0d%0a URL-encoded)
     Example Code:
       String author = request.getParameter(AUTHOR_PARAM);
       ...
       Cookie cookie = new Cookie("author", author);
       cookie.setMaxAge(cookieExpiration);
       response.addCookie(cookie);

  32. HTTP Response Splitting
     Malicious input submitted via AUTHOR_PARAM form input:
       A Hacker\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n
       <html>Hacker Content</html>
     Resulting HTTP responses:
       HTTP/1.1 200 OK
       …
       Set-Cookie: author=A Hacker

       HTTP/1.1 200 OK
       Content-Type: text/html

       <html>Hacker Content</html>

  33. Response Splitting Impact
     • Attacker controls page contents
       • Page defacement.
       • Can redirect to attacker controlled site.
     • Script executes in context of legitimate site
       • JavaScript sent by attacker as part of second response has access to cookies and other data of legitimate site.
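To make the header-injection mechanism of slides 31 and 32 concrete alongside its fix, here is an added example (not the slides' Java, and not any framework's code) in Python. build_response_naive copies the author parameter into Set-Cookie unchecked, as the slide's servlet code does; build_response_hardened first rejects any control character (so no CR/LF can reach the wire) and then percent-encodes the value so cookie metacharacters are inert, which is the encoding advice from the Cookies slide. INJECTED_AUTHOR is the slide's malicious value with the blank line that ends the injected header block written out; BENIGN_AUTHOR is constructed.

```python
import re
from urllib.parse import quote

CRLF = "\r\n"

# Constructed benign value and the slide's malicious AUTHOR_PARAM value.
BENIGN_AUTHOR = "A Hacker"
INJECTED_AUTHOR = ("A Hacker\r\nHTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   "<html>Hacker Content</html>")


def build_response_naive(author: str) -> str:
    """Mirrors the slide's code: the parameter lands in Set-Cookie unchecked."""
    return ("HTTP/1.1 200 OK" + CRLF
            + "Set-Cookie: author=" + author + CRLF
            + "Content-Type: text/html" + CRLF + CRLF
            + "<html>Profile saved</html>")


# RFC 6265 cookie-octet: printable US-ASCII minus CTLs, space, '"', ',', ';', '\'
COOKIE_OCTET = re.compile(r"^[\x21\x23-\x2b\x2d-\x3a\x3c-\x5b\x5d-\x7e]*$")
CTL = re.compile(r"[\x00-\x1f\x7f]")


def safe_cookie_value(value: str) -> str:
    """Refuse control characters outright, then percent-encode the rest so
    metacharacters such as ';' and ',' cannot be read as cookie syntax."""
    if CTL.search(value):
        raise ValueError("control character in cookie value")
    encoded = quote(value, safe="")
    if not COOKIE_OCTET.match(encoded):   # defense in depth; quote() never fails this
        raise ValueError("encoded value is not a valid cookie-octet string")
    return encoded


def build_response_hardened(author: str) -> str:
    """Same response, but the value passes through safe_cookie_value."""
    return ("HTTP/1.1 200 OK" + CRLF
            + "Set-Cookie: author=" + safe_cookie_value(author) + CRLF
            + "Content-Type: text/html" + CRLF + CRLF
            + "<html>Profile saved</html>")


def count_responses(raw: str) -> int:
    """How many status lines, i.e. how many responses, a client would see."""
    return sum(1 for line in raw.split(CRLF) if line.startswith("HTTP/1."))


def hardened_accepts(author: str) -> bool:
    """True if the hardened builder emits a response for this value."""
    try:
        build_response_hardened(author)
        return True
    except ValueError:
        return False
```

With the slide's input, the naive builder emits two status lines in one byte stream, which is the second response a downstream client or proxy cache would attribute to its next request; the hardened builder raises instead, and for the benign value it emits "author=A%20Hacker" as a single response. Modern servlet containers reject CR/LF in header values themselves, but the validation belongs in the application as well.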

  34. Cache Poisoning Attack
     • Select a page to poison in proxy cache.
       • Replace /admin with phishing trojan.
     • Locate header injection vulnerability.
       • Inject second response body with trojan.
     • Connect to proxy and send requests.
       • First request is header injection described above.
       • Second request is for page that's being poisoned.
     • Proxy talks to app, gets response.
       • Proxy interprets 2nd response body as response to attacker's 2nd pipelined request.
       • Updates cache with trojan version.

  35. Key Points
     • Requests
     • Idempotence
     • Safety
     • Stateless architecture
     • Cookies
     • HTTP response splitting
     • Cache poisoning

  36. References
     • David Gourley et al., HTTP: The Definitive Guide, O'Reilly, 2002.
     • Krishnamurthy et al., Key Differences Between HTTP/1.0 and HTTP/1.1, http://www8.org/w8-papers/5c-protocols/key/key.html.
     • Mark Nottingham, RFC 2616 is Dead, https://www.mnot.net/blog/2014/06/07/rfc2616_is_dead, 2014.
     • Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook, 2nd Edition, Wiley, 2011.
     • HTTP/2 Home Page, https://http2.github.io/.
     • Sanctum, "HTTP Response Splitting Whitepaper," http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf, 2004.
     • Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2011.
