100 likes | 229 Views
CIT 380: Securing Computer Systems. Web Security. Client-side Attacks. Buffer Overflow 2004 iframe 2004-05 jpeg Remote Code ActiveX Flash Java Javascript. ActiveX. Executable code downloaded from server Activated by HTML object tag. Native code binary format. Security model
E N D
CIT 380: Securing Computer Systems Web Security CIT 380: Securing Computer Systems
Client-side Attacks • Buffer Overflow • 2004 iframe • 2004-05 jpeg • Remote Code • ActiveX • Flash • Java • Javascript CIT 380: Securing Computer Systems
ActiveX Executable code downloaded from server • Activated by HTML object tag. • Native code binary format. • Security model • Digital signature authentication • Zone-based access control • No control once execution starts CIT 380: Securing Computer Systems
Digital signature authentication Sandbox Java • Sandbox Limits • Cannot read/write files. • Cannot start programs. • Network access limited to originating host. • Sandbox Components • Byte-code verifier • Class loader • Security manager CIT 380: Securing Computer Systems
MPack Browser Malware • User visits site. • Response contains iframe. • Iframe code causes browser to make request. • Request redirected to MPack server. • Server identifies OS and browser, sends exploit that will work for client configuration. • Exploit causes browser to send request for code. • Mpack downloader sent to user, begins d/ling other malware. CIT 380: Securing Computer Systems
MPack Commercial underground PHP software • Sold for $700-1000. • Comes with one year technical support. • Can purchase updated exploits for $50-150. Infection Techniques • Hacking into websites and adding iframes. • Sending HTML mail with iframes. • Typo-squatting domains. • Use GoogleAds to draw traffic. CIT 380: Securing Computer Systems
Client Protection • Disable ActiveX and Java. • Use NoScript to limit Javascript. • Run browser with least privilege. • Use a browser sandbox: • VMWare Virtual Browser Appliance • Protected Mode IE (Windows Vista) • Goto sites directly instead of using links. • Use plain text e-mail instead of HTML. • Patch your browser regularly. • Use a personal firewall. CIT 380: Securing Computer Systems
Web Reconnaissance Google Hacking • “Index of” +passwd • “Index of” +password.txt • filetype:htaccess user • allinurl:_vti_bin shtml.exe Web Crawling • wget --mirror http://www.w3.org/ -o /mirror/w3 Santy Worm used Google to find vulnerable servers. CIT 380: Securing Computer Systems
Key Points • All input can be dangerous • URLs, Cookies, Executable content • Consider both client and server security. • SSL is not a panacea • Confidentiality + integrity of data in transit. • Input-based attacks can be delivered via SSL. • Top Vulnerabilities • Cross-Site Scripting • SQL Injection • Remote File Inclusion CIT 380: Securing Computer Systems
References • Chris Anley, “Advanced SQL Injection In SQL Server Applications,” http://www.nextgenss.com/papers/advanced_sql_injection.pdf, 2002. • CERT, “Understanding Malicious Content Mitigation for Web Developers,” http://www.cert.org/tech_tips/malicious_code_mitigation.html, Feb. 2000 • Mark Dowd, John McDonald, Justin Schuh, The Art of Software Security Assessment, Addison-Wesley, 2007. • David Endler, “The Evolution of Cross-Site Scripting Attacks,” http://www.cgisecurity.com/development/xss.shtml, 2002. • Joris Evers, “Paypal fixes Phishing hole,” http://news.com.com/PayPal+fixes+phishing+hole/2100-7349_3-6084974.html, 2006. • Stephen J. Friedl, “SQL Injection Attacks by Example,” http://www.unixwiz.net/techtips/sql-injection.html, 2005. • Johnny Long, Google Hacking for Penetration Testers, Syngress, 2004. • Johnny Long, Google Hacking Database, http://johnny.ihackstuff.com, 2006. • J.D. Meier, et. al., Improving Web Application Security: Threats and Countermeasures, Microsoft, http://msdn2.microsoft.com/en-us/library/aa302418.aspx, 2006. • Mitre, Common Weaknesses – Vulnerability Trends, http://cwe.mitre.org/documents/vuln-trends.html, 2007. • Nate Mook, “Cross-Site Scripting Worm Hits MySpace,” http://www.betanews.com/article/CrossSite_Scripting_Worm_Hits_MySpace/1129232391, 2005. • Gunter Ollman, “HTML Code Injection and Cross-Site Scripting,” http://www.technicalinfo.net/papers/CSS.html, 2002. • OWASP Top 10, http://www.owasp.org/index.php/OWASP_Top_Ten_Project, 2007. • Neils Provos et. al., “The Ghost in the Browser: Analysis of Web-based Malware,” Hotbots 07, http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf, 2007. • Samy, “MySpace Worm Explanation,” http://namb.la/popular/tech.html, 2005. • Stuart McClure, Joel Scambray, and George Kurtz, Hacking Exposed, 5/e, McGraw-Hill, 2005. • Stuart McClure, Saumil Shah and Shreeraj Shah, Web Hacking: Attacks and Defense, Addison-Wesley, 2002. • Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006. • Ed Skoudis, Counter Hack Reloaded, Prentice Hall, 2006. • SK, “SQL Injection Walkthrough,” http://www.securiteam.com/securityreviews/5DP0N1P76E.html, 2002. • Symantec Weblog, “MPack: Packed full of badness,” http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html, 2007. CIT 380: Securing Computer Systems