Security of Web Applications Jamshid Shokrollahi E-Commerce Security
Overview • Why Web application security? • Some attacks on web applications and corresponding countermeasures
Why Web application security? • Reduce cost of recovery and fixes • Ensure customer trust • Encourage website adoption • Maintain competitive advantages • Manage legal risks
Some attacks on Web Applications • Known vulnerabilities and misconfigurations • Hidden fields • Backdoor and debug options • Cross-site scripting • Cookie poisoning • Buffer overflow
Known vulnerabilities and misconfigurations • October 2000: Microsoft’s IIS • A malformed URL lets a malicious user navigate the logical drive of the web server. • Runs under the security context of IUSR_machinename, which is the anonymous account for IIS and belongs to the Everyone and Guests groups. • Security Bulletin MS00-078: "… in IIS 4.0 and 5.0, a particular type of malformed URL … enables a malicious user ... to add, change or delete data, run code already on the server, or upload new code to the server and run it. …"
Tampering Hidden fields • Hidden fields in forms can contain passwords or prices that must be submitted back to the server. • They can be viewed or modified by clients and then submitted back.
Tampering Hidden fields [diagram: Web user → Web server → Database server; the form to be filled in carries unit prices as hidden fields, the client reduces those prices, and a wrong order reaches the database server] • The forms should be validated and passwords should not be sent to the clients.
Backdoor and debug options • Backdoor options are built into applications during debugging. • Programmers build shortcuts to avoid logging in for every round of debugging. • Because of time limits, debugging versions are put on the web.
Threats caused by scripts • CERT Advisory CA-1997-20 • Impact: enables monitoring of web activities • Cause: vulnerabilities in browsers (JavaScript) • Solution: upgrade the browser or disable JavaScript • CERT Vulnerability Note VU#800893 • Impact: disclosing files • Cause: vulnerability in the implementation of GetObject in IE (VBScript) • Solution: download the patch or disable active scripting in IE, especially when visiting untrusted sites.
Cross-site scripting • Malicious user: hopes browsers are not patched • Puts malicious code on innocent web pages • Submits text including: <SCRIPT>malicious code</SCRIPT> • Others download the code • Abuse of the <FORM> tag • Internet Explorer security "zones" can be subverted by this technique
Cookie-based attacks • Like the hidden-field attack, when parameters are saved in cookies. • Packet sniffing to steal identities that are saved in cookies • Countermeasure: using digital signatures and cryptography • Using cross-site scripting (CSS) to send cookies to other servers; here even cryptography does not help
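The two countermeasures from the hidden-field and cookie slides, as an added example (not code from the original deck): state that the server can recompute (a price) is never trusted from the client, and state that must round-trip through the client (a cookie parameter) carries an HMAC tag so tampering is detected. The catalogue, the server key and the form fields are constructed for the example.

```python
import hmac
import hashlib

# Constructed server-side catalogue: the only trusted source of unit prices (in cents).
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}

# Hypothetical secret that lives only on the server; never sent to the client.
SERVER_KEY = b"server-only-secret-key"


def untrusted_total(form: dict) -> int:
    """Vulnerable pattern from the slide: the server trusts the hidden 'price' field."""
    return int(form["price"]) * int(form["qty"])


def trusted_total(form: dict):
    """Hardened: any client-supplied price is ignored; the price is looked up server-side.
    Returns None for unknown SKUs or non-positive quantities."""
    sku = form.get("sku")
    try:
        qty = int(form.get("qty", 0))
    except ValueError:
        return None
    if sku not in CATALOGUE or qty <= 0:
        return None
    return CATALOGUE[sku] * qty


def sign_value(value: str, key: bytes = SERVER_KEY) -> str:
    """Protect a value that must round-trip via a cookie: append an HMAC-SHA256 tag."""
    mac = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"


def verify_value(signed: str, key: bytes = SERVER_KEY):
    """Return the original value if its tag verifies, else None (tampered or malformed)."""
    value, sep, mac = signed.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking the tag through timing differences.
    if not hmac.compare_digest(mac, expected):
        return None
    return value
```

Signing only detects modification of the cookie; as the slide notes, a cookie stolen by sniffing or script injection still verifies, so it must also be protected in transit and kept from scripts.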
Buffer overflow • A kind of denial-of-service attack • Malicious users can sometimes run their own programs • By overwriting the stack with the address of their program
Bibliography • Gunter Ollmann, HTML Code Injection and Cross-site scripting, http://www.technicalinfo.net/papers/CSS.html • CERT Advisory CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html • Wikipedia