Topics. Why Web Application Security? Web Security

Size: px

Start display at page:

Download "Topics. Why Web Application Security? Web Security"

Rhoda Horn
6 years ago
Views:

Web Security CSC 482/582: Computer Security Slide #1 Topics 1. Why web application security? 2. HTTP and web input types 3. Web Application Vulnerabilities 4.

1 Web Security CSC 482/582: Computer Security Slide #1 Topics 1. Why web application security? 2. HTTP and web input types 3. Web Application Vulnerabilities 4. Client-side Attacks 5. Finding Web Vulnerabilities CSC 482/582: Computer Security Slide #2 Why Web Application Security? CSC 482/582: Computer Security Slide #3 1

Security Slide #5 HTTP: HyperText Transfer Protocol Simple request/respond protocol Request methods: GET, POST, HEAD,

2 Why Web Application Security? CSC 482/582: Computer Security Slide #4 Web Transactions Web Server Web Browser OS Network CSC 482/582: Computer Security Slide #5 HTTP: HyperText Transfer Protocol Simple request/respond protocol Request methods: GET, POST, HEAD, etc. Protocol versions: 1.0, 1.1 Stateless Each request independent of previous requests, i.e. request #2 doesn t know you auth d in #1. Applications responsible for handling state. CSC 482/582: Computer Security Slide #6 2

3 HTTP Request Method URL Protocol Version GET HTTP/1.1 Headers Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/ Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Blank Line No Data for GET method CSC 482/582: Computer Security Slide #7 HTTP Response Protocol Version HTTP Response Code Blank Line HTTP/ OK Headers Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct :16:30 GMT <HTML>... (page data)... </HTML> Web Page Data CSC 482/582: Computer Security Slide #8 Different Perspectives Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted. CSC 482/582: Computer Security Slide #9 3

4 Web-based Input Client and Server Perspectives Types of Input URL parameters HTML Cookies Javascript Cross-Site Scripting CSC 482/582: Computer Security Slide #10 URL Format Whitespace marks end of separates userinfo from host? marks beginning of query string & separates query parameters %HH represents character with hex values ex: %20 represents a space CSC 482/582: Computer Security Slide #11 URL Parameters Client controls query-string Cannot limit values to those specified in form Any character can be URL-encoded Even if it doesn t need to be. Any valid format may be used to disguise true destination of URL CSC 482/582: Computer Security Slide #12 4

5 URL Obfuscation IP address representations Dotted quad (decimal, octal, hexadecimal) Hexadecimal without dots (with left padding) dword (32-bit int) Examples: (dotted quad) 0xDEDA83B7130E (hexadecimal + padding) (dword) CSC 482/582: Computer Security Slide #13 HTML Special Characters < begins a tag > ends a tag some browsers will auto-insert matching < & begins a character entity ex: < represents literal < character Quotes( and ) used to enclose attribute values CSC 482/582: Computer Security Slide #14 Character Set Encoding Default: ISO (Latin-1) Char sets dictate which chars are special UTF-8 allows multiple representations Force Latin-1 encoding of web page with: <META http-equiv= Content-Type content= text/html; charset=iso > CSC 482/582: Computer Security Slide #15 5

6 Hidden Fields <input type= hidden name= user value= james > Used to propagate data between HTTP requests since protocol is stateless Clearly visible in HTML source Form can be copied, modified to change hidden fields, then used to invoke script CSC 482/582: Computer Security Slide #16 Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar CSC 482/582: Computer Security Slide #17 Web Input Summary Client Side Server Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Cookies aren t confidential. Hidden fields aren t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format. CSC 482/582: Computer Security Slide #18 6

interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.

7 Web Application Vulnerabilities CSC 482/582: Computer Security Slide #19 Common Vulnerability Types CSC 482/582: Computer Security Slide #20 Injection Injection attacks trick an application into including unintended commands in the data send to an interpreter. Interpreters Interpret strings as commands. Ex: SQL, shell (cmd.exe, bash), LDAP, XPath Key Idea Input data from the application is executed as code by the interpreter. Discussed in detail in its own lecture. CSC 482/582: Computer Security Slide #21 7

8 Cross-Site Attacks Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker s choosing. XSS used to obtain session ID for Bank site (transfer money to attacker) Shopping site (buy goods for attacker) Key ideas Attacker sends malicious code to server. Victim s browser loads code from server and runs it. Discussed in detail in its own lecture. March 4, 2009 SIGCSE Insecure Remote File Inclusion Insecure remote file inclusion vulnerabilities allow an attack to trick the application into executing code provided by the attacker on another site. Dynamic code Includes in PHP, Java,.NET DTDs for XML documents Key Idea Attacker controls pathname for inclusion. CSC 482/582: Computer Security Slide #23 PHP Remote Inclusion Flaw A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script. <?php // index.php include('config.php'); include('include.php'); // Script body?> <?php //config.php $server_root = '/my/path';?> <?php //include.php include($server_root. '/someotherfile.php');?> GET /include.php?server_root= CSC 482/582: Computer Security Slide #24 8

9 Mitigating Remote File Inclusion 1. Turn off remote file inclusion. 2. Do not run code from uploaded files. 3. Do not use user-supplied paths. 4. Validate all paths before loading code. CSC 482/582: Computer Security Slide #25 Authentication Authentication is the process of determining a user s identity. Key Ideas HTTP is a stateless protocol. Every request must be authenticated. Use username/password on first request. Use session IDs on subsequent queries. March 4, 2009 SIGCSE Authentication Attacks Sniffing passwords Guessing passwords Identity management attacks Replay attacks Session ID fixation Session ID guessing CSC 482/582: Computer Security Slide #27 9

10 Identity Management Attacks Auth requires identity management User registration Password changes and resets Mitigations Use CAPTCHAs to protect registration. Don t use easy to guess secret questions. Don t allow attacker to reset address that new password is sent to. CSC 482/582: Computer Security Slide #28 Session ID Guessing Do session IDs show a pattern? How does changing username change ID? How do session IDs change with time? Brute forcing session IDs Use program to try 1000s of session IDs. Mitigating guessing attacks Use a large key space (128+ bits). Use a cryptographically random algorithm. CSC 482/582: Computer Security Slide #29 Mitigating Authentication Attacks Use SSL to prevent sniffing attacks. Require strong passwords. Use secure identity management. Use a secure session ID mechanism. IDs chosen at random from large space. Regenerate session IDs with each request. Expire session IDs in short time. CSC 482/582: Computer Security Slide #30 10

11 Access Control Access control determines which users have access to which system resources. Levels of access control Site URL Function Function(parameters) Data CSC 482/582: Computer Security Slide #31 Mitigating Broken Access Control 1. Check every access. 2. Use whitelist model at every layer. 3. Do not rely on client-level access control. 4. Do not rely on security through obscurity. CSC 482/582: Computer Security Slide #32 Improper Error Handling Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly. Errors can provide too much data Stack traces SQL statements Subsystem errors User typos, such as passwords. CSC 482/582: Computer Security Slide #33 11

12 Example of Improper Error Handling mysql error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.myi' (errno: 145) Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/lib s/comments.php on line 124 CSC 482/582: Computer Security Slide #34 Mitigating Improper Error Handling 1. Catch all exceptions. 2. Check all error codes. 3. Wrap application with catch-all handler. 4. Send user-friendly message to user. 5. Store details for debugging in log files. 6. Don t log passwords or other sensitive data. CSC 482/582: Computer Security Slide #35 Insecure Storage Storing sensitive data without encrypting it, or using a weak encryption algorithm, or using a strong encryption system improperly. Problems Not encrypting sensitive data. Using home grown cryptography. Insecure use of weak algorithms. Storing keys in code or unprotected files. CSC 482/582: Computer Security Slide #36 12

13 Storage Recommendations Hash algorithms MD5 and SHA1 look insecure. Use SHA256. Encrypting data Use AES with 128-bit keys. Key generation Generate random keys. Use secure random source. CSC 482/582: Computer Security Slide #37 Mitigating Insecure Storage 1. Use well studied public algorithms. 2. Use truly random keys. 3. Store keys in protected files. 4. Review code to ensure that all sensitive data is being encrypted. 5. Check database to ensure that all sensitive data is being encrypted. CSC 482/582: Computer Security Slide #38 Insecure Communication Applications fail to encrypt sensitive data in transit from client to server and vice-versa. Need to protect User authentication and session data. Sensitive data (CC numbers, SSNs) Key Idea Use SSL for all authentication connections. CSC 482/582: Computer Security Slide #39 13

CSC 482/582: Computer Security Slide #40 Client-side Attacks Buffer Overflow 2004 iframe 2004-05 jpeg Remote Code ActiveX Flash Java Javascript CSC

14 Mitigating Insecure Communication 1. Use SSL for all authenticated sessions. 2. Use SSL for all sensitive data. 3. Verify that SSL is used with automated vulnerability scanning tools. CSC 482/582: Computer Security Slide #40 Client-side Attacks Buffer Overflow 2004 iframe jpeg Remote Code ActiveX Flash Java Javascript CSC 482/582: Computer Security Slide #41 ActiveX Executable code downloaded from server Activated by HTML object tag. Native code binary format. Security model Digital signature authentication Zone-based access control No control once execution starts CSC 482/582: Computer Security Slide #42 14

Java Digital signature authentication Sandbox Sandbox Components Byte-code verifier Class loader Security manager Sandbox Limits Cannot read/write files. Cannot start programs.

15 Java Digital signature authentication Sandbox Sandbox Components Byte-code verifier Class loader Security manager Sandbox Limits Cannot read/write files. Cannot start programs. Network access limited to originating host. CSC 482/582: Computer Security Slide #43 MPack Browser Malware 1. User visits site. 2. Response contains iframe. 3. Iframe code causes browser to make request. 4. Request redirected to MPack server. 5. Server identifies OS and browser, sends exploit that will work for client configuration. 6. Exploit causes browser to send request for code. 7. Mpack downloader sent to user, begins d/ling other malware. CSC 482/582: Computer Security Slide #44 MPack Commercial underground PHP software Sold for $ Comes with one year technical support. Can purchase updated exploits for $ Infection Techniques Hacking into websites and adding iframes. Sending HTML mail with iframes. Typo-squatting domains. Use GoogleAds to draw traffic. CSC 482/582: Computer Security Slide #45 15

Client Protection Disable ActiveX and Java. Use NoScript to limit Javascript. Run browser with least privilege.

Use plain text e-mail instead of HTML. Patch your browser regularly. Use a personal firewall.

txt filetype:htaccess user allinurl:_vti_bin shtml.exe Web Crawling Santy Worm used Google to find vulnerable servers. wget --mirror http://www.

16 Client Protection Disable ActiveX and Java. Use NoScript to limit Javascript. Run browser with least privilege. Use a browser sandbox: VMWare Virtual Browser Appliance Protected Mode IE (Windows Vista) Goto sites directly instead of using links. Use plain text instead of HTML. Patch your browser regularly. Use a personal firewall. CSC 482/582: Computer Security Slide #46 Web Reconnaissance Google Hacking Index of +passwd Index of +password.txt filetype:htaccess user allinurl:_vti_bin shtml.exe Web Crawling Santy Worm used Google to find vulnerable servers. wget --mirror -o /mirror/w3 CSC 482/582: Computer Security Slide #47 Proxies and Vulnerability Scanners Achilles OWASP Web Scarab Paros Proxy SPI Dynamics WebInspect Edit Web Data URL Cookies Form Data Web Browser Web Proxy Web Server CSC 482/582: Computer Security Slide #48 16

Achilles Proxy Screenshot CSC 482/582: Computer Security Slide #49 Key Points All input can be dangerous URLs, Cookies, Executable content Consider both client and server security.

17 Achilles Proxy Screenshot CSC 482/582: Computer Security Slide #49 Key Points All input can be dangerous URLs, Cookies, Executable content Consider both client and server security. SSL is not a panacea Confidentiality + integrity of data in transit. Input-based attacks can be delivered via SSL. Top Vulnerabilities Cross-Site Scripting SQL Injection Remote File Inclusion CSC 482/582: Computer Security Slide #50 References 1. Andreu, Professional Penetration Testing for Web Applications, Wrox, Daswaniet. al., Foundations of Security, Apress, Friedl, SQL Injection Attacks by Example, IBM, IBM X-Force 2010 Mid-Year Trend and Risk Report, OWASP, OWASP Top 10 for 2010, oject 6. Neils Provoset. al., The Ghost in the Browser: Analysis of Webbased Malware, Hotbots 07, s/provos.pdf, Samy, MySpace Worm Explanation, Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, Stuttartand Pinto, The Web Application Hacker s Handbook, Wiley, CSC 482/582: Computer Security Slide #51 17

CIT 480: Securing Computer Systems

CIT 480: Securing Computer Systems Web Security I Topics 1. HTTP 2. Transport Layer Security (TLS) 3. URLs 4. HTML and the DOM 5. Same Origin Policy 6. Cross-Site Attacks Web Transactions Web Server Web