Pattern Recognition and Applications Lab
WEB Security
Giorgio Giacinto, giacinto@diee.unica.it
Computer Security 2018
Department of Electrical and Electronic Engineering, University of Cagliari, Italy

Threat Landscape 2017

Vulnerabilities of Websites
Symantec 2018 (data measured in 2017); Symantec 2016

Incident classification patterns for Confirmed Data Breaches
Verizon, Data Breach Investigation Report, 2016

Exploiting Vulnerable Hosts

How to Exploit Vulnerable Hosts?
1. Find a vulnerable host (specific search engines)
2. Download one or more exploits (specific repositories)
3. Attack the web site
Be careful not to leave traces :-)
ETHICAL HACKING!!!

Kill Chain
ENISA Threat Landscape 2017

Shodan

Metasploit

Exploit Database

Web Application Exploits

Web Attack Toolkits
Symantec 2016

Exploit Kits
https://www.mcafee.com/threat-center/threat-landscape-dashboard/exploit_kits.html

HTTP Protocol Specification
IETF (Internet Engineering Task Force)
The official documentation is maintained by the IETF HTTP working group (http://httpwg.org).
The current version is HTTP/1.1. The next version is HTTP/2 (https://http2.github.io).

Structure of HTTP Transactions
HTTP uses the client-server model:
- An HTTP client opens a connection and sends a request message to an HTTP server.
- The server returns a response message containing the requested resource.
- After delivering the response, the server closes the connection (except for persistent connections).
Format of HTTP request and response messages:
- an initial line (the request line or the status line)
- zero or more header lines
- a blank line
- an optional message body (e.g. a file, or query data, or query output)

HTTP Request message

Initial Request Line
A request line has three parts, separated by spaces:
- a method name
- the local path of the requested resource
- the version of HTTP being used
Example: GET /path/to/file/index.html HTTP/1.1
GET is the most common HTTP request; it means "give me this resource".
Other methods include POST and HEAD, etc. Method names are always uppercase.
The path is the part of the URL after the host name, also called the request URI (Uniform Resource Identifier).

Initial Response Line (Status line)
- the HTTP version
- a response status code: the result of the request
- a reason phrase describing the status code
Response categories:
1xx: an informational message
2xx: success of some kind
3xx: redirection
4xx: an error on the client's part
5xx: an error on the server's part

Common status codes
200 OK: the request succeeded, and the resulting resource is returned in the message body.
404 Not Found
301 Moved Permanently
302 Moved Temporarily
Check RFC 2616 for the complete list.

The Message Body
In a response, it contains the requested resource, or an explanatory text if there is an error.
In a request, it contains the user-entered data or uploaded files.
If an HTTP message includes a body, some header lines describe the format of the body:
- Content-Type: the MIME type of the data, e.g. text/html or image/gif
- Content-Length: the number of bytes in the body

Sample HTTP Exchange
HTTP Request:
    GET /path/f.htm HTTP/1.1
    Host: www.host1.com:80
    User-Agent: HTTPTool/1.0
    [blank line here]
HTTP Response:
    HTTP/1.1 200 OK
    Date: Fri, 31 Dec 1999 23:59:59 GMT
    Content-Type: text/html
    Content-Length: 1354

    <html>
    <body>
    <h1>happy New Millennium!</h1>
    (more file contents)...
    </body>
    </html>
The HEAD Method
A HEAD request is just like a GET request, except that it asks the server to return the response headers only, not the actual resource (i.e., no message body).
This is used to check characteristics of a resource without actually downloading it.
The response to a HEAD request must never contain a message body, just the status line and headers.

The POST Method
A POST method is used to send data to the server. A POST request is different from a GET request:
- Data is sent with the request, in the message body.
- There are usually extra headers to describe this message body, e.g. Content-Type: and Content-Length:
- The request URI is not a resource to retrieve, but usually a program to handle the data you're sending.
- The HTTP response is normally the output of a program, not a static file.
Examples: PHP forms, Javascript code

The POST Method: Example
    POST /login.jsp HTTP/1.1
    Host: www.mysite.com
    User-Agent: Mozilla/4.0
    Content-Length: 27
    Content-Type: application/x-www-form-urlencoded

    userid=me&password=guessme
Form submission: POST requests can be used to send whatever data you want; the sender and the receiving program must agree on the format.
The GET method can also be used to submit forms: the form data is URL-encoded and appended to the request URI.

Persistent HTTP Connections
The server does not immediately close the connection after sending the response.
The responses should be sent back in the same order as the requests.
The "Connection: close" header in a request indicates the final request for the connection; the server should close the connection after sending the response.
The server should close an idle connection after some timeout period.
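The message layout described on the preceding slides (initial line, header lines, blank line, body framed by Content-Length) and the two ways of submitting a form (URL-encoded body of a POST, or query string of a GET) can be exercised with a small parser. The following Python script is an added example, not code from the lecture; the host name www.example.com and the sample messages are constructed here, with Content-Length computed from the actual body rather than copied from the slide.

```python
"""Minimal parser for the HTTP/1.1 message layout: initial line, header
lines, blank line, optional body. Added example; all messages below are
constructed for it and use CRLF line endings as on the wire."""
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class HttpMessage:
    start_line: str                       # request line or status line
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Split a raw message into its parts. Content-Length decides how many
    body bytes belong to this message; on a persistent connection any bytes
    after that belong to the next message, so they are left alone here."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no blank line terminating the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    msg = HttpMessage(start_line=lines[0])
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.strip().lower()] = value.strip()  # names are case-insensitive
    if "content-length" in msg.headers:
        length = int(msg.headers["content-length"])
        if len(rest) < length:
            raise ValueError("body shorter than Content-Length")
        msg.body = rest[:length]
    return msg


def request_parts(msg: HttpMessage) -> tuple[str, str, str]:
    """Request line -> (method, request URI, HTTP version)."""
    method, uri, version = msg.start_line.split(" ", 2)
    if method != method.upper():
        raise ValueError("method names are always uppercase")
    return method, uri, version


def status_parts(msg: HttpMessage) -> tuple[str, int, str]:
    """Status line -> (HTTP version, status code, reason phrase)."""
    version, code, reason = msg.start_line.split(" ", 2)
    return version, int(code), reason


def form_fields(msg: HttpMessage) -> dict[str, str]:
    """Form data, taken from the body of a form-urlencoded POST or from the
    query string of the request URI; both use the same URL encoding."""
    method, uri, _ = request_parts(msg)
    ctype = msg.headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        encoded = msg.body.decode("ascii")
    else:
        encoded = urlsplit(uri).query
    return {k: v[0] for k, v in parse_qs(encoded).items()}


# Constructed sample messages.
FORM_BODY = b"userid=me&password=guessme"
POST_REQUEST = (
    b"POST /login.jsp HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    + f"Content-Length: {len(FORM_BODY)}\r\n".encode()
    + b"\r\n" + FORM_BODY
)
GET_REQUEST = (b"GET /login.jsp?userid=me&password=guessme HTTP/1.1\r\n"
               b"Host: www.example.com\r\n\r\n")
HTML = b"<html><body><h1>Happy New Millennium!</h1></body></html>"
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    + f"Content-Length: {len(HTML)}\r\n".encode()
    + b"\r\n" + HTML
)

if __name__ == "__main__":
    print(form_fields(parse_message(POST_REQUEST)))
    print(form_fields(parse_message(GET_REQUEST)))
    print(status_parts(parse_message(RESPONSE)), parse_message(RESPONSE).body)
```

Two points the slides state become visible when running this: the same form reaches the server whether it travels in the POST body or in the GET request URI, and a body that is shorter than its declared Content-Length is an incomplete message rather than a short one, which is why the parser rejects it instead of returning what it has.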
Web Application Attacks

OWASP
The Open Web Application Security Project (OWASP) is a worldwide not-for-profit charitable organization focused on improving the security of software. Its mission is to make software security visible, so that individuals and organizations are able to make informed decisions. Operating as a community of like-minded professionals, OWASP issues software tools and knowledge-based documentation on application security.
http://www.owasp.org

Architecture of Information Systems
Web pages are created dynamically by querying a database:
- selection of products in e-commerce sites
- selection of courses in the university
- etc.
Relational databases are the core of many web sites, usually part of the information system of the organization.
How to query the database through the web site?

Web Application Exploitation
Web pages contain TEXT and multimedia content. Commands and instructions that shape the web page and provide for dynamic content are textual tokens embedded within the content of the page.
Goal of the attacker: to disguise malicious commands as legitimate content when
- filling a web form
- querying a database through a web interface
- posting a comment in a web forum
Web Security: Command Injection

PHP at work
[Figure: the web browser requests the URI display.php from the web server; PHP produces the web page that is returned to the browser.]
display.php:
    <?php echo system("cat " . $_GET["file"]); ?>
system(call, args) performs a system call in the working directory; the dot (.) concatenates strings.

PHP at work: command injection
The web browser requests the URI display.php?file=cal.txt
The web server runs system("cat " . $_GET["file"]), i.e. the shell command cat cal.txt
The content of cal.txt is returned to the browser.
What happens if we forge the URI
    display.php?file=cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a
(see http://www.url-encode-decode.com)

Command Injection
    display.php?file=cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a
translates into
    display.php?file=cal.txt; rm -rf /;
and the shell executes
    cat cal.txt; rm -rf /;
Solutions:
- Input validation
- Using a less powerful API

Input Validation
- Blacklisting is ineffective: we should list all possible invalid input strings.
- Whitelisting: checking if the input string has the expected format.
- Input escaping: adding quotes to the input string.

Using a less powerful API
The system API is simple to use, BUT it is too powerful: it allows an attacker to run any system command.
Select the API that performs just what we need.
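The display.php handler and the three remedies just listed (whitelisting, escaping, a less powerful API) are put side by side in the following Python script. It is an added example, not the lecture's code: the PHP handler system("cat " . $_GET["file"]) is mirrored in Python, the query value is taken after URL decoding (as the web server does when filling $_GET), the whitelist pattern and the document root are assumptions, and nothing here runs a shell; the unsafe variant only builds the string that system() would hand to /bin/sh, so the script is safe to run.

```python
"""Command injection through system("cat " . $_GET["file"]) and its fixes.
Added example, not the lecture's code. No shell is executed anywhere."""
from __future__ import annotations

import os
import re
import shlex
import tempfile
from urllib.parse import unquote

# The forged query value from the slide, as the script receives it after the
# web server has URL-decoded it: 'cal.txt; rm -rf /;\n\n'
FORGED_PARAM = unquote("cal.txt%3b%20rm%20-rf%20%2f%3b%0a%0a")


def unsafe_command_line(file_param: str) -> str:
    """The string that system("cat " . $_GET["file"]) passes to the shell."""
    return "cat " + file_param


def shell_commands(command_line: str) -> list[str]:
    """Split a command line on ';' and newline the way /bin/sh separates
    commands (quoting is ignored; this only illustrates the unsafe line)."""
    return [c.strip() for c in re.split(r"[;\n]", command_line) if c.strip()]


# Whitelist (assumed policy): a bare file name of safe characters ending in .txt.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.txt")


def is_valid_filename(name: str) -> bool:
    """Whitelist check. fullmatch is used on purpose: re.match with a '$'
    anchor would still accept 'cal.txt\\n', because '$' also matches just
    before a trailing newline."""
    return SAFE_NAME.fullmatch(name) is not None


def escaped_command_line(file_param: str) -> str:
    """Input escaping: quote the value so the shell treats it as one word
    (shlex.quote is the counterpart of PHP's escapeshellarg)."""
    return "cat " + shlex.quote(file_param)


def escaped_argv(file_param: str) -> list[str]:
    """The argument vector a POSIX shell would build from the escaped line."""
    return shlex.split(escaped_command_line(file_param))


def read_file_no_shell(file_param: str, root: str) -> bytes:
    """Less powerful API: validate, then open the file under root directly.
    No shell is involved, so ';', '|' or '$(...)' in the input mean nothing."""
    if not is_valid_filename(file_param):
        raise ValueError("rejected by whitelist")
    with open(os.path.join(root, file_param), "rb") as fh:
        return fh.read()


def demo() -> dict:
    """Run the hardened handler against a constructed document root."""
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "cal.txt"), "wb") as fh:
            fh.write(b"January 2018\n")            # constructed file content
        result = {"honest": read_file_no_shell("cal.txt", root)}
        try:
            read_file_no_shell(FORGED_PARAM, root)
        except ValueError as exc:
            result["forged"] = str(exc)
    return result


if __name__ == "__main__":
    print(shell_commands(unsafe_command_line(FORGED_PARAM)))  # two commands
    print(escaped_argv(FORGED_PARAM))                         # one argument to cat
    print(demo())
```

The unsafe line splits into two shell commands, exactly as the slide shows. With escaping, the whole forged value becomes a single argument to cat (which then fails on a non-existent file name), and with the whitelist plus a direct file read the forged value is rejected before anything is opened. The PHP counterpart of the last option is reading the file with a file API such as file_get_contents() instead of calling system().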
OWASP Testing Guide
Application development must follow a clear methodology to avoid known vulnerabilities (generic SDLC model).
Testing must take into account:
- People, to ensure that there is adequate education and awareness
- Process, to ensure that there are adequate policies and standards and that people know how to follow these policies
- Technology, to ensure that the process has been effective in its implementation

Basic principles of Testing
- There is No Silver Bullet!
- Think Strategically, Not Tactically
- The SDLC is King
- Test Early and Test Often
- Understand the Scope of Security
- Develop the Right Mindset
- Understand the Subject
- Use the Right Tools
- The Devil is in the Details
- Use Source Code When Available
- Develop Metrics
- Document the Test Results

OWASP Testing Techniques
- Manual Inspections & Reviews
- Threat Modelling
- Source Code Review
- Penetration Testing

OWASP Testing Framework
Phase 1: Before Development Begins
- Phase 1.1: Define a SDLC
- Phase 1.2: Review Policies and Standards
- Phase 1.3: Develop Measurement and Metrics Criteria and Ensure Traceability
Phase 2: During Definition and Design
- Phase 2.1: Review Security Requirements
- Phase 2.2: Review Design and Architecture
- Phase 2.3: Create and Review UML Models
- Phase 2.4: Create and Review Threat Models
Phase 3: During Development
- Phase 3.1: Code Walk Through
- Phase 3.2: Code Reviews
Phase 4: During Deployment
- Phase 4.1: Application Penetration Testing
- Phase 4.2: Configuration Management Testing
Phase 5: Maintenance and Operations
- Phase 5.1: Conduct Operational Management Reviews
- Phase 5.2: Conduct Periodic Health Checks
- Phase 5.3: Ensure Change Verification

OWASP Web Application Security Testing
- Information Gathering
- Configuration and Deployment Management Testing
- Identity Management Testing
- Authentication Testing
- Authorization Testing
- Session Management Testing
- Input Validation Testing
- Testing for Error Handling
- Testing for Weak Cryptography
- Business Logic Testing
- Client Side Testing

Automated testing tools
Code review
- Commercial: Fortify Software (HP); IBM AppScan Source; Contrast Security; etc.
- Open Source: OWASP Orizon; OWASP O2; OWASP Codecrawler; etc.
Application testing (black box)
- Commercial: IBM AppScan Standard; HP WebInspect; etc.
- Open Source: OWASP Zap; SQLMap; etc.

Training on Web Attacks

Tools available to learn web security
Please visit https://www.owasp.org/index.php/owasp_vulnerable_web_applications_directory_project