Network Security - ISA 656 Web Security

Similar documents
Architecture. Steven M. Bellovin October 31,

NET 311 INFORMATION SECURITY

P2_L12 Web Security Page 1

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Web Security Computer Security Peter Reiher December 9, 2014

CS 161 Computer Security

Architecture. Steven M. Bellovin October 27,

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Servers and Security

Evaluating the Security Risks of Static vs. Dynamic Websites

Web Servers and Security

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Secure Frame Communication in Browsers Review

Web Application Security. Philippe Bogaerts

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Copyright

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web


WEB SECURITY: XSS & CSRF

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

John Coggeshall Copyright 2006, Zend Technologies Inc.

CSCD 303 Essential Computer Security Fall 2017

Web Security II. Slides from M. Hicks, University of Maryland

e-commerce Study Guide Test 2. Security Chapter 10

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

MTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions

Web Security: Vulnerabilities & Attacks

CS 161 Computer Security

Information Security CS 526 Topic 11

Robust Defenses for Cross-Site Request Forgery

The security of Mozilla Firefox s Extensions. Kristjan Krips

Client Side Injection on Web Applications

Base64 The Security Killer

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Security and Privacy

CIS 4360 Secure Computer Systems XSS

Network Security - ISA 656 Review

Security Course. WebGoat Lab sessions

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Information Security CS 526 Topic 8

Vidder PrecisionAccess

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

last time: command injection

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Instructions 1 Elevation of Privilege Instructions

Installation and usage of SSL certificates: Your guide to getting it right

Finding Vulnerabilities in Web Applications

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Firewalls Network Security: Firewalls and Virtual Private Networks CS 239 Computer Software March 3, 2003

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Sichere Software vom Java-Entwickler

Application vulnerabilities and defences

CSE 127 Computer Security

Web Security: Web Application Security [continued]

CS255 Programming Project: The Authenticator

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Security & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Malware, , Database Security

Reflected XSS Cross-Site Request Forgery Other Attacks

Web Security IV: Cross-Site Attacks

Web Application Penetration Testing

Staying Safe on the Internet. Mark Schulman

Welcome to the OWASP TOP 10

Account Takeover: Why Payment Fraud Protection is Not Enough

CSCD 303 Essential Computer Security Fall 2018

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

CSE361 Web Security. Attacks against the server-side of web applications. Nick Nikiforakis

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CSCE 120: Learning To Code

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Some Facts Web 2.0/Ajax Security


Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

Progress Exchange June, Phoenix, AZ, USA 1

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Ruby on Rails Secure Coding Recommendations

Web Security: Vulnerabilities & Attacks

Security. 1 Introduction. Alex S. 1.1 Authentication

Information Security. Gabriel Lawrence Director, IT Security UCSD

Cryptography and Network Security

Web Application Vulnerabilities: OWASP Top 10 Revisited

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

SSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1

Robust Defenses for Cross-Site Request Forgery

Transcription:

Network Security - ISA 656 Angelos Stavrou October 30, 2007

Crypto () Client security Server security 2 / 45

Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on Mostly covered last time Crypto is insufficient for Web security One issue: linkage between crypto layer and applications 3 / 45

Trusting Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on What does the server really know about the client? What does the client really know about the server? 4 / 45

The Server s Client Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on What has told the server? Unless client-side certificates are used, absolutely nothing provides a secure pipe. Someone is at the other end; you don t know whom 5 / 45

How Did That Happen? Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on In theory, we could have had digitally-signed purchase orders linked to credit card accounts That would have required that Netscape, when it invented, have some way to issue client-side certificates that were linked to credit card accounts and didn t have the credit card number in the certificate Netscape couldn t have done that; only the banks could have Back in 1994, banks didn t believe in this new-fangled Internet thing (remember that until Windows 95, TCP/IP wasn t included in Windows 6 / 45

SET Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on A few years later, Visa and Master-card (and eventually Amex) tried They developed a protocol called SET (Secure Electronic Transactions) It provided client-side certificates linked to credit cards In theory, merchants wouldn t need to know (and store) credit card numbers Virtually no one used it The reasons were both technical and financial 7 / 45

The Failure of SET Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on It required client-side software Very few people install extra software Client-side certificates are hard to use what if you use several computers? There was too little financial incentive for merchants, so they couldn t give customers a discount for using SET It still permitted merchants to store credit card numbers; in fact, they were present, albeit encrypted, in the certificate Merchants use credit card numbers as customer tracking keys for databases Good crypto alone isn t sufficient! 8 / 45

Aside: The SET Root Certificate Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on Who should control the SET root certificate, used to sign the Visa, Master-card, etc., top-level certificates? (SET certified Visa et al.; they certified banks, who in turn issued customer certificates) It would be catastrophic if the root s private key were compromised Visa didn t trust Master-card, or vice-versa Solution: a sacrificial PC signed all of the second-level certificates, at which point it was physically smashed. Different organizations took home different pieces... 9 / 45

The Client s Server Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on The client receives the server s certificate. Does that help? A certificate means that someone has attested to the binding of some name to a public key. Who has done the certification? Is it the right name? 10 / 45

Who Issues Web Certificates? Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on Every browser has a list of built-in certificate authorities The latest version of Firefox has 138 certificate authorities! Do you trust them all to be honest and competent? Do you even know them all? (Baltimore Cyber-trust is listed. It sold its PKI business in 2003. Are the new owners trustworthy?) 11 / 45

Mountain America Credit Union Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on Early this year, someone persuaded a reputable CA to issue them a certificate for Mountain America, a credit union The DNS name was www.mountain-america.net It looks legitimate, but the real credit union site is at www.mtnamerica.org. (There s also www.mountainamerica.com, a Las Vegas travel site) Which site was intended by the user? 12 / 45

A Fake Certificate Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on 13 / 45

A Technical Attack Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on Usually, you shop via unencrypted pages You click Checkout (or Login on a bank web site) The next page downloaded without protection has the login link, which will use What if an attacker tampers with that page, and changes the link to something different? Will you notice? Note that some small sites out-source payment processing... 14 / 45

Conclusions on Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root Certificate The Client s Server Who Issues Web Certificates? Mountain America Credit Union A Fake Certificate A Technical Attack Conclusions on The cryptography itself seems correct The human factors are dubious Most users don t know what a certificate is, or how to verify one Even when they do know, it s hard to know what it should say in any given situation There is no rational basis for deciding whether or not to trust a given CA 15 / 45

Web Browser Security The Attackers Goals Buggy Code Why Are Browsers So Insecure? 16 / 45

Web Browser Security Web Browser Security The Attackers Goals Buggy Code Why Are Browsers So Insecure? User interface Buggy code Active content 17 / 45

The Attackers Goals Web Browser Security The Attackers Goals Buggy Code Why Are Browsers So Insecure? Steal personal information, especially financial site passwords Turn computers into bots Bots can be used for denial of service attacks, sending spam, hosting phishing web sites, etc. 18 / 45

Buggy Code Web Browser Security The Attackers Goals Buggy Code Why Are Browsers So Insecure? All browsers are vulnerable, and getting worse Browser bugs (Symantec): Browser 1H2005 2H2005 1H2006 IE 25 25 38 Firefox 32 17 47 Opera 7 9 7 Safari 4 6 12 Exposure period (Symantec): Browser 2H2005 1H2006 IE 25 9 Firefox -2 1 Safari 5 Opera 18 2 19 / 45

Why Are Browsers So Insecure? Web Browser Security The Attackers Goals Buggy Code Why Are Browsers So Insecure? Their task is complex They are dealing with many untrusted sites By definition, browser inputs cross protection domains It is likely that no browser is significantly better than any other in this regard they re all bad 20 / 45

Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? 21 / 45

Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? There s worse yet for web users: active content Typical active content: Javascript, Java, Flash, ActiveX Web pages can contain more-or-less arbitrary programs or references to programs To view certain web pages, users are told please install this plug-in, i.e., a program Given a choice between dancing pigs and security, users will pick dancing pigs every time. (Ed Felten) 22 / 45

Javascript Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? No relationship to Java originally called LiveScript (EvilScript?) Source of most recent security holes, in Firefox and IE No clear security model Crucial link in cross-site scripting attacks 23 / 45

AJAX Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? AJAX Asynchronous Javascript and XHTML Permits highly interactive web pages, i.e., Google Maps Security implications for client and server are still quite unclear (but are likely to be bad... ) 24 / 45

ActiveX Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? The biggest active content design error Over 1,000 ActiveX controls on a typical new, out-of-the box, machine Translation: over 1,000 different pieces of code that can be run by almost any web page But wait, there s more! 25 / 45

Downloading ActiveX Controls Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? Any web page can download other controls Translation: any web page can download an arbitrary piece of code to run on a user s machine The only protection is a digital signature on the downloaded code But at best that identifies the author see the previous discussion of certificates! There is no restriction on what the code can do 26 / 45

Why ActiveX? Javascript AJAX ActiveX Downloading ActiveX Controls Why ActiveX? It can be used for some very beneficial things, such as Windows Update It can be used to enhance the user s web experience, i.e., provide dancing pigs Business reasons? Tie web sites to Windows and IE? Only IE has ActiveX. This is the single biggest security difference between IE and Firefox 27 / 45

Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input 28 / 45

Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input Initial authentication is usually by password How is continuing authentication done? Two principal ways: cookies and hidden values Both have their limits Fundamental issue: both are sent by untrusted clients 29 / 45

Untrusted Clients Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input The web site is interested in identifying users (Some) users have incentive to cheat The goal of the web site is to make cheating impossible But the web site doesn t control the client software or behavior 30 / 45

Protecting Identification Information Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input After the user logs in (somehow), create a string that contains the user-id Encrypt (optional) and MAC this string, using keys known only to the server; pass the string to the client When the string is sent to the server, validate the MAC and decrypt, to see who it is Only the server knows those keys, so only the server could have created those protected strings (similar to Keberos TGT) Optional: include timestamp, IP address, etc. 31 / 45

Hidden Values Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input Protected user-id string can be embedded in the web page, and returned on clicks Embed in URLs but then they re visible in log files Make them hidden variables passed back in forms: <INPUT TYPE=HIDDEN NAME=REQRENEW> <INPUT TYPE=HIDDEN NAME=PID VALUE="2378"> <INPUT TYPE=HIDDEN NAME=SEQ VALUE="2006092800235 <P><INPUT TYPE=SUBMIT VALUE="Renew Items"><INPUT </FORM> 32 / 45

Cookies Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input More commonly used Allow you to re-enter site Are sometimes stored on user s disks 33 / 45

Protecting Data Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input authentication data is frequently unencrypted! Most sites don t want the overhead of for everything Credentials are easily stolen Usual defenses: lifetime; re-authenticate before doing really sensitive stuff 34 / 45

Sidebar: Cookies and Javascript Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input IE trusts local content more than it trusts downloaded files Content is local if it s coming from a file on the user s disk Each cookie is stored as a separate file Suppose you put a script in a cookie, and then referenced it by filename? Now you know why browsers use random characters in some of their filenames... (Partially changed by Windows XP SP2) 35 / 45

Cross-Site Scripting (XSS) Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input Problem usually occurs when sites don t sanitize user input to strip HTML Example: chat room (or MySpace or blog sites) that let users enter comments The comments can include Javascript code This Javascript code can transmit the user s authentication cookies to some other site 36 / 45

Why It Works Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input A Javascript program can only access data for the current web site But Javascript from a site can access that site s cookies Because of the XSS bug, the Javascript from that site contains malicious code It can therefore steal cookies and send them to some other site, via (say) an IMG URL 37 / 45

Sanitizing Input Untrusted Clients Protecting Identification Information Hidden Values Cookies Protecting Data Sidebar: Cookies and Javascript Cross-Site Scripting (XSS) Why It Works Sanitizing Input Very hard to do properly Whitelist instead of blacklist accept <I> instead of blocking <SCRIPT> Watch for encoding: %3C Watch for Unicode: < or < or < or < or... Probably a way to write it in octal, too Unicode is tricky see RFC 3454. What do all of your users browsers understand? 38 / 45

Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users 39 / 45

Protecting the Server Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users Servers are very tempting targets Defacement Steal data (i.e., credit card numbers) Distribute malware to unsuspecting clients 40 / 45

Standard Defenses Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users Check all inputs Remember that nothing the client sends can be trusted Scrub your site 41 / 45

Server-Side Scripts Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users Most interesting web sites use server-side scripts: CGI, ASP, PHP, server-side include, etc. Each such script is a separate network service For a web site to be secure, all of its scripts must be secure What security context do scripts run in? The web server s? How does the server protect its sensitive files against malfunctioning scripts? This latter is a particular problem with server plug-ins, such as PHP Partial defense: use things like suexec 42 / 45

Injection Attacks Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users Often, user-supplied input is used to construct a file name or SQL query Bad guys can send bogus data Example: a script that sends email collects a username and executes /usr/bin/sendmail username The bad guy supplies foo; rm -rf / as the username The actual code executed is /usr/bin/sendmail foo; rm -rf / Oops... 43 / 45

Scrubbing Your Site Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users What is really being served? Web servers often come with default scripts some of these are insecure Example: nph-test-cgi that used to come with Apache Example: proprietary documents; Google for them: filetype:pdf company confidential (By the way, many document have other, hidden data) Can Google for some other vulnerabilities, too 44 / 45

Users Protecting the Server Standard Defenses Server-Side Scripts Injection Attacks Scrubbing Your Site Users If your site permits user web pages this department? you have serious threats Are the user CGI scripts secure? Can users run PHP scripts in the browser s security context? Are all of these secure? 45 / 45

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback