IST 210 Web Application Security

Upload: sabrina-wilkins

Post on 29-Dec-2015


Page 1: IST 210 Web Application Security. IST 210 Introduction Security is a process of authenticating users and controlling what a user can see or do

IST 210 Web Application Security

Page 2: Introduction

Security is a process of authenticating users and controlling what a user can see or do.

Page 3: 3-tier architecture

[Diagram: Web Browser -> Web Server -> DB Server]

Page 4: Some Internet Security Protocols

Application Layer Security: electronic mail security with PGP (Pretty Good Privacy) and S/MIME (Secure Multi-Purpose Internet Mail Extensions)

Transport Layer Security: SSL/TLS (Secure Sockets Layer/Transport Layer Security), SSH (Secure Shell)

Network Layer Security: IP Security (IPsec)

Infrastructure protection: DNSSEC (DNS Security Extensions), SNMPv3 security (Simple Network Management Protocol Version 3)

Page 5: How do you measure security?

Does 128-bit encryption make you feel safer?

Page 6: The client

Common web browser

Communicates with the server using HTTP (PUT, POST, GET)

HTML markup language for the layout of pages

Scripting languages built into the client to control client-side content and communication with the server dynamically

Cookies to store state

Page 7: The server

Analyses HTTP requests from the client and responds accordingly: either sends a plain HTML page, or processes the query data and sends back a dynamically produced page to the client.

Page 8: The web server

Common examples: Apache, IIS.

These servers and their hosts have their own security problems.

Server-side programming: Perl, ASP (JScript/VBScript), PHP, C

Page 9: The DBMS

SQL DBMS: Microsoft SQL Server, Oracle, MySQL, DB2

These DBMSs also have their own security problems.

Page 10: Attacks on the server

Using "out of the box" security holes to gain escalated privileges, or to execute commands on the server.

Make the server do something it is not supposed to do.

Examples: ColdFusion, Showcode.asp, FrontPage, etc.

Page 11: Attacks through holes found using a common security scanner

Scanners simply request a fixed file name to see whether the file exists or not.

Assumes that exploitable files/servers have not been patched; can bring false positives.

Old techniques, but effective. EASY to protect against.
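The scanner behaviour described on this slide leaves a distinctive trace in the web server log: one client asking for many different fixed file names and receiving mostly 404s. The following is an added example, not code from the slides or the course, showing a detection pass over constructed Apache/IIS-style combined log lines; the IP addresses, paths and thresholds are made up for illustration.

```python
# Added example (not from the IST 210 slides): flag clients whose requests
# look like file-existence probing. A scanner asks for a list of fixed file
# names and reads the 404/200 answers, so a single source with many distinct
# 404 paths in a short span is the signal a defender can alert on.
import re
from collections import defaultdict

# Constructed sample log lines (combined log format); addresses are
# documentation ranges and the probe paths are invented.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2015:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2015:13:55:37 +0000] "GET /about.html HTTP/1.1" 200 1045
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /probe-a.asp HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:01 +0000] "GET /probe-b.asp HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:02 +0000] "GET /probe-c.cgi HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:02 +0000] "GET /probe-d.cfm HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:03 +0000] "GET /probe-e.pl HTTP/1.0" 404 210
198.51.100.9 - - [10/Oct/2015:13:56:03 +0000] "GET /index.html HTTP/1.0" 200 2326
203.0.113.7 - - [10/Oct/2015:13:57:10 +0000] "GET /missing.html HTTP/1.1" 404 210
"""

# client ip, ident, user, [timestamp], "METHOD path version", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, path, status) for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("path"), int(m.group("status"))


def find_probing_clients(log_text, min_404_paths=4, min_404_ratio=0.5):
    """Return {ip: {"distinct_404": n, "total": t}} for clients that requested at
    least min_404_paths distinct non-existent paths and whose 404s make up at
    least min_404_ratio of their requests. Counting distinct paths (not raw
    404s) keeps a browser retrying one broken link from being flagged."""
    per_ip = defaultdict(lambda: {"total": 0, "paths_404": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, path, status = parsed
        rec = per_ip[ip]
        rec["total"] += 1
        if status == 404:
            rec["paths_404"].add(path)

    flagged = {}
    for ip, rec in per_ip.items():
        distinct_404 = len(rec["paths_404"])
        if distinct_404 >= min_404_paths and distinct_404 / rec["total"] >= min_404_ratio:
            flagged[ip] = {"distinct_404": distinct_404, "total": rec["total"]}
    return flagged


if __name__ == "__main__":
    for ip, info in find_probing_clients(SAMPLE_LOG).items():
        print(f"possible scanner: {ip} ({info['distinct_404']} distinct 404 paths of {info['total']} requests)")
```

The thresholds are deliberately conservative so that a browser following a handful of stale links is not reported; on a real server you would tune them against a baseline of normal 404 volume and add a time window.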

Page 12: Attacks on out-of-the-box applications

Attacker can set up and audit the application in their own environment.

If one goes down, they all do.

Targets of common scanners.

Page 13: Attacks on custom applications

More difficult to audit. "Black box" auditing techniques look for common stupid mistakes.

Page 14: Case one

IIS security hole used to view ASP scripts. Database settings extracted. SQL Server live to the Internet. Information from server-side scripts used to connect to the server.
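The chain in case one only works because the database settings sit inside the server-side scripts, so whoever can read the script source can read the connection details. An internal audit (slide 18) can catch this before an attacker does. Below is an added example, not code from the slides or the course, that scans constructed ASP and PHP script text for embedded connection-string passwords and password literals, and shows the pattern the fixed script should use instead; the file names, variable names and secret values are made up.

```python
# Added example (not from the IST 210 slides): an audit check for database
# credentials embedded in server-side scripts, plus the environment-based
# pattern that replaces them.
import re

# Constructed sample script contents; file names and secrets are invented.
SAMPLE_FILES = {
    "db_connect.asp": (
        'Set conn = Server.CreateObject("ADODB.Connection")\n'
        'conn.Open "Provider=SQLOLEDB;Data Source=db1;User ID=app;Password=Summer2015;"\n'
    ),
    "config.php": (
        "<?php\n"
        "$dsn = 'mysql:host=db1;dbname=shop';\n"
        "$user = 'app';\n"
        "$password = 'hunter2';\n"
    ),
    "safe.php": (
        "<?php\n"
        "$password = getenv('DB_PASSWORD');\n"  # secret supplied by the environment, not the file
    ),
}

# Two shapes of embedded secret: a Password=/Pwd= pair inside a connection
# string (no spaces around '='), and a string literal assigned to a
# password-like variable. A value read from the environment matches neither.
CONNECTION_STRING_PW = re.compile(r"(?i)\b(?:password|pwd)=([^;\"']+)")
LITERAL_ASSIGNMENT_PW = re.compile(r"(?i)\$?\w*(?:password|passwd|pwd)\w*\s*=\s*[\"']([^\"']+)[\"']")


def find_hardcoded_secrets(files):
    """Return a list of (file name, line number, kind) for each embedded secret.
    The secret value itself is deliberately not returned, so the audit
    report does not become another copy of the password."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), start=1):
            if CONNECTION_STRING_PW.search(line):
                findings.append((name, lineno, "connection-string"))
            elif LITERAL_ASSIGNMENT_PW.search(line):
                findings.append((name, lineno, "literal-assignment"))
    return findings


def load_db_settings(env):
    """The pattern the fixed script follows: host and user may live in
    configuration, but the password must come from the process environment
    and the application refuses to start without it."""
    password = env.get("DB_PASSWORD")
    if not password:
        raise RuntimeError("DB_PASSWORD is not set; refusing to fall back to a built-in default")
    return {
        "dsn": env.get("DB_DSN", "mysql:host=db1;dbname=shop"),  # hypothetical defaults
        "user": env.get("DB_USER", "app"),
        "password": password,
    }


if __name__ == "__main__":
    for name, lineno, kind in find_hardcoded_secrets(SAMPLE_FILES):
        print(f"{name}:{lineno}: embedded database secret ({kind})")
```

Moving the password out of the file does not help if the environment is dumped into an error page or a directory listing, so the check is one part of a larger setup review rather than a complete fix.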

Page 15: Case two

ASP not filtering input, so the SQL query could be manipulated directly. Manipulating the SQL query extracts a valid cookie and creates the password.

Page 16: The problems?

Unfiltered user input: user data is not checked and can be crafted to manipulate processing on the server to reveal file contents, or to bypass checks and gain access.

Backdoor straight to the Crown Jewels.
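Case two (slide 15) and the "unfiltered user input" problem (slide 16) come down to one defect: user data is pasted into the SQL text, so a quote character in the input changes the shape of the query instead of being treated as data. The following is an added example, not code from the slides or the course, that puts the defective login check beside the parameterized version and runs both against the same inputs on an in-memory SQLite table; the table, the user record and the crafted input are constructed for the demonstration.

```python
# Added example (not from the IST 210 slides): the same login check written
# with string concatenation (the slide's "ASP not filtering input") and with
# placeholders, so the difference in behaviour on crafted input is visible.
import sqlite3


def make_demo_db():
    """Constructed in-memory users table. Plaintext passwords are used only to
    keep the demonstration short; a real table stores a salted hash."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_unfiltered(conn, username, password):
    # Defective: user data becomes part of the SQL text. A single quote in the
    # input terminates the string literal and the rest of the input is parsed
    # as SQL, so the WHERE clause no longer means what the developer wrote.
    sql = (
        "SELECT COUNT(*) FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Fixed: the query text is constant and the driver binds the values, so the
    # input can only ever be compared against the column, never executed.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Constructed test input containing a quote, of the kind a black-box audit
# (slide 13) feeds to every input field to see whether it reaches the query.
CRAFTED = "' OR '1'='1"


def demo():
    """Run both versions against a valid, a wrong and a crafted password."""
    conn = make_demo_db()
    return {
        "unfiltered_valid": login_unfiltered(conn, "alice", "correct-horse"),
        "unfiltered_wrong": login_unfiltered(conn, "alice", "wrong"),
        "unfiltered_crafted": login_unfiltered(conn, "alice", CRAFTED),
        "parameterized_valid": login_parameterized(conn, "alice", "correct-horse"),
        "parameterized_wrong": login_parameterized(conn, "alice", "wrong"),
        "parameterized_crafted": login_parameterized(conn, "alice", CRAFTED),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'login accepted' if accepted else 'rejected'}")
```

The concatenated version accepts the crafted password because the clause it builds is `username = 'alice' AND password = '' OR '1'='1'`, which is always true; the parameterized version compares the whole crafted string against the stored password and rejects it. Parameterization fixes the query-structure problem outright, which is why it is preferred over trying to filter quote characters out of input; input validation is still worthwhile for the other uses of the data (file names, output encoding) that slide 16 mentions.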

Page 17: The enablers

Reliance on cryptography for security

Security through obscurity

Poor development

Poor experience

Limited resources

Awareness

Monitoring and plan

Page 18: The solution(s)

Good initial setup

Programming practices

Internal audits

Awareness

Updates, patches and hotfixes

Page 19: The solution(s)

Intrusion detection

Network design

System architecture

Page 20: Security analogy

Moat / Main Gate: outer perimeter, controlling castle access.

Inner Perimeter: stronghold; higher walls produce a containment area between the inner and outer perimeters.

Keep: last building in the castle to fall.

Page 21: Internet security

[Diagram: the castle analogy applied to a network. Internet -> Outer Perimeter (DMZ) -> Internal Firewall -> Internal Network (Inner Perimeter Stronghold) -> Mission Critical Systems (the Keep, holding the Crown Jewels).]