ladd van tol senior software engineer security on the web part one - vulnerabilities
TRANSCRIPT
Ladd Van TolSenior Software Engineer
Security on the Web
Part One - Vulnerabilities
•Client•Browser•Operating System•Secondary Software
•Server•Web Server•Operating System•Secondary Software
•Network•Protocol•Transport
Vulnerabilities
•Web Browsers•Internet Explorer > 90% market share•Mozilla Derivatives < 5% market share
•Operating Systems•Windows > 90% market share•Macintosh < 5% market share•Linux < 1% market share
•Secondary Software•Email clients•Browser add-ons
Types of Clients
•HyperText Transfer Protocol (HTTP)•versions 1.0, 1.1•stateless TCP/IP protocol•cookies•basic authentication features•transfer encodings•keep-alive, pipelining
•Secure Socket Layers (SSL)•encrypts connections•identity verified by server certificate•certificate issued by certification
authority
Browser Protocol
•HTML rendering•HTML 1.0, 2.0, 3.2, 4.01, XHTML 1.0,
1.1•XML + XSL•CSS 1.0, 2.0
•Embedded Dynamic Features•JavaScript, Java, ActiveX•Media Players, other Plug-Ins
Browser Content
•Social engineering•Spoofing•Can exploit DNS, or look-alike URLs
•Embedding Weaknesses•Java, ActiveX security policy•Plug-in Security Policy
•Buffer overflows•Can affect browser, OS, or add-on
software•Could be “remote root exploit”
Client Vulnerabilities
•Scripting Weaknesses•JavaScript security policy
•Cross site scripting (XSS) Attacks•Targeted towards personal info site•Often exploits unfiltered user input
(comment areas, forums, etc)•Inject malicious scripts which can steal
cookies/other info
Client Vulnerabilities
•Privacy Policies•Cookies•Usage tracking•Browser control over advertising•Content Filtering
Privacy/Content
•Estimated 35 million servers on the web•Includes virtual hosts
•Apache•Microsoft IIS*•Sun ONE*
Types of Servers
© 2003, Netcraft
*Business sites more likely using commercial servers
•Linux, BSD variants•Windows flavor-of-the-week•Solaris, other high-end Unixes
Operating Systems
•Database Servers•MySQL, SQL Server, Oracle, DB2
•Web Applications•Implementation platforms•Scripting•PHP, Perl, Python, ASP, JSP, XSP
•Java Frameworks•J2EE, WebSphere, WebLogic,
WebObjects•Other Frameworks•.NET
Secondary Services
•Exploitable Web Applications•Source of many serious targeted exploits•Invalidated Parameters•Broken Access Control•Session Hijacking•Cross-Site Scripting Flaws•Command Injection Flaws•Error Handling Problems•Insecure Use of Cryptography•Remote Administration Flaws•Web and Application Server
Misconfiguration
Server Vulnerabilities
•Other attacks•Denial of Service•Remote Root Exploits•Network Topology, Protocols•Worms•Limited ability to enforce acceptable
use policies
Server Vulnerabilities
•IIS Vulnerability, worm deployed July, 2001•Distributed denial of service (DDOS) attack
Worm ExampleCode Red
•Internet uses TCP/IP, UDP•Connected Networks•Routers•Domain Name Servers (DNS)•Firewalls•Virtual Private Networks (VPN)
•Proxy Servers•Load Balancers
Networks
•Availability•Attacks on key routers•Attacks on DNS
•Confidentiality•Sniffing clear-text traffic
Network Vulnerabilities
• W3 Consortium - http://w3c.org
• w3schools browser stats - http://www.w3schools.com/browsers/browsers_stats.asp
• Thawte - http://thawte.com
• Cross-site scripting FAQ - http://www.cgisecurity.com/articles/xss-faq.shtml
• Netcraft Web Server Survey - http://netcraft.co.uk/survey/
• CERT - http://www.cert.org/
• CAIDA Analysis of Code Red - http://www.caida.org/analysis/security/code-red/
• OWASP Top 10 Vulnerabilities - http://www.serverwatch.com/news/article.php/1568761
• Personal experience, 3+ years at:
• MacFixIt.com
• MacCentral.com
• VersionTracker.com
Bibliography