web security manish mehta 04/16/03. web security problem 3 primary components server-side security...
Post on 18-Dec-2015
220 views
TRANSCRIPT
Web Security
Manish Mehta04/16/03
Web Security Problem
3 Primary Components Server-side security
- Securing Web-server and data hosted on it.
Client-side security- Securing end user’s computer. (Browser specifically)
Connection security- Securing the connection between Client
and server and information exchanged.
User’s view of Security
The remote server is owned and operated by the legitimate organization/person.
The documents returned from the server are free from dangerous viruses and malicious contents.
The remote server will not record or distribute user’s private information without user’s permission.
WebMaster’s view of security
No user can break-in to the system and alter the contents of the web-site.
No user will get access to documents that she is not privy to.
The user will not crash the server making it unavailable to use. (DoS)
If the user has identified herself, she is what she claims to be.
Both parties common view
Network connection is free from third party eavesdroppers.
The integrity of information exchanged is preserved.
Risks
To the End user- Active Contents ( Java Applets, JavaScripts, ActiveX)- Privacy Infringement (Cookies)
To the Website- Webjacking (Server modules/CGI)- Server/LAN break-ins- DoS attacks (OS/CGI holes)
Risks (Contd.)
To Both the Parties- Eavesdropping (sniffers)- Fraud (PKI)
Connection Security
Cryptography reviewed
Symmetric Cryptography- DES, 3DES, DESx, GDES, RDES- RC2, RC4, RC5- IDEA, Blowfish
PKI (Asymmetric)- RSA- El Gamal
Message digest
Generally used to help check the integrity of the data.
Algorithms- MD4 (Rivest)
- MD5 (Rivest)
- SHA (NIST)
Certificate Authorities Certificate Authorities (CAs) are Trusted Third
Parties. Root CA certificates are self-signed and are
provided with software by the vendors. Certificate Chains
- Root CA can sign another CA’s public key granting it signing authority.
- This starts certificate chain- One can walk thru the chain until he reaches
the end-user certificate.
How to get a certificate?
Generate Public/Private key pair. Send Public key and Integrity info. To CA CA verifies your identity and will generate a
certificate with your public key and other identity information.
CA generates message digest from the certificate and signs the hash value with its private key.
Now this certificate can be used to prove your identity.
Certificate Expiration and Revocation List Certificates generally expire in 1 year. Revocation list has to be checked before
starting conversation for invalid certificates (Revoked before expiration)
Master Certificate Revocation List (CRL) is impractical to maintain.
Internet Crypto Protocols
DNSSec - Secure DNS IPSec - Packet Level Encryption PCT – TCP/IP level encryption PGP – E-mail S/MIME – E-mail S-HTTP – web Browsing
Internet Crypto Protocols (Contd.)
Secure RPC – Remote Procedure Calls SET – Electronic funds SSL – TCP/IP level encryption SSH – Remote Login TLS – TCP/IP level Encryption
Roles of Cryptography
Authentication Authorization Confidentiality Integrity Non-repudiation
What Crypto Can’t do?
Protect unencrypted documents Protect against stolen key Protect against most DoS attacks Protect against records of message traffic or the
fact that message was sent. Protect against a booby-trapped encryption
program. Protect against a traitor or a mistake. Protect against a passerby.
Understanding Differences
S-HTTP v/s SSL- S-HTTP: Designed for web protocols only.- SSL: Any TCP/IP protocol can use.
SSL v/s IPSec- SSL: Change the existing software
User level authentication possible.- IPSec: No need to change the existing s/w
Machine level authentication only.
http v/s https
HTTP – Unencrypted traffic (80) HTTPS – Uses SSL (443)
What all is encrypted in https
URL of the requested document. Contents of the requested document. Contents of any submitted fill-out forms. Cookies in both directions. Contents of HTTP header.
Client Side Security
SSL at work
Look for the icon and certificate. Browser Preferences
IE: Internet Options Advanced security Netscape: Preferences SSL
Things to look for
Site name mismatch URL
Mixed pages In-line insecure forms
Certificate Revocation and Expiration Browsers generally don’t check CA’s CRL.
CA and site certificate Browsers come with several CA public keys. These public keys are self signed.
Internet options contents publishers.
Types of certificates
CA certificate Self signed Sometimes cross-certified.
Server certificate Contains public key of the server, Name of the org., DNS
name, … Personal certificate
Individual’s name, public key, e-mail, DOB, … Use : Bank account holder only case, S/MIME
Software publisher certificate To verify signature on software (eg. winzip80.exe)
Active Contents
Not just HTML, ASP, PHP; plug-ins, ActiveX, Visual Basic are also called mobile codes.
There are 2 categoriesUser runs the code ( I Love You worm)Browser runs it.
Helper Applications
They are external viewers. Real Audio, WMP (.asf, .asx) Any application can be used as helper
application. command.com for .bat files? PowerPoint can call external application.
Helper application will have its own window.
Plug-ins
Generally third party codes. Run only in the context of Browser
Window. Manually Downloaded Eg. Macromedia Flash, Adobe Buggy plug-ins can ruin your day.
ActiveX Controls (.ocx)
Think of this as a self-installing plug-in. Comes in <OBJECT> tag in HTML. It can do ANYTHING ! (raw machine code)
Plug-ins v/s Controls
Plug-ins just extend Browser capability and are installed manually.
ControlsCan upgrade your OSPerform flash upgrade to ROM BIOSProviding conventional windows applications
within a “browser” interface. INSTALLED AUTOMATICALLY !!
The <OBJECT> Tag Parameters can be specified for the controls. Eg.
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000“ codebase="http://macromedia.com/cabs/swflash.cab#version=4,0,0"
id="sidemenu" width="142" height="410"> <param name="movie" value="/sidemenu/sidemenu.swf"> <param name="quality" value="high"> <param name="bgcolor" value="#FFFFFF">
<embed name="sidemenu" src="http://manishmehta.com/sidemenu.swf" quality="high" bgcolor="#FFFFFF" width="142" height="410" type="application/x-shockwave-flash"
pluginspage="http://www.macromedia.com/shockwave/download/index.cgi?P1_Prod_Version=ShockwaveFlash">
</embed></object>
Authenticode System
For authenticity of the downloaded code. Requires “Software Publisher’s Certificate” Defines standard for digitally signing windows
executables and .CAB files. Authenticode signatures are checked by IE only
when control is downloaded from the network. Downloaded controls are stored in a directory whose contents are implicitly trusted.
Where does Authenticode fail?
If the ActiveX control contain malicious code put there without the knowledge of responsible signer.
Coding vulnerabilities (Buffer Overflow) If you have people who don’t care if you find
them later. ActiveX control erasing its own signature after
starting execution, leaving no record/proof. Forensics tasks are difficult to trace the doer.
Real-life Examples
Internet ExploderAn ActiveX controlUsed a Personal Publisher Certificate10 Sec countdown and shutdown.
Chaos Computer Club (CCC), GermanyDemo only on TV.Searched for financial software “Quicken” on
the system and transferred sums to CCC a/c.
Flash and Shockwave
A bug found in 1997 could read files from the hard disk of the client.
Java
Safe Language No malloc(), free(), over/underflows in arrays No pointers but “object references” Sophisticated exception handling
Secure Sandbox Security Manager Class Loader Byte Code verifier
Applets can crash your browser/computer. Signed Applets.
JavaScript
Intermediate between HTML and Applets/Controls.
Developed by Netscape. (MS Jscript? ) No formal Security framework was designed.
(If it ain’t broke, why fix it?) Good Thing – There is no JavaScript methods
that can directly access the files on the client computer.
JavaScript security flaws
Loss of Confidentiality and Privacy. Create and submit forms automatically. Access to browser’s “history” Upload file from user’s disk. (Are you smart?) A script running in one window can monitor the URLs
of pages in the other windows. DoS attack with CPU-intensive tasks. Windows System Attack (close 1, open 2)
DISABLE ON IMPORTANT MACHINES.
JavaScript spoofing Attacks
Username/Password pop-ups Browser status line spoofing
microsoft.co.jpmicrosoft.com.attacker.com/setup.exemicrosoft.co…/setup.exe
Web Privacy
What they know about you?
URLs of the sites you visited. (referer) Your IP address Your service Provider (Domain name) Your location, employer, e-mail, etc. Your Browser type Your surfing habits
How they know?
From Client EnvironmentBrowser VariablesCookiesLogs
From user-submitted data (Weblog)On-line Purchase/AuctionOnline Banking
What is in a Weblog?
IP address and name of the computer accessed the page.
Time Exact URL Download time HTTP Authentication (y/n?) Any errors? Referer Web Browser Type
Proxies and Anonymizers
Act as middle man. Basically used by ISPs to reduce traffic.
(Cache) Generally transparent to the end-user.
(Configure once or auto-configure) Some proxies strip the “identifying information”
from web requests, making it impossible to trace the source. (Anonymizing Proxies)
Cookies
Small text files. Original purpose was to track a client thru HTTP.
(Basically HTTP is stateless) Use (nowadays)
Shopping cart (transient) weather.com (persistent) Username/password for subscription sites. Customize sites.
Cookie Abuse
Two different domains can’t share a cookie.
Cookies contain only the information YOU gave to the web server.
Problem?If web servers collude to share info !!(doubleclick.net)
Advice for users
Choose a good service provider. Pick a good password (and don’t write it !) Clean-up the system yourself
Browser cache (temp. Internet files)CookiesHistory
Use Anonymizer if possible.
Advice for Webmasters
Draft a written Privacy PolicyComplete AnonymityUser’s identity recorded for in-house use only Info. Shared with selected sites.Cookies used to track uses anonymouslyBig Brother is watching
Keep yourself updated with legal issues.
Server side Security
Security Aspects for Server
Physical Security Host (OS) security Web application Security Deploying SSL Web Service
Physical Security
Locked Server (Floppy reboot) Locked Server room (Unplug) Dust, Temperature, Humidity Fire, earthquake, lightning Safe cabling/ network connections/ sniffers Sanitizing media Unattended terminals (Auto-logout/Scr. Savers)
Host (OS) Security
Minimize services (BIND and httpd) Keep abreast of new vulnerabilities. Use of Security tools
Snapshot tools (COPS, NAT) Change-detecting tools (Tripwire) Network scanning programs Intrusion Detection Systems Virus Scanners Logging tools
Firewalls (port 80 and 443)
Securing Web Applications
Web servers are fine applications for static contents.
For Dynamic contents, use Extended Support (Web-applications)
4 primary techniques to create web-apps. CGI Plug-ins, loadable modules and APIs Embedded scripting languages (ASP, PHP) Embedded Web-server
Deploying SSL
Know the purpose to deploy SSL Decide the private key location Decide on just SSL or Dual mode. Test system on self-signed certificate Get CA certificate
Securing Web Service
Main objective is Reliable web service.
Know the price & performance v/s redundancy Protect your DNS Protect your Domain Registration
Safe CGI Scripting and Server Modules (SM) Both are executable programs with access
to file system, network and hardware devices as any other program on the host.
Parameters are passed to the programs either in URL or by POST method.
Server modules = CGI + Access to web server’s data structure and internal functions.
Common CGI/SM holes
Misuse of interpreters as CGI scriptsPerl, command.com, Java, TCL, PHP
Flawed memory managementStatically allocated memory (buf[255])
Passing user inputs without validation to command interpreters./bin/mail –s ‘Test’ [email protected]; cat /etc/passwd
Common CGI/SM holes (contd.)
Opening files based on unchecked user input ../../../etc/passwd
Writing unchecked user inputs to diskUser inputs with HTML tags in it.
Access Control
Hidden URLs Host-based (firewall) Domain-based Identity-based (user/pass, smart card) Client certificates (bank) Network security protocols (Kerberos)
Remote Authoring
Main ways to give authors access to the server.Network log-on (telnet, ssh, PcAnywhere)File Sharing (NFS)FTP Access (SSH+FTP ?)Web-server publishing Extensions
HTTP PUT,DELETE Frontpage remote web management tool.
Remote Administration
Via Remote Login (telnet, ssh) Via RPC Via Web-browser (IIS)
Reverse Proxy
Web Server behind firewall. Incoming requests are forwarded by the
firewall. Performance?
What we didn’t discuss
Client-side certificates Code Signing (Authenticode) Legal Issues. Firewall Configuration.
Conclusion
There is no single “Silver bullet” for web security. There are lot of aspects to be considered to achieve higher web security. New technologies provide better features, but they are also adding more permutations to the pool of web security threats.
References
Web Security, Privacy and Commerce, 2nd Editionby Simson Garfinkel Publisher: O'Reilly & Associates; 2nd edition (2002) ISBN: 0596000456
Web Security: A Step-By-Step Reference Guideby Lincoln D. SteinPublisher: Addison-Wesley Pub Co; (1997) ISBN: 0201634899
Questions ?
Thank you !