Upload
kenaz
View
44
Download
0
Embed Size (px)
DESCRIPTION
Web Application and network security. Rishabh Mehan. Saying Hello !!. To start off with the introduction lets go through few basics What is a Web Application ? Where is it Deployed ? How can it be reached ?. Web Application. Protocols. HTTP – HTTPS FTP – SFTP TCP SSH. Request Methods. - PowerPoint PPT Presentation
Citation preview
Web Application and network security
Rishabh Mehan
Saying Hello !!To start off with the introduction lets go through
few basicsWhat is a Web Application ?Where is it Deployed ?How can it be reached ?
Web Application
ProtocolsHTTP – HTTPSFTP – SFTPTCPSSH
Request MethodsGET POST
Form data encoded in the URL Data is included in the body of the request
GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1Host: www.mysite.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.mysite.com/
POST http://www.mysite.com/kgsearch/search.php HTTP/1.1Host: www.mysite.comUser-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5Accept-Language: en-us,en;q=0.5Accept-Encoding: gzip,deflateAccept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7Keep-Alive: 300Connection: keep-aliveReferer: http://www.mysite.com/
catid=1
How Request flows
Request
Response
Serverwww.mybank.com(64.58.76.230)Port: 80
Client PC(10.1.0.123)
Words of Wisdom“Every program has at least two purposes: the one
for which it was written, and another for which it wasn't.”
-Alan J. Perlis
infrastructure
Browser
Web ServersPresentation LayerMedia Store
Very complex architectures, multiple platforms, multiple protocols
Database ServerCustomer Identification Access ControlsTransaction InformationCore Business Data
Wireless
Application ServerBusiness LogicContent Services
NetworkHTTP
Web Application
Why vulnerabilities
“As an Application Developer, I can build great features and functions while meeting deadlines, but I don’t know how to develop my web application with security as a feature.”
The Web ApplicationSecurity Gap
“As a Network Security Professional, I don’t know how my companies web applications are supposed to work so I deploy a protective solution…but don’t know if it’s protecting what it’s supposed to.”
Application Developers and QA Professionals Don’t Know Security
Security Professionals Don’t Know The Applications
Common security attacks and their countermeasures
Finding a way into the network Firewalls
Exploiting software bugs, buffer overflows Intrusion Detection Systems
Denial of Service Ingress filtering, IDS
TCP hijacking IPSec
Packet sniffing Encryption (SSH, SSL, HTTPS)
Social problems Education
FirewallsBasic problem – many network applications and
protocols have security problems that are fixed over timeDifficult for users to keep up with changes and
keep host secureSolution
Administrators limit access to end hosts by using a firewall
Firewall is kept up-to-date by administrators
Firewalls
Intranet
DMZInternet
Firewall
Firewall
Web server, email server, web proxy, etc
FirewallsWhat does a firewall rule look like?
Depends on the firewall usedExample: ipfw
/sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
Other examples: WinXP & Mac OS X have built in and third party firewallsDifferent graphical user interfacesVarying amounts of complexity and power
Denial of ServicePurpose: Make a network service unusable,
usually by overloading the server or networkMany different kinds of DoS attacks
SYN floodingSMURFDistributed attacks
Denial of ServiceSYN flooding attackSend SYN packets with bogus source address
Why?Server responds with SYN ACK and keeps state
about TCP half-open connectionEventually, server memory is exhausted with this state
Solution: use “SYN cookies” In response to a SYN, create a special “cookie” for the
connection, and forget everything elseThen, can recreate the forgotten information when the
ACK comes in from a legitimate connection
Denial of Service
Denial of ServiceSMURF
Source IP address of a broadcast ping is forgedLarge number of machines respond back to victim,
overloading it
Denial of Service
Denial of ServiceDistributed Denial of Service
Same techniques as regular DoS, but on a much larger scale
Example: Sub7Server Trojan and IRC bots Infect a large number of machines with a “zombie” programZombie program logs into an IRC channel and awaits
commandsExample:
Bot command: !p4 207.71.92.193 Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000 Sends 10,000 64k packets to the host (655MB!)
Read more at: http://grc.com/dos/grcdos.htm
TCP AttacksRecall how IP works…
End hosts create IP packets and routers process them purely based on destination address alone
Problem: End hosts may lie about other fields which do not affect deliverySource address – host may trick destination into
believing that the packet is from a trusted sourceEspecially applications which use IP addresses as a
simple authentication methodSolution – use better authentication methods
TCP AttacksTCP connections have associated state
Starting sequence numbers, port numbersProblem – what if an attacker learns these
values?Port numbers are sometimes well known to begin
with (ex. HTTP uses port 80)Sequence numbers are sometimes chosen in very
predictable ways
TCP AttacksIf an attacker learns the associated TCP state for
the connection, then the connection can be hijacked!
Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original sourceEx. Instead of downloading and running new
program, you download a virus and execute it
TCP AttacksSay hello to Alice, Bob and Mr. Big Ears
TCP AttacksAlice and Bob have an established TCP
connection
TCP AttacksMr. Big Ears lies on the path between Alice and
Bob on the networkHe can intercept all of their packets
TCP AttacksFirst, Mr. Big Ears must drop all of Alice’s packets
since they must not be delivered to Bob (why?)
Packets
The Void
TCP AttacksThen, Mr. Big Ears sends his malicious packet
with the next ISN (sniffed from the network)
ISN, SRC=Alice
TCP AttacksWhat if Mr. Big Ears is unable to sniff the packets
between Alice and Bob?Can just DoS Alice instead of dropping her packetsCan just send guesses of what the ISN is until it is
acceptedHow do you know when the ISN is accepted?
Mitnick: payload is “add self to .rhosts”Or, “xterm -display MrBigEars:0”
TCP AttacksWhy are these types of TCP attacks so
dangerous?
Web server
Malicious user
Trusting web client
TCP AttacksHow do we prevent this?IPSec
Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
Packet SniffingRecall how Ethernet works …When someone wants to send a packet to some
else …They put the bits on the wire with the
destination MAC address …And remember that other hosts are listening on
the wire to detect for collisions …It couldn’t get any easier to figure out what data
is being transmitted over the network!
Packet Sniffing How can we protect ourselves? SSH, not Telnet
Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
Now that I have told you this, please do not exploit this information Packet sniffing is, by the way, prohibited by Computing Services
HTTP over SSL Especially when making purchases with credit cards!
SFTP, not FTP Unless you really don’t care about the password or data Can also use KerbFTP (download from MyAndrew)
IPSec Provides network-layer confidentiality
Application MappingCookie Manipulation Custom Application Scripting Parameter ManipulationReverse Directory TransversalBrute ForceApplication MappingCookie Poisoning/TheftBuffer OverflowSQL InjectionCross-site scripting
Web Application Vulnerabilities
Platform
Administration
Application
Known Vulnerabilities
Extension Checking Common File Checks Data Extension Checking Backup CheckingDirectory EnumerationPath TruncationHidden Web PathsForceful Browsing
Web application vulnerabilities occur in multiple areas.
What the #@$& is happening ???
XSSSQL Injection
AuthInput Valdation
File IncludeInfo Disclosure
0 5 10 15 20 25 30 35 40 45 50XSS
SQL Injec-tion
Auth
Input Valda-tion
File Include
Info Dis-closure; 3
%
%
Axis Title
Axis Title
PlatformKnown Vulnerabilities
Web Application Vulnerabilities
Platform:Known vulnerabilities can
be exploited immediately with a minimum amount of skill or experience – “script kiddies”
Most easily defendable of all web vulnerabilities
MUST have streamlined patching procedures
AdministrationExtension Checking Common File Checks Data Extension Checking Backup CheckingDirectory EnumerationPath TruncationHidden Web PathsForceful Browsing
Administration:• Less easily corrected than
known issues• Require increased awareness• More than just configuration,
must be aware of security flaws in actual content
• Remnant files can reveal applications and versions in use
• Backup files can reveal source code and database connection strings
Web Application Vulnerabilities
AdministrationAdministration
Application Programming:• Common coding techniques do not
necessarily include security• Input is assumed to be valid, but not
tested • Unexamined input from a browser can
inject scripts into page for replay against later visitors
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be ‘piggybacked’ with a hacker’s own database call, giving direct access to business data through a web browser
ApplicationApplication MappingCookie Manipulation Custom Application Scripting Parameter ManipulationReverse Directory TransversalBrute ForceApplication MappingCookie Poisoning/TheftBuffer OverflowSQL InjectionCross-site scripting
Web Application Vulnerabilities
Exampleshttp://demo.testfire.net/http://chat.wallhood.com/moving/moving/images
/
How to Secure Web Applications
Incorporate security into the lifecycleApply information security principles
to all software development effortsEducate
Issue awareness, Training, etc…
Are We still Secure ?
LOLNO
Questions ?