Web Application Security
20110827


Example Web Application

Architecture (diagram): web client (IE, Mozilla, etc.) -> Internet -> DMZ web server (Apache, IIS, Netscape, etc.) -> protected network app server, optional (servlet engine, J2EE server, ColdFusion, Oracle 9iAS, etc.) -> internal network database (Oracle, SQL Server, etc.).
HTTP request from the client, clear-text or SSL; HTTP reply carries HTML, JavaScript, VBScript, etc.
Web apps: Perl, C++ CGI, Java, ASP, PHP, etc.
Web server to app server transport: AJP, IIOP, T9, etc.
App to database: ADO, ODBC, JDBC, etc.

Basic Web Technology

URLs: global identifiers of network-retrievable documents.
Example: http://stanford.edu:81/class?name=cs155#homework
Protocol: http; hostname: stanford.edu; port: 81; path: /class; query: name=cs155; fragment: homework
Special characters are encoded as hex: %0A = newline, %20 = space

HTTP Request: method, file, HTTP version, headers, blank line, data (none for GET)

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Connection: Keep-Alive
Host: www.example.com

HTTP Response: HTTP version, status code, reason phrase, headers, data

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Content-Length: 2543

Some data... blah, blah, blah

Secure Socket Layer (SSL 3): client & server authentication, data integrity

SSL Handshake

1. The client sends a Hello message to the server. The message includes a list of algorithms supported by the client and a random number that will be used to generate the keys.
2. The server responds by sending a Hello message to the client. This message includes: the algorithm to use (the server selected this from the list sent by the client), and a random number, which will be used to generate the keys.
3. The server sends its certificate to the client.
4. The client authenticates the server using the server's certificate.
5. The client generates a random value ("pre-master secret"), encrypts it using the server's public key, and sends it to the server.
6. The server uses its private key to decrypt the message to retrieve the pre-master secret.
7. The client and server separately calculate the keys that will be used in the SSL session. These keys are not sent to each other because the keys are calculated based on the pre-master secret and the random numbers, which are known to each side. The keys include:
   - Encryption key that the client uses to encrypt data before sending it to the server
   - Encryption key that the server uses to encrypt data before sending it to the client
   - Key that the client uses to create a message digest of the data
   - Key that the server uses to create a message digest of the data
   The encryption keys are symmetric, that is, the same key is used to encrypt and decrypt the data.
8. The client and server send a Finished message to each other. These are the first messages that are sent using the keys generated in the previous step (the first "secure" messages). The Finished message includes all the previous handshake messages that each side sent. Each side verifies that the previous messages that it received match the messages included in the Finished message. This checks that the handshake messages were not tampered with.
9. The client and server now transfer data using the encryption and hashing keys and algorithms.
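A toy model of steps 7 and 8, added here and not part of the slides: both sides derive the same four keys from the pre-master secret and the two randoms without sending them, and the Finished MAC over the transcript fails if any earlier handshake message was altered in transit. The prf() below is a simple HMAC-SHA256 expander standing in for the real SSL/TLS PRF, and the RSA transport of the pre-master secret (steps 5 and 6) is assumed to have already happened.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: toy key derivation and Finished check.
# prf() is NOT the real SSL/TLS PRF; RSA transport of pre_master is abstracted away.

def prf(secret: bytes, label: bytes, seed: bytes, length: int) -> bytes:
    """Expand secret + seed into `length` bytes of key material (HMAC counter mode)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, label + seed + bytes([counter]), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def derive_keys(pre_master: bytes, client_random: bytes, server_random: bytes) -> dict:
    """Step 7: each side computes the same four keys locally; nothing is transmitted."""
    block = prf(pre_master, b"key expansion", client_random + server_random, 4 * 32)
    return {
        "client_enc": block[0:32],    # client encrypts data sent to the server
        "server_enc": block[32:64],   # server encrypts data sent to the client
        "client_mac": block[64:96],   # client's message-digest key
        "server_mac": block[96:128],  # server's message-digest key
    }

def finished(mac_key: bytes, transcript: list) -> bytes:
    """Step 8: Finished is a MAC over the digest of all previous handshake messages."""
    digest = hashlib.sha256(b"".join(transcript)).digest()
    return hmac.new(mac_key, b"finished" + digest, hashlib.sha256).digest()

def handshake(tamper: bool = False) -> bool:
    """Run the toy handshake; True if the server accepts the client's Finished."""
    client_random = secrets.token_bytes(32)          # step 1
    server_random = secrets.token_bytes(32)          # step 2
    pre_master = secrets.token_bytes(48)             # step 5
    transcript = [b"ClientHello" + client_random,
                  b"ServerHello" + server_random,
                  b"ClientKeyExchange"]
    client_keys = derive_keys(pre_master, client_random, server_random)
    server_keys = derive_keys(pre_master, client_random, server_random)
    assert client_keys == server_keys  # same inputs on both sides => same keys
    server_view = list(transcript)
    if tamper:  # the server received a handshake message modified on the wire
        server_view[0] = b"ClientHello" + client_random + b"X"
    client_fin = finished(client_keys["client_mac"], transcript)
    expected = finished(server_keys["client_mac"], server_view)
    return hmac.compare_digest(client_fin, expected)
```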

Mixed Content: HTTP and HTTPS

Page loads over HTTPS, but contains content over HTTP.

IE: displays a mixed-content dialog to the user. Flash files over HTTP are loaded with no warning (!). Note: Flash can script the embedding page.

Firefox: displays a red slash over the lock icon (no dialog). Flash files over HTTP do not trigger the slash.

Safari: does not attempt to detect mixed content.

Mixed content and network attacks: after login all content is served over HTTPS (and the browser shows its silly dialogs). Developer error: somewhere on the bank site, write an include of content over plain HTTP; an active network attacker can now hijack any session.
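A server-side check for the developer error just described, added here and not part of the slides: it scans an HTTPS page's HTML for active sub-resources (script, iframe, embed, object) that resolve to plain http://. The tag set, the sample HTML and the host names are constructed for the example; passive content such as images is deliberately left out.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Added example, not from the slides. Tags whose HTTP-loaded resource can run
# script in, or script, the embedding page (Flash via <embed>/<object> included).
ACTIVE_TAGS = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

class MixedContentScanner(HTMLParser):
    """Collect active sub-resources fetched over plain HTTP from an HTTPS page."""

    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE_TAGS.get(tag)
        if attr is None:
            return
        src = dict(attrs).get(attr)
        if not src:
            return
        # urljoin resolves relative and protocol-relative ("//host/x") URLs
        # against the page, so those inherit the page's scheme and pass.
        scheme = urlsplit(urljoin(self.page_url, src)).scheme
        if self.page_scheme == "https" and scheme == "http":
            self.findings.append((tag, src))

def find_mixed_content(page_url: str, html: str) -> list:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings

# Constructed page: one script and one Flash movie over HTTP, two safe includes.
SAMPLE_HTML = """
<html><body>
<script src="https://bank.example/app.js"></script>
<script src="http://cdn.example/lib.js"></script>
<script src="//cdn.example/lib2.js"></script>
<embed src="http://ads.example/banner.swf">
<img src="http://static.example/logo.png">
</body></html>
"""

if __name__ == "__main__":
    for tag, src in find_mixed_content("https://bank.example/account", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {src}")
```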

Better way to include content: serve it over the same protocol as the embedding page.

Cookies: client state

Cookies are used to store state on the user's machine. HTTP is a stateless protocol; cookies add state.
Server -> browser, in the HTTP response header: Set-cookie: NAME=VALUE; domain=(who can read); expires=(when expires); secure=(only over SSL)
Browser -> server, on later GETs: Cookie: NAME=VALUE
If expires=NULL: this session only.

Cookie authentication (browser, web server, auth server):
1. Browser: POST login.cgi with username & pwd.
2. Web server asks the auth server to validate the user; the auth server returns auth=val, which the web server stores.
3. Web server: Set-cookie: auth=val.
4. Browser: GET restricted.html with Cookie: auth=val.
5. Web server checks val with the auth server (YES/NO); if YES, it returns restricted.html.

Document Object Model

What is the DOM? The DOM is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents.

The document can be further processed and the results of that processing can be incorporated back into the presented page. Ref: http://www.w3c.org/

The DOM interface hierarchy (fundamental and extended interfaces): Node, Document, DOMImplementation, DOMException, NodeList, NamedNodeMap, CharacterData, Attr, Element, Text, Comment, CDATASection, DocumentType, Notation, Entity, EntityReference, ProcessingInstruction.

The relation graph: an XML document is read and written through the DOM by a web client-side program (e.g. JavaScript), a web server-side program (e.g. ASP) or a console program (e.g. C++, Java), producing output.

Document Object Model (DOM): object-oriented interface used to read and write docs. A web page in HTML is structured data; the DOM provides a representation of this hierarchy.

Examples. Properties: document.alinkColor, document.URL, document.forms[], document.links[], document.anchors[]. Methods: document.write(document.referrer).

Document Object Model (DOM); also Browser Object Model (BOM): Window, document, frames[], History, Location, navigator (type and version of browser).

OWASP project (http://www.owasp.org): Open Web Application Security Project. Minimum standards for web application security; international membership. Interesting projects: developing and maintaining secure web applications following the ISO17799 standard; web application assessment tools.

OWASP Top 10: unvalidated input, broken access control, broken authentication and session management, cross site scripting, buffer overflows, injection flaws, improper error handling, insecure storage, denial of service, insecure configuration management.

Hidden Field (View Source): the HIDDEN tag.

Cookie Poisoning: cookies, session cookies, session IDs.

Weak authenticators: security risk. Predictable cookie authenticator. Verizon Wireless: a counter; a user logs in, gets the counter, and can view the sessions of other users.

Weak authenticator generation [Fu et al. 01]. WSJ.com: cookie = {user, MAC_k(user)}. A weak MAC exposes k from a few cookies.

Apache Tomcat: generateSessionID() is MD5(PRNG), but with a weak PRNG [GM05]: predictable session IDs.

Don't generate your own. Use the built-in procedures: ASP, Tomcat, JServ.

Storing data on the browser? Unreliable: the user can change/clear values. Silly example: shopping cart software sends Set-cookie: shopping-cart-total = 150 ($); the user edits the cookie file (cookie poisoning): Cookie: shopping-cart-total = 15 ($).
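A server-side cookie authenticator in the {value, MAC_k(value)} form of the Fu et al. slide, added here and not part of the slides: HMAC-SHA256 with a key that never leaves the server, a constant-time check, CSPRNG session IDs instead of a home-made MD5(PRNG) scheme, and the shopping-cart-total poisoning above shown to be rejected. The cookie layout "value.tag", the key and the cart values are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Added example, not from the slides: signed cookies and server-generated
# session IDs. The server key must stay on the server; the browser only sees tags.

def new_session_id() -> str:
    """Use the platform CSPRNG instead of a home-made MD5(PRNG) scheme."""
    return secrets.token_urlsafe(32)

def sign_cookie(key: bytes, name: str, value: str) -> str:
    """Return 'value.tag' with tag = HMAC_k(name=value); binding the name too."""
    tag = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(key: bytes, name: str, cookie: str):
    """Return the value if the tag checks out, else None (constant-time compare)."""
    value, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, f"{name}={value}".encode(), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(tag, expected) else None

def cart_total_from_header(key: bytes, cookie_header: str):
    """Parse a 'Cookie:' header; accept shopping-cart-total only if unmodified."""
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        if name == "shopping-cart-total":
            value = verify_cookie(key, name, raw)
            return int(value) if value is not None else None
    return None

# Constructed server key; a real server loads this from secret storage.
KEY = b"constructed-demo-key-do-not-reuse"

if __name__ == "__main__":
    issued = sign_cookie(KEY, "shopping-cart-total", "150")
    print("Set-cookie: shopping-cart-total=" + issued)                       # $150, signed
    print(cart_total_from_header(KEY, "shopping-cart-total=" + issued))      # 150
    # Cookie poisoning as in the slide: 150 rewritten to 15, tag left as issued
    poisoned = "15." + issued.split(".")[1]
    print(cart_total_from_header(KEY, "shopping-cart-total=" + poisoned))    # None
```

The MAC makes client-side edits detectable; it does not change the slide's advice that a value like the cart total belongs in server-side session state rather than in the cookie at all.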

Similar to the problem with hidden fields. Personalization: NY Times says "Hi Fred".

Application Buffer Overflow

Picture-in-picture attacks: trained users are more likely to fall victim to this [JSTB07].

Both inner and outer windows are focused. The status bar: trivially spoofable.

PayPal

Cross Site Scripting (XSS): script, cookie.

Forceful Browsing: /client, /client/client1/data. Path Traversal (../../../). Google keyword: index of parent directory.

Hacking over SSL: NIDS and SSL. SQL Poisoning & Injections: SQL statements, database server.

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10;

SQL (ASP):
v_cat = request("category")   ' v_cat = 10;
sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
set rs = conn.execute(sqlstr)

Database: SELECT description FROM product WHERE category=10;

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10 UNION SELECT name,pwd FROM admins;--

SQL (ASP):
v_cat = request("category")   ' v_cat = 10 UNION SELECT name, pwd FROM admins;--
sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
set rs = conn.execute(sqlstr)

Database: SELECT description FROM product WHERE category=10 UNION SELECT name, pwd FROM admin;--

JavaScript Injection

JavaScript injection: session, hidden field, session invalid.
javascript:alert(document.cookie);
javascript:void(document.cookie="authorization=true");
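The productdesc.asp lookup above, rewritten in Python as an added example (not from the slides) against a constructed in-memory SQLite database: the concatenated form returns the admins row for the UNION input, while the validated, parameterised form treats the whole request value as data. The schema, the row contents and the one-column form of the UNION input (chosen so it matches the single-column SELECT) are constructed for the example.

```python
import sqlite3

# Added example, not from the slides: vulnerable concatenation beside a
# validated, parameterised query, run against a constructed SQLite database.

def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product(category INTEGER, description TEXT);
        CREATE TABLE admins(name TEXT, pwd TEXT);
        INSERT INTO product VALUES (10, 'widget'), (11, 'gadget');
        INSERT INTO admins VALUES ('admin', 'constructed-pwd');
    """)
    return conn

def vulnerable_lookup(conn, v_cat: str) -> list:
    """Mirrors the slide: the request value is pasted straight into the SQL string."""
    sqlstr = "SELECT description FROM product WHERE category=" + v_cat
    return [row[0] for row in conn.execute(sqlstr)]

def safe_lookup(conn, v_cat: str) -> list:
    """Validate the type first, then let the driver bind the value as data."""
    if not v_cat.isdigit():
        raise ValueError("category must be a non-negative integer")
    rows = conn.execute("SELECT description FROM product WHERE category=?", (int(v_cat),))
    return [row[0] for row in rows]

# The slide's UNION input, reduced to one column to match this schema's SELECT.
PAYLOAD = "10 UNION SELECT pwd FROM admins"

if __name__ == "__main__":
    conn = setup_db()
    print(vulnerable_lookup(conn, "10"))      # ['widget']
    print(vulnerable_lookup(conn, PAYLOAD))   # 'widget' plus the admins password
    print(safe_lookup(conn, "10"))            # ['widget']
    try:
        safe_lookup(conn, PAYLOAD)
    except ValueError as e:
        print("rejected:", e)
```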

Error Handling: error message, debug.

Other Modification Techniques: a proxy between the client and the web server that edits HTTP headers, e.g. Paros Proxy, or the TamperData plugin for Mozilla Firefox.

Secure Network Architecture, Secure Web Application, Vulnerability Scanner, Penetration Testing.

Secure Network Architecture: layers of firewall, IPS, monitoring, application proxy firewall.

Secure Web Applications: secure coding.

Secure Coding: input & output validation, SSL, HTML forms, cookies, HTTP REFERER header, POST & GET methods, logout mechanism, error handling.

Input & output validation: client-side script; NEVER TRUST CLIENT SIDE DATA !!! Sanity checking of tags.

HTML forms: hidden elements, SSL, GET method, POST method. Cookies: 2 kinds (persistent, non-persistent); 3 uses: user authentication, state management, saving user preferences.

Cookies: plaintext cookies, token IDs in cookies, cookie timeouts, authentication cookies checked together with headers such as User-Agent, Accept-Language, etc.
HTTP REFERER header: script attacks via the HTTP REFERER.
POST & GET methods. GET: visible in proxy, firewall and web server logs. POST: web server.
Logout mechanism: cookies and session; the session is ended.
Error Handling: error description (no system details in the error description).
Scanner and security infrastructure software: NMAP, NESSUS, OpenVAS, SQLmap.
Penetration Testing: hacker; black box testing; white box testing.