Learning Objectives
Discuss general application security
Discuss web service / e-commerce security
[Discuss e-mail security]
Applications Security Issues
Few operating systems, but many applications. Because operating systems are hardened, most attacks target applications installed on servers.
Most applications run with administrative or superuser (root) privileges.
Securing applications is challenging.
[Figure: layered stack. Computer hardware; operating system; web service software (IIS, Apache, ...), web browser, photo editors, movie maker, productivity software, etc.; client and server application programs.]
Which of the following is true about Application Security?
If a server application (or service) is no longer needed, it should be turned off
Fewer applications on a computer, fewer attack opportunities
Use good security baselines to install and configure apps
Do not install applications centrally using group policies
Add application layer authentication by requiring users to provide credentials to run application programs
Implement cryptographic authentication for sensitive apps
If a server application (or service) is no longer needed, it should be removed
Do not turn on each application's automatic update checking
Applications and Buffer Overflow
Buffer overflow is the biggest issue in application coding.
Buffer overflows lead to buffer overflow attacks.
Buffers are RAM areas where data is stored temporarily.
If an attacker sends more data than the programmer allocated to a buffer, the buffer might overflow, overwriting an adjacent section of RAM.
[Figure: RAM laid out as Buffer1 through Buffer7.]
Buffer Overflow Attack
Occurs when ill-written programs allow data destined for a memory buffer to overwrite adjacent memory that contains instructions.
If the data contains malware, the malware could run and cause a DoS.
Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure, two frames: a six-cell buffer (1-6) next to the program's instructions ("Run Program", "Accept input"). In the second frame the input "A B C D E F LET JOHN IN WITHOUT PASSWORD" fills the six cells and spills into the instruction area.]
Stack Entry and Buffer Overflow
Stack entry: data buffer and return address.
[Figure: a stack entry holding a return address and a data buffer; steps 1. write return address, 2. add data to buffer, 3. direction of data writing, 4. overwrite return address, 5. start of attacker data.]
When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries.
The called subprogram may add data to the buffer to the point that it overwrites the return address.
If the added buffer data is attack code, this is a buffer overflow attack.
http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/
Preventing Buffer Overflow
Use language tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, C++, Assembly, etc.). However, this is usually not possible or practical because almost all modern OSes are written in the C language.
Eliminate the use of flawed library functions like gets(), strcpy, and strcmp that fail to check the length or bounds of their arguments.
Design and build security within code.
Use source code scanning tools. Example: the PurifyPlus software suite can perform a dynamic analysis of Java, C, or C++ source code.
// replace the following line
strcpy(buffer2, string2);
// with a bounded copy
strncpy(buffer2, string2, 8);
For instance, this simple change informs strncpy() that it only has an eight-byte destination buffer and that it must stop the raw copy at eight bytes.
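The bounded copy above has a well-known pitfall: strncpy() does not NUL-terminate the destination when the source is at least as long as the bound. The following added example (not from the slides) shows that pitfall next to a bounded copy that always terminates and reports truncation; the function names and the eight-byte buffer are constructed for illustration, and the input string is the slide's own example data.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8  /* the eight-byte destination buffer from the slide */

/* Bounded copy that always NUL-terminates and reports truncation.
 * Returns the number of source bytes that did not fit (0 = fit). */
size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                  /* guaranteed terminator */
    return srclen - n;
}

/* Demonstrates the strncpy() pitfall on an eight-byte buffer.
 * Returns 1 if strncpy left the buffer without a terminator
 * (src had BUF_SIZE or more bytes), 0 if dst is a valid string. */
int strncpy_left_unterminated(const char *src)
{
    char dst[BUF_SIZE];
    strncpy(dst, src, sizeof dst);  /* pads with NUL only if src is short */
    return memchr(dst, '\0', sizeof dst) == NULL;
}

/* Constructed helper: copy src into an eight-byte buffer with
 * bounded_copy and return the dropped byte count; the copied text
 * is left in demo_buf for inspection. */
static char demo_buf[BUF_SIZE];
size_t demo_copy(const char *src)
{
    return bounded_copy(demo_buf, sizeof demo_buf, src);
}

int main(void)
{
    /* Constructed input: the slide's example data (35 bytes). */
    const char *string2 = "ABCDEF LET JOHN IN WITHOUT PASSWORD";
    size_t dropped = demo_copy(string2);
    printf("bounded copy: \"%s\" (%zu bytes dropped)\n", demo_buf, dropped);
    printf("strncpy left buffer unterminated: %d\n",
           strncpy_left_unterminated(string2));
    return 0;
}
```

Prefer the bounded_copy pattern (or snprintf) over strncpy whenever the destination must remain a valid C string.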
Webservice & E-Commerce Apps
Web applications could be the target of many types of attacks, such as:
Directory browsing
Traversal attacks
Web defacement
Using an HTTP proxy to manipulate the interaction between client and server
IIS IPP buffer overflow
Browser attacks
Time configuration
Web Sites' Directory Browsing
Web server with directory browsing disabled: the user cannot get access to the list of files in a directory by knowing or guessing directory names.
Web Site with Directory Browsing
Web server with directory browsing enabled: the user can get access to the list of files in a directory by knowing or guessing directory names.
Traversal Attack
Normally, paths start at the WWW root directory.
Adding ../ (Windows) or ..\ (Unix) in an HTTP request might take the attacker up a level, out of the WWW root directory.
Example: http://website.com ../../
Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../
If the attacker traverses to the Command Prompt directory in Windows 2000 or NT, he can execute any command with system privileges.
Traversal Attacks (Cont.)
Preventing traversal attacks:
Companies filter out ../ and ..\ using URL scanning software.
Attackers respond with hexadecimal and Unicode representations for ../ and ..\.
ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions
Name                Character  Code     Decimal  Binary    Hex
Null                NUL        Ctrl @   0        00000000  00
Start of Heading    SOH        Ctrl A   1        00000001  01
Space                                   32       00100000  20
Exclamation Point   !          Shift 1  33       00100010  22
Plus                +          Shift =  43       00101011  2B
Period              .          .        46       00101110  2E
Forward Slash       /          /        47       00101111  2F
Tilde               ~          Shift '  126      01111110  7E
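Filtering the literal strings ../ and ..\ is defeated by the encodings the slide mentions, so the check has to run on the decoded, resolved path rather than on the raw request. The following added example (not from the slides) decodes percent escapes repeatedly, treats both slash styles as separators, and rejects any request whose resolved path climbs above the web root; the function names and the sample paths in the accompanying checks are constructed, except the EIU path, which is the slide's own example.

```c
#include <ctype.h>
#include <string.h>

static int hexval(int c)            /* value of a hex digit, or -1 */
{
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode %XX escapes in place (one pass). Returns the new length, or -1
 * if an escape would inject a NUL byte, which a filter should reject. */
static int percent_decode(char *s)
{
    char *w = s;
    for (char *r = s; *r; r++) {
        int hi = hexval((unsigned char)r[1]), lo = -1;
        if (*r == '%' && hi >= 0 && (lo = hexval((unsigned char)r[2])) >= 0) {
            if (hi == 0 && lo == 0) return -1;
            *w++ = (char)(hi * 16 + lo);
            r += 2;                     /* skip the two hex digits */
        } else *w++ = *r;
    }
    *w = '\0';
    return (int)(w - s);
}

/* Returns 1 if request_path stays inside the web root once decoded and
 * resolved, 0 if it escapes or is malformed. Decoding repeats until the
 * string stops changing, so double-encoded dots (%252e) are caught, and
 * both '/' and '\' count as separators. */
int path_stays_in_root(const char *request_path)
{
    char buf[512];
    if (strlen(request_path) >= sizeof buf) return 0;
    strcpy(buf, request_path);          /* safe: length checked above */
    int before, after = (int)strlen(buf);
    do { before = after; after = percent_decode(buf); }
    while (after > 0 && after != before);
    if (after < 0) return 0;            /* escape would inject a NUL */
    int depth = 0;                      /* directories below the root */
    for (char *seg = strtok(buf, "/\\"); seg; seg = strtok(NULL, "/\\")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) { if (--depth < 0) return 0; }
        else depth++;
    }
    return 1;
}
```

This example handles percent escapes only; a server must apply the same check after every decoding layer its stack performs (its own URL decoder, UTF-8 and Unicode handling) and on the final filesystem path it opens.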
Website Defacement
Taking over a web server and replacing normal web pages with hacker-produced pages.
The effect could last because ISPs cache popular web sites.
Examples of recent website defacements:
ATTRITION Web Page Hack Mirror: http://attrition.org/mirror/
Zone-H web site for most recent attacks: http://www.zone-h.org (check Onhold and Archive)
Manipulating HTTP Requests
Attackers use proxies to manipulate communications between browsers and web servers.
Example using WebScarab.
IIS IPP Buffer Overflow
The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks.
The jill.c program was developed to launch the attack using:
GET NULL.printer HTTP/1.0
Host: 420-byte jill.c code to launch the command shell
The IIS server responds by launching the command shell (C:\WINNT\SYSTEM32\>), giving the attacker SYSTEM privileges.
IIS IPP Buffer Overflow (cont.)
Link to jill.c code
Code compilable using gcc jill.c -o jill on Linux.
Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.
Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc
Browser Attacks
Malicious links: the user must click on them to execute (but not always).
Common extensions are hidden by default in some operating systems: attack.txt.exe appears to be attack.txt.
Browser Attacks (Cont.)
Common attacks:
Redirection to an unwanted web page
Scripts might change the registry or the home page
Some scripts might "trojanize" your DNS error-handling routine when you mistype a URL
Pop-up windows
Web bugs, i.e. links that are nearly invisible, can be used to track users at a website
Domain names that are common misspellings of popular domain names: Microsoff.com, www.whitehouse.com (a porn site)