Application Security: Web service and E-Mail (April 11, 2011) © Abdou Illia – Spring 2011

Application Security: Web service and E-Mail

(April 11, 2011)

© Abdou Illia – Spring 2011


Learning Objectives

Discuss general application security

Discuss web service / e-commerce security

Discuss e-mail security


General Applications Security Issues



Applications Security Issues

Few operating systems but many applications

Because operating systems are hardened, most attacks target the applications installed on servers.

Many applications run with administrative or super-user (root) privileges.

Securing applications is challenging.

Buffer Overflow Attacks

Most widespread vulnerabilities in application programs

Buffers are RAM areas where data is stored temporarily

If an attacker sends more data than the programmer had allocated to a buffer, a buffer might overflow, overwriting an adjacent section of RAM

[Figure: RAM divided into adjacent areas Buffer1 through Buffer7]


Buffer Overflow

The overflowsample function:

Declares a buffer array capable of holding eight ASCII characters

Places the buffer in an initialization loop

The loop force-feeds 15 "x" into the buffer array through a programming error

Only 8 "x" could fit; nine "x" must spill over

A function written in C:

    void overflowsample(void)
    {
        char buffer1[8];              /* room for eight characters */
        int I;
        for (I = 0; I < 16; I++) {    /* the loop bound exceeds the buffer size */
            buffer1[I] = 'x';         /* writes past the end of buffer1 */
        }
    }

When the program is run, what will be the value of buffer1[3]? _____ buffer1[15]? _____ What would happen?

a) The part of the function's code designed to check the bounds of the array will prevent any error from happening.

b) The program will generate an error and terminate.


Buffer Overflow

    #include <stdio.h>
    #include <string.h>

    char *get_password(char *name);   /* looks up the user's stored password; defined elsewhere */
    void permit(void);                /* grants access; defined elsewhere */
    void authenticate(char *string1, char *string2);

    int main(void)
    {
        char name[8];
        char etc_passwd[8];
        char password[8];

        // retrieve the user information
        printf("Enter your name:");
        gets(name);                                 /* no bounds check on name */
        strcpy(etc_passwd, get_password(name));     /* no bounds check on the stored password */
        printf("Enter your password:");
        gets(password);                             /* no bounds check on password */
        printf("Your name and password entries were %s and %s.", name, password);
        printf("The password for %s in the /etc/shadow file is %s", name, etc_passwd);

        // call procedure to check login authorization
        authenticate(password, etc_passwd);
        return 0;
    }

    void authenticate(char *string1, char *string2)
    {
        char buffer1[8];
        char buffer2[8];
        strcpy(buffer1, string1);   /* copies without regard to the 8-byte limit */
        strcpy(buffer2, string2);
        if (strcmp(buffer1, buffer2) == 0)
            permit();
    }


Buffer Overflow


Stack Entry and Buffer Overflow

[Figure: a stack entry holding a data buffer and the return address; 1. write return address, 2. add data to buffer, 3. direction of data writing, 4. overwrite return address, 5. start of attacker data]

When a program must put one subprogram on hold to call another, it writes the return address into a RAM area called a stack entry

The called subprogram may add data to its buffer until the data overwrites the return address

If the added buffer data is attack code, this is a buffer overflow attack

http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/


Buffer Overflow Attack

Occurs when an ill-written program allows data destined for a memory buffer to overwrite the adjacent memory that contains instructions.

If the data contains malware, the malware could run and, for example, create a DoS

Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD


[Figure: six buffer cells (1-6) followed by the instruction area (Print, Run Program, Accept input). After the input above, cells 1-6 hold A B C D E F and the overflow "LET JOHN IN WITHOUT PASSWORD" has replaced the instructions adjacent to the buffer]


Preventing Buffer Overflow

Use language tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, C++, Assembly, etc.). However, this is usually not possible or practical because almost all modern OSes are written in the C language.

Eliminate the use of flawed library functions like gets(), strcpy, and strcmp that fail to check the length or bounds of their arguments.

Design and build security within code

Use source code scanning tools. Example: the PurifyPlus software suite can perform a dynamic analysis of Java, C, or C++ source code.

    // replace the following line
    strcpy(buffer2, string2);
    // by
    strncpy(buffer2, string2, 8);

For instance, this simple change informs strncpy() that it only has an eight-byte destination buffer and that it must discontinue the raw copy at eight bytes.
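The bounded copy above has a practitioner's caveat: strncpy() does not NUL-terminate the destination when the source is eight bytes or longer, and silently truncating a password before comparing it means a long input can match a short stored value. The following added example (not the slide's code) shows a hardened counterpart of the slide's authenticate() and overflowsample() that derives every limit from the buffer size, always terminates the string, and rejects over-long input instead of comparing a truncated copy. safe_copy, authenticate_safe and fill_checked are names chosen for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same eight-byte buffers as the slide's examples */

/* Bounded copy that always NUL-terminates. Unlike strncpy(), it reports
   truncation, so the caller can refuse over-long input instead of comparing
   a silently cut-down value. Returns 1 if src fit, 0 if it was truncated. */
int safe_copy(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    int fits = len < dst_size;
    size_t n = fits ? len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return fits;
}

/* Hardened counterpart of the slide's authenticate(): same comparison, but
   input that does not fit the 8-byte buffers is rejected (-1) rather than
   copied past the end or compared after truncation. Returns 1 on match,
   0 on mismatch, -1 on over-long input. Constructed example, not the slide's code. */
int authenticate_safe(const char *supplied, const char *stored)
{
    char buffer1[BUF_SIZE];
    char buffer2[BUF_SIZE];
    if (!safe_copy(buffer1, sizeof buffer1, supplied) ||
        !safe_copy(buffer2, sizeof buffer2, stored))
        return -1;
    return strcmp(buffer1, buffer2) == 0;
}

/* Bounds-checked counterpart of overflowsample(): the loop limit is derived
   from the buffer size instead of being hard-coded. Returns the number of
   characters actually written (at most buf_size - 1, leaving room for NUL). */
size_t fill_checked(char *buf, size_t buf_size, char c, size_t requested)
{
    size_t n = requested < buf_size - 1 ? requested : buf_size - 1;
    memset(buf, c, n);
    buf[n] = '\0';
    return n;
}

int main(void)
{
    char buffer1[BUF_SIZE];
    size_t written = fill_checked(buffer1, sizeof buffer1, 'x', 16);
    printf("asked for 16 'x', wrote %zu: \"%s\"\n", written, buffer1);
    printf("matching 6-char password: %d\n", authenticate_safe("secret", "secret"));
    printf("over-long input:          %d\n", authenticate_safe("averylongpassword", "secret"));
    return 0;
}
```

The design point is that the caller learns about truncation: a login routine that only truncates would let "secret1x" authenticate against a stored "secret1", so the safe version refuses the input outright.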


General Application Security

Minimize the number of applications: fewer applications on a computer, fewer attack opportunities

Use security baselines for installation: security baselines improve security

Add application-layer authentication: important for sensitive applications; could be password-based

Implement cryptographic systems


Web service security


Webservice Versus E-Commerce

[Figure: e-commerce software stack: e-commerce software with subsidiary software components (DHTML, etc.) and custom programs (in client-side scripting), running on webserver software (IIS, Apache, etc.)]

Webservice includes basic functionalities for retrieval of static files and creation of dynamic webpages

E-Commerce requires additional software for online catalogs, shopping carts, connection to a back-end database, connection to organizations for payments, etc.


Webservice Versus E-Commerce

Web applications could be the target of many types of attacks, like:

Directory browsing

Traversal attacks

Web defacement

Using an HTTP proxy to manipulate the interaction between client and server

IIS IPP buffer overflow

Browser attacks

Time configuration


Web sites' directory browsing

Web server with directory browsing disabled: the user cannot get access to the list of files in a directory by knowing or guessing directory names


Web site with directory browsing

Web server with directory browsing enabled: the user can get access to the list of files in a directory by knowing or guessing directory names


Traversal Attack

Normally, paths start at the WWW root directory

Adding ../ might take the attacker up a level, out of the WWW root box

If attacker traverses to Command Prompt directory in Windows 2000 or NT, can execute any command with system privileges


Traversal Attacks (Cont.)

Preventing traversal attacks

Companies filter out / and \ using URL scanning software

Attackers respond with hexadecimal and UNICODE representations for / and \

ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions

Name               Character  Code     Decimal  Binary    Hex
Null               NUL        Ctrl @   0        00000000  00
Start of Heading   SOH        Ctrl A   1        00000001  01
Space              (space)             32       00100000  20
Exclamation Point  !          Shift 1  33       00100010  22
Plus               +          Shift =  43       00101011  2B
Period             .          .        46       00101110  2E
Forward Slash      /          /        47       00101111  2F
Tilde              ~          Shift '  126      01111110  7E
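The lesson of the table is that a filter which scans the raw URL for the literal characters / and \ can be bypassed by their %XX (hex) or overlong UTF-8 forms. The defensive fix is to canonicalise the path first and only then look for a ".." segment. The following added example (not from the slides) contrasts the naive literal filter with a decode-then-check version; normalize_path, naive_filter_rejects and is_traversal are names chosen here, and the sample paths in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Canonicalise a request path before any filtering: decode %XX escapes, then
   fold overlong two-byte UTF-8 forms (lead byte 0xC0/0xC1, which a strict
   decoder must reject) back to the ASCII byte they encode. Returns the decoded
   length, or -1 if the result would not fit or a NUL byte was decoded. */
int normalize_path(char *out, size_t out_size, const char *in)
{
    unsigned char bytes[512];
    size_t len = 0, n = 0;

    for (const char *p = in; *p; p++) {                 /* pass 1: percent-decoding */
        int c = (unsigned char)*p;
        if (c == '%' && hexval(p[1]) >= 0 && hexval(p[2]) >= 0) {
            c = hexval(p[1]) * 16 + hexval(p[2]);
            p += 2;
        }
        if (len >= sizeof bytes) return -1;
        bytes[len++] = (unsigned char)c;
    }
    for (size_t i = 0; i < len; i++) {                  /* pass 2: overlong UTF-8 */
        int c = bytes[i];
        if ((c == 0xC0 || c == 0xC1) && i + 1 < len && (bytes[i + 1] & 0xC0) == 0x80) {
            c = ((c & 0x1F) << 6) | (bytes[i + 1] & 0x3F);
            i++;
        }
        if (c == 0 || n + 1 >= out_size) return -1;
        out[n++] = (char)c;
    }
    out[n] = '\0';
    return (int)n;
}

/* The filter the slide describes: looks for a literal ../ or ..\ in the raw URL. */
int naive_filter_rejects(const char *raw)
{
    return strstr(raw, "../") != NULL || strstr(raw, "..\\") != NULL;
}

/* Hardened check: canonicalise first, then reject any path segment that is
   exactly "..", whichever separator or encoding was used. */
int is_traversal(const char *raw)
{
    char buf[256];
    if (normalize_path(buf, sizeof buf, raw) < 0)
        return 1;                                       /* undecodable input: refuse */
    const char *seg = buf;
    for (;;) {
        size_t seglen = strcspn(seg, "/\\");
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (seg[seglen] == '\0')
            return 0;
        seg += seglen + 1;
    }
}

int main(void)
{
    /* Constructed sample request paths, not taken from any real log. */
    const char *samples[] = {
        "/images/logo.gif",
        "/scripts/../../winnt/",
        "/scripts/%2e%2e%2f%2e%2e%2fwinnt/",
        "/scripts/..%c0%af..%c0%afwinnt/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-40s naive:%d hardened:%d\n", samples[i],
               naive_filter_rejects(samples[i]), is_traversal(samples[i]));
    return 0;
}
```

Running it shows the naive filter passing the two encoded paths that the canonicalising check catches; a decoded NUL (%00) is also refused, since it would truncate the path the file system sees.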


Website defacement

Taking over a web server and replacing normal web pages with hacker-produced pages

The effect could last because ISPs cache popular web sites

Examples of recent website defacements:

ATTRITION Web Page Hack Mirror: http://attrition.org/mirror/

Zone-H web site for most recent attacks: http://www.zone-h.org (check Onhold and Archive)


Manipulating HTTP requests

Attackers use proxies to manipulate communications between browsers and web servers

Example using Webscarab


IIS IPP Buffer Overflow

The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks

The jill.c program was developed to launch the attack using:

    GET NULL.printer HTTP/1.0
    Host: 420 byte jill.c code to launch the command shell

The IIS server responds by launching the command shell (C:\WINNT\SYSTEM32\>), giving the attacker SYSTEM privileges.


IIS IPP Buffer Overflow (cont.)

Link to jill.c code

Code compilable using gcc jill.c -o jill on Linux

Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.


IIS IPP Buffer Overflow (cont.)

Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc


HTTP Requests

HTTP defines 8 methods (or "verbs") indicating the desired action to be performed on a resource: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT

GET: by far the most common method used; requests data from the specified host

Example of a request with the GET method:

    GET /index.html HTTP/1.1
    Host: www.example.com


HTTP Requests

HEAD: asks for a response identical to a GET request but without the response body. Useful for retrieving meta-information written in response headers without having to transport the entire content

POST: submits data to be processed (e.g. from an HTML form) to a server. The data is included in the body of the request

PUT: uploads data to the server

DELETE: deletes the specified file

TRACE: echoes back the received request so that a client can see what intermediate servers are adding or changing in the request

OPTIONS: returns the HTTP methods supported by the server. This can be used to check the functionality of a web server.
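Since TRACE echoes the request back and PUT/DELETE modify server content, a server-side check normally allows only the methods the site actually needs and answers the rest with 405. The added example below (not from the slides) parses the request line and Host header of a raw request such as the one on the previous slide and classifies it against the eight verbs listed above. The allow-list (GET, HEAD, POST), the names parse_request, classify_request and method_allowed, and the sample requests are all assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* The eight request methods listed on the slide. */
static const char *const HTTP_METHODS[] = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS", "CONNECT"
};

struct request {
    char method[16];
    char target[256];
    char version[16];
    char host[256];
};

/* ASCII case-insensitive prefix compare (header names are case-insensitive). */
static int prefix_ieq(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*prefix))
            return 0;
    return 1;
}

/* Parse the request line and the Host header out of a raw request.
   Returns 1 on success, 0 if the request line is malformed. */
int parse_request(const char *raw, struct request *req)
{
    memset(req, 0, sizeof *req);
    if (sscanf(raw, "%15s %255s %15s", req->method, req->target, req->version) != 3)
        return 0;
    if (strncmp(req->version, "HTTP/", 5) != 0)
        return 0;
    for (const char *line = strchr(raw, '\n'); line; line = strchr(line, '\n')) {
        line++;                                   /* first character of the next line */
        if (prefix_ieq(line, "Host:")) {
            line += 5;
            while (*line == ' ' || *line == '\t') line++;
            size_t n = strcspn(line, "\r\n");
            if (n >= sizeof req->host) return 0;
            memcpy(req->host, line, n);
            req->host[n] = '\0';
            break;
        }
    }
    return 1;
}

int is_known_method(const char *m)
{
    for (size_t i = 0; i < sizeof HTTP_METHODS / sizeof HTTP_METHODS[0]; i++)
        if (strcmp(m, HTTP_METHODS[i]) == 0) return 1;
    return 0;
}

/* Policy assumed for this example: a content server needs GET, HEAD and POST.
   TRACE (it echoes requests back), PUT, DELETE and CONNECT stay disabled. */
int method_allowed(const char *m)
{
    return strcmp(m, "GET") == 0 || strcmp(m, "HEAD") == 0 || strcmp(m, "POST") == 0;
}

/* Status code the server should answer with: 400 for a malformed request or
   an HTTP/1.1 request without Host, 501 for a method it does not implement,
   405 for a known method that policy disables, 200 otherwise. */
int classify_request(const char *raw)
{
    struct request req;
    if (!parse_request(raw, &req)) return 400;
    if (!is_known_method(req.method)) return 501;
    if (!method_allowed(req.method)) return 405;
    if (strcmp(req.version, "HTTP/1.1") == 0 && req.host[0] == '\0') return 400;
    return 200;
}

int main(void)
{
    /* Constructed requests; the first is the slide's own example. */
    const char *requests[] = {
        "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "TRACE / HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "FOO /x HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
        "GET /index.html HTTP/1.1\r\n\r\n",
    };
    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        struct request req;
        parse_request(requests[i], &req);
        printf("%-6s %-12s host=%-16s -> %d\n", req.method, req.target, req.host,
               classify_request(requests[i]));
    }
    return 0;
}
```

An OPTIONS handler built on this policy would advertise only the allowed set, so a probe of the server's functionality does not reveal methods that are implemented but disabled.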


Browser Attacks

Malicious links: the user must click on them to execute (but not always)

Common extensions are hidden by default in some operating systems: attack.txt.exe seems to be attack.txt


Browser Attacks (Cont.)

Common attacks:

Redirection to an unwanted webpage

Scripts might change the registry or the home page

Some scripts might "trojanize" your DNS error-handling routine, which runs when you mistype a URL

Pop-up windows

Web bugs, i.e. links that are nearly invisible, can be used to track users at a website

Domain names that are common misspellings of popular domain names: Microsoff.com, www.whitehouse.com (a porn site)


E-Mail


E-Mail Protocols

[Figure: sending e-mail client → sender's mail server → receiver's mail server → receiving e-mail client; SMTP is used to send on each hop]

Simple Mail Transfer Protocol (SMTP) to transmit mail in real time to a user's mail server or between mail servers

Sender-initiated


E-Mail protocols

[Figure: the same four hosts; POP or IMAP is used to receive, between the receiver's mail server and the receiving e-mail client]

POP or IMAP to download mail to the receiver when the receiver is able to download mail

Receiver-initiated

Internet Message Application Program (IMAP): more powerful, can manage messages on the receiver's mail server, less widely used

Post Office Protocol (POP): simple, losing ground to IMAP


E-Mail Standards

[Figure: the same four hosts; message format RFC 822 or 2822, HTML body, UNICODE]

Message body format standards:

RFC 822 (English ASCII code) or 2822: for all-text bodies

UNICODE: for all languages

HTML body: for fancy text and graphics


E-Mail Security

E-Mail Encryption

Not widely used because of a lack of clear standards

The IETF has not been able to settle upon a single standard because of in-fighting

Three standards are used in corporations: TLS, S/MIME, PGP


E-Mail Security

E-Mail Encryption

TLS only requires a digital certificate for servers

S/MIME requires a PKI for digital certificates

PGP uses trust among circles of friends: If A trusts B, and B trusts C, A may trust C’s list of public keys

Dangerous: Misplaced trust can spread bogus key/name pairs widely
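The "A trusts B, B trusts C" rule is transitive, so one careless certification anywhere in the chain reaches everyone downstream. The added example below (not from the slides) models this with a constructed toy key ring: A certified B in person, B vouches for C, C for D, and D was fooled into certifying a bogus key for "B". Under unlimited transitivity A ends up accepting the bogus key; limiting the number of introductions A will follow is the mitigation shown (real implementations expose comparable limits, for example GnuPG's max-cert-depth). The struct names, key ids and accepts_key are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed toy key ring. Each entry is a name/key binding plus the key ids
   that have certified (signed) it. These are not real keys. */
struct binding {
    const char *name;
    const char *keyid;
    const char *certified_by[2];
    int ncert;
};

static const struct binding RING[] = {
    { "A", "KEY-A",     { 0 },       0 },   /* A's own key: the root of A's trust */
    { "B", "KEY-B",     { "KEY-A" }, 1 },   /* A signed B's key in person */
    { "C", "KEY-C",     { "KEY-B" }, 1 },   /* B vouches for C */
    { "D", "KEY-D",     { "KEY-C" }, 1 },   /* C vouches for D */
    { "B", "KEY-BOGUS", { "KEY-D" }, 1 },   /* D was fooled into certifying a bogus key for "B" */
};
#define RING_LEN (sizeof RING / sizeof RING[0])

static const struct binding *find_by_keyid(const char *keyid)
{
    for (size_t i = 0; i < RING_LEN; i++)
        if (strcmp(RING[i].keyid, keyid) == 0) return &RING[i];
    return NULL;
}

/* Is there a chain of certifications from viewer_key to this binding that is
   at most max_hops long? A huge max_hops is the slide's "friend of a friend"
   rule without limit; a small max_hops is the mitigation. */
static int chain_ok(const char *viewer_key, const struct binding *b, int hops, int max_hops)
{
    if (strcmp(b->keyid, viewer_key) == 0) return 1;
    if (hops >= max_hops) return 0;
    for (int i = 0; i < b->ncert; i++) {
        const struct binding *signer = find_by_keyid(b->certified_by[i]);
        if (signer && chain_ok(viewer_key, signer, hops + 1, max_hops)) return 1;
    }
    return 0;
}

/* Would the holder of viewer_key accept keyid as genuine under a policy that
   follows at most max_hops introductions? Returns 1 for yes, 0 for no. */
int accepts_key(const char *viewer_key, const char *keyid, int max_hops)
{
    const struct binding *b = find_by_keyid(keyid);
    return b ? chain_ok(viewer_key, b, 0, max_hops) : 0;
}

int main(void)
{
    const char *keys[] = { "KEY-B", "KEY-C", "KEY-D", "KEY-BOGUS" };
    printf("key        unlimited  max 2 hops\n");
    for (size_t i = 0; i < sizeof keys / sizeof keys[0]; i++)
        printf("%-10s %-10d %d\n", keys[i],
               accepts_key("KEY-A", keys[i], 100), accepts_key("KEY-A", keys[i], 2));
    return 0;
}
```

With the limit set to two hops A still accepts B and C but no longer accepts D or the bogus "B" key; the price is that keys further away must be verified by some other route, which is exactly the trade-off the slide's warning is about.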