If you can't read please download the document

Software Security Lecture 2

  • Upload
    lavey

  • View
    41

  • Download
    0

Tags:

Embed Size (px)

DESCRIPTION

Software Security Lecture 2. Fang Yu Dept. of MIS, National Chengchi University Spring 2011. Outline. Today we will discuss web application technologies and mapping web applications ( Ch3, Ch4) We will also briefly introduce some handy tools - PowerPoint PPT Presentation

Citation preview

Software Security

Software SecurityLecture 2Fang Yu

Dept. of MIS, National Chengchi UniversitySpring 2011

OutlineToday we will discuss web application technologies and mapping web applications (Ch3, Ch4)We will also briefly introduce some handy toolsInstead of selecting paper presentation, you can demonstrate how a tool worksThe course website :http://soslab.nccu.edu.tw/Courses.html

Web Application TechnologiesChapter 3The Web Application Hackers HandbookArchitecture

[By Giovnni Vigna, 2011]Architecture

[By Giovnni Vigna, 2011]Architecture

[By Giovnni Vigna, 2011]HTTPHTTP Hypertext Transfer ProtocolCore communications protocol used to access the World Wide Web and is used by all of todays web applicationsOriginally developed for retrieving static text-based resources but has been extended to support more advanced applicationsHTTP is a stateless protocol that uses a request/response transaction, operating over TCP connection.The request and response messages may use different TCP connections.HTTP MethodsThe HTTP method tells the web application what the client is attempting to do.There are six HTTP methods:GETDesigned for retrieval of resourcesUsed to send parameters to the requested resource in the URL query stringPOSTDesigned for performing actionsRequest parameters can be sent both in the URL query string and in the body of the message.HEADFunctions similar to GET, but the server should only return the header of the message and not the message body in its responseHTTP MethodsTRACEDesigned for diagnostic purposesThe server should return the exact contents of the request message, in the response body, that it received.OPTIONSAsks the server to report the HTTP methods that are available for a particular resourcePUTAttempts to upload the specified resource to the server, using the content contained in the body of the requestAttackers may upload an arbitrary script and execute it on the server if this method is enabled.HTTP General HeadersAn HTTP header contains information that is used by applications rather than specifically displayed to a user.General Headers likely on most HTTP messagesConnection informs the other end of the communication whether it should close the TCP connection after the HTTP transmission has completedContent-Encoding specifies the type of encoding being used for the message body, such as gzipContent-Length specifies the length of the message body in bytesContent-Type specifies the type of content contained in the message body, such as text/html for HTML documentsTransfer-Encoding specifies any encoding that was performed on the message body to facilitate its transfer over HTTP, such as chunked encoding when used

HTTP Request HeadersFirst line contains three items separated by spaces the HTTP method, the requested URL, and the HTTP versionThe rest of the lines are different HTTP headers, such as the following:Accept tells the server what kinds of content the client is willing to accept, such as image types and office document formatsAccept-Encoding tells the server what kinds of content encoding the client is willing to acceptAuthorization submits credentials to the server for one of the built-in HTTP authentication typesCookie submits cookies to the server which were previously issued by itHost specifies the hostname that appeared in the full URL being requestedReferer specifies the URL from which the current request originatedUser-Agent provides information about the browser or other client software that generated the requestAn Example of HTTP Request HeadersGET /books/search.asp?q=wahh HTTP/1.1Accept: image/gif, image/xxbitmap, application/msword, */*Referer: http://wahh-app.com/books/default.aspAccept-Language: en-gb,en-us;q=0.5Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)Host: wahh-app.comCookie: lang=en;JSESSIONID=0000tI8rk7joMx44S2Uu85nSWc_:vsnlc502HTTP Response HeadersFirst lines contains three items separated by spaces HTTP version, HTTP status code, textual reason phrase describing the status of the responseThe rest of the lines are different HTTP headers, such as the followingCache-Control pass caching directives to the client, such as no-cacheExpires instructs client how long the contents of the message body are validLocation specifies the target of the redirectPragma passes caching directives to the client, such as no-cacheServer provides information about the web server software being usedSet-Cookie issues cookies to the client that it will submit back to the server in subsequent requestsWWW-Authenticate used in responses with a 401 status code to provide details of the type of authentication supported by the serverAn Example of HTTP Response HeadersHTTP/1.1 200 OKDate: Sat, 19 May 2007 13:49:37 GMTServer: IBM_HTTP_SERVER/1.3.26.2 Apache/1.3.26 (Unix)Set-Cookie: tracking=tI8rk7joMx44S2Uu85nSWcPragma: no-cacheExpires: Thu, 01 Jan 1970 00:00:00 GMTContent-Type: text/html;charset=ISO-8859-1Content-Language: en-USContent-Length: 24246HTTP Status CodesHTTP response messages must contain a status code in its first line indicating the result of the request.HTTP status codes fall into five groups, according to the first digit of the code1xx Informational2xx Successful request3xx Redirection4xx Client error5xx Server errorPopular HTTP status codes100 ContinueThe request headers were received and that the client should continue sending the body200 OKRequest was successful and the response body contains the result304 Not ModifiedInstructs the browser to use its cached copy of the requested resource401 UnauthorizedServer requires HTTP authentication before the request will be granted404 Not FoundIndicates that the requested resource does not exist500 Internal Server ErrorIndicates the server encountered an error fulfilling the requestA complete list can be found on the W3C site http://www.w3.org by searching for HTTP Status Codes

Server-Side FunctionalityThere are three main ways HTTP requests can be used to send parameters to the application:URL query stringHTTP cookiesBody of requests using POST methodServer-Side FunctionalityWeb applications have many different technologies for delivering functionality based on these sources of input:Scripting languagesPHP, VBScript, PerlWeb application platformsASP.NET, JavaWeb serversApache, IIS, Netscape EnterpriseDatabasesMS-SQL, Oracle, MySQLOther back-end componentsFile systems, SOAP-based web services, directory servicesClient-Side FunctionalityAll web applications are accessed via a web browser and share a common core of technologies.HTMLA tag-based language that is used to describe the structure of documents that are rendered within the browserHyperlinksAllow communication from client to server and frequently contain request parametersAn example of hyperlink

After the click, it sends out the HTTP request

Client-Side FunctionalityFormsThe usual mechanism for allowing users to enter arbitrary input via the browser An example of the form

After the user fulfills the form and click the submit bottom, it sends out the HTTP request

Client-Side FunctionalityJavaScriptAllows processing of data on the client side to improve the applications performance and to enhance usability because the user interface can be dynamically updated in response to user actionsValidate user inputsDynamically modify the user interface Query and update the document object model (DOM) to control the browsers behavior AJAX (Asynchronous JavaScript and XML)Thick Client ComponentsJava applets, ActiveX controls, Macromedia Flash moviesUse custom binary code to extend the browsers built-in capabilitiesState and SessionsOften times, applications need to track the state of each users interaction with the application across multiple requests.Data to uniquely identify the user across requests is typically stored in a server-side structure called a session.Applications can store this data on the client in a cookie, but any data transmitted via the client component may be modified by the user.HTTP is stateless, so many applications need a means of re-identifying individual users across multiple requests.Encoding SchemesURL EncodingUsed to encode any problematic characters within the extended ASCII character set so that they can be safely transported over HTTP 8-bit encodingUnicode EncodingDesigned to support all of the writing systems used in the world16-bit encoding:%u2215 /HTML EncodingUsed to represent problematic characters so that they can be safely incorporated into an HTML document" ' & & < < > > Mapping Web ApplicationsChapter 4The Web Application Hackers Handbook

Enumerating ContentIn a typical application, the majority of the content and functionality can be identified via manual browsing.Web spideringVarious web spidering tools work by requesting a web page, parsing it for links to other content, and then requesting these, continuing recursively until no new content is discoveredParos, Burp Spider, WebScarabLimitations to full automated content enumerationUnusual navigation mechanism (complicated JavaScript) are often not handled proplery by these tools.Multistage functionality often implements fine-grained input validation checks which do not accept the values that may be submitted by an automated tool.Automated spiders often use URLS as identifiers of unique content, but many applications use forms-based navigation in which the same URL may return very different content and functions.Some applications place volatile data within URLs that do not actually identify resources or functions, which may cause the spider to run indefinitely.Burp Spider: A web application mapping tool

http://www.portswigger.net/burp/spider.htmlDiscovering Hidden ContentMany applications contain content and functionality which is not directly linked from the main visible content, such as functionality for testing or debugging purposes that was not removed.For example, if you have found:

Then probably you can try:

Discovering Hidden ContentTo find this hidden content, there are a few methods:Brute-force techniqueAttempt to access common pages, such as account.php, account.php, admin.php, agent.php, etc.Inference from published contentBy inferring from the resources already identified within the application, it is possible to fine-tune your automated enumerations exercise to increase the likelihood of discovering further hidden content.Use of public informationThere may be content and functionality that is not presently linked from its main content, but has been linked in the past.Leveraging the web serverVulnerabilities may exist at the web server layer that enable you to discover content and functionality that is not linked within the web application itself, such as listing the contents of a directory or obtaining the raw source for dynamic server-executable pages.Burper Intruder (http://www.portswigger.net/burp/intruder.html) can be used to iterate through a list of common directory names and collect response status

A result of Burp Intruder

Application Pages vs Functional PathsPre-application days of the World Wide Web had web servers function as repositories of static information, with URLs behaving effectively as filenames.Authors would simply create a bunch of files and drop them in a specific directory accessible by the web server.Although the evolution of web application has fundamentally changed, the picture is still applicable to the majority of web application content and functionality.Applications can be identified using a request parameter rather than a URL, and the URL is the same for each request, which is known as a functional path. For example:

An example of functional paths

Analyzing the ApplicationAnalyzing the applications functionality in order to identify key attack surfaces allows a person to probe the application for exploitable vulnerabilities.Key areas to investigate are:Core functionality of the applicationPeripheral behavior of the application, including off-site links, error messages, logging functions, redirects, etc.Core security mechanisms and how they function, including management of session state, access controls, and authentication mechanismsDifferent locations at which user-supplied input is processed by the applicationTechnologies employed on the client sideTechnologies employed on the server sideOther details that may be gleaned about the internal structure and functionality of the server-side applicationAnalyzing the Application (cont.)The majority of ways in which the application captures user input for server-side processing are:Every URL string up to the query string markerEvery parameter submitted within the URL query stringEvery parameter submitted within the body of a POST requestEvery cookieEvery other HTTP header that in rare cases may be processed by the applicationAnalyzing the Application (cont.)Further, the application could get input from:A web mail application which processes and renders email messages received via SMTPA publishing application that contains a function to retrieve content via HTTP from another serverAn intrusion detection application that gathers data using a network sniffer and presents this using a web application interfaceIdentifying Server-Side TechnologiesBanner GrabbingMany web servers disclose fine-grained version information, both about the web server software itself and about other components that have been installed, such as in the HTTP Server header.

Identifying Server-Side TechnologiesHTTP FingerprintingEven if the web server masks the HTTP Server header, it is usually possible to determine information based on the web servers behavior since many web servers deviate from or extend the HTTP specification in various different ways.Httprint is a handy tool that performs a number of tests in an attempt to fingerprint a web servers software.

Identifying Server-Side TechnologiesFile ExtensionsFile extensions often disclose the platform or programming language used to implement the relevant functionality.

Identifying Server-Side TechnologiesDirectory NamesSubdirectory names can indicate the presence of an associated technology.

Identifying Server-Side TechnologiesSession TokensSession tokens often default with names that provide information about the technology in use.

Third-party Code ComponentsMany web applications incorporate third-party code components to implement common functionality such as shopping carts, login mechanisms, and message boards.

Identifying Server-Side FunctionalityDissecting requests

If a page has a .jsp extension, we can assume the application is written using Java Server Pages.If the query string has a parameter named OrderBy, chances are the application is using a database and sorting the data by that value.Extrapolating Application BehaviorAn application often behaves in a similar manner across the range of its functionality because different functions were written by the same developer or to the same design specification.For example, if an attacker has identified a blind SQL injection vulnerability, it may be able to be exploited in other functionalities of the same site

Mapping the Attack SurfaceThe final stage of the mapping process is to identify the various attack surfaces exposed by the application.The following are some key types of behavior and functionality identified:Client-side validationChecks may not be replicated on the serverDatabase interactionSQL injectionFile uploading and downloadingPath traversal vulnerabilitiesDisplay of user-supplied dataCross-site scriptingMapping the Attack SurfaceDynamic redirectsRedirection and header injection attacksLoginUsername enumeration, weak passwords, ability to use brute forceMultistage loginLogic flawsSession statePredictable tokens, insecure handling of tokensAccess controlsHorizontal and vertical privilege escalationUser impersonation functionsPrivilege escalationUse of clear text communicationSession hijacking, capture of credentials and other sensitive dataMapping the Attack Surface (cont.)Off-site linksLeakage of query string parameters in the Referer headerInterfaces to external systemsShortcuts in handling of sessions and/or access controlsError messagesInformation leakageEmail interactionEmail and/or command injectionNative code components or interactionBuffer overflowUse of third-party application componentsKnown vulnerabilitiesIdentifiable web server softwareCommon configuration weaknesses, known software bugs


CS412 Software Security - Mobile Security [width=4.16667in ... · CS412 Software Security MobileSecurity MathiasPayer EPFL,Spring2019 Mathias Payer CS412 Software Security

CS412 Software Security - Mobile Security [width=4.16667in ... · CS412 Software Security MobileSecurity MathiasPayer EPFL,Spring2019 Mathias Payer CS412 Software Security

Documents
Software Security Lecture 2 Fang Yu Dept. of MIS, National Chengchi University Spring 2011

Software Security Lecture 2 Fang Yu Dept. of MIS, National Chengchi University Spring 2011

Documents
Software Security Lecture 3

Software Security Lecture 3

Documents
INF3510 Information Security Lecture 6: Computer Security · Kernelbase.dll Ntdll.dll. OS protections –Software supported Data Execution Prevention (DEP) INF3510 2018 L06 - Computer

INF3510 Information Security Lecture 6: Computer Security · Kernelbase.dll Ntdll.dll. OS protections –Software supported Data Execution Prevention (DEP) INF3510 2018 L06 - Computer

Documents
Software Security Lecture 1

Software Security Lecture 1

Documents
COMS E6998-9: Software Security and Exploitationhthompson/Lecture_b_2_print.pdf · COMS E6998-9: Software Security and Exploitation Lecture 2: ... The CAPTCHA Dilemma ... Lecture_b_2_print.pptx

COMS E6998-9: Software Security and Exploitationhthompson/Lecture_b_2_print.pdf · COMS E6998-9: Software Security and Exploitation Lecture 2: ... The CAPTCHA Dilemma ... Lecture_b_2_print.pptx

Documents
ECE 646 – Lecture 9 RSA: Genesis, operation & security ......Genesis, operation & security. Factoring in Software & Hardware. ECE 646 – Lecture 9 W. Stallings, "Cryptography and

ECE 646 – Lecture 9 RSA: Genesis, operation & security ......Genesis, operation & security. Factoring in Software & Hardware. ECE 646 – Lecture 9 W. Stallings, "Cryptography and

Documents
Software security, secure programmingmounier/Enseignement/Software_Security/sli… · Software security, secure programming Lecture 2: How (un)-secure is a programming language ?

Software security, secure programmingmounier/Enseignement/Software_Security/sli… · Software security, secure programming Lecture 2: How (un)-secure is a programming language ?

Documents
Security Models - Computer Security Lecture 9

Security Models - Computer Security Lecture 9

Documents
Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering

Lecture XIV: Cloud Software Security CS 4593 Cloud-Oriented Big Data and Software Engineering

Documents
COMS E6998-9: Software Security and Exploitationhthompson/slides/Lecture_b_7_print.pdf · COMS E6998-9: Software Security and Exploitation Lecture 8: Fail Secure; DoS Prevention;

COMS E6998-9: Software Security and Exploitationhthompson/slides/Lecture_b_7_print.pdf · COMS E6998-9: Software Security and Exploitation Lecture 8: Fail Secure; DoS Prevention;

Documents
NCC Group - Software Security Austerity - Software security debt in modern software development

NCC Group - Software Security Austerity - Software security debt in modern software development

Documents
Software Security - NJU SecLab: Homeseclab.nju.edu.cn/lecture/lecture1-changed.pdfHacking: The Art of Exploitation 28 Software Security Course Overview Description Goal 8 Text Books

Software Security - NJU SecLab: Homeseclab.nju.edu.cn/lecture/lecture1-changed.pdfHacking: The Art of Exploitation 28 Software Security Course Overview Description Goal 8 Text Books

Documents
Overview - Otago · COSC440 Lecture 10: Virtualization & Security 1 Overview • This Lecture – Virtualization and security – Source: A comparison of software and

Overview - Otago · COSC440 Lecture 10: Virtualization & Security 1 Overview • This Lecture – Virtualization and security – Source: A comparison of software and

Documents
Lecture 19 - Network Securitytrj1/cse443-s12/slides/cse443-lecture-18-network... · Lecture 19 - Network Security CMPSC 443 ... – trojan - malicious software disguised as legitimate

Lecture 19 - Network Securitytrj1/cse443-s12/slides/cse443-lecture-18-network... · Lecture 19 - Network Security CMPSC 443 ... – trojan - malicious software disguised as legitimate

Documents
Security Testing - Software engineering1 Security Testing Checking for what shouldn’t happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series2 Agenda

Security Testing - Software engineering1 Security Testing Checking for what shouldn’t happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series2 Agenda

Documents
Software Security - University of Colorado Boulderkena/classes/5828/s12/presentation... · Software security is the idea of engineering ... software systems. • Software security

Software Security - University of Colorado Boulderkena/classes/5828/s12/presentation... · Software security is the idea of engineering ... software systems. • Software security

Documents
ECE 646 – Lecture 8 RSA: Genesis, operation & security ...ece.gmu.edu/coursewebpages/ECE/ECE646/F13/... · RSA: Genesis, operation & security. Factoring in Software & Hardware

ECE 646 – Lecture 8 RSA: Genesis, operation & security ...ece.gmu.edu/coursewebpages/ECE/ECE646/F13/... · RSA: Genesis, operation & security. Factoring in Software & Hardware

Documents
Computer Security CS 426...Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input ValidationSoftware Vulnerabilities: Input Validation Issues & Buffer Overflows CS426

Computer Security CS 426...Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input ValidationSoftware Vulnerabilities: Input Validation Issues & Buffer Overflows CS426

Documents
Secure Programming Lecture 1: Introduction · Software security overview Practicalities Structure of course ... 1.Security properties: C, I ... É Updates: automatic, pushed patching

Secure Programming Lecture 1: Introduction · Software security overview Practicalities Structure of course ... 1.Security properties: C, I ... É Updates: automatic, pushed patching

Documents
Lecture 17 Software Security

Lecture 17 Software Security

Documents
Lecture 16: Development Process for Secure Software · G. McGraw, “Software Security: Building Security In” 24" “All software projects produce at least one artifact: source

Lecture 16: Development Process for Secure Software · G. McGraw, “Software Security: Building Security In” 24" “All software projects produce at least one artifact: source

Documents
Software Security

Software Security

Technology
Security Threats and Security Software - breenoconnor.com · network security flaws ... Software Anti-Virus Anti-Malware/Anti-Spyware ... Common antivirus software Microsoft Security

Security Threats and Security Software - breenoconnor.com · network security flaws ... Software Anti-Virus Anti-Malware/Anti-Spyware ... Common antivirus software Microsoft Security

Documents
software lecture

software lecture

Education
CS 356 – Lecture 23 and 24 Software Security

CS 356 – Lecture 23 and 24 Software Security

Documents
Lecture 17 Software Security modified from slides of Lawrie Brown

Lecture 17 Software Security modified from slides of Lawrie Brown

Documents
CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

CSCE 522 Building Secure Software. CSCE 548 - Farkas2 Reading This lecture – McGraw: Ch. 3 – G. McGraw, Software Security,

Documents
Security Software

Security Software

Technology
AIT 681 Secure Software Engineering touchpoints … · Secure Software Engineering Topic #4. Seven Software Security Touchpoints (I) Instructor: Dr. Kun Sun. Reading •This lecture

AIT 681 Secure Software Engineering touchpoints … · Secure Software Engineering Topic #4. Seven Software Security Touchpoints (I) Instructor: Dr. Kun Sun. Reading •This lecture

Documents