Security of Web Servers and Web Applications

Presentation for Software Freedom Kosova Conference 2011

Published in: Education, Technology
Speaker notes
  • Darmstadt University of Technology
  • http://www.youtube.com/watch?v=9WfXPsR3TMY http://gazetaexpress.com/?cid=1%2C16%2C62759 http://www.gazetaexpress.com/?cid=1%2C13%2C57939 http://www.panorama.com.al/lajmi-i-fundit/yerja-ndaj-shqiptareve-veper-e-nje-hakeri-serb http://articles.cnn.com/2011-07-04/tech/fox.hack_1_tweets-twitter-feed-twitter-users?_s=PM:TECH
  • *Sympathizers *Think of the people who read this and are so happy about it that they could get some kind of heart attack!!! If these are looked at closely, they could even cause health damage… imagine someone's heart giving out from joy…
  • OK, here there apparently was no problem with web security/web server security; rather, the password could be stolen through a phishing attack… but what matters is the effect, which would have a very large impact if we do not give importance to security…
  • http://www.h-online.com/security/news/item/Hackers-breached-Citibank-security-using-simple-URL-manipulation-Update-1260964.html http://www.h-online.com/security/news/item/Citibank-customers-lost-2-7-million-in-recent-attack-1268302.html *Security affects all areas
  • Defenses
  • http://www.nsa.gov/ia/_files/factsheets/Best_Practices_Datasheets.pdf http://www.nsa.gov/ia/mitigation_guidance/security_configuration_guides/operating_systems.shtml BSI = Bundesamt für Sicherheit in der Informationstechnik (Federal Office for Information Security)
  • One-time passwords
  • LimitRequestBody can be unlimited (practically up to 2 GB!)
  • Question: Do you see any possible attacks? A: Yes, because the HTTP protocol is used and not HTTPS/SSL
  • Security of Web Servers and Web Applications

    1. IT-Security: Security of Web Servers and Web Applications. Software Freedom Kosova 2011
    2. Who's Talking?
       - Amir Neziri
         - lives and works in Germany
       - Double Degree in Master of Science:
         - Master in Computer Science
         - and Master in IT-Security from TU Darmstadt, Germany
         - Currently I'm writing my Master Thesis about Data Security in Cloud Services
       - Profession: Software Engineer, Consultant for Web and Software Security
       - http://www.linkedin.com/in/amirneziri
       - https://www.xing.com/profile/Amir_Neziri
       11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications | Amir Neziri
    3. Security of Web Servers and Web Applications
       - Why is it so important today?
    4. Motivation – Political Damage
    5. Motivation – Political Damage
    6. … more shocking news
    7. … more shocking news
    8. Motivation – Political Damage
    9. Motivation – Economic Damage
    10. Motivation – Economic Damage
    11. So…
       - Are we the last ones now? NO!
    12. Agenda
       - Components and Architecture
       - Security Attacks
       - Defenses
         - Securing the (Web) Server
         - Securing Web Applications
       - Take home message
    13. Components & Architecture
    14. Security Attacks
    15. Security Attacks
    16. Security Attacks
    17. Security Attacks
    18. Security Attacks
    19. Security Attacks
    20. Defenses
       Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
    21. Securing the operating system
       - Variety of possible sources of information
         - Federal Office for Information Security (BSI, Germany)
           - Server Security
             - https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b03/b03.html
           - IT-Security Catalog
         - National Security Agency (NSA, USA)
           - Recommendations and guidelines for the installation and configuration of operating systems with a focus on security
    22. Security is a Process
    23. Example: Linux Systems
    24. Example: Linux Systems
    25. Linux Systems - Installation
       - Installation from CD
         - Authentic source
         - Contains no updates
       - Installation from network
         - An authentic and trustworthy source is needed
       - Minimal functionality
         - Example: server systems do not need a GUI
         - Example web server installation:
           - Web server, Secure Shell, secure file transfer
       - ATTENTION: Do not use insecure protocols like FTP
    26. Example: Linux Systems
    27. Linux Systems - Configuration
       - Get all running services
         - nmap localhost or
         - netstat -lnp --ip
         - netstat -lnp --inet6
    28. Linux Systems - Configuration
       - Shut down unused services
       - Hide services with port knocking
         - Example:
           - The web server service is public
           - Hide the SFTP and SSH services
       - Use one-time passwords, generated with password generators
    29. Example: Linux Systems
    30. Linux Systems – Maintenance / Updates
       - Always update the installed software
       - Debian/Ubuntu
         - apt-get update && apt-get upgrade or
         - apt-get update && apt-get dist-upgrade
       - IMPORTANT: The kernel should always be up to date (a new kernel only takes effect after a reboot)
    31. Example: Linux Systems
    32. Linux Systems - Monitoring
       - File system integrity checker
       - Open source tool for checking integrity: Tripwire
         - http://www.tripwire.org/
         - http://sourceforge.net/projects/tripwire/
       - Analyze log files
         - Authentication errors/problems: /var/log/auth.log
         - Web access and errors: /var/log/apache2/*.log
    33. Linux Systems - Monitoring
       - Automated detection of attack attempts
         - Example: sshguard (http://www.sshguard.net/)
       - SSH-Guard
         - Analyzes the log files of SSH services
         - Detects attack attempts and blocks the attacker temporarily (by setting firewall rules)
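What sshguard does with /var/log/auth.log, as an added example rather than sshguard's own code: count sshd "Failed password" events per source address inside a sliding window, and for addresses that cross the threshold emit a temporary firewall block. The log lines, hostname, addresses and thresholds are constructed; syslog lines carry no year, so the parser assumes 2011. The rules are rendered as strings, not executed.

```python
"""sshguard-style brute-force detection over sshd auth.log lines.

Added example, not sshguard's code: count "Failed password" events per
source IP in a sliding window and decide which IPs to block, for how long.
The log lines, hostname, IPs and thresholds are constructed assumptions;
syslog lines carry no year, so 2011 is assumed when parsing timestamps.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)

# constructed sample: one scanner hammering root/admin/oracle, one real
# user mistyping a password a few times spread over half an hour
SAMPLE_LOG = """\
Jun 11 10:00:01 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51122 ssh2
Jun 11 10:00:03 web1 sshd[2103]: Failed password for root from 203.0.113.7 port 51130 ssh2
Jun 11 10:00:05 web1 sshd[2105]: Failed password for invalid user admin from 203.0.113.7 port 51140 ssh2
Jun 11 10:00:06 web1 sshd[2107]: Accepted publickey for deploy from 198.51.100.5 port 40022 ssh2
Jun 11 10:00:08 web1 sshd[2109]: Failed password for invalid user oracle from 203.0.113.7 port 51150 ssh2
Jun 11 10:05:00 web1 sshd[2201]: Failed password for alice from 198.51.100.5 port 40100 ssh2
Jun 11 10:30:00 web1 sshd[2301]: Failed password for alice from 198.51.100.5 port 40101 ssh2
Jun 11 10:31:00 web1 sshd[2302]: Failed password for alice from 198.51.100.5 port 40102 ssh2
Jun 11 10:32:00 web1 sshd[2303]: Failed password for alice from 198.51.100.5 port 40103 ssh2
"""


def parse_ts(ts: str, year: int = 2011) -> datetime:
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect(lines, threshold=4, window=timedelta(minutes=10),
           block_for=timedelta(minutes=20)) -> dict:
    """Return {ip: block_expiry} for every IP that reached `threshold`
    failures inside `window`; older failures age out of the window."""
    recent = defaultdict(deque)
    blocks = {}
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue  # successful logins and other messages do not count
        ip, t = m["ip"], parse_ts(m["ts"])
        q = recent[ip]
        q.append(t)
        while q and t - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in blocks:
            blocks[ip] = t + block_for
    return blocks


def firewall_rules(blocks: dict) -> list:
    """The rules sshguard would install; here only rendered, not executed."""
    return [f"iptables -I INPUT -s {ip} -j DROP  # until {exp:%Y-%m-%d %H:%M}"
            for ip, exp in sorted(blocks.items())]


def sample_blocks() -> dict:
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    print("\n".join(firewall_rules(sample_blocks())))
```

The sliding window is what keeps the legitimate user out of the block list: four failures spread over thirty minutes never have four inside ten. A production tool also has to expire the rules again, whitelist management addresses, and watch for attackers who rotate source addresses below the threshold.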
    34. Securing Web-Server – Main Steps
       - User/group settings for web server processes
       - File system settings
       - Permissions for executable software
         - Nobody except root should be able to write into Apache's binary folders
       - Reduce functions to your needs
         - Apache can be extended with modules, e.g. mod_cgi, mod_ssl…
       - Suppress fingerprinting
    35. Securing Web-Server – Main Steps
       - Restrict the hardware resources used, to avoid DoS attacks
         - Change the default TimeOut
         - Restrict HTTP requests
       - Restrict access to web resources
         - Often resources should not be accessible to everyone
         - .htaccess is a simple mechanism for access protection
         - .htaccess is activated by placing a file named .htaccess in the protected directory (or in a directory above it)
       Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
    36. Access Control - .htaccess
       - Simple example
       - The site configuration controls the use of .htaccess files:
         - AllowOverride None: .htaccess is ignored
         - AllowOverride All: .htaccess may override (almost) all global settings
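The hardening points of slides 34 to 36 (process user, fingerprinting, timeouts, request limits, AllowOverride) as an added audit script, not part of the talk: it parses an httpd.conf-style text and flags the weak settings, so the weak configuration and the corrected one can be compared side by side. Both configurations are constructed. The defaults assumed for absent directives are Apache 2.2's: ServerTokens Full, ServerSignature Off, Timeout 300, LimitRequestBody 0 (unlimited, in practice up to 2 GB).

```python
"""Audit of Apache directives for the hardening points on slides 34 to 36.

Added example, not part of the talk: parse an httpd.conf-style text
(directives, optionally inside <Directory> sections) and flag weak settings.
The two configurations are constructed. Defaults assumed when a directive
is absent are Apache 2.2's: ServerTokens Full, ServerSignature Off,
Timeout 300, LimitRequestBody 0 (unlimited).
"""
import re

DIRECTIVE = re.compile(r"^\s*(?P<name>[A-Za-z]+)\s+(?P<value>.+?)\s*$")
SECTION_OPEN = re.compile(r"^\s*<(?P<kind>\w+)\s+(?P<arg>[^>]+)>\s*$")
SECTION_CLOSE = re.compile(r"^\s*</\w+>\s*$")

WEAK_CONF = """\
ServerTokens Full
ServerSignature On
User root
Group root
Timeout 300
<Directory /var/www>
    AllowOverride All
</Directory>
"""

HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
User www-data
Group www-data
Timeout 30
LimitRequestBody 1048576
<Directory /var/www>
    AllowOverride None
</Directory>
<Directory /var/www/private>
    # only the auth directives may be overridden here, nothing else
    AllowOverride AuthConfig
</Directory>
"""


def parse(conf: str):
    """Yield (section, name, value); section is None at top level."""
    stack = []
    for line in conf.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if m := SECTION_OPEN.match(line):
            stack.append(f"<{m['kind']} {m['arg']}>")
        elif SECTION_CLOSE.match(line):
            stack.pop()
        elif m := DIRECTIVE.match(line):
            yield (stack[-1] if stack else None, m["name"], m["value"])


def audit(conf: str) -> list:
    """Return one finding string per weak setting; empty list if none."""
    top, findings = {}, []
    for section, name, value in parse(conf):
        key = name.lower()
        if section is None:
            top[key] = value
        elif key == "allowoverride" and value.lower() == "all":
            findings.append(f"{section}: AllowOverride All lets .htaccess override almost every setting")
    if top.get("servertokens", "Full").lower() != "prod":
        findings.append("ServerTokens not Prod: version and modules leak in the Server header")
    if top.get("serversignature", "Off").lower() != "off":
        findings.append("ServerSignature not Off: version leaks on error pages")
    timeout = int(top.get("timeout", "300"))
    if timeout > 60:
        findings.append(f"Timeout {timeout}: slow clients hold worker slots; lower it")
    if int(top.get("limitrequestbody", "0")) == 0:
        findings.append("LimitRequestBody 0: request bodies are unlimited (up to 2 GB)")
    if top.get("user", "").lower() == "root":
        findings.append("User root: workers must run as an unprivileged user")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(WEAK_CONF)) or "no findings")
    print(audit(HARDENED_CONF))  # []
```

AllowOverride AuthConfig in the hardened file shows the middle ground the slide's None/All pair leaves out: a directory owner can still protect content with .htaccess, but cannot switch on handlers or options the administrator disabled.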
    37. Access Control
       - Structure of the password file:
         - UserName:Hash
         - Example: myUser:GxkVrKPk8WSbM
         - Default hash function: crypt
         - Created by the tool htpasswd
         - Transfer of the password:
           - As the HTTP header "Authorization"
           - UserName:Password Base64 encoded (an encoding, not encryption: anyone on the path can read it unless HTTPS is used)
           - Example: Authorization: Basic d2lraTpwZWRpYQ==
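Both ends of the Basic authentication exchange on this slide, as an added example that is not Apache's code: building htpasswd lines in the {SHA} format that `htpasswd -s` writes, decoding the Authorization header the browser sends, and checking the credentials against the file. The users, passwords and headers are constructed; the `wiki:pedia` header is the slide's own example.

```python
"""HTTP Basic authentication against an htpasswd file, both ends.

Added example, not Apache's code: build htpasswd lines in the {SHA} format
written by `htpasswd -s`, decode the Authorization header the browser
sends, and check the credentials. Users, passwords and headers are constructed.
"""
import base64
import hashlib
import hmac


def htpasswd_sha(user: str, password: str) -> str:
    """user:{SHA}base64(sha1(password)), i.e. what `htpasswd -s` writes."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def parse_authorization(header: str):
    """'Basic d2lraTpwZWRpYQ==' -> ('wiki', 'pedia'); None if malformed or
    not Basic. Base64 is reversible by anyone who sees the request."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may contain ':'
    return (user, password) if sep else None


def check_credentials(htpasswd_text: str, header: str) -> bool:
    """True only if the header names a user from the file with the right password."""
    creds = parse_authorization(header)
    if creds is None:
        return False
    user, password = creds
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user and stored.startswith("{SHA}"):
            expected = htpasswd_sha(user, password).partition(":")[2]
            return hmac.compare_digest(stored, expected)
    return False


# constructed password file, equivalent to: htpasswd -sc .htpasswd wiki
HTPASSWD = htpasswd_sha("wiki", "pedia") + "\n" + htpasswd_sha("admin", "s3cret!") + "\n"

if __name__ == "__main__":
    print(HTPASSWD, end="")
    print(parse_authorization("Basic d2lraTpwZWRpYQ=="))  # ('wiki', 'pedia')
    print(check_credentials(HTPASSWD, "Basic d2lraTpwZWRpYQ=="))  # True
```

Two caveats a practitioner wants here: the slide's default crypt hash truncates passwords to 8 characters and {SHA} is unsalted SHA-1, so on Apache 2.4 use `htpasswd -B` (bcrypt) instead; and because the browser resends the Base64 credentials with every request, Basic authentication belongs only behind HTTPS.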
    38. Web Application Security
       - Various sources of information
         - OWASP Top 10
           - The Open Web Application Security Project
         - CWE/SANS Top 25
           - Common Weakness Enumeration
         - Exploit databases
           - http://www.exploit-db.com/webapps/
    39. www.exploit-db.com/webapps/
    40. Web Application Security
       - 2011 CWE/SANS
         - Top 25 Most Dangerous Software Errors
       Source: http://cwe.mitre.org/top25/
    41. Web Application Security
       - Buffer overflows: statistics
         - Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)
         - Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
    42. Web Application Security
       - 2010 OWASP Top 10
       Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    43. Web Application Security - BackTrack
       - Operating system based on Ubuntu
       - Penetration testing and digital forensics
       - Available as Live CD or USB
       Source: http://www.backtrack-linux.org/screenshots/
    44. Web Application Security - BackTrack
       - BackTrack arranges its tools into 12 categories:
         - Information Gathering
         - Vulnerability Assessment
         - Exploitation Tools
         - Privilege Escalation
         - Maintaining Access
         - Reverse Engineering
         - RFID Tools
         - Stress Testing
         - Forensics
         - Reporting Tools
         - Services
         - Miscellaneous
    45. Take Home Message
       - Web security is very important for everyone (e.g. e-banking…)
       - Server security information sources
         - Federal Office for Information Security (BSI, Germany)
         - National Security Agency (NSA, USA)
       - Web application security information sources
         - The Open Web Application Security Project (OWASP) Top 10
         - CWE/SANS Top 25
         - Exploit databases
       - Security tool: BackTrack
    46. Questions?