Your SlideShare is downloading. ×
0
Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are ...
A Simple Web Server <ul><li>To illustrate what can go wrong if we do not design for security in our web applications from ...
Some Preliminaries… <ul><li>( H yper T ext  T ransfer  P rotocol):  The communications protocol used to connect to servers...
Some Preliminaries… <ul><li>A typical HTTP request that a browser makes to a web server: </li></ul><ul><li>Get / HTTP/1.0 ...
SimpleWebServer: main() <ul><li>/* This method is called when the program is run from the command line. */ </li></ul><ul><...
SimpleWebServer Object <ul><li>public class SimpleWebServer {  </li></ul><ul><li>/* Run the HTTP server on this TCP port. ...
SimpleWebServer: processRequest 1 <ul><li>/* Reads the HTTP request from the client, and </li></ul><ul><li>responds with t...
SimpleWebServer: processRequest 2 <ul><li>/* parse the HTTP request */ </li></ul><ul><li>StringTokenizer st =  </li></ul><...
SimpleWebServer: serveFile 1 <ul><li>public void serveFile (OutputStreamWriter osw,  </li></ul><ul><li>  String pathname) ...
SimpleWebServer: serveFile 2 <ul><li>/* try to open file specified by pathname */ </li></ul><ul><li>try {  </li></ul><ul><...
SimpleWebServer: serveFile 3 <ul><li>/* if the requested file can be successfully opened and read, then return an OK respo...
<ul><li>Can you identify any security vulnerabilities in SimpleWebServer? </li></ul>
What Can Go Wrong? <ul><li>Denial of Service (DoS): </li></ul><ul><li>An attacker makes a web server unavailable. </li></u...
DoS on SimpleWebServer? <ul><li>Just send a carriage return as the first message instead of a properly formatted GET messa...
DoS on SimpleWebServer? <ul><li>processRequest():  </li></ul><ul><li>/* read the HTTP request from the client */ </li></ul...
DoS on SimpleWebServer? <ul><li>The web server crashes </li></ul><ul><li>Service to all subsequent clients is denied until...
How Do We Fix This? <ul><li>The web server should immediately disconnect from any web client that sends a malformed HTTP r...
How would you fix this code? <ul><li>processRequest():  </li></ul><ul><li>/* read the HTTP request from the client */ </li...
A possible solution <ul><li>/* read the HTTP request from the client */ </li></ul><ul><li>String request = br.readLine(); ...
Importance of “Careful” Exception Handling <ul><li>Error messages and observable behavior can tip off an attacker to vulne...
Careful Exception Handling <ul><li>Two possible designs for int checkPassword (String username, String password) </li></ul...
Careful Exception Handling <ul><li>int result = checkPassword ( … ) if (result == ERROR_ACCESS_DENIED) { abort(); } else {...
Fail-Safe <ul><li>int result = checkPassword ( … ) if (result == NO_ERROR) { // Complete login } else { int reason = getEr...
Summary <ul><li>Effective exception handling is essential in designing security in from the start </li></ul><ul><li>Next t...
Sources <ul><li>The content of these slides was adapted from: </li></ul><ul><li>&quot;Foundations of Security: What Every ...
Upcoming SlideShare
Loading in...5
×

Web

765

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
765
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
6
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide
  • Now we walk through the code… Main() creates a SimpleWebServer object and calls its run() method. The run() method is just an infinite loop that waits for a connection from a client, and then attempts to process the request.
  • Here is the SimpleWebServer object. First we initialize a variable that holds the port number the web server should listen to for connections from clients. Then we initialize a ServerSocket. Socket: The method of directing data to the appropriate application in a TCP/IP network. The combination of the IP address of the station and a port number make up a socket. Think of this like an electrical socket. A web server and a web client both have a “virtual” power strip with many sockets on it. A web client can talk to a server by selecting one of its sockets, and then selecting a server socket and plugging a virtual wire into each end. The run() method has an infinite loop waiting for a connection from a client. The call to ServerSocket accept() returns a socket object that corresponds to a unique socket on the server. This allows the server to communicate with the client. Once the communication is established, the client’s request is processed.
  • processRequest() takes the client socket as input. It uses this socket to create BufferedReader and OutputStreamWriter objects. Once these communication objects are created, the method attempts to read a line of input from the client using the BufferedReader. We expect this line of input to be an HTTP GET request (as discussed earlier).
  • The StringTokenizer object is used to break up the request into its constituent parts: GET, the pathname to the file the client would like to download. If the command is a “GET”, we call the serveFile() method, else we issue an error. Then we close the connection to the client.
  • The first “if” removes the initial slash at the beginning of the pathname, and the second “if” sets the file to be downloaded = index.html, if another file was not specified.
  • Now the method attempts to open the file and read it into the web server’s memory. If the FileReader object is unable to open the file and read a byte from it, it issues an error message.
  • If the file was successfully opened, send the HTTP/1.0 200 OK message and then the method enters a while loop that reads bytes from the file and appends them to a StringBuffer, until the end of the file is reached. Then this StringBuffer is sent to the client.
  • Trace the code, assuming a CR sent from the client. We read the line of input from the client. When we tokenize, the line: command = st.nextToken(); results in an exception. Control is returned to run() which does not handle the exception; then control is returned to main() which does not handle the exception either. Java terminates the application.
  • Close the connection to the client, rather than crash the server…
  • We also need to make sure the function fails in a secure manner.
  • This is also a good example of a fail-safe approach: even if one or more components of a system fail, there is still some level of security.
  • Transcript of "Web"

    1. 1. Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and are licensed under the Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/
    2. 2. A Simple Web Server <ul><li>To illustrate what can go wrong if we do not design for security in our web applications from the start, consider a simple web server implemented in Java. </li></ul><ul><li>All this program does is serve documents using HTTP. </li></ul><ul><li>We will walkthrough the code in the following slides. </li></ul>
    3. 3. Some Preliminaries… <ul><li>( H yper T ext T ransfer P rotocol): The communications protocol used to connect to servers on the Web. </li></ul><ul><li>Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser or any other files required by an HTTP application. </li></ul><ul><li>Addresses of Web sites begin with an http:// prefix. </li></ul>
    4. 4. Some Preliminaries… <ul><li>A typical HTTP request that a browser makes to a web server: </li></ul><ul><li>Get / HTTP/1.0 </li></ul><ul><li>When the server receives this request for filename / (which means the root document on the web server), it attempts to load index.html. It sends back: </li></ul><ul><li>HTTP/1.0 200 OK </li></ul><ul><li>followed by the document contents. </li></ul>
    5. 5. SimpleWebServer: main() <ul><li>/* This method is called when the program is run from the command line. */ </li></ul><ul><li>public static void main (String argv[]) throws Exception { </li></ul><ul><li>/* Create a SimpleWebServer object, and run it */ </li></ul><ul><li>SimpleWebServer sws = new SimpleWebServer(); </li></ul><ul><li>sws.run(); </li></ul><ul><li>} </li></ul>
    6. 6. SimpleWebServer Object <ul><li>public class SimpleWebServer { </li></ul><ul><li>/* Run the HTTP server on this TCP port. */ </li></ul><ul><li>private static final int PORT = 8080; </li></ul><ul><li>/* The socket used to process incoming connections </li></ul><ul><li>from web clients */ </li></ul><ul><li>private static ServerSocket dServerSocket; </li></ul><ul><li>public SimpleWebServer () throws Exception { </li></ul><ul><li> dServerSocket = new ServerSocket (PORT); </li></ul><ul><li>} </li></ul><ul><li>public void run() throws Exception { </li></ul><ul><li> while (true) { </li></ul><ul><li>/* wait for a connection from a client */ </li></ul><ul><li> Socket s = dServerSocket.accept(); </li></ul><ul><li> /* then process the client's request */ </li></ul><ul><li> processRequest(s); </li></ul><ul><li> } </li></ul><ul><li>} </li></ul>
    7. 7. SimpleWebServer: processRequest 1 <ul><li>/* Reads the HTTP request from the client, and </li></ul><ul><li>responds with the file the user requested or </li></ul><ul><li>a HTTP error code. */ </li></ul><ul><li>public void processRequest(Socket s) throws Exception { </li></ul><ul><li>/* used to read data from the client */ </li></ul><ul><li>BufferedReader br = </li></ul><ul><li> new BufferedReader (new InputStreamReader (s.getInputStream())); </li></ul><ul><li>/* used to write data to the client */ </li></ul><ul><li>OutputStreamWriter osw = </li></ul><ul><li> new OutputStreamWriter (s.getOutputStream()); </li></ul><ul><li>/* read the HTTP request from the client */ </li></ul><ul><li>String request = br.readLine(); </li></ul><ul><li>String command = null; </li></ul><ul><li>String pathname = null; </li></ul>
    8. 8. SimpleWebServer: processRequest 2 <ul><li>/* parse the HTTP request */ </li></ul><ul><li>StringTokenizer st = </li></ul><ul><li> new StringTokenizer (request, &quot; &quot;); </li></ul><ul><li>command = st.nextToken(); </li></ul><ul><li>pathname = st.nextToken(); </li></ul><ul><li>if (command.equals(&quot;GET&quot;)) { </li></ul><ul><li> /* if the request is a GET </li></ul><ul><li> try to respond with the file </li></ul><ul><li> the user is requesting */ </li></ul><ul><li> serveFile (osw,pathname); </li></ul><ul><li>} </li></ul><ul><li>else { </li></ul><ul><li> /* if the request is a NOT a GET, </li></ul><ul><li> return an error saying this server </li></ul><ul><li> does not implement the requested command */ </li></ul><ul><li> osw.write (&quot;HTTP/1.0 501 Not Implemented &quot;); </li></ul><ul><li>} </li></ul><ul><li>/* close the connection to the client */ </li></ul><ul><li>osw.close(); </li></ul>
    9. 9. SimpleWebServer: serveFile 1 <ul><li>public void serveFile (OutputStreamWriter osw, </li></ul><ul><li> String pathname) throws Exception { </li></ul><ul><li>FileReader fr=null; </li></ul><ul><li>int c=-1; </li></ul><ul><li>StringBuffer sb = new StringBuffer(); </li></ul><ul><li>/* remove the initial slash at the beginning </li></ul><ul><li> of the pathname in the request */ </li></ul><ul><li>if (pathname.charAt(0)=='/') </li></ul><ul><li> pathname=pathname.substring(1); </li></ul><ul><li>/* if there was no filename specified by the </li></ul><ul><li> client, serve the &quot;index.html&quot; file */ </li></ul><ul><li>if (pathname.equals(&quot;&quot;)) </li></ul><ul><li> pathname=&quot;index.html&quot;; </li></ul>
    10. 10. SimpleWebServer: serveFile 2 <ul><li>/* try to open file specified by pathname */ </li></ul><ul><li>try { </li></ul><ul><li> fr = new FileReader (pathname); </li></ul><ul><li> c = fr.read(); </li></ul><ul><li>} </li></ul><ul><li>catch (Exception e) { </li></ul><ul><li> /* if the file is not found,return the </li></ul><ul><li> appropriate HTTP response code */ </li></ul><ul><li> osw.write (&quot;HTTP/1.0 404 Not Found &quot;); </li></ul><ul><li> return; </li></ul><ul><li>} </li></ul>
    11. 11. SimpleWebServer: serveFile 3 <ul><li>/* if the requested file can be successfully opened and read, then return an OK response code and send the contents of the file */ </li></ul><ul><li>osw.write (&quot;HTTP/1.0 200 OK &quot;); </li></ul><ul><li>while (c != -1) { </li></ul><ul><li> sb.append((char)c); </li></ul><ul><li> c = fr.read(); </li></ul><ul><li>} </li></ul><ul><li>osw.write (sb.toString()); </li></ul>
    12. 12. <ul><li>Can you identify any security vulnerabilities in SimpleWebServer? </li></ul>
    13. 13. What Can Go Wrong? <ul><li>Denial of Service (DoS): </li></ul><ul><li>An attacker makes a web server unavailable. </li></ul><ul><li>Example: an online bookstore’s web server crashes and the bookstore loses revenue </li></ul>
    14. 14. DoS on SimpleWebServer? <ul><li>Just send a carriage return as the first message instead of a properly formatted GET message… </li></ul>
    15. 15. DoS on SimpleWebServer? <ul><li>processRequest(): </li></ul><ul><li>/* read the HTTP request from the client */ </li></ul><ul><li>String request = br.readLine(); </li></ul><ul><li>String command = null; </li></ul><ul><li>String pathname = null; </li></ul><ul><li>/* parse the HTTP request */ </li></ul><ul><li>StringTokenizer st = </li></ul><ul><li> new StringTokenizer (request, &quot; &quot;); </li></ul><ul><li>command = st.nextToken(); </li></ul><ul><li>pathname = st.nextToken(); </li></ul>
    16. 16. DoS on SimpleWebServer? <ul><li>The web server crashes </li></ul><ul><li>Service to all subsequent clients is denied until the web server is restarted </li></ul>
    17. 17. How Do We Fix This? <ul><li>The web server should immediately disconnect from any web client that sends a malformed HTTP request to the server. </li></ul><ul><li>The programmer needs to carefully handle exceptions to deal with malformed requests. </li></ul>
    18. 18. How would you fix this code? <ul><li>processRequest(): </li></ul><ul><li>/* read the HTTP request from the client */ </li></ul><ul><li>String request = br.readLine(); </li></ul><ul><li>String command = null; </li></ul><ul><li>String pathname = null; </li></ul><ul><li>/* parse the HTTP request */ </li></ul><ul><li>StringTokenizer st = </li></ul><ul><li> new StringTokenizer (request, &quot; &quot;); </li></ul><ul><li>command = st.nextToken(); </li></ul><ul><li>pathname = st.nextToken(); </li></ul>
    19. 19. A possible solution <ul><li>/* read the HTTP request from the client */ </li></ul><ul><li>String request = br.readLine(); </li></ul><ul><li>String command = null; </li></ul><ul><li>String pathname = null; </li></ul><ul><li>try { </li></ul><ul><li>/* parse the HTTP request */ </li></ul><ul><li>StringTokenizer st = </li></ul><ul><li> new StringTokenizer (request, &quot; &quot;); </li></ul><ul><li>command = st.nextToken(); </li></ul><ul><li>pathname = st.nextToken(); </li></ul><ul><li>} catch (Exception e) { </li></ul><ul><li>osw.write (“HTTP/1.0 400 Bad Request ”); </li></ul><ul><li>osw.close(); </li></ul><ul><li>return; </li></ul><ul><li>} </li></ul>
    20. 20. Importance of “Careful” Exception Handling <ul><li>Error messages and observable behavior can tip off an attacker to vulnerabilities </li></ul><ul><li>Fault Injection: Providing a program with input that it does not expect (as in the CR for SimpleWebServer) and observing behavior </li></ul>
    21. 21. Careful Exception Handling <ul><li>Two possible designs for int checkPassword (String username, String password) </li></ul><ul><li>The function could fail, so what exception should the function return? </li></ul><ul><li>ERROR_ACCESS_DENIED ERROR_PASS_FILE_NOT_FOUND ERROR_OUT_OF_MEMORY NO_ERROR_ACCESS_ALLOWED </li></ul><ul><li>NO_ERROR ERROR int getError () </li></ul><ul><li>Be careful to not provide more information to a user than is needed. </li></ul>
    22. 22. Careful Exception Handling <ul><li>int result = checkPassword ( … ) if (result == ERROR_ACCESS_DENIED) { abort(); } else { // Complete login </li></ul><ul><li>} </li></ul><ul><li>Problem: result != ERROR_ACCESS_DENIED does not infer ERROR_ACCESS_ALLOWED </li></ul><ul><li>Result could have been: ERROR_PASS_FILE_NOT_FOUND or ERROR_OUT_OF_MEMORY ! </li></ul>
    23. 23. Fail-Safe <ul><li>int result = checkPassword ( … ) if (result == NO_ERROR) { // Complete login } else { int reason = getError(); abort(); </li></ul><ul><li>} </li></ul><ul><li>Much better– less error prone! </li></ul><ul><li>checkPassword failure occurs securely! </li></ul>
    24. 24. Summary <ul><li>Effective exception handling is essential in designing security in from the start </li></ul><ul><li>Next time, we look at other vulnerabilities in the SimpleWebServer </li></ul>
    25. 25. Sources <ul><li>The content of these slides was adapted from: </li></ul><ul><li>&quot;Foundations of Security: What Every Programmer Needs To Know&quot; (ISBN 1590597842) by Neil Daswani, Christoph Kern, and Anita Kesavan. </li></ul><ul><li>http://www.learnsecurity.com/ntk </li></ul>
    1. A particular slide catching your eye?

      Clipping is a handy way to collect important slides you want to go back to later.

    ×