A presentation from the lectures regarding Web Technologies, a discipline taught by Dr. Sabin Buraga at the Faculty of Computer Science, UAIC, Romania: https://profs.info.uaic.ro/~busaco/teach/courses/web/
32. Dr. Sabin Buraga → profs.info.uaic.ro/~busaco/
data security
Availability
the need for a particular resource
to be accessible at the right time
aspect of interest: service quality,
stipulated via an SLA (Service-Level Agreement):
uptime, average speed to answer, turn-around time,
abandonment rate, mean time to recover, …
advanced
35.
data security
Privacy
refers to the rights to be respected regarding
the subject of the transferred data (the person the data refer to)
http://privacy.org/
often considered similar to confidentiality
Bruce Schneier, Security and Privacy in a Hyper-connected
World (2016): www.youtube.com/watch?v=cJMG34UzIyk
37.
data security
Web security should consider the client side:
user interaction
personal data storage: cookies, off-line data, cache, …
asynchronous transfers: Ajax/Comet or WebSockets
(unauthorized) execution of JavaScript programs
existence of suspicious plugins/extensions
…
51.
attacks
Server-Side Request Forgery (SSRF)
abusing Web server functionality
to access or alter internal resources:
by supplying a URL, the attacker alters the parameters used
by the application, so that the server itself issues malicious requests
(typically towards hosts reachable only from the server's network:
localhost, internal services, management interfaces)
modus operandi + counteraction solutions:
www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/
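A validator for the kind of "fetch this URL for me" parameter that SSRF abuses, as an added example (not code from the lecture or from the two linked articles). It assumes a hypothetical server-side feature that downloads a user-supplied URL; ALLOWED_SCHEMES and the policy of refusing IP literals in loopback, private, link-local and similar ranges are this example's own choices. It only judges literal addresses; a production check must also resolve host names, test every returned address the same way and connect to that exact address, since a DNS name can change between the check and the fetch.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical policy for a server-side "fetch this URL" feature (this example's choice).
ALLOWED_SCHEMES = {"http", "https"}


def address_is_internal(addr) -> bool:
    """Loopback, RFC 1918, link-local (e.g. 169.254.169.254), reserved, multicast, unspecified."""
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped          # ::ffff:127.0.0.1 is judged as 127.0.0.1
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_reserved or addr.is_multicast or addr.is_unspecified)


def literal_address(host: str):
    """ip_address for any spelling of an IP literal a resolver would accept, else None.
    http://2130706433/ and http://0x7f000001/ are both 127.0.0.1."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        pass
    try:
        return ipaddress.ip_address(int(host, 0))
    except ValueError:
        return None


def is_safe_fetch_target(url: str) -> tuple:
    """Validate a user-supplied URL before the server fetches it; returns (ok, reason)."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparsable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo present (http://trusted.host@internal/ trick)"
    host = parts.hostname
    if not host:
        return False, "missing host"
    addr = literal_address(host)
    if addr is not None and address_is_internal(addr):
        return False, f"internal address literal: {addr}"
    return True, "ok"
```

An allow-list of permitted destination hosts is stronger than this deny-list whenever the feature's legitimate targets are known in advance; the deny-list shown is what remains when they are not.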
52.
attacks
SQL injection
consists in crafting input so that the resulting SQL queries display,
alter or delete data from databases, via Web forms or
directly via URLs
for details, consult Testing for SQL Injection:
www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29
real cases: https://laurent22.github.io/so-injections/
55.
attacks
SQL injection: example
http://e-banking.org/access_client.php?client=3
in the script: select credit_card from clients where client=$client
what happens if the URL is
http://www.sit.org/access_client.php?client=client ?
(the condition becomes client=client, true for every row,
so every client's card number is returned)
or if, instead of select, the delete command is used?
58.
attacks
SQL injection: example
http://www.site.org/search?id=1+OR+xy=1
we can obtain a message like:
[Microsoft][ODBC SQL Server Driver] [SQL Server] Invalid column name 'xy'.
SELECT group_id, securityName, maxSalesCharge, price,
security_id, trade_date FROM funds
WHERE group_id = 1 OR xy=1 ORDER BY price DESC
(the error message confirms the injection and leaks the query structure)
the attacker could continue, for example, with:
http://www.site.org/search?id=1;DELETE+FROM+funds+--
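The two slide examples (client=client and id=1 OR xy=1 / id=1;DELETE FROM funds --) run against a real database, as an added example that is not part of the lecture. SQLite stands in for the MySQL/SQL Server back ends of the slides, the funds rows are constructed, and executescript() is used to imitate a driver that accepts stacked statements (SQL Server does; sqlite3's execute() refuses them).

```python
import sqlite3

# Constructed rows standing in for the funds table of the slides' second example.
SAMPLE_FUNDS = [
    (1, "Alpha Growth", 12.5),
    (1, "Alpha Income", 9.75),
    (2, "Beta Bond", 20.0),
]


def make_db() -> sqlite3.Connection:
    """A fresh in-memory database, so every demonstration starts from the same state."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE funds (group_id INTEGER, securityName TEXT, price REAL)")
    conn.executemany("INSERT INTO funds VALUES (?, ?, ?)", SAMPLE_FUNDS)
    conn.commit()
    return conn


def _concatenated_sql(group_id: str) -> str:
    # the slides' pattern ("where client=$client"): the URL parameter is pasted into the SQL text
    return f"SELECT securityName FROM funds WHERE group_id = {group_id} ORDER BY price DESC"


def vulnerable_search(conn, group_id: str) -> list:
    return [row[0] for row in conn.execute(_concatenated_sql(group_id))]


def probe_error(conn, group_id: str) -> str:
    """What the attacker sees for id=1 OR xy=1: the database's own error message."""
    try:
        vulnerable_search(conn, group_id)
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)


def vulnerable_search_stacked(conn, group_id: str) -> None:
    """Same concatenation on a driver/DBMS that runs several statements per call; the trailing
    '--' in the payload comments out the original ORDER BY so the statement stays valid."""
    conn.executescript(_concatenated_sql(group_id))


def count_funds(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM funds").fetchone()[0]


def bound_search(conn, group_id) -> list:
    """Fix, part 1: a bound parameter is always data; the SQL text never changes."""
    rows = conn.execute(
        "SELECT securityName FROM funds WHERE group_id = ? ORDER BY price DESC", (group_id,))
    return [row[0] for row in rows]


def safe_search(conn, group_id: str) -> list:
    """Fix, part 2: validate the type as well, so garbage never reaches the database."""
    if not group_id.isdigit():
        return []
    return bound_search(conn, int(group_id))
```

The probe_error output is exactly what the slide's screenshot shows in SQL Server terms: a verbose database error is the attacker's confirmation, which is why slide 108's display_errors off matters as a second layer.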
61.
attacks
NoSQL injection
exploiting the query language exposed by the
NoSQL server, including the weaknesses of the provided
API and/or of the data transfer format (JSON, XML)
example: Hacking Node.js and MongoDB (2014)
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
for details, read
www.owasp.org/index.php/Testing_for_NoSQL_injection
advanced
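The operator-injection pattern described in the linked Node.js/MongoDB write-up, reproduced in Python as an added example (not the lecture's or the article's code). The users collection and the tiny matcher implementing MongoDB's $gt/$ne semantics are constructed so that the effect can be seen without a database; a real application would hand the same filter document to the driver.

```python
import json

# Constructed user collection; a real application would send the same filter document to MongoDB.
USERS = [
    {"user": "admin", "pass": "correct horse battery staple"},
    {"user": "alice", "pass": "hunter2"},
]


def _matches(value, condition) -> bool:
    """A small subset of MongoDB's matching rules: plain equality plus the $gt and $ne operators."""
    if isinstance(condition, dict):
        return bool(condition) and all(
            (op == "$gt" and value > arg) or (op == "$ne" and value != arg)
            for op, arg in condition.items())
    return value == condition


def find_one(collection: list, query: dict):
    for doc in collection:
        if all(_matches(doc.get(field), cond) for field, cond in query.items()):
            return doc
    return None


def login_vulnerable(body: str):
    """The pattern in the write-up: parsed JSON goes straight into the query document.
    Body {"user":"admin","pass":{"$gt":""}} asks for 'password greater than the empty string'."""
    data = json.loads(body)
    return find_one(USERS, {"user": data["user"], "pass": data["pass"]})


def login_hardened(body: str):
    """Fix: credentials must be plain strings; an operator object is rejected before any query is built."""
    data = json.loads(body)
    user, password = data.get("user"), data.get("pass")
    if not isinstance(user, str) or not isinstance(password, str):
        raise ValueError("credentials must be strings, not objects")
    return find_one(USERS, {"user": user, "pass": password})


def hardened_rejects(body: str) -> bool:
    try:
        login_hardened(body)
        return False
    except ValueError:
        return True
```

The same object can arrive through a query string (pass[$gt]= with Express' extended parser), so the type check belongs at the point where the filter is built, not at the JSON decoder.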
66.
attacks
Path traversal
ability to access unauthorized parts of the filesystem,
e.g., outside the directories
where the Web application resides
example in the XML context (XXE: XML External Entity):
http://cwe.mitre.org/data/definitions/611.html
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///tmp/sessions/..."> ]>
advanced
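A traversal check for the file-serving case, as an added example (not from the lecture). WEB_ROOT is a hypothetical document root; the test paths are constructed. It compares resolved paths rather than looking for "..", so percent-encoded dots, absolute paths and sibling directories sharing a prefix are all caught by one comparison. It does not apply to the XXE variant on the slide: there the file is read by the XML parser, and the remedy is to disable DTD/external-entity processing in the parser.

```python
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root of the Web application.
WEB_ROOT = Path("/var/www/html")


def resolve_under(root: Path, requested: str) -> Optional[Path]:
    """Map a user-supplied path onto a file below `root`; None if it would escape.
    Works on the resolved (real) path, so '..', symlinks to existing targets and prefix tricks
    such as /var/www/html_private are all handled by one comparison."""
    cleaned = unquote(requested)          # %2e%2e%2f is '../' once the server decodes it
    if "\x00" in cleaned:                 # NUL truncation on C-based runtimes
        return None
    candidate = (root / cleaned).resolve()   # an absolute `cleaned` replaces root here, and is then rejected
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None
    return candidate


def outcome(requested: str) -> str:
    """Helper for the demonstration: 'allowed:<path relative to the root>' or 'blocked'."""
    target = resolve_under(WEB_ROOT, requested)
    if target is None:
        return "blocked"
    return "allowed:" + target.relative_to(WEB_ROOT.resolve()).as_posix()
```

Decoding is done exactly once, mirroring what the server does; a doubly encoded %252e stays a literal file name under the root and is harmless.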
67.
attacks
Real example: attack on PostgreSQL
connecting with low privileges
reading global/pg_auth by using XXE
overwriting this file via XSLT
re-connecting with admin privileges
restoring global/pg_auth with XSLT
launching postgres_payload.rb, a module provided by
the Metasploit project: www.metasploit.com
advanced
71.
attacks
Reflected XSS
the payload script travels in the request (typically in the URL) and
the vulnerable site reflects it into its HTTP response, where the
victim's browser executes it (the malicious script is delivered to each victim individually)
the user is persuaded to visit a specially crafted URL via social
engineering techniques (e-mail, social networks, …)
advanced
72.
attacks
DOM-based XSS
the payload reaches the DOM tree through the page's own JavaScript,
which writes untrusted data (e.g., from location.hash or document.URL)
into the document; the server never sees the payload
details in Ferruh Mavituna's article (2017)
www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
advanced
73.
attacks
XSS: typical examples
<img src="javascript:code" />
(executed only by legacy browsers; modern ones ignore javascript: in src,
but event-handler attributes such as onerror still work)
redirecting the user to another URL,
stealing cookies or blocking the browser
including malicious code (malware)
to be executed by the Web browser
via elements like <embed>, <img> or <object>
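The server-side counterpart of these payloads, as an added example that is not from the lecture: context-aware output encoding, which is what stops the src="javascript:..." and onerror-style injections above. The profile-card template, SAFE_URL_SCHEMES and the decision to refuse protocol-relative //host URLs are this example's own choices; a template engine with auto-escaping does the same per-context encoding.

```python
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Hypothetical policy: schemes a user-supplied link or image source may use.
SAFE_URL_SCHEMES = {"http", "https", "mailto"}
_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def escape_text(value: str) -> str:
    """For element content and quoted attribute values: < > & " ' become entities."""
    return html.escape(value, quote=True)


def safe_url(value: str) -> Optional[str]:
    """Allow-list the scheme of a user-supplied URL; None means 'do not emit it at all'.
    Browsers drop control characters before parsing, so 'java\\tscript:' and ' JavaScript:' are javascript:."""
    stripped = _CONTROL_CHARS.sub("", value)
    scheme = urlsplit(stripped).scheme.lower()
    if scheme == "":
        # relative URL: accept /path, refuse //host (protocol-relative) and bare text
        return stripped if stripped.startswith("/") and not stripped.startswith("//") else None
    return stripped if scheme in SAFE_URL_SCHEMES else None


def render_profile_card(display_name: str, homepage: str) -> str:
    """Every dynamic value goes through the encoder for its context: text node, attribute, URL."""
    link = safe_url(homepage)
    href = f' href="{escape_text(link)}"' if link else ""
    return f"<p>Profile of <b>{escape_text(display_name)}</b> <a{href}>homepage</a></p>"
```

Encoding on output is the primary defence; a Content-Security-Policy without 'unsafe-inline' is the second layer for the cases the template missed.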
74.
attacks
XSS: other malevolent actions
recursive window creation via the DOM (à la fork bomb);
each new window receives a copy of the whole page, this script included:
<script type="text/javascript">
setInterval(function () {
  var w = window.open();
  w.document.write(document.documentElement.outerHTML ||
                   document.documentElement.innerHTML);
}, 33);
</script>
(pop-up blockers in current browsers refuse window.open() calls made
outside a user gesture, which limits this particular payload)
advanced
76.
attacks
XSS
provides the premises for circumventing the policy
that restricts interaction between client-side scripts and resources
of different origins: the Same-Origin Policy
usually, a script belonging to site.org cannot obtain
data from a Web page belonging to the othersite.org domain;
a script injected into site.org via XSS, however, runs with site.org's origin
advanced
77.
attacks
A real example:
exploiting an XSS vulnerability in the HTML filter of
MySpace: when a user viewed Samy's profile, the JavaScript
code automatically made him/her a friend of Samy and used
Ajax to insert the malevolent script into the viewer's own profile
→ social network worm (2005)
http://samy.pl/popular/tech.html
after 20 hours, 1,005,831 requests → MySpace "crushed"
79.
attacks
Cross-Site Request Forgery (CSRF)
forces a user authenticated to an application
to perform unwanted actions, e.g., data corruption
real cases:
getting the list of contacts
of an authenticated GMail user (2005)
changing the postal address and renting films on behalf of persons
having Netflix accounts (2006)
80.
attacks
Cross-Site Request Forgery (CSRF)
can also lead to identity theft (phishing)
or to the injection of malware code on the client
www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
a solution to mitigate the risk of CSRF attacks:
the CSRFGuard library
https://github.com/aramrami/OWASP-CSRFGuard
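What a library such as CSRFGuard does internally, shown as an added example that is neither the lecture's nor CSRFGuard's code: a synchronizer token bound to the session by an HMAC, checked together with the Origin/Referer header on every state-changing request. SERVER_KEY and SITE_ORIGIN are constructed placeholders; the header and form dictionaries stand in for the request object of whatever framework is used.

```python
import hashlib
import hmac
import secrets

# Constructed server-side key and site origin; in production both come from configuration.
SERVER_KEY = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
SITE_ORIGIN = "https://bank.example"


def issue_csrf_token(session_id: str) -> str:
    """Token = nonce '.' HMAC(key, session_id ':' nonce). Nothing is stored server-side:
    the MAC alone ties the token to this session, so a token from another session fails."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_is_valid(session_id: str, token: str) -> bool:
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_KEY, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), mac.encode())   # constant-time comparison


def request_is_genuine(headers: dict, form: dict, session_id: str) -> bool:
    """Two independent checks for a POST that changes state:
    1. Origin (or, failing that, Referer) names our own site, not the attacker's page;
    2. the form carries a token that verifies against the victim's session."""
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return False
    return token_is_valid(session_id, form.get("csrf_token", ""))
```

The forged page of the slide's Netflix case can make the victim's browser send the cookie, but it cannot read the token out of a page on bank.example (Same-Origin Policy) nor set an Origin header of bank.example. Marking the session cookie SameSite=Lax or Strict adds a third, browser-enforced layer.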
81.
attacks
Cross-Site History Manipulation (CSHM)
security breach eluding the Same-Origin Policy,
which allows the navigation history to be manipulated by
a malicious program, e.g., detecting the user's authentication
status on a site, user tracking, accessing parameters
associated with a URL, …
http://tinyurl.com/qyurynm
82.
attacks
Other phishing Web attacks
using JavaScript code to modify the content presented
to the user by the Web browser, or
manipulating the user into clicking hidden links: clickjacking
jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
84.
attacks
Other phishing Web attacks
adopting social engineering techniques:
"any act that influences a person to take an action
that may or may not be in their best interest"
manipulating the user, e.g., into revealing passwords,
by using intimidation, blackmail, authority, flattery,
impersonation, vanity, etc.
www.social-engineer.org
88.
attacks
Problems caused by URIs/IRIs
using Unicode characters
problems with decoding URLs considered "safe"
sites adopting IDNs (Internationalized Domain Names)
→ homograph attacks
details at www.unicode.org/reports/tr36/
example: www.xudongz.com/blog/2017/idn-phishing/
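The homograph problem made concrete, as an added example that is not from the lecture or the linked post: the Punycode form a browser resolves versus the Unicode form it displays, plus a mixed-script check per label. The host names are constructed; U+0430 is CYRILLIC SMALL LETTER A, indistinguishable from Latin a in most fonts.

```python
import unicodedata

# Constructed example: U+0430 CYRILLIC SMALL LETTER A in place of Latin 'a'.
LOOKALIKE = "\u0430pple.com"

_SCRIPT_NEUTRAL = {"DIGIT", "HYPHEN-MINUS", "UNKNOWN"}   # shared by every script


def scripts_in_label(label: str) -> set:
    """Script of each character, read off the first word of its Unicode name (LATIN, CYRILLIC, GREEK, ...)."""
    scripts = set()
    for ch in label:
        word = unicodedata.name(ch, "UNKNOWN").split()[0]
        if word not in _SCRIPT_NEUTRAL:
            scripts.add(word)
    return scripts


def analyze_hostname(host: str) -> dict:
    """Punycode form (what DNS actually resolves) plus the labels that mix scripts."""
    ascii_form = host.encode("idna").decode("ascii")
    mixed = [label for label in host.split(".") if len(scripts_in_label(label)) > 1]
    return {"ascii": ascii_form, "is_idn": ascii_form != host.lower(), "mixed_script_labels": mixed}


def display_form(host: str) -> str:
    """Show Unicode only when every label is single-script; otherwise show the Punycode,
    so the user can see that xn--pple-43d.com is not apple.com."""
    info = analyze_hostname(host)
    return info["ascii"] if info["mixed_script_labels"] else host
```

The mixed-script rule does not catch the all-Cyrillic "apple" of the linked post, where every letter comes from one script; browsers add whole-script confusable tables and language-profile checks (TR 36, TR 39) on top of it.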
90.
attacks
Problems regarding the use of passwords
the more passwords a user needs to memorize,
the more the password-based authentication system
is prone to security breaches:
choosing weak passwords, used for a long time
sharing passwords in groups of friends/colleagues
writing down passwords on paper, possibly in plain sight
using the same password for multiple Web applications
91.
attacks
Problems regarding the use of passwords
attack example:
using a dictionary or brute force on Twitter
→ discovering "happiness" as the password
associated with an admin account
https://blog.codinghorror.com/dictionary-attacks-101/
typical prevention solutions:
admin accounts separated from regular accounts,
throttling or locking accounts after repeated failed logins
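Both sides of the Twitter case, as an added example not taken from the lecture or the linked post: the offline dictionary attack that succeeds against a fast unsalted hash, the salted slow hash that makes each guess expensive, and the online lockout that stops the guessing at the login form. The word list, the PBKDF2 cost and MAX_FAILURES are constructed values.

```python
import hashlib
import hmac
import os

# Constructed word list; real ones (rockyou and the like) hold millions of entries.
WORDLIST = ["123456", "password", "letmein", "happiness", "qwerty"]
PBKDF2_ROUNDS = 100_000   # hypothetical cost; tune so one check takes ~100 ms on your hardware
MAX_FAILURES = 5


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


def dictionary_attack(md5_digest: str):
    """Offline guessing against an unsalted, fast hash: one cheap hash per candidate, nothing can throttle it."""
    for word in WORDLIST:
        if md5_hex(word) == md5_digest:
            return word
    return None


def make_password_record(password: str) -> tuple:
    """Store salt + slow salted hash: each guess now costs PBKDF2_ROUNDS iterations and precomputed tables are useless."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def verify_password(record: tuple, password: str) -> bool:
    salt, digest = record
    return hmac.compare_digest(
        digest, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS))


class LoginGuard:
    """Online counterpart: after MAX_FAILURES consecutive failures the account is locked, so a
    dictionary cannot simply be replayed against the login form (a success resets the counter)."""

    def __init__(self):
        self.failures = {}

    def attempt(self, user: str, record: tuple, password: str) -> str:
        if self.failures.get(user, 0) >= MAX_FAILURES:
            return "locked"
        if verify_password(record, password):
            self.failures.pop(user, None)
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        return "denied"
```

A per-account lock is itself a denial-of-service lever (anyone can lock the admin out), which is why real deployments combine it with per-IP throttling, increasing delays and out-of-band unlocking rather than a hard lock alone.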
97-98.
attacks
Denial of service
exploiting certain application components,
so that the functionalities can no longer be offered to real clients
usually, initiation of a recursive processing
(possibly, through self-reproducing programs):
fork bomb, e.g., for Ruby: loop { fork { __FILE__ } }
XML bomb
zip bomb: http://research.swtch.com/zip
M. Abliz, Internet Denial of Service Attacks and Defense Mechanisms (2011)
https://people.cs.pitt.edu/~mehmud/docs/abliz11-TR-11-178.pdf
advanced
99.
Real example (billion laughs)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
…
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
(ten references per level: &lol9; expands to 10^9 copies of "lol", about 3 GB, from under 1 KB of input)
B. Sullivan, XML Denial of Service Attacks and Defenses (2009)
msdn.microsoft.com/magazine/ee335713
www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
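A gatekeeper for both XML problems in this deck, the external entity of slide 66 and the entity bomb above, as an added example that is neither the lecture's nor the cited articles' code. It inspects the DTD statically before any parser touches the document: it flags a DOCTYPE, lists SYSTEM/PUBLIC entities, and computes how large the body would become after expansion without ever expanding it. Both sample documents are constructed (the bomb regularised to ten references per level); the 1,000,000-character limit is a hypothetical threshold.

```python
import re
from dataclasses import dataclass, field


# Constructed inputs: the slide's bomb and the XXE slide's DOCTYPE.
def _entity_line(i: int) -> str:
    prev = "lol" if i == 1 else f"lol{i - 1}"
    return f'<!ENTITY lol{i} "{("&" + prev + ";") * 10}">'


BILLION_LAUGHS = (
    '<?xml version="1.0"?>\n<!DOCTYPE lolz [\n<!ENTITY lol "lol">\n'
    + "\n".join(_entity_line(i) for i in range(1, 10))
    + "\n]>\n<lolz>&lol9;</lolz>"
)
XXE_DOC = ('<?xml version="1.0"?>\n'
           '<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
           '<doc>&xxe;</doc>')

_DOCTYPE_RE = re.compile(r"<!DOCTYPE\b", re.IGNORECASE)
_INTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
_EXTERNAL_ENTITY_RE = re.compile(r'<!ENTITY\s+(\w+)\s+(?:SYSTEM|PUBLIC)\b')
_REF_RE = re.compile(r"&(\w+);")


@dataclass
class DtdReport:
    has_doctype: bool
    external_entities: list = field(default_factory=list)
    expansion_chars: int = 0   # characters the document body would expand to


def inspect_dtd(xml_text: str) -> DtdReport:
    """Static look at the DTD: DOCTYPE present? SYSTEM/PUBLIC entities (XXE)? How large does the body
    become once nested internal entities are expanded (the bomb)? Nothing is expanded here."""
    report = DtdReport(has_doctype=bool(_DOCTYPE_RE.search(xml_text)))
    if not report.has_doctype:
        return report
    report.external_entities = _EXTERNAL_ENTITY_RE.findall(xml_text)
    entities = dict(_INTERNAL_ENTITY_RE.findall(xml_text))
    memo = {}

    def expanded_len(name: str, seen=()) -> int:
        if name in memo:
            return memo[name]
        if name in seen or name not in entities:
            return 0        # recursion is not well-formed XML anyway; unknown names expand to nothing here
        value = entities[name]
        total = len(_REF_RE.sub("", value)) + sum(
            expanded_len(ref, seen + (name,)) for ref in _REF_RE.findall(value))
        memo[name] = total
        return total

    end = xml_text.find("]>")
    body = xml_text[end + 2:] if end != -1 else xml_text
    report.expansion_chars = sum(expanded_len(ref) for ref in _REF_RE.findall(body))
    return report


def reasons_to_reject(xml_text: str, max_expansion: int = 1_000_000) -> list:
    """What a gatekeeper in front of the real parser reports; an empty list means 'parse it'."""
    report = inspect_dtd(xml_text)
    reasons = []
    if report.has_doctype:
        reasons.append("DOCTYPE present: disable DTD processing or reject (OWASP XXE guidance)")
    for name in report.external_entities:
        reasons.append(f"external entity &{name}; (XXE)")
    if report.expansion_chars > max_expansion:
        reasons.append(f"entity expansion would produce {report.expansion_chars} characters")
    return reasons
```

The simplest robust policy is the first reason alone: refuse any DOCTYPE, since an application that exchanges data rarely needs one. Where DTDs must be accepted, configure the parser itself (no external entities, an expansion limit) rather than relying on a pre-scan.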
100.
attacks
Ransomware / extortion
an attack on a Web site, e.g., DDoS or
content encryption, is stopped only if the owner pays
a "protection fee" (e.g., in Bitcoin)
actual examples:
blog.sucuri.net/2015/12/ddos-extortions-campaigns.html
blog.sucuri.net/2016/01/ransomware-strikes-websites.html
102.
attacks
Attempts to access allegedly vulnerable resources
or administration sections of a Web site (access log excerpt):
208.113.197.80 GET /wp-admin/
5.196.16.176 GET /~jromai/romaijournal//images/stories/post.gif
185.22.64.241 GET /~busaco/docs/jdownloads/screenshots/has.php.j?rf
5.196.16.176 POST /index.php?option=com_jce&task=plugin&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c=cf6dd3cf1923c950586
38.87.45.121 GET /~vcosmin/WikiLogica/index.php?title=BuckYoung847
74.220.207.111 GET /wp-admin/admin-ajax.php?action=revslider_ajax_action
74.220.207.111 GET /index.php?gf_page=upload
195.30.97.113 POST //index.php?option=com_jdownloads&Itemid=0&view=upload
5.153.237.232 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
46.102.103.137 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
103.
attacks
The detection of possible vulnerabilities, due to
incorrect/default settings of Web servers and/or
Web applications, can be accomplished
by using a search engine ("Google hacking")
see also the Google Hack Honeypot project (2007)
ghh.sourceforge.net
other resources of interest at www.honeynet.org
advanced
104.
Examples of actions (search queries):
detecting versions of programs having known bugs:
"Apache/2.0.52 server at"
access to .bak files: inurl:index.php.bak
detecting admin pages: "admin login"
default installations: intitle:"welcome to" intitle:internet IIS
locating database systems' interfaces:
inurl:main.php phpMyAdmin
searching for applications' log files:
inurl:error.log +filetype:log -cvs
getting error messages generated by applications or
database servers: "ASP.NET_SessionId" "data source="
advanced
106.
prevention
Use case: securing the Apache HTTP server
remove non-essential modules:
mod_autoindex, mod_dav, mod_info, mod_include, mod_status, …
restrict default permissions for various directories:
/, /var/www/html (Web site root directory),
(public_)html/ user directories
run the server as a user having minimal permissions,
limiting its access to system resources
advanced
107.
prevention
Use case: securing the Apache HTTP server
"immunize" important configuration files
(not writable by the server's user; immutable where the filesystem allows it)
run Apache in a chroot jail
see also github.com/ZenProjects/Apache-mod-chroot
prohibit the server "signature" (name and version)
in automatically generated pages such as error pages and directory listings:
ServerSignature Off and ServerTokens Prod
use the mod_ssl module to enable HTTPS connections
advanced
108.
prevention
Use case: securing the Apache HTTP server
check/adjust the permissions of public files
limit/disable file uploads
limit the use of .htaccess files by regular users
prohibit access to the users table of MySQL
configure the application servers not to send
error messages to the browser; for PHP: display_errors off
advanced
109.
prevention
Use case: securing the Apache HTTP server
run scripts in "safe" mode:
Perl in taint mode; PHP: allow_url_fopen off
(PHP's safe_mode, recommended in older guides, was removed in PHP 5.4)
sign code as being "safe" (Java/.NET)
update the sites only with secure methods:
ssh, scp, sftp
for guidelines and good practices, consult
http://httpd.apache.org/docs/2.4/misc/security_tips.html
advanced
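A small audit of the settings these four slides mention, run over a constructed httpd.conf fragment, as an added example that is not from the lecture or from the Apache documentation. It checks the weak form of each setting (ServerTokens other than Prod, ServerSignature On, non-essential modules loaded, directory listings via Options Indexes, AllowOverride All) against the corrected form; the sample configuration and the list of "risky" modules are this example's own.

```python
# Constructed httpd.conf fragment with the settings the slides warn about.
WEAK_CONF = """\
ServerTokens Full
ServerSignature On
LoadModule status_module modules/mod_status.so
LoadModule info_module modules/mod_info.so
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
"""

# The same fragment after applying the slides' advice.
HARDENED_CONF = """\
ServerTokens Prod
ServerSignature Off
LoadModule ssl_module modules/mod_ssl.so
<Directory "/var/www/html">
    Options -Indexes +FollowSymLinks
    AllowOverride None
</Directory>
"""

# Modules the slides list as non-essential (this example's set; adjust to what the site needs).
RISKY_MODULES = {"autoindex_module", "dav_module", "info_module", "include_module", "status_module"}


def audit_httpd_conf(text: str) -> list:
    """Return one finding per weak setting; an empty list means the fragment follows the slides."""
    findings, tokens, signature = [], None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        words = line.split()
        if len(words) < 2:
            continue
        directive, arg = words[0].lower(), words[1]
        if directive == "servertokens":
            tokens = arg
        elif directive == "serversignature":
            signature = arg
        elif directive == "loadmodule" and arg in RISKY_MODULES:
            findings.append(f"non-essential module loaded: {arg}")
        elif directive == "options" and any(w.lstrip("+").lower() == "indexes" for w in words[1:]):
            findings.append("directory listing enabled (Options Indexes)")
        elif directive == "allowoverride" and arg.lower() == "all":
            findings.append("AllowOverride All lets any .htaccess change server behaviour")
    if (tokens or "Full").lower() != "prod":        # Apache's default is Full
        findings.append(f"ServerTokens is {tokens or 'Full (default)'}; set ServerTokens Prod")
    if (signature or "Off").lower() != "off":
        findings.append("ServerSignature On leaks the version in generated pages; set ServerSignature Off")
    return findings
```

Hiding the version string does not fix anything by itself (slide 104 shows how versions are found anyway); it removes the cheapest way of selecting targets, which is why it sits beside the module and permission changes rather than replacing them.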
110.
prevention
On Web application servers/platforms,
various examples:
ASP.NET: https://github.com/aspnet/Security
Node.js: nodesecurity.io
PHP: http://phpsecurity.readthedocs.org/
Python: www.pythonsecurity.org
Ruby on Rails: http://tinyurl.com/pbmzgm8
advanced
112.
survivability
The system must carry out its mission
even if some components/parts of the system
are affected or disabled:
fulfilling the most important (mission-critical) functionalities
→ identifying essential services
example:
providing a read-only copy of the content
115.
survivability
Recognizing the attacks and their effects
strategies for restoring data, limiting effects,
maintaining/restoring compromised services:
Web farms, possibly in the cloud
RAID (Redundant Array of Independent Disks)
SAN (Storage Area Network)
backups: full or incremental
…
advanced
118.
response to incidents
Aggressive responses, e.g., hacking back,
are prohibited
commonly, the SANS (SysAdmin, Audit,
Network, and Security) methodology is adopted
stages:
preparation → identification → containment
→ eradication → recovery → follow-up (lessons learned)
www.sans.org/security-resources/
advanced
120.
response to incidents
Forensics
usually performed after a security incident
involves the analysis of hardware (disks, RAM),
"trash" (information detritus), logs,
configuration files, and others
various software tools:
www.cert.org/digital-intelligence/tools/
resources.infosecinstitute.com/computer-forensics-tools/
advanced
123.
monitoring & testing
To be taken into consideration:
Web browser characteristics (+ default settings)
platform(s): hardware, operating system, …
user interface: screen resolution, color depth, …
caching policy (+ proxy security)
support for rendering various document types
(plugin security)
programming language(s) used
(including application server(s), libraries, etc.)
124.
monitoring & testing
Specific tests regarding programming:
buffer overflow
example: the length of the URIs sent by the client
real case:
Apple iTunes for Windows (version < 8.2) allowed
arbitrary code execution when handling itms: URLs
http://www.securitytracker.com/id/1022313
advanced
125.
monitoring & testing
Specific tests regarding programming:
parsing issues
processing of URIs, data received from Web forms,
cookies, (X)HTML entities, XML data,
HTTP, XML-RPC, and SOAP requests,
SQL statements, JSON data, etc.
N. Seriot, Parsing JSON is a Minefield (2016)
http://seriot.ch/parsing_json.php
advanced
129.
monitoring & testing
Specific tests regarding programming:
escaping problems
direct data "injection" via URI, via the Web
interface, via a file (illegal upload) or using a program
(e.g., remote application administration), …
→ verify the escaping with dedicated tools
an example: www.htmlescape.net
advanced
132.
monitoring & testing
Specific tests concerning privacy:
user data must be treated as sensitive and confidential
What data will be available in the client cache?
Do cookies/localStorage contain sensitive data,
potentially exploitable by malicious people?
How is the cache invalidated?
advanced
134.
monitoring & testing
Tests regarding component integration:
the security of an application depends on
the security of its most vulnerable component
e.g., not verifying the user's identity on the server,
assuming that this verification was already
performed in the browser
real case: www.ifc0nfig.com/dominos-pizza-and-payments/
135.
monitoring & testing
Tests regarding data obfuscation:
data should not be stored in predictable locations
the content itself can lead to security issues
(information disclosure)
e.g., Webcam access; context: IoT (Internet of Things)
www.ifc0nfig.com/a-close-look-at-the-philips-in-sight-ip-camera-range/
advanced
138.
monitoring & testing
Breaches regarding information disclosure:
error messages emitted by Web applications
files having incorrect extensions
→ access to the source code of scripts available on the server
listing the content of server directories
sniffing network traffic
(URIs, asynchronously transmitted XML/JSON data, …)
advanced
140.
monitoring & testing
Specific tests regarding deployment:
a suitable preparation for application deployment
detecting flow problems:
properly handling the 4xx and 5xx HTTP status codes,
the access to authenticated resources
(e.g., getting data without user authentication),
abnormal script execution, etc.
advanced
141.
monitoring & testing
Specific tests regarding deployment:
testing the interaction with the Web application
→ programs simulating virtual visitors
experiment with Selenium: www.seleniumhq.org
performing load testing
→ scenarios and result interpretation
advanced
142.
monitoring & testing
Stress-testing tools could reveal information about …
performance
e.g., response time, content generation time, etc.
details in "Client-Side Web Application Development"
https://profs.info.uaic.ro/~busaco/teach/courses/cliw/
advanced
149.
to remember
The vulnerabilities of a Web application
are not necessarily "famous" and
can often be independent of the security
of the system on which the site is deployed
a list of Internet vulnerabilities, including the Web ones:
www.cve.mitre.org/data/downloads/
156.
to remember
Rules/good practices (Sverre Huseby, 2004):
Do not underestimate the power of the dark side
Use POST requests when actions have side effects
In a server-side context,
there is no such thing as client-side security
Always generate a new session ID once the user logs in
Never pass detailed error messages to the client
Identify every possible meta-character to a subsystem
When possible, pass data separate from control information
Do not blindly trust the API documentation
Identify all sources of input to the application
When filtering data, use white-listing rather than black-listing
advanced
157.
to remember
Rules/good practices (Sverre Huseby, 2004):
Create application-level logs
Never use client-side scripts for security
Pass as little internal state information as possible to the client
Don't assume that requests will come in a certain order
Filter all data before including them in a Web page,
no matter what the origin
Stick to existing cryptographic algorithms, do not create your own
Never store clear-text passwords
Assume that server-side code is available to attackers
Security is not a product; it is a process
advanced
159.
to remember
Security risks are not a concern only for the owner
of the Web site/application, but also for the end user
typical actions:
spying on the user (user tracking)
inserting unwanted messages (ad-injection malware)
events + resources:
www.ieee-security.org, www.w3.org/Security/
http://googleonlinesecurity.blogspot.com/
advanced
160.
to remember
Discomforts caused by an insecure Web site/app:
financial: loss of money/information
performance: e.g., blocking/slowing down actions
psychological: dissatisfaction → influence on UX
social: e.g., work incapacity, lack of communication, …
time: cumbersome browsing, redirecting, etc.