Experiential Learning Workshop on Basics of Web Security · 2018-07-30 · Experiential Learning...


Experiential Learning Workshop on Basics of Web Security
June 29, 2018
Dr. Ram P Rustagi, Professor, CSE Dept, KSIT, Bangalore
[email protected]
RPR/DrAIT/Basics of Web Security


Resources

• https://rprustagi.com/ELNT/Experiential-Learning.html
  – Articles in ACCS Journal https://acc.digital
• www.github.com/rprustagi
  – Source code and examples for articles
• https://www.rprustagi.com/ieee/drait
  – Slides for this talk
  – Example web pages
  – Example programs
• Computer Networks: A Top Down Approach - Kurose, Ross


Day 1: Basics of Networking

• Overview
• Introduction to basic networking tools
• Hands-on 1: Using networking tools
• TCP/IP stack 4-layer model
• Analysis of layers in IP, TCP/UDP and HTTP
• Hands-on 2: Layers in ping, nc, http
• IP addressing, subnetting and routing
• Hierarchical addressing
• Hands-on 3: Subnet mismatch and reachability
• Supernetting, longest prefix match
• Hands-on 4: Overlapping subnets, longest match
• Summary


Day 2: Basics of Socket Programming

• Overview: sockets
• Simple client/server programs
• Hands-on 1: Writing a TCP and a UDP server
• Errors in socket programming
• Network byte order, buffer management, socket close
• Hands-on 2: Network byte order, socket close
• Multiple concurrent client communication
• Socket call return values and reliability
• Hands-on 3: Handling concurrent clients, listen
• TCP streaming and UDP message boundary
• Hands-on 4: TCP streaming & UDP message boundary
• Summary


Day 3: Basics of Web Security

• Overview: HTTPS protocol
• Server certificate and server authentication
• Mixed content and browser warnings
• Lock icons and HTTP status
• Hands-on 1: HTTPS website with mixed content
• MITM attack and ARP spoofing
• MITM with browser and information stealing
• Understanding HSTS, CSP
• Hands-on 2: Implementing ARP spoofing
• Summary


HTTPS Protocol

• Secure web communication requirements
  – Authentication
  – Confidentiality
  – Data integrity
• Authentication
  – Client authentication by the server, by many means
    • Credentials, biometrics, OTP (SMS), …
    • Certificate based (not prevalent)
  – Server authentication by the client
    • End users are not tech savvy
    • The browser should do it automatically and seamlessly


HTTPS Protocol…

• Web communication security: Confidentiality
  – Communication free from snooping
  – Responsibility assumed to lie with the web application
  – Client takes it for granted
• Web communication security: Integrity
  – Communication safe from alteration
  – Responsibility with the web application
• Security of web communication
  – To be intrinsic to the browser and the web application
  – Practically impossible to educate all end users


HTTPS Authentication

• Server provides a website certificate, having
  – Website name, e.g. mywww.com
  – Certificate validity period (typically 1 year)
  – Public key of the certificate issuing authority
• Authentication mechanism
  – Browser checks all 3 pieces of information
  – Any violation flags a warning
    • User has to click through to proceed
• Examples:
  – https://172.217.166.100   #google
  – https://myweb.com         #google IP in /etc/hosts
  – https://mywww.com         #self signed certificate
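The three browser checks above, worked through in Python as an added example (not code from the workshop): the certificates are constructed dicts in the shape returned by ssl.SSLSocket.getpeercert(), and the trust store and issuer names are assumptions; only the three example URLs come from the slide. The IP and myweb.com cases fail the name check against a certificate issued for www.google.com, and mywww.com fails the issuer check because a self-signed certificate names itself as issuer.

```python
import ssl
from datetime import datetime, timezone

# Constructed trust store standing in for the CA list shipped with the browser.
TRUSTED_ISSUERS = {"Example Public CA", "Example Root CA"}

# Time the checks are evaluated at (the workshop date) and a later, expired time.
CHECK_TIME = datetime(2018, 6, 29, tzinfo=timezone.utc)
LATER_TIME = datetime(2019, 1, 1, tzinfo=timezone.utc)


def _dn_field(dn, key):
    """Pick one attribute (e.g. commonName) out of a getpeercert() DN tuple."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def _name_matches(pattern, hostname):
    """Match a certificate name against a hostname; '*.' covers one label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_certificate(cert, hostname, now):
    """Return the list of warnings a browser would raise; empty means a clean lock."""
    warnings = []

    # 1. Website name: subjectAltName DNS entries, else the subject commonName.
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        cn = _dn_field(cert.get("subject", ()), "commonName")
        names = [cn] if cn else []
    if not any(_name_matches(n, hostname) for n in names):
        warnings.append(f"name mismatch: {hostname!r} not covered by {names}")

    # 2. Validity period; getpeercert() dates look like 'Jun  1 00:00:00 2018 GMT'.
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    if not not_before <= now <= not_after:
        warnings.append(f"outside validity period {not_before:%Y-%m-%d} to {not_after:%Y-%m-%d}")

    # 3. Issuer must be a CA the browser already trusts. A self-signed certificate
    #    names itself as issuer and is therefore never in the store.
    issuer = _dn_field(cert.get("issuer", ()), "commonName")
    if issuer not in TRUSTED_ISSUERS:
        warnings.append(f"untrusted issuer {issuer!r}")
    return warnings


# Constructed certificates modelled on the slide's examples (not real certificates).
GOOGLE_LIKE = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("commonName", "Example Public CA"),),),
    "subjectAltName": (("DNS", "www.google.com"), ("DNS", "*.google.com")),
    "notBefore": "Jun  1 00:00:00 2018 GMT",
    "notAfter": "Aug 31 23:59:59 2018 GMT",
}
SELF_SIGNED = {  # mywww.com signed with its own key: issuer == subject
    "subject": ((("commonName", "mywww.com"),),),
    "issuer": ((("commonName", "mywww.com"),),),
    "notBefore": "Jun  1 00:00:00 2018 GMT",
    "notAfter": "Jun  1 00:00:00 2019 GMT",
}


def slide_examples():
    """The three URLs from the slide, plus the clean case, checked at CHECK_TIME."""
    return {
        "https://www.google.com": check_certificate(GOOGLE_LIKE, "www.google.com", CHECK_TIME),
        "https://172.217.166.100": check_certificate(GOOGLE_LIKE, "172.217.166.100", CHECK_TIME),
        "https://myweb.com": check_certificate(GOOGLE_LIKE, "myweb.com", CHECK_TIME),
        "https://mywww.com": check_certificate(SELF_SIGNED, "mywww.com", CHECK_TIME),
    }


if __name__ == "__main__":
    for url, problems in slide_examples().items():
        print(url, "->", problems or "OK (lock icon)")
```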


HTTPS Communication

• Data confidentiality
  – Using the SSL protocol, the browser sets up a common encryption key with the web server
  – This encryption key is used to encrypt/decrypt the data exchanged between browser and web server
• Certificate authorities
  – The browser is configured with a large number of certificate authorities
  – It accepts certificates only from these, e.g.
    • Amazon, Entrust, GeoTrust, GoDaddy, Thawte, VeriSign


HTTPS Communication…

• The SSL protocol supports client certificates
  – Rarely seen in practice
  – When used, a credentials-based mechanism may not be required
• Wireshark supports session decryption
  – provided the session key is known, or
  – the private key of the certificate authority is known
    • possible for self signed certificates


SSL Certificates

• General process
  – Create a private and public key for the owned website
  – Generate a Certificate Signing Request (CSR)
  – Send the CSR to a certificate issuing authority (CA)
  – Pay the money for the certificate
  – The CA verifies the request, website ownership details etc.
  – The CA issues the certificate
  – Install the certificate on the web server


SSL Certificates

• Certificate types
  – DV (Domain Validation): the basic type
    • Web server authentication and encryption only
  – OV (Organization Validation) certificate
    • Verifies the actual business that is requesting
    • The organization name is listed in the certificate
  – EV (Extended Validation)
    • Provides a green address bar in the browser
    • Requires a stronger authentication process to confirm the identity of the business


Mixed Content Web Page

• Mixed content web page
  – A web page accessed over HTTPS that has embedded objects fetched over HTTP (not HTTPS)
  – An object fetched over HTTP is subject to tampering
    • An attacker can hijack the request and serve different content
  – The browser warns in terms of the lock icon status
• Mixed content types
  – Pure content: no mixed content
  – Mixed passive content: images
  – Mixed active content: scripts


Mixed Content Webpage

[Figure: browser lock icon screenshots for the three cases]
• Secure, no mixed content
• Potentially unsecure, passive content is not blocked
• Potentially unsecure, active content is not blocked

Passive Mixed Content
URL: https://rprustagi.com/accs/mixed.html

    <body>
      <h2>Img01 with inherited security</h2>
      <h2>Img02 with insecure access.</h2>
      <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
      <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
    </body>


Active Mixed Content
URL: https://rprustagi.com/accs/mixed-active.html

    <body>
      <!-- script fetched over plain HTTP from an HTTPS page: active mixed content -->
      <script src="http://rprustagi.com/js/mywww.js"></script>
      <h1>Mixed Content Demonstration</h1>
      <button type="button" onclick="hello()">insecure access</button>
      <h2>Image 02 with insecure security access.</h2>
      <!-- protocol-relative URL: inherits the scheme of the page (HTTPS here) -->
      <img src="//rprustagi.com/img/img-02.jpg" alt="Img 01">
    </body>
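An added example (not from the workshop) that applies the lock-icon logic of the two slides above to their own markup: a small Python scanner classifies each subresource of an HTTPS page as secure, passive mixed content or active mixed content, treating protocol-relative URLs as inheriting the page's scheme. The tag-to-category tables and the "insecure-page" state for plain-HTTP pages are my assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attribute carrying the subresource URL. Passive loads only display
# content; active loads can run code or rewrite the page (the slide's split).
PASSIVE = {"img": "src", "audio": "src", "video": "src"}
ACTIVE = {"script": "src", "iframe": "src", "link": "href", "object": "data"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []  # (kind, tag, url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in PASSIVE:
            kind, url = "passive", attrs.get(PASSIVE[tag])
        elif tag in ACTIVE:
            kind, url = "active", attrs.get(ACTIVE[tag])
            if tag == "link" and (attrs.get("rel") or "").lower() != "stylesheet":
                return  # only stylesheet links are active subresources here
        else:
            return
        if not url:
            return
        # urlsplit gives scheme '' for protocol-relative ("//host/x") and
        # relative URLs; both inherit the scheme of the page that embeds them.
        effective = urlsplit(url).scheme or self.page_scheme
        self.findings.append((kind if effective == "http" else "secure", tag, url))


def scan(page_url, html):
    """Classify a page as the lock icon would: 'secure', 'passive' (images
    over HTTP), 'active' (scripts over HTTP) or 'insecure-page' when the page
    itself is plain HTTP, in which case mixed content does not apply."""
    if urlsplit(page_url).scheme != "https":
        return "insecure-page", []
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    kinds = {kind for kind, _, _ in scanner.findings}
    state = "active" if "active" in kinds else "passive" if "passive" in kinds else "secure"
    return state, scanner.findings


# Sample input: the two pages shown on the slides (markup copied, not fetched).
PASSIVE_PAGE = """<body>
<img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
<img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>"""
ACTIVE_PAGE = """<body>
<script src="http://rprustagi.com/js/mywww.js"></script>
<img src="//rprustagi.com/img/img-02.jpg" alt="Img 01">
</body>"""

if __name__ == "__main__":
    print(scan("https://rprustagi.com/accs/mixed.html", PASSIVE_PAGE))
    print(scan("https://rprustagi.com/accs/mixed-active.html", ACTIVE_PAGE))
```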


Insecure Password Field in Form

• Quite often, web developers use the form tag <input type="password" …> in a form.
• When this form is accessed over HTTP, it becomes an insecure access.
• Browsers are by default configured to throw a warning when a password field is submitted over HTTP.


HTTPS and Proxy Setup

• HTTPS deployment challenges with a proxy, or a network that requires authentication
  ❖ The network site hijacks the URL
    ❖ e.g. public hotspots, colleges
  ❖ Redirects to an authentication URL
  ❖ On successful authentication, the user is permitted access
  ❖ This setup does not work with HTTPS
    ❖ On hijack of HTTPS traffic, the browser throws a warning


Setup Requirement

[Figure: two systems S1 and S2 connected to a switch]

Hands-On 1

• Create two web pages
  – one with mixed passive content
  – the other with mixed active content
• Deploy these web pages on your web server, deployed with an SSL certificate (self signed)
• Import the certificate into the browser's certificate store
• Access (Firefox) these URLs with HTTP
• Access (Firefox) these URLs with HTTPS
  – Analyze the difference
• Create a simple web form with a password field
• Access the web form using HTTP, i.e. no HTTPS


What is a MITM Attack

• An attack where the attacker secretly captures,
• and possibly alters, the communication between two parties
• while the parties believe that they are directly communicating with each other


Typical E-commerce Traffic

[Figure: User ↔ ecomm.site]
• Typical usage: user enters ecomm.site
• Gets the web page displayed
• Proceeds with the transaction

Typical E-commerce Traffic Setup

[Figure: User-A and User-X behind an AP/Router, reaching ecomm.site]
1. User-A: http://ecomm.site
2. 302 Redirect to https://ecomm.site
3. New request to https://ecomm.site
4. Setup of HTTPS session
5. Secure data exchange

Typical E-commerce Traffic with MITM

• Typical usage: user enters ecomm.site
• MITM attacker hijacks the URLs and changes the network settings
• All the back and forth traffic goes via the attacker
• Gets the web page displayed
• Proceeds with the transaction

ARP Spoofing

• Objective: when A & C communicate, B can snoop
  ❖ Use ARP spoofing to fool A & C into going via B
  ❖ Attacker machine (B)
    ❖ Becomes a router to forward traffic
    ❖ Runs tcpdump to capture traffic
  ❖ Why does ARP spoofing work?

[Figure: A (172.25.4.x), B (172.25.4.y) and C (172.25.4.z) on one LAN]

MITM Attack

❖ Convert B into a router
  ❖ sudo sysctl -w net.ipv4.ip_forward=1
❖ Install the ARP sniffer on B
  ❖ sudo apt install dsniff
❖ Issue the ARP spoof command on B for A & C
  ❖ arpspoof -i <i/f> -t <Address of A> -r <Address of C>
❖ Run Wireshark on B for the IP addresses of A & C
  ❖ capture filter: host <A> or host <C>
❖ Let A & C chat
❖ Run tcpdump on B (between A and C)


Typical E-commerce Traffic w/ MITM

[Figure: User-A, User-X (MITM attacker) and AP/Router, reaching ecomm.site]
1. User-A: http://ecomm.site
2. User-X (MITM attacker): http://ecomm.site (the attacker forwards the request)
3. 302 Redirect to https://ecomm.site
4. New request to https://ecomm.site
5. Setup of HTTPS session
6a. HTTP response & data exchange (User-A ↔ User-X)
6b. Secure data exchange with eavesdropping (User-X ↔ ecomm.site)

Traffic Flow with MITM Attacker

• Step 0: Attacker sets up the hostile environment
  ❖ Using ARP spoofing, and
    ❖ Open source package dsniff
    ❖ Makes silent ARP changes in the victim m/c
    ❖ Makes silent ARP changes in the local router
    ❖ All traffic between user and router goes via the attacker
  ❖ Using SSLStrip
    ❖ Open source package sslstrip
    ❖ Converts HTTPS URLs to HTTP and vice versa


Traffic Flow with MITM Attacker…

• Step 1: User types ecomm.site in the browser
• Step 2: HTTP packets, instead of going to the local router, are delivered to the attacker's system
  ❖ Pkt still has src IP of the victim and dst IP of Amazon
• Step 3: Attacker forwards the request via the local router to ecomm.site (becomes the initiator)
• Step 4: ecomm server sends a redirect to use https
• Step 5: Local router sends the HTTP response (IP packet) to the attacker instead of the victim
  ❖ Pkt has src IP of ecomm and dst IP of the victim
❖ Step 6: Attacker initiates an HTTPS request to amazon
❖ Step 7: ecomm site responds with the web page


Traffic Flow with MITM Attacker…

❖ Step 8: Attacker manipulates the web page
  ❖ Replaces all references to HTTPS with HTTP
  ❖ SSLStrip does it automatically
❖ Step 9: Victim sees the same look and feel as before
  ❖ Does not notice that it is not HTTPS
❖ Step 10: Victim enters credentials and sends
❖ Step 11: The HTTP packet with credentials is delivered to the attacker
  ❖ Attacker records the information (e.g. tcpdump)
  ❖ Forwards it on HTTPS to amazon
❖ Summary: ecomm site believes everything is HTTPS, which is true. Victim is unaware of the data theft.


Why MITM Works?

• User does not enter HTTPS with the URL; just types ecomm.site
• A typical user is not aware that credential information should be entered
  ❖ only if there is a green lock symbol before the URL
❖ User has no knowledge of how L3 and L2 of networking work
❖ Has no means of verifying that data is going not to the local router but to an attacker
❖ Any IT dept (of an organization) is typically short-staffed and believes that no attacks are happening internally


Web Scenarios for MITM

• Plaintext HTTP mechanism
  ❖ Simple ARP spoofing is good enough
❖ HTTPS access with redirection from HTTP
  ❖ SSLStrip is helpful for the attacker
❖ Using HSTS
  ❖ First time usage is hackable


Avoiding MITM Attacks?

• Sol 1: Educate the user
  ❖ User must enter HTTPS before the URL
  ❖ Practically not possible to educate a billion users
❖ Sol 2: Enforce that browser vendors initiate all traffic with HTTPS
  ❖ Proxies won't work
  ❖ URL hijack for auth won't work
  ❖ Note: Chrome marks the site as not secure
❖ Sol 3: Empowering IT
  ❖ IT dept runs MITM tools
  ❖ Detects any MITM activities
  ❖ Challenge: typical IT is not capable


Avoiding MITM Attacks?…

• Sol 4: A responsible website responds only to HTTPS
  ❖ Does not respond to HTTP
  ❖ Challenge: user still enters HTTP
    ❖ It will lose business when the user does not see a response
    ❖ Entity does not want to lose business
❖ Sol 5: Make ARP entries static in the router and the victim m/c
  ❖ Challenge: practically impossible
  ❖ User needs to understand how ARP works
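As an added example (not part of the workshop) of the detection side that Sol 3 and Sol 5 point at: a small Python monitor over ARP replies seen on the LAN, using the slide's A/B/C layout. It raises an alert when an IP's MAC changes against a known baseline and when one MAC ends up answering for several IPs, which is the footprint ARP poisoning leaves when one host impersonates both the router and the victim. The addresses, the baseline and the reply records are constructed, not captured.

```python
from collections import defaultdict

# Constructed baseline from a quiet period: the slide's A/B/C layout in
# 172.25.4.0/24 with locally administered (made-up) MAC addresses.
BASELINE = {
    "172.25.4.1": "02:00:00:00:00:01",   # C: default router
    "172.25.4.10": "02:00:00:00:00:0a",  # A: victim workstation
    "172.25.4.20": "02:00:00:00:00:14",  # B: another host on the LAN
}

# Constructed ARP replies as (time_s, sender_ip, sender_mac). From t=12 the
# host owning ...:14 answers for both the router and A, which is exactly the
# pattern a poisoning tool leaves behind.
ARP_REPLIES = [
    (1, "172.25.4.1", "02:00:00:00:00:01"),
    (2, "172.25.4.10", "02:00:00:00:00:0a"),
    (5, "172.25.4.20", "02:00:00:00:00:14"),
    (12, "172.25.4.1", "02:00:00:00:00:14"),
    (12, "172.25.4.10", "02:00:00:00:00:14"),
    (14, "172.25.4.1", "02:00:00:00:00:14"),
]


def detect_arp_spoofing(replies, baseline=None):
    """Return alerts as (time, kind, subject, detail). Two signals are used:
    an IP whose MAC changes against what we knew, and one MAC that ends up
    claiming several IPs (the MITM host impersonating both ends). Without a
    baseline the first reply seen for each IP is taken as the reference."""
    ip_to_mac = {ip: mac.lower() for ip, mac in (baseline or {}).items()}
    mac_to_ips = defaultdict(set)
    for ip, mac in ip_to_mac.items():
        mac_to_ips[mac].add(ip)

    alerts = []
    for t, ip, mac in replies:
        mac = mac.lower()
        known = ip_to_mac.get(ip)
        if known is not None and known != mac:
            alerts.append((t, "ip-mac-change", ip, f"{known} -> {mac}"))
            mac_to_ips[known].discard(ip)   # the old owner no longer claims it
        ip_to_mac[ip] = mac
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            if len(mac_to_ips[mac]) > 1:   # alert once each time the set grows
                alerts.append((t, "mac-claims-many", mac, sorted(mac_to_ips[mac])))
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_spoofing(ARP_REPLIES, BASELINE):
        print(*alert)
```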


HTTP Strict Transport Security

❖ HSTS: https://tools.ietf.org/html/rfc6797
❖ A mechanism incorporated by the web server
❖ Instructs the browser to always initiate requests with HTTPS
  ❖ Even if the user enters http://<website>
❖ Ensures that once a browser receives the HSTS header
    Strict-Transport-Security: max-age=31536000; includeSubDomains
  ❖ the browser initiates HTTPS always
❖ Most useful in public places
  ❖ Airports, cafes, malls, railway stations etc.


HSTS Deployment

• Prominent sites that use HSTS
  – Facebook, Amazon, Twitter
  – Google ??
  – Airtel (with max-age=0)
• Sites that are yet to implement HSTS
  – E-commerce sites: Flipkart
  – Banks, e.g. SBI, ICICI Bank, HDFC
  – Academic institutes: VTU Karnataka, IISc


Inadequacies of HSTS Mechanism

• When the user visits a website for the first time, and the website responds with the HSTS header
  ❖ The MITM attacker can still manipulate the response and remove the HSTS header
  ❖ The user is subject to attack on first time access
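The browser side of HSTS from the three slides above (the header, the max-age=0 case and the first-visit gap), written in Python as an added example that is not part of the workshop material; it is a reduced model of the RFC 6797 policy cache, and the timestamps and host names in the usage are constructed. A header received over plain HTTP is ignored, which is what leaves a first visit unprotected, and max-age=0 removes the stored policy.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsStore:
    """Per-browser HSTS cache: host -> (expiry time in seconds, includeSubDomains)."""

    def __init__(self):
        self.policies = {}

    @staticmethod
    def parse_header(value):
        """Parse 'max-age=31536000; includeSubDomains' into (max_age, include_sub),
        or None when the mandatory max-age is missing or malformed."""
        max_age, include_sub = None, False
        for directive in value.split(";"):
            name, _, val = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                val = val.strip().strip('"')
                if not val.isdigit():
                    return None
                max_age = int(val)
            elif name == "includesubdomains":
                include_sub = True
        return None if max_age is None else (max_age, include_sub)

    def process_response(self, url, headers, now):
        """Learn from one response. The header counts only when the response
        came over HTTPS: on plain HTTP an on-path attacker could have stripped
        or altered it, which is exactly the first-visit gap on the slide."""
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = self.parse_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_sub = parsed
        host = parts.hostname.lower()
        if max_age == 0:
            self.policies.pop(host, None)   # max-age=0: forget this host (Airtel on the slide)
        else:
            self.policies[host] = (now + max_age, include_sub)
        return True

    def rewrite(self, url, now):
        """Return the URL the browser actually requests: upgraded to https://
        when a live policy covers the host (or a parent with includeSubDomains)."""
        parts = urlsplit(url)
        if parts.scheme != "http":
            return url
        host = parts.hostname.lower()
        labels = host.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            policy = self.policies.get(candidate)
            if policy is None:
                continue
            expiry, include_sub = policy
            if expiry <= now:
                del self.policies[candidate]     # expired entries are dropped
                continue
            if candidate == host or include_sub:
                netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
                return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url


if __name__ == "__main__":
    store = HstsStore()
    # First visit over HTTP: the header is not trusted, nothing is learned.
    store.process_response("http://ecomm.site/", {"Strict-Transport-Security": "max-age=31536000"}, 0)
    print(store.rewrite("http://ecomm.site/login", 0))
    # After one HTTPS response carrying the slide's header, HTTP is upgraded.
    store.process_response("https://ecomm.site/",
                           {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}, 100)
    print(store.rewrite("http://ecomm.site/login", 200))
```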


HTTP Headers for Secure Web

• Avoiding XSS
  ❖ Use Secure; HttpOnly in Set-Cookie
  ❖ X-XSS-Protection: 1
❖ Avoid content-type guessing by the browser
  ❖ X-Content-Type-Options: nosniff
  ❖ Uses content only when Content-Type is provided
❖ Use Content-Security-Policy
  ❖ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


Content Security Policy (CSP)

• Common form of attack on websites
  – Interaction with a user where some input is taken
    • e.g. blog comments, social media sites, forms etc.
  – User input injects malicious content
    • results in website hacking, stealing of user info etc.
• CSP: an approach to prevent such attacks
  – Implemented via HTTP headers
  – Tells the browser which content can be dangerous and should be blocked, based on the origin of the content
    • e.g. scripts, CSS, images etc.


CSP Examples

• Header set Content-Security-Policy
  – "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'"
    • Blocks content from any site other than self
  – script-src 'self' https://code.jquery.com;
    • Allows content from self and one more website, and no other
  – Upgrade-Insecure-Requests
    • Browser accesses all links with HTTPS
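An added example (not from the workshop) that evaluates the policies on the slide the way a browser does: parse the header, fall back from a missing script-src/img-src/style-src to default-src, and decide per resource whether it loads. It is a reduced model (keyword sources 'none' and 'self', scheme and host sources, no paths or wildcards) and the resource URLs are constructed. One caveat it makes visible: keyword sources must be quoted, since an unquoted self is read as a host name and matches nothing.

```python
from urllib.parse import urlsplit

# Resource type -> the fetch directive that governs it.
FETCH_DIRECTIVES = {"script": "script-src", "img": "img-src", "style": "style-src"}


def parse_csp(header):
    """'default-src 'none'; script-src 'self'' -> {'default-src': ["'none'"], ...}"""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def _source_allows(source, page, resource):
    """Does one source expression permit the resource? page and resource are
    urlsplit() results. Covers 'none', 'self', '*', scheme-sources such as
    "https:" and host-sources such as https://code.jquery.com."""
    src = source.lower()
    if src == "'none'":
        return False
    if src == "'self'":   # same scheme and host[:port] as the page
        return (resource.scheme, resource.netloc) == (page.scheme, page.netloc)
    if src.startswith("'"):
        return False      # other keywords ('unsafe-inline', nonces, ...) not modelled
    if src == "*":
        return True
    if src.endswith(":"):  # scheme-source
        return resource.scheme == src[:-1]
    host = urlsplit(src if "//" in src else "//" + src)   # host-source
    if host.scheme and host.scheme != resource.scheme:
        return False
    return host.netloc == resource.netloc.lower()


def csp_allows(policy, page_url, resource_type, resource_url):
    """Return (allowed, directive_used). A missing type directive falls back
    to default-src; with neither present CSP imposes no restriction."""
    page, resource = urlsplit(page_url), urlsplit(resource_url)
    directive = FETCH_DIRECTIVES[resource_type]
    if directive in policy:
        used = directive
    elif "default-src" in policy:
        used = "default-src"
    else:
        return True, None
    return any(_source_allows(s, page, resource) for s in policy[used]), used


def request_url(policy, resource_url):
    """With upgrade-insecure-requests the browser fetches http:// subresources over https://."""
    if "upgrade-insecure-requests" in policy and resource_url.startswith("http://"):
        return "https://" + resource_url[len("http://"):]
    return resource_url


# The slide's policies, plus an unquoted-self variant to show the quoting pitfall.
STRICT = parse_csp("default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'")
JQUERY = parse_csp("default-src 'none'; script-src 'self' https://code.jquery.com")
UNQUOTED = parse_csp("script-src self https://code.jquery.com")
PAGE = "https://rprustagi.com/accs/mixed-active.html"   # page from the slides

if __name__ == "__main__":
    print(csp_allows(STRICT, PAGE, "script", "https://rprustagi.com/js/mywww.js"))
    print(csp_allows(STRICT, PAGE, "script", "https://code.jquery.com/jquery.js"))
    print(csp_allows(JQUERY, PAGE, "script", "https://code.jquery.com/jquery.js"))
    print(csp_allows(UNQUOTED, PAGE, "script", "https://rprustagi.com/js/mywww.js"))
```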


Hands-On 2

• Implement ARP spoofing
  – Run the ARP spoofing command on X (attacker)
    • Spoof MAC address MACA on B to MACX on B
    • Spoof MAC address MACB on A to MACX on A
  – Convert X into a router
  – Initiate a chat between A and B
  – Snoop on the chat communication between A and B and see the chat data on X


Hands-On 2…

• Implement HSTS
  – Configure a web server to support HSTS
  – When done for a site with a self signed certificate, it is unlikely to be ignored.
  – Use browser developer tools (or wget) to verify that the HSTS header comes in the response
  – Identify websites that have implemented HSTS, e.g. amazon.com
    • Access these websites with HTTP and verify that access is made with HTTPS and not with HTTP


Summary

• HTTPS overview
• Installing an SSL certificate
• Warnings on invalid certificates
• Mixed content warnings and lock icons
• ARP spoofing
• Snooping on someone in the local network


Thank You
