
Experiential Learning Workshop on Web Security Basics July 18, 2018

Join Dr. Ram P. Rustagi for a hands-on workshop on the fundamentals of web security, covering topics like HTTPS deployment challenges and MITM attacks.


Presentation Transcript


  1. Dr. Ram P Rustagi, Professor, CSE Dept, KSIT, Bangalore, rprustagi@ksit.edu.in, +91-8970000559 • Experiential Learning Workshop on Web Security Basics, July 18, 2018 • Experiential Learning: Web Security Basics • RPR

  2. Resources & Acknowledgements • Resources • https://rprustagi.com/ELNT/Experiential-Learning.html • Articles in ACCS Journal • https://acc.digital/experiential-learning-of-networking-technologies-4/ • www.github.com/rprustagi • https://www.rprustagi.com/workshops/ieee/nita • Slides • https://www.rprustagi.com/workshops/programs • Example web pages, and programs

  3. Day 2: Understanding Web Security • Overview of HTTP/HTTPS • SSL certificate management • HTTPS deployment challenges • HO1: Deploying SSL, clicking through browser warnings • HTTP mixed content, lock icons • HO2: Using mixed content • MITM challenges, and ARP spoofing • MITM with browser and information stealing • HO3: Implementing MITM with sslstrip • Understanding HSTS protocol, CSP • HO4: Implementing CSP and HSTS • Summary

  4. Internet Experimental Setup-1 (figure: Internet uplink, switch S1 with ports 1, 2, 3; hosts Ha: 10.1.1.1/24 and Hb: 10.1.1.2/24)

  5. Internet Experimental Setup-2 (figure: Internet uplink, switch S1 with ports 1, 2, 3; hosts Ha: 10.1.1.1/24, Hb: 10.1.1.2/24 and Hc: 10.1.1.3/24)

  6. Day 1: Understanding Network Layer • Overview • Networking tools: wireshark, nc, wget, ssh • Review of IP and TCP headers • HO1: wireshark, IP and TCP headers • Routing & forwarding, subnetting, unicast/bcast • HO2: Routing, subnetting, traceroute analysis • IP fragmentation, PMTU discovery • Understanding ICMP, NAT • HO3: ICMP errors: fragmentation, TTL expiry • Understanding ARP, Proxy ARP, DHCP, GARP • HO4: Static ARP, Proxy ARP, GARP • Summary


  8. HTTPS Protocol • Secure web communication requirements • Authentication • Confidentiality • Data integrity • Authentication • Client authentication by the server, by many means • Credentials, biometrics, OTP (SMS), ... • Certificate based (not prevalent) • Server authentication by the client • Clients are not tech savvy • The browser should do it automatically and seamlessly

  9. Web Communication Security • Confidentiality • Communication free from snooping • Responsibility assumed to lie with the web application • The client takes it for granted • Integrity • Communication safe from alteration • Responsibility with the web application • Security • Must be intrinsic to the browser and the web application • Practically impossible to educate all end users


  11. HTTPS Authentication • The server presents its website certificate, which carries • The website name, e.g. mywww.com (subject / subjectAltName) • The certificate validity period (typically 1 year) • The site's public key, signed by a certificate issuing authority (CA) whose own public key the browser already trusts • Authentication mechanisms • The browser checks all three: the name matches the URL, the current date lies within the validity period, and the signature chains to a trusted CA • Any violation flags a warning • The user has to click through to proceed • Examples (each one triggers a warning): • https://172.217.166.100 #Google by IP address: the certificate lists DNS names, not the IP • https://myweb.com #Google IP in /etc/hosts: name mismatch • https://mywww.com #self signed certificate: issuer not trusted

  12. HTTPS Communication • Data confidentiality: • Using the SSL/TLS handshake, the browser and the web server agree on a shared session key • This session key is used to encrypt/decrypt the data exchanged between browser and web server • Certificate authorities • The browser (or OS) ships with a large number of trusted certificate authorities (the root store) • It accepts a server certificate only if it chains to one of these, e.g. • Amazon, Entrust, GeoTrust, GoDaddy, Thawte, VeriSign

  13. HTTPS Communication • The SSL/TLS protocol supports client certificates • Rarely seen in practice • When used, may replace a credentials based login • Wireshark supports session decryption • Provided the session key is known (e.g. exported by the browser via SSLKEYLOGFILE), or • The server's private key is known and the session used RSA key exchange (not ephemeral Diffie-Hellman, which gives forward secrecy) • Possible with the self signed certificates generated in the lab, since you hold the private key

  14. SSL Certificates • General process • Create a private and public key pair for the owned website • Generate a Certificate Signing Request (CSR) containing the public key and the site name • Send the CSR to a certificate issuing authority (CA) • Pay for the certificate • The CA verifies the request, website ownership details, etc. • The CA issues the certificate • Install the certificate (and its chain) on the web server, together with the private key

  15. SSL Certificates • Certificate types • DV (Domain Validation), the basic type • Proves control of the domain only; webserver authentication and encryption • OV (Organization Validation) certificate • Verifies the actual business that is requesting • The organization name is listed in the certificate • Extended Validation (EV) • Showed a green address bar with the organization name in the browser (true at the time of this workshop; major browsers have since removed the EV indicator) • Requires a stronger vetting process to confirm the identity of the business • All three types give the same cryptographic protection; they differ only in how the identity is vetted


  17. HTTPS and Proxy Setup • HTTPS deployment challenges with proxies and networks that require authentication (captive portals) • The network intercepts the first URL the user requests • e.g. public hotspots, colleges • Redirects it to an authentication URL • On successful authentication, the user is permitted access • This setup does not work when the first request is HTTPS • The portal cannot present a valid certificate for the requested site, so on hijack of HTTPS traffic • The browser throws a certificate warning

  18. HTTPS Deployment • Can a single (same) certificate be installed on multiple servers? • Deploy a wildcard certificate for subdomains vs individual subdomain certificates? • Can the server be forced to use only HTTPS and disable HTTP? • How does caching work with HTTPS? • Especially for public caches, which cannot see the encrypted content • Reverse proxy (LB) and web servers • L7 load balancing terminates TLS at the proxy • Migrating the entire content to HTTPS


  20. Hands On 1: SSL Enabled Website • Generate an SSL certificate valid for 1 day • Install the SSL certificate on the web server • Access the web pages using HTTPS and analyze the warning • Accept the certificate exception in the browser • Re-access the web page with HTTPS • Change the system date by a few days (i.e. to before the start, or after the end, of the certificate validity period) • Access the web page with HTTPS and analyze • Access with a different name (or IP address) and analyze
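The three checks from slide 11 and the Hands-On 1 variations, simulated in Python as an added example (this is not the workshop's code; the trust store, the `Cert` records and the Google-like certificate are constructed stand-ins, not real certificates). It shows why each URL on slide 11 warns, and why moving the clock a few days either way turns the 1-day certificate into an "expired" or "not yet valid" warning:

```python
"""Browser-side certificate checks (slide 11) and the Hands-On 1 variations,
simulated on plain Python records. Added example, not workshop code; the
certificates and trust store below are constructed stand-ins."""
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress


@dataclass
class Cert:
    names: list          # subjectAltName entries: "DNS:host" or "IP:addr"
    not_before: datetime
    not_after: datetime
    issuer: str          # signer; equals subject for a self-signed certificate
    subject: str


def match_dns(pattern, host):
    """RFC 6125 style: one '*' allowed, only as the whole left-most label, and it
    matches exactly one label ('*.example.com' matches 'a.example.com' but not
    'example.com' or 'a.b.example.com')."""
    pattern, host = pattern.lower(), host.lower()
    if "*" not in pattern:
        return pattern == host
    p, h = pattern.split("."), host.split(".")
    return p[0] == "*" and len(p) == len(h) and p[1:] == h[1:]


def name_matches(cert, host):
    """An IP literal in the URL must appear as an IP: entry; a DNS name must match
    a DNS: entry. This is why https://172.217.166.100 warns: the certificate
    lists DNS names only."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for entry in cert.names:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and match_dns(value, host):
            return True
    return False


def validate(cert, host, trusted_cas, now):
    """Return the warnings a browser would raise; an empty list means no warning."""
    problems = []
    if not name_matches(cert, host):
        problems.append("name mismatch")
    if now < cert.not_before:
        problems.append("not yet valid")
    elif now > cert.not_after:
        problems.append("expired")
    if cert.issuer not in trusted_cas:
        problems.append("self-signed" if cert.issuer == cert.subject else "unknown issuer")
    return problems


# Constructed data: a root store with one CA, a Google-like CA-issued certificate
# and the 1-day self-signed certificate of Hands-On 1 (workshop date as "today").
TRUSTED = {"Example Root CA"}
TODAY = datetime(2018, 7, 18)
GOOGLE_LIKE = Cert(["DNS:*.google.com", "DNS:google.com"],
                   TODAY - timedelta(days=30), TODAY + timedelta(days=60),
                   issuer="Example Root CA", subject="google.com")
SELF_SIGNED = Cert(["DNS:mywww.com"], TODAY, TODAY + timedelta(days=1),
                   issuer="mywww.com", subject="mywww.com")


def hands_on_1():
    """Slide 11's URLs plus the Hands-On 1 clock and name variations."""
    shift = timedelta(days=3)
    return {
        "https://www.google.com":      validate(GOOGLE_LIKE, "www.google.com", TRUSTED, TODAY),
        "https://172.217.166.100":     validate(GOOGLE_LIKE, "172.217.166.100", TRUSTED, TODAY),
        "https://myweb.com":           validate(GOOGLE_LIKE, "myweb.com", TRUSTED, TODAY),  # /etc/hosts alias
        "https://mywww.com":           validate(SELF_SIGNED, "mywww.com", TRUSTED, TODAY),
        "https://mywww.com (+3 days)": validate(SELF_SIGNED, "mywww.com", TRUSTED, TODAY + shift),
        "https://mywww.com (-3 days)": validate(SELF_SIGNED, "mywww.com", TRUSTED, TODAY - shift),
        "https://10.1.1.1":            validate(SELF_SIGNED, "10.1.1.1", TRUSTED, TODAY),
    }


if __name__ == "__main__":
    for url, warnings in hands_on_1().items():
        print(f"{url:30} -> {', '.join(warnings) or 'OK'}")
```

Accepting the exception in the browser only silences the "self-signed" entry; the name and date checks still run on every visit, which is what the later steps of the hands-on make visible.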


  22. Example Resources • Create your own content or download from the following URLs • https://rprustagi.com/workshops/web/pure.html • https://rprustagi.com/workshops/web/mixed.html • https://rprustagi.com/workshops/web/mixed-active.html • https://rprustagi.com/js/mywww.js

  23. Mixed Content Webpage (browser screenshots) • Secure, no mixed content • Potentially insecure, passive content is not blocked • Potentially insecure, active content is not blocked

  24. Pure Content • <body> <h2>Img01 with inherited security</h2> <h2>Img02 with insecure access.</h2> <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01"> <img src="//rprustagi.com/img/img-02.jpg" alt="Img 02"> </body> • Both images use scheme-relative URLs (//host/...), so they inherit the page's scheme: over HTTPS nothing is mixed

  25. Mixed Content • <body> <h2>Img01 with inherited security</h2> <h2>Img02 with insecure access.</h2> <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01"> <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02"> </body> • Img02 is fetched over plain HTTP even when the page is HTTPS: passive mixed content

  26. Active Mixed Content • <body> <script src="http://rprustagi.com/js/mywww.js"></script> <h2>Mixed Content Demonstration</h2> <button type="button" onclick="hello()">insecure access</button> <h2>Image 02 with insecure security access.</h2> <img src="//rprustagi.com/img/img-02.jpg" alt="Img 01"> </body> • The script is loaded over plain HTTP: active mixed content, which anyone on the path could replace with their own code

  27. Active Mixed Content - JavaScript • Contents of http://rprustagi.com/js/mywww.js: • function hello() { alert("Hello"); }

  28. Insecure Password Field in Form • Quite often, web developers use a form with • <input type="password" ...> in it • When this form is served over HTTP, the password is submitted in clear text: insecure access • Browsers are by default configured to warn when a password field appears on, or is submitted over, HTTP

  29. AICTE Insecure Access: Firefox (screenshot)

  30. AICTE Insecure Access: Chrome (screenshot)

  31. AICTE Web Portal: No HTTPS (screenshot)

  32. Day 2: Understanding Web Security (agenda) • Overview of HTTP/HTTPS • SSL certificate management • HTTPS deployment challenges • HO1: Deploying SSL, clicking through browser warnings • HTTP mixed content, lock icons • HO2: Using mixed content • MITM challenges, and ARP spoofing • HO3: Implementing MITM with sslstrip • Understanding HSTS protocol • Understanding CSP • HO4: Implementing CSP and HSTS • Summary

  33. Setup Requirement (figure)

  34. Hands-On 2 • Create two web pages • One with mixed passive content • The other with mixed active content • Deploy these web pages on your web server configured with the (self signed) SSL certificate • Import the certificate into the browser's certificate store • Access these URLs (Firefox) with HTTP • Access these URLs (Firefox) with HTTPS • Analyze the difference • Create a simple web form with a password field • Access the web form using HTTP, i.e. no HTTPS
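A mixed-content scanner for the pages on slides 24 to 28 and for Hands-On 2, added here as an example (it is not the workshop's material). It resolves every subresource against the scheme the page itself was loaded with, classifies it as active or passive mixed content the way a browser does, and flags a password field served over HTTP. The page copies are constructed from the slide markup; the URLs are the workshop's own:

```python
"""Mixed-content scanner for the pages of slides 24 to 28 and Hands-On 2.
Added example, not workshop material: classifies each subresource the way a
browser does, relative to the scheme the page itself was loaded with, and
flags password fields on http pages. Sample pages are constructed below."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content can run code or restyle the page; passive content cannot.
RESOURCE_KIND = {
    ("script", "src"): "active", ("iframe", "src"): "active",
    ("object", "data"): "active", ("embed", "src"): "active",
    ("img", "src"): "passive", ("audio", "src"): "passive",
    ("video", "src"): "passive", ("source", "src"): "passive",
}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme
        self.findings = []                       # (tag, resolved url, label)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for (t, attr), kind in RESOURCE_KIND.items():
            if tag == t and attr in attrs:
                self.findings.append((tag, *self.classify(attrs[attr], kind)))
        # <link rel="stylesheet"> is active too: CSS can pull in further resources.
        if tag == "link" and "stylesheet" in attrs.get("rel", "").lower() and "href" in attrs:
            self.findings.append((tag, *self.classify(attrs["href"], "active")))
        if tag == "input" and attrs.get("type", "").lower() == "password":
            label = "insecure-password-field" if self.page_scheme == "http" else "ok"
            self.findings.append((tag, self.page_url, label))

    def classify(self, ref, kind):
        """Resolve '//host/..' and relative refs against the page; only a plain
        http resource inside an https page is mixed content."""
        resolved = urljoin(self.page_url, ref)
        scheme = urlsplit(resolved).scheme
        if self.page_scheme == "https" and scheme == "http":
            return resolved, f"mixed-{kind}"
        return resolved, "ok" if scheme == "https" else "plain-http"


def scan(html, page_url):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def verdict(findings):
    labels = {label for _, _, label in findings}
    if "mixed-active" in labels:
        return "active mixed content"
    if "mixed-passive" in labels:
        return "passive mixed content"
    if "insecure-password-field" in labels:
        return "password field on http"
    return "secure" if labels <= {"ok"} else "plain http page"


# Constructed copies of the three workshop pages and a login form.
PURE = ('<body><img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">'
        '<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')
MIXED = ('<body><img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">'
         '<img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')
MIXED_ACTIVE = ('<body><script src="http://rprustagi.com/js/mywww.js"></script>'
                '<button type="button" onclick="hello()">insecure access</button>'
                '<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')
LOGIN = ('<form action="/login" method="post"><input type="text" name="user">'
         '<input type="password" name="pw"></form>')


if __name__ == "__main__":
    for name, page in (("pure", PURE), ("mixed", MIXED), ("mixed-active", MIXED_ACTIVE)):
        for scheme in ("https", "http"):
            url = f"{scheme}://rprustagi.com/workshops/web/{name}.html"
            print(f"{url:58} {verdict(scan(page, url))}")
    print(f"{'http://example.test/login':58} {verdict(scan(LOGIN, 'http://example.test/login'))}")
```

Run the same page under both schemes, as the hands-on asks: over HTTP nothing is "mixed" because the page itself is already in the clear, which is exactly why the lock icon only appears, and only degrades, on the HTTPS visit.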


  36. ARP - Address Resolution Protocol • Packet delivery to a host requires two addresses • Logical address - IP address • Physical address - MAC address • Need to find the mapping from logical to physical • ARP is used - RFC 826 • Fig Src: Forouzan - Data Communication and Networking, SIE • Experiential Learning - Network Layer RPR

  37. ARP - 4 cases (figure) • Src: Forouzan

  38. ARP • ARP Request and Reply • ARP Request is broadcast • ARP Reply is unicast • Other forms of ARP • Proxy ARP (RFC 1027) • Reverse ARP (RFC 903) • Gratuitous ARP

  39. Proxy ARP • The router (Proxy ARP server) replies to ARP requests on behalf of the hosts behind it • Used when • Splitting a network w/o changing the hosts' netmask • Taking care of statically configured m/cs • Mobile IP • Src: Forouzan

  40. Reverse ARP • Reverse ARP (RARP) • RFC 903 • Used for diskless stations • Organization does not have enough IP addresses • The request is a MAC broadcast, so it does not cross a router • Needs one RARP server per subnet • BOOTP • Improvement over RARP • Has a relay agent to forward across networks • Has a static mapping of MAC to IP • Manageability issues • DHCP - replaces BOOTP

  41. Gratuitous ARP • Ref: http://wiki.wireshark.org/Gratuitous_ARP • Gratuitous ARP Request • Both src and dstn IP are set to that of the sending m/c • dstn MAC is broadcast, i.e. ff:ff:ff:ff:ff:ff • Ordinarily no reply occurs • If another m/c already has that IP, it may respond • Gratuitous ARP Reply • A reply for which no request has occurred

  42. Gratuitous ARP • Why Gratuitous ARP • Helps detect IP conflicts • If a m/c receives a G-ARP request for its own IP, this implies an IP conflict • Helps in updating other m/cs' ARP tables • Used in clustering solutions, when an IP is moved • Helps inform the switch to update its port table • Each time an i/f comes up (after down), it sends a G-ARP • Practice: use send_arp or arpspoof (dsniff package) to send gratuitous ARP • The same mechanism is what ARP spoofing abuses: unsolicited replies from the attacker overwrite the victim's ARP entry for the gateway
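ARP on the wire, as an added example that is not part of the deck: build and parse RFC 826 packets with `struct`, recognise the two gratuitous forms from slide 41, and implement the IP-conflict check from slide 42 as a monitor that notices when a second MAC starts answering for an IP, which is the symptom an arpspoof/send_arp run leaves behind. The traffic is constructed for the Setup-2 LAN (Ha, Hb, Hc); the MAC addresses are invented:

```python
"""ARP on the wire (RFC 826): build/parse packets, recognise gratuitous ARP
(slide 41) and flag the IP-conflict / spoofing symptom of slide 42. Added
example, not from the deck; traffic and MACs are constructed for Setup-2."""
import struct

ARP_FMT = "!HHBBH6s4s6s4s"   # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
BCAST = "ff:ff:ff:ff:ff:ff"
ZERO = "00:00:00:00:00:00"


def mac_bytes(s):
    return bytes(int(x, 16) for x in s.split(":"))


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp(oper, sha, spa, tha, tpa):
    """ARP payload only (the Ethernet header is added by the driver);
    hardware type 1 = Ethernet, protocol 0x0800 = IPv4."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_bytes(sha), ip_bytes(spa), mac_bytes(tha), ip_bytes(tpa))


def parse_arp(payload):
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {"oper": oper, "sha": mac_str(sha), "spa": ip_str(spa),
            "tha": mac_str(tha), "tpa": ip_str(tpa)}


def classify(pkt):
    """Gratuitous ARP carries the sender's own IP as target IP: a request sent to
    the broadcast MAC, or a reply nobody asked for."""
    if pkt["spa"] == pkt["tpa"]:
        return "gratuitous-request" if pkt["oper"] == REQUEST else "gratuitous-reply"
    return "request" if pkt["oper"] == REQUEST else "reply"


def detect_conflicts(packets):
    """Remember which MAC first claimed each IP. A different MAC claiming the same
    IP later is either a genuine IP conflict or arpspoof/send_arp poisoning: a
    host sees its own G-ARP answered, a passive monitor sees two claimants."""
    claims, alerts = {}, []
    for raw in packets:
        pkt = parse_arp(raw)
        first = claims.setdefault(pkt["spa"], pkt["sha"])
        if first != pkt["sha"]:
            alerts.append((pkt["spa"], first, pkt["sha"], classify(pkt)))
    return alerts


# Constructed traffic on the Setup-2 LAN (Ha 10.1.1.1, Hb 10.1.1.2, Hc 10.1.1.3);
# the MAC addresses are invented.
HA, HB, HC = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
TRAFFIC = [
    build_arp(REQUEST, HA, "10.1.1.1", ZERO, "10.1.1.2"),     # Ha: who has 10.1.1.2?
    build_arp(REPLY, HB, "10.1.1.2", HA, "10.1.1.1"),         # Hb: 10.1.1.2 is at HB
    build_arp(REQUEST, HC, "10.1.1.3", BCAST, "10.1.1.3"),    # Hc announces itself (G-ARP)
    build_arp(REPLY, HC, "10.1.1.2", HA, "10.1.1.1"),         # Hc claims Hb's IP to Ha: poisoning
]


def summarize(packets=TRAFFIC):
    return [classify(parse_arp(p)) for p in packets]


if __name__ == "__main__":
    for raw in TRAFFIC:
        p = parse_arp(raw)
        print(f"{classify(p):19} {p['sha']} {p['spa']:>9} -> {p['tha']} {p['tpa']}")
    print("alerts:", detect_conflicts(TRAFFIC))
```

The last packet is exactly what `arpspoof -t 10.1.1.1 10.1.1.2` keeps sending; Ha accepts it because ARP has no authentication, and a static ARP entry (Day 1, HO4) is the only host-side way to refuse the update.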

  43. DHCP: Dynamic Host Configuration Protocol • Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network • Renew its lease before the lease expires • Preferably gets the same address • Client can reuse its address • Support for mobile users who want to join • Guarantee that one address is assigned to only one client at a time • Retain the DHCP client address across reboots • Not guaranteed • Retain DHCP client configs across server reboots • Must coexist with statically assigned addresses • Interoperate with BOOTP relay agents

  44. DHCP: Dynamic Host Configuration Protocol • DHCP overview: • An extension of the BOOTP mechanism • The host broadcasts a "DHCP discover" msg • A DHCP server responds with a "DHCP offer" • More than one server can make an offer • The client can choose which server to use • The host requests the IP address: "DHCP request" msg • The DHCP server confirms the address: "DHCP ack" msg • Renewal happens with DHCP request/ack • On completion, the client sends DHCP release • Practically not seen

  45. DHCP: more than IP addresses • DHCP can return more than just the allocated IP address on the subnet: • Address of the first-hop router for the client • Name and IP address of the DNS server • Network mask (indicating the network versus host portion of the address)


  47. What is a MITM Attack • An attack where the attacker secretly relays and captures, • And possibly alters, the communication between two parties • While the parties believe they are directly communicating with each other

  48. Typical E-commerce Traffic (figure: User and ecomm.site) • Typical usage: the user enters ecomm.site • Gets the web page displayed • Proceeds with the transaction

  49. Typical E-commerce Traffic Setup (figure: User-A, User-X and the AP/Router on one LAN, ecomm.site across the Internet, steps 1 to 5 marked on the arrows) • User-A: • 1. http://ecomm.site • 2. 302 Redirect to https://ecomm.site • 3. New request to https://ecomm.site • 4. Setup of HTTPS session • 5. Secure data exchange

  50. Typical E-commerce Traffic with MITM • Typical usage: the user enters ecomm.site • The MITM attacker changes the n/w settings (ARP spoofing) and hijacks the URLs (HTTPS links rewritten to HTTP, sslstrip style) • All the back and forth traffic goes via the attacker • The user still gets the web page displayed • Proceeds with the transaction, which the attacker can now read
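The five-step flow of slide 49 and the MITM of slide 50, simulated with constructed HTTP messages as an added example (not the workshop's code and not a network tool: `origin_server`, `sslstrip_proxy`, `mitm_network` and `browser_session` are stand-ins written here). It shows what an sslstrip-style intermediary does to the 302 redirect and to the page, and, going one step beyond these slides to the HSTS item on the agenda, why a browser that already remembers ecomm.site as HSTS cannot be stripped silently:

```python
"""Slide 49's five-step flow and the sslstrip-style MITM of slide 50, simulated
with constructed HTTP messages. Added example: origin_server, sslstrip_proxy,
mitm_network and browser_session are stand-ins for this page, not tools."""
import re

SITE = "ecomm.site"


class CertificateWarning(Exception):
    """Raised when the attacker is asked for https: it has no certificate for
    ecomm.site, so the browser would show the warning from Hands-On 1."""


def origin_server(method, url):
    """Constructed ecomm.site: redirect http to https, serve the login form only
    over https, and ask the browser to remember HTTPS for a year (HSTS)."""
    if url.startswith("http://"):
        return 302, {"Location": "https://" + url[len("http://"):]}, ""
    body = (f'<form action="https://{SITE}/login" method="post">'
            '<input type="password" name="pw"></form>')
    return 200, {"Strict-Transport-Security": "max-age=31536000"}, body


def sslstrip_proxy(method, url, upstream=origin_server):
    """What an sslstrip-style MITM does between victim and site: follow the https
    redirect itself (steps 2 to 4 now happen attacker <-> site), rewrite https://
    links to http://, and drop the HSTS header so the browser never learns."""
    status, headers, body = upstream(method, url)
    while status in (301, 302) and headers["Location"].startswith("https://"):
        status, headers, body = upstream(method, headers["Location"])
    headers = {k: v for k, v in headers.items() if k.lower() != "strict-transport-security"}
    return status, headers, body.replace("https://", "http://")


def mitm_network(method, url):
    """The victim's traffic after ARP poisoning: plain http is stripped, https
    cannot be terminated without a valid certificate for the site."""
    if url.startswith("https://"):
        raise CertificateWarning(url)
    return sslstrip_proxy(method, url)


def browser_session(network, hsts_cache=frozenset()):
    """User types 'ecomm.site' (browser tries http first) and follows redirects.
    hsts_cache holds sites remembered from an earlier HSTS header; for those the
    browser upgrades to https internally, without a network round-trip."""
    url = f"http://{SITE}/"
    if SITE in hsts_cache:
        url = f"https://{SITE}/"
    log = []
    for _ in range(5):                         # redirect limit
        status, headers, body = network("GET", url)
        log.append((url, status))
        if status in (301, 302):
            url = headers["Location"]
            continue
        return {"final_url": url,
                "form_posts_to": re.search(r'action="([^"]+)"', body).group(1),
                "hsts_seen": "Strict-Transport-Security" in headers,
                "log": log}
    raise RuntimeError("too many redirects")


def scenarios():
    result = {"direct": browser_session(origin_server),
              "mitm": browser_session(mitm_network)}
    try:
        browser_session(mitm_network, hsts_cache={SITE})
        result["mitm_with_hsts"] = "stripped"
    except CertificateWarning:
        result["mitm_with_hsts"] = "certificate warning"
    return result


if __name__ == "__main__":
    for name, r in scenarios().items():
        print(name, "->", r)
```

In the "mitm" run the browser never sends a single https request: it receives a 200 for http://ecomm.site/ and a form that posts the password to http://ecomm.site/login, with no lock icon and no warning to click through. The "mitm_with_hsts" run is the defence HO4 builds: once the site has been seen over HTTPS with an HSTS header (or is on the preload list), the first request is already https and the attacker can only produce a certificate warning.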
