1 / 24

CIT 380: Securing Computer Systems

CIT 380: Securing Computer Systems. Web Security. Topics. HTTP Web Input Web Application Vulnerabilities Client-side Attacks Finding Web Vulnerabilities. Web Transactions. Web Server. HTTP Request. Web Browser. Network. OS. HTTP Response. HTTP: HyperText Transfer Protocol.

elaina
Download Presentation

CIT 380: Securing Computer Systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CIT 380: Securing Computer Systems Web Security CIT 380: Securing Computer Systems

  2. Topics • HTTP • Web Input • Web Application Vulnerabilities • Client-side Attacks • Finding Web Vulnerabilities CIT 380: Securing Computer Systems

  3. Web Transactions Web Server HTTP Request Web Browser Network OS HTTP Response CIT 380: Securing Computer Systems

  4. HTTP: HyperText Transfer Protocol Simple request/respond protocol • Request methods: GET, POST, HEAD, etc. • Protocol versions: 1.0, 1.1 Stateless • Each request independent of previous requests, i.e. request #2 doesn’t know you auth’d in #1. • Applications responsible for handling state. CIT 380: Securing Computer Systems

  5. HTTP Request GET http://www.google.com/ HTTP/1.1 Host: www.google.com User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/20060909 Firefox/1.5.0.7 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Method URL Protocol Version Headers Blank Line No Data for GET method CIT 380: Securing Computer Systems

  6. HTTP Response HTTP/1.1 200 OK Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct 2006 03:16:30 GMT <HTML> ... (page data) ... </HTML> Protocol Version HTTP Response Code Headers Blank Line Web Page Data CIT 380: Securing Computer Systems

  7. Client Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, Javascript) Server Side HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted. Different Perspectives CIT 380: Securing Computer Systems

  8. Web-based Input • Client and Server Perspectives • Types of Input • URL parameters • HTML • Cookies • Javascript • Cross-Site Scripting CIT 380: Securing Computer Systems

  9. URL Format <proto>://<user>@<host>:<port>/<path>?<qstr> • Whitespace marks end of URL • “@” separates userinfo from host • “?” marks beginning of query string • “&” separates query parameters • %HH represents character with hex values • ex: %20 represents a space http://username:password@www.auth.com:8001/a%20spaced%20path CIT 380: Securing Computer Systems

  10. URL Parameters • Client controls query-string • Cannot limit values to those specified in form • Any character can be URL-encoded • Even if it doesn’t need to be. • Any valid format may be used to disguise true destination of URL CIT 380: Securing Computer Systems

  11. URL Obfuscation • IP address representations • Dotted quad (decimal, octal, hexadecimal) • Hexadecimal without dots (with left padding) • dword (32-bit int) • Examples: www.eecs.utoledo.edu • 131.183.19.14 (dotted quad) • 0xDEDA83B7130E (hexadecimal + padding) • 2209813262 (dword) CIT 380: Securing Computer Systems

  12. HTML Special Characters • “<“ begins a tag • “>” ends a tag • some browsers will auto-insert matching “<“ • “&” begins a character entity • ex: &lt; represents literal “<“ character • Quotes(‘ and “) used to enclose attribute values CIT 380: Securing Computer Systems

  13. Character Set Encoding • Default: ISO-8859-1 (Latin-1) • Char sets dictate which chars are special • UTF-8 allows multiple representations • Force Latin-1 encoding of web page with: • <META http-equiv=“Content-Type” content=“text/html; charset=ISO-8859-1”> CIT 380: Securing Computer Systems

  14. Hidden Fields <input type=“hidden” name=“user” value=“james”> • Used to propagate data between HTTP requests since protocol is stateless • Clearly visible in HTML source • Form can be copied, modified to change hidden fields, then used to invoke script CIT 380: Securing Computer Systems

  15. Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb-2004 23:59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar CIT 380: Securing Computer Systems

  16. Client Side URLs may not lead where they seem to. Cookies can be used to track your browsing. Pages may include malicious code (Java, ActiveX, Javascript) Server Side Cookies aren’t confidential. Hidden fields aren’t secret. Client may use own forms. URLs can have any format. POST data can have any format. Cookies can have any format. Web Input Summary CIT 380: Securing Computer Systems

  17. Web Application Vulnerabilities Input-based Security Problems • Injection Flaws • Insecure Remote File Inclusion • Unvalidated Input Authentication and Authorization • Authentication • Access Control • Cross-Site Scripting Other Bugs • Error Handling and Information Leakage • Insecure Storage • Insecure Communications CIT 380: Securing Computer Systems

  18. Injection • Injection attacks trick an application into including unintended commands in the data send to an interpreter. • Interpreters • Interpret strings as commands. • Ex: SQL, shell (cmd.exe, bash), LDAP, XPath • Key Idea • Input data from the application is executed as code by the interpreter. CIT 380: Securing Computer Systems

  19. SQL Injection Attacker • App sends form to user. • Attacker submits form with SQL exploit data. • Application builds string with exploit data. • Application sends SQL query to DB. • DB executes query, including exploit, sends data back to application. • Application returns data to user. ‘ or 1=1-- User Pass Firewall DB Server Web Server CIT 380: Securing Computer Systems

  20. SQL Injection in PHP $link = mysql_connect($DB_HOST, $DB_USERNAME, $DB_PASSWORD) or die ("Couldn't connect: " . mysql_error()); mysql_select_db($DB_DATABASE); $query = "select count(*) from users where username = '$username' and password = '$password'"; $result = mysql_query($query); CIT 380: Securing Computer Systems

  21. SQL Injection Attack #1 Unauthorized Access Attempt: password = ’ or 1=1 -- SQL statement becomes: select count(*) from users where username = ‘user’ and password = ‘’ or 1=1 -- Checks if password is empty OR 1=1, which is always true, permitting access. CIT 380: Securing Computer Systems

  22. SQL Injection Attack #2 Database Modification Attack: password = foo’; delete from tableuserswhereusernamelike ‘% Database executes two SQL statements: select count(*) from users where username = ‘user’ and password = ‘foo’ delete from tableuserswhereusernamelike ‘%’ CIT 380: Securing Computer Systems

  23. Impact of SQL Injection SELECT SSN FROM USERS WHERE UID=‘$UID’ CIT 380: Securing Computer Systems

  24. Mitigation: Prepared Queries require_once 'MDB2.php'; $mdb2 =& MDB2::factory($dsn, $options); if (PEAR::isError($mdb2)) { die($mdb2->getMessage()); } $sql = “SELECT count(*) from users where username = ? and password = ?”; $types = array('text', 'text'); $sth = $mdb2->prepare($sql, $types, MDB2_PREPARE_MANIP); $data = array($username, $password); $sth->execute($data); CIT 380: Securing Computer Systems

More Related