HTTP & Security - PowerPoint PPT Presentation


PowerPoint Slideshow about 'HTTP & Security' - lorelei



HTTP & Security

(Some of the slides in this file were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)


Chapter 2

  • HTTP

  • Network utility programs (netcat, achilles)

  • User authentication, authorization & access control

  • Basic HTTP authentication

  • Digest access authentication

  • Certificate-based authentication

  • Configuration of web servers

Web Security


HTTP revisited

  • A request/response protocol between a web browser and a web server

  • A request is expressed as a URL.

  • Processing of a request:

    • The host name in the URL is resolved by DNS to get the IP address of the web server;

    • A TCP connection is established between the browser and the server at port 80;

    • The browser sends an HTTP request over this connection to the server.

  • Processing of a response?

HTTP Request Methods

Source: McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: Attacks and Defense. Addison Wesley, 2003.

HTTP Data Typing

  • Its data typing feature allows systems to be built independently of the data being transferred.

    The Content-Type entity-header field indicates the media type of the Entity-Body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.

    Content-Type = "Content-Type" ":" media-type

    Media types are defined in Section 3.6 of RFC1945.

    An example of the field is Content-Type: text/html

HTTP Response

  • An HTTP request from a client is handled by the server and responded to accordingly. To respond, the server sends back a series of message components that can be categorized as follows:

    • Response code—a numeric code that corresponds to an associated response.

    • Header fields—additional information about the response.

    • Data—the content or body of the response.

  • With these three components, the client browser understands the server's response and interacts with the server.

HTTP Response Codes

  • Berners-Lee, et al. RFC 1945 HTTP/1.0, May 1996. (ftp://ftp.rfc-editor.org/in-notes/rfc1945.txt)

  • The first digit of the Status-Code defines the class of response. The last two digits do not have any categorization role.

  • There are 5 values for the first digit:

    • 1xx: Informational - Not used, but reserved for future use

    • 2xx: Success - The action was successfully received, understood, and accepted.

    • 3xx: Redirection - Further action must be taken in order to complete the request

    • 4xx: Client Error - The request contains bad syntax or cannot be fulfilled

    • 5xx: Server Error - The server failed to fulfill an apparently valid request

HTTP v1.0 status codes

  • Status-Code =

    "200" ; OK

    | "201" ; Created

    | "202" ; Accepted

    | "204" ; No Content

    | "301" ; Moved Permanently

    | "302" ; Moved Temporarily

    | "304" ; Not Modified

    | "400" ; Bad Request

    | "401" ; Unauthorized

    | "403" ; Forbidden

    | "404" ; Not Found

    | "500" ; Internal Server Error

    | "501" ; Not Implemented

    | "502" ; Bad Gateway

    | "503" ; Service Unavailable

  • More status codes in v1.1: See ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt

Network Utility Programs

  • Netcat

    http://www.vulnwatch.org/netcat/ (for Windows)

    http://netcat.sourceforge.net/download.php (GNU netcat on sourceforge.net)

  • Cryptcat

    • a lightweight version of netcat with integrated transport encryption capabilities.

      http://sourceforge.net/projects/cryptcat/

Network Utility Programs

  • Example Use of Netcat

    • To get a web page:

      nc sce.uhcl.edu 80

      GET / HTTP/1.0

      HTTP/1.1 200 OK

      Server: Microsoft-IIS/5.0

      Date: Wed, 26 Feb 2003 15:08:22 GMT

      Connection: Keep-Alive

      Content-Length: 10166

      Content-Type: text/html

      Set-Cookie: ASPSESSIONIDSASQDDAR=MECEBLAAEIKECJGFFELEBJMA; path=/

      Cache-control: private

      <html>

      <head>

      <title>SCE Home Page</title> …

Network Utility Programs

  • Example Use of Netcat

    • To get the meta information of a web page:

      nc sce.uhcl.edu 80

      HEAD / HTTP/1.0

      HTTP/1.1 200 OK

      Server: Microsoft-IIS/5.0

      Date: Wed, 26 Feb 2003 15:11:33 GMT

      Connection: Keep-Alive

      Content-Length: 10166

      Content-Type: text/html

      Set-Cookie: ASPSESSIONIDSASQDDAR=PECEBLAAKMPGGDIHEGJOAJLJ; path=/

      Cache-control: private
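The exchange typed into netcat above, as an added Python example (not from the slides): the HTTP/1.0 request builder, a parser that splits the response into the three components listed on the HTTP Response slide, and the first-digit classification from the Response Codes slide. fetch() performs the same raw exchange over a TCP socket; SAMPLE is a constructed response modelled on the HEAD transcript, not a live capture.

```python
import socket

# Response classes by first digit, as given on the HTTP Response Codes slide (RFC 1945).
STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

def build_request(method, path="/", host=None):
    """Build the HTTP/1.0 request that was typed into netcat on the slides."""
    lines = [f"{method} {path} HTTP/1.0"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_response(raw):
    """Split a raw response into its parts: status code, reason, headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line, *header_lines = head.decode("iso-8859-1").split("\r\n")
    parts = status_line.split(" ", 2)          # e.g. ["HTTP/1.1", "200", "OK"]
    code = int(parts[1])
    reason = parts[2] if len(parts) > 2 else ""
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return code, reason, headers, body

def status_class(code):
    """Classify a status code by its first digit; the last two digits carry no class."""
    return STATUS_CLASSES.get(code // 100, "Unknown")

def fetch(host, method="HEAD", path="/", port=80, timeout=5):
    """Same exchange as 'nc host 80' plus a typed request: connect, send, read until EOF."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(method, path, host))
        chunks = []
        while chunk := sock.recv(4096):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))

# Constructed sample modelled on the HEAD transcript above (not a live capture).
# The Server header is the version string RFC 1945 says should be configurable.
SAMPLE = (b"HTTP/1.1 200 OK\r\n"
          b"Server: Microsoft-IIS/5.0\r\n"
          b"Content-Length: 10166\r\n"
          b"Content-Type: text/html\r\n"
          b"Set-Cookie: ASPSESSIONID=EXAMPLE; path=/\r\n"
          b"\r\n")

if __name__ == "__main__":
    code, reason, headers, body = parse_response(SAMPLE)
    print(code, reason, status_class(code), headers["server"], len(body))
```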

Network Utility Programs

  • Other Uses of Netcat

    • Have Netcat listen at a particular port:

      (At the listening side) nc -L -p 53 -e cmd.exe

      (At the remote side) nc -v hostAddress 53

    • Allows the administrator to see if a port is available, for example, through a firewall.

Achilles

  • Acts like a web proxy

  • Allows a person to intercept and modify information sent from a web server to a web browser

  • Download:

    • source codes: http://sourceforge.net/projects/achilles/

    • an older local copy with executable: achilles-0-27.zip

  • Proxy configuration on the browser is needed.


Achilles configuration:

  1. Start the proxy

  2. Check the first 4 ‘intercept modes’

  3. In the web browser, set ‘localhost’ and port 5000 as the proxy server

  4. Then try to access a page (the request will be sent to the Achilles window instead).

HTTP Security

  • In most scenarios, authentication is not needed for a client to access the web server, because the server is configured to accept requests from anonymous users.

  • In some cases (such as Intranet), authentication is needed to restrict access.

  • User authentication: The process of verifying the identity of a requesting user

  • User authorization: The process of granting the privileges to access particular resources

HTTP Authentication

  • RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999.

  • Two authentication schemes:

    • Basic authentication

    • Digest access authentication

HTTP Security

  • The "basic" authentication scheme is based on the model that the user agent must authenticate itself with a user-ID and a password for each realm.

  • The server will authorize the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.

  • The "basic" authentication scheme is not a secure method of user authentication, nor does it prevent the Entity-Body from being transmitted in clear text across the physical network used as the carrier.

HTTP Digest Authentication

  • Proposed as a simple replacement of the HTTP basic authentication scheme

  • The password is not transmitted in clear

  • Instead, the server challenges the client with a nonce, and the client must respond with a corresponding response

  • The requested URL is part of the response, meaning the response is only good for one URL
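An added Python example (not from the slides) for the two RFC 2617 schemes described on this and the preceding slide: how a "basic" credential is built and trivially reversed, and how a digest response binds the password hash to the server nonce and the requested URI. The sample credentials are the ones RFC 2617 uses; server_verify is an assumed server-side check that stores HA1 rather than the password.

```python
import base64
import hashlib
import hmac

def basic_credentials(user, password):
    """Authorization value for the "basic" scheme: base64 of "user:password"."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def basic_decode(header_value):
    """Base64 is encoding, not encryption: anyone who sees the header recovers the password."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server may store this instead of the password."""
    return _md5(f"{user}:{realm}:{password}")

def digest_response(user, realm, password, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """Client side of RFC 2617 digest: only a hash bound to the server nonce and the
    request URI is sent, so the password itself never crosses the wire."""
    ha1 = digest_ha1(user, realm, password)
    ha2 = _md5(f"{method}:{uri}")
    if qop == "auth":
        return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return _md5(f"{ha1}:{nonce}:{ha2}")    # older RFC 2069 form, without qop

def server_verify(ha1_stored, method, uri, nonce, nc, cnonce, response):
    """Assumed server-side check (not from the slides): recompute from the stored HA1 and
    the URI actually requested, so a response captured for one URI fails for any other."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1_stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Sample credentials taken from RFC 2617 (the Aladdin and Mufasa examples).
    print(basic_credentials("Aladdin", "open sesame"))
    print(digest_response("Mufasa", "testrealm@host.com", "Circle Of Life", "GET",
                          "/dir/index.html", "dcd98b7102dd2f0e8b11d0f600bfb0c093",
                          qop="auth", nc="00000001", cnonce="0a4f113b"))
```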

HTTP Authentication

  • Drawbacks of Digest access authentication:

    • Still a password-based authentication method (with the limitations)

    • Not supported by all browsers and servers

  • Neither HTTP basic authentication nor digest authentication can be used to encrypt data

  • SSL/TLS may be used if data encryption is needed, which brings in certificate-based authentication

HTTPS

  • HTTP over SSL

    SSL encrypts traffic between two hosts, significantly reducing the ability of an attacker to access sensitive traffic and record information such as passwords.

    But SSL does not truly provide security if the SSL certificate is exposed. Tools such as ssldump can be used to decrypt SSL traffic.

    A network packet analyzer: Snort (http://www.snort.org/)

HTTP Security Considerations

  • The GET and HEAD methods should never have the significance of taking an action other than retrieval.

  • These methods should be considered “safe”. True?

  • It is not possible to ensure that the server does not generate side-effects as a result of performing a GET request.

HTTP Security Considerations

  • Abuse of Server Log Information:

    A server is in the position to save personal data about a user's requests which may identify their reading patterns or subjects of interest.

    This information is clearly confidential in nature and its handling may be constrained by law in certain countries.

HTTP Security Considerations

  • Transfer of Sensitive Information:

    HTTP cannot regulate the content of the data that is transferred, nor is there any a priori method of determining the sensitivity of any particular piece of information within the context of any given request.

    Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Implementers should make the Server header field a configurable option.

HTTP Security Considerations

  • Attacks Based on File and Path Names:

    Implementations of HTTP origin servers should be careful to restrict the documents returned by HTTP requests to be only those that were intended by the server administrators.

    For example, Unix, Microsoft Windows, and other operating systems use ".." to indicate a directory level above the current one.

    Files intended for reference only internally to the server (such as access control files, configuration files, and script code) must be protected from inappropriate retrieval.
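An added Python example (not from the slides) of the restriction described above: an origin server mapping a request path onto its document root while refusing ".." escapes, including percent-encoded and double-encoded forms, and refusing files meant only for the server's internal use. The docroot and the INTERNAL_NAMES list are assumptions for the example; the function returns the path relative to the docroot, or None when the request must be refused.

```python
from pathlib import Path
from urllib.parse import unquote

# Assumed names of server-internal files that must never be served (access control,
# configuration); a real server would derive this from its own configuration.
INTERNAL_NAMES = {".htaccess", ".htpasswd", "httpd.conf", "web.config"}

def resolve_request_path(docroot, request_path):
    """Map a request path to a file under docroot, or return None if it must be refused.

    Refuses NUL bytes, any path that resolves outside docroot (so '..' in plain,
    '%2e%2e' or '%252e%252e' form), and server-internal files.
    """
    root = Path(docroot).resolve()
    # Decode twice so a double-encoded '..' does not survive a single decode step.
    decoded = unquote(unquote(request_path))
    if "\x00" in decoded:
        return None
    rel = decoded.replace("\\", "/").lstrip("/")
    candidate = (root / rel).resolve()   # collapses '..' and follows symlinks
    # The resolved location must be the docroot itself or lie beneath it.
    if candidate != root and root not in candidate.parents:
        return None
    if candidate.name in INTERNAL_NAMES:
        return None
    if candidate == root or candidate.is_dir():
        candidate = candidate / "index.html"   # assumed directory index name
    return candidate.relative_to(root).as_posix()

if __name__ == "__main__":
    # Constructed requests: one legitimate, the rest variations on the '..' escape.
    for req in ("/docs/../about.html", "/../../etc/passwd",
                "/%2e%2e/%2e%2e/etc/passwd", "/%252e%252e/etc/passwd", "/.htpasswd"):
        print(f"{req!r:32} -> {resolve_request_path('/srv/www', req)}")
```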

Configuration of Web Server

  • User group configuration

  • Authentication files

  • Authorization

  • Examples:

    • Apache Web server: see the book

    • IIS web server in Windows 2003
