Building Secure Web Applications with IDS
Michael Chaney, Technical Director, ChainLink Networking Solutions, Inc.

Agenda
- Security in general
- Web security
- How intruders are getting in
- What can we do to keep intruders out
Security and World Wide Web
- A contradiction in terms
Goal and Objective
- Goal is to provide secure services, impenetrable to hackers, but allow access to public browsers

Today’s Situation
- Stats from CSI/FBI study
- 40% penetration from outside
- 89% with firewalls
- 60% with Intrusion Detection Systems
- 38% unauthorized access or misuse of web sites
- 21% did not know…

How do intruders get in?
- Password guessing
- Buffer overflows
- URL mangling
- Software vulnerabilities
- Backdoors
- Packet sniffing - passwords, account #, weak encryption
- Open services - port scanning

Buffer Overflow Example: Code Red
- Request (as shown on the slide, wrapped): /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858 %ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078% u0000%u00=a
- Impact - intruders can insert and execute arbitrary code
URL Mangling
- Intruder changes URL or parameters sent to Web server
- Impact – view records, change data
- Example: http:// change the order id to any other order id
URL Mangling (cont)
- Example: since the application's query would look like this: select * from orders where orderid=1000;
- Hacker could append to the URL: ;delete+from+orders
- To make the SQL: select * from orders where orderid=1000;delete from orders;
URL Mangling (cont)
- Example: web page with a news story, and storyid=1 (the primary key) in the URL
- Modified URL: 1+union+select+FileToClob('/etc/passwd','server')+from+sysusers+where+username=USER
URL Mangling (cont)
- Web Datablade specific: /' union select WebExplode(' $1 ','') from sysusers where username=USER --/
Packet Sniffing
- Forms with user ID/password or other sensitive data should be sent over SSL
- Do not use basic authentication: it sends the clear text user id and password with every request
Packet Sniffing Example
Security Implementations
- System architecture
- Fill application holes
- Limit database account permissions
- Traps
- Monitoring

System Architecture
- Secure the perimeter
- Limit open services
- Proxy web services
- URL sanity checks
- Hide server identity
- VPN access
- SSL

Filling Application Holes
- Web server patches
- Web application server patches
- Parameter checks
- Use stored procedures or functions where possible*
- Limit access to web application user*
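An added example, not from the slides: the orderid injection from the URL Mangling slides run against a constructed in-memory SQLite table, beside the parameter check and bound-parameter query that "Parameter checks" calls for. Table names, rows and the payload are made up for the demo; only the orderid=1000 query shape comes from the slides.

```python
import re
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the orders table on the slides plus a
    # second table (named after Informix's sysusers) that an attacker would try
    # to read through a UNION; all rows here are made up for the demo.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        create table orders(orderid integer primary key, customer text);
        create table sysusers(username text, password text);
        insert into orders values (1000, 'alice'), (1001, 'bob');
        insert into sysusers values ('informix', 'secret-hash');
    """)
    return conn

def fetch_order_vulnerable(conn, orderid_param):
    # The pattern the URL Mangling slides describe: the raw URL parameter is
    # concatenated into the SQL text, so "1000 union select ..." runs as SQL.
    sql = "select orderid, customer from orders where orderid=" + orderid_param
    return conn.execute(sql).fetchall()

ORDERID_RE = re.compile(r"\d{1,10}")

def fetch_order_safe(conn, orderid_param):
    # Parameter check: an order id is a plain integer; anything else is
    # rejected before it reaches the database (the slides' "URL sanity check").
    if not ORDERID_RE.fullmatch(orderid_param):
        raise ValueError("invalid orderid")
    # Bound parameter: the value travels separately from the SQL text, so it
    # can never be read as an extra clause or a second statement.
    sql = "select orderid, customer from orders where orderid=?"
    return conn.execute(sql, (int(orderid_param),)).fetchall()

def demo():
    # Returns (rows leaked by the vulnerable query, whether the safe version
    # rejected the same payload, rows the safe version returns for a valid id).
    conn = make_db()
    payload = "1000 union select username, password from sysusers"
    leaked = fetch_order_vulnerable(conn, payload)
    try:
        fetch_order_safe(conn, payload)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked, fetch_order_safe(conn, "1000")

if __name__ == "__main__":
    print(demo())
```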
Traps
- Set traps to catch and identify hackers in the act
- Multiple failed attempts before successful break-in
- Block intruders caught in the act

Monitoring Tools
- Intrusion Detection Systems
- Onaudit
- I-SPY
- sysmaster database
Application Tracing
- JDBC driver: PROTOCOLTRACE, PROTOCOLTRACEFILE
- Custom trace statements in JDBC driver
- Onstat
- SQLDEBUG/SQLPRINT
Online Resources
- BugTraq
- CERT
Questions/Comments
Contact: Michael Chaney, ChainLink Networking Solutions, Inc.