Application Security: General apps & Web service

Application Security: General apps & Web service (April 11, 2016) © Abdou Illia – Spring 2016

Learning Objectives
- Discuss general application security
- Discuss Web service/E-Commerce security
- [Discuss E-Mail security]

General Applications Security Issues

Network applications
What is a network application (NA)? What is the difference between a network application and a stand-alone/non-network application (SA)? Use a checkmark (√) to indicate which of the following characteristics apply to NA and SA.

Characteristics | NA | SA
Both the program being used and the data you're working with are stored on your computer | |
Either the program you're using or the data you're working with resides on a network | |
Both the program you're using and the data you're working with reside on a network | |
Uses a client-server architecture | |

Which of the following can be classified as a client or server network application?
- Microsoft Project
- Microsoft Visio
- Oracle
- Solaris
- Windows NT
- Adobe Photoshop
- C++
- Google Chrome
- UNIX
- IIS
- Apache
- WinSCP (client FTP)
- OS X
- Movie Maker
- Internet Explorer

Application security
Imagine that you have the following categories of software installed on your computers. Which one would you harden first, and why? Which one should you harden next, and why?
- Client and server network applications
- Non-network applications
- Operating systems

Applications Security Issues
- Few operating systems, but many applications. Because OSes are hardened, most attacks target applications.
- Most applications run with administrative or super user (root) privileges.
- Securing applications is challenging: huge number of apps, variety of security baselines.
[Figure: software layers. Computer hardware; operating system; client and server application programs such as Web service software (IIS, Apache, ...), Web browsers, photo editors, Movie Maker, productivity software, etc.]

Which of the following is true about application security?
- If a server application (or service) is no longer needed, it should be turned off
- Fewer applications on a computer means fewer attack opportunities
- Use good security baselines to install and configure apps
- Do not install applications centrally using group policies
- Add application-layer authentication by requiring users to provide credentials to run application programs
- Implement cryptographic authentication for sensitive apps
- If a server application (or service) is no longer needed, it should be removed
- Do not turn on each application's automatic update checking

Applications and Buffer Overflow
- Buffers are RAM areas where data is stored temporarily.
- A buffer overflow occurs when data spills from one buffer into the next.
- Buffer overflow is the biggest issue in application coding.
- If an attacker sends more data than the programmer allocated to a buffer, the buffer might overflow, overwriting an adjacent section of RAM.
[Figure: buffer overflow attacks. RAM divided into Buffer1 through Buffer7; data written past the end of one buffer lands in its neighbour.]

Buffer Overflow Attack
Occurs when an ill-written program allows data destined for a memory buffer to overwrite adjacent memory that contains instructions. If the data contain malware, the malware could run and create a DoS.
Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure: before the input, the buffer holds slots 1-6 next to an instruction area containing Print, Run Program, Accept input. After the input, A B C D E F fill slots 1-6 and LET JOHN IN WITHOUT PASSWORD spills over the first instruction, so the instruction area now reads LET JOHN IN WITHOUT PASSWORD, Run Program, Accept input.]

Stack Entry and Buffer Overflow
A stack entry holds a data buffer and a return address.
[Figure: 1. Write return address; 2. Add data to buffer; 3. Direction of data writing (from the data buffer toward the return address); 4. Overwrite return address; 5. Start of attacker data.]
- When a program puts one subprogram on hold to call another, it writes the return address in RAM areas called stack entries.
- The called subprogram may add data to the buffer to the point where it overwrites the return address.
- If the added buffer data is attack code, this is a buffer overflow attack.
Buffer overflow explained with beer: https://www.youtube.com/watch?v=7LDdd90aq5Y

Preventing Buffer Overflow
Key principle: never trust user input.
- Use languages/tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, Assembly, etc.). However, this is usually not possible or practical because almost all modern OSes are written in the C language.
- Eliminate the use of flawed library functions like gets(), strcpy(), and strcmp() that fail to check the length or bounds of their arguments.
- Design and build security within code.
- Use source code scanning tools. Example: the PurifyPlus software suite can perform a dynamic analysis of Java, C, or C++ source code.
For instance, this simple change replaces the unbounded strcpy() with strncpy(), which is told that it only has an eight-byte destination buffer and must stop the raw copy at eight bytes:
// replace the following line
strcpy(buffer2, string2);
// by
strncpy(buffer2, string2, 8);
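The strcpy()/strncpy() change above, worked through in C as an added example that is not code from the slides. The eight-byte buffer and the two sample inputs come from the slides; the function names are mine, and the block also shows the NUL-termination step that strncpy() on its own does not guarantee when the input is too long.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* the eight-byte destination buffer from the slide */

/* The form the slide warns about: strcpy() keeps copying until it finds the
 * NUL at the end of input, so anything 8 characters or longer runs past buf
 * into whatever sits next to it (another buffer, or a saved return address).
 * Shown for contrast only; nothing below calls it. */
void copy_unchecked(char buf[BUF_SIZE], const char *input) {
    strcpy(buf, input);
}

/* Bounded copy. strncpy() alone is not enough: when input is at least
 * BUF_SIZE - 1 characters long it writes no terminating NUL, so the explicit
 * buf[BUF_SIZE - 1] = '\0' is what keeps later reads of buf in bounds.
 * Returns 1 if input was truncated, 0 if it fit, so the caller can reject
 * over-long input instead of silently shortening it. */
int copy_bounded(char buf[BUF_SIZE], const char *input) {
    strncpy(buf, input, BUF_SIZE - 1);
    buf[BUF_SIZE - 1] = '\0';
    return strlen(input) > BUF_SIZE - 1;
}

int main(void) {
    char buf[BUF_SIZE];
    /* Constructed sample inputs: the slide's short and over-long examples. */
    const char *inputs[] = { "ABCDEF", "LET JOHN IN WITHOUT PASSWORD" };
    for (size_t i = 0; i < 2; i++) {
        int truncated = copy_bounded(buf, inputs[i]);
        printf("%-30s -> \"%s\"%s\n", inputs[i], buf,
               truncated ? " (truncated: reject the request)" : "");
    }
    return 0;
}
```

Treat a truncated return as an error to report, not a value to use: silently shortening input is how a password check or a filename ends up operating on something the user never sent.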

Applications permissions
Examples for smartphones:
- Make phone calls: for dialer replacements, Google Voice, etc. NOT for ringtone apps. If an app you download has no business setting up a phone call, be suspicious.
- Send SMS or MMS
- Read contact data
- Find GPS location: if an app gets its revenue from location-based ads, it needs to know where you are. Otherwise, be suspicious.
- Network communication (full internet access, view network / Wi-Fi state, create Bluetooth connection): if an app has no function for you to communicate with anyone else, or any type of downloadable content, this usually means ads. To show you ads, the app needs to get them from the Internet.

How to know apps' permissions?
1. Download and install SureMDM Web Console.
2. Log in to the SureMDM Web Console.
3. Select your smartphone or tablet from the device list.
4. Click on the Apps button to see the list of installed apps on the device.
5. Select an application and click on the Permission button. A screen similar to the following will pop up.

Applications permissions (cont.)
- Android does a great job forcing app developers to inform the prospective user just what sort of permissions are required and what information the app will access.
- If an app does not need the permissions it is requesting before installing, do not install it.
- If a hacker takes over an application program, he or she receives the permissions with which the program runs.

Web service security

Web service & E-Commerce apps
Web applications could be the target of many types of attacks, such as:
- Directory browsing
- Traversal attacks
- Web defacement
- Using an HTTP proxy to manipulate the interaction between client and server
- IIS IPP buffer overflow
- Browser attacks
- Time configuration

Web sites' directory browsing
Web server with Directory Browsing disabled: the user cannot get access to the list of files in a directory by knowing or guessing directory names.

Web site with directory browsing
Web server with Directory Browsing enabled: the user can get access to the list of files in a directory by knowing or guessing directory names.

Traversal Attack
- Normally, paths start at the WWW root directory.
- Adding ../ (Unix) or ..\ (Windows) in an HTTP request might take the attacker up a level, out of the WWW root directory.
- Example: http://website.com ../../
- Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../
- If the attacker traverses to the Command Prompt directory in Windows 2000 or NT, he can execute any command with system privileges.

Traversal Attacks (Cont.)
Preventing traversal attacks:
- Companies filter out ../ and ..\ using URL scanning software.
- Attackers respond with hexadecimal and UNICODE representations of ../ and ..\

ASCII character chart with decimal, binary and hexadecimal conversions:
Name | Character | Code | Decimal | Binary | Hex
Null | NUL | Ctrl @ | 0 | 00000000 | 00
Start of Heading | SOH | Ctrl A | 1 | 00000001 | 01
Space | | | 32 | 00100000 | 20
Exclamation Point | ! | Shift 1 | 33 | 00100010 | 22
Plus | + | Shift = | 43 | 00101011 | 2B
Period | . | | 46 | 00101110 | 2E
Forward Slash | / | | 47 | 00101111 | 2F
Tilde | ~ | Shift ' | 126 | 01111110 | 7E
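A server-side check for the plain and encoded traversal requests described in the two slides above, as an added C example that is not part of the presentation. The function names, the 512-byte working buffers and the choice to reject any decoded byte at or above 0x80 are my assumptions; the check percent-decodes up to three layers (so a filter that only looks for the literal ../ is not enough), treats backslash like slash, and refuses any path whose .. segments would climb above the web root.

```c
#include <string.h>

static int hexval(int c) {                     /* hex digit -> 0..15, else -1 */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                 /* fold 'A'-'F' to 'a'-'f' */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* One round of %XX decoding. Returns 1 if something was decoded, 0 if the input
 * was already plain, -1 on a malformed escape or on any decoded byte >= 0x80
 * (which is how an overlong UTF-8 form such as %c0%af for '/' arrives). */
static int url_decode_once(const char *src, char *dst, size_t dstlen) {
    size_t o = 0; int changed = 0;
    for (const char *p = src; *p; p++) {
        int c = (unsigned char)*p;
        if (c == '%') {
            int hi = hexval((unsigned char)p[1]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)p[2]);
            if (lo < 0) return -1;
            c = hi * 16 + lo; p += 2; changed = 1;
        }
        if (c >= 0x80 || o + 1 >= dstlen) return -1;
        dst[o++] = (char)c;
    }
    dst[o] = '\0';
    return changed;
}
/* Walk the segments (treating '\\' like '/') and reject as soon as a ".."
 * would climb above the web root. Returns 1 if the path stays under it. */
static int stays_under_root(const char *path) {
    int depth = 0;
    for (const char *p = path; *p;) {
        while (*p == '/' || *p == '\\') p++;
        const char *seg = p; while (*p && *p != '/' && *p != '\\') p++;
        size_t n = (size_t)(p - seg);
        if (n == 2 && seg[0] == '.' && seg[1] == '.') { if (--depth < 0) return 0; }
        else if (n > 1 || (n == 1 && seg[0] != '.')) depth++;
    }
    return 1;
}
/* Decode up to three layers of percent-encoding (%252e%252e%252f -> %2e%2e%2f
 * -> ../), then check containment. Returns 1 = accept, 0 = reject. */
int is_safe_request_path(const char *raw) {
    char buf[2][512];
    const char *cur = raw; int r = 1;          /* r == 1: decoded, go again */
    for (int round = 0; round < 3 && r == 1; round++) {
        r = url_decode_once(cur, buf[round & 1], sizeof buf[0]);
        if (r < 0) return 0;
        cur = buf[round & 1];
    }
    return r == 0 && stays_under_root(cur);
}
```

Log every rejected request with the raw (undecoded) path: a burst of %2e%2e or %c0%af requests against one host is an early signal of traversal probing even when each one is refused.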

Website defacement
- Taking over a web server and replacing its normal web pages with hacker-produced pages.
- The effect could last because ISPs cache popular web sites.
- Examples of recent website defacements:
  - ATTRITION web page hack mirror: http://attrition.org/mirror/
  - Zone-H web site for the most recent attacks: http://www.zone-h.org (check Onhold and Archive)

Manipulating HTTP requests
Attackers use proxies to manipulate communications between browsers and web servers. Example using WebScarab.

IIS IPP Buffer Overflow
- The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks.
- The jill.c program was developed to launch the attack using:
  GET NULL.printer HTTP/1.0
  Host: [420-byte jill.c code to launch the command shell]
- The IIS server responds by launching the command shell (C:\WINNT\SYSTEM32\>), giving the attacker SYSTEM privileges.

IIS IPP Buffer Overflow (cont.)
- Link to jill.c code
- Code compilable using gcc jill.c -o jill on Linux.
- Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.

IIS IPP Buffer Overflow (cont.) Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc

Login Screen Bypass Attack
The website user gets a login screen. Instead of logging in, the user enters a URL to bypass the login screen and gain access without authorization.

Browser Attacks
- Malicious links: attack.txt.exe seems to be attack.txt because common extensions are hidden by default in some operating systems.
- The user must click on them to execute (but not always).

Browser Attacks (Cont.)
Common attacks:
- Redirection to an unwanted web page
- Scripts might change the registry or the home page
- Some scripts might "trojanize" your DNS error-handling routine when you mistype a URL
- Pop-up windows
- Web bugs, i.e. links that are nearly invisible, can be used to track users at a website
- Domain names that are common misspellings of popular domain names: Microsoff.com, www.whitehouse.com (a porn site)