Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and.

Slides:



Advertisements
Similar presentations
Chapter 17 Failures and exceptions. This chapter discusses n Failure. n The meaning of system failure. n Causes of failure. n Handling failure. n Exception.
Advertisements

Socket Programming ENTERPRISE JAVA. 2 Content  Sockets  Streams  Threads  Readings.
Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.
PHP syntax basics. Personal Home Page This is a Hypertext processor It works on the server side It demands a Web-server to be installed.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Using TCP sockets in Java Created by M Bateman, A Ruddle & C Allison As part of the TCP View project.
Sockets For Servers Instructors: Fu-Chiung Cheng ( 鄭福炯 ) Associate Professor Computer Science & Engineering Tatung University.
COEN 445 Communication Networks and Protocols Lab 4
1 Java Networking – Part I CS , Spring 2008/9.
16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.
CSCI 4550/8556 Computer Networks Comer, Chapter 3: Network Programming and Applications.
Network Programming CS3250. References Core Java, Vol. II, Chapter 3. Book examples are available from
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
System Programming Practical session 10 Java sockets.
Chapter 2 Application Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July.
28-Jun-15 Basic Protocols. 2 Sockets Sockets, or ports, are a very low level software construct that allows computers to talk to one another When you.
CSCE 515: Computer Network Programming Chin-Tser Huang University of South Carolina.
Implementing Application Protocols. Overview An application protocol facilitates communication between applications. For example, an client uses.
Web Proxy Server. Proxy Server Introduction Returns status and error messages. Handles http CGI requests. –For more information about CGI please refer.
C HAPTER 2 Secure Systems Design Ahmed Khademzadeh Imam Reza University of Mashhad
Computer Networks  Network - A system of computers interconnected in order to share information.  Data transmission - consists of sending and receiving.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Java for enterprise networks Version 2.3 Feb 2008 JSP Validation and Exception handling Why validate? Client side validation.
C HAPTER 3 Secure Design Principles Slides adapted from "Foundations of Security: What Every Programmer Needs To Know" by Neil Daswani, Christoph Kern,
FTP (File Transfer Protocol) & Telnet
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Lecture#2 on Internet and World Wide Web. Internet Applications Electronic Mail ( ) Electronic Mail ( ) Domain mail server collects incoming mail.
Chapter 17 - Deploying Java Applications on the Web1 Chapter 17 Deploying Java Applications on the Web.
HOW WEB SERVER WORKS? By- PUSHPENDU MONDAL RAJAT CHAUHAN RAHUL YADAV RANJIT MEENA RAHUL TYAGI.
Cli/Serv.: Chat/121 Client/Server Distributed Systems v Objectives –discuss a client/server based chat system –mention two other ways of chatting.
REVIEW On Friday we explored Client-Server Applications with Sockets. Servers must create a ServerSocket object on a specific Port #. They then can wait.
School of Engineering and Computer Science Victoria University of Wellington Copyright: Peter Andreae david streader, VUW Echo Networking COMP
NMD202 Web Scripting Week3. What we will cover today Includes Exercises PHP Forms Exercises Server side validation Exercises.
1 Software Construction and Evolution - CSSE 375 Exception Handling - Principles Steve Chenoweth, RHIT Above – Exception handling on the ENIAC. From
1 Streams Files are a computer’s long term memory Need ability for programs to –get information from files –copy information from program variables to.
1 Welcome to CSC 301 Web Programming Charles Frank.
Li Tak Sing COMPS311F. Case study: consumers and producers A fixed size buffer which can hold at most certain integers. A number of producers which generate.
Web Design & Development 1 Lec - 21 Umair Javed. Web Design & Development 2 Socket Programming.
Sockets Sockets A socket is an object that encapsulates a TCP/IP connection There is a socket on both ends of a connection, the client side and the server.
Secure Design. Topics 1. “Designing-In” Security 2. Convenience and Security 3. Security By Obscurity 4. Open vs. Closed Source 5. A Game of Economics.
School of Engineering and Computer Science Victoria University of Wellington Copyright: Peter Andreae, VUW Networking COMP # 22.
Networks Sockets and Streams. TCP/IP in action server ports …65535 lower port numbers ( ) are reserved port echo7 time13 ftp20 telnet23.
Dynamic Architectures (Component Reconfiguration) with Fractal.
Lab 2 Primer Assignment 3 Structure File I/O More parsing and HTTP Formatting.
1 WWW. 2 World Wide Web Major application protocol used on the Internet Simple interface Two concepts –Point –Click.
WEB SERVER Mark Kimmet Shana Blair. The Project Web Server Application  Receives request for web pages or images from a client browser via the internet.
Java Server Programming Web Interface for Java Programs.
2: Application Layer 1 Chapter 2: Application layer r 2.1 Principles of network applications  app architectures  app requirements r 2.2 Web and HTTP.
CSI 3125, Preliminaries, page 1 Networking. CSI 3125, Preliminaries, page 2 Networking A network represents interconnection of computers that is capable.
SE-2840 Dr. Mark L. Hornick 1 Introduction to Ajax Asynchronous Javascript And XML.
UNIT-6. Basics of Networking TCP/IP Sockets Simple Client Server program Multiple clients Sending file from Server to Client Parallel search server.
Data Communications and Computer Networks Chapter 2 CS 3830 Lecture 7 Omar Meqdadi Department of Computer Science and Software Engineering University of.
URL Programming Mimi Opkins CECS277. What is a URL?  URL is an acronym for Uniform Resource Locator and is a reference (an address) to a resource on.
MT311 Java Application Development and Programming Languages Li Tak Sing ( 李德成 )
Network Programming: Servers. Agenda l Steps for creating a server Create a ServerSocket object Create a Socket object from ServerSocket Create an input.
COMP2322 Lab 4 Socket Programming Toby Lam March 2, 2016.
Web Server Assignment1 Reference ( Main class (for example : MyServer.java) –Initialization.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Network Programming. These days almost all devices.
School of Engineering and Computer Science Victoria University of Wellington Copyright: Peter Andreae david streader, VUW Echo Networking COMP
Prepared by: Dr. Abdallah Mohamed, AOU-KW Unit9: Internet programming 1.
Echo Networking COMP
Handling Errors in Web Applications
Authentication & .htaccess
Client-server Programming
HTTP and Sockets Lecture 6
Hypertext Transfer Protocol
HyperText Transfer Protocol
Socket Programming 2: Application Layer.
Presentation transcript:

Web Security Programming I Building Security in from the Start Except where otherwise noted all portions of this work are Copyright (c) 2007 Google and are licensed under the Creative Commons Attribution 3.0 License

A Simple Web Server To illustrate what can go wrong if we do not design for security in our web applications from the start, consider a simple web server implemented in Java. All this program does is serve documents using HTTP. We will walkthrough the code in the following slides.

Some Preliminaries… (HyperText Transfer Protocol): The communications protocol used to connect to servers on the Web. Its primary function is to establish a connection with a Web server and transmit HTML pages to the client browser or any other files required by an HTTP application. Addresses of Web sites begin with an prefix.

Some Preliminaries… A typical HTTP request that a browser makes to a web server: Get / HTTP/1.0 When the server receives this request for filename / (which means the root document on the web server), it attempts to load index.html. It sends back: HTTP/ OK followed by the document contents.

SimpleWebServer: main() /* This method is called when the program is run from the command line. */ public static void main (String argv[]) throws Exception { /* Create a SimpleWebServer object, and run it */ SimpleWebServer sws = new SimpleWebServer(); sws.run(); }

SimpleWebServer Object public class SimpleWebServer { /* Run the HTTP server on this TCP port. */ private static final int PORT = 8080; /* The socket used to process incoming connections from web clients */ private static ServerSocket dServerSocket; public SimpleWebServer () throws Exception { dServerSocket = new ServerSocket (PORT); } public void run() throws Exception { while (true) { /* wait for a connection from a client */ Socket s = dServerSocket.accept(); /* then process the client's request */ processRequest(s); }

SimpleWebServer: processRequest 1 /* Reads the HTTP request from the client, and responds with the file the user requested or a HTTP error code. */ public void processRequest(Socket s) throws Exception { /* used to read data from the client */ BufferedReader br = new BufferedReader (new InputStreamReader (s.getInputStream())); /* used to write data to the client */ OutputStreamWriter osw = new OutputStreamWriter (s.getOutputStream()); /* read the HTTP request from the client */ String request = br.readLine(); String command = null; String pathname = null;

SimpleWebServer: processRequest 2 /* parse the HTTP request */ StringTokenizer st = new StringTokenizer (request, " "); command = st.nextToken(); pathname = st.nextToken(); if (command.equals("GET")) { /* if the request is a GET try to respond with the file the user is requesting */ serveFile (osw,pathname); } else { /* if the request is a NOT a GET, return an error saying this server does not implement the requested command */ osw.write ("HTTP/ Not Implemented\n\n"); } /* close the connection to the client */ osw.close();

SimpleWebServer: serveFile 1 public void serveFile (OutputStreamWriter osw, String pathname) throws Exception { FileReader fr=null; int c=-1; StringBuffer sb = new StringBuffer(); /* remove the initial slash at the beginning of the pathname in the request */ if (pathname.charAt(0)=='/') pathname=pathname.substring(1); /* if there was no filename specified by the client, serve the "index.html" file */ if (pathname.equals("")) pathname="index.html";

SimpleWebServer: serveFile 2 /* try to open file specified by pathname */ try { fr = new FileReader (pathname); c = fr.read(); } catch (Exception e) { /* if the file is not found,return the appropriate HTTP response code */ osw.write ("HTTP/ Not Found\n\n"); return; }

SimpleWebServer: serveFile 3 /* if the requested file can be successfully opened and read, then return an OK response code and send the contents of the file */ osw.write ("HTTP/ OK\n\n"); while (c != -1) { sb.append((char)c); c = fr.read(); } osw.write (sb.toString());

Can you identify any security vulnerabilities in SimpleWebServer?

What Can Go Wrong? Denial of Service (DoS): An attacker makes a web server unavailable. Example: an online bookstore’s web server crashes and the bookstore loses revenue

DoS on SimpleWebServer? Just send a carriage return as the first message instead of a properly formatted GET message…

DoS on SimpleWebServer? processRequest(): /* read the HTTP request from the client */ String request = br.readLine(); String command = null; String pathname = null; /* parse the HTTP request */ StringTokenizer st = new StringTokenizer (request, " "); command = st.nextToken(); pathname = st.nextToken();

DoS on SimpleWebServer? The web server crashes Service to all subsequent clients is denied until the web server is restarted

How Do We Fix This? The web server should immediately disconnect from any web client that sends a malformed HTTP request to the server. The programmer needs to carefully handle exceptions to deal with malformed requests.

How would you fix this code? processRequest(): /* read the HTTP request from the client */ String request = br.readLine(); String command = null; String pathname = null; /* parse the HTTP request */ StringTokenizer st = new StringTokenizer (request, " "); command = st.nextToken(); pathname = st.nextToken();

A possible solution /* read the HTTP request from the client */ String request = br.readLine(); String command = null; String pathname = null; try { /* parse the HTTP request */ StringTokenizer st = new StringTokenizer (request, " "); command = st.nextToken(); pathname = st.nextToken(); } catch (Exception e) { osw.write (“HTTP/ Bad Request\n\n”); osw.close(); return; }

Importance of “Careful” Exception Handling Error messages and observable behavior can tip off an attacker to vulnerabilities Fault Injection: Providing a program with input that it does not expect (as in the CR for SimpleWebServer) and observing behavior

Careful Exception Handling Two possible designs for int checkPassword (String username, String password) The function could fail, so what exception should the function return? 1)ERROR_ACCESS_DENIED ERROR_PASS_FILE_NOT_FOUND ERROR_OUT_OF_MEMORY NO_ERROR_ACCESS_ALLOWED 2)NO_ERROR ERROR int getError () Be careful to not provide more information to a user than is needed.

Careful Exception Handling int result = checkPassword ( … ) if (result == ERROR_ACCESS_DENIED) { abort(); } else { // Complete login } Problem: result != ERROR_ACCESS_DENIED does not infer ERROR_ACCESS_ALLOWED Result could have been: ERROR_PASS_FILE_NOT_FOUND or ERROR_OUT_OF_MEMORY !

Fail-Safe int result = checkPassword ( … ) if (result == NO_ERROR) { // Complete login } else { int reason = getError(); abort(); } Much better– less error prone! checkPassword failure occurs securely!

Summary Effective exception handling is essential in designing security in from the start Next time, we look at other vulnerabilities in the SimpleWebServer

Sources The content of these slides was adapted from: "Foundations of Security: What Every Programmer Needs To Know" (ISBN ) by Neil Daswani, Christoph Kern, and Anita Kesavan.