Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.


2 Learning Objectives
- Discuss general application security
- Discuss Web service / e-commerce security
- [Discuss security]

3 General Applications Security Issues

4 Applications Security Issues
- Few operating systems, but many applications
- Because operating systems are hardened, most attacks target the applications installed on servers
- Many applications run with administrative or superuser (root) privileges, so a compromised application can hand the attacker full control of the host
- Securing applications is challenging

(Figure: the software stack, bottom to top)
- Computer hardware
- Operating system
- Client and server application programs: Web service software (IIS, Apache, ...), Web browsers, photo editors, movie makers, productivity software, etc.

5 Which of the following is true about Application Security? (quiz)
- If a server application (or service) is no longer needed, it should be turned off
- Fewer applications on a computer, fewer attack opportunities
- Use good security baselines to install and configure apps
- Do not install applications centrally using group policies
- Add application-layer authentication by requiring users to provide credentials to run application programs
- Implement cryptographic authentication for sensitive apps
- If a server application (or service) is no longer needed, it should be removed
- Do not turn on each application's automatic update checking

6 Applications and Buffer Overflow
- Buffer overflow is one of the most serious flaws in application code, and it leads to buffer overflow attacks
- Buffers are areas of RAM where data is stored temporarily
- If an attacker sends more data than the programmer allocated for a buffer, the buffer overflows and overwrites the adjacent section of RAM

(Figure: RAM divided into adjacent regions Buffer1 through Buffer7)

7 Buffer Overflow Attack
- Occurs when a badly written program lets data destined for a memory buffer spill over into adjacent memory that holds instructions (or control data such as a return address)
- If the overflowing data contains attacker code, that code may run; at minimum the program usually crashes, causing a denial of service
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD

(Figure, before the input: the buffer is empty and the adjacent instruction area reads "Print; Run Program; Accept input". After the input: the buffer holds ABCDEF and the instruction area reads "LET JOHN IN WITHOUT PASSWORD; Run Program; Accept input", i.e. the first instruction has been replaced by the part of the input that did not fit in the buffer)

8 Stack Entry and Buffer Overflow
- When a program puts one subprogram on hold to call another, it saves the return address in an area of RAM called a stack entry (stack frame), next to the called subprogram's local data buffers
- The called subprogram may write data into a buffer until it overruns the buffer and overwrites the saved return address
- If the data written is attack code and the overwritten return address points back into it, this is a buffer overflow attack: when the subprogram returns, the CPU jumps to the attacker's code instead of the caller

(Figure: a stack entry holding a data buffer and, above it, the saved return address)
1. Write return address
2. Add data to buffer
3. Direction of data writing (from the buffer toward the return address)
4. Overwrite return address
5. Start of attacker data

9 Preventing Buffer Overflow
- Use languages that provide automatic bounds checking, such as Perl, Python and Java, instead of lower-level languages (C, C++, assembly). However, this is often not possible or practical, because almost all modern operating systems (and much of their application software) are written in C.
- Eliminate the use of flawed library functions such as gets(), strcpy() and strcat(), which never check the length or bounds of their arguments.
- Design and build security within the code.
- Use source code scanning and runtime analysis tools. Example: the PurifyPlus software suite performs dynamic analysis of Java, C or C++ programs and reports out-of-bounds memory accesses.

  // replace the following line
  strcpy(buffer2, string2);
  // by a bounded copy that never writes past the 8-byte destination
  strncpy(buffer2, string2, 8);
  buffer2[7] = '\0';   // strncpy adds no terminator when the source fills the buffer

For instance, this simple change tells the copy that it has only an eight-byte destination buffer and that it must stop copying at eight bytes. Note the pitfall of strncpy() itself: if string2 is eight bytes or longer, the result is not NUL-terminated, so the terminator must be written explicitly (as above) or the length of string2 must be checked before copying.
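The overflow on slides 7 and 8 and the bounded copy on slide 9, as an added C example that is not part of the original lecture. Rather than corrupting the real stack (undefined behaviour whose outcome depends on compiler, flags and platform), it models one stack entry as a byte array: an 8-byte data buffer followed by the saved return address, written in the direction the slide 8 figure shows. The function names, the buffer size, the return address 0x401000 and the sample inputs are assumptions constructed for the demonstration.

```c
/* Added example (not from the slides): a deterministic model of the stack
 * entry on slide 8. The frame is a byte array: an 8-byte data buffer
 * followed by the 8-byte saved return address. unbounded_copy() behaves
 * like strcpy(); bounded_copy() is the kind of bounded copy slide 9
 * recommends. Sizes, names and addresses are assumptions for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8                            /* attacker-visible data buffer */
#define FRAME_SIZE (BUF_SIZE + sizeof(uint64_t))

/* Step 1 on the slide: the caller's return address is saved just above the
 * local buffer (data is written upward, toward it). */
static void init_frame(unsigned char frame[FRAME_SIZE], uint64_t ret_addr) {
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + BUF_SIZE, &ret_addr, sizeof ret_addr);
}

static uint64_t saved_return(const unsigned char frame[FRAME_SIZE]) {
    uint64_t ret;
    memcpy(&ret, frame + BUF_SIZE, sizeof ret);
    return ret;
}

/* Vulnerable: copies up to the NUL like strcpy(); anything past 8 bytes
 * lands on the saved return address (steps 2-4 on the slide). */
static size_t unbounded_copy(unsigned char frame[FRAME_SIZE], const char *input) {
    size_t n = strlen(input) + 1;             /* include the terminator */
    if (n > FRAME_SIZE) n = FRAME_SIZE;       /* keep the model itself in bounds */
    memcpy(frame, input, n);
    return n;
}

/* Hardened: never writes past the buffer and always NUL-terminates
 * (strncpy alone does not guarantee termination). Returns 1 if the input
 * fit, 0 if it had to be truncated. */
static int bounded_copy(unsigned char frame[FRAME_SIZE], const char *input) {
    size_t len = strlen(input);
    int fits = len < BUF_SIZE;
    size_t n = fits ? len : BUF_SIZE - 1;
    memcpy(frame, input, n);
    frame[n] = '\0';
    return fits;
}

/* Simulates one call and returns the address the subprogram would
 * return to. A changed value means the attacker now controls execution. */
uint64_t run_with_input(const char *input, int use_bounded) {
    unsigned char frame[FRAME_SIZE];
    const uint64_t legit_return = 0x401000;   /* assumed caller address */
    init_frame(frame, legit_return);
    if (use_bounded) bounded_copy(frame, input);
    else             unbounded_copy(frame, input);
    return saved_return(frame);
}

int main(void) {
    /* Constructed inputs: a benign 6-byte string, and a 16-byte "attack"
     * whose second half (BBBBBBBB) lands exactly on the return address. */
    const char *benign = "ABCDEF";
    const char *attack = "AAAAAAAABBBBBBBB";
    printf("benign, strcpy-style : ret=0x%llx\n", (unsigned long long)run_with_input(benign, 0));
    printf("attack, strcpy-style : ret=0x%llx\n", (unsigned long long)run_with_input(attack, 0));
    printf("attack, bounded copy : ret=0x%llx\n", (unsigned long long)run_with_input(attack, 1));
    return 0;
}
```

With the unbounded copy the attack input turns the return address into 0x4242424242424242 (the bytes of "BBBBBBBB"); with the bounded copy it stays 0x401000. On a real system the attacker would choose those eight bytes to point at the shellcode placed earlier in the same input (step 5 on the slide).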

10 Web service security

11 Webservice & E-Commerce apps
Web applications can be the target of many types of attacks, such as:
- Directory browsing
- Traversal attacks
- Web defacement
- Using an HTTP proxy to manipulate the interaction between client and server
- IIS IPP buffer overflow
- Browser attacks
- Time configuration

12 Web sites' directory browsing
(Figure: a web server with directory browsing disabled) A user cannot obtain the list of files in a directory by knowing or guessing directory names.

13 Web site with directory browsing
(Figure: a web server with directory browsing enabled) A user can obtain the list of files in a directory simply by knowing or guessing directory names.

14 Traversal Attack
- Normally, paths in a URL start at the WWW root directory (the document root)
- Adding ../ (Unix) or ..\ (Windows) to an HTTP request might take the attacker up a level, out of the WWW root directory
- Example: if the attacker traverses to the directory holding the command interpreter (cmd.exe) on Windows 2000 or NT, he can execute arbitrary commands with the privileges of the web server process

15 Traversal Attacks (Cont.)
Preventing traversal attacks
- Companies filter out ../ and ..\ using URL scanning software
- Attackers respond with hexadecimal (percent-encoded) and Unicode representations of ../ and ..\, e.g. %2e%2e%2f, or the overlong UTF-8 form %c0%af for the slash, which a naive filter does not recognise

ASCII character chart with decimal, binary and hexadecimal conversions (excerpt)

Name               Character  Key      Decimal  Binary    Hex
Start of Heading   SOH        Ctrl-A   1        00000001  01
Space              (space)    Space    32       00100000  20
Exclamation Point  !          Shift-1  33       00100001  21
Plus               +          Shift-=  43       00101011  2B
Period             .                   46       00101110  2E
Forward Slash      /                   47       00101111  2F
Tilde              ~          Shift-`  126      01111110  7E
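The hexadecimal and Unicode evasions above, handled in an added C example that is not part of the original lecture: a path normaliser of the kind a URL filter needs before comparing anything against ../. It goes beyond the single encoding on the slide: it percent-decodes repeatedly (so the double-encoded %255c becomes %5c and then a backslash), maps the overlong UTF-8 sequence %c0%af to /, treats backslash like slash, then resolves . and .. and rejects any request that would climb above the web root. The function names, the 1024-byte limit and the sample requests are assumptions constructed for the demonstration.

```c
/* Added example (not from the slides): normalise a request path before
 * any traversal check, so encoded forms of ../ cannot slip past a filter
 * that only looks for the literal string. Names and limits are assumed. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_MAX_LEN 1024

static int hexval(int c) {
    if (isdigit(c)) return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* One pass of percent-decoding in place; returns 1 if anything changed. */
static int percent_decode_once(char *s) {
    int changed = 0, hi, lo;
    char *r = s, *w = s;
    while (*r) {
        if (*r == '%' && (hi = hexval((unsigned char)r[1])) >= 0 &&
                         (lo = hexval((unsigned char)r[2])) >= 0) {
            *w++ = (char)(hi * 16 + lo);
            r += 3;
            changed = 1;
        } else {
            *w++ = *r++;
        }
    }
    *w = '\0';
    return changed;
}

/* Returns 1 if `path` stays inside the web root and writes its canonical
 * "/a/b" form to `out`; returns 0 if it escapes the root or is too long. */
int safe_path(const char *path, char *out, size_t outlen) {
    char buf[PATH_MAX_LEN], norm[PATH_MAX_LEN];
    if (strlen(path) >= sizeof buf) return 0;
    strcpy(buf, path);

    /* Decode until stable, bounded so "%25%25%25..." cannot loop forever. */
    for (int pass = 0; pass < 4 && percent_decode_once(buf); pass++) {}

    /* Collapse the overlong encoding of '/' (0xC0 0xAF) and backslashes. */
    size_t n = 0;
    for (size_t i = 0; buf[i]; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == 0xC0 && (unsigned char)buf[i + 1] == 0xAF) { norm[n++] = '/'; i++; }
        else if (c == '\\') norm[n++] = '/';
        else norm[n++] = (char)c;
    }
    norm[n] = '\0';

    /* Resolve segments; a ".." with nothing left to pop is an escape attempt. */
    const char *segs[PATH_MAX_LEN / 2];
    size_t lens[PATH_MAX_LEN / 2];
    int depth = 0;
    char *p = norm;
    while (*p) {
        while (*p == '/') p++;
        if (!*p) break;
        char *start = p;
        while (*p && *p != '/') p++;
        size_t len = (size_t)(p - start);
        if (len == 1 && start[0] == '.') continue;
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0) return 0;          /* tried to leave the web root */
            depth--;
            continue;
        }
        segs[depth] = start; lens[depth] = len; depth++;
    }

    if (depth == 0) { if (outlen < 2) return 0; strcpy(out, "/"); return 1; }
    size_t used = 0;
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outlen) return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

/* Convenience wrapper: canonical form in a static buffer, or NULL if rejected. */
const char *canonical_path(const char *path) {
    static char out[PATH_MAX_LEN];
    return safe_path(path, out, sizeof out) ? out : NULL;
}

int main(void) {
    /* Constructed requests: two legitimate, four traversal attempts. */
    const char *tests[] = {
        "/index.html", "/img/../css/site.css",
        "/../../winnt/system32/cmd.exe",
        "/..%2f..%2fwinnt/system32/cmd.exe",
        "/..%255c..%255cwinnt/system32/cmd.exe",
        "/scripts/..%c0%af../winnt/system32/cmd.exe",
    };
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        const char *c = canonical_path(tests[i]);
        printf("%-45s -> %s\n", tests[i], c ? c : "REJECTED");
    }
    return 0;
}
```

The order matters: decode first, then normalise separators, then resolve the segments. A filter that searches the raw request for ../ would pass every one of the last four sample requests, since none of them contains that literal string before decoding.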

16 Website defacement
- Taking over a web server and replacing its normal web pages with hacker-produced pages
- The effect can outlast the repair, because ISPs and proxies cache popular web sites
- Examples of recent website defacements: the ATTRITION Web Page Hack Mirror; the Zone-H web site for the most recent attacks (check the Onhold and Archive sections)

17 Manipulating HTTP requests
- Attackers use an intercepting proxy to view and modify the communication between browser and web server, changing hidden form fields, cookies and parameters before they reach the server
- Example using WebScarab

18 IIS IPP Buffer Overflow
- The Internet Printing Protocol (IPP) ISAPI extension shipped with IIS 5.0 on Windows 2000 is vulnerable to a buffer overflow: the .printer extension copies the Host header into a fixed-size buffer without checking its length
- The jill.c program was developed to launch the attack. It sends:
  GET /NULL.printer HTTP/1.0
  Host: <420 bytes of jill.c attack code>
- The overflow makes the IIS server launch a command shell (C:\WINNT\SYSTEM32>) connected back to the attacker, giving the attacker SYSTEM privileges

19 IIS IPP Buffer Overflow (cont.)
- Link to jill.c code
- The code compiles on Linux with: gcc jill.c -o jill
- A Windows port of the source (jill-win32.c) and a precompiled executable (jill-win32.exe) were available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe; the executable is ready to run on a Windows machine

20 IIS IPP Buffer Overflow (cont.) Source:

21 Browser Attacks
- Malicious links: the user usually must click on them for the payload to execute (but not always)
- Common file extensions are hidden by default in some operating systems, so attack.txt.exe appears as attack.txt

22 Browser Attacks (Cont.)
Common attacks
- Redirection to an unwanted web page
- Scripts that change the registry or the browser home page
- Scripts that "trojanize" the DNS error-handling routine, so that mistyping a URL lands the user on an attacker-chosen page
- Pop-up windows
- Web bugs, i.e. nearly invisible embedded images (often a single pixel) that can be used to track users on a website
- Domain names that are common misspellings of popular domain names, e.g. Microsoff.com (a porn site)