Security on the Web
Part One - Vulnerabilities
Ladd Van Tol, Senior Software Engineer
Vulnerabilities
- Client
  - Browser
  - Operating System
  - Secondary Software
- Server
  - Web Server
  - Operating System
  - Secondary Software
- Network
  - Protocol
  - Transport
Types of Clients
- Web Browsers
  - Internet Explorer: > 90% market share
  - Mozilla derivatives: < 5% market share
- Operating Systems
  - Windows: > 90% market share
  - Macintosh: < 5% market share
  - Linux: < 1% market share
- Secondary Software
  - Clients
  - Browser add-ons
Browser Protocol
- HyperText Transfer Protocol (HTTP)
  - Versions 1.0, 1.1
  - Stateless protocol over TCP/IP
  - Cookies
  - Basic authentication
  - Features: transfer encodings, keep-alive, pipelining
- Secure Sockets Layer (SSL)
  - Encrypts connections
  - Identity verified by server certificate
  - Certificate issued by a certification authority
Browser Content
- HTML rendering
  - HTML 1.0, 2.0, 3.2, 4.01; XHTML 1.0, 1.1
  - XML + XSL
  - CSS 1.0, 2.0
- Embedded Dynamic Features
  - JavaScript, Java, ActiveX
  - Media players, other plug-ins
Client Vulnerabilities
- Social engineering
  - Spoofing: can exploit DNS, or look-alike URLs
- Embedding Weaknesses
  - Java, ActiveX security policy
  - Plug-in security policy
- Buffer overflows
  - Can affect browser, OS, or add-on software
  - Could be a “remote root exploit”
Client Vulnerabilities (continued)
- Scripting Weaknesses
  - JavaScript security policy
- Cross-site scripting (XSS)
  - Attacks target sites that hold personal information
  - Often exploits unfiltered user input (comment areas, forums, etc.)
  - Injects malicious scripts which can steal cookies or other information
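The XSS slide above names the mechanism: user-supplied comment text reaching the page unfiltered. The following is an added example, not part of the talk, in Python: a comment-rendering function in its unfiltered form next to the escaped form, plus a check built on the standard-library HTML parser that reports which tags and attributes a browser would actually see. The comment content is a constructed sample, and the function names are my own.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a forum comment whose author and body both carry markup.
SAMPLE_COMMENT = {
    "author": 'Mallory" onmouseover="x()',
    "body": "Nice site! <script>runUntrusted()</script>",
}

TEMPLATE = '<div class="comment" title="%s">%s</div>'


def render_comment_unsafe(comment):
    """The 'before': user input concatenated straight into the page."""
    return TEMPLATE % (comment["author"], comment["body"])


def render_comment(comment):
    """Hardened: each value is escaped for the context it lands in.

    The attribute value gets quote=True so a stray '"' cannot close the
    attribute; the text node only needs &, < and > escaped.
    """
    return TEMPLATE % (
        html.escape(comment["author"], quote=True),
        html.escape(comment["body"], quote=False),
    )


class _MarkupCollector(HTMLParser):
    """Records every start tag and attribute name the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)


def parse_fragment(fragment):
    """Return (tags, attribute names) as a browser's parser would see them."""
    collector = _MarkupCollector()
    collector.feed(fragment)
    collector.close()
    return collector.tags, collector.attrs


if __name__ == "__main__":
    print(parse_fragment(render_comment_unsafe(SAMPLE_COMMENT)))
    print(parse_fragment(render_comment(SAMPLE_COMMENT)))
```

The unfiltered rendering yields a second element (`script`) and a third attribute (`onmouseover`) that the template never defined; the escaped rendering yields exactly the one `div` with its two intended attributes.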
Privacy/Content
- Privacy Policies
- Cookies
  - Usage tracking
  - Browser control over advertising
- Content Filtering
Types of Servers
- Estimated 35 million servers on the web (includes virtual hosts)
- Apache
- Microsoft IIS*
- Sun ONE*
Source: © 2003, Netcraft
*Business sites are more likely to use commercial servers
Operating Systems
- Linux, BSD variants
- Windows flavor-of-the-week
- Solaris, other high-end Unixes
Secondary Services
- Database Servers: MySQL, SQL Server, Oracle, DB2
- Web Applications
  - Implementation platforms
  - Scripting: PHP, Perl, Python, ASP, JSP, XSP
  - Java Frameworks: J2EE, WebSphere, WebLogic, WebObjects
  - Other Frameworks: .NET
Server Vulnerabilities
- Exploitable Web Applications: source of many serious targeted exploits
  - Unvalidated Parameters
  - Broken Access Control
  - Session Hijacking
  - Cross-Site Scripting Flaws
  - Command Injection Flaws
  - Error Handling Problems
  - Insecure Use of Cryptography
  - Remote Administration Flaws
  - Web and Application Server Misconfiguration
Server Vulnerabilities (continued)
- Other attacks
  - Denial of Service
  - Remote Root Exploits
  - Network Topology, Protocols
  - Worms
- Limited ability to enforce acceptable use policies
Worm Example: Code Red
- IIS vulnerability; worm deployed July 2001
- Distributed denial of service (DDoS) attack
Networks
- Internet uses TCP/IP, UDP
- Connected Networks
  - Routers
  - Domain Name Servers (DNS)
  - Firewalls
  - Virtual Private Networks (VPN)
  - Proxy Servers
  - Load Balancers
Network Vulnerabilities
- Availability
  - Attacks on key routers
  - Attacks on DNS
- Confidentiality
  - Sniffing clear-text traffic
Bibliography
- W3 Consortium
- w3schools browser stats
- Thawte
- Cross-site scripting FAQ
- Netcraft Web Server Survey
- CERT
- CAIDA Analysis of Code Red
- OWASP Top 10 Vulnerabilities
- Personal experience, 3+ years at MacFixIt.com, MacCentral.com, VersionTracker.com