Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Security: Web service and

Published byBarbara Stanley Modified over 7 years ago

Similar presentations

Presentation on theme: "Application Security: Web service and"— Presentation transcript:

1 Application Security: Web service and E-Mail
(April 11, 2011) © Abdou Illia – Spring 2011

2 Learning Objectives Discuss general Application security
Discuss Webservice/E-Commerce security Discuss security

3 General Applications Security Issues

4 Applications Security Issues
Few Operating Systems But Many Applications Because OS are harden, most attacks target applications installed on servers. Many applications run with administrative or super user (root) privileges Securing applications is challenging Buffer Overflow Attacks Most widespread vulnerabilities in application programs Buffers are RAM areas where data is stored temporarily If an attacker sends more data than the programmer had allocated to a buffer, a buffer might overflow, overwriting an adjacent section of RAM RAM Buffer1 Buffer2 Buffer3 Buffer4 Buffer5 Buffer6 Buffer7

5 Buffer Overflow The overflowsample function:
Declares a buffer array capable of holding eight ASCII characters Places the buffer in an initialization loop The loop force-feeds 15 “x” into the buffer array through programming error Only 8 “x” could fit Nine “x” must spill over A function written in C void overflowsample (void) { char buffer1[8]; int I; For (I = 0; I < 16; I++) { buffer1[I] = ‘x’; } } When the program is run… What will be the value of buffer1[3]? _____, Buffer1[15]? _____ What would happen? The part of the function’s code designed to check the bounds of the array will prevent any error from happening. The program will generate an error and terminate.

6 Buffer Overflow Int main() { char name[8]; char etc_passwd[8]; char password[8]; // retrieve the user information printf (“Enter your name:”); gets (name); etc_passwd = get_password (name); printf (“Enter your password:”); gets (password); printf (“Your name and password entries were %s and %s.”, name, password); printf (“The password for %s In the /etc/shadow file Is %s”’ name, etc_passwd); // call procedure to check login authorization authenticate (password, etc_password); return 0; } void authenticate (char * string1, char string2) { char buffer1[8]; char buffer2[8]; strcpy (buffer1, string1); strcpy (buffer2, string2); if (strcmp (buffer1, buffer2) == 0 permit(); }

7 Buffer Overflow

8 Stack Entry and Buffer Overflow
Stack entry: data buffer & Return address registry 2. Add Data to Buffer 1. Write Return Address Return Address 5. Start of Attacker data Data Buffer 3. Direction of Data Writing 4. Overwrite Return Address When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries The called subprogram may add data to the buffer to the point it overwrites the return address If the added buffer data is Attack code, this will be a buffer overflow attack

9 Buffer Overflow Attack
Occurs when ill-written programs allow data destined to a memory buffer to overwrite instructions in adjacent memory register that contains instructions. If the data contains malware, the malware could run and creates a DoS Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD Buffer Instructions 1 2 3 4 5 6 Print Run Program Accept input Buffer Instructions 1 2 3 4 5 6 A B C D E F LET JOHN IN WITHOUT PASSWORD Run Program Accept input 9 9

10 Preventing Buffer Overflow
Use Language tools that provide automatic bounds checking such as Perl, Python, and Java instead lower level language (C, C++, Assembly, etc). However, this is usually not possible or practical because almost all modern OS are written in the C language. Eliminate The Use Of Flawed Library Functions like gets(), strcpy, and strcmp that fail to check the length or bounds of their arguments. Design And Build Security Within Code Use Source Code Scanning Tools. Example: PurifyPlus Software Suite can perform a dynamic analysis of Java, C, or C++ source code. For instance, this simple change informs strcpy() that it only has an eight byte destination buffer and that it must discontinue raw copy at eight bytes. // replace le following line Strcpy (buffer2, strng2); // by Strcpy (buffer2, string2, 8)

11 General Application Security
Minimize number of applications Fewer applications on a computer, fewer attack opportunities Use security baselines for installation Security baselines improve security Add application layer authentication Important for sensitive applications Could be password-based Implement cryptographic systems

12 Web service security

13 Webservice Versus E-Commerce
Webservice includes basic functionalities for Retrieval of static files Creation of dynamic webpages E-Commerce requires additional software for Online catalogs Shopping carts Connection to back-end database Connection to organizations for payments, etc. E-Commerce Software Webserver Software (IIS, Apache, etc.) Subsidiary E-Commerce Software Component (DHTML, etc.) Custom Programs (in client-side scripting)

14 Webservice Versus E-Commerce
Web applications could be the target of many types of attacks like: Directory browsing Traversal attacks Web defacement Using HTTP proxy to manipulate interaction between client and server IIS IPP Buffer Overflow Browser attacks Time configuration

15 Web sites’ directory browsing
Web server with Directory Browsing disabled User cannot get access to list of files in the directory by knowing or guessing directory names

16 Web site with directory browsing
Web server with Directory Browsing enabled User can get access to the list of files in the directory by knowing or guessing directory names

17 Traversal Attack Normally, paths start at the WWW root directory
Adding ../ might take the attacker up a level, out of the WWW root box If attacker traverses to Command Prompt directory in Windows 2000 or NT, can execute any command with system privileges

18 Traversal Attacks (Cont.)
Preventing traversal attacks Companies filter out / and \ using URL scanning software Attackers respond with hexadecimal and UNICODE representations for / and \ ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions Name Character Code Decimal Binary Hex Null NUL 00 Start of Heading SOH Ctrl A 1 01 Space 32 20 Exclamation Point ! Shift 1 33 22 Plus + Shift = 43 2B Period . 46 2E Forward Slash / 47 2F Tilde ~ Shift’ 126 7E

19 Website defacement Taking over a web server and replacing normal web pages by hacker-produced pages Effect could last because ISP cache of popular web sites Example of recent website defacements ATTRITION Web Page Hack Mirror: Zone-H web site for most recent attacks: Check Onhold and Archive

20 Manipulating HTTP requests
Attackers use proxies to manipulate communications between browsers and web servers Example using Webscarab

21 IIS IPP Buffer Overflow
The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks The jill.c program was developed to launch the attack using: GET NULL.printer HTTP/1.0 Host: 420 byte jill.c code to launch the command shell IIS server responds launching the command shell (C:\WINNT\SYSTEM32\>) giving the attacker SYSTEM privileges.

22 IIS IPP Buffer Overflow (cont.)
Link to jill.c code Code compilable using gcc jill.c –o jill on Linux Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/ newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.

23 IIS IPP Buffer Overflow (cont.)
Source:

24 HTTP Requests GET By far the most common method used
HTTP defines 8 methods (or "verbs") indicating the desired action to be performed on a resource GET HEAD POST PUT DELETE TRACE OPTIONS CONNECT HTTP Requests GET By far the most common method used Requests data from specified host Example of request with GET method GET /index.html HTTP/1.1 Host:

25 HTTP Requests HEAD Asks for response identical to a GET request without response body Useful for retrieving meta-information written in response headers without having to transport the entire content POST Submits data to be processed (e.g. from an HTML form) to a server The data is included in the body of the request PUT Uploads data to the server DELETE Delete specified file TRACE Echoes back the received request so that a client can see what intermediate servers are adding or changing in the request OPTIONS Returns HTTP methods supported by the server. This can be used to check the functionality of a web server.

26 Browser Attacks Malicious links attack.txt.exe seems to be attack.txt
User must click on them to execute (but not always) Common extensions are hidden by default in some operating systems. attack.txt.exe seems to be attack.txt

27 Browser Attacks (Cont.)
Common Attacks Redirection to unwanted webpage Scripts might change the registry, home page Some scripts might “trojanize” when your DNS error-handling routine when you mistype a URL Pop-up windows Web bugs; i.e. links that are nearly invisible, can be used to track users at a website Domain names that are common misspellings of popular domain names Microsoff.com, (a porn site)

28

29 E-Mail Protocols SMTP To Send SMTP To Send Receiver’s Mail
Server Sender’s Mail Server Simple Mail Transfer Protocol (SMTP) to transmit mail in real time to a user’s mail server or between mail servers Sender-initiated Sending Client Receiving Client

30 E-Mail protocols POP or IMAP To Receive Receiver’s Mail Sender’s Mail
Server Sender’s Mail Server POP or IMAP to download mail to receiver when the receiver capable of downloading mail. Receiver-initiated Sending Client Receiving Client Internet Message Application Program (IMAP): More powerful, can manage messages on the receiver’s mail server, less widely used Post Office Protocol (POP): Simple, loosing grounds to IMAP

31 E-Mail Standards Receiver’s Mail Server Sender’s Mail Server
Message Body Format Standard Message RFC 822 or 2822 HTML body UNICODE Sending Client Receiving Client RFC 822 (English ASCII code) or 2822: for all-text bodies UNICODE: for all languages HTML body: for fancy text and graphics

32 E-Mail Security E-Mail Encryption
Not widely used because of lack of clear standards IETF has not been able to settle upon a single standard because of in-fighting Three standards are used in corporations TLS S/MIME PGP

33 E-Mail Security E-Mail Encryption
TLS only requires a digital certificate for servers S/MIME requires a PKI for digital certificates PGP uses trust among circles of friends: If A trusts B, and B trusts C, A may trust C’s list of public keys Dangerous: Misplaced trust can spread bogus key/name pairs widely

Download ppt "Application Security: Web service and"

Similar presentations

Application Security: General apps &Web service

Application Security: General apps &Web service
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how e-mail server and client software work Use FTP to transfer files Initiate.

How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.

Application Layer  We will learn about protocols by examining popular application-level protocols  HTTP  FTP  SMTP / POP3 / IMAP  Focus on client-server.
HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.

HTTP Overview Vijayan Sugumaran School of Business Administration Oakland University.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 

11 SECURING INTERNET MESSAGING Chapter 9. Chapter 9: SECURING INTERNET MESSAGING2 CHAPTER OBJECTIVES  Explain basic concepts of Internet messaging. 
Copyright © Texas Education Agency, 2013. All rights reserved.1 Web Technologies Web Administration.

Copyright © Texas Education Agency, All rights reserved.1 Web Technologies Web Administration.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
1 Application Security: Electronic Commerce and E-Mail Chapter 9 Copyright 2003 Prentice-Hall.

1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
Application Security: Web service and E-Mail (April 11, 2011) © Abdou Illia – Spring 2011.

Application Security: Web service and (April 11, 2011) © Abdou Illia – Spring 2011.
Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.

Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.
Chapter 1: Introduction to Web

Chapter 1: Introduction to Web
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.

CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.
Web application architecture

Web application architecture

Similar presentations

Ads by Google