Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Services and Authentication

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Services and Authentication"— Presentation transcript:

1 Web Services and Authentication
IS/CS 698 Min Song Information Systems

2 What is Web Application Security?
Web Applications exist in many forms. Some search, some count, others even transfer money within your bank accounts. Web Applications are employed to carry out many mission-critical tasks and if anything on the web is certain, our reliance upon web applications will continue to grow. Simply, the securing of web applications.

3 Why is web application security important?
Before software functionality was capable of being delivered via the web, software developers security concerns were relatively given: that their user-base was limited to internal or wan networks. All this has now changed. Web developers now create software that runs upon web servers accessed by anyone, anywhere. The scope and magnitude of their software delivery has increased exponentially and in so doing, security issues have also risen. - Browser Hi-Jacking - Cookie Theft - Denial of Service - Abuse - User Privacy Invasion

4 Architecture of the Web
Hypertext information model (linking of documents) Client/Server consultation protocol ? Internet server user transaction documents

5 Security problems : confidentiality
Unauthorized release of information ? Internet user ? pirate

6 Security problems: integrity
Unauthorized modification of information Internet user ? pirate

7 Security measures firewalls encryption Access control authentication
authorization

8 Encryption: principles
Mathematical transformation of a message Hello Encrypt Hel Decrypt Hello plaintext cyphertext plaintext encryption key decryption key -Document confidentiality -Document integrity -Server authentication -Client authentication

9 Access control model Reference noeuds Monitor user resources request
guard Reference Monitor authorize operation noeuds deny consult update security database security administrator

10 Access control: authentication
Verifying the identity of a user identity, proof of identity security database

11 Web authentication mechanisms

12 Access control: authorization
Verifying the access rights of a user identity, proof of identity ? security database

13 Web authorization mechanisms
Access control lists (ACL) Roles, groups : simple user administration Capabilities : exchange of access control information in the request

14 The goal of an attack Steal data Blackmail Beachhead for other attacks
Bragging rights Vandalism Demonstrate vulnerability/satisfy curiosity Damage company reputation Others? What do you need for a credit card attack to be successful? How can you program that to make it more secure? Beachhead: To avoid detection, hop onto multiple servers in multiple countries to route your attack. Example: Route your attack through N. Korea or China Bragging rights: Vandalism: Al-Jazeera site Embarrass:

15 Commonly attacked services
SMTP servers (port 25) sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. “ RPC servers (port 111 & others) NetBIOS shares (port 139) Opasoft worm FTP servers (ports 20, 21) wuftpd vulnerabilities SSH servers (port 22) OpenSSH vulnerability Web servers (ports 80, 443) Apache chunked encoding vulnerability Sendmail: “The address parser performs insufficient bounds checking in certain conditions due to a char to int conversion, making it possible for an attacker to take control of the application. “ NetBIOS: Opasoft worm: RPC: FTP: wuftpd vulnerability SSH: OpenSSH vulnerability Privilege separation: “The basic idea behind privilege separation is that OpenSSH sshd(8) has something like lines of code. A lot of them run as root. However, when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privileges. This makes the daemon less vulnerable to attack.” HTTP: Apache Exploit code:

16 Web server attack Scan to find open ports
Find out what’s running on open ports (banner grabbing) Profile the server Windows (look for Kerberos, NetBIOS, AD) Unix Use TCP fingerprinting Probe for weaknesses on interesting ports Default configuration files and settings (e.g. popular IIS ones) Buffer overflows Insecure applications Launch attack Use exploit code from Internet… …or build your own WebDAV exploit: Compiled exploit:

17 Scanning… What O/S is this system?

18 Scanning… What O/S is this system?
Show nmap scan against linuxvm, makes a guess at the remote O/S.

19 Example Web Application
Internet DMZ Protected network Internal network AJP IIOP T9 etc. DB Clear-text or SSL Web server App server (optional) HTTP request Web app Web app Web app transport DB Web app Web client: IE, Mozilla, etc. Apache IIS Netscape etc. Servlet engine J2EE server ColdFusion Oracle 9iAS etc. Perl C++ CGI Java ASP PHP etc. ADO ODBC JDBC etc. Oracle SQL Server etc. HTTP reply (HTML, JavaScript, VBScript, etc.)

20 OWASP Top 10 Web Application Security Vulnerabilities
Unvalidated parameters Broken access control Broken account/session management Cross-site scripting flaws Buffer overflows Command injection flaws Error handling problems Insecure use of cryptography Remote administration flaws Web and app server mis-configuration

21 #10: Web/App Server Misconfiguration
Tension between “work out of the box” and “use only what you need” Developers ≠ web masters Examples Unpatched security flaws (BID example) Misconfigurations that allow directory traversal Administrative services accessible Default accounts/passwords Countermeasures Create and use hardening guides Turn off all unused services Set up and audit roles, permissions, and accounts Set up logging and alerts Oracle 9ias examples: IIS Hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Technical Reference NT IIS 5_0 and Win2K Hardening Configuration.htm Apache hardening guide: C:\Documents and Settings\mnystrom\My Documents\InfoSec\Apache hardening guide.doc Examples: Show how an administrator might want to change admin web site properties for Admin web server, select “Directory Security/IP address and domain name restrictions/Edit…”

22 #9: Remote Administration Flaws
Problems Weak authentication (username=“admin”) Weak encryption Countermeasures Don’t place admin interface on same server Use strong authentication: certificates, tokens, strong passwords, etc. Encrypt entire session (VPN or SSL) Control who has accounts IP restrictions Example: Example ColdFusion:

23 #8: Poor Cryptography Insecure storage of credit cards, passwords, etc. Poor choice of algorithm (or invent your own) Poor randomness Session IDs Tokens Cookies Improper storage in memory Countermeasures Store only what you must Store a hash instead of the full value (SHA-1) Use only vetted, public cryptography Demonstrate md5 tool with on Windows XP laptop with: md5 –dhello md5 –djello Demonstrate encryption with PGP pgp –e /home/mnystrom/example.txt mnystrom (produces example.txt.pgp) pgp /home/mnystrom/example.txt.pgp

24 #7: Error Handling Examples: stack traces, DB dumps
Helps attacker know how to target the app Inconsistencies can be revealing too “File not found” vs. “Access denied” Fail-open errors Need to give enough info to user w/o giving too much info to attacker Countermeasures Code review Modify default error pages (404, 401, etc.) Fail open auth example is… Won’t work with passwords, but if you try it _without_ a password, it lets you in. Show sample code. Show 401 error message on after logging in, shows “plsql” in path.

25 Error messages example

26 #6: Command Injection Allows attacker to relay malicious code in form variables or URL System commands SQL Interpreted code (Perl, Python, etc.) Many apps use calls to external programs sendmail Examples Path traversal: “../” Add more commands: “; rm –r *” SQL injection: Countermeasures Taint all input Avoid system calls (use libraries instead) Run application with limited privileges Go to SQL Injection example… ‘ OR 1=1 Parameter injection Go to Parameter Injection /etc/passwd; rm -fr /tmp/*

27 #5: Buffer Overflows Mostly affects web/app servers
Can affect apps/libraries too Goal: crash the target app and get a shell Buffer overflow example echo “vrfy `perl –e ‘print “a” x 1000’`” |nc 25 Replace this with something like this… char shellcode[] = “\xeb\xlf\x5e\x89\x76\x08…” Countermeasures Keep up with bug reports Code reviews Use Java C:\eviltools\overflow-example\Smasher.html Enter DDDDDDDDDDD (11 D’s) You can look up the ASCII function call with… See this report: C:\Program Files\Stealth\Rep\win2kvm.html Example against IIS:

28 #4: Cross-Site Scripting (XSS)
Attacker uses a trust application/company to send malicious code to end-user Attacker can “hide” the malicious code Unicode encoding 2 types of attacks Stored Reflected Wide-spread problem! Countermeasure: input validation Positive Negative: “< > ( ) # &” Don’t forget these: “&lt &gt &#40 &#41 &#35 &#38” Stored example: Go to Database XSS example, and store the following in the message field: <script language="javascript" type="text/javascript">alert("Ha Ha Ha");</script> For reflected attack, add the above line to Example of what this can do:

29 #3: Broken Account and Session Management
Weak authentication Password-only Easily guessable usernames (admin, etc.) Unencrypted secrets are sniffable How to break in Guess password Reset password Have app you new password Sniff password Backend authentication How database passwords are stored Trust relationships between hosts (IP address can be spoofed, etc.) Use brutus to guess manager password, show how it could be used to break into admin account Target: linuxvm/manager/html Port: 8080 Type: HTTP (Basic Auth) Method HEAD Use Username checked, Single User checked, Userid=manager BREAK IN Show sniffer in win2kvm Brute force crackers: Show passwords, database stuff at:

30 #2: Broken Access Control
Usually inconsistently defined/applied Examples Insecure session IDs or keys Forced browsing past access control checks Path traversal File permissions – may allow access to config/password files Client-side caching Open Go to “Weak Authentication Cookie” Use Sleuth, set Intercept to stop on AuthCookie Log in as dave/dave Change AuthCookie to “ggfkggfk” for Jeff: AuthCookie=ggfkggfk; (encoding is backwards twice + advance one letter)

31 #1: Unvalidated Parameters
Attacker can easily change any part of the HTTP request before submitting URL Cookies Form fields Hidden fields Headers Encoding is not encrypting Toasted Spam: Input must be validated on the server (not just the client). CoolCarts: Countermeasures Tainting (Perl) Code reviews (check variable against list of allowed values, not vice-versa) Application firewalls CodeSeeker: Input validation demo: Edit hidden values on form Remember to modify action on the form too (replace /cgi-bin with Re-open in browser and click “Preview total” Encoding/encrypting demo 1) Start linuxvm 2) Open Sleuth 3) Set Intercept & have it break on all responses 4) Browse to Basic auth for manager/manager in Tomcat manager app: bWFuYWdlcjptYW5hZ2Vy Use this tool for decoding: Or use this tool… java -classpath c:\javalib\dnsjava\dnsjava jar;c:\dev\Base64Decoder\classes Base64 decode <text> Alternative to test against unvalidated parameters: Go to “Parameter Injection” Show that linuxvm’s /tmp drive has something in it Place this in the field /etc/passwd; rm -fr /tmp/* Notes on perl tainting: #!/usr/local/bin/perl –T The only way to untaint a variable is to do a regular expression match using () groups inside the regular expression pattern match. In Perl, the first () group match gets assigned to $1, the second () group to $2, and so on. Perl considers these new variables that arise from () groups to be untainted. Once your regular expression has created these variables, you can use them as your new untainted values.

Download ppt "Web Services and Authentication"

Similar presentations

Webgoat.

Webgoat.
OWASP’s Ten Most Critical Web Application Security Vulnerabilities

OWASP’s Ten Most Critical Web Application Security Vulnerabilities
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan

Web Application Security Vulnerabilities Yen-Cheng Chen Department of Information Management National Chi Nan University Puli, 545 Nantou, Taiwan
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc.

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP Security Architect Cisco Systems, Inc.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,

1 © 2003 Cisco Systems, Inc. All rights reserved. Session Number Presentation_ID Web Security Martin Nystrom, CISSP-ISSAP Security Architect Cisco Systems,
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.

WEB SECURITY. WEB ATTACK TYPES Buffer OverflowsXML InjectionsSession Hijacking Attacks WEB Attack Types.
Security in Application & SDLC

Security in Application & SDLC
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Silberschatz, Galvin and Gagne  2002 19.1 Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.

Silberschatz, Galvin and Gagne  Operating System Concepts Module 19: Security The Security Problem Authentication Program Threats System Threats.
Introduction To Windows NT ® Server And Internet Information Server.

Introduction To Windows NT ® Server And Internet Information Server.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
1 Security in Application & SDLC Barkan Asaf Nov, 2006.

1 Security in Application & SDLC Barkan Asaf Nov, 2006.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities

Similar presentations

Ads by Google