
A Back-Stage Pass: What Every Hacker Wants Presented by: Art Jones.

Presentation transcript:

1 A Back-Stage Pass: What Every Hacker Wants Presented by: Art Jones

2 A Back-Stage Pass. What does the web do? What is its purpose? It is a communications medium, like print or paint or clay or even music… only digital. Digital = easy to create, change, copy, move. Easy = cheap to produce, cheap to distribute. As with any medium, “good don’t come cheap.” There are very few masters of more than one medium.

3 A Back-Stage Pass (agenda)
- A bit of a history lesson
- Clarify some terms
- Understand how modern web systems work
- See where security breaks down
- Some basics…

4 A very general overview of how a web browser gets a web page… (diagram: Web Client (browser), Internet, DNS Server, Web Service, Disk Drive)
1. User requests URL: http://www.psu.edu/webconference
2. Browser / Operating System get the IP address from DNS Server.
3. Browser opens a connection to the web server’s address, specifying port #80, and issues a message: “GET /webconference”. (Messages use HTTP.)
4. Web service looks in its /webconference directory. Because a specific file was not requested, the service checks its rules, and looks for a default name.
5. The web service then copies the file from its directory back to the browser, using HTTP.

5 Terms
Client = computer that wants data
Server = computer with the data
Service = software that provides the data
DNS = Domain Name Service
IP = Internet Protocol
HTTP = Hyper-Text Transfer Protocol
HTML = Hyper-Text Markup Language

6 Things you need to keep in mind (diagram: Web Client (browser), Internet, Corrupted DNS Server, EVIL Web Server, Web Service)
DNS lookups take time and network bandwidth (usually not much, but consider scaling factors), and DNS Servers can be hacked to re-direct clients. The web server with the real data is never contacted.
Exchange shown in the diagram:
Client to corrupted DNS server: “What’s the address for www.psu.edu?”
Corrupted DNS server to client: “www.psu.edu = 000.000.000.666”
Client to EVIL web server: “Give me the data”
EVIL web server to client: “Data: please enter your credit card number…”

7 Things you need to keep in mind (diagram: Internet, Web Service, Disk Drive)
Web servers generally allow anonymous access to their data resources. This is accomplished by aliasing the unknown internet user as an account known to the server (IUSR_Servername, Apache, Anonymous). Data access uses this account’s permissions in the operating system.
Internet to web service: this conversation is anonymous (but can be forced to be authenticated, creating intra/extranets).
Web service to disk drive: this conversation is aliased with a known account name.
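The request flow of slide 4 and the account rule of slide 7, written out as an added Go example; this is not code from the presentation. The service serves a constructed document tree on a loopback port, rewrites a request for a directory to an assumed default name (index.html), and refuses to resolve anything that would land outside its document root, because whatever the aliased account can read under that root is exactly what an anonymous request can reach. The client side does the name lookup, opens the TCP connection and speaks HTTP by hand, which is the exchange the slide draws.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"net/http"
	"os"
	"path"
	"path/filepath"
	"strings"
)

// DefaultDocument is the "default name" the service looks for when a directory
// rather than a file is requested (an assumed name for this example).
const DefaultDocument = "index.html"

// ResolveRequest maps a request path onto a file under docroot, applying the
// default-document rule for directories. The result always stays inside
// docroot, so a request can only reach what the service account may serve from there.
func ResolveRequest(docroot, reqPath string) (string, error) {
	docroot = filepath.Clean(docroot)
	clean := path.Clean("/" + reqPath) // collapses ".", ".." and repeated slashes
	full := filepath.Join(docroot, filepath.FromSlash(clean))
	if full != docroot && !strings.HasPrefix(full, docroot+string(filepath.Separator)) {
		return "", fmt.Errorf("request %q escapes the document root", reqPath)
	}
	info, err := os.Stat(full)
	if err != nil {
		return "", err
	}
	if info.IsDir() {
		full = filepath.Join(full, DefaultDocument)
	}
	return full, nil
}

// StartService serves docroot on a loopback port (steps 4 and 5 of the slide)
// and returns the listening address plus a function that stops the service.
func StartService(docroot string) (string, func(), error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", nil, err
	}
	srv := &http.Server{Handler: http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		file, err := ResolveRequest(docroot, r.URL.Path)
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		data, err := os.ReadFile(file) // read with the service account's OS permissions
		if err != nil {
			http.Error(w, "not found", http.StatusNotFound)
			return
		}
		w.Write(data)
	})}
	go srv.Serve(ln)
	return ln.Addr().String(), func() { srv.Close() }, nil
}

// Fetch plays the browser by hand: net.Dial resolves the name and connects to
// the service port (steps 2 and 3), then an HTTP GET is sent and the HTTP reply read.
func Fetch(addr, reqPath string) (int, string, error) {
	conn, err := net.Dial("tcp", addr)
	if err != nil {
		return 0, "", err
	}
	defer conn.Close()
	host, _, _ := net.SplitHostPort(addr)
	fmt.Fprintf(conn, "GET %s HTTP/1.0\r\nHost: %s\r\n\r\n", reqPath, host) // the message itself is HTTP
	resp, err := http.ReadResponse(bufio.NewReader(conn), nil)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), err
}

func main() {
	docroot, err := os.MkdirTemp("", "docroot") // constructed document tree
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(docroot)
	dir := filepath.Join(docroot, "webconference")
	os.MkdirAll(dir, 0o755)
	os.WriteFile(filepath.Join(dir, DefaultDocument), []byte("<h1>Web Conference</h1>"), 0o644)
	addr, stop, err := StartService(docroot)
	if err != nil {
		panic(err)
	}
	defer stop()
	for _, p := range []string{"/webconference", "/nothing", "/../../etc/passwd"} {
		code, body, err := Fetch(addr, p)
		fmt.Printf("GET %-18s -> %d %q err=%v\n", p, code, body, err)
	}
}
```

Run as a program it prints the three outcomes: the directory request is answered with the default document, the unknown name gets a 404, and the traversal request is cleaned to a path under the document root and also gets a 404 rather than the file it named. The operating-system permissions of the aliased account (slide 7) remain the second layer behind that path check.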

8 Encryption & Authentication (diagram: Web Client (browser), Internet, Certificate Authority Service, Web Service, Disk Drive)
1. Client requests secure connection to service (https:; port 8080)
2. Service responds: “here is my public key”
3. Client to certificate authority: “I am trying to contact a service, here is the key it gave me.”
4. Certificate authority to client: “looks good to me.”
5. Client to web service:

9 Terms
Encryption
Authentication
PKI
 – Public Key
 – Private Key
Certificate
HTTPS

10 A closer look at web services: compiled program using the Common Gateway Interface (CGI) (diagram: Internet, Web Service, Compiled Program, Disk Drive)
CGI programs allow dynamic webpage content; HTML is built when a page is requested, instead of existing statically on disk. Simple uses would be hit-counters, real-time server reports, generating e-mail from web-based forms, etc. Compiled program executes quickly, and code can be kept elsewhere.

11 A closer look at web services: compiled program using the Internet Services Application Program Interface (ISAPI; sometimes called ISAPI filters) (diagram: Internet, Web Service, Compiled Program, Disk Drive)
Microsoft’s answer to CGI. Programs are saved as .DLL files. The web service recognizes hits to particular file types as requests for ISAPI-generated data. Used in MS’s web-based server administration system.

12 A closer look at web services: command interpreter (diagram: Internet, Web Service, Command Interpreter, Disk Drive)
Cold Fusion’s model: put the web service and the command interpreter in one program. This allowed mixing of HTML and program code within a single file. Primary use is for database-driven web pages.

13 A closer look at web services: ISAPI filter that interprets programming code (ASP, PHP) (diagram: Internet, Web Service, ISAPI filter, Disk Drive)
Microsoft introduced Active Server Pages (ASP), which interpret code in the Visual Basic Script (or JavaScript) language. Allowed mixing HTML and programming code. Implemented as an ISAPI .DLL file, building on their previous system. Took advantage of their large base of VB programmers.

14 Other Options (diagram: Internet, Web Service, ISAPI filter that interprets programming code, Compiled Program, Disk Drive)

15 Tying to databases (diagram: Internet, Web Service, Compiled program or ISAPI filter, Database Service, Disk Drive)

16 Tying to databases (diagram: Internet, Web Service, ISAPI filter that interprets programming code, ODBC/JDBC, Database Service (MS-SQL, MySQL, etc.), Disk Drive)

17 Terms
CGI
ISAPI Filter
ASP/PHP/JSP
ODBC/JDBC
CF

18 Security Concerns (diagram: Internet, Web Service, Compiled program or ISAPI filter, Database Service, Disk Drive)
- Scripts are typically run in the context of the web service user (usually an anonymous account)
- Database services usually maintain their own accounts and security permissions (with some really open defaults)
- Communication between the script and the DB must use a DB account

19 Client-side operations (diagram: Web Client: IE, Netscape/Mozilla; crawlers; varying platform capabilities (PDAs, etc.); Internet)
Know your audience. Define your audience & give warnings. You may have to accommodate non-optimal client platforms (and connections).

20 Client-side operations (diagram: Browser: HTML variants; scripting languages (JavaScript, VB-Script); plug-ins to handle non-HTML files; MIME mappings to launch other applications; Java; Internet)
Browser & other applications launched through the browser run in the context of the user, and will be constrained by the user’s permissions. Many e-mail clients work very similarly to web browsers, with scripting, plug-ins, MIME mappings, etc. The big difference is their built-in ability to send messages, allowing worm propagation. Biggest security concern is the user.

21 What about XML? (diagram: Web Client, Data-seeking programs, Internet)
XML is just another language like HTML. XML can be used to hold data, independently of presentation. Data is transferred in XML-encoded format. It is up to the client program to do something with the data: maybe display it; maybe process it; maybe just store it. Put these technologies together and you get “Web Services”. Allows for authoritative sources of data. Basis for .NET and J2EE architectures.

22 Lessons:
- Know your specific architecture. Web developers, web and DB admins, and network admins must all cooperate to secure the server side.
- Don’t tell people who don’t need to know. (“…what every hacker wants!”)
- Understand the contexts where programs will run. The servers/services, accounts used at each step, and target clients are all important.

23 Questions?

