
Web Securities



Presentation Transcript


  1. Web Securities Bingoo 2012-05-13

  2. Wireless network: TP_LINK_42AC76, password: linkage123

  3. Who am I? • 黄进兵 (bingoohuang) • Programmer? Coder?

  4. Who are you?

  5. Relaxed • Interactive • Short quiz

  6. Security incident review • Brute-force attack on top-up/payment passwords • Intrusion into the top-up discount logic • Mall 2.0: full product catalogue leaked • Mall 2.0: full user database leaked • …

  7. Outline • AM • Http Basics • Tools • Performance • PM • Attacks • Encoding & Encryption

  8. Hypertext Transfer Protocol (HTTP) Objective: understand HTTP (the protocol that makes the Web possible) Refs: RFC 1945 (HTTP/1.0), RFC 2616 (HTTP/1.1); 2012-03-12: draft-19 of the revised HTTP/1.1 specifications

  9. Bit of History • Mar '89 – T. Berners-Lee presents "Information Management: A Proposal" • Aug '91 – Announces the WWW • Mar '93 – Mosaic announced • Mar '94 – Netscape founded • Oct '94 – W3C founded by T. Berners-Lee

  10. OSI & TCP/IP protocol suite • OSI is a reference model

  11. OSI & TCP/IP protocol suite… • The TCP/IP protocol suite is the stack actually implemented on the Internet; its layers map only loosely onto the OSI reference model

  12. The Communication (diagram: Browser → Internet → Proxy → LB → Web Server → App Server → DB Server; client sends GET /, server answers 200 OK with index.html, then GET /js.js, GET /pic.jpg, 200 OK, more content…)

  13. The Communication • …. or simply

  14. HTTP Usage • HTTP is the protocol that supports communication between web browsers and web servers • A "web server" is an HTTP server • Most clients and servers today speak version 1.1, but 1.0 is also in use

  15. From the RFC “HTTP is an application-level protocol with the lightness and speed necessary for distributed, hypermedia information systems.”

  16. Accessing Resources over the Web • <protocol>://<server>/<path> • The whole string is the address (Uniform Resource Locator) • <protocol> is the communication protocol between the client and the server

  17. Hypertext Transport Protocol (HTTP) characteristics • Request-response mechanism: • Transaction is initiated by a client sending a request to server • Server generates a response • Resource Identification • Each HTTP request includes a URI (Uniform Resource Identifier) • Statelessness • The server does not maintain any information about the transaction • Meta data support • Metadata about information can be exchanged in the messages

  18. HTTP Request Format
      Request line (specifies the request method and the resource URI):
        GET /index.html HTTP/1.0
      Header lines (meta data):
        Host: www.content-networking.com
        Date: <date>
        User-Agent: Mozilla/5.0 (en) (WINNT; U)
        Accept-Language: en-us
        Content-Length: <length of message body>
      Blank line (carriage return / line feed)
      Message body (message payload)

  19. Request Methods • GET • Retrieves whatever information is identified by the Request-URI • Can fetch static content and data produced by a program • POST • Submits information to the web server • E.g. posting to a blog, submitting a user form… • The information is carried in the message body • The actual function depends on the request URI
      Example:
        POST /phonebook.cgi HTTP/1.0
        Date: <date>
        User-Agent: <agent>
        Accept-Language: en-us
        Content-Length: 14

        98490 55266
      Looks up the phone book for the number. This could also have been done with GET, but then the number would have been part of the resource URL, and URLs are written to the server log.
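The framing on slide 18 and the GET-versus-POST point on slide 19 can be checked with a few lines of Python. The parser below is an added example, not code from the slides: it splits a raw HTTP/1.0 request into request line, headers and Content-Length body, extracts the submitted field from either the query string or the body, and writes the Common Log Format line a web server would record. The two requests, the /phonebook.cgi path and the phone number are constructed for illustration.

```python
"""Parse raw HTTP/1.0 requests and show where a submitted value ends up.

Added example; the requests, host and number below are constructed.
"""
from urllib.parse import parse_qs, urlsplit


def parse_request(raw: bytes):
    """Return (method, target, version, headers, body).

    Framing as on slide 18: request line, header lines, an empty line
    (CRLF CRLF), then a body whose length is given by Content-Length.
    """
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body = rest[:length]
    if len(body) != length:
        raise ValueError("body shorter than Content-Length")
    return method, target, version, headers, body


def submitted_fields(method, target, headers, body):
    """Return the form fields the request carries, wherever they were placed."""
    if method == "GET":
        return parse_qs(urlsplit(target).query)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        return parse_qs(body.decode("iso-8859-1"))
    return {}


def access_log_line(method, target, version, status=200, size=0):
    """Common Log Format entry: the request line is logged, the body never is."""
    return (f'10.0.0.7 - - [13/May/2012:10:00:00 +0800] '
            f'"{method} {target} {version}" {status} {size}')


# Constructed requests: the same lookup, once via the query string, once via the body.
GET_REQ = (b"GET /phonebook.cgi?number=9849055266 HTTP/1.0\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n\r\n")

POST_REQ = (b"POST /phonebook.cgi HTTP/1.0\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 17\r\n\r\n"
            b"number=9849055266")


def number_in_log(raw: bytes) -> bool:
    """True if the submitted number would appear in the server's access log."""
    method, target, version, headers, body = parse_request(raw)
    number = submitted_fields(method, target, headers, body)["number"][0]
    return number in access_log_line(method, target, version)


if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ):
        m, t, v, h, b = parse_request(raw)
        print(m, t, "->", submitted_fields(m, t, h, b))
        print("   log:", access_log_line(m, t, v))
        print("   number logged:", number_in_log(raw))
```

The same field is recovered from both requests, but only the GET form leaves the value in the access log (and in proxy logs, browser history and Referer headers along the way), which is why secrets such as passwords and tokens belong in the body, never in the URL.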

  20. Get • You know GET • Retrieval of information • Transfers a representation of a resource from the server to the client • Safe & idempotent

  21. Example exchange:
      GET /user/ramsey HTTP/1.1
      Host: atom.example.org

      HTTP/1.1 200 OK
      Date: Tue, 22 Sep 2009 17:28:14 GMT
      Server: Apache/2.2.11 (Unix) DAV/2 PHP/5.3.0
      X-Powered-By: PHP/5.3.0
      Content-Length: 594
      Content-Type: application/atom+xml;type=entry

      <?xml version="1.0" encoding="utf-8"?>
      <entry xmlns="http://www.w3.org/2005/Atom" xml:base="http://atom.example.org/">
        <title>ramsey</title>
        ...
      </entry>

  22. Request Methods…contd (ii) • HEAD • The server's response does not include a message body • Useful for getting resource metadata without transferring the resource • Also useful for debugging and for checking validity, accessibility and modification • PUT • Asks the server to store the enclosed data under the supplied Request-URI • Creates the resource if it does not exist • Rarely enabled for web publishing; where it is enabled it must be restricted to authenticated and authorized clients • DELETE • Removes the web object • Must be used carefully for security reasons

  23. Request Methods…contd (iii) • TRACE • Invokes a remote application-layer loop-back of the request message • Useful for testing what is being received at the server • Can also be forwarded through intermediaries for debugging purposes • OPTIONS • Requests information about the communication options available on the server

  24. Safe methods • GET & HEAD should not take any action other than retrieval • These are considered safe • This allows user agents to represent POST, PUT & DELETE in a special way (e.g. warn before re-submitting)

  25. Idempotence • Side-effects of N > 0 identical requests is the same as for a single request • GET, HEAD, PUT and DELETE share this property • OPTIONS and TRACE are inherently idempotent

  26. HTTP Response Format
      Status line (result code and phrase):
        HTTP/1.0 200 OK
      Header lines (server and resource meta data):
        Date: <date>
        Server: Apache/1.3.12 (Unix)
        Last-Modified: <date>
        Content-Type: text/html
        Content-Length: <length of message body>
      Blank line (carriage return / line feed)
      Message body (message payload)

  27. Result Code and Phrase • 1xx: Informational – not done yet • 2xx: Success – you win • 3xx: Redirection – you lose, but try again • 4xx: Client Error – you lose, your fault • 5xx: Server Error – you lose, my bad • 200 OK • 204 No Content • 300 Multiple Choices • 301 Moved Permanently • 302 Moved Temporarily • 304 Not Modified • 400 Bad Request • 401 Unauthorized • 404 Not Found • 500 Internal Server Error

  28. Try it with telnet
      > telnet www.cs.rpi.edu 80
      GET / HTTP/1.0              <- request line
                                  <- blank line (end of headers)
      HTTP/1.0 200 OK             <- response
      Server: Apache
      ...

  29. Try it with telnet, HTTP/1.1
      > telnet www.cs.rpi.edu 80
      GET / HTTP/1.1
      Host: www.cs.rpi.edu        <- required in HTTP/1.1!
                                  <- blank line (end of headers)
      HTTP/1.0 200 OK
      Server: Apache
      ...

  30. Improvements in HTTP/1.1 • Persistent connections • The connection stays open after the server's response • Either client or server may close it • Request pipelining • Allows a client to send several requests without waiting for the responses • The server responds in the same order • Chunked encoding • Allows the sender to break a message body into arbitrarily sized chunks • Useful for dynamically generated responses whose length is not known up front
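On a persistent, pipelined connection the client must find where each response ends, since nothing else separates them: either Content-Length gives the body size, or Transfer-Encoding: chunked frames it as hex-sized chunks ending in a zero-size chunk. The reader below is an added example, not code from the slides; the three-response byte stream it is run on is constructed.

```python
"""Split one persistent HTTP/1.1 connection's byte stream into responses.

Added example; the response stream is constructed: three pipelined
responses, one framed by Content-Length, one chunked, one with an empty body.
"""


def read_headers(stream: bytes, pos: int):
    """Return (status_line, headers, position after the blank line), from pos."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def read_chunked(stream: bytes, pos: int):
    """Decode a chunked body: hex size line, data, CRLF, until a zero-size chunk.

    Returns (body, position after the terminating blank line).
    """
    body = bytearray()
    while True:
        eol = stream.index(b"\r\n", pos)
        size_field = stream[pos:eol].split(b";", 1)[0]   # drop chunk extensions
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            end = stream.index(b"\r\n\r\n", pos - 2)     # skips trailers, if any
            return bytes(body), end + 4
        body += stream[pos:pos + size]
        pos += size
        if stream[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not terminated by CRLF")
        pos += 2


def read_responses(stream: bytes):
    """Return [(status_code, body), ...] for every response in the stream, in order.

    A response with neither Content-Length nor chunked encoding has no
    delimiter on a persistent connection, so it is rejected rather than
    guessed at.
    """
    out, pos = [], 0
    while pos < len(stream):
        status_line, headers, pos = read_headers(stream, pos)
        code = int(status_line.split(" ")[1])
        if "chunked" in headers.get("transfer-encoding", "").lower():
            body, pos = read_chunked(stream, pos)
        elif "content-length" in headers:
            n = int(headers["content-length"])
            body, pos = stream[pos:pos + n], pos + n
            if len(body) != n:
                raise ValueError("body truncated")
        else:
            raise ValueError("unframed body on a persistent connection")
        out.append((code, body))
    return out


# Constructed stream: three responses to three pipelined requests.
STREAM = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: 5\r\n\r\nhello"
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
    b"HTTP/1.1 304 Not Modified\r\nContent-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for code, body in read_responses(STREAM):
        print(code, body)
```

Both framing rules are implemented strictly: a chunk must be terminated by CRLF, a Content-Length body must be complete, and a message with neither length indicator is refused instead of being read "until close", which is the only safe behaviour when more responses may follow on the same connection.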

  31. Handling Statelessness • HTTP is a stateless protocol • i.e. the server has a bad memory • Cookies to the rescue • Cookies: • are small name/value records stored by the client browser • maintain a session by carrying state information • are data, not executable code • Cookie attributes: • name=value • expires=value • domain=value • path=value • Secure • HttpOnly (originally a browser extension, standardized in RFC 6265)

  32. Cookies • HTTP is a stateless protocol • Cookies manage state by shifting the storage burden to the client • Over plain HTTP cookies are transmitted in clear text (security issue)
      Exchange: 1st client request: usual HTTP request → usual HTTP response, including the header line Set-Cookie: <cookie>. 2nd client request: usual HTTP request, including the header line Cookie: <cookie> (the client does not interpret the cookie string; the server is presented with the state information it previously handed out) → usual HTTP response.
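What the browser actually does with the attributes listed on slide 31 (domain, path, Secure, HttpOnly) is shown by the small cookie jar below. It is an added example, not code from the slides: it parses Set-Cookie headers, decides which cookies to attach to a given request URL, and reports which cookies page scripts could read. The hosts, names and values are constructed; expires is ignored to keep the example short.

```python
"""A minimal client-side cookie jar honouring domain, path, Secure and HttpOnly.

Added example; the hosts and cookie values are constructed.
"""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool
    http_only: bool


def parse_set_cookie(header: str, request_host: str) -> Cookie:
    """Parse a Set-Cookie header value.

    The first pair is name=value; the rest are attributes. Domain defaults to
    the responding host and Path to '/'.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name, value, request_host.lower(), "/", False, False)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie.domain = val.strip().lstrip(".").lower()
        elif key == "path":
            cookie.path = val.strip() or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
    return cookie


def domain_matches(host: str, domain: str) -> bool:
    """Host is the cookie domain itself or a subdomain of it."""
    host = host.lower()
    return host == domain or host.endswith("." + domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    return request_path == cookie_path or request_path.startswith(cookie_path.rstrip("/") + "/")


def cookie_header(jar, url: str) -> str:
    """Build the Cookie request header a browser would send to url."""
    u = urlsplit(url)
    path = u.path or "/"
    sent = []
    for c in jar:
        if not domain_matches(u.hostname, c.domain):
            continue
        if not path_matches(path, c.path):
            continue
        if c.secure and u.scheme != "https":
            continue            # Secure cookies never travel over plain HTTP
        sent.append(f"{c.name}={c.value}")
    return "; ".join(sent)


def script_visible(jar):
    """Names document.cookie would expose: HttpOnly cookies stay hidden."""
    return [c.name for c in jar if not c.http_only]


# Constructed jar, as if set by three responses from shop.example.com.
JAR = [
    parse_set_cookie("SESSIONID=abc123; Path=/; Secure; HttpOnly", "shop.example.com"),
    parse_set_cookie("lang=en; Domain=example.com; Path=/", "shop.example.com"),
    parse_set_cookie("cart=42; Path=/checkout", "shop.example.com"),
]

if __name__ == "__main__":
    for url in ("https://shop.example.com/checkout", "http://shop.example.com/",
                "https://evil.example.org/"):
        print(url, "->", repr(cookie_header(JAR, url)))
    print("visible to scripts:", script_visible(JAR))
```

The session cookie is only ever sent over https and never exposed to document.cookie, which is exactly the combination (Secure + HttpOnly) that keeps it out of both the clear-text transmission problem on slide 32 and script access on the page.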

  33. User Authentication • The user's browser caches the credentials and includes them in the headers of subsequent requests • The browser typically discards cached credentials when it is closed • HTTP allows various authentication mechanisms
      Exchange: 1st client request: usual HTTP request → HTTP response with code 401, including the header line WWW-Authenticate: <string1>; the user inputs credentials; the same HTTP request is repeated with the header line Authorization: <string2> → usual HTTP response. 2nd client request: usual HTTP request, already including Authorization: <string2> → usual HTTP response.
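The 401 challenge and Authorization reply on slide 33, worked through for HTTP Basic authentication. This is an added example, not code from the slides; the realm, user and password are constructed. It shows both ends: how the browser builds the header and how a server should decode and verify it.

```python
"""HTTP Basic authentication: the challenge, the client header, the server check.

Added example; the credential store, realm, user and password are constructed.
Basic credentials are only base64-encoded, not encrypted: without TLS anyone
on the path can read them.
"""
import base64
import hmac

USERS = {"bingoo": "s3cret"}       # constructed credential store
REALM = "Web Securities"


def challenge():
    """Status and headers for an unauthenticated request (1st exchange on the slide)."""
    return 401, {"WWW-Authenticate": f'Basic realm="{REALM}"'}


def authorization_header(user: str, password: str) -> str:
    """What the browser adds once the user has typed credentials."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def decode_credentials(header: str):
    """Server side: recover (user, password) from an Authorization header, or None."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:          # binascii.Error and UnicodeDecodeError both derive from it
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle(headers: dict):
    """Return (status, response headers) the server would answer with."""
    auth = headers.get("Authorization")
    if not auth:
        return challenge()
    creds = decode_credentials(auth)
    if creds is None:
        return 400, {}
    user, password = creds
    expected = USERS.get(user, "")
    # compare_digest keeps the comparison time independent of the password contents.
    ok = user in USERS and hmac.compare_digest(expected.encode(), password.encode())
    return (200, {}) if ok else challenge()


if __name__ == "__main__":
    print(handle({}))
    hdr = authorization_header("bingoo", "s3cret")
    print(hdr, "->", decode_credentials(hdr), "->", handle({"Authorization": hdr}))
    print(handle({"Authorization": authorization_header("bingoo", "wrong")}))
```

The decoded header is plainly the user name and password joined by a colon, which is the reason Basic authentication (and the cookie exchange before it) only makes sense over TLS, the subject of the next slides.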

  34. HTTP • Plain HTTP is insecure! • Subject to eavesdropping and man-in-the-middle attacks • HTTPS: HTTP over TLS (formerly SSL) • Uses port 443 by default • Based on public key cryptography

  35. SSL: Secure Web Communications • SSL protocol is application independent • Operates between application layer and transport layer • Application protocols such as HTTP sit on top of it and TCP/IP beneath it • SSL provides:

  36. How SSL Works • The server's key pair is generated from random input: the public key is published in its certificate, the private key is known only to the server • Data encrypted with the public key can be decrypted only with the private key
      Exchange (RSA key exchange): client sends an HTTPS request → server sends its SSL certificate containing its public key → client generates a random session key, encrypts it with the server's public key and sends it → server decrypts it with its private key → all further requests and responses are encrypted with the session key.

  37. Ensuring SSL version compatibility • SSL/TLS exists in several protocol versions, and within a version the encryption algorithms are negotiated as a cipher suite • The browser sends the versions and cipher suites it supports • The server sends its certificate. The certificate includes: • The identity of the organization to which the web server belongs • The certificate's expiration date • The public key • The identity of the organization that issued the certificate, known as a certification authority (CA) • Browsers ship with and recognize the certificates of a number of well-known CAs

  38. What it does and what it does not

  39. HTTP Problems • Single request per connection • Exclusively client-initiated requests • Uncompressed request and response headers • Redundant headers • Optional data compression • Source: http://dev.chromium.org/spdy/spdy-whitepaper

  40. SPDY (pronounced "SPeeDY") • Allow many concurrent HTTP requests to run across a single TCP session. • Reduce the bandwidth currently used by HTTP by compressing headers and eliminating unnecessary headers. • Make SSL the underlying transport protocol, for better security and compatibility with existing network infrastructure. • Enable the server to initiate communications with the client and push data to the client whenever possible.

  41. cURL • User + password authentication • Basic, Digest, NTLM, Negotiate, Kerberos • Proxy • Resume • Cookies • Proxy tunneling • SSL certs • HTTP range requests • UA spoofing • Wireshark • gzip/deflate

  42. The real cURL • HTTP, HTTPS • FTP, FTPS • SCP • SFTP, TFTP • TELNET • LDAP • DICT • POP • SMTP • RTMP • RTSP

  43. HTTP • GET requests are simple:
      $ curl "google.com/search?q=ilugc"
      $ curl --user-agent "Mozilla/5.0 [en] (X11; U; Linux 2.6.28 i386)" "http://google.com/search?q=ilugc"
      • POST requests are also simple with curl ;-)
      $ curl --data-urlencode input=value http://example.com/cgi
      • Proxy (--proxy names the proxy, --proxy-user supplies the proxy credentials):
      $ curl --proxy proxyhost:8080 --proxy-user proxyuser:proxypassword curl.haxx.se

  44. Introducing Fiddler Web Debugging for Performance and Operations www.fiddler2.com/perf/

  45. Intercepting Web Traffic

  46. Fiddler for Performance • Measure / analyze / simulate the end-user experience • Measure request size and page weight • Analyze caching, compression and page composition • Simulate low-speed / high-latency connections

  47. Performance Statistics
