210 likes | 276 Vues
Web Application Security. Introduction. Security is a process of authenticating users and controlling what a user can see or do. Server. Web. DB Server. 3-tier architecture. Web Browser. Some Internet Security Protocols. Application Layer Security Electronic mail security
E N D
Introduction • Security is a process of authenticating users and controlling what a user can see or do
Server Web DB Server 3-tier architecture Web Browser
Some Internet Security Protocols • Application Layer Security • Electronic mail security • PGP (Pretty Good Privacy) • S/MIME (Secure Multi-Purpose Internet Mail Extensions) • Transport Layer Security • SSL/TLS (Secure Sockets Layer/Transport Layer Security ) • SSH (Secure Shell ) • Network Layer Security • IP Security (IPsec) • Infrastructure protection • DNSSEC (DNS Security Extensions) • SNMPv3 security (Simple Network Management Protocol Version 3)
How do you measure security? • Does 128-bit encryption make you feel safer?
The client • Common web browser • Communicates to server with HTTP (PUT, POST, GET) • HTML markup language for layout of pages • Scripting languages built into client to control client side content and communications with server dynamically • Cookies to store state
The server • Analyses HTTP requests from client and responds accordingly. • Either send plain HTML page • Process query data and send back dynamically produced page to client.
The web server • Common examples: Apache, IIS. • These servers and the host’s have their own security problems • Server side programming • Perl, ASP (Jscript/VBScript), PHP, C
The DBMS • SQL • DBMS • Microsoft SQL server • Oracle • MySQL • DB2 • These DBMS also have their own security problems
Attacks • On the server • Using “out of the box” security holes to gain escalated privileges, or execute commands on the server. • Make the server do something it is not supposed to do. • Examples • ColdFusion, Showcode.asp, FrontPage, etc. etc. etc.
Attacks • Through holes found using a common security scanner • Scanners simply request a fixed file name to see if the file exists or not • Assumes that exploitable files/server have not been patched, can bring false positives • Old techniques, but effective. • EASY to protect against.
Attacks • On out of the box applications • Attacker can setup and audit the application in their own environment • If one goes down, they all do • Targets of common scanners
Attacks • On custom applications • More difficult to audit • “Black box” auditing techniques • Looks for common stupid mistakes
Case one • IIS Security hole used to view ASP • Database settings extracted • SQL server live to internet • Information from server-side scripts used to connect to server
Case two • ASP not filtering input • Able to directly manipulate SQL query • Manipulating the SQL query extracts a valid cookie and creates the password
The problems? • Unfiltered user input • User data not checked and can be crafted to manipulate processing on the server to reveal file contents or bypass and gain access • Backdoor straight to the Crown Jewels
The enablers • Reliance on cryptography for security • Security through obscurity • Poor development • Poor experience • Limited resources • Awareness • Monitoring and plan
The solution(s) • Good initial setup • Programming practices • Internal Audits • Awareness • Updates, patches and hotfixes
The solution(s) • Intrusion detection • Network design • System architecture
Keep (Last Building in Castle to Fall) Moat / Main Gate Outer Perimeter Controlling Castle Access Inner Perimeter Stronghold, Higher Walls produce containment area Between Inner / Outer Perimeters Security Analogy
Keep Outer Perimeter Inner Perimeter Stronghold Internet Security Crown Jewels Internal Firewall Internet Internal Network DMZ Mission Critical Systems