Web Application Security

Prof. Sukumar Nandi
Indian Institute of Technology Guwahati

Outline
• Web Application basics
• Web Network Security
• Web Host Security
• Web Application Security
• Best Practices
• Questions?

Web Application basics

[Figure: an "n-tier" web application. Tiers shown: Web Apps, Application, Databases.]
How are they connected?
• The Web Client (normally a browser) issues a request to the Web Server using HTTP/HTTPS.
• The Web Server processes the request and builds a web page using resources such as databases.
• This web page is returned to the Web Client, which displays it to the user.
Web Network Security

Network Security elements
• Router Security
• DDoS Security
• Firewalls
• Network Intrusion Detection System
• Host Intrusion Detection System

Router Security
• Use SSH rather than Telnet for accessing the router.
• Close all unwanted services (HTTP, NTP, etc.).
• Add infrastructure ACLs to protect the routers themselves from malicious attacks.
Basics of a DDoS Attack: Automated DDoS Attack

[Figure: 1 the attacker's DDoS client initiates a scan; 2 vulnerable hosts are compromised; 3 the attack tool is installed on each compromised host, which becomes a DDoS agent; 5 a massive DDoS attack is launched and the DDoS traffic floods the Victim Network.]
Internet Router Policy

Ingress filtering:
• deny all RFC 1918 and special-use addresses from entering the corporate network
• deny all traffic with an IP source address of the corporate network or branch networks
• permit all other traffic

Internet Router Configuration (Cisco IOS extended ACL; 144.254.0.0/16, 171.71.32.0/27 and 192.150.42.0/27 are the corporate and branch networks in this example)

    access-list 133 deny ip host 0.0.0.0 any
    access-list 133 deny ip 127.0.0.0 0.255.255.255 any
    access-list 133 deny ip 10.0.0.0 0.255.255.255 any
    access-list 133 deny ip 172.16.0.0 0.15.255.255 any
    access-list 133 deny ip 192.168.0.0 0.0.255.255 any
    access-list 133 deny ip 192.0.2.0 0.0.0.255 any
    access-list 133 deny ip 169.254.0.0 0.0.255.255 any
    access-list 133 deny ip 240.0.0.0 15.255.255.255 any
    access-list 133 deny ip 144.254.0.0 0.0.255.255 any
    access-list 133 deny ip 171.71.32.0 0.0.0.31 any
    access-list 133 deny ip 192.150.42.0 0.0.0.31 any
    access-list 133 permit ip any any

The second address in each line is an IOS wildcard mask (an inverted netmask), so 0.15.255.255 covers 172.16.0.0/12 and 0.0.0.31 covers a /27. The list only takes effect once it is applied inbound on the Internet-facing interface, and because it ends with an explicit permit, anything not listed is let through.
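To make the filter's behaviour checkable, here is an added example (not from the slides) that parses the ACL above in IOS syntax, converts wildcard masks to prefixes, and evaluates a packet's source/destination against it in first-match order with the implicit deny at the end. The ACL text is embedded as constructed sample input; the corporate/branch networks are the ones the slide uses as placeholders.

```python
import ipaddress

# Constructed sample: the slide's ingress filter in Cisco IOS extended-ACL syntax.
# 144.254.0.0/16, 171.71.32.0/27 and 192.150.42.0/27 play the role of the
# corporate and branch networks whose addresses must never arrive from outside.
INGRESS_ACL = """\
access-list 133 deny ip host 0.0.0.0 any
access-list 133 deny ip 127.0.0.0 0.255.255.255 any
access-list 133 deny ip 10.0.0.0 0.255.255.255 any
access-list 133 deny ip 172.16.0.0 0.15.255.255 any
access-list 133 deny ip 192.168.0.0 0.0.255.255 any
access-list 133 deny ip 192.0.2.0 0.0.0.255 any
access-list 133 deny ip 169.254.0.0 0.0.255.255 any
access-list 133 deny ip 240.0.0.0 15.255.255.255 any
access-list 133 deny ip 144.254.0.0 0.0.255.255 any
access-list 133 deny ip 171.71.32.0 0.0.0.31 any
access-list 133 deny ip 192.150.42.0 0.0.0.31 any
access-list 133 permit ip any any
"""


def wildcard_to_network(addr, wildcard):
    """Turn an IOS address/wildcard pair into an IPv4Network.

    IOS wildcard masks are inverted netmasks: 0 bits must match, 1 bits are
    "don't care", so 0.15.255.255 means a /12.
    """
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    # Only contiguous masks map onto a CIDR prefix.
    if mask != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError("non-contiguous wildcard mask: " + wildcard)
    return ipaddress.IPv4Network((addr, prefix), strict=False)


def _parse_endpoint(tokens):
    """Parse one source/destination spec; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    return wildcard_to_network(tokens[0], tokens[1]), tokens[2:]


def parse_acl(text):
    """Return an ordered list of (action, protocol, src_net, dst_net)."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 6 or t[0] != "access-list":
            continue
        # access-list <number> <permit|deny> <protocol> <source> <destination>
        action, proto = t[2], t[3]
        src, rest = _parse_endpoint(t[4:])
        dst, _ = _parse_endpoint(rest)
        rules.append((action, proto, src, dst))
    return rules


def evaluate(rules, src_ip, dst_ip, proto="ip"):
    """First matching rule wins; an IOS ACL ends with an implicit deny."""
    s, d = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    for action, p, src, dst in rules:
        if p in ("ip", proto) and s in src and d in dst:
            return action
    return "deny"


RULES = parse_acl(INGRESS_ACL)

if __name__ == "__main__":
    # Spoofed private, spoofed corporate, and an ordinary outside address.
    for ip in ("10.1.2.3", "144.254.9.9", "203.0.113.5"):
        print(ip, "->", evaluate(RULES, ip, "144.254.1.1"))
```

The parser handles only the subset of the syntax the slide uses (`ip` rules with `any`, `host` and address/wildcard endpoints), which is enough to confirm that a packet claiming a corporate source address from outside is dropped while an unlisted public source is permitted.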
Web Host Security

Host based IDS
• Protecting individual hosts is necessary.
• Sometimes internal computers are the first point of attack of email-based worms and viruses.
• A good patching system is also required.
• Security updates for software packages installed on the computer should be installed regularly.
Web Application Security

What is so unique about web application security?

[Figure: Internet -> Firewall -> Web Server -> Data Base Server. N-BIOS, FTP and RPC are stopped at the firewall, but HTTP(S) is passed through to the Web Server and on to the database, so an attack carried inside an HTTP(S) request goes straight through the network perimeter.]
Are Web Apps vulnerable?
• Attractive targets yielding high-value results
  • Credit card numbers
  • Bank account information
  • Confidential information
  • Personal email
• Conventional security solutions (SSL and firewalls) are not adequate
• Often developed in house: poor code and frequent updates
• Gartner: most cyber attacks were at the application level

Web App vulnerability list
1. Unvalidated Parameters
2. Broken Access Control
3. Broken Account and Session Management
4. XSS Flaws
5. Buffer Overflows
6. Command Injection Flaws
7. Error Handling Problems
8. Insecure Use of Cryptography
9. Remote Administration Flaws

1. Unvalidated Parameters
• Web apps use this information (the parameters of the request) to generate web pages
1. Unvalidated Parameters (contd.)
• Unvalidated input: never trust input from a user
• A malicious user can tamper with anything and try to:
  • cause errors to occur that give up information
  • overflow a buffer
  • modify parameters
• Common attacks:
  • modifying the URL
  • SQL injection
  • Cross Site Scripting
  • session hijacking with cookie modification
• CGI code will look like (don't worry about this part!):
    v_cat = request("category")   # v_cat = 10
    sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
    set rs = conn.execute(sqlstr)
• Database will execute:
    SELECT description FROM product WHERE category='10'

1. Unvalidated Parameters (contd.): SQL Injection
• A little more difficult
• Insert an SQL statement where the application does not sufficiently validate input
• Vulnerable CGI code forwards the malicious statement to the database
• The database is indifferent: it executes the statement and sends the results back to the user
• CGI code will look like (don't worry about this part!):
    v_cat = request("category")   # v_cat = 10' UNION SELECT name, pwd FROM admins;--
    sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
    set rs = conn.execute(sqlstr)
• Database will execute:
    SELECT description FROM product WHERE category='10' UNION SELECT name, pwd FROM admins;--'
  (-- comments out the rest of the statement, here the closing quote the application appended.)
• Caveat: a UNION only works when both SELECTs return the same number of columns. The application's query returns one column and this payload selects two, so a real database would reject the statement as written; an attacker would select name and pwd one at a time, or concatenate them into a single column.
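An added, runnable version of the slide's example (not the lecture's own code): the same concatenated query against an in-memory SQLite database with constructed `product` and `admins` rows, the UNION payload adjusted to a single concatenated column so that it actually succeeds, the parameterised query that defeats it, and a check showing why the slide's two-column payload is rejected.

```python
import sqlite3

# Working payload: one column on both sides of the UNION, comment swallows the trailing quote.
PAYLOAD = "10' UNION SELECT name || ':' || pwd FROM admins --"


def build_db():
    """Constructed in-memory stand-in for the slide's product and admins tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (category TEXT, description TEXT);
        CREATE TABLE admins  (name TEXT, pwd TEXT);
        INSERT INTO product VALUES ('10', 'Widget');
        INSERT INTO product VALUES ('20', 'Gadget');
        INSERT INTO admins  VALUES ('root', 's3cret');
    """)
    return conn


def vulnerable_lookup(conn, v_cat):
    """The slide's CGI code, line for line: the value is concatenated into SQL text."""
    sqlstr = "SELECT description FROM product WHERE category='" + v_cat + "'"
    return [row[0] for row in conn.execute(sqlstr)]


def safe_lookup(conn, v_cat):
    """Parameterised query: v_cat is bound as data and can never change the statement."""
    return [row[0] for row in conn.execute(
        "SELECT description FROM product WHERE category=?", (v_cat,))]


def two_column_union_fails(conn):
    """The slide's literal payload selects two columns against a one-column query;
    the database rejects it, which is why PAYLOAD concatenates name and pwd."""
    try:
        vulnerable_lookup(conn, "10' UNION SELECT name, pwd FROM admins --")
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", vulnerable_lookup(db, PAYLOAD))   # leaks root:s3cret
    print("safe:      ", safe_lookup(db, PAYLOAD))         # no such category, nothing leaks
    print("2-col UNION rejected:", two_column_union_fails(db))
```

The string-concatenation operator (`||`) is SQLite's; on SQL Server the equivalent payload uses `+`, and on MySQL `CONCAT()`. The parameterised form is the "limited interface" the Command Injection slide refers to as PreparedStatement.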
2. Broken Access Control
• Access control is how you keep one user away from other users' information
• The problem is that many environments provide authentication, but don't handle access control well
• Many sites have a complex access control policy
• Insidiously difficult to implement correctly
• Key Points
  • Write down your access control policy
  • Don't use any "ids" that an attacker can manipulate
  • Implement access control in a centralized module

3. Broken Account and Session Management
• Account Management
  • Handling credentials across the client-server gap
  • Backend authentication credentials too
• Session Management
  • HTTP is a "stateless" protocol. Web apps need to keep track of which request came from which user
  • "Brand" sessions with an id using a cookie, hidden field, URL tag, etc.
• Key Points
  • Keep credentials secret at all times

4. XSS Flaws
• Don't try to strip out active content: too many variations. Use a "positive" specification.
• Few people check HTML/JavaScript code, and sometimes links are Unicode-encoded and hard to read
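The two key points above, "don't use ids an attacker can manipulate" and "centralize access control", are shown together in this added example (not from the lecture). Users, accounts and passwords are constructed sample data; the session id is a random token rather than anything derived from the user, and every handler funnels through one `authorize()` function. `view_balance_broken` is the usual mistake: it authenticates but then trusts the client-supplied account id.

```python
import hmac
import secrets

# Constructed sample data: two users, each owning exactly one account record.
USERS = {"alice": "pw-alice", "bob": "pw-bob"}
ACCOUNTS = {
    101: {"owner": "alice", "balance": 500},
    102: {"owner": "bob", "balance": 900},
}


class SessionStore:
    """Server-side session table: the cookie value is a random token, never a user id."""

    def __init__(self):
        self._sessions = {}  # session id -> username

    def login(self, user, password):
        expected = USERS.get(user)
        # compare_digest avoids leaking the credential through comparison timing.
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not guessable or sequential
        self._sessions[sid] = user
        return sid

    def user_for(self, sid):
        return self._sessions.get(sid)


def authorize(user, account_id):
    """The single place where the access-control policy lives: owner-only access."""
    acct = ACCOUNTS.get(account_id)
    return acct is not None and acct["owner"] == user


def view_balance_broken(store, sid, account_id):
    """Authentication only: any logged-in user can read any account by changing the id."""
    if store.user_for(sid) is None:
        return None
    acct = ACCOUNTS.get(account_id)
    return None if acct is None else acct["balance"]


def view_balance(store, sid, account_id):
    """Authentication plus the centralised authorization check."""
    user = store.user_for(sid)
    if user is None or not authorize(user, account_id):
        return None
    return ACCOUNTS[account_id]["balance"]


def run_scenario():
    """Alice logs in and asks for Bob's account (id 102) through both handlers."""
    store = SessionStore()
    sid = store.login("alice", "pw-alice")
    return {
        "broken_reads_bobs_account": view_balance_broken(store, sid, 102),
        "fixed_reads_bobs_account": view_balance(store, sid, 102),
        "fixed_reads_own_account": view_balance(store, sid, 101),
        "forged_session": view_balance(store, "not-a-real-session-id", 101),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Passwords are kept in clear text here only to keep the focus on sessions and authorization; the cryptography slide later covers how they should be stored.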
5. Buffer Overflows
• Web applications read all types of input from users
  • Libraries, DLLs, server code, custom code, exec
• C and C++ code is vulnerable to buffer overflows
  • Input overflows the end of the buffer and overwrites the stack
  • Can be used to execute arbitrary code
• Key Points
  • Don't use C or C++ for the web application itself
  • Be careful about reading into buffers
  • Use safe string libraries correctly

6. Command Injection Flaws
• Web applications involve many interpreters
  • OS calls, SQL databases, templating systems
• Malicious code
  • Sent in the HTTP request
  • Extracted by the web application
  • Passed to the interpreter, executed on behalf of the web app
• Key Points
  • Use extreme care when invoking an interpreter
  • Use limited interfaces where possible (PreparedStatement)
  • Check return values
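The OS-call case of command injection, as an added example rather than lecture material: a request value spliced into a shell command line, the same call made through an argv list with no shell (the "limited interface"), and positive validation in front of it. `echo` stands in for whatever tool the endpoint really wraps (for instance `ping`) so that the example runs anywhere without side effects; the hostname regex is an assumption about what the endpoint should accept.

```python
import re
import subprocess

# A hostname is the only thing this endpoint should ever accept (positive validation).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

# `echo` stands in for the real tool (e.g. ping) so the example runs harmlessly offline.
TOOL = "echo"


def run_tool_vulnerable(host):
    """The injection pattern: the request value becomes part of a shell command line,
    so /bin/sh interprets ';', '|', '`' and '$()' inside it as syntax."""
    proc = subprocess.run(TOOL + " " + host, shell=True, capture_output=True, text=True)
    return proc.stdout


def run_tool_safe(host):
    """Limited interface: an argv list and no shell, so the value is exactly one argument."""
    proc = subprocess.run([TOOL, host], capture_output=True, text=True)
    if proc.returncode != 0:  # check return values, as the slide says
        return None
    return proc.stdout


def run_tool_validated(host):
    """Defence in depth: reject anything outside the hostname alphabet before calling out."""
    if not HOSTNAME_RE.match(host):
        return None
    return run_tool_safe(host)


if __name__ == "__main__":
    evil = "example.com; echo INJECTED"
    print(repr(run_tool_vulnerable(evil)))   # second command runs
    print(repr(run_tool_safe(evil)))         # whole string is one harmless argument
    print(repr(run_tool_validated(evil)))    # rejected before anything runs
```

The argv form alone already stops the injection; the regex is there because some tools interpret their own arguments (a leading `-` becomes an option), which no amount of shell avoidance fixes.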
7. Error Handling Problems: Application Hacking

[Figure: screenshot of a verbose database error page that reveals full path names, the table name, the field name and the database name.]

• Key Points:
  • Make sure error screens don't print stack traces
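Added example (not from the slides) of the error-message customization the closing slide also calls for: the leaky page returns the traceback, which carries exactly the path, table and column names the screenshot shows; the fixed handler logs that detail server-side under a reference id and returns only the id to the client. The failing query is constructed so that its message names a table.

```python
import logging
import sqlite3
import traceback
import uuid

log = logging.getLogger("webapp")


def render_error_leaky(exc):
    """What a default error page does: hands the stack trace, with file paths and
    table/column names, to whoever triggered the error."""
    return "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))


def render_error(exc):
    """Log everything server-side under a reference id; tell the client only the id."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s\n%s", ref, render_error_leaky(exc))
    return "Something went wrong. Quote reference %s when contacting support." % ref


def trigger_db_error():
    """Constructed failing query whose message names a table, as a real one would."""
    try:
        sqlite3.connect(":memory:").execute("SELECT pwd FROM admins")
    except sqlite3.OperationalError as exc:
        return exc


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    err = trigger_db_error()
    print("--- leaky page ---\n" + render_error_leaky(err))
    print("--- customised page ---\n" + render_error(err))
```

The reference id is what lets support staff find the full trace in the server log without any of it reaching the browser.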
8. Insecure Use of Cryptography
• Use cryptography to store sensitive information
• Algorithms are simple to use; integrating them is hard
• Rethink whether you need to store the information at all
• Don't store user passwords: store a hash instead. A plain fast hash such as SHA-256 is not enough on its own; salt each password and use a deliberately slow password-hashing function (PBKDF2, bcrypt, scrypt or Argon2)
• The "master secret" can be split into two locations and assembled at run time
  • Configuration files, external servers, within the code

9. Remote Administration Flaws
• Many sites allow remote administration
• Very powerful, often hidden interfaces
• Separate the admin application from the main app
• Limit the scope of remote administration
• Consider strong authentication
  • Smart card or token
• Key Points:
  • Keep up with patches (Code Red, Slammer)
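Added example (not from the lecture) of the password-storage point: a bare SHA-256, which is what the slide's wording suggests, beside a salted PBKDF2-HMAC-SHA256 hash with a stored iteration count and a constant-time verify. PBKDF2 is used because it is in the Python standard library; bcrypt, scrypt or Argon2 are equally valid choices. The iteration count is an assumption drawn from current OWASP guidance.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; 600,000 follows current OWASP guidance. Raise as hardware allows.
ITERATIONS = 600_000


def plain_sha256(password):
    """What 'a hash like SHA-256' literally gives: unsalted and fast, so equal passwords
    hash equally across users and an attacker can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None):
    """Salted, slow hash. The result records algorithm, iterations and salt so that
    verification (and later re-hashing with a higher count) has what it needs."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), dk.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    pw = "correct horse"
    print("sha256 (same for every user):", plain_sha256(pw))
    stored = hash_password(pw)
    print("stored record:", stored)
    print("verify ok:", verify_password(pw, stored), "wrong:", verify_password("battery", stored))
```

Because each record carries its own random salt, two users with the same password get different stored values, and a precomputed table of SHA-256 digests is useless against them.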
Best Practices: How to protect Web Apps?
• How to stop Web application attacks:
  • Error message customization
  • Restricted access to sensitive information
  • Patch Web servers
  • Remove sensitive pages from search-engine indexes (Google)
  • Regularly perform application testing
  • Deploy a web application firewall
  • Deploy an IPS that analyzes application-level traffic

Questions?