
Application Security:

Web service and E-Mail

(April 11, 2011)

© Abdou Illia – Spring 2011

Learning Objectives

- Discuss general application security
- Discuss web service / e-commerce security
- Discuss e-mail security

General Application Security Issues

Application Security Issues

- Few operating systems but many applications
  - Because operating systems are hardened, most attacks target the applications installed on servers
  - Many applications run with administrative or super user (root) privileges
  - Securing applications is challenging
- Buffer overflow attacks
  - The most widespread vulnerabilities in application programs
  - Buffers are RAM areas where data is stored temporarily
  - If an attacker sends more data than the programmer allocated to a buffer, the buffer might overflow, overwriting an adjacent section of RAM

[Figure: adjacent buffers in RAM (Buffer1 through Buffer7); data overflowing one buffer spills into its neighbour]

Buffer Overflow

- The overflowsample function:
  - Declares a buffer array capable of holding eight ASCII characters
  - Places the buffer in an initialization loop
  - The loop force-feeds 15 "x" into the buffer array through a programming error
  - Only 8 "x" could fit
  - Nine "x" must spill over

A function written in C:

    /* Deliberately flawed: the loop writes past the end of buffer1 */
    void overflowsample(void) {
        char buffer1[8];
        int i;
        for (i = 0; i < 16; i++) {
            buffer1[i] = 'x';
        }
    }

- When the program is run...
  - What will be the value of buffer1[3]? _____, buffer1[15]? _____
  - What would happen?
    a) The part of the function's code designed to check the bounds of the array will prevent any error from happening.
    b) The program will generate an error and terminate.

Buffer Overflow

A deliberately vulnerable login routine in C (gets() and strcpy() never check the size of their destination buffers):

    #include <stdio.h>
    #include <string.h>

    /* get_password() and permit() are not shown on the slide; they are
     * declared here as externals supplied elsewhere */
    char *get_password(const char *name);    /* looks up the stored password for name */
    void permit(void);                        /* grants access */
    void authenticate(char *string1, char *string2);

    int main() {
        char name[8];
        char *etc_passwd;
        char password[8];

        // retrieve the user information
        printf("Enter your name:");
        gets(name);                  /* no bound: input longer than 7 bytes overflows name */
        etc_passwd = get_password(name);
        printf("Enter your password:");
        gets(password);              /* same flaw for password */
        printf("Your name and password entries were %s and %s.", name, password);
        printf("The password for %s in the /etc/shadow file is %s", name, etc_passwd);

        // call procedure to check login authorization
        authenticate(password, etc_passwd);
        return 0;
    }

    void authenticate(char *string1, char *string2) {
        char buffer1[8];
        char buffer2[8];
        strcpy(buffer1, string1);    /* copies until the NUL, regardless of the 8-byte buffer */
        strcpy(buffer2, string2);
        if (strcmp(buffer1, buffer2) == 0)
            permit();
    }

Buffer Overflow

Stack entry: data buffer and return address

[Figure "Stack Entry and Buffer Overflow": a stack entry holds the return address next to the data buffer. 1. The return address is written; 2. data is added to the buffer; 3. data is written in the direction of the return address; 4. the return address is overwritten; 5. start of attacker data.]

- When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries
- The called subprogram may add data to the buffer to the point where it overwrites the return address
- If the added buffer data is attack code, this is a buffer overflow attack

http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/

Buffer Overflow Attack

- Occurs when an ill-written program allows data destined for a memory buffer to overwrite the instructions held in adjacent memory
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD

[Figure: a six-cell buffer (1-6) followed by the instruction area ("Print", "Run Program", "Accept input"). After the input above, cells 1-6 hold A B C D E F and the overflow "LET JOHN IN WITHOUT PASSWORD" overwrites the instruction area.]

Preventing Buffer Overflow

- Use language tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, C++, Assembly, etc.)
  - However, this is usually not possible or practical because almost all modern operating systems are written in the C language
- Eliminate the use of flawed library functions like gets(), strcpy() and strcmp() that fail to check the length or bounds of their arguments
- Design and build security within code
- Use source code scanning tools
  - Example: the PurifyPlus software suite can perform a dynamic analysis of Java, C, or C++ source code

For instance, in the authenticate() function above:

    // replace the following line
    strcpy(buffer2, string2);
    // by
    strncpy(buffer2, string2, 8);

This simple change informs the copy routine that it only has an eight-byte destination buffer and that it must stop the raw copy at eight bytes.
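To show what a bounds-checked version of the slide's authenticate() routine looks like in practice, here is an added example in C. It is not code from the lecture; the names BUF_SIZE, copy_bounded and authenticate_safe are this example's own. One caveat the slide does not mention: strncpy() on its own leaves the destination without a terminating NUL when the source is too long, so the helper below terminates explicitly and reports truncation, and the check denies a truncated input rather than silently comparing a chopped password.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not from the lecture slides): a hardened version of the
 * slide's authenticate() routine. BUF_SIZE, copy_bounded and
 * authenticate_safe are this example's own names. */

#define BUF_SIZE 8

/* Copy at most dst_size-1 bytes and always NUL-terminate.
 * strncpy() alone does not terminate the string when src is too long,
 * so the last byte is set explicitly. Returns 1 if src was truncated. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0) return 1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;   /* 1 when src did not fit */
}

/* Hardened check: never writes past the 8-byte buffers, and refuses any
 * input that would have been truncated instead of comparing a chopped
 * password. Returns 1 to permit, 0 to deny. */
int authenticate_safe(const char *supplied, const char *stored)
{
    char buffer1[BUF_SIZE];
    char buffer2[BUF_SIZE];

    if (copy_bounded(buffer1, sizeof buffer1, supplied)) return 0;
    if (copy_bounded(buffer2, sizeof buffer2, stored))   return 0;
    return strcmp(buffer1, buffer2) == 0;
}

int main(void)
{
    /* constructed sample inputs */
    const char *stored = "s3cret";
    printf("correct password: %d\n", authenticate_safe("s3cret", stored));
    printf("wrong password:   %d\n", authenticate_safe("guess", stored));
    /* 40 bytes would overflow an 8-byte buffer with strcpy(); here it is denied */
    printf("oversized input:  %d\n",
           authenticate_safe("xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx", stored));
    return 0;
}
```

Denying on truncation is a deliberate choice: with plain strncpy() an attacker-supplied 40-byte string would be cut to 7 bytes and compared, so any password whose first 7 bytes matched would pass.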

General Application Security

- Minimize the number of applications
  - Fewer applications on a computer, fewer attack opportunities
- Use security baselines for installation
  - Security baselines improve security
- Add application layer authentication
  - Important for sensitive applications
  - Could be password-based
- Implement cryptographic systems

Web Service Security

Webservice Versus E-Commerce

[Figure: e-commerce software = webserver software (IIS, Apache, etc.) + subsidiary e-commerce software components (DHTML, etc.) + custom programs (in client-side scripting)]

- Webservice includes basic functionalities for
  - Retrieval of static files
  - Creation of dynamic webpages
- E-Commerce requires additional software for
  - Online catalogs
  - Shopping carts
  - Connection to back-end database
  - Connection to organizations for payments, etc.

Webservice Versus E-Commerce

- Web applications could be the target of many types of attacks, such as:
  - Directory browsing
  - Traversal attacks
  - Web defacement
  - Using an HTTP proxy to manipulate the interaction between client and server
  - IIS IPP buffer overflow
  - Browser attacks
  - Time configuration

Web Sites' Directory Browsing

- Web server with directory browsing disabled
  - User cannot get access to the list of files in a directory by knowing or guessing directory names

Web Site with Directory Browsing

- Web server with directory browsing enabled
  - User can get access to the list of files in a directory by knowing or guessing directory names

Traversal Attack

- Normally, paths start at the WWW root directory
- Adding ../ might take the attacker up a level, out of the WWW root box
- If the attacker traverses to the Command Prompt directory in Windows 2000 or NT, they can execute any command with system privileges

Traversal Attacks (Cont.)

- Preventing traversal attacks
  - Companies filter out / and \ using URL scanning software
  - Attackers respond with hexadecimal and UNICODE representations for / and \

ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions

Name               Character  Code     Decimal  Binary    Hex
Null               NUL        Ctrl @   0        00000000  00
Start of Heading   SOH        Ctrl A   1        00000001  01
Space              (space)             32       00100000  20
Exclamation Point  !          Shift 1  33       00100010  22
Plus               +          Shift =  43       00101011  2B
Period             .          .        46       00101110  2E
Forward Slash      /          /        47       00101111  2F
Tilde              ~          Shift '  126      01111110  7E
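As an added example (not part of the lecture), the following C code shows the check that URL-scanning software has to make once the encodings in the chart above are taken into account: decode %XX escapes (with a second pass for double-encoded paths), refuse non-ASCII bytes such as the overlong %c0%af form of /, treat \ like /, and then count how many levels ../ climbs. The function names url_decode and path_within_root and the sample request paths are this example's own constructions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not from the lecture slides. Function names and the
 * sample paths below are this example's own constructions. */

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode %XX escapes from in into out. Returns 0 on success, -1 on a
 * malformed escape or if out is too small, -2 if a decoded byte is >= 0x80
 * (the overlong "UNICODE" spellings of / and \ such as %c0%af land here). */
int url_decode(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int ch;
        if (in[i] == '%') {
            int hi = hex_val(in[i + 1]);
            int lo = (hi >= 0) ? hex_val(in[i + 2]) : -1;  /* never reads past the NUL */
            if (hi < 0 || lo < 0) return -1;
            ch = hi * 16 + lo;
            i += 2;
        } else {
            ch = (unsigned char)in[i];
        }
        if (ch >= 0x80) return -2;
        if (o + 1 >= out_size) return -1;
        out[o++] = (char)ch;
    }
    out[o] = '\0';
    return 0;
}

/* Returns 1 if request_path stays inside the WWW root, 0 if it is
 * malformed, contains non-ASCII bytes, or climbs above the root with ..
 * in any encoding, using / or \ as the separator. */
int path_within_root(const char *request_path)
{
    char pass1[512], path[512];
    int depth = 0;

    if (url_decode(request_path, pass1, sizeof pass1) != 0) return 0;
    /* Attackers double-encode (%252e -> %2e -> .) to get past scanners
     * that decode only once, so decode a second time if escapes remain. */
    if (strchr(pass1, '%') != NULL) {
        if (url_decode(pass1, path, sizeof path) != 0) return 0;
    } else {
        strcpy(path, pass1);               /* pass1 is already bounded to 512 bytes */
    }

    for (char *p = path; *p != '\0'; p++)
        if (*p == '\\') *p = '/';          /* Windows separators count too */

    for (char *seg = strtok(path, "/"); seg != NULL; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (--depth < 0) return 0;     /* climbed above the root */
        } else {
            depth++;
        }
    }
    return 1;
}

int main(void)
{
    /* constructed request paths, not captured traffic */
    const char *samples[] = {
        "/images/logo.png",
        "/images/../index.html",
        "/../private/config.txt",
        "/images/%2e%2e/%2e%2e/private/config.txt",
        "/docs/..%5c..%5cprivate%5cconfig.txt",
        "/docs/..%c0%af..%c0%afprivate/config.txt",
        "/%252e%252e/private/config.txt",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-44s -> %s\n", samples[i],
               path_within_root(samples[i]) ? "serve" : "reject");
    return 0;
}
```

The order matters: decoding must happen before the separator and ".." checks, which is exactly the step the slide's "filter out / and \" approach skips. Rejecting every byte at or above 0x80 is a blunt but safe rule for a server whose document tree uses ASCII names; a server that must accept international file names would instead validate the UTF-8 strictly and reject overlong sequences.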

Website Defacement

- Taking over a web server and replacing the normal web pages with hacker-produced pages
- The effect could last because ISPs cache popular web sites
- Examples of recent website defacements
  - ATTRITION web page hack mirror: http://attrition.org/mirror/
  - Zone-H web site for the most recent attacks: http://www.zone-h.org (check Onhold and Archive)

Manipulating HTTP Requests

- Attackers use proxies to manipulate communications between browsers and web servers
- Example using WebScarab

IIS IPP Buffer Overflow

- The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks
- The jill.c program was developed to launch the attack using:

    GET NULL.printer HTTP/1.0
    Host: 420 byte jill.c code to launch the command shell

- The IIS server responds by launching the command shell (C:\WINNT\SYSTEM32\>), giving the attacker SYSTEM privileges

IIS IPP Buffer Overflow (cont.)

- Link to jill.c code
- Code compilable using gcc jill.c -o jill on Linux
- Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.

IIS IPP Buffer Overflow (cont.)

- Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc

HTTP Requests

- GET
  - By far the most common method used
  - Requests data from the specified host

Example of a request with the GET method:

    GET /index.html HTTP/1.1
    Host: www.example.com

- HTTP defines 8 methods (or "verbs") indicating the desired action to be performed on a resource
  - GET
  - HEAD
  - POST
  - PUT
  - DELETE
  - TRACE
  - OPTIONS
  - CONNECT

HTTP Requests

- HEAD
  - Asks for a response identical to a GET request, but without the response body
  - Useful for retrieving meta-information written in response headers without having to transport the entire content
- POST
  - Submits data to be processed (e.g. from an HTML form) to a server
  - The data is included in the body of the request
- PUT
  - Uploads data to the server
- DELETE
  - Deletes the specified file
- TRACE
  - Echoes back the received request so that a client can see what intermediate servers are adding or changing in the request
- OPTIONS
  - Returns the HTTP methods supported by the server. This can be used to check the functionality of a web server.
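The list of verbs above is also the basis of a simple server-side control: parse the request line and serve only the methods the application actually needs, answering 405 for recognised verbs such as TRACE, PUT and DELETE that are deliberately switched off and 501 for unrecognised ones. The C code below is an added example, not part of the lecture; the struct, the allow-list and the constructed request lines are this example's own choices.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture slides. The struct name, the
 * allow-list and the constructed request lines are this example's own. */

struct request_line {
    char method[16];
    char target[256];
    char version[16];
};

/* Parse "METHOD SP request-target SP HTTP-version". The field widths in
 * the format string bound every copy. Returns 0 on success, -1 if malformed. */
int parse_request_line(const char *line, struct request_line *rl)
{
    char extra[2];
    int n = sscanf(line, "%15s %255s %15s %1s",
                   rl->method, rl->target, rl->version, extra);
    if (n != 3) return -1;                          /* too few or too many tokens */
    if (strncmp(rl->version, "HTTP/", 5) != 0) return -1;
    /* origin-form target (or * for OPTIONS); CONNECT's host:port form is
     * not accepted by this server */
    if (rl->target[0] != '/' && strcmp(rl->target, "*") != 0) return -1;
    return 0;
}

static int in_list(const char *s, const char *const *list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(s, list[i]) == 0) return 1;
    return 0;
}

/* Status code the server should answer with:
 *   200 - method is on the allow-list and the request is routed
 *   405 - one of the 8 defined methods, but this server does not serve it
 *         (TRACE in particular echoes the request, headers included, back to the caller)
 *   501 - not a method this server recognises at all
 *   400 - malformed request line */
int decide_request(const char *line)
{
    static const char *const allowed[] = { "GET", "HEAD", "POST" };
    static const char *const defined[] = { "GET", "HEAD", "POST", "PUT",
                                           "DELETE", "TRACE", "OPTIONS", "CONNECT" };
    struct request_line rl;

    if (parse_request_line(line, &rl) != 0) return 400;
    if (in_list(rl.method, allowed, sizeof allowed / sizeof allowed[0])) return 200;
    if (in_list(rl.method, defined, sizeof defined / sizeof defined[0])) return 405;
    return 501;
}

int main(void)
{
    /* constructed request lines */
    const char *lines[] = {
        "GET /index.html HTTP/1.1",
        "HEAD /index.html HTTP/1.1",
        "TRACE / HTTP/1.1",
        "PUT /upload.txt HTTP/1.1",
        "FOO / HTTP/1.1",
        "GET index.html",
        "GET /x HTTP/1.1 extra",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++)
        printf("%-28s -> %d\n", lines[i], decide_request(lines[i]));
    return 0;
}
```

An allow-list (serve GET, HEAD and POST; refuse everything else) is preferable to a deny-list of known-dangerous verbs, because a new or misspelled method then falls through to 501 rather than to the application.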

Browser Attacks

- Malicious links
  - User must click on them to execute (but not always)
  - Common extensions are hidden by default in some operating systems
    - attack.txt.exe seems to be attack.txt

Browser Attacks (Cont.)

- Common attacks
  - Redirection to an unwanted webpage
  - Scripts might change the registry or the home page
  - Some scripts might "trojanize" your DNS error-handling routine when you mistype a URL
  - Pop-up windows
- Web bugs, i.e. links that are nearly invisible, can be used to track users at a website
  - Domain names that are common misspellings of popular domain names
    - Microsoff.com, www.whitehouse.com (a porn site)

E-Mail

E-Mail Protocols

[Figure: sending e-mail client -> (SMTP, to send) -> sender's mail server -> (SMTP, to send) -> receiver's mail server -> receiving e-mail client]

- Simple Mail Transfer Protocol (SMTP): used to transmit mail in real time to a user's mail server or between mail servers; sender-initiated

E-Mail Protocols

[Figure: receiving e-mail client <- (POP or IMAP, to receive) <- receiver's mail server]

- POP or IMAP: used to download mail to the receiver when the receiver is capable of downloading mail; receiver-initiated
  - Internet Message Application Program (IMAP): more powerful, can manage messages on the receiver's mail server, less widely used
  - Post Office Protocol (POP): simple, losing ground to IMAP

E-Mail Standards

[Figure: message travelling from the sending client through the sender's and receiver's mail servers to the receiving client; message body format standard: RFC 822 or 2822, UNICODE, or HTML body]

- RFC 822 (English ASCII code) or 2822: for all-text bodies
- UNICODE: for all languages
- HTML body: for fancy text and graphics

E-Mail Security

- E-Mail encryption
  - Not widely used because of a lack of clear standards
  - The IETF has not been able to settle upon a single standard because of in-fighting
  - Three standards are used in corporations
    - TLS
    - S/MIME
    - PGP

E-Mail Security

- E-Mail encryption
  - TLS only requires a digital certificate for servers
  - S/MIME requires a PKI for digital certificates
  - PGP uses trust among circles of friends: if A trusts B, and B trusts C, A may trust C's list of public keys
    - Dangerous: misplaced trust can spread bogus key/name pairs widely
