CSC 482/582 Assignment #2
Securing SimpleWebServer Due: September 29, 2015
The goal of this assignment is to learn how to validate input securely. To this purpose, students will add a feature to upload files to SimpleWebServer example from section 2.4 of Foundations of Security and ensure that all HTTP request input is properly validated. The SimpleWebServer code can be downloaded along with all the examples from the book from the book web site. You can find a link to the source code on the Readings page of the class web site.
It is possible on Windows that your local firewall may prevent SimpleWebServer from lis-tening on TCP port 8080. You will need to configure your firewall to permit this access to do this lab. If you are uncomfortable with doing this, then you can develop your lab on the department server, kosh.nku.edu, or you may develop it on a virtual machine.
1
Recommended Readings
You should read the associated book sections and refer to the manuals below: • Foundations of Security, sections 2.4, 3.1.
• RFC 2616 HTTP/1.1, http://www.w3.org/Protocols/rfc2616/rfc2616.html, sec-tions 9.3, 9.6, and 10.4.
2
Resources Required
You will need the following data and tools to create and test the software: • SimpleWebServer source code.
• A Java 7 compiler.
• curl, downloadable from http://curl.haxx.se/.
• netcat, downloadable from http://netcat.sourceforge.net/.
You can install software packages like curl on your Linux virtual using the Advanced Pack-aging Tool with commands like sudo apt-get install curl.
You can find SimpleWebServer.java in the Chapter2 subdirectory of the textbook’s source code archive. If you want to test SimpleWebServer from another machine, you can run both curl and netcat from the department server, kosh.nku.edu.
3
Compiling and Running on Linux
While you may write your code on any platform, you must compile and run the final version of your code on your Linux virtual machine. You can transfer files to and from the virtual
machine using a free secure file transfer protocol (SFTP) client like sftp on Linux or MacOS or WinSCP on Windows. To find the IP address of the Linux VM, use the ifconfig command.
Java expects source code to be in a directory structure that mirrors the Java class name structure, so you will need to first create a directory.
$ mkdir -p com/learnsecurity $ cd com/learnsecurity
After copying your source code file to that directory, you can compile and run it as follows. $ javac SimpleWebServer.java
$ cd ../..
$ java com.learnsecurity.SimpleWebServer
The program produces no output will wait for input from the network. To send it output, open another terminal window and run netcat in that window to connect with our web server running on port 8080 of the local machine.
$ nc localhost 8080
If you hit the ENTER key, then the SimpleWebServer program from the book will crash. If you enter a valid HTTP request in the form GET url, where url is replaced with the path to the file you want to access, SimpleWebServer should return the file.
4
Program Requirements
4.1
File Upload
Add the ability to upload files in a secure manner using the HTTP PUT method to SimpleWebServer. The PUT method for HTTP/1.1 is specified in section 9.6 of RFC 2616. Your web server
should send the appropriate response codes to valid and invalid PUT requests as explained in section 9.6 of the RFC. Further documentation of response codes is available in section 10. An example of a PUT request is shown below:
PUT /path/to/uploaded/file.jpg HTTP/1.1 Content-Type: image/jpeg
Content-Length: 1185
Body containing binary JPEG data follows blank line.
To submit a PUT request to your web server, you can use the curl command as follows: $ curl --upload-file file.jpg http://localhost:8080/remote/path/f.jpg
4.2
HTTP Request Validation
Modify the processRequest() method to validate the HTTP request sent by the browser. This method currently does no validation and will crash if it is sent some types of invalid input, including a blank request. Your modified version of SimpleWebServer should not crash, no matter how much, how little, or what type of input is received. It should meet the following requirements in addition to not crashing:
1. Accept properly formatted GET and PUT requests. SimpleWebServer must return an HTTP response code 501 to all requests other than GET or PUT. It must return an HTTP response code 505 to all HTTP versions other than 1.0 and 1.1. SimpleWeb-Server must return an HTTP response code of 400 to malformed requests, including any request not of the format REQUEST URL HTTP/version.
2. Limit the size of accepted URLs to 1KB. If a browser requests a URL longer than 1KB, SimpleWebServer must return an HTTP response code 414, with appropriate error message.
3. Check that all HTTP headers have the proper format of a header name followed by a colon, a space, and a value. SimpleWebServer must return an HTTP response code of 400 to requests with malformed headers.
4. Ensure the presence of the Content-Length required header for PUT requests. Sim-pleWebServer should return a 411 HTTP response code for a missing Content-Length header.
4.3
Path Validation
In addition to checking HTTP request syntax, SimpleWebServer needs to validate URLs. In particular, a malicious user could submit an HTTP request to SimpleWebServer that would access files outside of the web server’s working directory. For example, by using a URL path component such as ../../../etc/shadow, the password hashes could be downloaded with a GET request or perhaps overwritten with a PUT request if the web server has permission to write to the password database.
A correctly implemented web server must enforce access control to ensure that no files outside of the working directory can be accessed. In this section, you will show how this vulnerability can be exploited in the book’s code and implement the best possible fix for it.
1. Show how the vulnerability can be exploited in the version of SimpleWebServer that comes with the book. In your report, provide an example of such an HTTP request with an explanation of how it works and what file it would provide access to that a secure web server would refuse to provide.
2. Fix the vulnerability by canonicalizing the URL path component then performing an access check to verify that the requested file is located in the web server’s working
directory or below it. Return a 403 Forbidden HTTP response code, as documented in section 10.4.4 of RFC 2616, when a path above the working directory is requested. 3. Document your fix. As part of your assignment report, include a paragraph explain-ing the design of your security fix, includexplain-ing an explanation of how it prevents path manipulation attacks from occuring.
5
Test Requirements
Test both the original SimpleWebServer and your modified version of that program with both acceptable and unacceptable inputs, including at least one of each of the following test cases:
1. A blank HTTP request (just send a newline). 2. An HTTP request without a URL.
3. An HTTP request without an HTTP version. 4. An HTTP request with an invalid HTTP version. 5. An HTTP request with more than 3 components. 6. A request with a URL smaller than 1KB.
7. A request with a URL larger than 1KB.
8. A POST request (which is not supported by SimpleWebServer.) 9. A GET request to an allowable path.
10. A GET request to a path above the working directory. 11. A PUT request to an allowable path.
12. A PUT request to a path above the working directory.
The curl command is useful for testing PUT requests, but it cannot make the malformed HTTP requests described above that you need to test your HTTP request validation code with. To send malformed requests to SimpleWebServer, use netcat.
6
Deliverables
For this assignment, you need to turn in a hardcopy of your assignment report in class and e-mail to me an electronic attachment named a4-lastname-firstname.zip with your actual last name and first place used in place of the placeholders.
Your electronic assignment submission should include:
1. A document in Open Document Text (ODT) format beginning with a one to two paragraph summary of your sections and divided into four sections. Three of the sections must have the names of the subsections of the program requirements: File Upload, HTTP Request Validation, and Path Validation. The last section must be named Testing. The three program requirements sections must describe the changes made to the source code for each section above and the reasons why you made
those changes. The Testing section should describe your testing process, including the precise inputs and commands used, along with the results observed (for both the original and modified versions of SimpleWebServer) and descriptions of whether or not the results were correct.
2. Modified source file, SimpleWebServer.java, which includes // format comments be-ginning with your name before each group of lines that you changed in the source code.
