Hypertext for Hyper Techs

Transcription

1 Hypertext for Hyper Techs An Introduction to HTTP for SecPros

2 Bio Josh Little, GSEC ~14 years in IT. Support, Server/Storage Admin, Webmaster, Web App Dev, Networking, VoIP, Projects, Security. Currently a Security Engineer for a major global business intelligence firm.

3 HTTP - What the heck is it... Hypertext Transfer Protocol (HTTP) is an applicationlevel protocol for distributed, collaborative, hypermedia information systems. HTTP exists in two modern forms - HTTP/1.0 and HTTP/1.1. Defined in RFC 1945 and 2068/2616 respectively. Request/response, client/server model

4 What it ain t... HTTP!= HTML - HTTP is a protocol that delivers content and not the content itself HTTP!= tcp/80 - HTTP servers can run on any port and are often found on random high ports.

5 Where You ll Find It Web Servers (obviously - IIS, Apache, etc.) Application Servers (Tomcat, Oracle, JBOSS, etc.) Content distribution servers (e.g. Flash Media server) System, service, & device management consoles

6 HTTP Request/Response Model HTTP Request HTTP Response GET /index.html HTTP/1.1 Host: User-Agent: Mozilla/4.0 Cookie: JSESSIONID=AFKFF9384FFJG HTTP/ OK Date: Mon, 10 Jul :00:00 GMT Server: Apache/ (Unix) (Red-Hat/Linux) Last-Modified: Wed, 06 Jul :11:55 GMT Accept-Ranges: bytes Content-Length: 66 Connection: close Content-Type: text/html; charset=utf-8 <HTML><head><title>Test</title></head><body> Content</body></html>

7 Just Asking For It... HTTP Request Format <VERB> <URI> <PROTOCOL><crlf> <HEADER NAME>: <HEADER VALUE><crlf> <crlf>

8 What s your address? URI = Uniform Resource Identifier Refers to a resource, either by location or namespace URL = Uniform Resource Location scheme:// username:password@domain:port/path? query_string#fragment_id URLs are URIs. HTTP uses absolute or relative URLs for accessing content resources.

9 Standard HTTP Methods GET URI string contains all parameters passed. Retrieves specified resource GET /index.php?cat=toys&sort=byprice&ret=25 POST Delivers specified data to server resource Data contained in message body

10 More Standard Methods HEAD Returns only the expected headers for given resource

11 One Last Method... OPTIONS Returns the valid methods for a given URI, as well as any other optional server features. Fingerprint a URI

12 Specialized Methods CONNECT - Used by HTTP Proxies for TCP Tunneling TRACE/TRACK - Used for debugging/loopback PUT/DELETE - Used by WebDAV servers (file system over HTTP)

13 Protocol Versions Two major versions still supported - HTTP/1.0 & HTTP/ 1.1 Most servers respond to both protocols Limited features & efficiencies in HTTP/1.0

14 HTTP/1.0 Only requires the basic HTTP resource request for connections. Limited support for caching and compression. One connection, one request. HTTP/1.1 Requires Host Header Multiple cache control options. HTTP Pipelining - multiple requests per connection. OPTIONS method. Digest and Proxy authentication

15 Headers Headers are Name:Value pairs used to adjust client/ server behavior and relate information. HTTP RFC defines a standard set of headers, but custom headers can also be set, if both client and server understand them.

16 Request Headers Host Defines virtual host alias Host: Cookie User-Agent Referer Attaches relevant cookie values to requests Defines the client creating the request Defines the URL the client is coming from Cookie: CG=US:WI:Milwaukee User-Agent: Mozilla/5.0 Referer: Content-Length Length of message body, in decimal octets Content-Length: 365

17 Response Headers Server Set-Cookie Content-Type Via Relates the reported version of the HTTP Server Defines a new cookie for the client Defines the MIME type of the content being served Defines any proxies the response was sent through Server: Apache/ (Debian) Set-Cookie: arrowspc=1; domain=.cnet.com; path=/; expires=fri, 19-Aug :30:04 GMT Content-Type: text/html Via: HTTP/1.0 phx1-rb-revapp2.cnet.com:80 (cnwk.proxy.servlet.pathproxy Servlet $Revision: $)

18 Response Codes Each Response begins with the responding protocol version and the server s response code. Code is a numeric value and a short description. Content returned is dependent on the request, application, and server platform.

19 Common Response Codes 200 OK Request successful 302 Found Resource temporarily found elsewhere 400 Bad Request Request contains syntax errors 403 Forbidden Server refused to fulfill the request 404 Not Found 500 Internal Error The resource requested does not exist on the server An error occurred on the server that prevented the request.

20 Example HTTP Request/Responses GET / HTTP/1.1 Host: User-Agent: Mozilla/5.0 HTTP/ OK Date: Wed, 20 Jul :11:15 GMT Server: Apache Last-Modified: Tue, 10 Feb :39:52 GMT ETag: " d00c6e00" Accept-Ranges: bytes Content-Length: 560 Vary: Accept-Encoding Content-Type: text/html <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" " <html xmlns=" <head> <meta http-equiv="content-type" content="text/html; charset=iso " /> <title>zombie Tango</title> <link href="/css/styles.css" rel="stylesheet" type="text/css" /> </head> <body> <div id="container"> <div id="logo"><a href="/blog" alt="click to enter site"><img src="/img/ ztlogo_lg.jpg" alt="do the Zombie Tango..." title="do the Zombie Tango..." /></a></div> </div> </body> </html>

21 Example HTTP Request/Responses GET /w/api.php?action=opensearch&search=h&namespace=0&suggest= HTTP/1.1 Host: en.wikipedia.org Connection: keep-alive Referer: X-Requested-With: XMLHttpRequest User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/ (KHTML, like Gecko) Chrome/ Safari/ Content-Type: application/x-www-form-urlencoded Accept: application/json, text/javascript, */* Accept-Encoding: gzip,deflate,sdch Accept-Language: en-us,en;q=0.8 Accept-Charset: ISO ,utf-8;q=0.7,*;q=0.3 Cookie: clicktracking-session=fe6cd33goczlwhsm6dg6ejvmvo3khihaz; mediawiki.user.bucket %3Aext.articleFeedback-tracking=8%3Atrack; hidesnmessage=1; mediawiki.user.bucket %3Aext.articleFeedback-options=8%3Ashow HTTP/ OK Date: Wed, 20 Jul :01:09 GMT Server: Apache Cache-Control: max-age=86400, s-maxage=86400, public Expires: Thu, 21 Jul :01:09 GMT Content-Encoding: gzip Vary: Accept-Encoding Content-Length: 134 Content-Type: application/json; charset=utf-8 Age: 857 X-Cache: HIT from sq35.wikimedia.org X-Cache-Lookup: HIT from sq35.wikimedia.org:3128 X-Cache: MISS from sq73.wikimedia.org X-Cache-Lookup: MISS from sq73.wikimedia.org:80 Connection: keep-alive

22 State Management HTTP Stateless by nature Up to the application to determine how it associates traffic with discrete users E.g. Cookie values, Basic/Digest Authentication

23 HTTP & Security

24 General Security Concerns HTTP Servers are everywhere Misconfigured HTTP Servers leak information about your architecture HTTP Servers are typically the most exposed public service Two areas for attack - the HTTP server/protocol itself and the content that it serves.

25 Attacks against HTTP HTTP Response Splitting - Using unsanitized input to trick the client into seeing two different responses by adding a <crlf> string and additional content. Headers and content can be controlled. Man-in-the-middle attacks - HTTP is very susceptible to MitM attacks due to ASCII nature of protocol. DoS Attacks/Slowloris - Consuming or overloading server processes

26 In Strict Confidence... Unencrypted HTTP very easy to intercept and read Secure HTTP (HTTP/S) attempts to mitigate this Uses SSL/TLS to encrypt complete HTTP payload No part of HTTP packet, including headers, available outside the SSL session. Increased use of HTTP/S means decreased visibility into traffic by traditional security tools (IDS, DLP, content filters, etc.)

27 Cookie Monster Many HTTP-based applications use cookies for authentication/statetracking Cookie = Username/password Cross-domain restrictions prevent cookie disclosure outside originating domain. XSS flaws can disclose cookies to bad guys. Cookie security mechanisms - Secure & HTTPOnly

28 Tools of the Trade Doing it by hand - Telnet and ncat curl & wget Web browsers Local proxies - BURP, WebScarab, Zed Attack Proxy, Fiddler Firefox plugins - TamperData, Groundspeed

29 ?