Internet infrastructure

Transcription

1 Internet infrastructure Prof. dr. ir. André Mariën

2 Web servers HTTP protocol Request/reply operation MIME-like format for both Requests Replies Data model initially: File system like: /.../.../.../x.y Content: text/plain, text/html, text/gif

3 Importance of HTML, initially Mark-up language Declarative GUI production Supports hyperlinks Hide addressing Multi-media: Formatted text Images Forms

4 URI <protocol> :// <address> <request> Address: Request examples path?querystring HTTP URL " "//" host [ ":" port ] [ abs_path ] Others LDAP, IMAP, FTP, NEWS, MAILTO

5 HTML essentials Markup <TAG>...</TAG> <TAG ATT1= val1 ATT2= val2 >...</TAG> Anchors <A HREF= URL >text/image</a> Embedded content, example: images <IMG SRC= URL >

6 HTML drawbacks HTML is based on SGML Lots of freedom and defaults: difficult to parse Liberal parsing and interpretation in the browsers Barely structure validation Proper nesting Browser incompatibilities

7 XML Drops some complexity of HTML Must have end tag Structure validation Empty elements better defined <TAG/> Replaces ASN.1 as structure description

8 CSS and XSLT HTML became more and more complex Introduced more and more formatting No longer what, but also how Cascading Style Sheets: Separates layout from structure, again XSLT: Powerful rewriting tool for XML

9 Web clients A.k.a. Browsers Multi-protocol client HTTP, FTP, LDAP,... Successor of Gopher clients Multi-media Text Image

10 Extensions: client side Javascript Scripting language To animate content To check forms To create dynamically content Java Active regions Much more control

11 Extensions: client side: activex Programs with full access Trust based on signing Trust is unlimited: yes or no Integrates very well in the MS client platforms Plug-ins Many examples PDF plug-in Flash (shockwave) Helper applications Separate applications Launched after confirmation to handle specific content

12 Extensions: server side Dynamic content: early systems CGI: common gateway interface Launch external program for content generation SSI: server side includes ml

13 CGI operation Coupling: start separate process Loose coupling Independence of language, run-time,... API Parameter passing via process environment Caller sets relevant variables Main drawback Process started per request

14 SSI <!--#command tag1="value1 tag2="value2" --> Main commands: Include Echo Exec virtual/file document_name, date_local,... CGI variables Cmd/CGI

15 SSI: grandfather of others JSP: java server pages ASP: active server pages PHP: hypertext preprocessor Coldfusion...

16 ASP: <%... %> <% =date %> : insert current date <% =monthname(month(now)) %> Script within HTML: <a href= <%=weekdayname(weekday(now))%>.htm > Link of the Day </a>

17 ASP example script The hour is <% if hour(now) = 0 then %> midnight. <% end if if hour(now) = 12 then %> noon. <% end if if (hour(now) >= 1) and (hour(now) <= 11) then =hour(now) %> o'clock AM. <% end if if (hour(now) >= 13) and (hour(now) <= 23) then =hour(now) - 12 %> o'clock PM. <% end if %>

18 ASP & SSI combined <% if TheName="John" then %> <!--#include virtual="/file1.html" --> <% else %> <!--#include virtual="/file2.asp" --> <% end if %>

19 ASP Session management <% Session("permission")="YES" Session("username")="Joe" %>... Hi <% =Session("username") %>! shared application data <% Application.Lock Application("pagevisits") = Application("pagevisits")+1 Application.Unlock %> Page views: <% =Application("pagevisits") %>

20 ASP: request & response Request object Request.cookies( key ); Response object Response.cookies( otherkey );

21 Dynamic content styles HTML + mark-up Preprocessor Mark-up: special delimiters for processing Code inside HTML ASP, PHP, coldfusion Language embedding Program scripts containing HTML mark-up Perl scripts, servlets

22 Preprocessing HTML + mark-up processes preprocessor webservers HTML Files/database

23 Language embedding script processes Script interpreter webservers HTML Files/database

24 Dynamic content: problems Separation of duties Web designers Web developers Preprocessing Web designers write code Language embedding Developers design pages

25 JSP Strongly related to servlet technology Servlets: Java technology to handle web requests Implemented with servlet runners

26 Servlet runners Client connections HTTP listener Persistent connections servlet runner To Back-end

27 Servlets Standard Java interface Servlet HTTPServlet Provides Request and Response objects HTTPServlet: methods doget dopost doput Servlets: sessions & applications HTTPSession object ServletContext: application context

28 JSP Looks like a preprocessing page HTML with embedded tags Executes as a servlet Language embedding flavor Translation is automatic No interpretation during execution

29 JSP tags See the JSP tag syntax pages: some tags Declaration: <%! Circle a = new Circle(2.0); %> Expression: <%= new java.util.date() %> Directive: <%@ include file="copyright.html" %>

30 JSP examples insert date: <HTML> <BODY> Hello! The time is now <%= new java.util.date() %> </BODY> </HTML> more complex example <BODY> <% // This scriptlet declares and initializes "date" System.out.println( "Evaluating date now" ); java.util.date date = new java.util.date(); %> Hello! The time is now <% out.println( date ); out.println( request.getremotehost()); %>

31 JSP Directives page import="java.util.*" %> include file="hello.jsp" %> Defining methods <%! Date thedate = new Date(); Date getdate() { System.out.println( "In getdate() method" ); return thedate; } %> Hello! The time is now <%= getdate() %>

32 Important concept: usebean Beans: objects with simple interface JSP writers: GUI designers Should not write code Should use beans Should include bean properties Beans: written by developers

33 JSP: beans Beans: <jsp:usebean id="mymap" scope="session" class=" .map" /> <jsp:setproperty name="mymap" property="name" param="name" /> <% mymap.setaction( "delete" ); %>

34 HTTP basics Request: GET /x/y/h.html HTTP/1.0 Reply 200 HTTP/1.0 OK Message Headers: content-type: text/html Body: <HTML>...</HTML>

35 Essential protocol features Basic authentication 401: authorization required Authorization header Redirects Initially to allow content migration Now: link control measures POST besides GET Full MIME-style content inside requests HTTP/1.1: RFC 2068 Protocol version HTTP/x.y 0.9, 1.0, 1.1

36 Request syntax Request-Line *( general-header request-header entity-header ) CRLF [ message-body ]

37 Request-response Request Line Method Request-URI HTTP- Version CRLF Method: GET, HEAD, POST PUT, DELETE, TRACE OPTIONS Request Header Accept, Accept-Charset, Accept-Encoding, Accept- Language Authorization, Proxy- Authorization, Host If-Modified-Since Referer, User-Agent Response Status-Line *( general-header response-header entity-header ) CRLF [ message-body ]

38 status code 1xx: Informational - Request received, continuing process 2xx: Success - The action was successfully received, understood, and accepted 3xx: Redirection - Further action must be taken in order to complete the request 4xx: Client Error - The request contains bad syntax or cannot be fulfilled 5xx: Server Error - The server failed to fulfill an apparently valid request

39 Status Codes 1xx "100" ; Continue "101" ; Switching Protocols 2xx "200" ; OK "201" ; Created "202" ; Accepted "203" ; Non-Authoritative Information "204" ; No Content "205" ; Reset Content

40 Status Code 3xx "300" ; Multiple Choices "301" ; Moved Permanently "302" ; Moved Temporarily "303" ; See Other "304" ; Not Modified "305" ; Use Proxy 4xx "400" ; Bad Request "401" ; Unauthorized "402" ; Payment Required "403" ; Forbidden "404" ; Not Found "405" ; Method Not Allowed "406" ; Not Acceptable "407" ; Proxy Authentication Required

41 Status Codes 4xx (Cont.) "408" ; Request Time-out "409" ; Conflict "410" ; Gone "411" ; Length Required "412" ; Precondition Failed "413" ; Request Entity Too Large "414" ; Request-URI Too Large "415" ; Unsupported Media Type 5xx "500" ; Internal Server Error "501" ; Not Implemented "502" ; Bad Gateway "503" ; Service Unavailable "504" ; Gateway Time-out "505" ; HTTP Version not supported

42 Headers General headers: Connection, proxying, cache Response headers: Authentication, redirection, caching Entity headers: Content related

43 Headers General Headers Cache-Control Date Pragma Transfer-Encoding Via Response Header Location Proxy-Authenticate Server WWW-Authenticate Entity Header Content-Base, Content- Encoding, Content- Language, Content- Length, Content- Location, Content-Type ETag Expires, Last-Modified

44 Authentication Generic client -> request server reply: 401 unauthorized Plus server header: how-to WWW-authenticate: <scheme> <realm> [, <param>] client -> request Repeats request but adds authorization information Authorization: <credential> Basic Authentication Scheme Server reply: 401 unauthorized WWW-Authenticate: Basic realm="wallyworld Client request Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== base64(uid:password): QWxhZGRpbjpvcGVuIHNlc2FtZQ== Note Base64 is encoding, not encryption digest authentication: see RFC 2069

45 End-to-end and Hop-by-hop Headers End-to-end headers: transmitted to the ultimate recipient Hop-by-hop headers: meaningful only for a single transport-level connection HTTP/1.1 hop-by-hop Headers Connection Keep-Alive Public Proxy-Authenticate Transfer-Encoding All other headers: end-to-end

46 Proxies Incoming (reverse) proxies Outgoing proxies Secure hop Authorization enforcement Caching proxy

47 Proxies client client Outgoing Proxy internet Reverse Proxy Web Server client

48 Outgoing proxy Proxy protocol Request contains URL GET HTTP/1.0 Proxy authentication Browser control

49 Reverse proxy Normal HTTP protocol No specific authentication Fits in security zone concept Network zone containing proxy service zone containing web server Application zone containing application server

50 WEB APPLICATION FIREWALLS

51 What is a WAF? OWASP: a security solution on the web application level which - from a technical point of view - does not depend on the application itself Broad: covers many technological solutions Separate hardware boxes (appliances) Reverse proxy filters WASC "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."

52 References OWASP_Best_Practices:_Use_of_Web_Applica tion_firewalls Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN

53 Fundamental issue the web was not designed for such complex applications which are currently state of the art. Core protocol: HTTP HTTP is not stateful sessions or stateful applications must be defined separately and implemented securely. high degree of complexity of the web scripts, frameworks and web technologies frequently used leads to vulnerabilities Ubizen

54 Features Problem Cookie protection Information leakage Session riding (CSRF) Session timeout Parameter tampering Data validation (relating to field/content/context/appl) Countermeasure Cookies can be signed, encrypted, completely hidden or replaced Cookies can be linked to the client IP Cloaking filter: outgoing pages can be cleaned (error messages, comments, undesirable information) URL encryption / token Timeout for active and inactive (idle) sessions can be specified Parameter URL encryption (GET), parameter encryption (GET and POST) Site usage enforcement: sequence of URLs can be fixed or can be detected length, constant value/range of values whitelist and/or blacklist canonalisation of the data Ubizen

55 Concerns Yet-another-proxy argument: increased complexity of the IT infrastructure) Keeping the WAF configured Training the WAF Follow releases of the web application The frameworks Testing False positives In-stream, so can block business More complex troubleshooting Cost-effectiveness Just do it in the applications? Ubizen