Lecture 11: Web Application Security (part 1)
Computer and Network Security, 4th of January 2016
Computer Science and Engineering Department
CSE Dep, ACS, UPB Lecture 11, Web Application Security (part 1) 1/37
Support
- The Web Application Hacker's Handbook, 2nd Edition, Chapters 3, 4, 5, 6
Overview
- part 1: Web Application Technologies, Mapping the Application, Attacking Authentication, Path Manipulation
- part 2: Injecting OS Commands, Injecting into SQL, Cross-Site Scripting, Input Sanitization
Why Web Application Security
- Shopping
- Social Networking
- Banking
- Auctions
- Gambling
- Web logs
- Web mail
- Interactive information
Application Security Content
- applications are highly interactive
- applications nowadays are dynamic and rely on user input
- there are multiple types and values of input a user may submit
- an application should consider what valid input is, and its responses to both valid and invalid input
- input validation, sanitization
Outline
- Web Application Technologies
- Mapping the Application
- Attacking Authentication
- Session Management
- Path Manipulation
- Conclusion
HTTP. HTTP Messages
- Hypertext Transfer Protocol
- request-response, plain text
- TCP, port 80; port 443 for HTTPS
- methods, headers and content, usually HTML
- resources accessible from URIs/URLs
- stateless: the connection is closed after each request-response
HTTP Methods
- GET: retrieve a resource; variables may be passed in the URL as ?var1=value1&var2=value2
- HEAD: similar to GET, only retrieves headers
- PUT: place data on a resource; variables are sent inside the content
  - useful for security (in conjunction with encryption)
  - useful for sending larger content that wouldn't fit in a URL variable value
HTTP Headers
- sent both in requests and responses
- Host: used for Virtual Hosting since HTTP/1.1
- User-Agent: the browser
- Date, Cookie, Content-Type
- http://en.wikipedia.org/wiki/List_of_HTTP_header_fields
Cookies
- used to preserve information across connections (statefulness)
- sent by a server to a web browser
  - the web server sends the Set-Cookie header
  - the web client/browser uses the Cookie header
- name and value
- tracking cookies
- authentication cookies: require HTTPS
- Secure cookie is an HTTPS setting: the cookie is only sent over HTTPS, so its data is always encrypted in transit
- HttpOnly attribute: the cookie may only be used in HTTP(S), not in JavaScript
- used for session management
- cookie expiry date
URLs
- Uniform Resource Locator
- URI: Uniform Resource Identifier
- points to a resource
- URL encoding is important from a security point of view: %2e%2e%2f means ../
HTTP and HTML
- HTTP is the protocol, HTML is a content formatting language
- HTTP may deliver binary data, though HTML is most common
- HTML may contain links and JavaScript code
HTTPS
- secure HTTP: HTTP + SSL
- communication between client and server is encrypted
- it may be possible that only certain pieces of content are encrypted
  - watch out for cookies
  - static information may not be encrypted
- the connection may fall back to HTTP, provided HTTP is allowed
  - an attacker may try to drop the connection from HTTPS to HTTP using a man-in-the-middle attack
- HTTPS Everywhere, https://www.eff.org/https-everywhere: browser extension to enable HTTPS on as many sites as possible
CGI
- Common Gateway Interface
- request content is redirected from the web server to an outside process, to its standard input
- the response is written by the process to its standard output and handed to the web server, which passes it to the client
- a process is spawned for each request
- if the process dies, nothing happens to the web server
- CGI scripts may be written in any language
- FastCGI preforks processes
Web Server Modules
- alternative to CGI
- content is processed by web server modules inside the web server process
- modules are usually dynamic library files
- faster than CGI
- problematic if an error occurs (the error happens inside the web server process)
Mapping an Application
- discovery, enumeration, exploration
- discover valid URLs
- discover paths
- discover hidden content (password files, temporary files, hidden files with bad permissions)
- discover parameters
Goals
- hidden files: password files, configuration files
- parameters to provide administrative/privileged access
- folders where data can be uploaded
Web Spidering
- discovery of paths and pages
- automated and user-directed
- find out available content and guess hidden content
  - typical page names
  - typical paths in folders
  - debug resources
  - temporary resources
  - common scripts and file extensions
- Skipfish, Burp Suite, OWASP Zed Attack Proxy, Wapiti (also perform tests/attacks)
- the end result is a sitemap
Authentication Technologies
- HTTP basic/digest authentication
- HTML forms
- client SSL certificates
- multifactor authentication
- authentication services
Authentication Vulnerabilities
- bad/weak passwords
- bad implementation of forgotten password, remember me
- storage of credentials (inside a PHP file or a config file)
- delivery of password for recovery
Securing Authentication
- strong credentials
- prevent brute force
- store securely
- proper recovery functionality
- aim for passwordless access (OAuth, SSO)
- log, monitor, notify
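Added example, not part of the lecture slides: what "store securely" and "prevent brute force" look like in code. Passwords are stored as a salted, slow PBKDF2 hash and compared in constant time, and each account gets a consecutive-failure counter; UserStore is a constructed in-memory stand-in for the real credential table.

```python
# Added example (not from the lecture): salted slow-hash password storage
# plus a per-account failure counter, covering "store securely" and
# "prevent brute force". UserStore is a constructed in-memory stand-in.
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # deliberately slow; tune to ~100 ms on the server
MAX_FAILED_ATTEMPTS = 5       # lock the account after this many consecutive failures


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage."""
    salt = salt or secrets.token_bytes(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


class UserStore:
    def __init__(self):
        self.users = {}    # username -> hashed password (never the plaintext)
        self.failed = {}   # username -> consecutive failed logins

    def register(self, username: str, password: str) -> None:
        if len(password) < 12:                      # minimal strong-credential rule
            raise ValueError("password too short")
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'locked' or 'denied'; the reply never reveals whether the user exists."""
        if self.failed.get(username, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        stored = self.users.get(username)
        if stored is None:
            hash_password(password)   # spend the same time for unknown users (no timing leak)
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            self.failed[username] = 0
            return "ok"
        self.failed[username] = self.failed.get(username, 0) + 1
        return "denied"
```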
Session Management
- maintaining state
- URL-based session ID: easy to intercept
- hidden POST fields: still quite easy to intercept
- cookies
Session Tokens
- session IDs
- randomness is important: the session ID should be unpredictable
- length is important
- duration of life is important
- must be sent in a secure manner (over HTTPS) to prevent hijacking
Attacking Session Management
- session token generation
- session token handling
Session Token Generation
- predictable session IDs
  - bad random generation (poor entropy)
  - may be subject to brute force
- session fixation attack
  - the session ID is created by the attacker
  - a URL with the session ID is sent to be used by the vulnerable application
  - the vulnerable application authenticates to the server
  - the attacker is now able to use the session ID to access the server as an authenticated user
Session Token Handling
- make sure the connection is encrypted, otherwise traffic gets intercepted: session hijacking
- use HTTPS
- use Secure cookies
- use the HttpOnly attribute
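Added example, not from the lecture: the cookie, token-generation and token-handling slides above turned into code. Session IDs come from the OS CSPRNG (unpredictable, 256 bits), the Set-Cookie value carries Secure, HttpOnly and an expiry, and login always issues a fresh ID so an attacker-fixed one is never promoted to an authenticated session; SessionStore is a constructed in-memory stand-in for the server-side session table.

```python
# Added example (not from the lecture): CSPRNG session IDs, a Set-Cookie value
# with Secure/HttpOnly/expiry, and a fresh ID issued at login so an ID fixed by
# an attacker is never promoted to an authenticated session. SessionStore is a
# constructed in-memory stand-in for the server-side session table.
import secrets
import time
from email.utils import formatdate

TOKEN_BYTES = 32            # 256 bits from the OS CSPRNG: unpredictable and long
SESSION_LIFETIME = 30 * 60  # seconds; a short lifetime limits the hijacking window


def new_session_id() -> str:
    """Session IDs come from secrets (CSPRNG), never from time, counters or random.random."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def session_cookie_header(session_id: str, lifetime: int = SESSION_LIFETIME) -> str:
    """Set-Cookie value: Secure (sent only over HTTPS), HttpOnly (no JavaScript), expiry."""
    expires = formatdate(time.time() + lifetime, usegmt=True)
    return (f"SESSIONID={session_id}; Path=/; Expires={expires}; "
            f"Max-Age={lifetime}; Secure; HttpOnly")


class SessionStore:
    def __init__(self):
        self.sessions = {}   # session ID -> {"user": ..., "expires": ...}

    def start(self) -> str:
        """Anonymous session for a new visitor."""
        sid = new_session_id()
        self.sessions[sid] = {"user": None, "expires": time.time() + SESSION_LIFETIME}
        return sid

    def login(self, presented_sid: str, user: str) -> str:
        """Session-fixation defence: drop the ID the client presented and issue a new one."""
        self.sessions.pop(presented_sid, None)   # unknown/attacker-supplied IDs are discarded
        sid = new_session_id()
        self.sessions[sid] = {"user": user, "expires": time.time() + SESSION_LIFETIME}
        return sid

    def user_for(self, sid: str):
        """Return the user of a valid, unexpired session, else None (and forget expired ones)."""
        entry = self.sessions.get(sid)
        if entry is None or entry["expires"] < time.time():
            self.sessions.pop(sid, None)
            return None
        return entry["user"]
```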
Path Traversal Vulnerabilities
- access an unavailable file (/etc/passwd)
- http://www.example.com/../../../etc/passwd
- URL parameters
Detecting and Circumventing
- look for ../..
- encode slash and dot in input: dot (%2e), slash (%2f)
- input sanitization
- isolated web server access to certain directories
Target of Path Traversal
- password files
- configuration files
- database credentials
- write/upload scripts
- execute scripts
Preventing Path Traversal Vulnerabilities
- do not pass user data to the filesystem API
- maintain a list of valid files to serve
- in case file uploading is allowed:
  - check for path traversal sequences after decoding
  - use a hard-coded list of file types
  - use calls such as getCanonicalPath (Java) to check the start directory
  - use a chrooted environment
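Added example, not from the lecture, covering the URL-encoding slide (%2e%2e%2f means ../) and the prevention list above: the request is percent-decoded first, the traversal check runs after decoding, the canonical path is checked against the base directory (the getCanonicalPath idea, via realpath) and the file type must be on a hard-coded list. It goes slightly beyond the slides by also handling double encoding and backslash separators; the base directory and file names are constructed for the example.

```python
# Added example (not from the lecture): serve files only from a fixed base
# directory, percent-decoding the request first and checking for traversal
# and the canonical path afterwards. Extends the slides to double encoding
# and backslash separators.
import os
from urllib.parse import unquote

ALLOWED_EXTENSIONS = {".html", ".css", ".js", ".png"}   # hard-coded list of file types


def fully_decode(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable, so %252e%252e%252f (double encoding) also yields ../."""
    for _ in range(max_rounds):
        decoded = unquote(raw)
        if decoded == raw:
            return decoded
        raw = decoded
    raise ValueError("too many encoding layers")


def resolve_requested_file(base_dir: str, requested: str) -> str:
    """Return the absolute path to serve, or raise ValueError if the request must be rejected."""
    base = os.path.realpath(base_dir)
    path = fully_decode(requested).replace("\\", "/")   # treat backslash as a separator too
    if "\0" in path:
        raise ValueError("NUL byte in path")
    if ".." in path.split("/"):                         # traversal check AFTER decoding
        raise ValueError("path traversal sequence")
    candidate = os.path.realpath(os.path.join(base, path.lstrip("/")))
    # Canonical-path check (the getCanonicalPath idea): the result must stay under base.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path outside base directory")
    if os.path.splitext(candidate)[1].lower() not in ALLOWED_EXTENSIONS:
        raise ValueError("file type not allowed")
    return candidate


def is_safe_request(base_dir: str, requested: str) -> bool:
    """True if the request would be served from base_dir, False if it is rejected."""
    try:
        resolve_requested_file(base_dir, requested)
        return True
    except ValueError:
        return False
```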
Keywords
HTTP, HTTPS, HTML, URL, HTTP methods, HTTP headers, cookie, CGI, modules, session, Secure cookie, HttpOnly, mapping, Skipfish, Burp, authentication, session ID, session tokens, path traversal, input sanitization
References
- https://www.owasp.org/index.php/Top_10_2013-Top_10
- https://www.owasp.org/index.php/Session_Management_Cheat_Sheet