Internet infrastructure Prof. dr. ir. André Mariën
Web servers
- HTTP protocol
  - Request/reply operation
  - MIME-like format for both requests and replies
- Data model, initially file-system like: /.../.../.../x.y
- Content: text/plain, text/html, image/gif
Importance of HTML, initially
- Mark-up language
- Declarative GUI production
- Supports hyperlinks: hides addressing
- Multi-media: formatted text, images, forms
URI
- <protocol>://<address><request>
- Address: [user@]host[:port]
- Request examples: path?querystring
- HTTP URL: "http:" "//" host [ ":" port ] [ abs_path ]
- Others: LDAP, IMAP, FTP, NEWS, MAILTO
HTML essentials
- Markup: <TAG>...</TAG>, <TAG ATT1="val1" ATT2="val2">...</TAG>
- Anchors: <A HREF="URL">text/image</A>
- Embedded content, example: images <IMG SRC="URL">
HTML drawbacks
- HTML is based on SGML
- Lots of freedom and defaults: difficult to parse
- Liberal parsing and interpretation in the browsers
- Barely any structure validation (proper nesting)
- Browser incompatibilities
XML
- Drops some complexity of HTML
- Must have an end tag
- Structure validation
- Empty elements better defined: <TAG/>
- Replaces ASN.1 as structure description
CSS and XSLT
- HTML became more and more complex: it introduced more and more formatting
  - No longer only what, but also how
- Cascading Style Sheets: separates layout from structure, again
- XSLT: powerful rewriting tool for XML
Web clients
- A.k.a. browsers
- Multi-protocol client: HTTP, FTP, LDAP, ...
- Successor of Gopher clients
- Multi-media: text, images
Extensions: client side
- JavaScript: scripting language
  - To animate content
  - To check forms
  - To create content dynamically
- Java: active regions, much more control
Extensions: client side: ActiveX
- Programs with full access
- Trust based on signing; trust is unlimited: yes or no
- Integrates very well in the MS client platforms
- Plug-ins: many examples, e.g. PDF plug-in, Flash (Shockwave)
- Helper applications: separate applications, launched after confirmation to handle specific content
Extensions: server side
- Dynamic content: early systems
  - CGI: common gateway interface
    - Launch an external program for content generation
  - SSI: server side includes
    - http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
    - http://www.apacheweek.com/features/ssi
CGI operation
- Coupling: start a separate process
  - Loose coupling
  - Independence of language, run-time, ...
- API: parameter passing via the process environment
  - Caller sets the relevant variables
- Main drawback: a process is started per request
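The CGI coupling described above, written out as an added example (not from the slides): the server places the request metadata in the process environment and the body on stdin, and the program answers with header lines, an empty line and a body. The names read_cgi_request, build_cgi_response, SAMPLE_ENV and SAMPLE_STDIN are assumptions, and the sample environment is constructed.

```python
# Added example (not from the slides): the CGI coupling, where the web server
# passes request data through the process environment and stdin, and the
# program answers with header lines, a blank line and a body.
# Names (read_cgi_request, build_cgi_response, SAMPLE_ENV) are assumptions.
import io
from urllib.parse import parse_qs

# Constructed environment, as a server would set it for
# "POST /cgi-bin/search?lang=en HTTP/1.0" carrying a 16-byte form body.
SAMPLE_ENV = {
    "REQUEST_METHOD": "POST",
    "SCRIPT_NAME": "/cgi-bin/search",
    "QUERY_STRING": "lang=en",
    "CONTENT_TYPE": "application/x-www-form-urlencoded",
    "CONTENT_LENGTH": "16",
    "REMOTE_ADDR": "192.0.2.10",          # documentation address (RFC 5737)
    "HTTP_USER_AGENT": "example-client/1.0",
}
SAMPLE_STDIN = b"q=cgi+basics&n=5"        # constructed form body, 16 bytes

MAX_BODY = 1 << 20   # refuse bodies above 1 MiB even if CONTENT_LENGTH says more


def read_cgi_request(environ, stdin):
    """Reconstruct the request from the CGI environment and stdin.

    Exactly CONTENT_LENGTH bytes are read: a program that reads "until EOF"
    blocks when the client never closes, and one that trusts the body's own
    framing can be fed more data than the server announced.
    """
    method = environ.get("REQUEST_METHOD", "GET").upper()
    query = parse_qs(environ.get("QUERY_STRING", ""), keep_blank_values=True)
    form = {}
    if method in ("POST", "PUT"):
        raw_len = environ.get("CONTENT_LENGTH", "") or "0"
        if not raw_len.isdigit():
            raise ValueError("CONTENT_LENGTH is not a non-negative integer")
        length = int(raw_len)
        if length > MAX_BODY:
            raise ValueError("request body too large")
        body = stdin.read(length)
        if len(body) != length:
            raise ValueError("short read: body truncated")
        ctype = environ.get("CONTENT_TYPE", "")
        if ctype.split(";")[0].strip() == "application/x-www-form-urlencoded":
            form = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    return {
        "method": method,
        "path": environ.get("SCRIPT_NAME", ""),
        "query": query,
        "form": form,
        "client": environ.get("REMOTE_ADDR", ""),
    }


def build_cgi_response(body, content_type="text/plain", status=200):
    """CGI reply: header lines, an empty line, then the body bytes."""
    head = (
        "Status: %d\r\n"
        "Content-Type: %s\r\n"
        "Content-Length: %d\r\n"
        "\r\n" % (status, content_type, len(body))
    )
    return head.encode("ascii") + body


def parse_sample():
    """Run the constructed request through the reader."""
    return read_cgi_request(SAMPLE_ENV, io.BytesIO(SAMPLE_STDIN))


def rejects_truncated_body():
    """True when a body shorter than CONTENT_LENGTH is refused."""
    short = dict(SAMPLE_ENV, CONTENT_LENGTH="40")
    try:
        read_cgi_request(short, io.BytesIO(SAMPLE_STDIN))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req = parse_sample()
    reply = "client %s asked for %r" % (req["client"], req["form"]["q"][0])
    print(build_cgi_response(reply.encode("utf-8")).decode("utf-8"))
```

The per-request process start that the slide names as the main drawback is visible here too: every value the program sees arrives through a freshly built environment, so nothing survives between requests and any caching or session state has to live outside the process.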
SSI
- Syntax: <!--#command tag1="value1" tag2="value2" -->
- Main commands:
  - include: virtual/file = document_name
  - echo: var = date_local, ... (CGI variables)
  - exec: cmd/cgi
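A small expander for the directive syntax on this slide, as an added example that is not from the slides: it handles include and echo over a constructed document root and refuses exec, which would run a program under the web server's identity. DOCROOT, expand_ssi, safe_virtual_path, render_index and ERROR_TEXT are assumptions; the error text matches Apache's default message for a failed directive.

```python
# Added example (not from the slides): a small SSI expander for the
# <!--#command attr="value" --> syntax, handling include and echo and
# refusing exec. DOCROOT, expand_ssi and ERROR_TEXT are assumptions.
import html
import re

ERROR_TEXT = "[an error occurred while processing this directive]"
MAX_INCLUDE_DEPTH = 8

# Constructed stand-in for the document root (virtual path -> content).
DOCROOT = {
    "/header.html": "<h1>Site</h1>",
    "/index.shtml": (
        '<!--#include virtual="/header.html" -->\n'
        '<p>Today: <!--#echo var="DATE_LOCAL" --></p>\n'
        '<p>You are <!--#echo var="REMOTE_ADDR" --></p>\n'
        '<!--#exec cmd="ls /" -->\n'
    ),
}

DIRECTIVE_RE = re.compile(r'<!--#(\w+)((?:\s+\w+="[^"]*")*)\s*-->')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def safe_virtual_path(target):
    """Accept only absolute paths without '..' segments, so an include
    cannot name a file outside the document root."""
    if not target.startswith("/") or "\\" in target:
        return None
    if any(seg == ".." for seg in target.split("/")):
        return None
    return target


def expand_ssi(text, docroot, variables, depth=0):
    """Replace every SSI directive in text; returns the expanded page."""
    if depth > MAX_INCLUDE_DEPTH:
        return ERROR_TEXT          # recursive or too-deep includes

    def handle(match):
        command = match.group(1).lower()
        attrs = dict(ATTR_RE.findall(match.group(2)))
        if command == "echo":
            # entity-encode, as Apache does by default, so a variable that
            # reflects client data (REMOTE_ADDR, QUERY_STRING) cannot inject markup
            return html.escape(variables.get(attrs.get("var", ""), "(none)"))
        if command == "include":
            # only "virtual" (absolute within the docroot) is supported here
            target = safe_virtual_path(attrs.get("virtual", ""))
            if target is None or target not in docroot:
                return ERROR_TEXT
            return expand_ssi(docroot[target], docroot, variables, depth + 1)
        # exec (and anything unknown) is refused: it would run a program
        # under the web server's identity with attacker-influenced input
        return ERROR_TEXT

    return DIRECTIVE_RE.sub(handle, text)


def render_index():
    """Expand the constructed index page with constructed CGI variables."""
    variables = {"DATE_LOCAL": "Monday, 01-Jan-2024", "REMOTE_ADDR": "<script>"}
    return expand_ssi(DOCROOT["/index.shtml"], DOCROOT, variables)


if __name__ == "__main__":
    print(render_index())
```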
SSI: grandfather of others
- JSP: Java server pages
- ASP: active server pages
- PHP: hypertext preprocessor (www.php.net)
- ColdFusion, ...
ASP: www.asptutorial.inf
- Script delimiters: <% ... %>
- <% =date %> : insert the current date
- <% =monthname(month(now)) %>
- Script within HTML:
  <a href="<%=weekdayname(weekday(now))%>.htm">Link of the Day</a>
ASP example script
The hour is
<% if hour(now) = 0 then %>
midnight.
<% end if
if hour(now) = 12 then %>
noon.
<% end if
if (hour(now) >= 1) and (hour(now) <= 11) then %>
<% =hour(now) %> o'clock AM.
<% end if
if (hour(now) >= 13) and (hour(now) <= 23) then %>
<% =hour(now) - 12 %> o'clock PM.
<% end if %>
ASP & SSI combined
<% if TheName = "John" then %>
<!--#include virtual="/file1.html" -->
<% else %>
<!--#include virtual="/file2.asp" -->
<% end if %>
ASP session management
<% Session("permission") = "YES"
   Session("username") = "Joe" %>
...
Hi <% =Session("username") %>!
Shared application data:
<% Application.Lock
   Application("pagevisits") = Application("pagevisits") + 1
   Application.Unlock %>
Page views: <% =Application("pagevisits") %>
ASP: request & response
- Request object: Request.Cookies("key")
- Response object: Response.Cookies("otherkey")
Dynamic content styles
- HTML + mark-up: preprocessor
  - Mark-up: special delimiters for processing
  - Code inside HTML: ASP, PHP, ColdFusion
- Language embedding
  - Program scripts containing HTML mark-up: Perl scripts, servlets
Preprocessing (diagram): HTML + mark-up -> preprocessor (runs in the web server, reading files/database) -> HTML
Language embedding (diagram): script -> script interpreter (runs in the web server, reading files/database) -> HTML
Dynamic content: problems
- Separation of duties between web designers and web developers
  - Preprocessing: web designers end up writing code
  - Language embedding: developers end up designing pages
JSP
- http://java.sun.com/products/jsp/
- Strongly related to servlet technology
- Servlets: Java technology to handle web requests, implemented with servlet runners
Servlet runners (diagram): client connections -> HTTP listener (persistent connections) -> servlet runner -> back-end
Servlets
- Standard Java interface: Servlet; HttpServlet
- Provides Request and Response objects
- HttpServlet methods: doGet, doPost, doPut
- Servlets: sessions & applications
  - HttpSession object
  - ServletContext: application context
JSP
- Looks like a preprocessing page: HTML with embedded tags
- Executes as a servlet: language embedding flavor
- Translation is automatic; no interpretation during execution
JSP tags
See the JSP tag syntax pages: http://java.sun.com/products/jsp/pdf/card11.pdf
Some tags:
- Declaration: <%! Circle a = new Circle(2.0); %>
- Expression: <%= new java.util.Date() %>
- Directive: <%@ include file="copyright.html" %>
JSP examples
Insert date:
<HTML>
<BODY>
Hello! The time is now <%= new java.util.Date() %>
</BODY>
</HTML>
More complex example:
<BODY>
<%
  // This scriptlet declares and initializes "date"
  System.out.println("Evaluating date now");
  java.util.Date date = new java.util.Date();
%>
Hello! The time is now
<%
  out.println(date);
  out.println(request.getRemoteHost());
%>
</BODY>
JSP directives
<%@ page import="java.util.*" %>
<%@ include file="hello.jsp" %>
Defining methods:
<%!
  Date theDate = new Date();
  Date getDate() {
    System.out.println("In getDate() method");
    return theDate;
  }
%>
Hello! The time is now <%= getDate() %>
Important concept: useBean
- Beans: objects with a simple interface
- JSP writers are GUI designers: they should not write code
  - They should use beans and include bean properties
- Beans: written by developers
JSP: beans
<jsp:useBean id="myMap" scope="session" class="email.Map" />
<jsp:setProperty name="myMap" property="name" param="name" />
<% myMap.setAction("delete"); %>
HTTP basics
Request: GET /x/y/h.html HTTP/1.0
Reply: HTTP/1.0 200 OK
Message headers: Content-Type: text/html
Body: <HTML>...</HTML>
Essential protocol features
- Basic authentication: 401 Authorization Required; Authorization header
- Redirects: initially to allow content migration; now also link-control measures
- POST besides GET: full MIME-style content inside requests
- HTTP/1.1: RFC 2068
- Protocol version HTTP/x.y: 0.9, 1.0, 1.1
Request syntax
Request-Line
*( general-header | request-header | entity-header )
CRLF
[ message-body ]
Request-response
- Request-Line: Method SP Request-URI SP HTTP-Version CRLF
  - Method: GET, HEAD, POST, PUT, DELETE, TRACE, OPTIONS
- Request headers: Accept, Accept-Charset, Accept-Encoding, Accept-Language, Authorization, Proxy-Authorization, Host, If-Modified-Since, Referer, User-Agent
- Response: Status-Line *( general-header | response-header | entity-header ) CRLF [ message-body ]
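The message grammar on the last two slides, as an added example that is not from the slides: a parser for "Request-Line, headers, CRLF, body" that takes exactly Content-Length body bytes and rejects the ambiguous framings (space before the colon, line folding, repeated Content-Length) that different servers read differently, plus a builder for a reply whose Status-Line is "HTTP-Version SP Status-Code SP Reason-Phrase". RAW_REQUEST is a constructed request; parse_request, parse_headers, build_response, parse_sample and is_rejected are assumptions.

```python
# Added example (not from the slides): parsing a request in the form
# Request-Line, *(header) CRLF [message-body] and building a reply whose
# Status-Line is "HTTP-Version SP Status-Code SP Reason-Phrase".
# parse_request, parse_headers, build_response and RAW_REQUEST are assumptions.
import re

METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "TRACE", "OPTIONS"}
VERSION_RE = re.compile(r"HTTP/\d\.\d\Z")
REASON = {200: "OK", 201: "Created", 304: "Not Modified", 400: "Bad Request",
          401: "Unauthorized", 403: "Forbidden", 404: "Not Found",
          500: "Internal Server Error"}

# Constructed request bytes as they would arrive on the socket.
RAW_REQUEST = (
    b"POST /x/y/h.html HTTP/1.0\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: example-client/1.0\r\n"
    b"Content-Type: text/plain\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)


def parse_headers(lines):
    """Header lines -> dict keyed by lower-case name.

    Rejects whitespace before the colon, obsolete line folding and a repeated
    Content-Length: each of these is read differently by different servers,
    which is what request-smuggling attacks rely on.
    """
    headers = {}
    for raw in lines:
        line = raw.decode("latin-1")
        if line[:1] in (" ", "\t"):
            raise ValueError("obsolete line folding not accepted")
        name, colon, value = line.partition(":")
        if not colon or not name or name != name.strip():
            raise ValueError("malformed header line: %r" % line)
        key = name.lower()
        if key in headers:
            if key == "content-length":
                raise ValueError("repeated Content-Length")
            headers[key] += ", " + value.strip()
        else:
            headers[key] = value.strip()
    return headers


def parse_request(raw):
    """Return (request dict, leftover bytes); leftover is the next request
    when the client pipelines, never part of this body."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request head not terminated by an empty line")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise ValueError("Request-Line must be Method SP Request-URI SP HTTP-Version")
    method, target, version = parts
    if method not in METHODS:
        raise ValueError("unsupported method %r" % method)
    if not VERSION_RE.match(version):
        raise ValueError("bad HTTP-Version %r" % version)
    headers = parse_headers(lines[1:])
    length = 0
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            raise ValueError("Content-Length must be a non-negative integer")
        length = int(headers["content-length"])
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    request = {"method": method, "target": target, "version": version,
               "headers": headers, "body": rest[:length]}
    return request, rest[length:]


def build_response(status, body, content_type="text/html", extra=()):
    """Status-Line, headers, empty line, body. Content-Length always comes
    from the body; CR or LF in a header value is refused (header injection)."""
    lines = ["HTTP/1.0 %d %s" % (status, REASON.get(status, "Unknown")),
             "Content-Type: %s" % content_type,
             "Content-Length: %d" % len(body)]
    for name, value in extra:
        if "\r" in value or "\n" in value:
            raise ValueError("CR/LF in header value")
        lines.append("%s: %s" % (name, value))
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def parse_sample():
    return parse_request(RAW_REQUEST)


def is_rejected(raw):
    """True when parse_request refuses the bytes."""
    try:
        parse_request(raw)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    req, _ = parse_sample()
    print(req["method"], req["target"], req["headers"]["host"], req["body"])
    print(build_response(200, b"<HTML>...</HTML>").decode("latin-1"))
```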
Status code classes
- 1xx: Informational - request received, continuing process
- 2xx: Success - the action was successfully received, understood, and accepted
- 3xx: Redirection - further action must be taken in order to complete the request
- 4xx: Client Error - the request contains bad syntax or cannot be fulfilled
- 5xx: Server Error - the server failed to fulfill an apparently valid request
Status codes
1xx:
- 100 Continue
- 101 Switching Protocols
2xx:
- 200 OK
- 201 Created
- 202 Accepted
- 203 Non-Authoritative Information
- 204 No Content
- 205 Reset Content
Status codes
3xx:
- 300 Multiple Choices
- 301 Moved Permanently
- 302 Moved Temporarily
- 303 See Other
- 304 Not Modified
- 305 Use Proxy
4xx:
- 400 Bad Request
- 401 Unauthorized
- 402 Payment Required
- 403 Forbidden
- 404 Not Found
- 405 Method Not Allowed
- 406 Not Acceptable
- 407 Proxy Authentication Required
Status codes
4xx (cont.):
- 408 Request Time-out
- 409 Conflict
- 410 Gone
- 411 Length Required
- 412 Precondition Failed
- 413 Request Entity Too Large
- 414 Request-URI Too Large
- 415 Unsupported Media Type
5xx:
- 500 Internal Server Error
- 501 Not Implemented
- 502 Bad Gateway
- 503 Service Unavailable
- 504 Gateway Time-out
- 505 HTTP Version not supported
Headers
- General headers: connection, proxying, cache
- Response headers: authentication, redirection, caching
- Entity headers: content related
Headers
- General headers: Cache-Control, Date, Pragma, Transfer-Encoding, Via
- Response headers: Location, Proxy-Authenticate, Server, WWW-Authenticate
- Entity headers: Content-Base, Content-Encoding, Content-Language, Content-Length, Content-Location, Content-Type, ETag, Expires, Last-Modified
Authentication
Generic:
- client -> request
- server reply: 401 Unauthorized, plus a server header saying how to authenticate:
  WWW-Authenticate: <scheme> <realm> [, <param>]
- client -> request: repeats the request but adds authorization information:
  Authorization: <credential>
Basic authentication scheme:
- Server reply: 401 Unauthorized
  WWW-Authenticate: Basic realm="WallyWorld"
- Client request:
  Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
  base64(uid:password) = QWxhZGRpbjpvcGVuIHNlc2FtZQ==
- Note: Base64 is encoding, not encryption
Digest authentication: see RFC 2069
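The Basic exchange above from the server's side, as an added example that is not from the slides: it builds the 401 challenge, shows that the client credential is plain base64 that anyone on the path can decode, and verifies it against salted password hashes with a constant-time comparison and the same hashing cost for unknown user names. The functions challenge, make_credential, decode_credential, add_user and authorize and the USERS store are assumptions; the Aladdin credential is the one on the slide.

```python
# Added example (not from the slides): the Basic scheme exchange from the
# server side, showing that the credential is only base64 and verifying it
# against salted password hashes. challenge, make_credential,
# decode_credential, add_user and authorize are assumptions.
import base64
import hashlib
import hmac
import secrets

ITERATIONS = 100_000


def challenge(realm):
    """Headers of the 401 reply that tells the client how to authenticate."""
    if '"' in realm or "\r" in realm or "\n" in realm:
        raise ValueError("realm must not contain quotes or line breaks")
    return {"Status": "401 Unauthorized",
            "WWW-Authenticate": 'Basic realm="%s"' % realm}


def make_credential(user, password):
    """What the client sends back: Basic base64(user:password)."""
    if ":" in user:
        raise ValueError("user-id cannot contain ':'")
    token = base64.b64encode(("%s:%s" % (user, password)).encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_credential(header):
    """Recover user and password from the header: decoding, not decryption."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    raw = base64.b64decode(token.strip(), validate=True)   # ValueError on junk
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("credential lacks the ':' separator")
    return user, password


# Constructed credential store: salt and PBKDF2 hash per user, never the password.
USERS = {}


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(user, password):
    salt = secrets.token_bytes(16)
    USERS[user] = (salt, _hash(password, salt))


def authorize(header):
    """True only when the Authorization header names a known user with the right password."""
    try:
        user, password = decode_credential(header)
    except ValueError:
        return False
    entry = USERS.get(user)
    if entry is None:
        _hash(password, bytes(16))       # same cost for unknown names: no timing hint
        return False
    salt, expected = entry
    return hmac.compare_digest(_hash(password, salt), expected)


if __name__ == "__main__":
    print(challenge("WallyWorld"))
    cred = make_credential("Aladdin", "open sesame")
    print(cred, "->", decode_credential(cred))
    add_user("Aladdin", "open sesame")
    print(authorize(cred), authorize(make_credential("Aladdin", "guess")))
```

Because decode_credential recovers the password with no key at all, the scheme is only as confidential as the transport underneath it, and the server stores a salted hash rather than the password it could trivially read from every request.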
End-to-end and hop-by-hop headers
- End-to-end headers: transmitted to the ultimate recipient
- Hop-by-hop headers: meaningful only for a single transport-level connection
- HTTP/1.1 hop-by-hop headers: Connection, Keep-Alive, Public, Proxy-Authenticate, Transfer-Encoding
- All other headers: end-to-end
Proxies
- Incoming (reverse) proxies
- Outgoing proxies
- Secure hop
- Authorization enforcement
- Caching proxy
Proxies (diagram): clients -> outgoing proxy -> internet -> reverse proxy -> web server
Outgoing proxy
- Proxy protocol: the request contains the full URL: GET http://server/... HTTP/1.0
- Proxy authentication
- Browser control
Reverse proxy
- Normal HTTP protocol
- No specific authentication
- Fits in the security zone concept:
  - Network zone containing the proxy
  - Service zone containing the web server
  - Application zone containing the application server
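What a forwarding proxy does to a request before passing it to the next hop, covering both the hop-by-hop header slide and the outgoing-proxy slide, as an added example that is not from the slides: it drops the hop-by-hop headers (the slide's list, extended with the names a client puts in Connection, which the spec treats as hop-by-hop too), records itself in Via, and rewrites the absolute URL an outgoing proxy receives into a path plus a Host header taken from that URL rather than from the client. HOP_BY_HOP adds the RFC 2616 section 13.5.1 names to the slide's list; forward_headers, to_origin_form, forward_sample and the constructed INBOUND headers are assumptions.

```python
# Added example (not from the slides): what a forwarding proxy does to a
# request before passing it on: drop hop-by-hop headers (including those the
# client names in Connection), append Via, and turn the absolute URL an
# outgoing proxy receives into a path plus Host header for the origin server.
# forward_headers, to_origin_form and INBOUND are assumptions.
from urllib.parse import urlsplit

# Slide list plus the RFC 2616 section 13.5.1 additions
# (proxy-authorization, te, trailer, upgrade).
HOP_BY_HOP = {"connection", "keep-alive", "public", "proxy-authenticate",
              "transfer-encoding", "proxy-authorization", "te", "trailer", "upgrade"}

# Constructed inbound headers (lower-case names), as a client sent them.
INBOUND = {
    "host": "www.example.com",
    "accept": "text/html",
    "connection": "keep-alive, x-internal-role",
    "keep-alive": "timeout=5",
    "x-internal-role": "admin",
    "proxy-authorization": "Basic Zm9vOmJhcg==",
    "via": "1.0 client-side-gateway",
}


def forward_headers(headers, proxy_name="proxy.example", proxy_version="1.0"):
    """Return the headers to send on the next hop.

    Connection may name further headers as hop-by-hop; honouring that is
    what keeps a client from carrying a header such as x-internal-role,
    which only the proxy itself should set, through to the origin server.
    """
    drop = set(HOP_BY_HOP)
    for token in headers.get("connection", "").split(","):
        token = token.strip().lower()
        if token:
            drop.add(token)
    out = {name: value for name, value in headers.items() if name.lower() not in drop}
    via = "%s %s" % (proxy_version, proxy_name)
    out["via"] = out["via"] + ", " + via if "via" in out else via
    return out


def to_origin_form(target, headers):
    """Outgoing proxies receive 'GET http://server/path HTTP/1.0'; the origin
    server expects '/path' and a Host header derived from the URL, not from
    whatever Host the client chose to send alongside it."""
    if target.startswith("/"):
        return target, dict(headers)
    url = urlsplit(target)
    if url.scheme not in ("http", "https") or not url.hostname:
        raise ValueError("request target must be an absolute http(s) URL")
    if url.username is not None:
        raise ValueError("userinfo is not allowed in a request target")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    host = url.hostname if url.port is None else "%s:%d" % (url.hostname, url.port)
    out = dict(headers)
    out["host"] = host
    return path, out


def forward_sample():
    """Process the constructed proxy-style request end to end."""
    path, headers = to_origin_form("http://www.example.com:8080/a/b?x=1", INBOUND)
    return path, forward_headers(headers)


if __name__ == "__main__":
    print(forward_sample())
```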
WEB APPLICATION FIREWALLS
What is a WAF?
- OWASP: a security solution on the web application level which - from a technical point of view - does not depend on the application itself
  - Broad: covers many technological solutions
  - Separate hardware boxes (appliances)
  - Reverse proxy filters
- WASC: "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."
References
- https://www.owasp.org/index.php/category:OWASP_Best_Practices:_Use_of_Web_Application_firewalls
- http://www.modsecurity.org/
- Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN 0596007248
- Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN 0321321286
Fundamental issue
- The web was not designed for the complex applications that are currently state of the art
- Core protocol: HTTP
  - HTTP is not stateful: sessions or stateful applications must be defined separately and implemented securely
- The high degree of complexity of the web scripts, frameworks and web technologies frequently used leads to vulnerabilities
(Ubizen)
Features
Problem: Cookie protection
  Countermeasure: cookies can be signed, encrypted, completely hidden or replaced; cookies can be linked to the client IP
Problem: Information leakage
  Countermeasure: cloaking filter: outgoing pages can be cleaned (error messages, comments, undesirable information)
Problem: Session riding (CSRF)
  Countermeasure: URL encryption / token
Problem: Session timeout
  Countermeasure: timeouts for active and inactive (idle) sessions can be specified
Problem: Parameter tampering
  Countermeasure: parameter URL encryption (GET), parameter encryption (GET and POST); site usage enforcement: the sequence of URLs can be fixed or can be detected
Problem: Data validation (relating to field/content/context/application)
  Countermeasure: length, constant value / range of values, whitelist and/or blacklist, canonicalisation of the data
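Two of the countermeasures from the table worked through, as an added example that is not from the slides or from any WAF product: a cookie that is signed and linked to the client IP, so a copied cookie presented from another address or with an altered value is rejected, and parameter validation that canonicalises first (including a second percent-decode, since double encoding is the usual way past a filter that decodes once) and then applies length, range, whitelist and blacklist rules, refusing any parameter the page does not declare. SECRET, sign_cookie, verify_cookie, canonicalise, validate and RULES are assumptions, and the key is a constructed placeholder.

```python
# Added example (not from the slides): two of the countermeasures from the
# table, a cookie signed and bound to the client IP, and parameter
# validation after canonicalisation with length, range and whitelist rules.
# SECRET, sign_cookie, verify_cookie, canonicalise, validate and RULES are assumptions.
import base64
import hashlib
import hmac
import re
import unicodedata
from urllib.parse import unquote

SECRET = b"constructed-demo-key-replace-in-deployment"   # placeholder key
DIGITS = re.compile(r"[0-9]+\Z")


def sign_cookie(value, client_ip, key=SECRET):
    """value -> 'value.<mac>' where the MAC covers value and client IP, so a
    cookie replayed from another address fails verification."""
    if "." in value:
        raise ValueError("'.' separates value and MAC; choose another value format")
    msg = ("%s|%s" % (value, client_ip)).encode("utf-8")
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(mac).decode("ascii").rstrip("=")


def verify_cookie(cookie, client_ip, key=SECRET):
    """Return the original value, or None when the cookie was forged,
    altered or presented from a different client address."""
    value, sep, _ = cookie.partition(".")
    if not sep:
        return None
    try:
        expected = sign_cookie(value, client_ip, key)
    except ValueError:
        return None
    if hmac.compare_digest(expected.encode("utf-8"), cookie.encode("utf-8")):
        return value
    return None


def canonicalise(value):
    """Percent-decode twice (double encoding is a common filter bypass),
    Unicode-normalise and drop NUL before any rule is applied."""
    for _ in range(2):
        value = unquote(value)
    return unicodedata.normalize("NFKC", value).replace("\x00", "")


# Constructed rules for one page: every parameter must be declared here.
RULES = {
    "page": {"int_range": (1, 500)},
    "sort": {"whitelist": {"asc", "desc"}},
    "q": {"maxlen": 64, "blacklist": ("<", ">", "--")},
}


def validate(params, rules=RULES):
    """Return a list of violations (empty when the request is acceptable)."""
    errors = []
    for name, raw in params.items():
        rule = rules.get(name)
        if rule is None:
            errors.append("%s: unexpected parameter" % name)
            continue
        value = canonicalise(raw)
        if "maxlen" in rule and len(value) > rule["maxlen"]:
            errors.append("%s: longer than %d" % (name, rule["maxlen"]))
        if "whitelist" in rule and value not in rule["whitelist"]:
            errors.append("%s: not in allowed set" % name)
        if "int_range" in rule:
            low, high = rule["int_range"]
            if not DIGITS.match(value) or not low <= int(value) <= high:
                errors.append("%s: must be an integer in %d..%d" % (name, low, high))
        if "blacklist" in rule and any(bad in value for bad in rule["blacklist"]):
            errors.append("%s: contains a forbidden sequence" % name)
    return errors


if __name__ == "__main__":
    c = sign_cookie("sess-42", "192.0.2.10")
    print(c, verify_cookie(c, "192.0.2.10"), verify_cookie(c, "192.0.2.11"))
    print(validate({"page": "3", "sort": "asc", "q": "web servers"}))
    print(validate({"page": "%32%30%30%30", "sort": "asc; drop",
                    "q": "%253Cb%253E", "debug": "1"}))
```

Binding the cookie to the client IP is the slide's countermeasure, and the code shows its cost as well: a user whose address changes mid-session (mobile networks, proxy pools) is logged out, which is one of the false-positive sources the Concerns slide lists.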
Concerns
- Yet-another-proxy argument: increased complexity of the IT infrastructure
- Keeping the WAF configured
  - Training the WAF
  - Following releases of the web application and of the frameworks
  - Testing
- False positives: the WAF is in-stream, so it can block business
- More complex troubleshooting
- Cost-effectiveness: just do it in the applications?