
Uploaded 4 Dec 2013


Application Security: General Apps & Web Services

(April 8, 2013)

© Abdou Illia

Spring 2013

2

Learning Objectives

- Discuss general application security
- Discuss Web service / E-Commerce security
- [Discuss E-Mail security]

3

General Applications Security Issues

4

Which of the following is an OS?

A. Microsoft Project
B. Microsoft Visio
C. Oracle Solaris
D. Windows NT
E. Adobe Photoshop
F. C++
G. Google Chrome
H. UNIX
I. IIS
J. Apache
K. WinSCP (FTP client)
L. OS X
M. Movie Maker
N. Internet Explorer
5

Which of the following can be classified as a client or server network application?

A. Microsoft Project
B. Microsoft Visio
C. Oracle Solaris
D. Windows NT
E. Adobe Photoshop
F. C++
G. Google Chrome
H. UNIX
I. IIS
J. Apache
K. WinSCP (FTP client)
L. OS X
M. Movie Maker
N. Internet Explorer

6

Application security

A. Client and server network applications
B. Non-network applications
C. Operating systems

Imagine that you have the above categories of software installed on your computers. Which one would you harden first, and why?

7

Applications Security Issues

- Few operating systems, but many applications
- Because operating systems are comparatively well hardened, most attacks now target applications.
- Many applications run with administrative or superuser (root) privileges, so an attacker who compromises such an application inherits those privileges.
- Securing applications is challenging: there is a huge number of applications and a wide variety of security baselines.

[Diagram: the software stack on a host, bottom to top]
Computer hardware
Operating system
Client & server application programs: Web service software (IIS, Apache, ...); Web browser, photo editors, Movie Maker, productivity software, etc.

8

Which of the following is true about Application Security?

A. If a server application (or service) is no longer needed, it should be turned off
B. Fewer applications on a computer means fewer attack opportunities
C. Use good security baselines to install and configure applications
D. Do not install applications centrally using group policies
E. Add application-layer authentication by requiring users to provide credentials to run application programs
F. Implement cryptographic authentication for sensitive applications
G. If a server application (or service) is no longer needed, it should be removed
H. Do not turn on each application's automatic update checking

9

Applications and Buffer Overflow

- Buffers are areas of RAM where data is stored temporarily
- A buffer overflow occurs when more data is written to a buffer than it can hold, so the excess spills into the adjacent memory
- Buffer overflows have long been one of the most serious classes of flaws in application code, above all in programs written in C and C++, which perform no automatic bounds checking
- If an attacker sends more data than the programmer allocated for a buffer, the buffer overflows and overwrites the adjacent section of RAM
- Buffer overflow attacks

[Diagram: RAM divided into Buffer1 ... Buffer7; an input such as the word OUTDOOR written into a buffer too small for it lands as "OUTDO" in that buffer and "OR" in the neighbouring one]
10

Buffer Overflow Attack

- Occurs when a badly written program lets data destined for a memory buffer overwrite the adjacent memory that holds instructions or control data (such as a saved return address).
- If the attacker's data contains code, that code can run; at the very least the program crashes, which is a denial of service.
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD

[Diagram, before the input: a six-cell buffer (cells 1 to 6) followed by the instruction area (Accept input, Run Program, Print)]
[Diagram, after the input: A, B, C, D, E, F fill cells 1 to 6, and "LET JOHN IN WITHOUT PASSWORD" spills past the end of the buffer into the instruction area, replacing what the program was about to execute]

11

Stack Entry and Buffer Overflow

[Diagram of one stack entry: the saved Return Address sits above the Data Buffer. 1. The program writes the return address. 2. The called subprogram adds data to the buffer. 3. Data is written upward, toward the return address. 4. Excess data overwrites the return address. 5. The overwritten return address points at the start of the attacker's data.]

- When a program puts one subprogram on hold to call another, it writes the return address into an area of RAM called a stack entry (stack frame), right next to the called subprogram's local data buffers
- The called subprogram may add data to the buffer until it overwrites the return address
- If the added buffer data is attack code, and the overwritten return address points back at it, the subprogram "returns" into the attacker's code: this is a buffer overflow attack
- http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/

12

Preventing Buffer Overflow

- Use languages/tools that provide automatic bounds checking, such as Perl, Python and Java, instead of lower-level languages (C, assembly, etc.).
- However, this is often not possible or practical: almost all modern operating systems, and the runtimes of those safer languages themselves, are written in C.
- Eliminate the use of flawed library functions like gets(), strcpy() and strcat(), which copy without checking the length or bounds of their arguments (sprintf() into a fixed buffer has the same problem).
- Design and build security within code: check every length against the destination buffer before copying.
- Use code-analysis tools.
- Example: the PurifyPlus software suite performs dynamic (runtime) analysis of Java, C or C++ programs and reports out-of-bounds memory accesses.

// replace the following line
strcpy(buffer2, string2);
// by a bounded copy that also guarantees termination
strncpy(buffer2, string2, sizeof buffer2 - 1);
buffer2[sizeof buffer2 - 1] = '\0';

For instance, with an eight-byte buffer2 this simple change tells the copy routine that the destination holds only eight bytes (seven characters plus the terminating NUL), so the raw copy stops after seven bytes. The explicit terminator is needed because strncpy() does not add one when the source is as long as or longer than the limit.

Key Principle: Never Trust User Input
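As an added example (not part of the original slides), the following C program models the "LET JOHN IN WITHOUT PASSWORD" scenario from the previous slides: an eight-byte password buffer followed in memory by an "authenticated" flag. The record layout, the password s3cret and the function names are assumptions for illustration only. The record is modelled as one byte array so that every access in the demo itself is well-defined C; login_vulnerable() copies the input with no regard for the buffer's size, the way strcpy() or gets() would, while login_hardened() rejects over-long input and uses the bounded-copy-plus-terminator pattern from the slide.

```c
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical login record, laid out like the slide's diagram:
 *   bytes 0..7   password buffer (7 characters + NUL)
 *   bytes 8..11  "authenticated" flag (an int), directly after the buffer
 * Modelled as a plain byte array so the overflow stays inside one object and
 * every access is well-defined C. The same adjacency occurs with
 * `struct { char buf[8]; int ok; }` on most compilers.
 */
#define BUF_LEN   8
#define FLAG_OFF  BUF_LEN
#define REC_LEN   (BUF_LEN + (int)sizeof(int))
#define SLACK     64      /* spare room so the demo never writes past `rec` */

static const char SECRET[] = "s3cret";   /* assumed password, for illustration only */

static int get_flag(const unsigned char *rec)
{
    int v;
    memcpy(&v, rec + FLAG_OFF, sizeof v);
    return v;
}

static void set_flag(unsigned char *rec, int v)
{
    memcpy(rec + FLAG_OFF, &v, sizeof v);
}

/* Bounded copy that always NUL-terminates: the slide's strncpy() fix done
 * correctly (strncpy alone leaves no terminator when src fills the buffer). */
char *copy_bounded(char *dst, size_t dstsize, const char *src)
{
    if (dstsize == 0)
        return dst;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return dst;
}

/* VULNERABLE: copies the whole input into the 8-byte buffer with no check
 * against BUF_LEN (the strcpy()/gets() pattern). The 9th byte onward lands
 * in the flag, so any input of 9 or more characters is "authenticated". */
int login_vulnerable(const char *password)
{
    unsigned char rec[REC_LEN + SLACK];
    size_t n = strlen(password) + 1;          /* include the NUL, like strcpy */

    memset(rec, 0, sizeof rec);               /* flag starts as 0: not authenticated */
    if (n > sizeof rec)
        n = sizeof rec;                       /* keeps the demo inside `rec`; real strcpy has no cap */
    memcpy(rec, password, n);                 /* <-- the bug: no comparison with BUF_LEN */
    rec[sizeof rec - 1] = '\0';

    if (strcmp((const char *)rec, SECRET) == 0)
        set_flag(rec, 1);
    return get_flag(rec) != 0;                /* the program trusts the flag */
}

/* HARDENED: checks the length against the destination before copying and
 * refuses input that would not fit, so only the password comparison can
 * ever set the flag. */
int login_hardened(const char *password)
{
    unsigned char rec[REC_LEN];
    char *buf = (char *)rec;

    memset(rec, 0, sizeof rec);
    if (strlen(password) >= BUF_LEN)          /* would need truncation or overflow: refuse */
        return 0;
    copy_bounded(buf, BUF_LEN, password);

    if (strcmp(buf, SECRET) == 0)
        set_flag(rec, 1);
    return get_flag(rec) != 0;
}

/* Shows that copy_bounded() truncates and terminates instead of overflowing. */
int copy_bounded_truncates(void)
{
    char buf[BUF_LEN];
    copy_bounded(buf, sizeof buf, "AAAAAAAAB");      /* 9 chars into 8 bytes */
    return strcmp(buf, "AAAAAAA") == 0 && buf[BUF_LEN - 1] == '\0';
}

int main(void)
{
    const char *attack = "AAAAAAAAB";   /* 8 filler bytes, then one byte that lands in the flag */
    printf("vulnerable, right password : %d\n", login_vulnerable(SECRET));
    printf("vulnerable, wrong password : %d\n", login_vulnerable("wrong"));
    printf("vulnerable, overflow input : %d  <- let in without the password\n", login_vulnerable(attack));
    printf("hardened,   right password : %d\n", login_hardened(SECRET));
    printf("hardened,   overflow input : %d\n", login_hardened(attack));
    return 0;
}
```

The attack string needs no code at all: it only has to be long enough for one non-zero byte to land in the flag, which is the data-only version of the slide's "LET JOHN IN WITHOUT PASSWORD". Note that the hardened version rejects over-long input rather than silently truncating it; truncation would be memory-safe but would still let "s3cretXYZ" authenticate as "s3cret".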

13

Applications permissions

- Examples for smartphones
  - Make phone calls: for dialer replacements, Google Voice, etc. NOT for ringtone apps. If an app you download has no business setting up a phone call, be suspicious.
  - Send SMS or MMS
  - Read contact data
  - Find GPS location: if an app gets its revenue from location-based ads, it needs to know where you are. Otherwise be suspicious.
  - Network communication (full Internet access, view network / Wi-Fi state, create Bluetooth connections): if an app has no function for you to communicate with anyone else, and no downloadable content, this usually means ads. To show you ads, the app needs to fetch them from the Internet.


14

How to know an app's permissions?

- Download and install SureMDM Web Console
- Log in to the SureMDM Web Console
- Select your smartphone or tablet from the device list
- Click the Apps button to see the list of installed apps on the device
- Select an application and click the Permission button. A screen similar to the following will pop up.

(On the device itself, Android lists the same permissions under Settings > Apps, and the app store shows them before installation.)


15

Applications permissions (cont.)

- Android does a great job of forcing app developers to tell the prospective user what sort of permissions are required and what information the app will access.
- If an app requests permissions that its function does not need, do not install it.
- If a hacker takes over an application program, he or she receives the permissions with which the program runs, so every unneeded permission an app holds is one more thing the attacker gains by compromising it.
16

Web service security

17

Web services & E-Commerce apps

- Web applications can be the target of many types of attacks, such as:
  - Directory browsing
  - Traversal attacks
  - Web defacement
  - Using an HTTP proxy to manipulate the interaction between client and server
  - IIS IPP buffer overflow
  - Browser attacks
  - Time configuration

18

Web sites' directory browsing

- Web server with Directory Browsing disabled
  - A user cannot obtain the list of files in a directory by knowing or guessing the directory name (files whose names are known or guessed can still be requested directly, so this is not a substitute for access control)

19

Web site with directory browsing

- Web server with Directory Browsing enabled
  - A user can obtain the list of files in a directory by knowing or guessing the directory name

20

Traversal Attack

- Normally, paths start at the WWW root directory
- Adding ../ (Unix, and accepted by most Windows servers as well) or ..\ (Windows) to an HTTP request might take the attacker up a level, out of the WWW root directory.
- Example: http://website.com/../../
- Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../
- If an attacker traverses to the directory holding the command interpreter (cmd.exe) on Windows 2000 or NT, he can run commands on the server with the privileges of the web server process
21

Traversal Attacks (Cont.)

- Preventing traversal attacks
  - Companies filter out ../ and ..\ using URL scanning software
  - Attackers respond with hexadecimal (%2e%2e%2f) and Unicode / overlong UTF-8 (e.g. %c0%af for /) representations of ../ and ..\
  - The filter must therefore run on the fully decoded, canonical path, the same form the file system will see, not on the raw request string

ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions

Name                Character   Code      Decimal   Binary     Hex
Null                NUL         Ctrl @    0         00000000   00
Start of Heading    SOH         Ctrl A    1         00000001   01
Space                                     32        00100000   20
Exclamation Point   !           Shift 1   33        00100001   21
Plus                +           Shift =   43        00101011   2B
Period              .           .         46        00101110   2E
Forward Slash       /           /         47        00101111   2F
Tilde               ~           Shift `   126       01111110   7E

So ../ can be written as %2E%2E%2F, which a filter matching the literal string "../" will not catch unless it decodes the request first.
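As an added example, not from the original slides: a small C filter that decodes a requested URL path the way a lenient server would (repeated %XX decoding, plus folding the overlong two-byte UTF-8 forms such as %c0%af for /) and then walks the path segments to decide whether the request climbs above the web root. The function names are assumptions, and the sample requests are constructed for the demo; they include the slide's own Case1/../ example and the well-known IIS-era ..%c0%af and ..%255c forms.

```c
#include <stdio.h>
#include <string.h>

/* Value of one hex digit, or -1 if `c` is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* One pass of %XX decoding from `in` to `out`. Returns 0 on success, -1 on a
 * malformed escape, an encoded NUL (%00, used to truncate paths) or overflow. */
static int url_decode(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        int c = (unsigned char)in[i];
        if (c == '%') {
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = (hi < 0) ? -1 : hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            i += 2;
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 0;
}

/* Fold the overlong two-byte UTF-8 forms C0 80..BF and C1 80..BF back to the
 * ASCII byte a lenient decoder accepts: C0 AF -> '/', C0 AE -> '.', C1 9C -> '\'.
 * Filters that did not see these as slashes let "..%c0%af" through. */
static void fold_overlong_utf8(char *s)
{
    size_t r = 0, w = 0;
    while (s[r] != '\0') {
        unsigned char b0 = (unsigned char)s[r];
        unsigned char b1 = (unsigned char)s[r + 1];   /* may be NUL; then the range test fails */
        if ((b0 == 0xC0 || b0 == 0xC1) && b1 >= 0x80 && b1 <= 0xBF) {
            s[w++] = (char)(((b0 & 0x1F) << 6) | (b1 & 0x3F));
            r += 2;
        } else {
            s[w++] = s[r++];
        }
    }
    s[w] = '\0';
}

/* Walk the decoded path segment by segment ('/' and '\' both separate), tracking
 * the depth below the web root. ".." at depth 0 means the request escapes it. */
static int path_stays_in_root(const char *p)
{
    int depth = 0;
    const char *seg = p;
    for (;;) {
        const char *end = seg;
        while (*end != '\0' && *end != '/' && *end != '\\') end++;
        size_t len = (size_t)(end - seg);
        if (len == 2 && seg[0] == '.' && seg[1] == '.') {
            if (depth == 0) return 0;      /* climbing above the WWW root */
            depth--;
        } else if (len > 0 && !(len == 1 && seg[0] == '.')) {
            depth++;                        /* ordinary directory or file name */
        }
        if (*end == '\0') return 1;
        seg = end + 1;
    }
}

/* Returns 1 if the requested path (the part of the URL after the host) would
 * leave the web root once canonicalised, or is malformed; 0 if it is safe.
 * Decoding is repeated (up to three passes) so that a double-encoded "%255c"
 * is seen as the "\" the server would eventually see. */
int request_escapes_webroot(const char *path)
{
    char buf[512], tmp[512];
    const char *q = strchr(path, '?');                 /* ignore the query string */
    size_t len = q ? (size_t)(q - path) : strlen(path);

    if (len >= sizeof buf) return 1;                   /* absurdly long: treat as hostile */
    memcpy(buf, path, len);
    buf[len] = '\0';

    for (int pass = 0; pass < 3 && strchr(buf, '%') != NULL; pass++) {
        if (url_decode(buf, tmp, sizeof tmp) != 0) return 1;
        strcpy(buf, tmp);                              /* safe: tmp is shorter than sizeof buf */
    }
    fold_overlong_utf8(buf);
    return path_stays_in_root(buf) ? 0 : 1;
}

int main(void)
{
    /* Constructed sample requests: the slide's own example plus classic encoded forms. */
    const char *samples[] = {
        "/~a_illia/BUS3500/Brief/Case1/../",
        "/../../",
        "/images/..%2F..%2F..%2Fetc/passwd",
        "/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir",
        "/scripts/..%255c..%255cwinnt/system32/cmd.exe",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-52s -> %s\n", samples[i],
               request_escapes_webroot(samples[i]) ? "BLOCK (leaves web root)" : "allow");
    return 0;
}
```

The order of operations is the whole point: decode (as many layers as the server will), fold the alternative encodings, and only then look for "..". A filter that searches the raw request for "../" is defeated by every row of the ASCII table above. The slide's Case1/../ request is allowed because it climbs one level but stays inside the root, whereas the ..%c0%af and ..%255c forms are blocked because, once canonicalised, they climb past it. Repeated decoding does reject the rare legitimate path containing a literal percent sign; that is the conservative side to err on.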

22

Website defacement

- Taking over a web server and replacing its normal web pages with hacker-produced pages
- The effect can outlast the clean-up, because ISPs (and CDNs) cache copies of popular web sites
- Examples of recent website defacements
  - ATTRITION Web Page Hack Mirror: http://attrition.org/mirror/
  - Zone-H web site for the most recent attacks: http://www.zone-h.org (check Onhold and Archive)

23

Manipulating HTTP requests

- Attackers use intercepting proxies to manipulate the communication between browsers and web servers: every parameter, cookie, hidden form field and header can be edited before it reaches the server, so client-side validation (JavaScript checks, hidden prices, disabled form fields) provides no security and the server must re-validate everything it receives
- Example using WebScarab

24

IIS IPP Buffer Overflow

- The Internet Printing Protocol (IPP) ISAPI extension shipped with IIS 5.0 on Windows 2000 is vulnerable to a buffer overflow (Microsoft bulletin MS01-023)
- The jill.c program was developed to launch the attack with a request of the form:

GET /NULL.printer HTTP/1.0
Host: <about 420 bytes of jill.c payload that launches a command shell>

- The IIS server responds by launching a command shell (C:\WINNT\SYSTEM32\>) connected back to the attacker's listener, giving the attacker SYSTEM privileges because the extension ran inside the IIS server process

25

IIS IPP Buffer Overflow (cont.)

- Link to jill.c code
- Code compilable on Linux with: gcc jill.c -o jill
- A Windows port (jill-win32.c) and a ready-to-run executable (jill-win32.exe) were available at ftp://ftp.technotronic.com/newfiles/jill-win32.exe


26

IIS IPP Buffer Overflow (cont.)


Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc

27

Login Screen Bypass Attack

- A website user gets a login screen
- Instead of logging in, the user enters the URL of a page behind the login screen directly and gains access without authorization (forced browsing)
- This works whenever the application checks credentials only on the login page; every protected page must verify the user's session server-side on each request


28

Browser Attacks

- Malicious links
  - The user usually must click on them to execute (but not always)
  - Common file extensions are hidden by default in some operating systems, so attack.txt.exe appears as attack.txt

29

Browser Attacks (Cont.)

- Common attacks
  - Redirection to an unwanted web page
  - Scripts might change the registry or the browser's home page
  - Some scripts might "trojanize" the DNS error-handling routine that runs when you mistype a URL
  - Pop-up windows
  - Web bugs, i.e. links or images that are nearly invisible, used to track users on a website
  - Domain names that are common misspellings of popular domain names (typosquatting), e.g. Microsoff.com; www.whitehouse.com (at the time, a porn site)