Network Security - ISA 656 Web Security

2 Nov 2013

Angelos Stavrou
October 30, 2007
Web Security
SSL
Protecting the Client
Active Content
Continuing Authentication
Server-Side Security

Crypto (SSL)
Client security
Server security
SSL
Trusting SSL
The Server's Knowledge of the Client
How Did That Happen?
SET
The Failure of SET
Aside: The SET Root Certificate
The Client's Knowledge of the Server
Who Issues Web Certificates?
Mountain America Credit Union
A Fake Certificate
A Technical Attack
Conclusions on SSL

Mostly covered last time
Crypto is insufficient for Web security
One issue: linkage between crypto layer and applications
Trusting SSL
What does the server really know about the client?
What does the client really know about the server?
The Server's Knowledge of the Client
What has SSL told the server?
Unless client-side certificates are used, absolutely nothing
SSL provides a secure pipe. Someone is at the other end; you don't know whom
How Did That Happen?
In theory, we could have had digitally-signed purchase orders linked to credit card accounts
That would have required that Netscape, when it invented SSL, have some way to issue client-side certificates that were linked to credit card accounts and didn't have the credit card number in the certificate
Netscape couldn't have done that; only the banks could have
Back in 1994, banks didn't believe in this new-fangled Internet thing (remember that until Windows 95, TCP/IP wasn't included in Windows)
SET
A few years later, Visa and MasterCard (and eventually Amex) tried
They developed a protocol called SET (Secure Electronic Transaction)
It provided client-side certificates linked to credit cards
In theory, merchants wouldn't need to know (and store) credit card numbers
Virtually no one used it
The reasons were both technical and financial
The Failure of SET
It required client-side software
⇒ Very few people install extra software
Client-side certificates are hard to use: what if you use several computers?
There was too little financial incentive for merchants, so they couldn't give customers a discount for using SET
It still permitted merchants to store credit card numbers; in fact, they were present, albeit encrypted, in the certificate
⇒ Merchants use credit card numbers as customer tracking keys for databases
Good crypto alone isn't sufficient!
Aside: The SET Root Certificate
Who should control the SET root certificate, used to sign the Visa, MasterCard, etc., top-level certificates?
(SET certified Visa et al.; they certified banks, who in turn issued customer certificates)
It would be catastrophic if the root's private key were compromised
Visa didn't trust MasterCard, or vice versa
Solution: a sacrificial PC signed all of the second-level certificates, at which point it was physically smashed. Different organizations took home different pieces...
The Client's Knowledge of the Server
The client receives the server's certificate. Does that help?
A certificate means that someone has attested to the binding of some name to a public key.
Who has done the certification? Is it the right name?
Who Issues Web Certificates?
Every browser has a list of built-in certificate authorities
The latest version of Firefox has 138 certificate authorities!
Do you trust them all to be honest and competent?
Do you even know them all?
(Baltimore CyberTrust is listed. It sold its PKI business in 2003. Are the new owners trustworthy?)
Mountain America Credit Union
Early this year, someone persuaded a reputable CA to issue them a certificate for Mountain America, a credit union
The DNS name was www.mountain-america.net
It looks legitimate, but the real credit union site is at www.mtnamerica.org.
(There's also www.mountainamerica.com, a Las Vegas travel site)
Which site was intended by the user?
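To make concrete what the browser actually checks in the three preceding slides (the name binding, not the CA's honesty and not the user's intent), here is an added Python example; it is not code from the original lecture. It matches a certificate's names against a hostname the way a TLS client does, over a constructed dict in the shape ssl.SSLSocket.getpeercert() returns. The certificate contents below (the issuer "Example Reputable CA", the expiry date, the second SAN entry) are made up for the example; they are not the real Mountain America certificate.

```python
import ipaddress

# Constructed peer certificate in the dict shape that ssl.SSLSocket.getpeercert()
# returns. Issuer, expiry and the second SAN entry are invented for this example.
PEER_CERT = {
    "subject": ((("commonName", "www.mountain-america.net"),),),
    "issuer": ((("commonName", "Example Reputable CA"),),),
    "subjectAltName": (("DNS", "www.mountain-america.net"),
                       ("DNS", "mountain-america.net")),
    "notAfter": "Dec 31 23:59:59 2007 GMT",
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented DNS identifier against a hostname, RFC 6125 style.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    honoured only as the entire left-most label and only when at least two
    labels follow it, so '*' and '*.org' never match anything.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True if a subjectAltName entry covers hostname (DNS name or IP literal).

    Only the SAN extension is consulted; the subject Common Name is ignored,
    as current browsers do. Nothing here says who issued the certificate or
    whether this is the name the user actually intended to visit.
    """
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and ip is None and dns_name_matches(value, hostname):
            return True
        if kind == "IP Address" and ip is not None:
            try:
                if ipaddress.ip_address(value) == ip:
                    return True
            except ValueError:
                continue
    return False


def issuer_common_name(cert: dict) -> str:
    """Pull the issuer CN out of the nested RDN tuples getpeercert() uses.
    This is the name a user would have to judge for trustworthiness."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""
```

The check passes for www.mountain-america.net exactly as the real browser did, because the binding in the certificate is correct; it fails for www.mtnamerica.org. Whether the first name is the one the user meant, and whether issuer_common_name() names a CA worth trusting, are the questions the cryptography cannot answer.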
A Fake Certificate
A Technical Attack
Usually, you shop via unencrypted pages
You click "Checkout" (or "Login" on a bank website)
The next page, downloaded without SSL protection, has the login link, which will use SSL
What if an attacker tampers with that page, and changes the link to something different? Will you notice?
Note that some small sites out-source payment processing...
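A check a site operator can run against this attack, as an added example that is not part of the original slides: parse a page and report every login form or link that would send the next request over plain HTTP. The checkout page and the host names shop.example and pay.example are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed checkout page, as a merchant might serve it over plain HTTP.
CHECKOUT_PAGE = """
<html><body>
<a href="https://shop.example/login">Login</a>
<form action="https://pay.example/checkout" method="post">
  <input type="password" name="pw">
</form>
<form action="http://pay.example/checkout" method="post">
  <input type="password" name="pw">
</form>
<a href="/account">My account</a>
</body></html>
"""


class _TargetCollector(HTMLParser):
    """Collect link targets and form actions, noting forms with a password field."""

    def __init__(self):
        super().__init__()
        self.links = []
        self.forms = []            # (action, has_password_field)
        self._current_form = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "form":
            self._current_form = [a.get("action", ""), False]
        elif tag == "input" and self._current_form is not None:
            if a.get("type", "").lower() == "password":
                self._current_form[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current_form is not None:
            self.forms.append(tuple(self._current_form))
            self._current_form = None


def find_insecure_targets(page_html: str, page_url: str) -> list:
    """Return (kind, absolute_url) for every link, and every password form,
    whose target is not https.

    A relative target inherits the page's scheme, so on an http:// page every
    relative link is itself an http:// link, which is exactly the tampering
    surface the slide describes.
    """
    p = _TargetCollector()
    p.feed(page_html)
    p.close()
    findings = []
    for href in p.links:
        url = urljoin(page_url, href)
        if urlsplit(url).scheme != "https":
            findings.append(("link", url))
    for action, has_pw in p.forms:
        url = urljoin(page_url, action)
        if has_pw and urlsplit(url).scheme != "https":
            findings.append(("password-form", url))
    return findings
```

The check is only meaningful on a copy of the page you fetched over TLS yourself; a page retrieved over HTTP can already have been rewritten before you look at it. The durable fix is to serve the page that carries the login link over HTTPS as well, so there is no unprotected hop to tamper with.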
Conclusions on SSL
The cryptography itself seems correct
The human factors are dubious
Most users don't know what a certificate is, or how to verify one
Even when they do know, it's hard to know what it should say in any given situation
There is no rational basis for deciding whether or not to trust a given CA
Protecting the Client
Web Browser Security
The Attackers' Goals
Buggy Code
Why Are Browsers So Insecure?
Web Browser Security
User interface
Buggy code
Active content
The Attackers' Goals
Steal personal information, especially financial site passwords
Turn computers into "bots"
Bots can be used for denial of service attacks, sending spam, hosting phishing websites, etc.
Buggy Code
All browsers are vulnerable, and getting worse
Browser bugs (Symantec):
Browser   1H2005  2H2005  1H2006
IE            25      25      38
Firefox       32      17      47
Opera          7       9       7
Safari         4       6      12
Exposure period in days, from exploit availability to patch (Symantec; a negative value means the patch preceded the exploit):
Browser   2H2005  1H2006
IE            25       9
Firefox       -2       1
Safari       n/a       5
Opera         18       2
Why Are Browsers So Insecure?
Their task is complex
They are dealing with many untrusted sites
By definition, browser inputs cross protection domains
It is likely that no browser is significantly better than any other in this regard: they're all bad
Active Content
JavaScript
AJAX
ActiveX
Downloading ActiveX Controls
Why ActiveX?
Active Content
There's worse yet for web users: active content
Typical active content: JavaScript, Java, Flash, ActiveX
Web pages can contain more-or-less arbitrary programs or references to programs
To view certain web pages, users are told "please install this plug-in", i.e., a program
"Given a choice between dancing pigs and security, users will pick dancing pigs every time." (Ed Felten)
JavaScript
No relationship to Java; originally called LiveScript (EvilScript?)
Source of most recent security holes, in Firefox and IE
No clear security model
Crucial link in cross-site scripting attacks
AJAX
AJAX: Asynchronous JavaScript and XML
Permits highly interactive web pages, e.g., Google Maps
Security implications for client and server are still quite unclear (but are likely to be bad...)
ActiveX
The biggest active content design error
Over 1,000 ActiveX controls on a typical new, out-of-the-box machine
Translation: over 1,000 different pieces of code that can be run by almost any web page
But wait, there's more!
Downloading ActiveX Controls
Any web page can download other controls
Translation: any web page can download an arbitrary piece of code to run on a user's machine
The only protection is a digital signature on the downloaded code
But at best that identifies the author; see the previous discussion of certificates!
There is no restriction on what the code can do
Why ActiveX?
It can be used for some very beneficial things, such as Windows Update
It can be used to "enhance" the user's web experience, e.g., provide dancing pigs
Business reasons? Tie websites to Windows and IE?
Only IE has ActiveX. This is the single biggest security difference between IE and Firefox
Continuing Authentication
Untrusted Clients
Protecting Identification Information
Hidden Values
Cookies
Protecting Authentication Data
Sidebar: Cookies and JavaScript
Cross-Site Scripting (XSS)
Why It Works
Sanitizing Input
Continuing Authentication
Initial authentication is usually by password
How is continuing authentication done?
Two principal ways: cookies and hidden values
Both have their limits
Fundamental issue: both are sent by untrusted clients
Untrusted Clients
The website is interested in identifying users
(Some) users have incentive to cheat
The goal of the website is to make cheating impossible
But the website doesn't control the client software or behavior
Protecting Identification Information
After the user logs in (somehow), create a string that contains the user-id
Encrypt (optional) and MAC this string, using keys known only to the server; pass the string to the client
When the string is sent to the server, validate the MAC and decrypt, to see who it is
Only the server knows those keys, so only the server could have created those protected strings (similar to a Kerberos TGT)
Optional: include timestamp, IP address, etc.
Hidden Values
Protected user-id string can be embedded in the web page, and returned on clicks
Embed in URLs, but then they're visible in log files
Make them hidden variables passed back in forms:
<INPUT TYPE=HIDDEN NAME=REQ VALUE=RENEW>
<INPUT TYPE=HIDDEN NAME=PID VALUE="2378">
<INPUT TYPE=HIDDEN NAME=SEQ VALUE="20060928002359">
<P><INPUT TYPE=SUBMIT VALUE="Renew Items"><INPUT ...></FORM>
Cookies
More commonly used
Allow you to re-enter site
Are sometimes stored on user's disks
Protecting Authentication Data
Continuing authentication data is frequently unencrypted!
Most sites don't want the overhead of SSL for everything
Credentials are easily stolen
Usual defenses: lifetime; re-authenticate before doing really sensitive stuff
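The protected user-id string from "Protecting Identification Information", carried as a hidden value or a cookie and bounded by the lifetime just mentioned, as one added Python example serving all four slides; it is not code from the original lecture. The design follows the slides: a payload holding the user-id and a timestamp, an HMAC under a key only the server knows, verification before anything in the payload is trusted. The encryption step the slide marks optional is omitted, so the payload is readable but unforgeable. The key is generated at import time here so the example runs stand-alone; in a real deployment it would come from a key store.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Server-side secret. Generated on start-up so the example is self-contained;
# a production server loads it from a key store and rotates it.
MAC_KEY = secrets.token_bytes(32)


def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id: str, lifetime_s: int = 3600, *,
                key: bytes = MAC_KEY, now: Optional[float] = None) -> str:
    """Build the protected user-id string handed to the client after login.

    Payload: user-id, issue time and expiry (the slide's optional timestamp).
    An HMAC-SHA256 under a key only the server knows is appended. Anyone
    holding the token can read the payload (it is not encrypted), but nobody
    without the key can alter or forge it.
    """
    now = time.time() if now is None else now
    claims = {"uid": user_id, "iat": int(now), "exp": int(now) + lifetime_s}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)


def verify_token(token: str, *, key: bytes = MAC_KEY,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user-id if the token is authentic and unexpired, else None.

    The MAC is checked with a constant-time compare before the payload is
    trusted at all, so a tampered token never reaches the JSON parser; the
    lifetime check then bounds how long a stolen token remains useful.
    """
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = b64d(payload_b64), b64d(tag_b64)
    except ValueError:
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if now >= claims["exp"]:
        return None
    return claims["uid"]


def hidden_field(token: str) -> str:
    """The hidden-values variant: carry the token in the form, as on the
    Hidden Values slide, instead of setting it as a cookie."""
    return f'<INPUT TYPE=HIDDEN NAME=AUTH VALUE="{token}">'
```

Because the token travels over whatever the page travels over, an unencrypted page still exposes it to theft in transit; the MAC only stops forgery and tampering, and the expiry only limits the damage. Binding the client's IP address into the payload, the slide's other option, is easy to add to the claims but breaks users behind changing proxies, which is why many sites settle for the lifetime plus re-authentication.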
Sidebar: Cookies and JavaScript
IE trusts local content more than it trusts downloaded files
Content is "local" if it's coming from a file on the user's disk
Each cookie is stored as a separate file
Suppose you put a script in a cookie, and then referenced it by filename?
Now you know why browsers use random characters in some of their filenames...
(Partially changed by Windows XP SP2)
Cross-Site Scripting (XSS)
Problem usually occurs when sites don't sanitize user input to strip HTML
Example: chat room (or MySpace or blog sites) that let users enter comments
The "comments" can include JavaScript code
This JavaScript code can transmit the user's authentication cookies to some other site
Why It Works
A JavaScript program can only access data for the current website
But JavaScript from a site can access that site's cookies
Because of the XSS bug, the JavaScript from that site contains malicious code
It can therefore steal cookies and send them to some other site, via (say) an IMG URL
Sanitizing Input
Very hard to do properly
Whitelist instead of blacklist: accept <I> instead of blocking <SCRIPT>
Watch for URL encoding: %3C
Watch for numeric character references: &#x3C; or &#x003c; or &#x00003c; or &#60; or...
Probably a way to write it in octal, too
Unicode is tricky; see RFC 3454. What do all of your users' browsers understand?
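The whitelist approach from this slide, applied to the comment field of the XSS slides, as an added Python example (not code from the original lecture): the input is first normalised through the encodings listed above, then parsed, and only a fixed set of harmless tags is kept, with everything else escaped rather than silently dropped so the reader sees what was submitted. The tag list and the sample payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser
from urllib.parse import unquote

# Tags a comment may keep. Attributes are never kept, so an allowed tag cannot
# smuggle an onclick= handler.
ALLOWED_TAGS = {"i", "b", "em", "strong", "p", "br"}


def normalize(text: str) -> str:
    """Undo percent-encoding and HTML character references before inspection.

    Repeated until stable so that double-encoded input (%253C, &amp;#x3C;)
    cannot slip past a single decoding pass.
    """
    prev = None
    while prev != text:
        prev = text
        text = html.unescape(unquote(text))
    return text


class _Whitelister(HTMLParser):
    """Re-emit the document keeping only ALLOWED_TAGS; escape everything else."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text(), quote=True))

    def handle_startendtag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")
        else:
            self.out.append(html.escape(self.get_starttag_text(), quote=True))

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>", quote=True))

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))

    def handle_comment(self, data):
        # Comments are shown as text too; conditional comments once carried script.
        self.out.append(html.escape(f"<!--{data}-->", quote=True))


def sanitize_comment(raw: str) -> str:
    """Return HTML that is safe to place in the body of a page."""
    p = _Whitelister()
    p.feed(normalize(raw))
    p.close()
    return "".join(p.out)
```

The output is safe only in HTML body context; a value placed inside an attribute, a URL or a script block needs that context's own encoding. Declarations and processing instructions are dropped by the parser. Marking the session cookie HttpOnly keeps document.cookie out of reach of any script that does get through, which addresses the cookie-theft step of the previous slide independently of the sanitizer.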
Server-Side Security
Protecting the Server
Standard Defenses
Server-Side Scripts
Injection Attacks
Scrubbing Your Site
Users
Protecting the Server
Servers are very tempting targets
Defacement
Steal data (e.g., credit card numbers)
Distribute malware to unsuspecting clients
Standard Defenses
Check all inputs
Remember that nothing the client sends can be trusted
Scrub your site
Server-Side Scripts
Most interesting websites use server-side scripts: CGI, ASP, PHP, server-side include, etc.
Each such script is a separate network service
For a website to be secure, all of its scripts must be secure
What security context do scripts run in? The web server's? How does the server protect its sensitive files against malfunctioning scripts?
This latter is a particular problem with server plug-ins, such as PHP
Partial defense: use things like suexec
Injection Attacks
Often, user-supplied input is used to construct a filename or SQL query
Bad guys can send bogus data
Example: a script that sends email collects a username and executes
/usr/bin/sendmail username
The bad guy supplies
foo; rm -rf /
as the username
The actual code executed is
/usr/bin/sendmail foo; rm -rf /
Oops...
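The sendmail bug above beside its fixes, and the same mistake aimed at the SQL query the slide also mentions, as an added Python example; it is not code from the original lecture. Nothing here runs sendmail: the functions only build the command line or argument vector so the difference is visible. The username whitelist and the two-row users table are constructed for the example.

```python
import re
import shlex
import sqlite3

SENDMAIL = "/usr/bin/sendmail"   # command lines are built, never executed here


# ---- the slide's bug: user input spliced into a shell command line ---------

def vulnerable_command(username: str) -> str:
    """What the slide's script does, in effect: paste the username into a
    command line that a shell will interpret (os.system() or shell=True)."""
    return f"{SENDMAIL} {username}"


# ---- two layers of fix ------------------------------------------------------

_LOCAL_PART = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def validate_username(username: str) -> str:
    """Whitelist the recipient. Beyond shell metacharacters, refuse a leading
    '-' so the value cannot be taken as a sendmail option."""
    if not _LOCAL_PART.match(username) or username.startswith("-"):
        raise ValueError(f"invalid username: {username!r}")
    return username


def safe_argv(username: str) -> list:
    """Argument vector for subprocess.run(): no shell sees the string, so even
    'foo; rm -rf /' would reach sendmail as one odd recipient, not two commands."""
    return [SENDMAIL, validate_username(username)]


def shell_quoted_command(username: str) -> str:
    """If a shell is unavoidable, quote the argument so it stays one word."""
    return f"{SENDMAIL} {shlex.quote(username)}"


# ---- the same mistake aimed at SQL, with its fix ----------------------------

def demo_db() -> sqlite3.Connection:
    """In-memory users table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return conn


def lookup_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """String-built query: the WHERE clause is under the attacker's control."""
    return conn.execute(
        f"SELECT id FROM users WHERE name = '{username}'").fetchall()


def lookup_user(conn: sqlite3.Connection, username: str) -> list:
    """Parameterised query: the value is bound, never parsed as SQL."""
    return conn.execute(
        "SELECT id FROM users WHERE name = ?", (username,)).fetchall()
```

The argument-vector form is the real fix; shlex.quote is a fallback for the case where a shell is genuinely required, and the whitelist is worth keeping in both cases because the program itself (sendmail's option parsing, the SQL engine) is another interpreter of the same bytes.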
Scrubbing Your Site
What is really being served?
Web servers often come with default scripts; some of these are insecure
Example: nph-test-cgi that used to come with Apache
Example: proprietary documents; Google for them: filetype:pdf "company confidential"
(By the way, many documents have other, hidden data)
Can Google for some other vulnerabilities, too
Users
If your site permits user web pages (this department?) you have serious threats
Are the user CGI scripts secure?
Can users run PHP scripts in the web server's security context?
Are all of these secure?