Transcript SELECT * FROM User WHERE UserName=`andy`

BCIS 4630 Fundamentals of IT Security
EMAIL & WEB
Dr. Andy Wu
Overview
• Email security concerns
• Web application security concerns
• Server vulnerabilities
– Character encoding
• Stateless HTTP: a dilemma
• Attack on/from client
– Cross-site scripting (HTML injection)
– Session hijacking
– SQL injection
2
Email Attacks
• Email server and client programs are software applications
that, like any other applications, contain vulnerabilities due to
programmer error and oversight.
• Email content and credentials are transmitted in clear text,
making them susceptible to sniffing.
• Other common email-related security problems:
–
–
–
–
–
–
Virus (the proverbial attachment)
Worms
Spamming
Phishing
Scams (419s)
Hoax
3
SMTP Vulnerabilities
• Attackers can use several commands to exploit SMTP
servers.
• Buffer overflows
– Hackers may try to overflow the buffer of the user’s system.
– Use abnormally long input when issuing the HELO, MAIL or
RCPT commands.
• Attacker scan use malicious code to take control of the
mail server itself.
– Permits attackers to take complete control of a mail system.
– Debug and Wiz commands can open a back door.
4
SMTP Vulnerabilities
• Attackers scan the Internet for any incorrectly
configured SMTP servers.
• Scanning e-mail servers
– EXPN and VRFY may allow attackers to acquire
information from an e-mail server.
• Spamming e-mail servers
– Attacker sends a single e-mail message to a large
number of recipients.
– Attacker takes advantage of improperly configured
servers.
5
Forged Email Headers
• Headers that can be forged:
– Subject, Date, Message-ID
– From, To, CC
– Any arbitrary fields such as X-Mailer and XMessage-Info
– Received (except the last one)
• Headers that cannot be forged:
– The final Received
– IP address of the originating mail server
6
Spam
• Spam is the common term for unsolicited commercial e-mail.
– The term comes from a skit on Monty Python's Flying Circus
where two people are in a restaurant that only serves spam.
– The key to spam is the concept of repetition of unwanted things.
• The biggest incentive for the spammers is the “referral fees”
that they can collect by “referring” people to some commercial
sites.
– Pornography sites used to be the most popular.
– Recently, the most common sites promoted are online pharmacies
and loans.
• Spammers utilize mail relays for two purposes:
– To offload the work of sending large amounts of mail
– To disguise the source of the mail
7
Open Relay
•
•
Chucky ([email protected]) wants to send email to [email protected],
[email protected], [email protected]...
A properly (ideally) configured email server should only send out emails
originated from its own domain and deliver emails destined to user accounts
within its domain.
– If Com1’s SMTP server is configured correctly, it will not send out these emails because
Chucky’s email address belongs in another domain (childsplay.com).
– If these three emails come from outside, it will simply drop the emails for Bob and Eve.
It, however, will deliver the email to Alice.
•
If Com1’s email server is mis-configured, it behaves differently.
– Chucky may be able to deliver these emails even though his account is from a different
domain (childsplay.com instead of com1.com).
– Even though emails to Bob and Eve are for addresses in other domains (com2.com,
com3.com), it will try its best effort to deliver them by forwarding them to other email
servers.
8
Fighting Spam
• Ways to fight spam include:
– E-mail filtering
– Educate users about spam
• Cautious internet surfing
• Cautious towards unknown e-mail
–
–
–
–
Shut down open relays
Host/server filters
Blacklisting or DNSBL
Greylisting
9
Blocking Spam
• Spam can be filtered at the host level with pattern
matching, focusing on the sender, the subject, or
the text of the e-mail.
• Spam can also be filtered at the server level by
using pattern matching, but some mail software
also use blackhole lists of open relays.
• Spammers, however, always come up with even
smarter ways to evade detection.
– Sending the spam message as an image file seems to
be the most “effective” at this time.
10
Phishing
• Tries to obtain users’ confidential information such
as identification data, credit card numbers, bank
account numbers, web site credentials by tricking
the users into visiting fake Web sites.
• Often delivered with spam from “throw-away” email
accounts and spoofed identities.
• Often uses social engineering, e.g., the email urges
users to take some action. If users comply and
perform actions such as a “security update”, they
will be entering confidential information.
11
Phishing Skills
• Impersonation is the most popular and simplest
method of deceit.
• The attacker builds a complete fake site that looks
almost identical to the real McCoy, often using
images from the real site and adopting the same
elements of style.
• The attacker can use Web crawlers that look at a
site and attempt to download text and links on that
site.
• Images can be placed on the fake site by directly
linking their sources to the real site.
12
419 Scams
• 419 or Advanced Fee Fraud
– Named after the relevant section of the Criminal
Code of Nigeria referring to “Advance Fee Fraud”.
– Occurs when the victim pays money to someone
in anticipation of receiving something of greater
value.
• Victim is approached by an offshore company or
individual who cannot move a huge sum of money
overseas due to “foreign exchange control”.
• The victim is ask to transfer a relatively small amount of
money to help with the transfer of the huge sum. He/she
is offered some percentage of that money in return.
13
Web Apps: What Can Go Wrong
• Web platform
– Platform software (OS, IIS, etc.) may contain vulnerabilities.
• Client software
– Browser functionalities, e.g., scripting support, plug-ins, can be abused.
• Web application
– Authentication mechanism or program logic may have flaws.
– Session management mechanisms, e.g., cookies, sessions, can be
manipulated.
• Database server
– Malicious database queries compromise confidentiality or execute
commands.
• Transport
– Traffic between the client and the server can be sniffed.
14
Web Platforms
• Attacks can be launched by:
– Finding the vulnerabilities in the platform on
which the Web server is running, e.g., server
OS, Web server application.
– Tempering with the information in the
browser’s URL bar, HTTP header, input in
fields in an HTML form, etc.
– Non-ASCII Encoding schemes can be used to
obfuscate the attack and evade detection.
15
Encoding
• Web pages and URLs largely use the ASCII character
set. However, some characters have special meanings
and could cause confusion if entered as ASCII
characters.
– Also, HTTP does not allow spaces in the URL.
• Alternative encoding schemes, therefore, were created
to encode characters.
• Unfortunately, they are largely HEX-based and the
resultant patterns of characters look cryptic compared
with their ASCII counterparts.
• To untrained eyes, the meaning of a string of non-ASCII
characters is not readily interpretable.
16
URL Coding
•
•
•
Characters are represented in a URL as a percent sign directly followed by
the two-digit HEX equivalent to the character’s ASCII value.
The encoded form is called a “URL escape”.
They are often seen in phishing emails as a way to obfuscate the nature of
the URL.
Char
ASCII
URL Escape
Char
ASCII
URL Escape
.
72
%2e
/
73
%2f
<
86
%3c
>
88
%3e
(
66
%28
)
67
%29
(space)
32
%20
null
0
%00
17
Base64
•
•
Base64 is used to code and decode binary data (0s and 1s) as printable
ASCII characters.
It processes 3 bytes (24 bits) at a time. To ensure that the coding results in
printable ASCII characters, it takes 6 bits out of the 24, finds its decimal
equivalent, converts it to a printable character, and then the next 6.
– Using six bits meaning that there are 2^6 = 64 possibilities:10 digits, 26 lower
caseletters, 26 uppercase letters, the plus sign (+), and the forward slash (/).
•
Email handles binary in Base64.
Value
Character
Value
Character
0
A
42
a
52
1
61
9
62
+
63
/
18
UTF-7
• The English characters can be sufficiently handled with
the default UTF-8 scheme.
• To represent characters not found in English,
alternatives have to be used, e.g., Unicode, UTF-7, etc.
• UTF-7 is a widely supported scheme. It converts
Unicode into ASCII values.
UTF-8
UTF-7
<
+ADw-
>
+AD419
IIS Vulnerabilities
• In 1997, the L0pht crew showed that Microsoft Internet
Information Server (IIS) treated different representation of the
character . (dot) differently.
– Requesting the file login.asp displayed the regular HTML page.
– Requesting the file login%2easp displayed the source code of
the file.
• In 2001, Microsoft reported that entering
http://<server>/..%c0%af..%c0%af..%c0%af
..%c0%af..%c0%afwindows..%c0%afsystem32
..%c0%afcmd.exe (equivalent to
http://<server>/../../../../../../windows/
system32/cmd.exe, which normally would be blocked) would
bypass blocking and give the attacker a command console to
run commands on the Web server.
20
A Problematic Clientele
• Attacker from his or her own browser can “experiment” with
what he/her enters in the address bar or form fields to profile
the application sitting on the server and/or to launch attacks on
the weakness he/she finds.
• Attacker can install malicious contents in a victim’s browser or
manipulate what and how browser reacts to response sent
from the Web server (e.g., cross-site scripting).
• Cookies and session variables were solutions to dilemma
caused by the stateless HTTP. They can be stolen or hijacked.
• Browser add-ons can be used for attacks.
• JavaScript and ActiveX were meant to add interaction to user
experience but can be abused.
21
A Dilemma in Web Design
• HTTP is a stateless protocol.
– The client makes a request; the server serves the requested
document; and then the server closes the connection.
– Each request from the client is processed independent of other
requests.
– The server does not “remember” previous requests from the same
client.
– This allows the server to serve a maximum number of concurrent
requests efficiently.
• However, there are many occasions when we want the
server to “remember” the client.
22
(Not Necessarily Good) Solutions
• Cookies
– Small blocks of ASCII text stored on the client.
– Passed within an HTML stream to store data temporarily in a Web
browser instance.
– May be too small for Web application’s needs.
– Web application cannot rely on the assumption that a user will
accept cookies.
• Sessions
– Server-side collections of variables that make up the state.
– Once logged on, the client is assigned a session ID.
– The client is identified by this session ID in future requests.
23
Cookies
• A cookie contains a series of name-value pairs.
– The specification for cookies establishes several
specific name-value pairs for defined purposes.
– Additional name-value pairs may be defined at will by a
developer.
• Cookies store information that identifies the user,
his/her preference, previous activities at the site,
etc.
• Cookies pass back and forth between the Web
server and the browser, providing a seemingly
continuous communication session.
24
Cookies
• Cookies raise some privacy concern.
• Although cookies are unable to execute
code or access files, malicious use of
cookies occurs when
– Cookies are used to track a user’s surfing
habits.
– A user’s logon information from one site is sent
to another.
25
Sessions
• A Web application is composed by a number of Web pages,
many of which are dynamic. The first time a user accesses any
of those pages, he/she starts a “session” with the Web server.
When he/she closes the browser window, that particular
session ends.
• Most Web application can use session variables.
• Once the user logs on, a session is initiated and the user is
assigned a session ID.
– Session ID works like a short-term password or a proof of
successful authentication.
• Some programmers may store session IDs as cookies on the
user’s computer. The cookie is created when a session starts
and is removed when the session ends.
26
Cross-Site Scripting
• An attacker can connect to the server and hide malicious scripts on
the server.
• He/she then sends the victim a link to the infected page on the server.
In the link, he/she includes text such as the <script>tag that will
invoke the malicious script on the server.
• If the victim clicks the link, the page is requested from the server.
However, the <script> tag in the link is included as part of the HTML
streamed from the server to the client.
• The victim’s browser processes the HTML and when it comes across
the <script> tag it invokes the script.
– The malicious code can steal the victim’s information such as session ID
cookie and passes it to the attacker.
– With the victim’s session ID cookie, the attacker can impersonate the
victim.
27
XSS Attack on My 3680 Example
28
XSS Attack
• The success of the XSS attack relies on injecting
unexpected HTML code by manipulating the URL,
hence another name “HTML injection”.
• To fool the victim and to evade detection,
obfuscating the angle brackets and any other
unusual characters is essential. This can be done
by using URL encoding, UTF-7, etc. For example:
http://localhost:8080/eastwind/
validate2.jsp?username=%3Cscript%3Ecross
%28%29%3C/script%3E
29
Session Hijacking
• An attacker can get access to the session ID of a loggedin user. Ways to get a session ID:
–
–
–
–
–
–
Guessing
Brute forcing
Trial and error
Referer in HTTP header
Packet sniffing
Cross-site scripting
• The attacker can then install the session ID in his own
browser and present it to the server.
• The server would believe that it is communicating with the
authenticated user and give the attacker access to data
that the victim would have access to.
30
SQL Injection
• A web application normally builds queries based on inputs
taken from web/HTML controls, such as textboxes, and
then passes the query to the database server.
• An attacker may be able to modify or add queries that are
sent to a database server by playing with input to the web
application.
• If the application code is unable to detect characters in
the user input that have special meaning in SQL, the
attacker may be able to do more than what the web
application was designed to do.
31
What Can SQL Injection do?
•
•
•
•
•
•
Bypass logins
Modify data
Delete rows or entire tables
Execute console commands
Read hidden data
Steal credentials
SQL Injection
• Code for handling input
username = txtUsername.Text.ToString();
password = txtPassword.Text.ToString();
cmdGetUserInfo.CommandText = "SELECT * FROM
User WHERE UserName='" + username + "' AND
Password='" + password + "'";
33
SQL Injection
• The SQL statement that is assembled after the user
submits the form
SELECT * FROM User WHERE Username='andy' OR
'a'='a' AND Password=''
• Since the AND part is evaluated before the OR part,
and “a” is always equal to “a”, the statement is in
effect evaluated as:
SELECT * FROM User WHERE UserName='andy' OR TRUE
• As long as the username “andy” exists, this query will
retrieve the row.
– Thus, the password becomes useless.
34
Prevention with Good Coding Practice
• Use strongly typed variables and database column
definitions.
• Assign query results to a strongly typed variable.
• Limit data lengths.
• Apply data separation and role-based access within the
database.
• Avoid creating queries via string concatenation.
• A good, though not perfect, prevention is to use stored
procedures.
– With stored procedures, attacker input is more likely to be
evaluated as illegal or to return no matches.
35
Stored Procedures
• In the previous example, the malicious input (andy OR
‘a’=‘b) will be treated by the database server as the value
of the @username parameter rather than part of the SQL
statement.
• It is not possible for an attacker to manipulate the entire
query. For example,
Create Procedure GetUserInfo As
Declare @Username varchar
Declare @Password varchar
Set @Username = ""
Set @Password = ""
SELECT * FROM User WHERE Username = @Username
AND Password = @Password
GO
36
Other Preventive Measures
• Permissions
– Multiple database accounts
• Awareness
– Pay attention to where your data comes from
– Think like a hacker when programming
• Patch ASAP
• Conceal Errors