Using Proxies to secure applications and more

Download Report

Transcript Using Proxies to secure applications and more 

USING PROXIES TO SECURE APPLICATIONS AND MORE
By Josh Sokol
# whoami
 Josh Sokol ([email protected])
 B.S. in Computer Science
 Cisco Certified Network Associate (CCNA)
 SANS GIAC in Web Application Security
(GWAS)
 Web Systems Engineer for National
Instruments
 Own the Web Systems “Security Practice”
Some Questions To Be Answered
 What’s this proxy thing everyone is talking
about?
 When and why should I use a proxy?
 My company doesn’t like to spend money on
security so why are you wasting my time?
 Talk is cheap…show me how it works!
What is a Proxy?
 A process that accepts requests for some
service and passes them on to the real server.
Request
Proxy
Request
Types of Proxies









Caching Proxy
Web Proxy
Content-filtering Web Proxy
Anonymizing Proxy
Hostile Proxy
Intercepting Proxy
Forced Proxy
Open Proxy
Reverse Proxy
Act I – Anonymizing Proxies
•Firefox
•Extension: SwitchProxy
•Tor and Privoxy
Anonymizing Proxies
 http://www.whatismyip.com
 Start Tor and Privoxy
 Select “Tor” from SwitchProxy
 http://www.whatismyip.com
Am I really anonymous?
Kinda, but not really. My HTTP requests are being
passed through the proxy, but what about DNS?
Also, does my proxy know who I am? Yes!
Problems
•Speed
•False sense of security
Proxy 4 Free List
 http://www.proxy4free.com/page1.html
Act II – Reverse Proxies
•Apache
•mod_proxy
Reverse Proxies
ProxyRequests Off
<Location /owasp>
ProxyPass http://www.owasp.org
ProxyPassReverse http://www.owasp.org
Order allow,deny
allow from all
</Location>
 http://doughboy.homeip.net/owasp
Benefits of Reverse Proxies
 Single machine acts as a gateway to the real
servers in the network.
 Use mod_cache (and mod_mem_cache) to
keep static documents in memory.
 Single point of authentication
Act III – Intercepting Proxies
•Firefox
•Extension: SwitchProxy
•Extension: Tamper Data | Google Ratproxy | OWASP WebScarab
Tamper Data
 Use tamperdata to view and modify
HTTP/HTTPS headers and post parameters.
 Trace and time http response/requests.
 Security test web applications by modifying
POST parameters.
Tamper Data Example
 http://www.altoromutual.com
 Username: jsmith
 Password: Demo1234
Google Ratproxy
 A semi-automated, largely passive web
application security audit tool, optimized for an
accurate and sensitive detection, and automatic
annotation, of potential problems and securityrelevant design patterns based on the
observation of existing, user-initiated traffic in
complex web 2.0 environments.
 Detects and prioritizes broad classes of security
problems, such as dynamic cross-site trust
model considerations, script inclusion issues,
content serving problems, insufficient XSRF and
XSS defenses, and much more.
Using Ratproxy with Cygwin
 Install Cygwin with make, gcc-core, openssl




dev, and openssl utilities.
Download Ratproxy.
Modify the make file by removing the “-Wnopointer-sign”.
Download the Flare action script decompiler.
“make” Ratproxy.
Add the Cygwin libraries to your Windows
path.
Google RatProxy Example
 ratproxy.exe –v C:\cygwin –w ratproxy.log –p
8282 –d yourdomain.com –lfscm
 Tell SwitchProxy to use Ratproxy.
 Surf!
 sh ratproxy-report.sh ratproxy.log >
report.html
OWASP WebScarab
 WebScarab is a framework for analyzing
applications that communicate using the
HTTP and HTTPS protocols.
 In its most common usage, WebScarab
operates as an intercepting proxy, allowing
the operator to review and modify requests
created by the browser before they are sent
to the server, and to review and modify
responses returned from the server before
they are received by the browser.
OWASP WebScarab Example
 Start WebScarab.
 Check the “Proxy” tab to verify port
configuration.
 Tell SwitchProxy to use WebScarab.
 Surf http://www.altoromutual.com!
 Change cookie information.
 Change GET/POST information.
OWASP WebScarab Example 2
Web Services
 Google search for inurl:”?wsdl”
 http://www.altoromutual.com/bank/ws.asmx?W
SDL
 http://www.weather.gov/forecasts/xml/SOAP_se
rver/ndfdXMLserver.php?wsdl
 http://terraservice.net/TerraService.asmx?WSDL
 http://webservices.amazon.com/AWSECommerc
eService/AWSECommerceService.wsdl
Other Cool Features of WebScarab
 Site Spider
 XSS/CSRF
 Session ID Analysis
 Fuzzer
Other FREE Proxy Software
 Paros (http://www.parosproxy.org/)
 Through Paros's proxy nature, all HTTP and HTTPS data
between server and client, including cookies and form
fields, can be intercepted and modified.
 Burp Suite (http://portswigger.net/suite/)
 Burp Suite is an integrated platform for attacking web
applications. It contains all of the Burp tools with numerous
interfaces between them designed to facilitate and speed
up the process of attacking an application. All tools share
the same robust framework for handling HTTP requests,
authentication, downstream proxies, logging, alerting and
extensibility.