Chaney_Secure_Web_Applications
Building Secure Web Applications
with IDS
Michael Chaney
Technical Director
ChainLink Networking Solutions, Inc.
Agenda
Security in general
Web security
How intruders are getting in
What can we do to keep intruders out
Security and World Wide Web
A contradiction in terms
Goal and Objective
The goal is to provide secure services that are impenetrable to hackers but still allow access to public browsers
Today’s Situation
Stats from CSI/FBI study
40% - penetration from outside
89% - with firewalls
60% - with Intrusion Detection Systems
38% - unauthorized access or misuse of web sites
21% - did not know…
How do intruders get in?
Password guessing
Buffer overflows
URL mangling
Software vulnerabilities
Backdoors
Packet sniffing - passwords, account #, weak encryption
Open services - port scanning
Buffer Overflow Example
Code Red
/default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a
Impact - intruders can insert and execute arbitrary code
URL Mangling
Intruder changes the URL or the parameters sent to the Web server
Impact - view records, change data
Example:
http://www.yoursite.com/orderstatus?orderid=1000 - change to any other order id
URL Mangling (cont)
Example:
Since the application's query would look like this:
select * from orders where orderid=1000;
A hacker could append to the URL:
http://www.yoursite.com/orderstatus?orderid=1000;delete+from+orders;
to make the SQL:
select * from orders where orderid=1000;delete from orders;
URL Mangling (cont)
Example web page with a news story and storyid=1 as primary key
url:
http://www.yoursite.com/story?storyid=1
Modified url:
http://www.yoursite.com/story?storyid=1+union+select+FileToClob('/etc/passwd','server')+from+sysusers+where+username=USER
URL Mangling (cont)
Web DataBlade specific
<form action="http://www.yoursite.com/path/" method="POST">
<textarea cols="50" rows="10" name="MIval">/' union select WebExplode('<?misql sql="select * from systables order by 1;">$1<br><?/misql>','') from sysusers where username=USER --/ </textarea>
<input type="submit">
</form>
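The order-status and story-page examples above both come down to the same defect: a URL parameter is pasted into the SQL text, so the parameter can become SQL. The following is an added example, not code from the slides or from the presenter; it uses an in-memory SQLite table constructed for the demo (the slides' database is not SQLite), and the vulnerable path runs each ";"-separated statement in turn to emulate a driver that accepts stacked statements, which is an assumption for the demo. The hardened path applies the "parameter checks" advice from the Filling Application Holes slide plus a bound parameter.

```python
import sqlite3


def make_orders_db():
    """Constructed sample data standing in for the site's orders table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table orders (orderid integer primary key, customer text, status text)")
    conn.executemany("insert into orders values (?, ?, ?)",
                     [(1000, "alice", "shipped"), (1001, "bob", "pending")])
    conn.commit()
    return conn


def build_query_unsafe(orderid_param):
    """Mirror the slide: the raw (URL-decoded) parameter is concatenated into the SQL."""
    return "select * from orders where orderid=" + orderid_param


def order_status_unsafe(conn, orderid_param):
    """Vulnerable lookup. Runs every ';'-separated statement to emulate a database
    driver that accepts stacked statements (demo assumption: sqlite3.execute()
    itself refuses more than one statement per call)."""
    rows = []
    for stmt in build_query_unsafe(orderid_param).split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        cur = conn.execute(stmt)
        if stmt.lower().startswith("select"):
            rows = cur.fetchall()
    conn.commit()
    return rows


def valid_orderid(orderid_param):
    """Parameter check: an order id is a plain decimal integer, nothing else."""
    return orderid_param.isdigit()


def order_status_safe(conn, orderid_param):
    """Hardened lookup: reject anything that is not an integer, then bind the value
    as a parameter so it can never be interpreted as SQL syntax."""
    if not valid_orderid(orderid_param):
        raise ValueError("orderid must be a positive integer")
    cur = conn.execute("select * from orders where orderid=?", (int(orderid_param),))
    return cur.fetchall()


def remaining_orders(conn):
    """Row count, used to show whether the injected delete ran."""
    return conn.execute("select count(*) from orders").fetchone()[0]


if __name__ == "__main__":
    mangled = "1000;delete from orders;"  # the slide's URL after %-decoding
    db = make_orders_db()
    print(build_query_unsafe(mangled))
    print(order_status_unsafe(db, mangled), "rows left:", remaining_orders(db))
    db = make_orders_db()
    try:
        order_status_safe(db, mangled)
    except ValueError as exc:
        print("rejected:", exc, "rows left:", remaining_orders(db))
```

Running the script shows the unsafe path returning order 1000 and then leaving the table empty, while the hardened path rejects the mangled parameter before any SQL runs. The same two controls apply to the story-page case: a `storyid` that must be an integer cannot carry a `union select`.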
Packet Sniffing
Forms with user ID/password or other sensitive data should be sent over SSL
Do not use basic authentication: it sends a clear-text user ID and password with every request
Packet Sniffing Example
Security Implementations
System architecture
Fill application holes
Limit database account permissions
Traps
Monitoring
System Architecture
Secure the perimeter
Limit open services
Proxy web services
URL sanity checks
Hide server identity
VPN access
SSL
Filling Application Holes
Web server patches
Web application server patches
Parameter checks
Use stored procedures or functions where possible*
Limit access to web application user*
Traps
Set traps to catch and identify hackers in the act
Multiple failed attempts before successful break-in
Block intruders caught in the act
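The traps and URL sanity checks described in these slides can be driven from the web server's own access log. What follows is an added example, not code from the presentation: it parses a few constructed Common Log Format lines (not real traffic), counts failed logins (HTTP 401) per client address, and checks each query parameter against the shape the application expects, so both the "multiple failed attempts" pattern and the mangled `orderid` from the earlier slides are flagged. The threshold, the parameter rules and the log format are assumptions chosen for the demo; a real deployment would feed the result to whatever blocks the intruder.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access-log lines (Common Log Format); not captured traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2002:10:00:01 -0500] "POST /login HTTP/1.0" 401 0
10.0.0.5 - - [12/Mar/2002:10:00:04 -0500] "POST /login HTTP/1.0" 401 0
10.0.0.5 - - [12/Mar/2002:10:00:09 -0500] "POST /login HTTP/1.0" 401 0
10.0.0.5 - - [12/Mar/2002:10:00:15 -0500] "POST /login HTTP/1.0" 200 512
10.0.0.9 - - [12/Mar/2002:10:01:00 -0500] "GET /orderstatus?orderid=1000 HTTP/1.0" 200 845
10.0.0.9 - - [12/Mar/2002:10:01:03 -0500] "GET /orderstatus?orderid=1000;delete+from+orders; HTTP/1.0" 200 845
10.0.0.7 - - [12/Mar/2002:10:02:00 -0500] "POST /login HTTP/1.0" 401 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Assumed parameter rules: each known parameter must fully match its pattern;
# unknown parameters are treated as suspicious.
PARAM_RULES = {
    "orderid": re.compile(r"\d{1,9}"),
    "storyid": re.compile(r"\d{1,9}"),
}


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def url_sanity_check(url):
    """Return (name, value) pairs for query parameters that fail their rule."""
    bad = []
    query = urlsplit(url).query
    for pair in filter(None, query.split("&")):
        name, _, value = pair.partition("=")
        name, value = unquote_plus(name), unquote_plus(value)
        rule = PARAM_RULES.get(name)
        if rule is None or not rule.fullmatch(value):
            bad.append((name, value))
    return bad


def analyse(log_text, fail_threshold=3):
    """Trap logic: flag a client when it reaches fail_threshold failed logins, and
    flag any request whose parameters fail the sanity check.
    Returns {client_ip: [reasons...]} for the clients to block."""
    failures = Counter()
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "401":
            failures[rec["ip"]] += 1
            if failures[rec["ip"]] == fail_threshold:
                flagged.setdefault(rec["ip"], []).append(f"{fail_threshold} failed logins")
        for name, value in url_sanity_check(rec["url"]):
            flagged.setdefault(rec["ip"], []).append(f"bad parameter {name}={value!r}")
    return flagged


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The query string is split on `&` by hand rather than with `parse_qs`, because older Python versions also split on `;`, which would hide exactly the stacked-statement attempt the check is meant to catch. The failed-login rule fires once, at the moment the threshold is reached, so the later successful login from the same address (the "successful break-in" the slide mentions) already has a block decision ahead of it.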
Monitoring Tools
Intrusion Detection Systems
Onaudit
I-SPY
sysmaster database
Application Tracing
JDBC driver
PROTOCOLTRACE, PROTOCOLTRACEFILE
Custom trace statements in JDBC driver
Onstat
SQLDEBUG/SQLPRINT
Online Resources
BugTraq
http://online.securityfocus.com/
CERT
http://www.cert.org/
Questions/Comments
Contact:
Michael Chaney
ChainLink Networking Solutions, Inc.
[email protected]