web_security - Personal.psu.edu


IST 210
Web Application Security

Introduction
Security is a process of authenticating users and controlling what a user can see or do.
3-tier architecture
Web Browser -> Web Server -> DB Server
Some Internet Security Protocols
Application Layer Security
  Electronic mail security: PGP (Pretty Good Privacy), S/MIME (Secure Multi-Purpose Internet Mail Extensions)
Transport Layer Security
  SSL/TLS (Secure Sockets Layer/Transport Layer Security)
  SSH (Secure Shell)
Network Layer Security
  IP Security (IPsec)
Infrastructure protection
  DNSSEC (DNS Security Extensions)
  SNMPv3 security (Simple Network Management Protocol Version 3)

How do you measure security?

Does 128-bit encryption make you feel safer?
The client
  Common web browser
  Communicates with the server using HTTP (PUT, POST, GET)
  HTML markup language for the layout of pages
  Scripting languages built into the client to control client-side content and communication with the server dynamically
  Cookies to store state
The server
  Analyses HTTP requests from the client and responds accordingly:
    either sends a plain HTML page,
    or processes the query data and sends a dynamically produced page back to the client.
The web server
  Common examples: Apache, IIS.
  These servers and their hosts have their own security problems.
  Server-side programming: Perl, ASP (JScript/VBScript), PHP, C
The DBMS
  SQL
  DBMS: Microsoft SQL Server, Oracle, MySQL, DB2
  These DBMS also have their own security problems.
Attacks
On the server
  Using "out of the box" security holes to gain escalated privileges or execute commands on the server.
  Make the server do something it is not supposed to do.
  Examples: ColdFusion, Showcode.asp, FrontPage, etc.
Attacks
Through holes found using a common security scanner
  Scanners simply request a fixed file name to see whether the file exists or not.
  Assumes that exploitable files/servers have not been patched; can bring false positives.
  Old techniques, but effective.
  EASY to protect against.
Attacks
On out-of-the-box applications
  Attacker can set up and audit the application in their own environment.
  If one goes down, they all do.
  Targets of common scanners.
Attacks
On custom applications
  More difficult to audit
  "Black box" auditing techniques
  Looks for common stupid mistakes
Case one
  IIS security hole used to view ASP code
  Database settings extracted
  SQL Server live to the Internet
  Information from the server-side scripts used to connect to the server
Case two
  ASP not filtering input
  Able to directly manipulate the SQL query
  Manipulating the SQL query extracts a valid cookie and creates the password
The problems?
  Unfiltered user input
  User data is not checked and can be crafted to manipulate processing on the server, to reveal file contents or to bypass checks and gain access.
  Backdoor straight to the Crown Jewels
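Case two and the problem slide above describe the same defect: input pasted straight into the SQL text lets the user rewrite the query. The following Python example is added here and is not from the original slides; it builds a constructed in-memory SQLite user table (assumed schema and values) and contrasts the unfiltered concatenation with a bound-parameter query plus an allowlist check on the username, which is the filtering step the case study lacked.

```python
import re
import sqlite3

def build_db():
    # Constructed stand-in for a site's user table (assumed, not from the slides).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, cookie TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "SESSION-ALICE"),
        ("bob", "hunter2", "SESSION-BOB"),
    ])
    return con

def login_unfiltered(con, username, password):
    # Vulnerable pattern from the case study: user input is concatenated into the
    # SQL text, so the query's structure, not just its values, is user-controlled.
    sql = ("SELECT cookie FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return [row[0] for row in con.execute(sql)]

def valid_username(username):
    # Allowlist filter: reject anything outside a narrow, expected character set
    # before it reaches the database. Assumed policy: 1-32 word characters.
    return re.fullmatch(r"[A-Za-z0-9_]{1,32}", username) is not None

def login_parameterized(con, username, password):
    # Hardened pattern: the SQL text is fixed; values travel as bound parameters
    # and are never parsed as SQL, whatever characters they contain.
    if not valid_username(username):
        return []
    sql = "SELECT cookie FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in con.execute(sql, (username, password))]

if __name__ == "__main__":
    db = build_db()
    crafted = "' OR '1'='1"  # constructed input that widens the WHERE clause
    print("unfiltered:", login_unfiltered(db, "nobody", crafted))     # every cookie
    print("parameterized:", login_parameterized(db, "nobody", crafted))  # []
    print("legitimate:", login_parameterized(db, "alice", "s3cret"))     # alice only
```

The unfiltered version hands back every session cookie for a bogus user, which is the "valid cookie extracted" outcome of case two; the bound version returns nothing for the same input.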
The enablers
  Reliance on cryptography for security
  Security through obscurity
  Poor development
  Poor experience
  Limited resources
  Awareness
  Monitoring and plan
The solution(s)
  Good initial setup
  Programming practices
  Internal audits
  Awareness
  Updates, patches and hotfixes
The solution(s)
  Intrusion detection
  Network design
  System architecture
Security Analogy
  Keep: the last building in the castle to fall
  Inner Perimeter: the stronghold; higher walls produce a containment area between the inner and outer perimeters
  Moat / Main Gate: the outer perimeter, controlling castle access
Internet Security
  Diagram mapping the castle layers (Keep, Stronghold, Inner Perimeter, Outer Perimeter) onto the network: Crown Jewels / Mission Critical Systems, Internal Network, Internal Firewall, DMZ, Internet.