Software Security - Week 13

Web Security

• Web security protects networks and computer systems from damage or theft of software, hardware, or data.
• It maintains smooth business operations that rely on computers and prevents hackers and malware from manipulating systems, software, or networks.
• Web security involves multiple tools working together, requiring configuration, management, updates, and patches.

Overall Web Architecture

• The web architecture consists of web browsers, application servers (e.g., PHP, Java Servlet), and databases (e.g., MySQL).

Web Application Example

• Client-side elements include the user interface (e.g., home, profile, privacy settings) and dynamic content.
• Server-side elements manage data and logic, interacting with databases and potentially using server-side extensions.
• Web protocols connect different origins (e.g., facebook.com, linkedin.com, twitter.com, youtube.com).

Denial-of-Service (DoS) Attacks

• Denial of Service (DoS) attack: An attacker makes a web server unavailable.
• How it works: The attacker floods the web server with requests.
• Distributed DoS (DDoS): A DoS attack using many computers.
• The server becomes overwhelmed, leading to slowdowns or failure.
• Problems caused: Site unavailability, online store revenue loss due to server crashes, data loss or corruption, and high bandwidth costs.

Kinds of Denial-of-Service Attacks

• Direct attack: Targets the machine directly.
• Indirect attack: Targets something that points to the machine.
• Reputation attack: References the machine in a way that damages its reputation.

Direct Denial-Of-Service Attack

• Involves sending many requests (HTTP, SMTP).
• Easy to trace.
• Relatively easy to defend against using TCP/IP blocking at the router.

Direct Denial-Of-Service Attack : SYN Flooding

• SYN Flooding: Exploits the TCP/IP 3-way handshake (SYN, SYN-ACK, ACK).
• The attacker sends SYN requests but does not complete the handshake.
• Difficult to trace as each SYN has a different return address.
• Defenses: Ignore SYNs from impossible addresses, use large buffer pools (e.g., 10 \rightarrow 1024), random drop, or oldest drop.
• Attacker sends SYN to the Server.
• Server responds with SYN-ACK to the Attacker.
• Attacker does nothing.
• Server waits and runs out of resources.

Indirect Denial-Of-Service Attack

• Attacker sends a DNS server a request for a large domain's information, spoofing the IP address of the victim.
• The DNS server sends a large DNS reply to the victim.
• This is repeated many times from multiple DNS servers, overwhelming the victim with unwanted DNS traffic.
• Defenses:
  • Disable open recursive DNS.
  • Only allow trusted IPs to query your DNS.
  • Block public access unless you're a public DNS provider.
  • Rate limiting: Limit the number of requests per IP or domain (e.g., no more than 10 queries per second from an IP).

Reputation-based Denial-Of-Service Attack

• Involves sending spoofed emails to many recipients.
• Example: Sending an email Subject: Call Now! and receiving many angry responses.

Packet Sniffing

• Packet sniffing: Listening to traffic on a network.
• Many internet protocols (HTTP, AIM, email) are unsecure.
• If an attacker is on the same local network (LAN), they can:
  • Read your email/IMs as you send them.
  • See what websites you are viewing.
  • Grab your password as it's being sent to the server.
• Solutions:
  • Use secure protocols (HTTPS).
  • Encryption.
  • Prevent unauthorized access to your LAN.

Password Cracking

• Password cracking: Guessing passwords of privileged users.
• How it works:
  • Brute force attack: Trying every possible password.
  • Dictionary attack: Trying passwords based on words in a dictionary, combinations of words, numbers, etc.
• Prevention:
  • Force users to have secure passwords.
  • Block an IP address from logging in after N failed attempts.

Phishing / Social Engineering

• Phishing: Using masqueraded emails or websites.
• Social engineering: Manipulating users to acquire passwords or credit card numbers.
• Problems: Attackers can log in as tricked users and compromise the system.

Man-in-the-Middle Attack

• Man-in-the-middle attack: An attacker intercepts traffic between two communication endpoints.
• The attacker tricks the user into going to their site instead of the real site.
• Sensitive information is intercepted and/or modified before sending it from one endpoint to the other.

Privilege Escalation

• Privilege escalation: An attacker gains the ability to run code on your server as a privileged user.
• Example: Exploiting a flaw to run database queries as an administrator.
• Running as root grants complete control over the server.

Malware Installation

• Malware installed on a local network can cause significant damage.
• It allows cyber attackers to steal data and infect machines with ransomware.

Thinking Like an Attacker: Finding Vulnerabilities

• Looking through a target application for exploits.
• View Source: Check for HTML comments, script code, sensitive information like IP addresses, email addresses, SQL queries, hidden fields.
• Watch HTTP requests/responses: Look for hidden pages, files, parameters.
• Error messages: Identify vulnerabilities through error messages (e.g., 200 OK, 400 Invalid request, 403 Forbidden, 404 File not found, 500 Internal server error).

Input Forms

• Forms allow users to pass parameters to the web server using GET or POST requests.
• GET: Parameters are in the request URL (e.g., http://www.google.com?q=Stephen+Colbert&lang=en).
• POST: Parameters are in the HTTP packet header.
• Forms can be exploited through parameter tampering, injection attacks, session hijacking.
• Mitigation: Input validation and sanitization, parameterized queries, Cross-Site Request Forgery (CSRF) protection, HTTPS encryption.

Form Validation

• Validation: Examining form parameters to ensure they are acceptable before submission (e.g., nonempty, alphabetical, numeric, length).
• Client-side: HTML/JS checks values before the request is sent.
• Server-side: JSP/Ruby/PHP/etc. checks values received.
• Restricting choices using select boxes, input text boxes with maxlength attribute, and key event listeners.

Guessing Files/Directories

• Many sites have reachable files and resources hidden only by obscurity.
• Try common file/folder/commands to see what happens (e.g., /etc/passwd, /etc/shadow, cat, ls, grep).
• Guess file names based on others (e.g., page11.php --> page12.php, loginfailure.jsp --> loginsuccess.jsp, accounts/myaccount.html --> accounts/youraccount.html).
• Use brute force/web spiders and port scanners.

Designing for Security

• Focus on methods of security.

Security Through Obscurity

• Security through obscurity: Relying on attackers not knowing something needed to harm you.
• Example: Keeping a file secret (e.g., http://foo.com/passwords.txt).
• Example: Relying on a brief authentication database downtime being unknown.

Secure Authentication

• Force users to log in before performing sensitive operations.
• Use secure protocols (HTTPS, etc.) to prevent sniffing.
• Force users to use strong passwords (not "password", "abc", same as user name, etc.).

Principle of Least Privilege

• Principle of least privilege: Having just enough authority to get the job done and no more.
• Examples:
  • A web server should only access necessary HTML files.
  • Code should not run as root unless absolutely necessary.
  • Turn off unnecessary services (disable SSH, sendmail, etc.) and close unnecessary ports (keep 80, etc.).

Sanitizing Inputs

• Sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system.
• Ensure accepted data is the correct type, format, length.
• Disallow bad data in HTML forms.
• Remove SQL code from submitted user names.
• HTML-encode input text displayed back to the user as HTML or JavaScript.

Verifying That Code Is Secure

• Before code is written: Considering security in the design process.
• As code is being written: Code reviews and pair programming.
• After code has been written: Walkthroughs and security audits.

Types of Security Evaluation Methods

• Security audit: Series of checks and questions to assess system security (internal or external auditor; best as a process).
• Penetration test: Targeted white-hat attempt to compromise system security.
• Risk analysis: Assessment of relative risks of compromised security.

Security Audit Questions

• Does your system require secure authentication with passwords?
• Are passwords difficult to crack?
• Are there access control lists (ACLs) in place on network devices?
• Are there audit logs to record who accesses data?
• Are the audit logs reviewed?
• Are your OS security settings up to accepted industry levels?
• Have all unnecessary applications and services been eliminated?
• Are all operating systems and applications patched to current levels?
• How is backup media stored? Who has access to it? Is it up-to-date?
• Is there a disaster recovery plan? Has it ever been rehearsed?
• Are there good cryptographic tools in place to govern data encryption?
• Have custom-built applications been written with security in mind?
• How have these custom applications been tested for security flaws?
• How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?