ZD

Software Security - Week 13

Web Security

  • Web security protects networks and computer systems from damage or theft of software, hardware, or data.
  • It maintains smooth business operations that rely on computers and prevents hackers and malware from manipulating systems, software, or networks.
  • Web security involves multiple tools working together, requiring configuration, management, updates, and patches.

Overall Web Architecture

  • The web architecture consists of web browsers, application servers (e.g., PHP, Java Servlet), and databases (e.g., MySQL).

Web Application Example

  • Client-side elements include the user interface (e.g., home, profile, privacy settings) and dynamic content.
  • Server-side elements manage data and logic, interacting with databases and potentially using server-side extensions.
  • Web protocols connect different origins (e.g., facebook.com, linkedin.com, twitter.com, youtube.com).

Denial-of-Service (DoS) Attacks

  • Denial of Service (DoS) attack: An attacker makes a web server unavailable.
  • How it works: The attacker floods the web server with requests.
  • Distributed DoS (DDoS): A DoS attack using many computers.
  • The server becomes overwhelmed, leading to slowdowns or failure.
  • Problems caused: Site unavailability, online store revenue loss due to server crashes, data loss or corruption, and high bandwidth costs.

Kinds of Denial-of-Service Attacks

  • Direct attack: Targets the machine directly.
  • Indirect attack: Targets something that points to the machine.
  • Reputation attack: References the machine in a way that damages its reputation.

Direct Denial-Of-Service Attack

  • Involves sending many requests (HTTP, SMTP).
  • Easy to trace.
  • Relatively easy to defend against using TCP/IP blocking at the router.

Direct Denial-Of-Service Attack : SYN Flooding

  • SYN Flooding: Exploits the TCP/IP 3-way handshake (SYN, SYN-ACK, ACK).
  • The attacker sends SYN requests but does not complete the handshake.
  • Difficult to trace as each SYN has a different return address.
  • Defenses: Ignore SYNs from impossible addresses, use large buffer pools (e.g., 10 \rightarrow 1024), random drop, or oldest drop.
  • Attacker sends SYN to the Server.
  • Server responds with SYN-ACK to the Attacker.
  • Attacker does nothing.
  • Server waits and runs out of resources.

Indirect Denial-Of-Service Attack

  • Attacker sends a DNS server a request for a large domain's information, spoofing the IP address of the victim.
  • The DNS server sends a large DNS reply to the victim.
  • This is repeated many times from multiple DNS servers, overwhelming the victim with unwanted DNS traffic.
  • Defenses:
    • Disable open recursive DNS.
    • Only allow trusted IPs to query your DNS.
    • Block public access unless you're a public DNS provider.
    • Rate limiting: Limit the number of requests per IP or domain (e.g., no more than 10 queries per second from an IP).

Reputation-based Denial-Of-Service Attack

  • Involves sending spoofed emails to many recipients.
  • Example: Sending an email Subject: Call Now! and receiving many angry responses.

Packet Sniffing

  • Packet sniffing: Listening to traffic on a network.
  • Many internet protocols (HTTP, AIM, email) are unsecure.
  • If an attacker is on the same local network (LAN), they can:
    • Read your email/IMs as you send them.
    • See what websites you are viewing.
    • Grab your password as it's being sent to the server.
  • Solutions:
    • Use secure protocols (HTTPS).
    • Encryption.
    • Prevent unauthorized access to your LAN.

Password Cracking

  • Password cracking: Guessing passwords of privileged users.
  • How it works:
    • Brute force attack: Trying every possible password.
    • Dictionary attack: Trying passwords based on words in a dictionary, combinations of words, numbers, etc.
  • Prevention:
    • Force users to have secure passwords.
    • Block an IP address from logging in after N failed attempts.

Phishing / Social Engineering

  • Phishing: Using masqueraded emails or websites.
  • Social engineering: Manipulating users to acquire passwords or credit card numbers.
  • Problems: Attackers can log in as tricked users and compromise the system.

Man-in-the-Middle Attack

  • Man-in-the-middle attack: An attacker intercepts traffic between two communication endpoints.
  • The attacker tricks the user into going to their site instead of the real site.
  • Sensitive information is intercepted and/or modified before sending it from one endpoint to the other.

Privilege Escalation

  • Privilege escalation: An attacker gains the ability to run code on your server as a privileged user.
  • Example: Exploiting a flaw to run database queries as an administrator.
  • Running as root grants complete control over the server.

Malware Installation

  • Malware installed on a local network can cause significant damage.
  • It allows cyber attackers to steal data and infect machines with ransomware.

Thinking Like an Attacker: Finding Vulnerabilities

  • Looking through a target application for exploits.
  • View Source: Check for HTML comments, script code, sensitive information like IP addresses, email addresses, SQL queries, hidden fields.
  • Watch HTTP requests/responses: Look for hidden pages, files, parameters.
  • Error messages: Identify vulnerabilities through error messages (e.g., 200 OK, 400 Invalid request, 403 Forbidden, 404 File not found, 500 Internal server error).

Input Forms

  • Forms allow users to pass parameters to the web server using GET or POST requests.
  • GET: Parameters are in the request URL (e.g., http://www.google.com?q=Stephen+Colbert&lang=en).
  • POST: Parameters are in the HTTP packet header.
  • Forms can be exploited through parameter tampering, injection attacks, session hijacking.
  • Mitigation: Input validation and sanitization, parameterized queries, Cross-Site Request Forgery (CSRF) protection, HTTPS encryption.

Form Validation

  • Validation: Examining form parameters to ensure they are acceptable before submission (e.g., nonempty, alphabetical, numeric, length).
  • Client-side: HTML/JS checks values before the request is sent.
  • Server-side: JSP/Ruby/PHP/etc. checks values received.
  • Restricting choices using select boxes, input text boxes with maxlength attribute, and key event listeners.

Guessing Files/Directories

  • Many sites have reachable files and resources hidden only by obscurity.
  • Try common file/folder/commands to see what happens (e.g., /etc/passwd, /etc/shadow, cat, ls, grep).
  • Guess file names based on others (e.g., page11.php --> page12.php, loginfailure.jsp --> loginsuccess.jsp, accounts/myaccount.html --> accounts/youraccount.html).
  • Use brute force/web spiders and port scanners.

Designing for Security

  • Focus on methods of security.

Security Through Obscurity

  • Security through obscurity: Relying on attackers not knowing something needed to harm you.
  • Example: Keeping a file secret (e.g., http://foo.com/passwords.txt).
  • Example: Relying on a brief authentication database downtime being unknown.

Secure Authentication

  • Force users to log in before performing sensitive operations.
  • Use secure protocols (HTTPS, etc.) to prevent sniffing.
  • Force users to use strong passwords (not "password", "abc", same as user name, etc.).

Principle of Least Privilege

  • Principle of least privilege: Having just enough authority to get the job done and no more.
  • Examples:
    • A web server should only access necessary HTML files.
    • Code should not run as root unless absolutely necessary.
    • Turn off unnecessary services (disable SSH, sendmail, etc.) and close unnecessary ports (keep 80, etc.).

Sanitizing Inputs

  • Sanitizing inputs: Encoding and filtering untrusted user input before accepting it into a trusted system.
  • Ensure accepted data is the correct type, format, length.
  • Disallow bad data in HTML forms.
  • Remove SQL code from submitted user names.
  • HTML-encode input text displayed back to the user as HTML or JavaScript.

Verifying That Code Is Secure

  • Before code is written: Considering security in the design process.
  • As code is being written: Code reviews and pair programming.
  • After code has been written: Walkthroughs and security audits.

Types of Security Evaluation Methods

  • Security audit: Series of checks and questions to assess system security (internal or external auditor; best as a process).
  • Penetration test: Targeted white-hat attempt to compromise system security.
  • Risk analysis: Assessment of relative risks of compromised security.

Security Audit Questions

  • Does your system require secure authentication with passwords?
  • Are passwords difficult to crack?
  • Are there access control lists (ACLs) in place on network devices?
  • Are there audit logs to record who accesses data?
  • Are the audit logs reviewed?
  • Are your OS security settings up to accepted industry levels?
  • Have all unnecessary applications and services been eliminated?
  • Are all operating systems and applications patched to current levels?
  • How is backup media stored? Who has access to it? Is it up-to-date?
  • Is there a disaster recovery plan? Has it ever been rehearsed?
  • Are there good cryptographic tools in place to govern data encryption?
  • Have custom-built applications been written with security in mind?
  • How have these custom applications been tested for security flaws?
  • How are configuration and code changes documented at every level? How are these records reviewed and who conducts the review?