Internet Security Project Website Security - PowerPoint PPT Presentation

1 / 34

About This Presentation

Title:

Internet Security Project Website Security

Description:

none – PowerPoint PPT presentation

Number of Views:143

Avg rating:3.0/5.0

Slides: 35

Provided by: aartidong

Category:

Tags: cc | internet | project | security | website

more less

Transcript and Presenter's Notes

Title: Internet Security Project Website Security

1
Internet Security Project Website Security
Members Aarti Dongargaonkar Amit Khanna Amogh
Budhkar Bhairav Dutia Jinal Doshi Rohan
Bawdekar http//www.cc.gatech.edu/abudhkar/Infos
ec_website
2
Outline

Motivation
SQL Injection
Cross Site Scripting
Parameter Manipulation
Directory Traversal
Authentication Hacking
Google Hacking
Observations and Conclusions

3
Motivation

Web-Application attacks account for 70 of all
cyber attacks.
Developers need to be aware of the coding
mistakes that can make their applications
vulnerable to attacks.
Many tutorials were written on the Internet.
Almost none provide hands-on experience to
readers.
Educate a developer with some hands-on experience
of how an insecure piece of code actually
translates into an attack.
Encourage the developers to adopt better coding
practices

4
SQL Injection - What?

Insert a series of SQL statements into a 'query'
by manipulating data input into an application
User input is incorrectly filtered
Use client-supplied data in SQL queries without
stripping off potentially harmful characters
Using Reverse-Engineering by interpreting the
error messages

5
SQL Injection How?

Authorization Bypass Bypassing logon forms
Original query
SELECT id FROM logins
WHERE username 'username
AND password 'password
User Input
Login aarti' Password hacked' OR 'x''x'
Manipulated query
SELECT id FROM logins
WHERE username aarti AND password hacked'
OR 'x''x'

6
SQL Injection How?

Using SELECT command Manipulate the WHERE
clause
Original query
SELECT id FROM users
WHERE username 'username
AND password 'password
User Input
UNION ALL SELECT FROM users
Manipulated query
SELECT id FROM users
WHERE username aarti AND
password UNION ALL SELECT FROM users

7
SQL Injection How?

Using INSERT command
Original query
INSERT INTO TableName VALUES ( strValueOne
, strValueTwo , strValueThree )
User Input
Name (SELECT TOP 1 FieldName FROM TableName)
Email blah_at_blah.com Phone 333-333-3333
Manipulated query
INSERT INTO TableName VALUES ( (SELECT TOP 1
FieldName FROM TableName) , blah_at_blah.com,
333-333-3333)

8
SQL Injection - Countermeasures

Application Remediation
Functionalities provided by most programming
languages.
query_result mysql_query ( "select from
users where name '"
mysql_real_escape_string(user_name) '" )
Database Remediation
Use database stored procedures by parameterizing
input parameters and type enforcing them.
Sanitize the data
Client-supplied data needs to be cleansed of any
malicious characters or strings

9
XSS What?

What is XSS?
Browsers execute scripts JavaScript, VBScript
Introduce malicious script in dynamic pages
Common targets
Types
Malicious code provided by one client for another
Malicious code sent inadvertently by a client for
itself
What XSS is not?
No malicious code is executed on the server
No DoS conditions

10
XSS How?

Malicious code provided by one client for another
e.g. Discussion groups
Hello message board. This is a message.ltSCRIPTgtma
licious codelt/SCRIPTgtThis is the end of my
message.
Malicious code sent inadvertently by a client for
itself
Links in email or any other way
ltA HREF"http//example.com/comment.cgi?
MycommentltSCRIPTgt malicious codelt/SCRIPTgt"gt
Click herelt/Agt

11
XSS Countermeasures

For Users
Disable scripting languages in their browsers
Think before you click
For Developers and Administrators
Input Sanitation
Output Filtering
Application Firewalls

12
Parameter Manipulation- What?

Manipulate data sent between the browser and the
web application
Parameter tampering can often be done with
Cookies
Form Fields
URL Query Strings
Attackers modify URL parameters like prices in
web carts, session tokens or values stored in
cookies

13
Parameter Manipulation How?

URL manipulation
Changing the parameters passed in the browsers
address bar using GET method
www.victim.com/example?accountno12345debitamoun
t1
modified to
www.victim.com/example?accountno1creditamount1
0000
HTML Form Field Manipulation
input name"accesstype" type"hidden"
valueN
modified to
input name"accesstype" type"hidden"
valueY

14
URL Manipulation- Countermeasures

Session token
Parameter accompanied with a session token.
Try avoiding parameters in URL
Cryptographic protection of parameter
Encrypt an entire query string
Add an additional parameter whose value is an MD5
digest of the URL query string

15
HTML Form Field Manipulation-Countermeasures

Session token
Session token instead of hidden form fields
Checks the userid with its session table and
point to the users data variables in the cache /
database.
Name/value pairs encrypted
Name/Value pairs concatenated
Secret key appended to this string
MD5 hash of this outgoing message - additional
hidden field
Incoming, Outgoing hash mismatch - hidden field
altered

16
Directory Traversal What ?

Canonicalization or dot-dot-slash attack.
HTTP exploit which targets on the lack of
security rather than a bug in the code.
Allows attacker to access directories and execute
commands outside the web-servers root directory.
Much easier to execute and more common than the
XSS attack.
Symantec Internet Security Threat Report Final
Quarter of 2005
Directory Traversal - Ranked 2nd
Buffer Overflows - Ranked 6th
XSS - Ranked 7th

17
Directory Traversal How?

Web-server security mechanisms
Access Control Lists
Root Directory
Directory traversal allows attacker to traverse
the root directory and bypass the access control
list.
A simple HTTP exploit makes the server return a
file that has not been properly validated.
A ../ directive instructs the server to go one
level up the current directory.
Attacker needs a browser and some knowledge on
where to find default files and directories on
the system.

18
Directory Traversal - Examples

Via web application code Improper Input
Validation
http//www.abc.com/online/get.asp?item20Mar2003.
html
http//www.abc.com/online/get.asp?item../../WINN
T/win.ini
Via web server Vulnerabilities within the
IIS/Apache server
http//www.abc.com/scripts/..5c../winnt/system32
/ cmd.exe?/cdirc\
Variation Unicode Encoded Directory Traversal
Microsoft added Unicode support to their Web
server
c11c, c09v, c0af translated into / or \
characters
Nimbda Virus Over 300,000 infections
Technique IIS Unicode encoded directory
traversal !!

19
Directory Traversal - Countermeasures

Directory Traversal is a result of poor input
validation
Force all reads to happen from a specific
directory
Apply regular expression filters to remove path
information.
Secure file system permissions also mitigate this
attack
Run web-server as a least privilege user.
Limit this user to read files from only the
web-application directories.
Move sensitive files such as include files
(.inc) out of the web document root to a
directory that the web server can still access.

20
Authentication Hacking What?

A user provides login name and password to
authenticate and prove his identity
Application assigns the user specific privileges
to the system
based on the identity established by the
supplied credentials.
The attacker breaks into the system by proving to
the application that he is a known and valid user
The attacker gains access to whatever privileges
the administrator has assigned for that user.
Manages to enter as a normal user ? have limited
access to only view some important information.
Manages to enter as an administrative user with
global access on the system ? have almost total
control on the application together with its
content.

21
Authentication Hacking How? - Attackers Tools

Password Guessing

22
Authentication Hacking How? - Attackers Tools

Password combinations using special custom tools,
like WebCracker and Brutus.
A dictionary attack
A brute force attack

23
Authentication Hacking Countermeasures

A standard HTML authentication form
Data submission must be conducted over a secure
channel.
Account lockout facility.
If the client fails to submit the appropriate
credentials ? no information should be passed
back to the client indicating why authentication
resulted in a failure.
Brute Forcing and other automated attacks
Adding random content on the page presented to
the authenticating client browser

24
Authentication Hacking Countermeasures
25
Authentication Hacking Countermeasures

Client access from shared hosts
Disable the use of back button.
HTML scripting is used to flush all form input
fields.
Maintaining state
Transmission of a session id must be over a
secure channel.
Session ids must never contain any login
information.
Session id must be random i.e not predictable.

26
Google Hacking What?

Finding exploitable targets and sensitive data by
using search engines
Sensitive information can be
Advisories and server vulnerabilities
Error messages that contain too much information
Files containing passwords
Personal information.

27
Google Hacking - How?

Search engines store data about web pages in an
index database
Using advanced search features, a hacker can
query this database to obtain sensitive
information
Some of the advanced features are
intitle search for a term within the title of
a document.
inurl search only within the URL (web address)
of a
document.
filetype search only within the text of a
particular type of file.

28
Google Hacking - Examples

Intitle index.of inurladmin
This query returns admin directories
accessible from directory listings
Intitle Index of server at
Determine the server version running on the
web servers.
Filetype c exploit
This query will give links to exploits

29
Google Hacking - Countermeasures

Directory listing should be disabled.
Block crawlers
Ensure that default accounts and passwords as
well as any installation scripts and programs are
removed.
Get help from Google
Implement a good, solid security policy

30
Observations Conclusions