Title: Web server security and URLscan 3.1
Slide 1: Web server security and URLscan 3.1
- Ken Hoover
- Manager, Windows Systems Group (WINSYS)
- ken.hoover_at_yale.edu
- November 11, 2009 YISTA Meeting
Slide 2: Agenda
- Bugs in the web server
- Security problems with web server installation
- Bugs in web applications
- How URLscan can help
- URLscan installation
- URLscan configuration
- URLscan gotchas
- Q&A
Slide 3: Bugs in the Web Server: Invalid Paths
- Invalid path exploits
- http://www.victim.com/../../../../etc/passwd
- http://www.victim.com/folder.php/file (Apache)
- http://www.victim.com/scripts/abracadabra.cmd?dir c:\?time
- http://www.victim.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
Slide 4: Bugs in the web server: Buffer Overflows
- Buffer overflows
- Give an overly long request to the web server so that it crashes and, possibly, executes code that you specify.
Slide 5: Bugs in the web server: Buffer Overflows
- Some are similar to web server exploits. For example, paste 3000 characters into a field on a form, hit submit and see what happens.
- Root cause is programmers specifying buffer sizes and not checking the input:

```c
#include <string.h>

/* Deliberately broken, as on the slide: a 48-byte string is copied into a
   10-byte buffer and strcpy never checks the length. */
char overflow(void)
{
    char name[] = "toobigtoobigtoobigtoobigtoobigtoobigtoobigtoobig";
    char buff[10];
    strcpy(buff, name); /* put large value in small space */
    return buff[0];
}
```
Slide 6: Bugs in the web application: SQL Injection
- Targeted at web applications that are driven by databases
- Attempts to trick the SQL server into executing SQL code by entering SQL code into fields on web pages.
Slide 7: SQL Injection targets web forms
- Enter name of person to search for: ken
- Code creates the SQL query by using what's entered in the box in a SELECT command.
- Intended SQL code:
- SELECT * FROM people WHERE name = 'ken'
Slide 8: SQL Injection: How it works
- Enter name of person to search for: ken' OR 't'='t
- Programmer EXPECTS SQL server to execute this command:
- SELECT * FROM people WHERE name = 'ken'
- SQL server ACTUALLY executes:
- SELECT * FROM people WHERE name = 'ken' OR 't'='t'
- If successful, what has the attacker just done?
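The query from this slide run both ways, with Python's built-in sqlite3 module standing in for the SQL server (an added example, not from the talk; the people table and its three rows are constructed here):

```python
import sqlite3

# Constructed sample data standing in for the "people" table on the slide.
PEOPLE = [("ken",), ("alice",), ("bob",)]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE people (name TEXT)")
    db.executemany("INSERT INTO people VALUES (?)", PEOPLE)
    return db


def search_concat(db, name):
    # What the slide's code does: the box contents are pasted into the statement,
    # so a quote in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT * FROM people WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def search_param(db, name):
    # The fix: the statement is fixed text and the value travels as a bound
    # parameter, so "ken' OR 't'='t" is compared literally against name.
    sql = "SELECT * FROM people WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def demo():
    db = make_db()
    payload = "ken' OR 't'='t"  # the input from the slide
    return {
        "concat_normal": search_concat(db, "ken"),    # ['ken']
        "concat_attack": search_concat(db, payload),  # every row in the table
        "param_attack": search_param(db, payload),    # [] : nobody has that literal name
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```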
Slide 9: SQL Injection in log files
- Look for SQL commands in HTTP logs
- GET /content/dpenecalofevesub.asp vw0curyr310progsik3cal_typ_ik2h10h20cal_eve_typ_ik25%20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20sysobjects%20Where%201=1)>0174800a000dType_mismatch_'CInt' 80 - 24.144.146.82 NV32ts 500 0 0
- Translation: SELECT CAST(COUNT(1) AS VARCHAR(8000)) FROM sysobjects WHERE
Slide 10: Bugs in the web application: SQL Injection
- SQL injection can be catastrophic!
- (Sorry, I can't republish the image I used here, but if you go to http://xkcd.com/327, you'll see it there.)
Slide 11: Defenses
- Install a well-known web server and keep it up to date with patches, etc.
- Protects against known errors in the coding of the web server itself
- NEVER trust any input provided by the user.
- Validate all input to make sure it's correct.
- Use plug-ins that can help protect your web server from certain types of attacks, like URLscan
Slide 12: URLscan: What is it?
- URLscan
- Current version 3.1
- Free download from www.iis.net
- Simple installation, starts working immediately.
- Installs as ISAPI plugin for IIS6
- Default installation is for all sites on the server but can be installed manually for individual sites.
- Negligible performance impact to your site.
- BUT: can break web sites if not configured properly
Slide 13: URLscan: How it works
- URLscan works by performing a series of tests on an incoming URL before IIS sees it:
- URL size tests
- HTTP Verb check
- File extension tests
- URL normalization tests
- Invalid/unexpected character tests
- Escape sequence tests
- And more
Slide 14: URLscan config file (partial)
Slide 15: URLscan logging SQL injection
- 2009-07-16 15:38:59 219.152.40.4 616999277 POST
- /news/article.aspx?id=1599'DECLARE%20@S%20NVARCHAR(4000)SET%20@S=CAST(0x4400450043004C00410052004500200040005400200076006100720063006800610072002800320035003500290
02C004000430020007600610072006300680061007200280032003500350029002000440045004300
4C0041005200450020005400610062006C65005F0043007500720073006F00720020004400450041004C004C004F004
041005400450020005400610062006C0065005F0043007500720073006F00720020%20AS%20NVARCHAR(4000))EXEC(@S)--
- Rejected querystringtoolong querystring 2118 2048
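A small Python model of the tests listed on slide 13, applied to requests like the ones on slides 9 and 15 (an added example, not URLscan's own code; the rule values are assumptions modelled on UrlScan.ini defaults such as MaxQueryString=2048, the order of the tests is assumed, and every request line below is constructed):

```python
from urllib.parse import unquote

# Assumed rule set, modelled on UrlScan.ini defaults; adjust to your own ini.
ALLOW_VERBS = {"GET", "HEAD", "POST"}
DENY_EXTENSIONS = {".exe", ".bat", ".cmd", ".com", ".ini", ".log"}
DENY_URL_SEQUENCES = ["..", "./", "\\", ":", "%"]      # traversal and double-encoding
DENY_QUERY_SEQUENCES = ["declare ", "cast(", "exec(", "select ", "sysobjects", "--"]
MAX_URL, MAX_QUERY_STRING = 260, 2048


def scan(verb, url):
    """Return (accepted, reason, detail); reason/detail mimic URLscan's log columns."""
    path, _, query = url.partition("?")
    if verb.upper() not in ALLOW_VERBS:                       # HTTP verb check
        return False, "verb not allowed", verb
    if len(path) > MAX_URL:                                  # URL size tests
        return False, "urltoolong", f"url {len(path)} {MAX_URL}"
    if len(query) > MAX_QUERY_STRING:
        return False, "querystringtoolong", f"querystring {len(query)} {MAX_QUERY_STRING}"
    norm = unquote(path)                                     # normalize before scanning, so
    if unquote(norm) != norm:                                # %2e%2e is seen as ".."; if a second
        return False, "normalization failed", path           # decode still changes it, reject
    for seq in DENY_URL_SEQUENCES:                           # invalid character / escape tests
        if seq in norm:
            return False, "deny url sequence", seq
    name = norm.rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[1].lower() if "." in name else ""
    if ext in DENY_EXTENSIONS:                               # file extension tests
        return False, "deny extension", ext
    lowered = unquote(query).lower()                         # query string sequence tests
    for seq in DENY_QUERY_SEQUENCES:
        if seq in lowered:
            return False, "deny query sequence", seq
    return True, None, None


if __name__ == "__main__":
    # Constructed requests in the spirit of slides 9 and 15.
    REQUESTS = [
        ("GET", "/content/article.asp?id=5"),
        ("GET", "/%2e%2e/%2e%2e/etc/passwd"),
        ("POST", "/news/article.aspx?id=1599'DECLARE%20@S%20NVARCHAR(4000)SET%20@S=CAST(0x44004500%20AS%20NVARCHAR(4000))EXEC(@S)--"),
        ("POST", "/news/article.aspx?id=" + "A" * 2115),
    ]
    for verb, url in REQUESTS:
        ok, reason, detail = scan(verb, url)
        print("Accepted" if ok else f"Rejected {reason} {detail}", verb, url[:60])
```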
Slide 16: DEMO: Testing and Tweaking URLscan
- I wanna see the dancing kitty
Slide 17: URLscan configuration
- URLScan configuration process summary
- Install URLscan on a test version of your site.
- Test your site CAREFULLY
- Check the URLscan log to find out whether the problem is because URLscan blocked something.
- Tweak the URLscan config file to fix the rule which blocked the site from working properly.
- Repeat until the site is 100% functional with URLscan in place.
Slide 18: URLscan implementation
- AFTER configuring a test site to work properly:
- Install URLscan on production site.
- COPY config file from test site to production
- Test production site (should work the same as test site)
- Monitor URLscan logs carefully for 2-3 weeks and make config adjustments as necessary. Continue to check logs periodically.
Slide 19: SUMMARY
- Protect your web server AND your web site.
- Properly install and maintain your web server application
- Be careful when putting code, plugins or applications onto your web site; they can bring their own bugs (e.g. PHP)
- Use URLscan if you want extra security, but be prepared for extra testing.
- This is only a tiny introduction to web server security