Web server security and URLscan 3.1 - PowerPoint PPT Presentation

1
Web server security and URLscan 3.1
  • Ken Hoover
  • Manager, Windows Systems Group (WINSYS)
  • ken.hoover@yale.edu
  • November 11, 2009 YISTA Meeting

2
Agenda
  • Bugs in the web server
  • Security problems with web server installation
  • Bugs in web applications
  • How URLscan can help
  • URLscan installation
  • URLscan configuration
  • URLscan gotchas
  • Q&A

3
Bugs in the Web Server: Invalid Paths
  • Invalid path exploits
  • http://www.victim.com/../../../../etc/passwd
    (directory traversal out of the web root)
  • http://www.victim.com/folder.php/file (Apache)
  • http://www.victim.com/scripts/abracadabra.cmd?&dir c:\?&time
    (old IIS .cmd/.bat bug: the query string was handed
    straight to cmd.exe)
  • http://www.victim.com/scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir+c:\
    (Unicode traversal: %c0%af is an overlong UTF-8
    encoding of '/' that IIS decoded only after its
    ".." check had already run)
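The slide shows the URLs but not why a server lets them through. The check below, an added example and not code from the presentation, percent-decodes a request path, maps the overlong UTF-8 sequences that the cmd.exe URL relies on, and then collapses ".." segments the way a file system would, so a path that climbs above the web root, or one that uses a non-canonical encoding, is rejected before any file lookup. The function names, the overlong-sequence table and the rejection policy are assumptions made for illustration.

```python
"""Path-normalization check for the invalid-path URLs on this slide.

Added example, not code from the presentation.  The function names and the
mapping of overlong UTF-8 sequences are assumptions made for illustration.
"""
from typing import Tuple
from urllib.parse import unquote_to_bytes

# Overlong two-byte UTF-8 encodings of '/' and '\'.  A strict decoder rejects
# them; the IIS bug behind the cmd.exe URL above accepted %c0%af as '/' after
# its traversal check had already run.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}


def decode_path(raw_path: str) -> Tuple[str, bool]:
    """Percent-decode a URL path.  Returns (text, overlong_seen)."""
    data = unquote_to_bytes(raw_path)
    overlong = False
    for seq, replacement in OVERLONG.items():
        if seq in data:
            overlong = True
            data = data.replace(seq, replacement)  # keep the smuggled '/' visible
    return data.decode("utf-8", errors="replace"), overlong


def normalize(raw_path: str) -> Tuple[str, bool, bool]:
    """Collapse '.' and '..' the way a file system would.

    Returns (canonical_path, escapes_root, overlong_seen).  escapes_root is
    True when a '..' tries to climb above the web root, which is what
    /../../../../etc/passwd does.
    """
    decoded, overlong = decode_path(raw_path)
    stack = []
    escapes_root = False
    # IIS treated '\' like '/', so the check has to as well.
    for segment in decoded.replace("\\", "/").split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escapes_root = True
        else:
            stack.append(segment)
    return "/" + "/".join(stack), escapes_root, overlong


def should_reject(raw_path: str) -> bool:
    """Reject if the path escapes the root or uses a non-canonical encoding."""
    _, escapes_root, overlong = normalize(raw_path)
    return escapes_root or overlong


if __name__ == "__main__":
    for url in (
        "/../../../../etc/passwd",
        "/folder.php/file",
        "/scripts/..%c0%af../winnt/system32/cmd.exe",
        "/images/../index.html",
    ):
        print(f"{url!r:50} reject={should_reject(url)} canonical={normalize(url)[0]!r}")
```

Two things worth noticing when you run it: /images/../index.html is a legitimate URL and normalizes cleanly, so a check that simply bans the string ".." would break real sites; and /folder.php/file passes, because the Apache case is not a traversal at all but extra path information being handed to a script, which only the application can judge.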

4
Bugs in the web server: Buffer Overflows
  • Buffer overflows
  • Give an overly-long request to the web server so
    it crashes and, possibly, executes code that you
    specify.

5
Bugs in the web server: Buffer Overflows
  • Some are similar to web server exploits. For
    example, paste 3000 characters into a field on a
    form, hit submit and see what happens.
  • Root cause is programmers specifying buffer sizes
    and not checking the input:

    #include <string.h>
    char overflow(void)
    {
        char name[] = "toobigtoobigtoobigtoobigtoobigtoobigtoobigtoobig"; /* 48 chars + NUL */
        char buff[10];
        strcpy(buff, name);   /* put large value in small space: 49 bytes into 10 */
        return buff[0];
    }
6
Bugs in the web application: SQL Injection
  • Targeted at web applications that are driven by
    databases
  • Attempts to trick SQL server into executing SQL
    code by entering SQL code into fields on web
    pages.

7
SQL Injection targets web forms
  • Search box contains: ken
  • Enter name of person to search for
  • Code creates SQL query by using what's entered in
    the box in a SELECT command.
  • Intended SQL code:
  • SELECT * FROM people WHERE name = 'ken'

8
SQL Injection: How it works
  • Enter name of person to search for; the search box
    now contains: ken' OR 't'='t
  • Programmer EXPECTS SQL server to execute this
    command:
  • SELECT * FROM people WHERE name = 'ken'
  • SQL server ACTUALLY executes:
  • SELECT * FROM people WHERE name = 'ken' OR 't'='t'
  • If successful, what has the attacker just done?

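The search query from slides 7 and 8, built both the way the slide's code does it and the way it should be done. This is an added example, not code from the presentation; an in-memory SQLite table stands in for the SQL server, the three rows are constructed test data, and the function names are mine.

```python
"""The search-form query from this slide, built two ways.

Added example, not from the presentation: an in-memory SQLite table stands in
for the SQL server, and the table contents are constructed test data.
"""
import sqlite3

# The two inputs from the slide: what the programmer expected, and the payload.
EXPECTED_INPUT = "ken"
PAYLOAD = "ken' OR 't'='t"


def make_db() -> sqlite3.Connection:
    """Constructed sample data for the 'people' table used on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO people VALUES (?, ?)",
        [("ken", "ken@example.edu"),
         ("alice", "alice@example.edu"),
         ("bob", "bob@example.edu")],
    )
    return conn


def search_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """What the slide's code does: paste the form field into the SQL text.
    With PAYLOAD the statement becomes
    SELECT * FROM people WHERE name = 'ken' OR 't'='t'  (always true)."""
    sql = "SELECT * FROM people WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameterised form: the driver sends the value separately, so quotes
    inside it are data, never syntax."""
    return conn.execute("SELECT * FROM people WHERE name = ?", (name,)).fetchall()


def demo() -> dict:
    """Row counts for the three cases, so the difference is visible at once."""
    conn = make_db()
    return {
        "unsafe_expected": len(search_unsafe(conn, EXPECTED_INPUT)),
        "unsafe_payload": len(search_unsafe(conn, PAYLOAD)),
        "safe_payload": len(search_safe(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())  # {'unsafe_expected': 1, 'unsafe_payload': 3, 'safe_payload': 0}
```

The answer to the slide's question is the middle number: the attacker has turned a lookup of one person into a dump of the whole table, and the same trick with a different tail (UNION, a second statement, xp_cmdshell) is what the log entries on the following slides show.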
9
SQL Injection in log files
  • Look for SQL commands in HTTP logs
  • GET /content/dpenecalofevesub.asp
    vw=0&cur=yr310&prog=sik3&cal_typ_ik=2&h1=0&h2=0&cal_eve_typ_ik=25
    %20And%20char(124)%2b(Select%20Cast(Count(1)%20as%20varchar(8000))
    %2Bchar(124)%20From%20sysobjects%20Where%201=1)>0|74|800a000d|
    Type_mismatch:_'CInt' 80 - 24.144.146.82 NV32ts 500 0 0
  • Translation: appended to a numeric parameter is
    AND '|' + (SELECT CAST(COUNT(1) AS VARCHAR(8000))
    FROM sysobjects WHERE 1=1) + '|' > 0
    (char(124) is '|'). Comparing that string with 0
    forces a conversion error whose message contains
    the count, so the number of objects in the
    database is read back out of the error page.
  • The fields after the query string are the IIS
    W3C log's port, user name, client IP, user agent
    (NV32ts, a user agent seen in automated injection
    attacks of that period), status 500 and
    substatus. The |74|800a000d|Type_mismatch 'CInt'
    suffix is the ASP error IIS appends: the page
    tried CInt() on the parameter and failed, so this
    attempt never reached SQL Server, but the log
    still shows exactly what the attacker wanted.

10
Bugs in the web application: SQL Injection
SQL injection can be catastrophic!
(Sorry, I can't republish the image I used here,
but if you go to http://xkcd.com/327, you'll see
it there.)
11
Defenses
  • Install a well-known web server and keep it up to
    date with patches, etc. This protects against
    known errors in the coding of the web server
    itself.
  • NEVER trust any input provided by the user.
    Validate all input to make sure it's correct.
  • Use plug-ins, like URLscan, that can help protect
    your web server from certain types of attacks.

12
URLscan: What is it?
  • URLscan, current version 3.1
  • Free download from www.iis.net
  • Simple installation, starts working immediately.
  • Installs as an ISAPI filter for IIS 6 (3.1 also
    supports IIS 5.1 and 7.0)
  • Default installation is for all sites on the
    server but can be installed manually for
    individual sites.
  • Negligible performance impact to your site.
  • BUT: can break web sites if not configured
    properly

13
URLscan: How it works
  • URLscan works by performing a series of tests on
    an incoming request inside IIS, before the request
    reaches your site's pages.
  • URL size tests
  • HTTP Verb check
  • File extension tests
  • URL normalization tests
  • Invalid/unexpected character tests
  • Escape sequence tests
  • And more

14
URLscan config file (partial)
15
URLscan logging SQL injection
  • 2009-07-16 15:38:59 219.152.40.4 616999277 POST
    /news/article.aspx?id=1599'DECLARE%20@S%20NVARCHAR(4000)SET%20@S=CAST(0x
    4400450043004C00410052004500200040005400200076006100
    72006300680061007200280032003500350029002C004000430020007600610
    0720063006800610072002800320035003500290020004400450043004C0041
    005200450020005400610062006C
    65005F0043007500720073006F00720020004400450041004C004C004F004
    041005400450020005400610062006C0065005F0043007500720073006F007200
    %20AS%20NVARCHAR(4000))EXEC(@S)-- Rejected
    query string too long: query string 2118 bytes,
    limit 2048
  • Translation: a second statement tacked onto
    id=1599 declares @S, fills it from the 0x...
    literal (the real SQL encoded as UTF-16 text, so
    the query string carries no quotes or SQL keywords
    for a simple filter to match) and EXECs it.
    URLscan never had to recognise the SQL: the
    request failed the size test (MaxQueryString,
    default 2048) and was rejected.
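Slides 9 and 15 both come down to the same task: read the query string out of a log line, undo the percent-encoding, and spot SQL where no SQL should be, including SQL hidden inside a CAST(0x... AS NVARCHAR) hex literal. The scanner below does that over a few constructed log lines (the two attack lines are modelled on the slide 9 and slide 15 entries, not copied from them, and the hex payload is generated by the code so it decodes cleanly). It is an added example, not the presenter's tooling; the keyword list, the two-keyword threshold and the field positions are my assumptions.

```python
"""Find SQL injection attempts in IIS / URLscan style log lines.

Added example, not from the presentation.  The log lines below are constructed
(one is modelled on the NV32ts entry on slide 9, one on the hex-encoded POST on
slide 15) and the keyword list and threshold are my own choices.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Hex literal for the constructed line: the real SQL, UTF-16LE encoded so it
# holds no quotes or keywords for a naive filter to match.
HIDDEN_SQL = "DECLARE @T varchar(255),@C varchar(255)"
HIDDEN_HEX = HIDDEN_SQL.encode("utf-16-le").hex().upper()

SAMPLE_LOG = [
    # benign request
    "2009-07-16 15:38:59 GET /news/article.aspx id=1599 80 - 10.0.0.5 Mozilla/5.0 200 0 0",
    # a parameter that happens to be named 'select' must not be flagged
    "2009-07-16 15:39:02 GET /search.asp select=ken 80 - 10.0.0.5 Mozilla/5.0 200 0 0",
    # error-based probe, pattern of the slide 9 entry
    "2009-07-16 15:40:11 GET /content/dpenecalofevesub.asp cal_eve_typ_ik=25%20And%20char(124)"
    "%2b(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20sysobjects"
    "%20Where%201=1)>0 80 - 24.144.146.82 NV32ts 500 0 0",
    # hex-encoded statement, pattern of the slide 15 entry
    "2009-07-16 15:41:30 POST /news/article.aspx id=1599'DECLARE%20@S%20NVARCHAR(4000)SET%20@S=CAST(0x"
    + HIDDEN_HEX + "%20AS%20NVARCHAR(4000))EXEC(@S)-- 80 - 219.152.40.4 Mozilla/4.0 500 0 0",
]

SQL_MARKERS = re.compile(
    r"\b(select|union|insert|update|delete|drop|declare|exec|cast|convert|"
    r"waitfor|sysobjects|syscolumns|information_schema|xp_cmdshell)\b",
    re.IGNORECASE,
)
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{16,})")


def decode_hex_literal(hexdigits: str) -> Optional[str]:
    """Decode a CAST(0x... AS NVARCHAR) payload.  Returns None when the hex is
    odd-length or otherwise damaged (as the copy on slide 15 is)."""
    try:
        return bytes.fromhex(hexdigits).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def inspect_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None when it looks clean."""
    decoded = unquote_plus(line)  # %20 -> space, %2b -> '+'
    markers = {m.lower() for m in SQL_MARKERS.findall(decoded)}
    hexes = HEX_LITERAL.findall(decoded)
    # One keyword alone is common in legitimate parameter names; require two
    # distinct SQL words, or a long hex literal, before flagging the line.
    if len(markers) < 2 and not hexes:
        return None
    fields = line.split()
    return {
        # W3C fields at the end: port, user, client IP, user agent, status, substatus, win32
        "client": fields[-5] if len(fields) >= 5 else "",
        "markers": sorted(markers),
        "payloads": [decode_hex_literal(h) for h in hexes],
        "line": line,
    }


def scan_log(lines: List[str]) -> List[Dict]:
    """Run inspect_line over a log and keep only the findings."""
    return [f for f in (inspect_line(l) for l in lines) if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["client"], finding["markers"], finding["payloads"])
```

Decoding the hex is the step that pays off: the first line a scanner like this surfaces usually looks like noise until the literal is turned back into the DECLARE/EXEC statement the attacker actually wanted to run. The threshold is deliberately loose; on a real log you tune it the same way the deck tunes URLscan, by reading what it flags and adjusting.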

16
DEMO: Testing and Tweaking URLscan
I wanna see the dancing kitty
17
URLscan - configuration
  • URLScan configuration process summary:
  • Install URLscan on a test version of your
    site.
  • Test your site CAREFULLY.
  • Check the URLscan log to find out whether the
    problem is because URLscan blocked something.
  • Tweak the URLscan config file to fix the rule
    which blocked the site from working properly.
  • Repeat until the site is 100% functional with
    URLscan in place.
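What "tweak the config file" looks like in practice, as an added example rather than the presenter's own urlscan.ini (slide 14's copy did not survive the transcript): the section and option names are those of URLscan 3.1, the values are defaults or my choices, and the custom rule is modelled on Microsoft's URLscan 3 documentation; check every name against the urlscan.ini shipped with your install before copying anything.

```ini
; urlscan.ini fragment - added example, not the presenter's file.
; Comments start with ';'.  Each setting below is tied to something
; that appears earlier in the deck.

[options]
UseAllowVerbs=1
; decode %xx once before the other tests, then make sure a second decode
; changes nothing (the ..%c0%af.. style of request fails this test)
NormalizeUrlBeforeScan=1
VerifyNormalization=1
AllowHighBitCharacters=0
; 0 rejects any path with more than one '.' in it; catches
; /scripts/..%c0%af../winnt/... but also breaks /folder.v2/file - a gotcha
AllowDotInPath=0
EnableLogging=1
PerDayLogging=1
LoggingDirectory=Logs
; decode the query string before [DenyQueryStringSequences] and [DenyRules] see it
UnescapeQueryString=1

[AllowVerbs]
GET
HEAD
POST

[DenyExtensions]
; the abracadabra.cmd case and its relatives
.exe
.bat
.cmd
.com

[DenyUrlSequences]
..
./
\
:
%
&

[RequestLimits]
MaxUrl=260
; the 2118-byte POST on slide 15 was rejected by this limit
MaxQueryString=2048

[DenyRules]
SQLInjection

[SQLInjection]
AppliesTo=.asp,.aspx
DenyDataSection=SQL Injection Strings
ScanUrl=0
ScanAllRaw=0
ScanQueryString=1
ScanHeaders=

[SQL Injection Strings]
--
%3b        ; semicolon, statement separator
@          ; also catches @@
cast
declare
exec
select
sysobjects
```

The two entries most likely to send you back to the test-and-tweak loop are `select` in the data section (it also blocks any form whose parameter is named select) and `AllowDotInPath=0`. When a page breaks, the URLscan log names the rule or limit that fired, as the "query string too long 2118 2048" entry above does, so the fix is usually one line in this file rather than a hunt through the site.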

18
URLscan implementation
  • AFTER configuring a test site to work properly
  • Install URLscan on production site.
  • COPY config file from test site to production
  • Test production site (should work the same as
    test site)
  • Monitor URLscan logs carefully for 2-3 weeks and
    make config adjustments as necessary. Continue
    to check logs periodically.

19
SUMMARY
  • Protect your web server AND your web site.
  • Properly install and maintain your web server
    application.
  • Be careful when putting code, plugins or
    applications onto your web site; they can bring
    their own bugs (e.g. PHP applications).
  • Use URLscan if you want extra security, but be
    prepared for extra testing.
  • This is only a tiny introduction to web server
    security.
