Security on the Web Part One - Vulnerabilities
Ladd Van Tol, Senior Software Engineer

Vulnerabilities
• Client
  • Browser
  • Operating System
  • Secondary Software
• Server
  • Web Server
  • Operating System
  • Secondary Software
• Network
  • Protocol
  • Transport

Types of Clients
• Web Browsers
  • Internet Explorer > 90% market share
  • Mozilla Derivatives < 5% market share
• Operating Systems
  • Windows > 90% market share
  • Macintosh < 5% market share
  • Linux < 1% market share
• Secondary Software
  • Email clients
  • Browser add-ons

Browser Protocol
• HyperText Transfer Protocol (HTTP)
  • versions 1.0, 1.1
  • stateless TCP/IP protocol
  • cookies
  • basic authentication features
  • transfer encodings
  • keep-alive, pipelining
• Secure Socket Layers (SSL)
  • encrypts connections
  • identity verified by server certificate
  • certificate issued by certification authority

Browser Content
• HTML rendering
  • HTML 1.0, 2.0, 3.2, 4.01, XHTML 1.0, 1.1
  • XML + XSL
  • CSS 1.0, 2.0
• Embedded Dynamic Features
  • JavaScript, Java, ActiveX
  • Media Players, other Plug-Ins

Client Vulnerabilities
• Social engineering
• Spoofing
  • Can exploit DNS, or look-alike URLs
• Embedding Weaknesses
  • Java, ActiveX security policy
  • Plug-in Security Policy
• Buffer overflows
  • Can affect browser, OS, or add-on software
  • Could be a "remote root exploit"

Client Vulnerabilities (continued)
• Scripting Weaknesses
  • JavaScript security policy
• Cross-site scripting (XSS) Attacks
  • Targeted towards personal info sites
  • Often exploits unfiltered user input (comment areas, forums, etc.)
  • Injects malicious scripts which can steal cookies/other info

Privacy/Content
• Privacy Policies
• Cookies
• Usage tracking
• Browser control over advertising
• Content Filtering

Types of Servers
• Estimated 35 million servers on the web
  • Includes virtual hosts
• Apache
• Microsoft IIS*
• Sun ONE*
*Business sites more likely using commercial servers
© 2003, Netcraft

Operating Systems
• Linux, BSD variants
• Windows flavor-of-the-week
• Solaris, other high-end Unixes

Secondary Services
• Database Servers
  • MySQL, SQL Server, Oracle, DB2
• Web Applications
  • Implementation platforms
    • Scripting: PHP, Perl, Python, ASP, JSP, XSP
    • Java Frameworks: J2EE, WebSphere, WebLogic, WebObjects
    • Other Frameworks: .NET

Server Vulnerabilities
• Exploitable Web Applications
  • Source of many serious targeted exploits
  • Unvalidated Parameters
  • Broken Access Control
  • Session Hijacking
  • Cross-Site Scripting Flaws
  • Command Injection Flaws
  • Error Handling Problems
  • Insecure Use of Cryptography
  • Remote Administration Flaws
  • Web and Application Server Misconfiguration

Server Vulnerabilities (continued)
• Other attacks
  • Denial of Service
  • Remote Root Exploits
  • Network Topology, Protocols
  • Worms
• Limited ability to enforce acceptable use policies

Worm Example: Code Red
• IIS vulnerability, worm deployed July 2001
• Distributed denial of service (DDoS) attack

Networks
• Internet uses TCP/IP, UDP
• Connected Networks
• Routers
• Domain Name Servers (DNS)
• Firewalls
• Virtual Private Networks (VPN)
• Proxy Servers
• Load Balancers

Network Vulnerabilities
• Availability
  • Attacks on key routers
  • Attacks on DNS
• Confidentiality
  • Sniffing clear-text traffic

Bibliography
• W3 Consortium - http://w3c.org
• w3schools browser stats - http://www.w3schools.com/browsers/browsers_stats.asp
• Thawte - http://thawte.com
• Cross-site scripting FAQ - http://www.cgisecurity.com/articles/xss-faq.shtml
• Netcraft Web Server Survey - http://netcraft.co.uk/survey/
• CERT - http://www.cert.org/
• CAIDA Analysis of Code Red - http://www.caida.org/analysis/security/code-red/
• OWASP Top 10 Vulnerabilities - http://www.serverwatch.com/news/article.php/1568761
• Personal experience, 3+ years at: MacFixIt.com, MacCentral.com, VersionTracker.com
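The XSS point from the Client Vulnerabilities slides (unfiltered user input in comment areas becoming live script) as an added worked example, not part of the original slide deck: a constructed comment template rendered once without filtering and once with context-appropriate HTML escaping, plus a simple output check a defender can use to catch the unfiltered case. The function and variable names, the sample comment, and the tag-count check are all assumptions made for this illustration.

```python
import html
import re

# Constructed sample input standing in for a forum or comment post (not from the slides).
SAMPLE_COMMENT = 'Nice site! <script>document.title="changed"</script> "<b>bold</b>"'

# Number of tag openings the template itself contributes: <div>, <p>, </p>, </div>.
TEMPLATE_TAG_COUNT = 4


def render_comment_unfiltered(author: str, body: str) -> str:
    """Vulnerable form: user input is concatenated straight into the HTML.

    Any tag in `body`, or a quote in `author`, becomes live markup in the
    reader's browser, which is exactly the unfiltered-input XSS the slides name.
    """
    return f'<div class="comment" data-author="{author}"><p>{body}</p></div>'


def render_comment_escaped(author: str, body: str) -> str:
    """Hardened form: every user-controlled value is HTML-escaped before insertion.

    quote=True also escapes " and ', which is what keeps `author` from
    breaking out of the data-author attribute.
    """
    safe_author = html.escape(author, quote=True)
    safe_body = html.escape(body, quote=True)
    return f'<div class="comment" data-author="{safe_author}"><p>{safe_body}</p></div>'


# Matches the start of any HTML tag (opening or closing): "<", optional "/", then a letter.
_TAG_OPEN_RE = re.compile(r"<\s*/?\s*[A-Za-z]")


def user_text_introduces_markup(rendered: str, template_tags: int = TEMPLATE_TAG_COUNT) -> bool:
    """Defender-side check on the rendered output.

    Counts tag openings in the final HTML and compares with the number the
    template contributes on its own. Any surplus means user text was emitted
    as markup rather than as text, i.e. the escaping step was skipped.
    """
    return len(_TAG_OPEN_RE.findall(rendered)) > template_tags


if __name__ == "__main__":
    for renderer in (render_comment_unfiltered, render_comment_escaped):
        out = renderer("alice", SAMPLE_COMMENT)
        print(renderer.__name__, "-> leaks markup:", user_text_introduces_markup(out))
```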