Download Applications Security

Survey
yes no Was this document useful for you?
   Thank you for your participation!

* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project

page
1
page
2
page
3
page
4
page
5
page
6
page
7
page
8
page
9
page
10
page
11
page
12
page
13
page
14
page
15
page
16
page
17
page
18
page
19
page
20
page
21
page
22
Document related concepts

URL redirection wikipedia , lookup

Transcript 
Application Security:
General apps &Web service
(April 11, 2012)
© Abdou Illia – Spring 2012
Learning Objectives
 Discuss general Application security
 Discuss Webservice/E-Commerce security
 [Discuss E-Mail security]
2
General Applications Security Issues
3
Applications Security Issues
 Few Operating Systems But Many Applications



Because OS are harden, most attacks target
applications installed on servers.
Most applications run with administrative or super user
(root) privileges
Securing applications is challenging
Web service software (IIS, Apache, ...)
Web browser, Photo editors, Movie maker,
Productivity software, etc.
Operating System
Computer Hardware
Client & server
application
programs
4
Which of the following is true about
Application Security?
 If a server application (or service) is no longer needed, it
should be turned off
 Fewer applications on a computer, fewer attack
opportunities
 Use good security baselines to install and configure apps
 Do not install application centrally using group policies
 Add application layer authentication by requiring users to
provide credentials to run application programs
 Implement cryptographic authentication for sensitive apps
 If a server application (or service) is no longer needed, it
should be removed
 Do not turn on each applications’ automatic update
checking
5
Applications and Buffer Overflow
 Buffer Overflow is the biggest issue in application coding
 Buffer overflow leads to Buffer Overflow Attacks
 Buffers are RAM areas where data is stored
temporarily
 If an attacker sends more data than the programmer
had allocated to a buffer, a buffer might overflow,
overwriting an adjacent section of RAM
Buffer1
RAM
Buffer2
Buffer3 Buffer4 Buffer5 Buffer6 Buffer7
6
Buffer Overflow Attack
 Occurs when ill-written programs allow data destined to a
memory buffer to overwrite instructions in adjacent memory
register that contains instructions.
 If the data contains malware, the malware could run and
creates a DoS
 Example of input data: ABCDEF LET JOHN IN WITHOUT
PASSWORD
Buffer
1
2
3
Instructions
4
5
6
Print
Run Program
Accept input
Buffer
1
A
7
2
B
3
C
Instructions
4
D
5
E
6
F
LET JOHN IN WITHOUT PASSWORD
Run Program
Accept input
7
Stack Entry and Buffer Overflow
2. Add Data
to Buffer
5. Start of
Attacker data
3. Direction of
Data Writing
1. Write Return
Address
Data Buffer
Return
Address
4. Overwrite
Return Address
Stack entry: data buffer & Return address registry



When a program must put one subprogram on hold to call another,
it writes the return address in RAM areas called stack entries
The called subprogram may add data to the buffer to the point it
overwrites the return address
If the added buffer data is Attack code, this will be a buffer
overflow attack
8
http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/
Preventing Buffer Overflow
 Use Language tools that provide automatic bounds checking
such as Perl, Python, and Java instead lower level language (C,
C++, Assembly, etc).

However, this is usually not possible or practical because
almost all modern OS are written in the C language.
 Eliminate The Use Of Flawed Library Functions like gets(),
strcpy, and strcmp that fail to check the length or bounds of their
arguments.
 Design And Build Security Within Code
For instance, this simple change
informs strcpy() that it only has
an eight byte destination buffer
and that it must discontinue raw
copy at eight bytes.
// replace le following line
Strcpy (buffer2, strng2);
// by
Strcpy (buffer2, string2, 8)
 Use Source Code Scanning Tools.

Example: PurifyPlus Software Suite can perform a
dynamic analysis of Java, C, or C++ source code.
9
Web service security
10
Webservice & E-Commerce apps
 Web applications could be the target of many types
of attacks like:

Directory browsing

Traversal attacks

Web defacement

Using HTTP proxy to manipulate interaction between client
and server

IIS IPP Buffer Overflow

Browser attacks

Time configuration
11
Web sites’ directory browsing


Web server with Directory Browsing disabled
User cannot get access to list of files in the directory by
knowing or guessing directory names
12
Web site with directory
browsing


Web server with Directory Browsing enabled
User can get access to the list of files in the directory by
knowing or guessing directory names
13
Traversal Attack
 Normally, paths start at the WWW root directory
 Adding ../ (Windows) or ..\ (Unix) in an HTTP request might take the
attacker up a level, out of the WWW root directory.
Example: http://website.com ../../
Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../
 If attacker traverses to Command Prompt directory in Windows
2000 or NT, he can execute any command with system privileges
14
Traversal Attacks (Cont.)
 Preventing traversal attacks

Companies filter out ../ and ..\ using URL scanning software

Attackers respond with hexadecimal and UNICODE
representations for ../ and ..\
ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions
Name
Character
Code
Decimal
Binary
Hex
Null
NUL
Ctrl @
0
00000000
00
Start of Heading
SOH
Ctrl A
1
00000001
01
32
00100000
20
Space
Exclamation Point
!
Shift 1
33
00100010
22
Plus
+
Shift =
43
00101011
2B
Period
.
.
46
00101110
2E
Forward Slash
/
/
47
00101111
2F
Tilde
~
Shift’
126
01111110
7E
15
Website defacement
 Taking over a web server and replacing normal
web pages by hacker-produced pages
 Effect could last because ISP cache of popular
web sites
 Example of recent website defacements

ATTRITION Web Page Hack Mirror:
http://attrition.org/mirror/

Zone-H web site for most recent attacks:
http://www.zone-h.org: Check Onhold and Archive
16
Manipulating HTTP requests
 Attackers use proxies to manipulate
communications between browsers and web
servers
 Example using Webscarab
17
IIS IPP Buffer Overflow
 The Internet Printing Protocol (IPP) service
included in IIS 5.0 and earlier versions is
vulnerable to buffer overflow attacks
 The jill.c program was developed to launch the
attack using:
GET NULL.printer HTTP/1.0
Host: 420-byte jill.c code to launch the command shell
 IIS server responds launching the command shell
(C:\WINNT\SYSTEM32\>) giving the attacker
SYSTEM privileges.
18
IIS IPP Buffer Overflow (cont.)
 Link to jill.c code
 Code compilable using
gcc jill.c –o jill on Linux
 Precompiled version (jill-win32.c) and
executable (jill-win32.exe) available at
ftp://ftp.technotronic.com/
 newfiles/jill-win32.exe. This executable file is
ready to run on a Windows machine.
19
IIS IPP Buffer Overflow (cont.)
 Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc
20
Browser Attacks
 Malicious links

User must click on them to execute (but not
always)

Common extensions are hidden by default in
some operating systems.
 attack.txt.exe seems to be attack.txt
21
Browser Attacks (Cont.)
 Common Attacks
 Redirection to unwanted webpage
 Scripts might change the registry, home page
 Some scripts might “trojanize” your DNS errorhandling routine when you mistype a URL
 Pop-up windows

Web bugs; i.e. links that are nearly invisible,
can be used to track users at a website

Domain names that are common misspellings of
popular domain names
 Microsoff.com, www.whitehouse.com (a porn site)
22
Related documents
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034 M.Sc.
LOYOLA COLLEGE (AUTONOMOUS), CHENNAI – 600 034 M.Sc.
Buffer Overflow
Buffer Overflow
Application Security
Application Security
What Percentage of the Earth`s Surface is Water - edventure-GA
What Percentage of the Earth`s Surface is Water - edventure-GA
Slides - MIT Database Group
Slides - MIT Database Group
slides
slides
Lazy Garbage Collection of Recovery State for Fault – Tolerant
Lazy Garbage Collection of Recovery State for Fault – Tolerant
A Low-Power CMOS Output Buffer A low
A Low-Power CMOS Output Buffer A low
Document 13591807
Document 13591807
ppt - College of Engineering | SIU
ppt - College of Engineering | SIU
Clinical biochemistry (1) water balance
Clinical biochemistry (1) water balance
Murr Emparro Cap e
Murr Emparro Cap e
Slides 6 - USC Upstate: Faculty
Slides 6 - USC Upstate: Faculty
Storing Data: Disks and Files
Storing Data: Disks and Files
Smart Zone Sensing With Auto Breaking System Using
Smart Zone Sensing With Auto Breaking System Using
Chapter 1 Security Problems in Computing
Chapter 1 Security Problems in Computing