Web Server Security

Web Server Security
Packet Sniffing
• Information on the Internet is exchanged in
chunks of data called packets
• There are special programs that allow packets
to be sniffed
• A packet sniffer will listen to all packets on the
network, whether or not addressed to the local
machine
• This allows the user of the packet sniffer to
see anything and everything that is being
transmitted on the local network
1
Web Server Security
For example
Using a publicly available packet sniffer program called tcpdump, all the packets being transmitted on our local network can be seen:
Prompt# tcpdump -x -n -t -q
10.0.0.7.23 > 10.0.0.2.1095: tcp 1
4500 0029 dc4f 4000 ff06 8b76 0a00 0007
0a00 0002 0017 0447 60a2 1a5e 45e2 15b4
Here a conversation is taking place between two local
machines with IP addresses 10.0.0.2 and 10.0.0.7
2
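Added example (not part of the lecture): a small decoder for the hex dump printed above. It reads the IP header and the start of the TCP header from the exact bytes on the slide, checks the IP header checksum, and rebuilds the "src.port > dst.port" summary tcpdump printed. Port 23 is telnet, so everything in that session crosses the wire in clear text, which is the point of the slide: a sniffer on the segment sees all of it.

```python
import struct

# Hex dump copied from the tcpdump output on the slide: a 20-byte IP header
# followed by the first 12 bytes of the TCP header.
SLIDE_DUMP = (
    "4500 0029 dc4f 4000 ff06 8b76 0a00 0007 "
    "0a00 0002 0017 0447 60a2 1a5e 45e2 15b4"
)


def ip_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over the IP header.

    Computed over a header that still contains its checksum field, the
    result is 0 when the header is intact.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def decode(dump: str) -> dict:
    """Decode the IP header and the TCP ports/sequence numbers of a raw dump."""
    raw = bytes.fromhex(dump.replace(" ", ""))
    version = raw[0] >> 4
    ihl = (raw[0] & 0x0F) * 4               # IP header length in bytes
    total_len, ident, frag, ttl, proto, _chk = struct.unpack("!HHHBBH", raw[2:12])
    src = ".".join(str(b) for b in raw[12:16])
    dst = ".".join(str(b) for b in raw[16:20])
    # TCP header starts right after the IP header: ports, sequence, acknowledgement
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    return {
        "version": version,
        "total_length": total_len,
        "id": ident,
        "dont_fragment": bool(frag & 0x4000),
        "ttl": ttl,
        "protocol": proto,                  # 6 = TCP
        "checksum_ok": ip_checksum(raw[:ihl]) == 0,
        "src": src, "dst": dst,
        "sport": sport, "dport": dport,
        "seq": seq, "ack": ack,
    }


def summary(fields: dict) -> str:
    """The same one-line summary tcpdump prints for the packet."""
    return f"{fields['src']}.{fields['sport']} > {fields['dst']}.{fields['dport']}"


if __name__ == "__main__":
    f = decode(SLIDE_DUMP)
    print(summary(f))
    print(f)
```

The total length field (41 bytes) minus the 20-byte IP header and a 20-byte TCP header leaves one byte of payload, which is the "tcp 1" in the tcpdump summary line.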
IP Spoofing
• IP spoofing is the act of sending a packet out with a forged source IP address
• When a hacker is carrying out an attack, the last thing he/she wants is his/her identity known
• Spoofing the IP address is an easy way to hide the identity of the machine the attack is coming from
• An attacker could spoof the IP to come from an IP address that does not belong to anyone or that is not currently in use
• The attacker could also spoof the IP address to make the attack appear as if it were coming from an existing machine elsewhere on the Internet
• Spoofing the IP address is simple. There are programs available on the Internet that allow you to manually construct packets and send them out on the wire
3
IP Spoofing on Solaris
Edit the /etc/hosts file, save the changes and reboot
Solaris# vi /etc/hosts
Before spoofing:
127.0.0.1    localhost
172.23.14.8  mytesthost
After:
127.0.0.1    localhost
10.0.0.5     mytesthost
4
Web Client Security
So far what we have covered is server-side security.
But what about client-side security?
Java Applets
• An applet is a program that runs inside your browser
• You need a java capable browser or an applet viewer to
run the applet code
• Applets can be considered as a partial program
containing only the middle portion
• The beginning and ending of the program are part of
the browser or applet viewer
5
Web Client Security
To run an applet you first need the applet .class file
This is the compiled bytecode generated from the Java source code
<html>
<applet code="someapplet.class" width="500" height="200">
<param name="text" value="example">
</applet>
</html>
6
Protecting yourself from JavaApplets
It is possible to disable Java in your browser
Netscape controls this feature under "Preferences"
Internet Explorer controls it under "Internet Options"
Select "Advanced" in both browsers
7
What happens when an applet tries
to connect to another system
• This is the most dangerous scenario with applets
• Your firewalls no longer protect your machines from attack
• This is the primary reason to disallow applets from connecting to remote systems
• The applet can connect back to the machine it originated from
• This allows a hacker to determine what traffic is allowed to exit your network through your firewalls
• This security model for Java applets is called the sandbox model
8
What happens when an applet tries
to connect to another system
• Applets are allowed to function as normal programs, but they must play within the sandbox
• They are limited in their capabilities and are not treated as full-fledged programs
• The latest Java security manager allows different sites to define different security policies, depending on the applet and its origin
• Another addition to the Java security model is the idea of signed applets
• By signing an applet, you are assured that the applet has not been modified from its original form
9
ActiveX Security
• ActiveX was developed by Microsoft and is based on their object linking and embedding (OLE) technology
• The ActiveX equivalent of a Java applet is called an ActiveX control
• Unlike Java applets, ActiveX controls are platform dependent
• This means you need to compile for every platform you expect to connect to the site
• Rather than using the Applet tag, you need to use the <Object> tag
10
ActiveX Security
• ActiveX controls are digitally signed by the author of the control
• The digital signature is then signed by the security mechanism for ActiveX, called Authenticode
• Unlike the sandbox approach, in ActiveX you are prompted, prior to running the control, with the name of the author who wrote and signed the code
11
JavaScript Security
• All sorts of JS bugs have been discovered, ranging from being able to send out e-mail or view the history file, to tracking a user online or uploading a file
• It is possible to disable JS in your browser
• This is done the same way as blocking applets, in the browser settings
• When a page is loaded, sometimes new browser windows are continuously opened until the browser is terminated
12
JavaScript Security
• This will eat up all your system memory and you will have no choice but to terminate the browser
• This is a client-side denial-of-service attack using the standard functionality of JavaScript
• Another annoying script: upon loading the URL, your browser window develops a mind of its own and starts to move all over the screen, and may get out of control
13
JavaScript Security
• Unlike Java applets or ActiveX, the good thing with JS is that once you disable JS in your browser you can always inspect the script in the browser window and allow it to reload once you know the contents of the script
• Unlike applets or ActiveX controls, which use a single tag to embed something, JS has event handlers such as the onLoad() method, which are difficult to strip as the script passes through the firewall
• Netscape has added the functionality to sign scripts, very similar to applets
• Now you can choose to run only signed scripts that were signed by an author you trust
14
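Added example (not from the lecture) showing why event handlers are hard to strip: a filter that only removes the <script> tag leaves the onLoad handler and the javascript: URL untouched, while a parser that walks every tag and attribute can drop all three. The sample page and the function names openWindows() and moveWindow() are constructed for the example.

```python
import html
import re
from html.parser import HTMLParser

# Constructed sample page (not from the lecture). Script appears in three
# places: a <script> element, an onload event handler and a javascript: URL.
SAMPLE_HTML = (
    '<html><body onload="openWindows()">'
    '<script>openWindows()</script>'
    '<a href="javascript:moveWindow()">click</a>'
    '<p>Hello</p></body></html>'
)


def naive_strip(page: str) -> str:
    """What a filter that only looks for one tag does: remove <script> blocks."""
    return re.sub(r"<script\b.*?</script>", "", page, flags=re.I | re.S)


def has_inline_script(page: str) -> bool:
    """True if event-handler attributes or javascript: URLs remain in the page."""
    return bool(re.search(r"\bon\w+\s*=|javascript\s*:", page, re.I))


class ScriptStripper(HTMLParser):
    """Rebuild the page without <script> bodies, on* attributes or javascript: URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)
        self.out = []
        self.in_script = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script += 1
            return
        kept = []
        for name, value in attrs:
            if name.lower().startswith("on"):          # onload=, onclick=, ...
                continue
            if value and value.strip().lower().startswith("javascript:"):
                continue
            if value is None:
                kept.append(f" {name}")
            else:
                kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script -= 1
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.in_script:                        # drop script bodies
            self.out.append(data)

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")


def strip_script(page: str) -> str:
    """Return the page with every form of embedded script removed."""
    parser = ScriptStripper()
    parser.feed(page)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print("naive :", naive_strip(SAMPLE_HTML))
    print("parsed:", strip_script(SAMPLE_HTML))
```

The parser-based version is still a blunt tool (it drops every on* attribute and every javascript: link, and it does not handle obfuscated attribute names), which is why the slide's advice to disable JS in the browser, or to accept only signed scripts, is the more reliable control.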
Cookies
What is a Cookie?
• A cookie is nothing more than data
• It is not a program and is not executable
• It is like you filling in a form with details and sending it to the server, except that with a cookie the server fills in the information and passes it to the client
• When the client requests a web document from the server, the server sends the document and some additional data
• This additional data is called the cookie
15
Cookies
• Later, when the client makes additional connections to the server, it will send the cookie back
• It will keep the cookie for future connections
• Without the cookie the server has no idea who is connecting to it
• It may know which IP address the connection is from, and thus which machine the client is running on
16
Cookies
Example
Content-type: text/html
Set-Cookie: colorpref=blue

<HTML>
<HEAD>
<TITLE>
</TITLE>
</HEAD>
</HTML>
• This is all a server needs to send to the browser for it to store the value for future reference; the next time the user visits, the background will be shown in blue
• If the server specifies an expiration date, the cookie is saved to disk when the user exits the browser
• If no date is specified, the cookie is deleted upon exit
17
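Added example (not from the lecture) of the round trip the last three slides describe, using the standard library's http.cookies: the client reads the Set-Cookie headers of a response, keeps them in a jar, sends them back as a Cookie header on the next request, and discards the ones without an expiry date when the browser exits. The response headers are constructed for the example; the second cookie, visits, is invented to show the expiring case.

```python
from http.cookies import SimpleCookie

# Constructed server response headers (not from the lecture): the slide's own
# session cookie plus a second cookie that carries an expiration date.
RESPONSE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "colorpref=blue"),
    ("Set-Cookie", "visits=7; Expires=Wed, 17 Nov 2004 15:11:32 GMT; Path=/"),
]


def store_cookies(headers):
    """Client side: read every Set-Cookie header into a jar.

    Returns {name: (value, persistent)}. A cookie with neither Expires nor
    Max-Age is a session cookie and lives only until the browser exits.
    """
    jar = {}
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parsed = SimpleCookie()
        parsed.load(value)
        for morsel in parsed.values():
            persistent = bool(morsel["expires"] or morsel["max-age"])
            jar[morsel.key] = (morsel.value, persistent)
    return jar


def cookie_header(jar):
    """Client side: the Cookie request header sent on the next connection."""
    return "; ".join(f"{name}={value}" for name, (value, _) in jar.items())


def after_browser_exit(jar):
    """Only cookies with an expiry date survive on disk."""
    return {name: entry for name, entry in jar.items() if entry[1]}


if __name__ == "__main__":
    jar = store_cookies(RESPONSE_HEADERS)
    print("next request sends: Cookie:", cookie_header(jar))
    print("kept on disk after exit:", after_browser_exit(jar))
```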
Cookie Security
• Since the length of cookies is limited and they do not execute anywhere, there is not much concern about security attacks via cookies
• The only issue with cookies is user privacy
• So the security issue is for you, the user, and not for the computer
18
Encryption
• Cryptography comes in many forms but the principles are the same, i.e. to protect your data from eavesdropping, spying, or falling into the wrong hands
Example:
• Let's encrypt a message using the following data and the standard English alphabet:
ABCDEFGHIJKLMNOPQRSTUVWXYZ
19
Encryption
• Plaintext: Meet me on the corner at midnight
• Algorithm: C = (P + K) mod 26, where C is the ciphertext character, P is the plaintext character and K is the value of the key
• Key: 3
• Ciphertext: Phhw ph rq wkh fruqhu dw plgqljkw
The ciphertext message is not in any recognizable readable form
So you need to know the key to interpret the message
20
Encryption
• This algorithm states simply that to encrypt a plaintext character (P) and generate a ciphertext character (C) we merely add the value of the key (K) to the plaintext character
• Another way of looking at this example is that we are shifting the plaintext character to the right of the alphabet by three characters: X, Y and Z wrap around and are replaced by A, B and C respectively
21
Encryption
Plaintext:  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
Ciphertext: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
Meet -> Phhw
22
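Added example (not from the lecture) that carries the slides' shift cipher through in code: encryption with C = (P + K) mod 26, decryption with the key, the substitution table for the key 3, and a key-recovery routine that shows the caveat behind "you need to know the key": with only 26 possible keys, a reader who knows a single likely plaintext word can find it by trying them all. The crib word is an assumption of the example.

```python
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def shift_char(ch: str, key: int) -> str:
    """Shift one letter by `key` positions, wrapping around; leave other characters alone."""
    if ch.isascii() and ch.isalpha():
        base = ord("A") if ch.isupper() else ord("a")
        return chr((ord(ch) - base + key) % 26 + base)   # C = (P + K) mod 26
    return ch


def encrypt(plaintext: str, key: int) -> str:
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same shift in the other direction: P = (C - K) mod 26."""
    return encrypt(ciphertext, -key)


def substitution_table(key: int) -> dict:
    """Plaintext letter -> ciphertext letter, as drawn on the slide."""
    return dict(zip(ALPHABET, encrypt(ALPHABET, key)))


def recover_key(ciphertext: str, crib: str = "the"):
    """Without the key: try all 26 shifts and return the one that yields the crib word.

    The crib is an assumed likely plaintext word; None means no shift produced it.
    """
    for key in range(26):
        if crib in decrypt(ciphertext, key).lower().split():
            return key
    return None


if __name__ == "__main__":
    message = "Meet me on the corner at midnight"
    cipher = encrypt(message, 3)
    print(cipher)
    print(decrypt(cipher, 3))
    print("recovered key:", recover_key(cipher))
```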
Certificates
• A client needs to be sure that the public key she is using corresponds to the server's private key
• Similarly, the server also needs to verify that the message signature really corresponds to the client's signature
• If each party has a certificate which validates the other's identity, confirms the public key, and is signed by a trusted agency, then both will be assured that they are communicating with whom they think they are
• Such a trusted agency is called a Certificate Authority, and certificates are used for authentication
23
Certificate Content
Subject: Distinguished Name, Public Key
Issuer: Distinguished Name, Signature
Period of Validity: Not Before Date, Not After Date
Administrative Information: Version, Serial Number
Extended Information
24
Certificate Authority
• By first verifying the information in a certificate request before granting the certificate, the Certificate Authority assures the identity of the private key owner of a keypair
• A Certificate Authority may also issue a certificate for another Certificate Authority
• Who vouches for the certificate of the top-level authority, which has no issuer?
• One must exercise extra care in trusting a self-signed certificate
25
Certificate Authority
• The wide publication of a public key by the root authority reduces the risk in trusting this key: it would be obvious if someone else publicized a key claiming to be the authority
• Browsers are preconfigured to trust well-known certificate authorities
• A number of companies, such as VeriSign, have established themselves as certificate authorities. These companies provide the following services:
– Verifying certificate requests
– Processing certificate requests
– Issuing and managing certificates
26
Creating a Certified Authority
• It is also possible to create your own
Certificate Authority.
• Specifications for certificates can be found at
http://www.ietf.org/html.charters/pkixcharter.html (Public-Key Infrastructure (X.509)
Working group in IETF)
27
Implementing SSL
• Although one might write an SSL
implementation from scratch following the
specification (TLS spec at
http://www.ietf.org/rfc/rfc2246.txt), it is much
easier to use one of the existing SSL toolkit
libraries.
• In addition, because of patents, it is usually
necessary to license some of the cryptography
libraries
• http://www.openssl.org/
28
Intrusion detection and recovery
• If the security model fails, it is important to
detect the intrusion as early as possible
• The most important thing is to know what is
happening on the network and on the
machines within the network
• The data contained in the logs is an excellent
resource for determining what is happening at
the site
29
Audits, Logs, Accounting
• Logs notify us of errors or specific application-level transactions
• Audits provide more information
– Used to monitor when the file is opened, read, or
written to
– Also can be used to monitor process and see when a
process starts/ends a child process
• Accounting is a means of calculating how
much of the system resources are being used
by each user
30
System and Network usage
monitoring
• The use of web server resources should be
fairly consistent
• E.g. if your web site has around 1000 hits
every day, and then suddenly this drops to 10
on one day, something suspicious is happening
• If a user logs on and works only on weekends
and then suddenly logs on on a weekday in
the middle of the night, it could be an attack.
31
Log examples
• After loading the default server page
2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosts
• After attempting to load a page that does not exist
2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts
• After submitting an online form whose data is processed by a CGI script
2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
32
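Added example (not from the lecture) that turns the two preceding slides into detection logic: it parses lines in the layout shown above, counts hits per day and flags a day whose volume is far from the median (the slide's "1000 hits a day suddenly drops to 10"), and lists clients that keep requesting pages that do not exist. The log lines it runs on are constructed, in the same field order as the slide.

```python
import statistics
from collections import Counter


def parse_line(line: str) -> dict:
    """Split one access-log line in the layout used on the slide:
    date time method path status 0 bytes client:port host"""
    date, time, method, path, status, _, size, client, host = line.split()
    return {"date": date, "time": time, "method": method, "path": path,
            "status": int(status), "size": int(size),
            "client": client.rsplit(":", 1)[0], "host": host}


def hits_per_day(entries):
    return Counter(e["date"] for e in entries)


def volume_anomalies(per_day, ratio=10.0):
    """Days whose hit count is more than `ratio` times below or above the median day."""
    median = statistics.median(per_day.values())
    return sorted(day for day, n in per_day.items()
                  if n < median / ratio or n > median * ratio)


def not_found_by_client(entries, threshold=20):
    """Clients that produced more than `threshold` 404 responses, a sign of probing."""
    counts = Counter(e["client"] for e in entries if e["status"] == 404)
    return {client: n for client, n in counts.items() if n > threshold}


def constructed_entries():
    """Constructed sample log (not real traffic): five ordinary days of about
    1000 hits, one day with only 10, and one client asking for files that do not exist."""
    lines = []
    for day, n in [(17, 1000), (18, 1003), (19, 998), (20, 1001), (21, 999), (22, 10)]:
        for i in range(n):
            lines.append(f"2004-11-{day} {i % 24:02d}:{i % 60:02d}:00 GET /page{i % 50}.html "
                         f"200 0 1200 10.0.0.{i % 200 + 1}:{30000 + i} hosta")
    for i in range(25):
        lines.append(f"2004-11-19 03:{i:02d}:00 GET /cgi-bin/probe{i}.pl 404 0 404 "
                     f"10.0.1.66:{41000 + i} hosta")
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    entries = constructed_entries()
    per_day = hits_per_day(entries)
    print("hits per day:", dict(per_day))
    print("days with abnormal volume:", volume_anomalies(per_day))
    print("clients with many 404s:", not_found_by_client(entries))
```

Both checks are baselines rather than signatures: they only work because, as the slide says, the use of web server resources is fairly consistent, so the thresholds should be tuned to the site's own history.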
HTAccess
• Web-based authentication denies web access
to visitors who do not give a valid username
and password
• An access control list (ACL) is a method of
limiting access to a particular portion of a Web
site
• For example you may want to give access to
an online database only for fee paying
customers
• An ACL can be used to place a restriction on a
single file or an entire directory, including its
sub directories
33
Format of the HTAccess file
AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
AuthGroupFile /dev/null
AuthName "Somewhere.com's Secret Section"
AuthType Basic
# without a Require line the server does not enforce the restriction
Require valid-user
34
HTAccess file
• The .htaccess file affects the directory in which it is
placed, so in this example, any visitor requesting
<URL:http://somewhere/somepath/> would be
presented with an authentication request.
• The .htaccess file also affects directories recursively
below it. Therefore, requesting
<URL:http://somewhere.com/somepath/evenmore/>
would yield the same authentication request unless
~/somepath/evenmore had a .htaccess file of its own.
• The first line, starting with AuthUserFile, tells the
webserver where to find your username/password file.
• Notice that the AuthName in the example,
"Somewhere.com's Secret Section," is used in the
authentication request.
35
Creating .htpasswd file
• To create an .htpasswd file, go to the
directory you specified in AuthUserFile. In
the example, this is
/mnt/web/guide/somewhere/somepath. Then
use the htpasswd program with the -c switch
to create your .htpasswd in the current
directory.
• Type htpasswd -c .htpasswd username to
create the file and add "username" as the first
user. The program will prompt you for a
password, then verify by asking again.
36
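Added example (not from the lecture, and not Apache's own code) of what the .htpasswd file holds and how the server checks it. It writes entries in the {SHA} form that htpasswd -s produces (a base64 SHA-1 of the password), parses the file, and verifies the user:password pair carried in the Authorization header of a Basic-auth request. The user names and passwords are constructed.

```python
import base64
import hashlib
import hmac


def sha_entry(user: str, password: str) -> str:
    """One line as written by 'htpasswd -s': user:{SHA}base64(sha1(password))."""
    digest = hashlib.sha1(password.encode()).digest()
    return f"{user}:{{SHA}}{base64.b64encode(digest).decode()}"


def parse_htpasswd(text: str) -> dict:
    """Map user -> stored hash, skipping blank and comment lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def check_password(users: dict, user: str, password: str) -> bool:
    stored = users.get(user)
    if stored is None or not stored.startswith("{SHA}"):
        return False          # unknown user, or a hash scheme this checker does not handle
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return hmac.compare_digest(digest, stored[len("{SHA}"):])   # constant-time compare


def basic_header(user: str, password: str) -> str:
    """What the browser sends after the authentication prompt: Authorization: Basic ..."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def authorize(users: dict, authorization_header: str) -> bool:
    """Server side: decode the Basic credentials and check them against the file."""
    scheme, _, blob = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    return check_password(users, user, password)


if __name__ == "__main__":
    htpasswd_text = sha_entry("username", "password") + "\n"   # constructed credentials
    print(htpasswd_text)
    users = parse_htpasswd(htpasswd_text)
    print(authorize(users, basic_header("username", "password")))
```

Two caveats a practitioner should keep in mind: the {SHA} scheme is unsalted and is the weakest one htpasswd supports (it is used here only because it needs nothing outside the standard library; prefer htpasswd -B, which stores bcrypt), and Basic authentication only base64-encodes the password, so without HTTPS, described later in the deck, the credentials are readable by the packet sniffer from the first slides.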
What is HTTPS?
• Secure HTTP
• Essentially an implementation of HTTP over SSL
37
SOAP Message
<?xml version='1.0' ?>
<env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
<env:Header>
………
</env:Header>
<env:Body>
……..
</env:Body>
</env:Envelope>
• SOAP Envelope: defines the overall framework for representing the contents of the SOAP message and who will deal with the message (intermediaries)
• Body: mandatory, contains the payload of the message, which is intended for the final SOAP receiver
38
Kerberos
• The most popular representative of secret key authentication protocols is Kerberos, which was developed by MIT
• After the client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to ensure data confidentiality and integrity
• Kerberos is commonly used in the middle tier within corporate networks
• Kerberos allows a principal to prove its identity to a server without sending authentication data that might allow an attacker to subsequently impersonate the principal
39
Kerberos
• The client application provides a secret key derived from a password as the basis of authentication. The secret key may potentially be stored on a hardware token (DES card) for stronger authentication and may also be derived from a public key certificate
• To use the Kerberos security service, the client first sends the principal's identity to the authentication server, which sends back a credential called a ticket-granting ticket (TGT)
• The TGT is encrypted so that only the legitimate principal who possesses the correct password is able to decrypt it and use it at a future time
40
Token-based authentication
• With token-based systems the user must possess a physical token that plays some part in the authentication process, which makes this approach a lot stronger than passwords by themselves
• Tokens are more expensive and complex to implement than IDs and passwords. Sometimes the token displays a value that must be verified by an authentication server
• Examples of tokens include CRYPTOCard and RSA SecurID
41
Security methods in Web Services
• XML Security
• WS-Security
• XML Encryption
• SAML (Security Assertion Markup Language)
42
Points to remember when designing web
servers
• Authentication
SSL transport-layer authentication
WS-Security (Kerberos) for message-based authentication
• Authorisation
Once the user is authenticated, the next step is to find out if they are allowed to access the resource they are requesting
• Integrity
IPSec guarantees integrity.
The message has not been tampered with in transit
43
Points to remember when designing secure
web servers
• Confidentiality
XML Encryption, SSL/TLS, IPSec
• Auditing
The ability to write an audit trail is important for any security system
• Administration
Administration involves managing the security policy
• Availability
Availability involves protecting against unwanted message storms
44
Recovering from an attack
• If you abruptly kill the hacker's connection into the machine, he will suspect that you are onto him
• On the other hand, it is difficult to sit and watch someone hacking your system
• Depending on your time and resources, you could set up a dummy machine to trick the hacker into thinking that he is still going undetected
• The machine would be an identical one without any sensitive data
• This will help you to trace the hacker even if he tries to masquerade
45