Triangles - Multnomah Education Service District

Security and the Web
CascadeLinks Regional Web Summit
Namaste Retreat & Conference Center, Wilsonville, Oregon
October 19th, 2000

Security and the Web
- The web was once considered very safe, essentially a high-level read-only medium
- The web is now extraordinarily complex and an extreme security risk
- What changed?

What changed?
- CGI/dynamically generated web pages have low-level access to the host operating system, databases, etc.
- Web browsers with client-side scripting capabilities and tight integration with the operating system

What's the danger?
- The design of the web introduces new types of attacks which are not well understood
- Tight integration between web browser/server and the host operating system opens a near-infinite number of issues
- Loose integration between the web browser and the web server, using the stateless HTTP protocol, reduces the degree of trust which can be achieved

Underlying theme
- You must understand the different levels of abstraction
- Every layer has unique weaknesses and issues
- Security is only as strong as the weakest link: all weaknesses must be addressed in order to be "secure"

Layers of abstraction
- HTTP protocol (stateless API between client & server)
- Server: retrieves files off the hard drive, executes a program using the CGI API, or interprets a script using an internal module (e.g. PHP, ASP)
  - File access is limited to the web root, possibly further restricted by .htaccess, etc. These restrictions are enforced by the web server!
  - CGI or internal scripts are not limited to the web root, auth restrictions, etc.
  - CGI/scripts have access to the OS, execute programs, access databases, etc.

Layers of abstraction (cont.)
- Web browser
  - Renders the HTML received from the web server
  - Executes scripts or other code sent by the web server (e.g. ActiveX, Javascript, Java)
  - ActiveX basically has carte-blanche access to the core Windows operating system APIs
  - Javascript, while not as bad as ActiveX, has been at the root of a large number of security issues
  - Java operates in a "sandbox", but is occasionally used in exploits
  - What about browser plugins?

Types of attacks
- Exploiting the statelessness between the server and the client
- Exploiting weaknesses in the server or client to alter content or gain unauthorized access to lower levels of the operating system

Weaknesses of HTTP
- HTTP is a stateless, clear-text protocol
- Statelessness makes it much easier for man-in-the-middle type attacks
- Clear-text means that it is trivial for a man-in-the-middle to analyze the interaction between the client and server in real time. Can capture cookies used for authentication, login names, passwords and other information passed in forms
- It's not easy to properly escape HTML tags in text that is intended to be displayed "as-is"

Web server weaknesses
- Directory recursion, breaking out of the web root:
    http://buggyserver.com/../../../../../../etc/password
    http://okserver.com/bad.cgi?file=../../../etc/password
- Trusting user-supplied input. Never, never, never trust user-supplied input! Filter all input for HTML injection, SQL commands
- Example scripts often leak information
- Some servers and CGIs are vulnerable to buffer overflows and other standard attacks

Web browser issues
- ActiveX, Javascript, and friends are a security nightmare, allowing execution of arbitrary commands, silent leakage of sensitive information
- Interpretation of HTML/scripts where it should not be, not interpreting HTML/scripts where it should
- Lack of adequate cookie management facilities, often a privacy concern
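The three server-side checks the slides call for (keeping a client-named file inside the web root, escaping HTML before displaying it "as-is", and not letting input become SQL), as an added Python example that is not part of the original slides. WEB_ROOT, the function names and the in-memory users table are constructed for this illustration; the NUL-byte check covers the "poison null" problem the deck links to at the end.

```python
import html
import os
import sqlite3

# Constructed example web root; any path a client names must stay below it.
WEB_ROOT = "/var/www/html"

def safe_web_path(web_root, user_path):
    """Map a client-supplied path onto the web root and refuse anything that
    would escape it (the ../../../etc/password case from the slide)."""
    if "\0" in user_path:
        # A NUL byte truncates the name inside C-level open() calls (the
        # "poison null" problem the deck links to), so reject it outright.
        return None
    root = os.path.realpath(web_root)
    candidate = os.path.realpath(os.path.join(root, user_path.lstrip("/")))
    # Compare canonical forms so "a/../../etc" and symlinks cannot slip past.
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate

def escape_html(text):
    """Escape user text before echoing it into a page so that a submitted
    <script> tag is displayed as-is instead of being interpreted."""
    return html.escape(text, quote=True)

def find_user(conn, username):
    """Parameterised query: the driver passes the value separately from the
    SQL text, so "x' OR '1'='1" is matched literally, never parsed as SQL."""
    row = conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchone()
    return row[0] if row else None

def demo_db():
    """Constructed in-memory users table so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn

if __name__ == "__main__":
    print(safe_web_path(WEB_ROOT, "docs/index.html"))
    print(safe_web_path(WEB_ROOT, "../../../../../../etc/password"))
    print(escape_html("<b>hi</b>"))
    print(find_user(demo_db(), "x' OR '1'='1"))
```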

Other issues
- Keep on top of vendor patches
- How do you upload files to the server? Clear-text protocols such as FTP can expose your username/password
- If you allow FTP and HTTP to access the same directories, make sure FTP uploads are not permitted!
- Make sure your filesystem/database permissions are sane
- Change all default passwords

Suggestions
- Turn off Javascript & friends in the browser
- Use SSL for passing all sensitive data
- Audit your CGIs/scripts for issues such as directory recursion and non-sanitized user input
- Keep state information on the server (supported by PHP, ASP, Cold Fusion, etc.); don't rely on cookies or HIDDEN fields
- Encrypt cookies where you must use them

Resources
- Security Focus: http://www.securityfocus.com
- CERT: http://www.cert.org
  http://www.cert.org/advisories/CA-2000-02.html
- Cracked site mirrors (this could be you): http://www.attrition.org/mirror/attrition/
- Reflections on Trusting Trust: http://www.acm.org/classics/sep95

Examples
- Real-life example of cross-site scripting:
  http://www.zdnet.com/pcmag/stories/opinions/0,7802,2434175,00.html
  http://k12linux.mesd.k12.or.us/cascadelinks/css.jpg (screen shot)
- www.apache.org gets hacked:
  http://www.securityfocus.com/templates/archive.pike?list=1&mid=58478
- slashdot.org gets hacked:
  http://slashdot.org/articles/00/09/29/1245218.shtml
- Perl poison null:
  http://k12linux.mesd.k12.or.us/cascadelinks/P55-07
- Links...
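The "keep state information on the server, don't rely on cookies or HIDDEN fields" and "encrypt cookies where you must use them" suggestions above, as an added Python example that is not part of the original slides. SESSIONS, SERVER_SECRET and the function names are assumptions; the cookie carries only an opaque session id plus an HMAC tag (authenticated rather than encrypted, which is the minimum that stops the client editing the value), and the price comes from the server-side record, not from the form.

```python
import hashlib
import hmac
import secrets

# Constructed example: a server-side session table and a secret known only to
# the server. Both names are assumptions for this illustration.
SESSIONS = {}
SERVER_SECRET = b"constructed-example-secret-rotate-in-real-use"

def create_session(username, cart_total):
    """Store the state server-side; the client only ever receives an opaque id."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": username, "cart_total": cart_total}
    return sid

def sign_cookie(value):
    """Cookie value plus an HMAC tag; changing the value breaks the tag.
    The slides say 'encrypt'; a MAC is what stops the client editing the
    value, encryption would additionally hide it from a clear-text sniffer."""
    tag = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def read_cookie(cookie):
    """Return the session state only if the tag verifies and the id is known."""
    value, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return SESSIONS.get(value)

def checkout_total(cookie, hidden_field_total):
    """The HIDDEN field submitted with the form is deliberately ignored; the
    amount charged comes from the server-side record, so editing the form
    (or the cookie) cannot change it."""
    state = read_cookie(cookie)
    if state is None:
        return None
    return state["cart_total"]

if __name__ == "__main__":
    cookie = sign_cookie(create_session("alice", 49.95))
    print(cookie)
    print(checkout_total(cookie, 0.01))            # 49.95, the form value is ignored
    print(checkout_total(cookie[:-1] + "x", 0.01))  # None, tag no longer verifies
```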
