Security and the Web
CascadeLinks Regional Web Summit
Namaste Retreat & Conference Center, Wilsonville, Oregon
October 19th, 2000

Security and the Web
- The web was once considered very safe, essentially a high-level read-only medium
- The web is now extraordinarily complex and an extreme security risk
- What changed?
  - CGI/dynamically generated web pages have low-level access to the host operating system, databases, etc.
  - Web browsers with client-side scripting capabilities and tight integration with the operating system

What's the danger?
- The design of the web introduces new types of attacks which are not well understood
- Tight integration between web browser/server and the host operating system opens a near-infinite number of issues
- Loose integration between the web browser and the web server, using the stateless HTTP protocol, reduces the degree of trust which can be achieved

Underlying theme
- You must understand the different levels of abstraction
- Every layer has unique weaknesses and issues
- Security is only as strong as the weakest link: all weaknesses must be addressed in order to be "secure"

Layers of abstraction
- HTTP protocol (stateless API between client & server)
- Server: retrieves files off the hard drive, executes a program using the CGI API, or interprets a script using an internal module (e.g. PHP, ASP)
  - File access is limited to the web root, possibly restricted further by .htaccess, etc. These restrictions are enforced by the web server!
  - CGI or internal scripts are not limited to the web root, auth restrictions, etc.
  - CGI/scripts have access to the OS, execute programs, access databases, etc.
Layers of abstraction (cont.)
- Web browser
  - Renders the HTML received from the web server
  - Executes scripts or other code sent by the web server (e.g. ActiveX, Javascript, Java)
  - ActiveX basically has carte-blanche access to the core Windows operating system APIs
  - Javascript, while not as bad as ActiveX, has been at the root of a large number of security issues
  - Java operates in a "sandbox", but is occasionally used in exploits
  - What about browser plugins?

Types of attacks
- Exploiting the statelessness between the server and the client
- Exploiting weaknesses in the server or client to alter content or gain unauthorized access to lower levels of the operating system
Weaknesses of HTTP
- HTTP is a stateless, clear-text protocol
- Statelessness makes man-in-the-middle type attacks much easier
- Clear-text means that it is trivial for a man-in-the-middle to analyze the interaction between the client and server in real time: cookies used for authentication, login names, passwords and other information passed in forms can all be captured
- It's not easy to properly escape HTML tags in text that is intended to be displayed "as-is"

Web server weaknesses
- Directory recursion, breaking out of the web root:
  http://buggyserver.com/../../../../../../etc/password
  http://okserver.com/bad.cgi?file=../../../etc/password
- Trusting user-supplied input
  - Never, never, never trust user-supplied input!
  - Filter all input for HTML injection and SQL commands
- Example scripts often leak information
- Some servers and CGIs are vulnerable to buffer overflows and other standard attacks

Web browser issues
- ActiveX, Javascript, and friends are a security nightmare, allowing execution of arbitrary commands and silent leakage of sensitive information
- Interpretation of HTML/scripts where it should not be, and not interpreting HTML/scripts where it should
- Lack of adequate cookie management facilities is often a privacy concern
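An added example, not from the slides: a `bad.cgi?file=...` style handler written the way the "Web server weaknesses" slides say it should be. The web server enforces the web root for static files, but a CGI that opens whatever name it is given gets no such protection, so the script resolves the requested path itself and refuses anything outside the root; when it echoes the request back it HTML-escapes it, the "display as-is" problem the HTTP slide mentions. The web root and its files are a constructed sandbox in a temporary directory.

```python
import html
import tempfile
from pathlib import Path
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed sandbox standing in for the document root of the CGI's server.
WEB_ROOT = Path(tempfile.mkdtemp()) / "htdocs"
WEB_ROOT.mkdir()
(WEB_ROOT / "index.html").write_text("<h1>Welcome</h1>")
# Sits one level above the web root; a traversal bug would hand it out.
(WEB_ROOT.parent / "secret.txt").write_text("outside the web root")


def safe_path(web_root: Path, requested: str) -> Optional[Path]:
    """Map a user-supplied file parameter to a path inside web_root, or None.

    Resolving collapses '..' and symlinks, so the check is made on the real
    location rather than on the string the client sent.
    """
    root = web_root.resolve()
    candidate = (root / requested.lstrip("/")).resolve()
    if candidate != root and root not in candidate.parents:
        return None
    return candidate


def handle_request(query_string: str) -> Tuple[int, str]:
    """Serve ?file=NAME from the web root; reject traversal, escape echoes."""
    params = parse_qs(query_string)
    requested = params.get("file", [""])[0]
    target = safe_path(WEB_ROOT, requested)
    if target is None or not target.is_file():
        # Reflecting the request is where HTML injection creeps in: escape it.
        return 404, "<p>No such file: %s</p>" % html.escape(requested)
    return 200, target.read_text()
```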
Other issues
- Keep on top of vendor patches
- How do you upload files to the server? Clear-text protocols such as FTP can expose your username/password
- If you allow FTP and HTTP to access the same directories, make sure FTP uploads are not permitted!
- Make sure your filesystem/database permissions are sane
- Change all default passwords

Suggestions
- Turn off Javascript & friends in the browser
- Use SSL for passing all sensitive data
- Audit your CGIs/scripts for issues such as directory recursion and non-sanitized user input
- Keep state information on the server; don't rely on cookies or HIDDEN fields (server-side state is supported by PHP, ASP, Cold Fusion, etc.)
- Encrypt cookies where you must use them

Resources
- Security Focus: http://www.securityfocus.com
- CERT: http://www.cert.org
  http://www.cert.org/advisories/CA-2000-02.html
- Cracked site mirrors (this could be you): http://www.attrition.org/mirror/attrition/
- Reflections on Trusting Trust: http://www.acm.org/classics/sep95

Examples
- Real-life example of cross-site scripting:
  http://www.zdnet.com/pcmag/stories/opinions/0,7802,2434175,00.html
  http://k12linux.mesd.k12.or.us/cascadelinks/css.jpg (screen shot)
- www.apache.org gets hacked:
  http://www.securityfocus.com/templates/archive.pike?list=1&mid=58478
- slashdot.org gets hacked:
  http://slashdot.org/articles/00/09/29/1245218.shtml
- Perl poison null:
  http://k12linux.mesd.k12.or.us/cascadelinks/P55-07

Links...