Triangles - Multnomah Education Service District


Security and the Web
CascadeLinks Regional Web Summit
Namaste Retreat & Conference Center, Wilsonville, Oregon
October 19th, 2000

Security and the Web
- The web was once considered very safe, essentially a high-level read-only medium
- The web is now extraordinarily complex and an extreme security risk
- What changed?

What changed?
- CGI/dynamically generated web pages have low-level access to the host operating system, databases, etc.
- Web browsers with client-side scripting capabilities and tight integration with the operating system

What's the danger?
- Design of the web introduces new types of attacks which are not well understood
- Tight integration between web browser/server and the host operating system opens a near infinite number of issues
- Loose integration between the web browser and the web server, using the stateless HTTP protocol, reduces the degree of trust which can be achieved

Underlying theme
- You must understand the different levels of abstraction
- Every layer has unique weaknesses and issues
- Security is only as strong as the weakest link: all weaknesses must be addressed in order to be "secure"

Layers of abstraction
- HTTP protocol (stateless API between client & server)
- Server: retrieves files off the hard drive, executes a program using the CGI API, or interprets a script using an internal module (e.g. PHP, ASP)
  - File access limited to the web root, possibly restricted by .htaccess, etc. - these restrictions are enforced by the web server!
  - CGI or internal scripts are not limited to the web root, auth restrictions, etc.
  - CGI/scripts have access to the OS, execute programs, access databases, etc.

Layers of abstraction (cont.)
- Web browser
  - Renders the HTML received from the web server
  - Executes scripts or other code sent by the web server (e.g. ActiveX, Javascript, Java)
  - ActiveX basically has carte blanche access to the core Windows operating system APIs
  - Javascript, while not as bad as ActiveX, has been at the root of a large number of security issues
  - Java operates in a "sandbox", but occasionally is used in exploits
  - What about browser plugins?

Types of attacks
- Exploiting the statelessness between the server and the client
- Exploiting weaknesses in the server or client to alter content or gain unauthorized access to lower levels of the operating system

Weaknesses of HTTP
- HTTP is a stateless, clear-text protocol
- Statelessness makes it much easier for man-in-the-middle type attacks
- Clear-text means that it is trivial for a man-in-the-middle to analyze the interaction between the client and server in real-time. Can capture cookies used for authentication, login names, passwords and other information passed in forms
- It's not easy to properly escape HTML tags in text that is intended to be displayed "as-is"

Web server weaknesses
- Directory recursion, breaking out of the web root
  http://buggyserver.com/../../../../../../etc/password
  http://okserver.com/bad.cgi?file=../../../etc/password
- Trusting user-supplied input
  - Never, never, never trust user-supplied input!
  - Filter all input for html injection, SQL commands
- Example scripts often leak information
- Some servers and CGIs are vulnerable to buffer overflows and other standard attacks

Web browser issues
- ActiveX, Javascript, and friends are a security nightmare, allowing execution of arbitrary commands, silent leakage of sensitive information
- Interpretation of HTML/scripts where it should not be, not interpreting HTML/scripts where it should
- Lack of adequate cookie management facilities, often a privacy concern
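The directory-recursion URLs and the "filter all input" rule above, as an added example that is not part of the original slides: a Python CGI-style check that keeps a `file=` parameter inside the web root (covering `../`, absolute paths and the Perl poison null from the Examples slide), escapes echoed text so it cannot become markup, and binds a form value into SQL instead of concatenating it. `WEB_ROOT`, the function names and the in-memory users table are constructed for the example.

```python
import html
import os
import sqlite3
from typing import Optional

# Constructed document root for the example; a real CGI takes this from the server configuration.
WEB_ROOT = "/var/www/html"


def resolve_in_webroot(web_root: str, requested: str) -> Optional[str]:
    """Map a user-supplied file name onto a path that must stay inside the web root.

    Returns None for the three escapes the slides describe: '../' traversal, an absolute
    path, and a NUL byte (the Perl "poison null"), which truncates the name inside C
    library calls so a suffix check such as endswith('.html') is fooled.
    """
    if "\x00" in requested:
        return None
    root = os.path.normpath(web_root)
    # os.path.join would discard web_root entirely if `requested` were absolute, so strip the slashes first
    candidate = os.path.normpath(os.path.join(root, requested.lstrip("/\\")))
    # After normalisation the path must still be the root itself or live below it
    if candidate != root and not candidate.startswith(root + os.sep):
        return None
    return candidate


def render_search_echo(user_text: str) -> str:
    """Echo a query back into HTML as text, not markup (the cross-site scripting case)."""
    return "<p>Results for: %s</p>" % html.escape(user_text, quote=True)


def demo_db() -> sqlite3.Connection:
    """In-memory users table with one constructed row, so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE)")
    conn.execute("INSERT INTO users (login) VALUES ('alice')")
    return conn


def lookup_user_id(conn: sqlite3.Connection, login: str) -> Optional[int]:
    """The bound parameter keeps the login as data; building the query by string concatenation
    would let SQL typed into the form field run as part of the statement."""
    row = conn.execute("SELECT id FROM users WHERE login = ?", (login,)).fetchone()
    return row[0] if row else None
```

The path check is purely lexical; if the web root contains symlinks, open the file through the resolved path as well so a link cannot point back outside the root.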

Other issues
- Keep on top of vendor patches
- How do you upload files to the server? Clear-text protocols such as FTP can expose your username/password
- If you allow ftp and http to access the same directories, make sure ftp uploads are not permitted!
- Make sure your filesystem/database permissions are sane
- Change all default passwords

Suggestions
- Turn off Javascript & friends in browser
- Use SSL for passing all sensitive data
- Audit your CGIs/scripts for issues such as directory recursion and non-sanitized user input
- Keep state information on the server, don't rely on cookies or HIDDEN fields
  - supported by PHP, ASP, Cold Fusion, etc.
- Encrypt cookies where you must use them

Resources
- Security Focus: http://www.securityfocus.com
- CERT: http://www.cert.org, http://www.cert.org/advisories/CA-2000-02.html
- Cracked site mirrors (this could be you): http://www.attrition.org/mirror/attrition/
- Reflections on Trusting Trust: http://www.acm.org/classics/sep95

Examples
- Real-life example of cross-site scripting:
  http://www.zdnet.com/pcmag/stories/opinions/0,7802,2434175,00.html
  http://k12linux.mesd.k12.or.us/cascadelinks/css.jpg (screen shot)
- www.apache.org gets hacked: http://www.securityfocus.com/templates/archive.pike?list=1&mid=58478
- slashdot.org gets hacked: http://slashdot.org/articles/00/09/29/1245218.shtml
- Perl poison null: http://k12linux.mesd.k12.or.us/cascadelinks/P55-07

Links...
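The "keep state information on the server" and cookie suggestions above, as an added example rather than anything from the original talk: the browser holds only a session id carrying an HMAC tag (integrity protection, used here in place of the encryption the slide suggests; it does not hide the id, and over plain HTTP it is still readable in transit, so the SSL suggestion stands), the data lives in a server-side store, and a HIDDEN "total" field posted with the form is never trusted. `SERVER_SECRET`, `SESSIONS` and the function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed per-process secret for the example; a real deployment keeps it outside the web root
SERVER_SECRET = secrets.token_bytes(32)

# Server-side session store: the browser only ever holds the session id, never the state itself
SESSIONS: Dict[str, dict] = {}


def create_session(data: dict) -> str:
    """Store state on the server under an unguessable id and return that id."""
    sid = secrets.token_urlsafe(24)  # URL-safe alphabet, so '.' below can separate id and tag
    SESSIONS[sid] = dict(data)
    return sid


def cookie_for(sid: str) -> str:
    """Cookie value = id plus an HMAC tag, so an edited id is rejected instead of looked up."""
    tag = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    return f"{sid}.{tag}"


def session_from_cookie(cookie: str) -> Optional[dict]:
    """Verify the tag (constant-time compare) before touching the store; None on any mismatch."""
    sid, _, tag = cookie.rpartition(".")
    expected = hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return SESSIONS.get(sid)


def order_total(cookie: str, form: dict) -> Optional[float]:
    """Price the order from the server-side cart; a 'total' HIDDEN field in `form` is ignored."""
    session = session_from_cookie(cookie)
    if session is None:
        return None
    return round(sum(session["cart"].values()), 2)
```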
