Applications Security
Download
Report
Transcript Applications Security
Application Security:
General apps &Web service
(April 9, 2014)
© Abdou Illia – Spring 2014
Learning Objectives
Discuss general Application security
Discuss Webservice/E-Commerce security
[Discuss E-Mail security]
2
General Applications Security Issues
3
Which of the following is an OS?
A. Microsoft Project
H. UNIX
B. Microsoft Visio
I.
C. Oracle Solaris
J.
D. Windows NT
K.
E. Adobe Photoshop
L.
F. C++
M.
G. Google Chrome
N.
IIS
Apache
WinSCP (client FTP)
OS X
Movie Maker
Internet Explorer
4
Which of the following is can be
classified as client or server network
application?
A. Microsoft Project
H. UNIX
B. Microsoft Visio
I.
C. Oracle Solaris
J.
D. Windows NT
K.
E. Adobe Photoshop
L.
F. C++
M.
G. Google Chrome
N.
IIS
Apache
WinSCP (client FTP)
OS X
Movie Maker
Internet Explorer
5
Application security
Imagine that you have the following categories of software
installed on your computers. Which one would you harden
first and why?
A. Client and server network applications
B. Non-network applications
C. Operating systems
6
Applications Security Issues
Few Operating Systems, but Many Applications
Because OS are harden, most attacks target
applications.
Most applications run with administrative or super user
(root) privileges
Securing applications is challenging
Huge number of apps, Variety of security baselines
Web service software (IIS, Apache, ...)
Web browser, Photo editors, Movie maker,
Productivity software, etc.
Operating System
Computer Hardware
Client & server
application
programs
7
Which of the following is true about
Application Security?
A. If a server application (or service) is no longer needed, it
should be turned off
B. Fewer applications on a computer means fewer attack
opportunities
C. Use good security baselines to install and configure apps
D. Do not install application centrally using group policies
E. Add application layer authentication by requiring users to
provide credentials to run application programs
F. Implement cryptographic authentication for sensitive apps
G. If a server application (or service) is no longer needed, it
should be removed
H. Do not turn on each applications’ automatic update
checking
8
OUTDO OR
Applications and Buffer Overflow
Buffers are RAM areas where data is stored temporarily
Buffer overflow occurs when data spill from one buffer to
the next
Buffer Overflow is the biggest issue in application coding
If an attacker sends more data than the programmer
had allocated to a buffer, a buffer might overflow,
overwriting an adjacent section of RAM
Buffer overflow attacks
Buffer1
RAM
Buffer2
Buffer3 Buffer4 Buffer5 Buffer6 Buffer7
9
Buffer Overflow Attack
Occurs when ill-written programs allow data destined to a
memory buffer to overwrite instructions in adjacent memory
register that contains instructions.
If the data contain malware, the malware could run and
creates a DoS
Example of input data: ABCDEF LET JOHN IN WITHOUT
PASSWORD
Buffer
1
2
3
Instructions
4
5
6
Print
Run Program
Accept input
Buffer
1
A
10
2
B
3
C
Instructions
4
D
5
E
6
F
LET JOHN IN WITHOUT PASSWORD
Run Program
Accept input
10
Stack Entry and Buffer Overflow
2. Add Data
to Buffer
5. Start of
Attacker data
3. Direction of
Data Writing
1. Write Return
Address
Data Buffer
Return
Address
4. Overwrite
Return Address
Stack entry: data buffer & Return address registry
When a program puts one subprogram on hold to call another, it
writes the return address in RAM areas called stack entries
The called subprogram may add data to the buffer to the point it
overwrites the return address
If the added buffer data is Attack code, this will be a buffer
overflow attack
11
http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/
Preventing Buffer Overflow
Key Principle: Never Trust User Input
Use Languages/tools that provide automatic bounds checking
such as Perl, Python, and Java instead lower level language (C or
Assembly, etc).
However, this is usually not possible or practical because
almost all modern OS are written in the C language.
Eliminate The Use Of Flawed Library Functions like gets(),
strcpy, and strcmp that fail to check the length or bounds of their
arguments.
Design And Build Security Within Code
For instance, this simple change
informs strcpy() that it only has
an eight byte destination buffer
and that it must discontinue raw
copy at eight bytes.
// replace le following line
strcpy (buffer2, strng2);
// by
strcpy (buffer2, string2, 8)
Use Source Code Scanning Tools.
Example: PurifyPlus Software Suite can perform a
dynamic analysis of Java, C, or C++ source code.
12
Applications permissions
Examples for smartphones
Make phone calls
For Dialer replacements, Google Voice, etc. NOT for
Ringtone apps. If an app you download has no business
setting up a phone call, be suspicious.
Send SMS or MMS
Read contact data
Find GPS location
If an app gets its revenue from location-based ads, it needs to
know where you are. Otherwise be suspicious.
Network Communication (full internet access, view
network / Wi-Fi state, Create Bluetooth connection)
If an app has no function for you to communicate with anyone
else, or any type of downloadable content, this usually means ads.
To show you ads, the app needs to get them from the Internet
13
How to Know apps permissions?
Download and install SureMDM Web Console
Login into the SureMDM Web Console
Select your smartphone or tablet from the device list.
Click on the Apps buttons to see list of installed apps on the device.
Select an Application and Click on Permission button. Screen similar to the
following will popup.
14
Applications permissions (cont.)
Android does a great job forcing app developers to
inform the prospective user just what sort of
permissions are required and what information the
app will access.
If an app does not need permissions it is requesting
before installing, do not install.
If a hacker takes over an application program, he or
she receives the permissions with which the
program runs.
15
Web service security
16
Webservice & E-Commerce apps
Web applications could be the target of many types
of attacks like:
Directory browsing
Traversal attacks
Web defacement
Using HTTP proxy to manipulate interaction between client
and server
IIS IPP Buffer Overflow
Browser attacks
Time configuration
17
Web sites’ directory browsing
Web server with Directory Browsing disabled
User cannot get access to list of files in the directory by
knowing or guessing directory names
18
Web site with directory
browsing
Web server with Directory Browsing enabled
User can get access to the list of files in the directory by
knowing or guessing directory names
19
Traversal Attack
Normally, paths start at the WWW root directory
Adding ../ (Windows) or ..\ (Unix) in an HTTP request might take the
attacker up a level, out of the WWW root directory.
Example: http://website.com ../../
Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../
If attacker traverses to Command Prompt directory in Windows
2000 or NT, he can execute any command with system privileges
20
Traversal Attacks (Cont.)
Preventing traversal attacks
Companies filter out ../ and ..\ using URL scanning software
Attackers respond with hexadecimal and UNICODE
representations for ../ and ..\
ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions
Name
Character
Code
Decimal
Binary
Hex
Null
NUL
Ctrl @
0
00000000
00
Start of Heading
SOH
Ctrl A
1
00000001
01
32
00100000
20
Space
Exclamation Point
!
Shift 1
33
00100010
22
Plus
+
Shift =
43
00101011
2B
Period
.
.
46
00101110
2E
Forward Slash
/
/
47
00101111
2F
Tilde
~
Shift’
126
01111110
7E
21
Website defacement
Taking over a web server and replacing normal
web pages by hacker-produced pages
Effect could last because ISP cache of popular
web sites
Example of recent website defacements
ATTRITION Web Page Hack Mirror:
http://attrition.org/mirror/
Zone-H web site for most recent attacks:
http://www.zone-h.org: Check Onhold and Archive
22
Manipulating HTTP requests
Attackers use proxies to manipulate
communications between browsers and web
servers
Example using Webscarab
23
IIS IPP Buffer Overflow
The Internet Printing Protocol (IPP) service
included in IIS 5.0 and earlier versions is
vulnerable to buffer overflow attacks
The jill.c program was developed to launch the
attack using:
GET NULL.printer HTTP/1.0
Host: 420-byte jill.c code to launch the command shell
IIS server responds launching the command shell
(C:\WINNT\SYSTEM32\>) giving the attacker
SYSTEM privileges.
24
IIS IPP Buffer Overflow (cont.)
Link to jill.c code
Code compilable using
gcc jill.c –o jill on Linux
Precompiled version (jill-win32.c) and
executable (jill-win32.exe) available at
ftp://ftp.technotronic.com/
newfiles/jill-win32.exe. This executable file is
ready to run on a Windows machine.
25
IIS IPP Buffer Overflow (cont.)
Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc
26
Login Screen Bypass Attack
Website user gets a login screen
Instead of logging in, user enters a URL to
bypass the login screen and gain access
without authorization.
27
Browser Attacks
Malicious links
User must click on them to execute (but not
always)
Common extensions are hidden by default in
some operating systems.
attack.txt.exe seems to be attack.txt
28
Browser Attacks (Cont.)
Common Attacks
Redirection to unwanted webpage
Scripts might change the registry, home page
Some scripts might “trojanize” your DNS errorhandling routine when you mistype a URL
Pop-up windows
Web bugs; i.e. links that are nearly invisible,
can be used to track users at a website
Domain names that are common misspellings of
popular domain names
Microsoff.com, www.whitehouse.com (a porn site)
29