Web Server Security (lecture slides, 45 pages)
Date posted: 20-Dec-2015
Category: Documents



Web Server Security

Packet Sniffing

• Information on the Internet is exchanged in chunks of data called packets

• There are special programs that allow packets to be sniffed

• A packet sniffer will listen to all packets on the network, whether or not addressed to the local machine

• This allows the user of the packet sniffer to see anything and everything that is being transmitted on the local network


Web Server Security

For example, using a publicly available packet sniffer program called tcpdump, all the packets being transmitted on our local network can be seen:

Prompt# tcpdump -x -n -t -q
10.0.0.7.23 > 10.0.0.2.1095: tcp 1
4500 0029 dc4f 4000 ff06 8b76 0a00 0007
0a00 0002 0017 0447 60a2 1a5e 45e2 15b4

Here a conversation is taking place between two local machines with IP addresses 10.0.0.2 and 10.0.0.7
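As an added example, not from the slides: a Python decoder for the 32 header bytes that tcpdump printed above. It recovers the addresses and ports of the summary line, validates the IPv4 header checksum, and derives the "tcp 1" payload length, assuming a 20-byte option-less TCP header because the TCP data-offset byte lies beyond the bytes shown.

```python
"""Decode the IPv4/TCP header bytes printed by `tcpdump -x` on the slide.

Added example, not from the slides: SLIDE_HEX is a constructed copy of the
32 header bytes shown above.
"""
import socket
import struct

SLIDE_HEX = (
    "4500 0029 dc4f 4000 ff06 8b76 0a00 0007 "
    "0a00 0002 0017 0447 60a2 1a5e 45e2 15b4"
)


def ipv4_checksum_ok(header: bytes) -> bool:
    """Ones-complement sum over every 16-bit word of the header, checksum
    field included, must fold to 0xFFFF for an intact header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:                      # fold carry bits back in
        total = (total & 0xFFFF) + (total >> 16)
    return total == 0xFFFF


def parse_ipv4_tcp(hex_dump: str) -> dict:
    """Parse the fixed IPv4 header plus the first 12 bytes of TCP."""
    raw = bytes.fromhex("".join(hex_dump.split()))
    # RFC 791 layout: ver/IHL, TOS, total length, ID, flags+fragment offset,
    # TTL, protocol, header checksum, source address, destination address.
    (ver_ihl, _tos, total_len, ident, _flags_frag, ttl, proto, _csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", raw[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(raw) < ihl + 12:
        raise ValueError("not a complete IPv4 header followed by TCP ports/seq/ack")
    if proto != 6:
        raise ValueError(f"IP protocol {proto} is not TCP")
    # Only ports, sequence and acknowledgement numbers are within the dump.
    sport, dport, seq, ack = struct.unpack("!HHII", raw[ihl:ihl + 12])
    # tcpdump's "tcp 1" is the payload size. The TCP data-offset byte is not
    # in the dump, so a 20-byte option-less TCP header is assumed here.
    payload_len = total_len - ihl - 20
    return {
        "version": version, "ihl": ihl, "total_len": total_len, "id": ident,
        "ttl": ttl, "proto": proto, "checksum_ok": ipv4_checksum_ok(raw[:ihl]),
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "payload_len": payload_len,
    }


if __name__ == "__main__":
    p = parse_ipv4_tcp(SLIDE_HEX)
    # Same summary line tcpdump printed; port 23 is telnet, whose payload
    # (keystrokes, passwords) travels in the clear for any sniffer to read.
    print(f"{p['src']}.{p['sport']} > {p['dst']}.{p['dport']}: tcp {p['payload_len']}")
    print("IPv4 header checksum valid:", p["checksum_ok"])
```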


IP Spoofing

• IP spoofing is the act of sending a packet out with a forged IP address

• When a hacker is carrying out an attack, the last thing he/she wants is his/her identity known

• Spoofing the IP address is an easy way to hide the identity of the machine the attack is coming from

• An attacker could spoof the IP to come from an IP address that does not belong to anyone or that is not currently in use

• The attacker could also spoof the IP address to make the attack appear as if it were coming from an existing machine elsewhere on the Internet

• Spoofing the IP address is simple. There are programs available on the Internet that allow you to manually construct packets and send them out on the wire


IP Spoofing on Solaris

Edit the /etc/hosts file, save the changes and reboot

Solaris# vi /etc/hosts

Before spoofing:
127.0.0.1    localhost
172.23.14.8  mytesthost

After:
127.0.0.1    localhost
10.0.0.5     mytesthost


Web Client Security

So far what we covered is server side security. But what about client side security?

Java Applets

• An applet is a program that runs inside your browser

• You need a Java capable browser or an applet viewer to run the applet code

• Applets can be considered as a partial program containing only the middle portion

• The beginning and ending of the program are part of the browser or applet viewer


Web Client Security

To run an applet you first need the applet .class file. This is the compiled bytecode generated from the Java source code

<html>
<Applet Code="someapplet.class" width="500" height="200">
<Param Name="text" value="example">
</Applet>
</html>


Protecting yourself from Java Applets

It is possible to disable Java in your browser

Netscape controls this feature under "Preferences"

Internet Explorer controls it under "Internet Options"

Select "Advanced" for both browsers


What happens when an applet tries to connect to another system

• The most dangerous scenario with applets

• Your firewalls no longer protect your machines from attack

• This is the primary reason to disallow applets to connect to remote systems

• The applet can connect back to the machine it originated from

• This will allow a hacker to determine what traffic is allowed to exit your network through your firewalls

• This model of security for Java applets is called the sandbox model


What happens when an applet tries to connect to another system

• Applets are allowed to function as normal programs, but they must play within the sandbox

• They are limited in their capabilities and are not treated as full-fledged programs

• The latest Java security manager allows different sites to define different security policies, depending on the applet and its origin

• Another addition to the Java security model is the idea of signed applets

• By signing an applet you are assured that the applet has not been modified from its original form


ActiveX Security

• ActiveX was developed by Microsoft and is based on their object linking and embedding (OLE) technology

• The ActiveX equivalent of a Java applet is called an ActiveX control

• Unlike Java applets, ActiveX controls are platform dependent

• This means you need to compile for every platform you expect to connect to the site

• Rather than using the Applet tag you need to use the <Object> tag


ActiveX Security

• ActiveX controls will be digitally signed by the author of the control

• The digital signature is then signed by the security mechanism for ActiveX, called Authenticode

• Unlike the sandbox approach, with ActiveX you are prompted, prior to running the control, with the name of the author who wrote and signed the code


JavaScript Security

• Using JS, all sorts of bugs have been discovered, ranging from being able to send out e-mail or view the history file to tracking a user online or uploading a file

• It is possible to disable JS in your browser

• Same way as blocking applets, in the browser settings

• When a page is loaded, sometimes new browser windows are continuously opened until the browser is terminated


JavaScript Security

• This will eat up all your system memory and you will have no choice

• This is a client-side denial-of-service attack using the standard functionality of JavaScript

• Another annoying script: upon loading the URL, your browser window develops a mind of its own and starts to move all over the screen, and may get out of control


JavaScript Security

• Unlike the Java applet or ActiveX, the good thing with JS is that once you disable JS in your browser you can always check the script in the browser window and allow it to reload once you know the contents of the script

• Unlike applets or ActiveX controls, which use a single tag to embed something, JS has event handlers like the onLoad() method which are difficult to strip as the script passes through the firewall

• Netscape has added the functionality to sign scripts, very similar to applets

• Now you can choose only to run signed scripts that were signed by an author you trust


Cookies

What is a Cookie?

• A cookie is nothing more than data

• It is not a program and is not executable

• It is like you filling in a form with details and sending it to the server

• In a cookie the server fills in the information and passes it to the client

• When the client requests a web document from the server, the server sends the document and some additional data

• This additional data is called the cookie


Cookies

• Later when the client makes additional connections to the server, it will send the cookie back

• It will keep the cookie for future connections

• Without the cookie the server has no idea who is connecting to it

• It may know which IP address the connection is from, and thus which machine the client is running on


Cookies

Example

Content-type: text/html
Set-Cookie: colorpref=blue

<HTML><HEAD><TITLE></TITLE></HEAD></HTML>

• This is all that a server will send to the browser to store for future reference. So the next time the background will be blue for the user

• If the server specifies an expiration date then the cookie will be saved on disk when the user exits the browser

• If no date is specified the cookie will be deleted upon exit
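Added example, not from the slides: a minimal browser-side cookie store in Python that takes in the Set-Cookie response above, produces the Cookie header the client sends back on its next connection, and applies the slide's expiry rule (an Expires date keeps the cookie across a browser exit; without one it is a session cookie dropped at exit). The host names are constructed, and real browsers additionally scope cookies by Domain and Path, which this omits.

```python
"""Cookie round trip from the Cookies slides.

Added example, not from the slides: a minimal browser-side cookie store.
It takes in the slide's response headers, returns the Cookie header the
client sends on its next connection, and applies the slide's expiry rule:
a cookie with an Expires date survives a browser exit, one without is a
session cookie dropped at exit. Host names are constructed.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

SLIDE_RESPONSE_HEADERS = [          # from the slide (no Expires attribute)
    "Content-type: text/html",
    "Set-Cookie: colorpref=blue",
]


class CookieStore:
    def __init__(self):
        self.jar = {}   # host -> {name: (value, expires datetime or None)}

    def receive(self, host: str, header_lines: list, now: datetime) -> None:
        """Store every Set-Cookie header in a response from `host`."""
        for line in header_lines:
            name, _, value = line.partition(":")
            if name.strip().lower() != "set-cookie":
                continue
            for key, morsel in SimpleCookie(value.strip()).items():
                exp = parsedate_to_datetime(morsel["expires"]) if morsel["expires"] else None
                if exp is not None and exp <= now:
                    self.jar.get(host, {}).pop(key, None)   # already expired: remove
                    continue
                self.jar.setdefault(host, {})[key] = (morsel.value, exp)

    def request_header(self, host: str, now: datetime):
        """The Cookie header sent back on the next connection to `host`, or None."""
        live = {k: v for k, (v, exp) in self.jar.get(host, {}).items()
                if exp is None or exp > now}
        return "Cookie: " + "; ".join(f"{k}={v}" for k, v in live.items()) if live else None

    def browser_exit(self) -> None:
        """Session cookies (no expiry date) are deleted when the browser exits."""
        for host, cookies in self.jar.items():
            self.jar[host] = {k: cv for k, cv in cookies.items() if cv[1] is not None}


if __name__ == "__main__":
    now = datetime(2004, 11, 17, 15, 0, tzinfo=timezone.utc)
    store = CookieStore()
    store.receive("www.example.test", SLIDE_RESPONSE_HEADERS, now)
    print("next request:", store.request_header("www.example.test", now))
    store.browser_exit()
    print("after exit:  ", store.request_header("www.example.test", now))
```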


Cookie Security

• Since the length of cookies is limited, there is not much concern about security attacks via cookies, as they don't execute anywhere

• The only issue with the cookies is the user privacy

• So the security issue is to you the user and not to the computer


Encryption

• Cryptography comes in many forms but the principles are the same, i.e. to protect your data from eavesdropping, spying, or falling into the wrong hands

Example:

• Let's encrypt a message using the following data and the standard English alphabet: ABCDEFGHIJKLMNOPQRSTUVWXYZ


Encryption

• Plain text: Meet me on the corner at midnight

• Algorithm: C = P + K, where C is the ciphertext character, P is the plaintext character and K is the value of the key

• Key: 3

• Ciphertext: Phhw ph rq wkh fruqhu dw plgqljkw

The ciphertext message is not in any recognizable readable form, so you need to know the key to interpret the message


Encryption

• This algorithm states simply that to encrypt a plaintext character (P) and generate a ciphertext character (C) we merely add the value of the key (K) to the plaintext character

• Another way of looking at this example is that we are shifting the plaintext character to the right of the alphabet by three characters: X, Y, and Z will wrap around and be replaced by A, B, and C respectively
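Added example, not from the slides: the C = P + K (mod 26) shift from the Encryption slides in Python, reproducing the slide's plaintext, key and ciphertext and the X, Y, Z wrap-around. It also goes one step beyond the slides to show how little "you need to know the key" protects here: with only 25 possible keys, all of them can be tried and the right one picked out by a guessed common word.

```python
"""Caesar shift from the Encryption slides: C = P + K (mod 26) over A-Z.

Added example, not from the slides. It reproduces the slide's
plaintext/key/ciphertext and then shows how little "you need to know the
key" protects: with only 25 possible keys, all can be tried and the right
one picked out by a guessed common word (a crib).
"""
import string

UPPER = string.ascii_uppercase   # the slide's standard English alphabet
LOWER = string.ascii_lowercase


def shift_char(ch: str, k: int) -> str:
    """Shift one letter k places, wrapping X,Y,Z -> A,B,C; keep case and
    leave spaces/punctuation unchanged."""
    if ch in UPPER:
        return UPPER[(UPPER.index(ch) + k) % 26]
    if ch in LOWER:
        return LOWER[(LOWER.index(ch) + k) % 26]
    return ch


def encrypt(plaintext: str, key: int) -> str:
    return "".join(shift_char(c, key) for c in plaintext)


def decrypt(ciphertext: str, key: int) -> str:
    return encrypt(ciphertext, -key)       # P = C - K (mod 26)


def brute_force(ciphertext: str, crib: str = "the") -> list:
    """Try every non-zero key; return those whose decryption contains the
    crib as a whole word."""
    return [k for k in range(1, 26)
            if crib in decrypt(ciphertext, k).lower().split()]


SLIDE_PLAINTEXT = "Meet me on the corner at midnight"
SLIDE_KEY = 3

if __name__ == "__main__":
    ct = encrypt(SLIDE_PLAINTEXT, SLIDE_KEY)
    print("ciphertext:", ct)
    print("decrypted: ", decrypt(ct, SLIDE_KEY))
    print("keys recovered without knowing K:", brute_force(ct))
```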


Encryption

[Figure: the alphabet A to Z laid out as a shift table, with the example word "Meet" shown shifted by the key]


Certificates

• A client needs to be sure that the public key she is using corresponds to the server's private key

• Similarly, the server also needs to verify that the message signature really corresponds to client's signature

• If each party has a certificate which validates the other's identity, confirms the public key, and is signed by a trusted agency, then they both will be assured that they are communicating with whom they think they are.

• Such a trusted agency is called a Certificate Authority, and certificates are used for authentication.


Certificate Content

Subject: Distinguished Name, Public Key

Issuer: Distinguished Name, Signature

Period of Validity: Not Before Date, Not After Date

Administrative Information: Version, Serial Number

Extended Information


Certificate Authority

• By first verifying the information in a certificate request before granting the certificate, the Certificate Authority assures the identity of the private key owner of a key-pair.

• A Certificate Authority may also issue a certificate for another Certificate Authority.

• Who vouches for the certificate of the top-level authority, which has no issuer?

• One must exercise extra care in trusting a self-signed certificate.


Certificate Authority

• The wide publication of a public key by the root authority reduces the risk in trusting this key -- it would be obvious if someone else publicized a key claiming to be the authority.

• Browsers are preconfigured to trust well-known certificate authorities

• A number of companies, such as VeriSign, have established themselves as certificate authorities. These companies provide the following services:
  – Verifying certificate requests
  – Processing certificate requests
  – Issuing and managing certificates


Creating a Certificate Authority

• It is also possible to create your own Certificate Authority.

• Specifications for certificates can be found at http://www.ietf.org/html.charters/pkix-charter.html (Public-Key Infrastructure (X.509) Working group in IETF)


Implementing SSL

• Although one might write an SSL implementation from scratch following the specification (TLS spec at http://www.ietf.org/rfc/rfc2246.txt), it is much easier to use one of the existing SSL toolkit libraries.

• In addition, because of patents, it is usually necessary to license some of the cryptography libraries

• http://www.openssl.org/


Intrusion detection and recovery

• If the security model fails, it is important to detect the intrusion as early as possible

• The most important thing is to know what is happening on the network and on the machines within the network

• The data contained in the logs is an excellent resource for determining what is happening at the site


Audits, Logs, Accounting

• Logs notify us of errors or specific application-level transactions

• Audits provide more information
  – Used to monitor when a file is opened, read, or written to
  – Also can be used to monitor processes and see when a process starts/ends a child process

• Accounting is a means of calculating how much of the system resources are being used by each user


System and Network usage monitoring

• The use of web server resources should be fairly consistent

• E.g. if your web site has around 1000 hits every day, and then suddenly this drops to 10 on one day, something suspicious is happening

• If a user logs on and works only on weekends and then suddenly logs on on a weekday in the middle of the night, it could be an attack.


Log examples

• After loading the default server page

2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosts

• After attempting to load a page that does not exist

2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts

• After submitting an online form whose data is processed by a CGI script

2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
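Added example, not from the slides, covering the monitoring heuristics of the previous slide and the log format of this one: a Python parser for lines in the format shown above, with checks for a day whose hit count departs from the usual level (the 1000-to-10 drop), for clients that collect many 404 responses, and for requests in the middle of the night. The meaning of the two numbers after the status code is assumed (bytes received and bytes sent), and the log lines beyond the slide's four are constructed.

```python
"""Baseline monitoring over web-server log lines in the format of the
"Log examples" slide.

Added example, not from the slides. The two numbers after the status code
are assumed to be bytes received and bytes sent; the log lines after the
slide's four are constructed to exercise the checks.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from statistics import median


@dataclass
class Entry:
    when: datetime
    method: str
    path: str
    status: int
    bytes_sent: int
    client: str        # ip:port exactly as logged
    host: str


def parse_line(line: str) -> Entry:
    # date time method path status bytes-received bytes-sent client:port host
    d, t, method, path, status, _rx, tx, client, host = line.split()
    return Entry(datetime.fromisoformat(f"{d} {t}"), method, path,
                 int(status), int(tx), client, host)


def hits_per_day(entries) -> dict:
    return dict(Counter(e.when.date().isoformat() for e in entries))


def traffic_anomalies(per_day: dict, factor: float = 10.0) -> list:
    """Days whose hit count is more than `factor` times below or above the
    median day (the slide's 1000 hits/day suddenly dropping to 10)."""
    base = median(per_day.values())
    return sorted(day for day, n in per_day.items()
                  if n * factor < base or n > base * factor)


def error_probes(entries, threshold: int = 3) -> dict:
    """Client IPs with at least `threshold` 404s: repeated requests for pages
    that do not exist suggest someone guessing at paths."""
    c = Counter(e.client.split(":")[0] for e in entries if e.status == 404)
    return {ip: n for ip, n in c.items() if n >= threshold}


def off_hours(entries, start: int = 0, end: int = 5) -> list:
    """Requests between `start` and `end` o'clock (the slide's 'middle of the night')."""
    return [e for e in entries if start <= e.when.hour < end]


# First four lines are the slide's; lines five to seven are constructed.
SAMPLE_LOG = """\
2004-11-17 15:11:32 GET / 200 0 2763 10.0.0.7:32957 hosts
2004-11-17 15:12:32 GET /noexist.html 404 0 404 10.0.0.7:32999 hosts
2004-11-17 15:13:32 GET /info.html 200 0 1119 10.0.0.7:32997 hosta
2004-11-17 15:13:45 POST /cgi-bin/info.pl 302 0 359 10.0.0.7:32997 hosta
2004-11-18 02:47:10 GET /old.html 404 0 404 10.0.0.9:41002 hosta
2004-11-18 02:47:12 GET /backup/ 404 0 404 10.0.0.9:41003 hosta
2004-11-18 02:47:15 GET /test.html 404 0 404 10.0.0.9:41004 hosta
"""

if __name__ == "__main__":
    entries = [parse_line(l) for l in SAMPLE_LOG.splitlines()]
    print("hits per day:", hits_per_day(entries))
    print("404 probers:", error_probes(entries))
    print("off-hours clients:", sorted({e.client for e in off_hours(entries)}))
    # Constructed daily totals illustrating the slide's sudden drop.
    print("anomalous days:", traffic_anomalies(
        {"2004-11-14": 1000, "2004-11-15": 980, "2004-11-16": 1020, "2004-11-17": 10}))
```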


HTAccess

• Web-based authentication denies web access to visitors who do not give a valid username and password

• An access control list (ACL) is a method of limiting access to a particular portion of a Web site

• For example you may want to give access to an online database only for fee paying customers

• An ACL can be used to place a restriction on a single file or an entire directory, including its sub directories


Format of the HTAccess file

AuthUserFile /mnt/web/guide/somewhere/somepath/.htpasswd
AuthGroupFile /dev/null
AuthName "Somewhere.com's Secret Section"
AuthType Basic
# without a require directive the restriction is not enforced
require valid-user


HTAccess file

• The .htaccess file affects the directory in which it is placed, so in this example, any visitor requesting <URL:http://somewhere/somepath/> would be presented with an authentication request.

• The .htaccess file also affects directories recursively below it. Therefore, requesting <URL:http://somewhere.com/somepath/evenmore/> would yield the same authentication request unless ~/somepath/evenmore had a .htaccess file of its own.

• The first line, starting with AuthUserFile, tells the webserver where to find your username/password file.

• Notice that the AuthName in the example, "Somewhere.com's Secret Section," is used in the authentication request.


Creating .htpasswd file

• To create an .htpasswd file, go to the directory you specified in AuthUserFile. In the example, this is /mnt/web/guide/somewhere/somepath. Then use the htpasswd program with the -c switch to create your .htpasswd in the current directory.

• Type htpasswd -c .htpasswd username to create the file and add "username" as the first user. The program will prompt you for a password, then verify by asking again.


What is HTTPS?

• Secure HTTP

• Essentially an implementation of HTTP using SSL


SOAP Message

<?xml version='1.0' ?>
<env:Envelope xmlns:env="http://www.w3.org/2002/06/soap-envelope">
  <env:Header>
    ...
  </env:Header>
  <env:Body>
    ...
  </env:Body>
</env:Envelope>

• SOAP Envelope: defines the overall framework for representing the contents of the SOAP message and who will deal with the message (intermediaries)

• env:Body: mandatory, contains the payload of the message which is intended for the final SOAP receiver


Kerberos

• The most popular representative of secret key authentication protocols is Kerberos, which was developed by MIT.

• After the client and server have used Kerberos to prove their identity, they can also encrypt all of their communication to ensure data confidentiality and integrity.

• Kerberos is commonly used in the middle tier within corporate networks.

• Kerberos allows a principal to prove its identity to a server without sending authentication data that might allow an attacker to subsequently impersonate the principal.


Kerberos

• The client application provides a secret key that is derived from a password as the basis of authentication. The secret key may potentially be stored on a hardware token (DES card) for stronger authentication and may also be derived from a public key certificate.

• To use the Kerberos security service, the client first sends the principal's identity to the authentication server, which sends back a credential called a ticket-granting ticket (TGT)

• The TGT has been encrypted so that only the legitimate principal who possesses the correct password is able to decrypt it and use it at a future time.


Token-based authentication

• With token based systems the user must possess a physical token that plays some part in the authentication process, which makes this approach a lot stronger than passwords by themselves.

• Tokens are more expensive and complex to implement than IDs and passwords. Sometimes the token displays a value that must be verified by an authentication server.

• Examples of tokens include CRYPTOCard and RSA SecurID.


Security methods in Web Services

• XML Security

• WS-Security

• XML Encryption

• SAML (Security Assertion Markup Language)


Points to remember when designing web servers

• Authentication: SSL for transport layer authentication; WS-Security (Kerberos) for message based authentication

• Authorisation: Once the user is authenticated the next step is to find out if they are allowed to access the resource that they are requesting

• Integrity: IPSec guarantees integrity. Message has not been tampered with in transit


Points to remember when designing secure web servers

• Confidentiality: XML Encryption, SSL/TLS, IPSec

• Auditing: The ability to write an audit trail is important for any security system

• Administration: Administrating involves managing the security policy

• Availability: Availability involves protecting against unwanted message storms


Recovering from an attack

• If you abruptly kill the hacker’s connection into the machine he will suspect that you are onto him

• On the other hand, it is difficult to sit and watch someone hacking your terminal

• Depending on your time and resources you could set up a dummy machine to trick the hacker into thinking that he is still going undetected

• The machine would be an identical one without any sensitive data

• This will help you to trace the hacker back even if he tries to masquerade