EIU MIS 4850 - Application Security: Web service and E-Mail

This preview shows page 1-2-15-16-17-32-33 out of 33 pages.

Application Security: Web service and E-Mail (April 11, 2011)
© Abdou Illia – Spring 2011

Outline (slide titles): Learning Objectives; General Applications Security Issues; Applications Security Issues; Buffer Overflow; Slide 6; Slide 7; Stack Entry and Buffer Overflow; Buffer Overflow Attack; Preventing Buffer Overflow; General Application Security; Web service security; Webservice Versus E-Commerce; Slide 14; Web sites' directory browsing; Web site with directory browsing; Traversal Attack; Traversal Attacks (Cont.); Website defacement; Manipulating HTTP requests; IIS IPP Buffer Overflow; IIS IPP Buffer Overflow (cont.); Slide 23; HTTP Requests; Slide 25; Browser Attacks; Browser Attacks (Cont.); E-Mail; E-Mail Protocols; E-Mail protocols; E-Mail Standards; E-Mail Security; Slide 33.

Slide 2: Learning Objectives
- Discuss general application security
- Discuss Webservice/E-Commerce security
- Discuss E-Mail security

Slide 3: General Applications Security Issues (section title)

Slide 4: Applications Security Issues
- Few operating systems, but many applications
- Because OSs are hardened, most attacks target applications installed on servers
- Many applications run with administrative or super user (root) privileges
- Securing applications is challenging
- Buffer overflow attacks
  - Most widespread vulnerabilities in application programs
  - Buffers are RAM areas where data is stored temporarily
  - If an attacker sends more data than the programmer had allocated to a buffer, the buffer might overflow, overwriting an adjacent section of RAM
  [Figure: a block of RAM divided into Buffer1 through Buffer7]

Slide 5: Buffer Overflow
The overflowsample function (a function written in C):
- Declares a buffer array capable of holding eight ASCII characters
- Places the buffer in an initialization loop
- The loop force-feeds 15 "x" into the buffer array through a programming error
- Only 8 "x" could fit
- Nine "x" must spill over

    void overflowsample(void)
    {
        char buffer1[8];      /* room for eight characters */
        int i;
        for (i = 0; i < 16; i++) {
            buffer1[i] = 'x'; /* writes beyond index 7 overflow the buffer */
        }
    }

When the program is run... What will be the value of buffer1[3]? _____, buffer1[15]? _____
What would happen?
a) The part of the function's code designed to check the bounds of the array will prevent any error from happening.
b) The program will generate an error and terminate.

Slide 6: Buffer Overflow
(Deliberately flawed login code; gets() and strcpy() do no bounds checking. get_password() and permit() are assumed to be defined elsewhere.)

    #include <stdio.h>
    #include <string.h>

    char *get_password(char *name);          /* defined elsewhere */
    void permit(void);                       /* defined elsewhere */
    void authenticate(char *string1, char *string2);

    int main(void)
    {
        char name[8];
        char etc_passwd[8];
        char password[8];
        // retrieve the user information
        printf("Enter your name:");
        gets(name);                          /* unbounded read into an 8-byte buffer */
        strcpy(etc_passwd, get_password(name));
        printf("Enter your password:");
        gets(password);                      /* unbounded read into an 8-byte buffer */
        printf("Your name and password entries were %s and %s.", name, password);
        printf("The password for %s in the /etc/shadow file is %s", name, etc_passwd);
        // call procedure to check login authorization
        authenticate(password, etc_passwd);
        return 0;
    }

    void authenticate(char *string1, char *string2)
    {
        char buffer1[8];
        char buffer2[8];
        strcpy(buffer1, string1);            /* no length check on string1 */
        strcpy(buffer2, string2);            /* no length check on string2 */
        if (strcmp(buffer1, buffer2) == 0)
            permit();
    }

Slide 7: Buffer Overflow (figure only)

Slide 8: Stack Entry and Buffer Overflow
[Figure: a stack entry holding a data buffer and a return address register. 1. Write return address; 2. Add data to buffer; 3. Direction of data writing; 4. Overwrite return address; 5. Start of attacker data]
- When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries
- The called subprogram may add data to the buffer to the point that it overwrites the return address
- If the added buffer data is attack code, this is a buffer overflow attack
- http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/

Slide 9: Buffer Overflow Attack
- Occurs when ill-written programs allow data destined for a memory buffer to overwrite an adjacent memory region that contains instructions
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure: two rows of memory, each with a six-cell Buffer (1 2 3 4 5 6) followed by Instructions]
  Before input:  Buffer: (empty)          Instructions: Print | Run Program | Accept input
  After input:   Buffer: A B C D E F      Instructions: LET JOHN IN WITHOUT PASSWORD | Run Program | Accept input

Slide 10: Preventing Buffer Overflow
- Use language tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower-level languages (C, C++, Assembly, etc.)
  - However, this is usually not possible or practical because almost all modern OSs are written in the C language
- Eliminate the use of flawed library functions like gets(), strcpy() and strcmp() that fail to check the length or bounds of their arguments
- Design and build security within code
- Use source code scanning tools. Example: the PurifyPlus Software Suite can perform a dynamic analysis of Java, C, or C++ source code

    // replace the following line
    strcpy(buffer2, string2);
    // by
    strncpy(buffer2, string2, 8);

For instance, this simple change tells the copy routine (strncpy(), the bounded form of strcpy()) that it only has an eight-byte destination buffer and that it must stop the raw copy at eight bytes.

Slide 11: General Application Security
- Minimize the number of applications: fewer applications on a computer, fewer attack opportunities
- Use security baselines for installation: security baselines improve security
- Add application-layer authentication: important for sensitive applications; could be password-based
- Implement cryptographic systems

Slide 12: Web service security (section title)

Slide 13: Webservice Versus E-Commerce
[Figure: layered stack of E-Commerce Software; Subsidiary E-Commerce Software Component (DHTML, etc.); Custom Programs (in client-side scripting); Webserver Software (IIS, Apache, etc.)]
- Webservice includes basic functionalities for:
  - Retrieval of static files
  - Creation of dynamic webpages
- E-Commerce requires additional software for:
  - Online catalogs
  - Shopping carts
  - Connection to a back-end database
  - Connection to organizations for payments, etc.

Slide 14: Webservice Versus E-Commerce
Web applications could be the target of many types of attacks, like:
- Directory browsing
- Traversal attacks
- Web defacement
- Using an HTTP proxy to manipulate the interaction between client and server
- IIS IPP buffer overflow
- Browser attacks
- Time configuration

Slide 15: Web sites' directory browsing
- Web server with Directory Browsing disabled
- A user cannot get access to the list of files in a directory by knowing or guessing directory names

Slide 16: Web site with directory browsing
- Web server with Directory Browsing enabled
- A user can get access to the list of files in a directory by knowing or guessing directory names

Slide 17: Traversal Attack
- Normally, paths start at the WWW root directory
- Adding
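The slides' authenticate() copies two caller-supplied strings into eight-byte stack buffers with strcpy(), and slide 10 proposes strncpy(..., 8) as the fix. The following is an added example, not code from the deck or its author: it shows a hardened replacement that rejects over-long input instead of overflowing, beside a function that reproduces the truncating fix so its weakness is visible. Truncating to eight bytes means two different nine-character passwords compare equal, and an exactly eight-character input leaves the buffer without a terminator. The buffer size, function names and sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* same eight-byte buffers as on the slides (assumption) */

/* Copy src into dst only if it fits together with its terminator.
 * Returns 1 on success, 0 if the input was rejected. Never writes past dst,
 * and never reads more than dstsz bytes of src. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (n < dstsz && src[n] != '\0')
        n++;
    if (dstsz == 0 || n == dstsz) {      /* no room for the '\0' */
        if (dstsz)
            dst[0] = '\0';
        return 0;
    }
    memcpy(dst, src, n + 1);             /* copies the terminator too */
    return 1;
}

/* Hardened version of the slides' authenticate(): returns 1 only when both
 * strings fit and match exactly. Over-long input fails closed rather than
 * overwriting whatever sits next to buffer1/buffer2 on the stack. */
int authenticate_checked(const char *supplied, const char *expected)
{
    char buffer1[BUF_SIZE];
    char buffer2[BUF_SIZE];
    if (!bounded_copy(buffer1, sizeof buffer1, supplied))
        return 0;
    if (!bounded_copy(buffer2, sizeof buffer2, expected))
        return 0;
    return strcmp(buffer1, buffer2) == 0;
}

/* The slides' strncpy(..., 8) fix, reproduced so its behaviour can be
 * compared. The extra byte exists only so that strcmp() stays in bounds in
 * this demonstration; it does not change the truncation problem. */
int authenticate_truncating(const char *supplied, const char *expected)
{
    char buffer1[BUF_SIZE + 1] = {0};
    char buffer2[BUF_SIZE + 1] = {0};
    strncpy(buffer1, supplied, BUF_SIZE);   /* silently cut to 8 bytes */
    strncpy(buffer2, expected, BUF_SIZE);
    return strcmp(buffer1, buffer2) == 0;
}

int main(void)
{
    /* constructed sample inputs */
    printf("checked, match:        %d\n", authenticate_checked("secret1", "secret1"));
    printf("checked, too long:     %d\n", authenticate_checked("secret12X", "secret12Y"));
    printf("truncating, too long:  %d\n", authenticate_truncating("secret12X", "secret12Y"));
    return 0;
}
```

The checked variant returns 1, 0 and the truncating variant returns 1 for the three calls in main(): the truncating fix accepts two passwords that differ in their ninth character, which is why rejecting input that does not fit is preferable to cutting it short. A real login routine would also compare against a password hash rather than a stored plaintext, but the point here is only the bounds handling.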
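Slides 15 to 17 contrast a server that lets a user list directories by guessing names with one that does not, and note that served paths normally start at the WWW root. As an added example (not from the deck), here is the check a web server needs on the defensive side: a requested path is normalized segment by segment and mapped under the web root, and any request whose ".." segments would climb above the root is refused rather than served. The root directory, function name and sample requests are constructed; the function assumes the request has already been percent-decoded by the caller.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SEGS 64   /* constructed limit on path depth */

/* Resolve a requested URL path against the web root.
 * Returns 1 and writes "<root>/<normalized path>" into out on success,
 * 0 if the request would escape the root or does not fit into out.
 * root is expected without a trailing slash (assumption). */
int resolve_under_root(const char *root, const char *req, char *out, size_t outsz)
{
    const char *segs[MAX_SEGS];   /* start of each kept segment */
    size_t lens[MAX_SEGS];        /* length of each kept segment */
    int depth = 0;
    const char *p = req;

    while (*p) {
        while (*p == '/')          /* skip one or more separators */
            p++;
        if (!*p)
            break;
        const char *start = p;
        while (*p && *p != '/')
            p++;
        size_t len = (size_t)(p - start);

        if (len == 1 && start[0] == '.')
            continue;                           /* "." : stay in place */
        if (len == 2 && start[0] == '.' && start[1] == '.') {
            if (depth == 0)
                return 0;                       /* ".." with nothing to pop: would leave the root */
            depth--;
            continue;
        }
        if (depth == MAX_SEGS)
            return 0;                           /* too deep for this example */
        segs[depth] = start;
        lens[depth] = len;
        depth++;
    }

    /* Rebuild the path from the kept segments, checking the output size. */
    size_t used = strlen(root);
    if (used + 1 > outsz)
        return 0;
    memcpy(out, root, used);
    for (int i = 0; i < depth; i++) {
        if (used + 1 + lens[i] + 1 > outsz)
            return 0;
        out[used++] = '/';
        memcpy(out + used, segs[i], lens[i]);
        used += lens[i];
    }
    out[used] = '\0';
    return 1;
}

int main(void)
{
    char path[256];
    const char *root = "/var/www/html";          /* constructed web root */

    if (resolve_under_root(root, "/images/../index.html", path, sizeof path))
        printf("served:   %s\n", path);          /* /var/www/html/index.html */
    if (!resolve_under_root(root, "/../../outside.txt", path, sizeof path))
        printf("rejected: request would leave the web root\n");
    return 0;
}
```

Refusing the request is deliberate: a server that instead silently clamps ".." at the root still reveals, through its response, which directory names exist, which is the information a directory-browsing probe is after. Logging rejected requests also gives the operator a useful detection signal.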

