EIU MIS 4850 - MIS4850Class14
Application Security: Web service and E-Mail (April 11, 2011)
© Abdou Illia – Spring 2011

Learning Objectives
- Discuss general application security
- Discuss web service / e-commerce security
- Discuss e-mail security

General Applications Security Issues

Applications Security Issues
- Few operating systems, but many applications
- Because operating systems are hardened, most attacks target applications installed on servers.
- Many applications run with administrative or super user (root) privileges
- Securing applications is challenging

Buffer Overflow Attacks
- Most widespread vulnerabilities in application programs
- Buffers are RAM areas where data is stored temporarily
- If an attacker sends more data than the programmer had allocated to a buffer, the buffer might overflow, overwriting an adjacent section of RAM
[Figure: RAM laid out as adjacent buffers, Buffer1 through Buffer7]

Buffer Overflow
The overflowsample function:
- Declares a buffer array capable of holding eight ASCII characters
- Places the buffer in an initialization loop
- The loop force-feeds 15 "x" into the buffer array through programming error
- Only 8 "x" could fit
- Nine "x" must spill over

A function written in C:

    void overflowsample(void)
    {
        char buffer1[8];            /* room for eight characters */
        int i;
        for (i = 0; i < 16; i++) {  /* no bounds check: writes past the end of buffer1 */
            buffer1[i] = 'x';
        }
    }

When the program is run...
- What will be the value of buffer1[3]? _____, buffer1[15]? _____
- What would happen?
  a) The part of the function's code designed to check the bounds of the array will prevent any error from happening.
  b) The program will generate an error and terminate.

Buffer Overflow
A login program written in C (get_password() and permit() are not shown on the slide; the prototypes below are added so the listing compiles):

    #include <stdio.h>
    #include <string.h>

    char *get_password(char *name);   /* defined elsewhere: looks up the stored password */
    void permit(void);                /* defined elsewhere: grants the login */
    void authenticate(char *string1, char *string2);

    int main(void)
    {
        char name[8];
        char password[8];
        char *etc_passwd;             /* points at the stored password returned by get_password() */

        // retrieve the user information
        printf("Enter your name:");
        gets(name);                   /* gets() has no bound: input longer than 7 characters overflows name */
        etc_passwd = get_password(name);
        printf("Enter your password:");
        gets(password);               /* same problem for password */
        printf("Your name and password entries were %s and %s.", name, password);
        printf("The password for %s in the /etc/shadow file is %s", name, etc_passwd);
        // call procedure to check login authorization
        authenticate(password, etc_passwd);
        return 0;
    }

    void authenticate(char *string1, char *string2)
    {
        char buffer1[8];
        char buffer2[8];
        strcpy(buffer1, string1);     /* strcpy() copies until the terminator, ignoring the 8-byte size */
        strcpy(buffer2, string2);
        if (strcmp(buffer1, buffer2) == 0)
            permit();
    }

Stack Entry and Buffer Overflow
[Figure: a stack entry holding a data buffer and the return address; steps: 1. write return address, 2. add data to buffer, 3. direction of data writing, 4. overwrite return address, 5. start of attacker data]
- When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries
- The called subprogram may add data to the buffer to the point that it overwrites the return address
- If the added buffer data is attack code, this will be a buffer overflow attack
- Video: http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/

Buffer Overflow Attack
- Occurs when ill-written programs allow data destined for a memory buffer to overwrite instructions in an adjacent memory area that contains instructions.
- If the data contains malware, the malware could run and create a DoS
- Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
[Figure: a six-cell buffer followed by an instruction area (Print, Run Program, Accept input); the input fills the buffer with A B C D E F and "LET JOHN IN WITHOUT PASSWORD" spills into the instruction area]

Preventing Buffer Overflow
- Use language tools that provide automatic bounds checking, such as Perl, Python, and Java, instead of lower level languages (C, C++, Assembly, etc.). However, this is usually not possible or practical because almost all modern operating systems are written in C.
- Eliminate the use of flawed library functions like gets(), strcpy() and strcmp() that fail to check the length or bounds of their arguments.
- Design and build security within code
- Use source code scanning tools. Example: PurifyPlus Software Suite can perform a dynamic analysis of Java, C, or C++ source code.

    // replace the following line
    strcpy(buffer2, string2);
    // by
    strncpy(buffer2, string2, 8);   /* note: strncpy() adds no terminator when string2 is 8 bytes or longer */

  For instance, this simple change informs the copy that it only has an eight byte destination buffer and that it must discontinue the raw copy at eight bytes.

General Application Security
- Minimize the number of applications: fewer applications on a computer, fewer attack opportunities
- Use security baselines for installation: security baselines improve security
- Add application layer authentication: important for sensitive applications; could be password-based
- Implement cryptographic systems

Web service security

Webservice Versus E-Commerce
[Figure: webserver software (IIS, Apache, etc.) underneath e-commerce software, subsidiary e-commerce software components (DHTML, etc.) and custom programs in client-side scripting]
- Webservice includes basic functionalities for: retrieval of static files; creation of dynamic webpages
- E-Commerce requires additional software for: online catalogs; shopping carts; connection to a back-end database; connection to organizations for payments, etc.

Webservice Versus E-Commerce
Web applications could be the target of many types of attacks, like:
- Directory browsing
- Traversal attacks
- Web defacement
- Using an HTTP proxy to manipulate the interaction between client and server
- IIS IPP buffer overflow
- Browser attacks
- Time configuration

Web sites' directory browsing
- Web server with directory browsing disabled: a user cannot get access to the list of files in a directory by knowing or guessing directory names
- Web server with directory browsing enabled: a user can get access to the list of files in a directory by knowing or guessing directory names

Traversal Attack
- Normally, paths start at the WWW root directory
- Adding ../ might take the attacker up a level, out of the WWW root box
- If the attacker traverses to the command prompt directory in Windows 2000 or NT, they can execute any command with system privileges

Traversal Attacks (Cont.)
- Preventing traversal attacks: companies filter out / and \ using URL scanning software
- Attackers respond with hexadecimal and UNICODE representations for / and \

ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions (excerpt)

    Name               Character  Code     Decimal  Binary    Hex
    Null               NUL        Ctrl @   0        00000000  00
    Start of Heading   SOH        Ctrl A   1        00000001  01
    Space                                  32       00100000  20
    Exclamation Point  !          Shift 1  33       00100010  22
    Plus               +          Shift =  43       00101011  2B
    Period             .          .        46       00101110  2E
    Forward Slash      /          /        47       00101111  2F
    Tilde              ~          Shift '  126
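An added example, not code from the slides: the bounded-copy fix from the "Preventing Buffer Overflow" slide applied to its authenticate() function, with the two caveats a practitioner needs, that strncpy() writes no terminator when it truncates, and that silent truncation lets two different passwords compare equal. The helper names (bounded_copy, checked_copy, truncation_collides, authenticate_checked) are mine.

```c
#include <string.h>

#define BUF_LEN 8   /* same eight-byte buffers as the slide's authenticate() */

/* Bounded copy in the spirit of the slide's strncpy() fix. strncpy() stops
 * after dst_len-1 bytes but adds no terminator when it truncates, so the
 * terminator is written explicitly. Oversize input is silently truncated. */
void bounded_copy(char *dst, size_t dst_len, const char *src)
{
    strncpy(dst, src, dst_len - 1);
    dst[dst_len - 1] = '\0';
}

/* Stricter variant: refuse input that does not fit instead of truncating.
 * memchr() looks for the terminator only within the first dst_len bytes, so
 * nothing beyond what the destination can hold is ever examined or copied.
 * Returns 1 on success, 0 if src plus its terminator would not fit in dst. */
int checked_copy(char *dst, size_t dst_len, const char *src)
{
    const char *end = memchr(src, '\0', dst_len);
    if (end == NULL) return 0;
    memcpy(dst, src, (size_t)(end - src) + 1);
    return 1;
}

/* Shows the pitfall of silent truncation: two different strings become
 * equal once both are cut down to seven characters. Returns 1 if they collide. */
int truncation_collides(const char *a, const char *b)
{
    char ta[BUF_LEN], tb[BUF_LEN];
    bounded_copy(ta, sizeof ta, a);
    bounded_copy(tb, sizeof tb, b);
    return strcmp(ta, tb) == 0;
}

/* Hardened form of the slide's authenticate(): the fixed-size buffers stay,
 * but nothing larger than they hold is ever written into them. Returns 1 on
 * a match, 0 on a mismatch, and -1 when either input is rejected as too long. */
int authenticate_checked(const char *supplied, const char *stored)
{
    char buffer1[BUF_LEN], buffer2[BUF_LEN];
    if (!checked_copy(buffer1, sizeof buffer1, supplied)) return -1;
    if (!checked_copy(buffer2, sizeof buffer2, stored)) return -1;
    return strcmp(buffer1, buffer2) == 0;
}
```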
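A second added example, again not from the slides: a server-side check for the traversal slides above that normalizes the hexadecimal (percent-encoded, including double-encoded) forms of / and \ before looking for "..", rather than filtering the raw characters. percent_decode() and path_is_safe() are names I chose; the 256-byte path limit and the rule that rejects non-ASCII bytes (which also covers overlong UTF-8 encodings of '/') are assumptions for this example.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Decode %XX escapes once. Rejects malformed escapes, a decoded NUL (it would
 * cut the path short) and any non-ASCII byte (so overlong UTF-8 '/' is out). */
int percent_decode(const char *in, char *out, size_t out_len)
{
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        unsigned char c = (unsigned char)in[i];
        if (c == '%') {
            if (!isxdigit((unsigned char)in[i + 1]) ||
                !isxdigit((unsigned char)in[i + 2])) return 0;
            char hex[3] = { in[i + 1], in[i + 2], '\0' };
            c = (unsigned char)strtoul(hex, NULL, 16);
            i += 2;
        }
        if (c == 0 || c >= 0x80 || o + 1 >= out_len) return 0;
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return 1;
}

/* 1 if the request path cannot leave the WWW root, 0 if it must be rejected.
 * Decoding repeats (at most three rounds) so double-encoded forms such as
 * %252e%252e become ".."; '/' and '\' both count as separators. */
int path_is_safe(const char *request_path)
{
    char cur[256], next[256];
    if (strlen(request_path) >= sizeof cur) return 0;
    strcpy(cur, request_path);
    for (int round = 0; round < 3; round++) {
        if (!percent_decode(cur, next, sizeof next)) return 0;
        if (strcmp(cur, next) == 0) break;   /* nothing left to decode */
        strcpy(cur, next);
    }
    int depth = 0;                           /* directory depth below the WWW root */
    for (const char *p = cur; *p != '\0'; ) {
        const char *q = p;
        while (*q != '\0' && *q != '/' && *q != '\\') q++;
        size_t len = (size_t)(q - p);
        if (len == 2 && p[0] == '.' && p[1] == '.') depth--;
        else if (len > 0 && !(len == 1 && p[0] == '.')) depth++;
        if (depth < 0) return 0;             /* climbed above the WWW root */
        p = (*q != '\0') ? q + 1 : q;
    }
    return 1;
}
```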