1. Application Security: General apps &Web service
(April 15, 2015)
© Abdou Illia – Spring 2015

2. Learning Objectives Discuss general Application security
Discuss Webservice/E-Commerce security
[Discuss security]

3. General Applications Security Issues

4. Network applications
What is a network application (NA)? What is the difference between a network application and a stand-alone/non-network application (SA)? Use a checkmark (√) to show your answer.
Characteristics NA SA
Both program and data are store on the same computer
Either the program used or the data being used reside on a network
Both the program used and the data being used reside on a network
Uses a client-server architecture

5. Which of the following can be classified as client or server network application?
Microsoft Project
Microsoft Visio
Oracle Solaris
Windows NT
Adobe Photoshop
C++
Google Chrome
UNIX
IIS
Apache
WinSCP (client FTP)
OS X
Movie Maker
Internet Explorer

6. Application security
Imagine that you have the following categories of software installed on your computers. Which one would you harden first and why? Which one you should harden next and why?
Client and server network applications
Non-network applications
Operating systems

7. Applications Security Issues
Few Operating Systems, but Many Applications
Because OS are harden, most attacks target applications.
Most applications run with administrative or super user (root) privileges
Securing applications is challenging
Huge number of apps, Variety of security baselines
Client & server application programs
Computer Hardware
Operating System
Web service software (IIS, Apache, ...) Web browser, Photo editors, Movie maker, Productivity software, etc.

8. Which of the following is true about Application Security?
If a server application (or service) is no longer needed, it should be turned off
Fewer applications on a computer means fewer attack opportunities
Use good security baselines to install and configure apps
Do not install application centrally using group policies
Add application layer authentication by requiring users to provide credentials to run application programs
Implement cryptographic authentication for sensitive apps
If a server application (or service) is no longer needed, it should be removed
Do not turn on each applications’ automatic update checking 8

9. Applications and Buffer Overflow
OUTDO OR
Buffers are RAM areas where data is stored temporarily
Buffer overflow occurs when data spill from one buffer to the next
Buffer Overflow is the biggest issue in application coding
If an attacker sends more data than the programmer had allocated to a buffer, a buffer might overflow, overwriting an adjacent section of RAM
Buffer overflow attacks
RAM
Buffer1
Buffer2
Buffer7
Buffer3
Buffer4
Buffer6
Buffer5 9

10. Buffer Overflow Attack
Occurs when ill-written programs allow data destined to a memory buffer to overwrite instructions in adjacent memory register that contains instructions.
If the data contain malware, the malware could run and creates a DoS
Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD
Buffer
Instructions 1 2 3 4 5 6
Print
Run Program
Accept input
Buffer
Instructions 1 2 3 4 5 6 A B C D E F
LET JOHN IN WITHOUT PASSWORD
Run Program
Accept input 10 10

11. Stack Entry and Buffer Overflow
Stack entry: data buffer & Return address registry
2. Add Data
to Buffer
1. Write Return
Address
Return
Address
5. Start of
Attacker data
Data Buffer
3. Direction of
Data Writing
4. Overwrite
Return Address
When a program puts one subprogram on hold to call another, it writes the return address in RAM areas called stack entries
The called subprogram may add data to the buffer to the point it overwrites the return address
If the added buffer data is Attack code, this will be a buffer overflow attack
Buffer Overflow explained w/beer:

12. Preventing Buffer Overflow
Key Principle: Never Trust User Input
Use Languages/tools that provide automatic bounds checking such as Perl, Python, and Java instead lower level language (C or Assembly, etc).
However, this is usually not possible or practical because almost all modern OS are written in the C language.
Eliminate The Use Of Flawed Library Functions like gets(), strcpy, and strcmp that fail to check the length or bounds of their arguments.
Design And Build Security Within Code
Use Source Code Scanning Tools.
Example: PurifyPlus Software Suite can perform a dynamic analysis of Java, C, or C++ source code.
For instance, this simple change informs strcpy() that it only has an eight byte destination buffer and that it must discontinue raw copy at eight bytes.
// replace le following line
strcpy (buffer2, strng2);
// by
strcpy (buffer2, string2, 8)

13. Applications permissions
Examples for smartphones
Make phone calls
For Dialer replacements, Google Voice, etc. NOT for Ringtone apps. If an app you download has no business setting up a phone call, be suspicious.
Send SMS or MMS
Read contact data
Find GPS location
If an app gets its revenue from location-based ads, it needs to know where you are. Otherwise be suspicious.
Network Communication (full internet access, view network / Wi-Fi state, Create Bluetooth connection)
If an app has no function for you to communicate with anyone else, or any type of downloadable content, this usually means ads. To show you ads, the app needs to get them from the Internet

14. How to Know apps permissions?
Download and install SureMDM Web Console
Login into the SureMDM Web Console
Select your smartphone or tablet from the device list.
Click on the Apps buttons to see list of installed apps on the device.
Select an Application and Click on Permission button. Screen similar to the following will popup.

15. Applications permissions (cont.)
Android does a great job forcing app developers to inform the prospective user just what sort of permissions are required and what information the app will access.
If an app does not need permissions it is requesting before installing, do not install.
If a hacker takes over an application program, he or she receives the permissions with which the program runs.

16. Web service security

17. Webservice & E-Commerce apps
Web applications could be the target of many types of attacks like:
Directory browsing
Traversal attacks
Web defacement
Using HTTP proxy to manipulate interaction between client and server
IIS IPP Buffer Overflow
Browser attacks
Time configuration

18. Web sites’ directory browsing
Web server with Directory Browsing disabled
User cannot get access to list of files in the directory by knowing or guessing directory names

19. Web site with directory browsing
Web server with Directory Browsing enabled
User can get access to the list of files in the directory by knowing or guessing directory names

20. Traversal Attack Normally, paths start at the WWW root directory
Adding ../ (Windows) or ..\ (Unix) in an HTTP request might take the attacker up a level, out of the WWW root directory.
Example: ../../
Example:
If attacker traverses to Command Prompt directory in Windows or NT, he can execute any command with system privileges

21. Traversal Attacks (Cont.)
Preventing traversal attacks
Companies filter out ../ and ..\ using URL scanning software
Attackers respond with hexadecimal and UNICODE representations for ../ and ..\
ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions
Name
Character
Code
Decimal
Binary
Hex
Null
NUL 00
Start of Heading
SOH
Ctrl A 1 01
Space 32 20
Exclamation Point !
Shift 1 33 22
Plus +
Shift = 43 2B
Period . 46 2E
Forward Slash / 47 2F
Tilde ~
Shift’
126 7E

22. Website defacement
Taking over a web server and replacing normal web pages by hacker-produced pages
Effect could last because ISP cache of popular web sites
Example of recent website defacements
ATTRITION Web Page Hack Mirror:
Zone-H web site for most recent attacks:
Check Onhold and Archive

23. Manipulating HTTP requests
Attackers use proxies to manipulate communications between browsers and web servers
Example using Webscarab

24. IIS IPP Buffer Overflow
The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks
The jill.c program was developed to launch the attack using:
GET NULL.printer HTTP/1.0
Host: 420-byte jill.c code to launch the command shell
IIS server responds launching the command shell (C:\WINNT\SYSTEM32\>) giving the attacker SYSTEM privileges.

25. IIS IPP Buffer Overflow (cont.)
Link to jill.c code
Code compilable using gcc jill.c –o jill on Linux
Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/
newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.

26. IIS IPP Buffer Overflow (cont.)
Source:

27. Login Screen Bypass Attack
Website user gets a login screen
Instead of logging in, user enters a URL to bypass the login screen and gain access without authorization.

28. Browser Attacks Malicious links attack.txt.exe seems to be attack.txt
User must click on them to execute (but not always)
Common extensions are hidden by default in some operating systems.
attack.txt.exe seems to be attack.txt

29. Browser Attacks (Cont.)
Common Attacks
Redirection to unwanted webpage
Scripts might change the registry, home page
Some scripts might “trojanize” your DNS error-handling routine when you mistype a URL
Pop-up windows
Web bugs; i.e. links that are nearly invisible, can be used to track users at a website
Domain names that are common misspellings of popular domain names
Microsoff.com, (a porn site)