Presentation is loading. Please wait.

Presentation is loading. Please wait.

Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012.

Published byAlan Richardson Modified over 8 years ago

Similar presentations

Presentation on theme: "Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012."— Presentation transcript:

1 Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012

2 2 Learning Objectives Discuss general Application security Discuss Webservice/E-Commerce security [Discuss E-Mail security]

3 3 General Applications Security Issues

4 4 Applications Security Issues Few Operating Systems But Many Applications Because OS are harden, most attacks target applications installed on servers. Most applications run with administrative or super user (root) privileges Securing applications is challenging Computer Hardware Operating System Web service software (IIS, Apache,...) Web browser, Photo editors, Movie maker, Productivity software, etc. Client & server application programs

5 5 Which of the following is true about Application Security? If a server application (or service) is no longer needed, it should be turned off Fewer applications on a computer, fewer attack opportunities Use good security baselines to install and configure apps Do not install application centrally using group policies Add application layer authentication by requiring users to provide credentials to run application programs Implement cryptographic authentication for sensitive apps If a server application (or service) is no longer needed, it should be removed Do not turn on each applications’ automatic update checking

6 6 Applications and Buffer Overflow Buffer Overflow is the biggest issue in application coding Buffer overflow leads to Buffer Overflow Attacks Buffers are RAM areas where data is stored temporarily If an attacker sends more data than the programmer had allocated to a buffer, a buffer might overflow, overwriting an adjacent section of RAM RAM Buffer1Buffer2 Buffer7Buffer3Buffer4Buffer6Buffer5

7 7 Buffer Overflow Attack Occurs when ill-written programs allow data destined to a memory buffer to overwrite instructions in adjacent memory register that contains instructions. If the data contains malware, the malware could run and creates a DoS Example of input data: ABCDEF LET JOHN IN WITHOUT PASSWORD 7 BufferInstructions 123456 Print Run Program Accept input BufferInstructions 123456 ABCDEFLET JOHN IN WITHOUT PASSWORD Run Program Accept input

8 8 Stack entry: data buffer & Return address registry Stack Entry and Buffer Overflow Return Address 1. Write Return Address 2. Add Data to Buffer Data Buffer 5. Start of Attacker data 3. Direction of Data Writing 4. Overwrite Return Address When a program must put one subprogram on hold to call another, it writes the return address in RAM areas called stack entries The called subprogram may add data to the buffer to the point it overwrites the return address If the added buffer data is Attack code, this will be a buffer overflow attack http://www.metacafe.com/watch/1452134/buffer_overflow_attacks_explained_with_beer/

9 9 Preventing Buffer Overflow Use Language tools that provide automatic bounds checking such as Perl, Python, and Java instead lower level language (C, C++, Assembly, etc). However, this is usually not possible or practical because almost all modern OS are written in the C language. Eliminate The Use Of Flawed Library Functions like gets(), strcpy, and strcmp that fail to check the length or bounds of their arguments. Design And Build Security Within Code Use Source Code Scanning Tools. Example: PurifyPlus Software Suite can perform a dynamic analysis of Java, C, or C++ source code. // replace le following line Strcpy (buffer2, strng2); // by Strcpy (buffer2, string2, 8) For instance, this simple change informs strcpy() that it only has an eight byte destination buffer and that it must discontinue raw copy at eight bytes.

10 10 Web service security

11 11 Webservice & E-Commerce apps Web applications could be the target of many types of attacks like: Directory browsing Traversal attacks Web defacement Using HTTP proxy to manipulate interaction between client and server IIS IPP Buffer Overflow Browser attacks Time configuration

12 12 Web sites’ directory browsing Web server with Directory Browsing disabled User cannot get access to list of files in the directory by knowing or guessing directory names

13 13 Web site with directory browsing Web server with Directory Browsing enabled User can get access to the list of files in the directory by knowing or guessing directory names

14 14 Traversal Attack Normally, paths start at the WWW root directory Adding../ (Windows) or..\ (Unix) in an HTTP request might take the attacker up a level, out of the WWW root directory. Example: http://website.com../../ Example: http://castle.eiu.edu/~a_illia/BUS3500/Brief/Case1/../ If attacker traverses to Command Prompt directory in Windows 2000 or NT, he can execute any command with system privileges

15 15 Traversal Attacks (Cont.) Preventing traversal attacks Companies filter out../ and..\ using URL scanning software Attackers respond with hexadecimal and UNICODE representations for../ and..\ ASCII Character Chart with Decimal, Binary and Hexadecimal Conversions NameCharacterCodeDecimalBinaryHex NullNULCtrl @00000000000 Start of HeadingSOHCtrl A10000000101 Space320010000020 Exclamation Point!Shift 1330010001022 Plus+Shift =43001010112B Period..46001011102E Forward Slash//47001011112F Tilde~Shift’126011111107E

16 16 Website defacement Taking over a web server and replacing normal web pages by hacker-produced pages Effect could last because ISP cache of popular web sites Example of recent website defacements ATTRITION Web Page Hack Mirror: http://attrition.org/mirror/ http://attrition.org/mirror/ Zone-H web site for most recent attacks: http://www.zone-h.orghttp://www.zone-h.org: Check Onhold and Archive

17 17 Manipulating HTTP requests Attackers use proxies to manipulate communications between browsers and web servers Example using Webscarab

18 18 IIS IPP Buffer Overflow The Internet Printing Protocol (IPP) service included in IIS 5.0 and earlier versions is vulnerable to buffer overflow attacks The jill.c program was developed to launch the attack using: GET NULL.printer HTTP/1.0 Host: 420-byte jill.c code to launch the command shell IIS server responds launching the command shell (C:\WINNT\SYSTEM32\>) giving the attacker SYSTEM privileges.

19 19 IIS IPP Buffer Overflow (cont.) Link to jill.c code Code compilable using gcc jill.c –o jill on Linux Precompiled version (jill-win32.c) and executable (jill-win32.exe) available at ftp://ftp.technotronic.com/ newfiles/jill-win32.exe. This executable file is ready to run on a Windows machine.

20 20 IIS IPP Buffer Overflow (cont.) Source: http://puna.net.nz/archives/Hacking/David_Sheridan_GCIH.doc

21 21 Browser Attacks Malicious links User must click on them to execute (but not always) Common extensions are hidden by default in some operating systems.  attack.txt.exe seems to be attack.txt

22 22 Browser Attacks (Cont.) Common Attacks Redirection to unwanted webpage Scripts might change the registry, home page Some scripts might “trojanize” your DNS error- handling routine when you mistype a URL Pop-up windows Web bugs; i.e. links that are nearly invisible, can be used to track users at a website Domain names that are common misspellings of popular domain names  Microsoff.com, www.whitehouse.com (a porn site)www.whitehouse.com

Download ppt "Application Security: General apps &Web service (April 11, 2012) © Abdou Illia – Spring 2012."

Similar presentations

Application Security: General apps &Web service

Application Security: General apps &Web service
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
Web Defacement Anh Nguyen May 6 th, 2010. Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
System and Network Security Practices COEN 351 E-Commerce Security.

System and Network Security Practices COEN 351 E-Commerce Security.
How Clients and Servers Work Together. Objectives Web Server Protocols Examine how e-mail server and client software work Use FTP to transfer files Initiate.

How Clients and Servers Work Together. Objectives Web Server Protocols Examine how server and client software work Use FTP to transfer files Initiate.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.

1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?
Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA 5880 - © Abdou Illia.

Network & Computer Attacks (Part 2) February 11, 2010 MIS 4600 – MBA © Abdou Illia.
Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from www.mandrake.com www.mandrake.com.

Chapter Apache Installation in Linux- Mandrake. Acknowledgment The following information has been obtained directly from
Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.
1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.

1 DOS with Windows 3.1 and 3.11 Operating Environments n Designed to allow applications to have a graphical interface DOS runs in the background as the.
Hacking Web Server Defiana Arnaldy, M.Si 0818 0296 4763.

Hacking Web Server Defiana Arnaldy, M.Si
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
1 Application Security: Electronic Commerce and E-Mail Chapter 9 Copyright 2003 Prentice-Hall.

1 Application Security: Electronic Commerce and Chapter 9 Copyright 2003 Prentice-Hall.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)
Application Security: Web service and E-Mail (April 11, 2011) © Abdou Illia – Spring 2011.

Application Security: Web service and (April 11, 2011) © Abdou Illia – Spring 2011.
1 Web Server Concepts Dr. Awad Khalil Computer Science Department AUC.

1 Web Server Concepts Dr. Awad Khalil Computer Science Department AUC.

Similar presentations

Ads by Google