ilab2
play

iLab2 WWW and Application Layer Security with friendly support by - PowerPoint PPT Presentation

Apr 18, 2023 •340 likes •755 views

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

  1. Chair for Network Architectures and Services Department of Informatics TU München – Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tübingen

  2. Recap: Internet Protocol Suite Application protocols: Application Layer e. g. HTTP, SIP, Instant Messengers, … End-to-end connectivity between Transport Layer processes (port concept) Network Layer Routing between networks Data Link Layer Interface to physical media Physical Layer q TCP/IP stack has no specific representation for OSI layers 5, 6, 7 („session“, „representation“, „application“): the Application Layer is responsible for all three 2 iLab 2, WWW Security, WS 2010/11

  3. Why Application Layer Security? q So far, we were mostly concerned with layers below the application layer: § Link Layer security § Crypto protocols: IPSec, SSL, Kerberos … § Firewalls § Intrusion Detection q There are attacks where these defenses do not work: § Cross-Site Scripting, Buffer Overflows, … q Possible because § These attacks are not detectable on lower layers ( à cf. WWW Security), or § The mechanisms do not secure the correct communication end-points ( à cf. Web Service Security, see our NetSec lecture) q In general, many applications need to provide their own security mechanisms § E. g. authentication, authorization 3 iLab 2, WWW Security, WS 2010/11

  4. Part I: Introduction to the WWW q Part I: Introduction to the WWW and Security Aspects q Part II: Internet Crime q Part III: Vulnerabilities and Attacks 4 iLab 2, WWW Security, WS 2010/11

  5. Introduction to the World Wide Web q You all know it – but what is it exactly? q Conceived in 1989/90 by Tim Berners-Lee at CERN q Hypermedia-based extension to the Internet on the Application Layer § Any information (chunk) or data item can be referenced by a Uniform Resource Identifier (URI) § URI syntax (defined in RFCs) : <scheme>://<authority><path>?<query>#<fragment> § Special case: URL ( “ Locator ” ) http://www.net.in.tum.de/de/startseite/ § Special case: URN ( “ Name ” ) urn:oasis:names:specification:docbook:dtd:xml:4.1.2 q Probably the best-known application of the Internet q Currently, most vulnerabilities are found in Web applications 5 iLab 2, WWW Security, WS 2010/11

  6. HTML and Content Generation q HTML is the lingua franca of the Web § Content representation: structured hypertext documents § HTML documents – i. e. Web pages – may include: • JavaScript: script that is executed in browser • Java Applets: Java program, executed by Java VM • Flash: multimedia application, executed (played) by Flash player q Today, much (if not most) content is created dynamically by server-side programs § (Fast-)CGI: interface between Web server and such a server-side program § Possible: include programs directly as modules in Web server (e.g. Apache) q Often, dynamic Web pages also interact with the user § Examples: searches, input forms à think of online banking q Examples of server-side technology/languages: § PHP, Python, Perl, Ruby, … § Java (several technologies), ASP.NET § Possible, but rare: C++ based programs 6 iLab 2, WWW Security, WS 2010/11

  7. HTTP q HTTP is the carrier protocol for HTML § Conceived to be state-less: server does not keep state information about connection to client § Mostly simple GET / POST semantics ( PUT is possible) § HTML-specific encoding options q OK for the beginnings – but the Web became the most important medium for all kinds of purposes (e. g. e-commerce, forums, etc.) à today: complete work flows implemented with HTTP/HTML à need to keep state between different pages à sessions 7 iLab 2, WWW Security, WS 2010/11

  8. Sessions Over HTTP q Sessions: many work-arounds around the state-less property § Cookies: small text files that the server makes the browser store • Client authenticates to server à receives cookie with a “ secret ” value à use this value to keep the session alive (re-transmit) § Session-IDs (passed in HTTP header) § Parameters in URL § Hidden variables in input forms (HTML-only solution) q Session information is a valuable target § E. g., online banking: credit card or account information 8 iLab 2, WWW Security, WS 2010/11

  9. A Few More Aspects q Cookies can be exploited to work against privacy § User tracking: identify user and store information about browsing habits § 3rd party cookies: cookies that are not downloaded from the site you are visiting, but from another one • Can be used to track users across sites § Cookies can be set without the user knowing (there are reasonably safe standard settings) § Security trade-off: many Web pages require cookies to work, disabling them completely may not be an option q Cookies may also contain confidential session information § Attacker may try to get at such information ( à Cross-Site Scripting) 9 iLab 2, WWW Security, WS 2010/11

  10. A Few More Aspects q Session IDs in the URL can also be a weakness § Can be guessed or involuntarily compromised (e. g. sending a link) à “ session hijacking ” q GET command may encode parameters in the URL § Can be a weakness: § Some URLs are used to trigger an action, e.g. http://www.example.org/update.php?insert=user § Attacker can craft certain URLs ( à Cross-Site Request Forgery) 10 iLab 2, WWW Security, WS 2010/11

  11. HTTP Authentication q HTTP Authentication § Basic Authentication: not intended for security • Server requests username + password • Browser answers in plain text à relies on underlying SSL for security • No logout! Browser keeps username and password in cache § Digest Authentication: protects username + password • Server also sends a nonce • Browser reply is MD5 hash: md5(username,password,nonce) • No mutual authentication – only client authentication • More secure and avoids replay attacks, but MD5 is known to have weaknesses • SIP uses a similar method q HTTP authentication often replaced with other methods § Requires session management § Complex task 11 iLab 2, WWW Security, WS 2010/11

  12. JavaScript q Script language that is executed on client-side (not only in browsers!) § Originally developed by Netscape; today more or less a standard § Object-oriented with C-like syntax, but multi-paradigm § Allows dynamic content for the WWW à AJAX etc. § Allows a Web site to execute programs in the browser q The Web is less attractive without JavaScript – but anything that is downloaded and executed by a client may be a security risk q Recent development: JavaScript used on Server-side as well (Node.js) 12 iLab 2, WWW Security, WS 2010/11

  13. JavaScript q Security Issues: § Allows authors to write malicious code § Allows cross-site attacks (we look at these a bit later in this lecture) q Defenses: § Sandboxing of JavaScript execution • Difficult to implement § Same-origin policy: script may only access other resources on the Web if it comes from the same origin § Same-origin policy can be violated with Cross-Site Scripting 13 iLab 2, WWW Security, WS 2010/11

  14. Part II: Internet Crime q Part I: Introduction to the WWW and Security Aspects q Part II: Internet Crime q Part III: Vulnerabilities and Attacks 14 iLab 2, WWW Security, WS 2010/11

  15. Vulnerabilities: some numbers q 3,462 vs 2,029 web/non-web application vulnerabilities were discovered by Symantec in 2008 q Average exposure time: 60 days q 12,885 site-specific XSS vulnerabilities submitted to XSSed in 2008 alone q Only 3% of site-specific vulnerabilities were fixed by the end of 2008 q The bad guys are not some hackers who “ want to know how it works ” q These days, it ’ s a business! q “ Symantec Underground Economy Report 2008 ” : “ Moreover, considerable evidence exists that organized crime is involved in many cases … “ [ed.: referring to cooperation between groups] 15 iLab 2, WWW Security, WS 2010/11

  16. Comparison: two classic vulnerabilities Source: MITRE CVE trends 16 iLab 2, WWW Security, WS 2010/11

  17. From the Symantec Report 2011 17 iLab 2, WWW Security, WS 2010/11

  18. From the Symantec Report 2011 18 iLab 2, WWW Security, WS 2010/11

  19. From the Symantec Report 2011 19 iLab 2, WWW Security, WS 2010/11

  20. From the Symantec Report 2008 20 iLab 2, WWW Security, WS 2010/11

  21. From the Symantec Report 2011 21 iLab 2, WWW Security, WS 2010/11

  22. Part III: Vulnerabilities and Attacks q Part I: Introduction to the WWW and Security Aspects q Part II: Internet Crime q Part III: Vulnerabilities and Attacks 22 iLab 2, WWW Security, WS 2010/11

  23. Classification of Attacks (incomplete) Client-side Server-side q C++ (e. g. Firefox) q Web Server: Common C++, Java implementation q XULRunner q Script languages languages q Java Common attack q Drive-by downloads q Cross-Site scripting types q Buffer overflows q Code Injection q SQL Injection q (DoS and the like) q Malware installation q Defacement Result of attack q Computer q Loss of private data manipulation q Loss of corporate secrets q Loss of private data 23 iLab 2, WWW Security, WS 2010/11

Recommend

iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iLab2 Introduction to SIP Daniel Raumer raumer@net.in.tum.de Agenda SIP - What? SIP - How? Repetition Security iLab2

263 views • 14 slides
iLab2 Introduction to IP - Multicast Daniel Raumer raumer@net.in.tum.de What is he

iLab2 Introduction to IP - Multicast Daniel Raumer raumer@net.in.tum.de What is he

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iLab2 Introduction to IP - Multicast Daniel Raumer raumer@net.in.tum.de What is he talking about? Multicast? Motivation

725 views • 24 slides
iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

802 views • 48 slides
iLab2 Introduction to Multicast and SIP Daniel Raumer raumer@net.in.tum.de Introduction

iLab2 Introduction to Multicast and SIP Daniel Raumer raumer@net.in.tum.de Introduction

Lehrstuhl Netzarchitekturen und Netzdienste Institut fr Informatik Technische Universitt Mnchen iLab2 Introduction to Multicast and SIP Daniel Raumer raumer@net.in.tum.de Introduction Hands on Lab Multicast Who? SIP -

538 views • 28 slides
iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2

iLab2: WWW Security Johannes Naab &lt;2019-03-15 Fri&gt; Contents 1 WWW Basics 1 2 Security 2 3 Attacks 3 4 Defenses &amp; Mitigation 5 5 Reporting Vulnerabilities 7 1 WWW Basics reading mails chatting on facebook

177 views • 7 slides
How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017

How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017

Chair of Network Architectures and Services - Prof. Carle Department of Computer Science Technical University of Munich How the Internet works? The Border Gateway Protocol (BGP) Edwin Cordeiro iLab2 Lecture SS 2017 Technical University of

687 views • 67 slides
Ilab2: Advanced Wireless Summer 2017 Prof. Dr.-Ing. Georg Carle Maurice Leclaire Chair of

Ilab2: Advanced Wireless Summer 2017 Prof. Dr.-Ing. Georg Carle Maurice Leclaire Chair of

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Ilab2: Advanced Wireless Summer 2017 Prof. Dr.-Ing. Georg Carle Maurice Leclaire Chair of Network Architectures and Services Department of

654 views • 63 slides
Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen

Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

972 views • 46 slides

More recommend