TRANSCRIPT
EMAIL & WEB
Dr. Andy Wu
BCIS 4630 Fundamentals of IT Security
Overview
• Email security concerns
• Web application security concerns
• Server vulnerabilities
  – Character encoding
• Stateless HTTP: a dilemma
• Attack on/from client
  – Cross-site scripting (HTML injection)
  – Session hijacking
  – SQL injection
Email Attacks
• Email server and client programs are software applications that, like any other applications, contain vulnerabilities due to programmer error and oversight.
• Email content and credentials are transmitted in clear text unless the connection is protected with TLS (STARTTLS, or SMTPS/IMAPS/POP3S), making them susceptible to sniffing.
• Other common email-related security problems:
  – Viruses (the proverbial attachment)
  – Worms
  – Spamming
  – Phishing
  – Scams (419s)
  – Hoaxes
SMTP Vulnerabilities
• Attackers can use several SMTP commands to exploit SMTP servers.
• Buffer overflows
  – Attackers may try to overflow a buffer in the mail server process.
  – Abnormally long input is supplied when issuing the HELO, MAIL or RCPT commands.
• Attackers can use malicious code to take control of the mail server itself.
  – This permits attackers to take complete control of a mail system.
  – The legacy sendmail DEBUG and WIZ commands could open a back door.
SMTP Vulnerabilities
• Attackers scan the Internet for any incorrectly configured SMTP servers.
• Scanning e-mail servers
  – EXPN and VRFY may allow attackers to enumerate valid accounts and mailing-list members on an e-mail server.
• Spamming e-mail servers
  – Attacker sends a single e-mail message to a large number of recipients.
  – Attacker takes advantage of improperly configured servers (open relays).
Forged Email Headers
• Headers that can be forged:
  – Subject, Date, Message-ID
  – From, To, CC
  – Any arbitrary fields such as X-Mailer and X-Message-Info
  – Received (except the last one added, i.e., the topmost)
• Headers that cannot be forged by the sender:
  – The final Received header, written by the receiving server itself
  – The IP address of the connecting mail server, as recorded in that final Received header (it identifies only the last hop; the sender may still have relayed through a compromised host)
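The point above in code, as an added example that is not part of the lecture: walk the Received headers of a captured message and trust only the hop our own server wrote. The message, hostnames and IPs are constructed, and the trusted MTA name is an assumption for the illustration.

```python
"""Walk Received headers, trusting only the hop stamped by our own MTA.

Added example, not from the lecture. OUR_MTA and the SAMPLE message are assumptions.
"""
import re
from email import message_from_string
from typing import Optional

OUR_MTA = "mx.com1.com"   # assumed: the name our own receiving server writes into Received

# Constructed message. The topmost Received was stamped by OUR_MTA when the
# connection came in; the two below it arrived inside the message data and
# could have been typed by the sender to fake a path through the bank.
SAMPLE = """\
Received: from mail.childsplay.com (mail.childsplay.com [203.0.113.7])
\tby mx.com1.com with ESMTP id abc123 for <alice@com1.com>; Mon, 1 Jan 2024 10:00:00 +0000
Received: from relay.bank.example (relay.bank.example [198.51.100.9])
\tby mail.childsplay.com with ESMTP; Mon, 1 Jan 2024 09:59:00 +0000
Received: from secure.bank.example ([192.0.2.5])
\tby relay.bank.example; Mon, 1 Jan 2024 09:58:00 +0000
From: "Bank Security" <security@bank.example>
To: alice@com1.com
Subject: Urgent account verification

Please log in at http://bank.example.attacker.test/ to verify your account.
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                          # name the client gave in HELO
    r"(?:\s+\((?P<rdns>[^\s\[]+)?\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"  # rDNS and IP seen by the server
    r".*?\bby\s+(?P<by>[^\s;]+)",                                     # server that wrote this line
    re.S,
)


def parse_received(value: str) -> dict:
    m = RECEIVED_RE.search(value)
    return m.groupdict() if m else {}


def hops(raw: str) -> list:
    """Received headers, topmost first (the topmost is the most recently added)."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in msg.get_all("Received", [])]


def originating_ip(raw: str) -> Optional[str]:
    """IP of the host that actually connected to OUR_MTA. Only the hop our own
    server wrote is trustworthy; everything below it was supplied by the sender."""
    for hop in hops(raw):
        if hop.get("by") == OUR_MTA:
            return hop.get("ip")
    return None


def untrusted_claims(raw: str) -> list:
    """The 'from' names asserted by the hops below ours, which cannot be verified."""
    trusted_seen = False
    claims = []
    for hop in hops(raw):
        if trusted_seen:
            claims.append(hop.get("helo", "?"))
        if hop.get("by") == OUR_MTA:
            trusted_seen = True
    return claims
```

In an investigation, start from the topmost Received header and stop trusting the chain at the first hop not written by a server you control; the "bank" hops in the sample are exactly as forgeable as the From line.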
Spam
• Spam is the common term for unsolicited commercial e-mail.
  – The term comes from a skit on Monty Python's Flying Circus where two people are in a restaurant that only serves Spam.
  – The key to spam is the concept of repetition of unwanted things.
• The biggest incentive for the spammers is the "referral fees" that they can collect by "referring" people to some commercial sites.
  – Pornography sites used to be the most popular.
  – Recently, the most common sites promoted are online pharmacies and loans.
• Spammers utilize mail relays for two purposes:
  – To offload the work of sending large amounts of mail
  – To disguise the source of the mail
Open Relay
• Chucky (chucky@childsplay.com) wants to send email to alice@com1.com, bob@com2.com, eve@com3.com...
• A properly (ideally) configured email server should only send out emails originating from its own users and deliver emails destined to user accounts within its domain.
  – If Com1's SMTP server is configured correctly, it will not send out these emails because Chucky's email address belongs to another domain (childsplay.com).
  – If these three emails come from outside, it will simply reject the emails for Bob and Eve ("relay access denied"). It will, however, deliver the email to Alice.
• If Com1's email server is mis-configured, it behaves differently.
  – Chucky may be able to deliver these emails even though his account is from a different domain (childsplay.com instead of com1.com).
  – Even though the emails to Bob and Eve are for addresses in other domains (com2.com, com3.com), it will try its best to deliver them by forwarding them to other email servers.
• Note that the MAIL FROM address is trivially forged, so a real server decides whether to relay by SMTP authentication or by the connecting IP address, not by the claimed sender domain.
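The relay decision as code, as an added example that is not part of the lecture. It places the slide's rule (relay if the sender claims a local domain) beside the rule a correctly configured MTA applies (relay only for authenticated or trusted-network clients) and beside an open relay. The domain names, addresses, client IPs and reply strings are assumptions; the 5xx wording follows common MTA practice.

```python
"""Three SMTP relay policies applied to the RCPT TO commands of one transaction.

Added example, not from the lecture. LOCAL_DOMAINS, the addresses and the reply
texts are assumptions for the illustration.
"""
from dataclasses import dataclass

LOCAL_DOMAINS = {"com1.com"}   # assumed: domains this server hosts mailboxes for

OK = "250 2.1.5 OK"
DENIED = "554 5.7.1 Relay access denied"


@dataclass
class Client:
    ip: str
    authenticated: bool = False   # completed SMTP AUTH successfully
    trusted_net: bool = False     # e.g. connecting from the LAN listed in mynetworks


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def rcpt_decision_naive(client: Client, mail_from: str, rcpt_to: str) -> str:
    """The slide's rule: relay if the sender claims a local domain. MAIL FROM is
    attacker-controlled, so this is bypassed by claiming chucky@com1.com."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return OK
    if domain_of(mail_from) in LOCAL_DOMAINS:
        return OK
    return DENIED


def rcpt_decision(client: Client, mail_from: str, rcpt_to: str) -> str:
    """What a correctly configured MTA does: local recipients are always accepted;
    relaying elsewhere requires an authenticated or trusted-network client,
    regardless of what MAIL FROM claims."""
    if domain_of(rcpt_to) in LOCAL_DOMAINS:
        return OK
    if client.authenticated or client.trusted_net:
        return OK
    return DENIED


def open_relay(client: Client, mail_from: str, rcpt_to: str) -> str:
    """A mis-configured server: accepts every RCPT TO and forwards it."""
    return OK


def run_session(policy, client: Client, mail_from: str, rcpts: list) -> list:
    """Server reply for each RCPT TO of one transaction under the given policy."""
    return [policy(client, mail_from, r) for r in rcpts]


CHUCKY_RCPTS = ["alice@com1.com", "bob@com2.com", "eve@com3.com"]
```

Running Chucky's three recipients through `rcpt_decision` from an unauthenticated outside address accepts only Alice; `open_relay` accepts all three; and `rcpt_decision_naive` accepts all three as soon as Chucky lies about his sender address, which is why the naive rule is not what production MTAs implement.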
Fighting Spam
• Ways to fight spam include:
  – E-mail filtering
  – Educate users about spam
    • Cautious internet surfing
    • Caution towards unknown e-mail
  – Shut down open relays
  – Host/server filters
  – Blacklisting or DNSBL
  – Greylisting
Blocking Spam
• Spam can be filtered at the host level with pattern matching, focusing on the sender, the subject, or the text of the e-mail.
• Spam can also be filtered at the server level by using pattern matching, but some mail software also uses blackhole lists of open relays.
• Spammers, however, always come up with even smarter ways to evade detection.
  – Sending the spam message as an image file seems to be the most "effective" at this time.
Phishing
• Tries to obtain users' confidential information such as identification data, credit card numbers, bank account numbers and web site credentials by tricking the users into visiting fake Web sites.
• Often delivered with spam from "throw-away" email accounts and spoofed identities.
• Often uses social engineering, e.g., the email urges users to take some action. If users comply and perform actions such as a "security update", they will be entering confidential information on the attacker's site.
Phishing Skills
• Impersonation is the most popular and simplest method of deceit.
• The attacker builds a complete fake site that looks almost identical to the real McCoy, often using images from the real site and adopting the same elements of style.
• The attacker can use Web crawlers that look at a site and attempt to download the text and links on that site.
• Images can be placed on the fake site by linking their sources directly to the real site.
419 Scams
• 419 or Advance Fee Fraud
  – Named after the relevant section of the Criminal Code of Nigeria referring to "Advance Fee Fraud".
  – Occurs when the victim pays money to someone in anticipation of receiving something of greater value.
• The victim is approached by an offshore company or individual who cannot move a huge sum of money overseas due to "foreign exchange control".
• The victim is asked to transfer a relatively small amount of money to help with the transfer of the huge sum. He/she is offered some percentage of that money in return.
Web Apps: What Can Go Wrong
• Web platform
  – Platform software (OS, IIS, etc.) may contain vulnerabilities.
• Client software
  – Browser functionality, e.g., scripting support, plug-ins, can be abused.
• Web application
  – The authentication mechanism or program logic may have flaws.
  – Session management mechanisms, e.g., cookies, sessions, can be manipulated.
• Database server
  – Malicious database queries compromise confidentiality or execute commands.
• Transport
  – Traffic between the client and the server can be sniffed.
Web Platforms
• Attacks can be launched by:
  – Finding vulnerabilities in the platform on which the Web server is running, e.g., the server OS or the Web server application.
  – Tampering with the information in the browser's URL bar, HTTP headers, input in fields in an HTML form, etc.
  – Alternative encoding schemes (percent-encoding, UTF-7, etc.) can be used to obfuscate the attack and evade detection.
Encoding
• Web pages and URLs largely use the ASCII character set. However, some characters have special meanings and could cause confusion if entered literally.
  – Also, URLs may not contain spaces.
• Alternative encoding schemes, therefore, were created to encode such characters.
• Unfortunately, they are largely HEX-based and the resulting patterns of characters look cryptic compared with their ASCII counterparts.
• To untrained eyes, the meaning of an encoded string is not readily interpretable, which is exactly what makes it useful for obfuscation.
URL Coding
• Characters are represented in a URL as a percent sign directly followed by the two-digit HEX equivalent of the character's ASCII value.
• The encoded form is called a "URL escape" (percent-encoding).
• They are often seen in phishing emails as a way to obfuscate the nature of the URL.

Char      ASCII (decimal)   URL Escape
.         46                %2e
/         47                %2f
<         60                %3c
>         62                %3e
(         40                %28
)         41                %29
(space)   32                %20
null      0                 %00
Base64
• Base64 is used to encode and decode binary data (0s and 1s) as printable ASCII characters.
• It processes 3 bytes (24 bits) at a time. To ensure that the result is printable ASCII, it takes the first 6 bits of the 24, finds their decimal value, maps it to a printable character, and then does the same for the next 6.
  – Using six bits means that there are 2^6 = 64 possibilities: 26 uppercase letters, 26 lowercase letters, 10 digits, the plus sign (+), and the forward slash (/).
  – If the input is not a multiple of 3 bytes, the last group is zero-padded and the output ends with one or two = signs.
• Email (MIME) carries binary attachments in Base64. SMTP AUTH PLAIN and LOGIN also send credentials Base64-encoded, which is encoding, not encryption.

Value   Character     Value   Character
0       A             26      a
25      Z             51      z
52      0             61      9
62      +             63      /
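The 6-bit grouping above, written out as an added example that is not part of the lecture, and applied to the one place a security practitioner meets Base64 on the wire most often: an SMTP AUTH PLAIN line. The captured line and the credentials in it are constructed.

```python
"""Base64 by hand, and why Base64-encoded credentials are still clear text.

Added example, not from the lecture. CAPTURED is a constructed wire capture;
the user name and password in it are assumptions.
"""
import base64

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def b64encode_manual(data: bytes) -> str:
    """Take 3 bytes (24 bits), emit four 6-bit values as alphabet characters.
    A short final group is zero-padded and marked with '=' signs."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)
        group = int.from_bytes(chunk + b"\x00" * missing, "big")   # the 24-bit group
        chars = [ALPHABET[(group >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        out.append("".join(chars[:4 - missing]) + "=" * missing)
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Reverse: accumulate 6 bits per character, emit a byte whenever 8 are available."""
    bits = nbits = 0
    out = bytearray()
    for ch in text.rstrip("="):
        bits = (bits << 6) | ALPHABET.index(ch)
        nbits += 6
        if nbits >= 8:
            nbits -= 8
            out.append((bits >> nbits) & 0xFF)
            bits &= (1 << nbits) - 1
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check the hand-rolled coder against the standard library."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_manual(encoded) == data)


def parse_auth_plain(smtp_line: str) -> tuple:
    """Recover the credentials from an 'AUTH PLAIN <base64>' line seen on the wire.
    SASL PLAIN is: authzid NUL authcid NUL password. Without TLS, anyone sniffing
    the session reads it as easily as this function does."""
    blob = smtp_line.split(" ", 2)[2]
    authzid, authcid, password = b64decode_manual(blob).split(b"\x00")
    return authzid.decode(), authcid.decode(), password.decode()


CAPTURED = "AUTH PLAIN AHVzZXIAcGFzcw=="   # constructed capture (assumed credentials: user / pass)
```

`parse_auth_plain(CAPTURED)` yields an empty authorization id, the user name and the password in seconds; the only protection is that the exchange happens inside TLS.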
UTF-7
• All Unicode characters, not only the English ones, can be represented in the default UTF-8 scheme.
• UTF-7 (RFC 2152) is an older, 7-bit-safe encoding of Unicode designed for mail systems that could not carry 8-bit data. It represents non-ASCII characters, and optionally some ASCII ones, as modified Base64 of their UTF-16 form, introduced by + and terminated by -.
• Browsers that auto-detected UTF-7 would decode +ADw- as <, which is why it is useful to attackers for smuggling HTML past filters that only look for literal angle brackets.

UTF-8   UTF-7
<       +ADw-
>       +AD4-
IIS Vulnerabilities
• In 1997, the L0pht crew showed that Microsoft Internet Information Server (IIS) treated different representations of the character . (dot) differently.
  – Requesting the file login.asp displayed the regular HTML page.
  – Requesting the file login%2easp displayed the source code of the file.
• In 2001, Microsoft reported that entering
  http://<server>/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows..%c0%afsystem32..%c0%afcmd.exe
  (equivalent to http://<server>/../../../../../../windows/system32/cmd.exe, which normally would be blocked) would bypass the blocking and give the attacker a command console to run commands on the Web server.
  – %c0%af is an overlong UTF-8 encoding of /. The traversal check ran on the raw request, where no "../" appears; the lenient decoder then turned the sequence into /. The general lesson is to canonicalize input before validating it.
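The three encodings from the URL Coding, UTF-7 and IIS slides in one added example (not code from the lecture): a percent-escaper, a deliberately lenient UTF-8 decoder that imitates the behaviour attributed to IIS, and the naive traversal filter beside one that canonicalizes first. The function names are mine; the path used for the test is the slide's.

```python
"""Canonicalize before you validate: percent-encoding, overlong UTF-8 and UTF-7.

Added example, not from the lecture. lenient_utf8_decode imitates the decoder
behaviour the lecture attributes to IIS (accepting C0 AF as '/').
"""
from urllib.parse import unquote_to_bytes


def url_escape(ch: str) -> str:
    """One character as its URL escape: '%' plus two hex digits per byte."""
    return "".join(f"%{b:02x}" for b in ch.encode("utf-8"))


def percent_decode(s: str) -> bytes:
    """Undo %xx escapes, giving raw bytes (the byte meaning is decided afterwards)."""
    return unquote_to_bytes(s)


def strict_utf8_decodes(data: bytes) -> bool:
    """Python's codec rejects overlong sequences, as a correct decoder must."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def lenient_utf8_decode(data: bytes) -> str:
    """UTF-8 decode that also accepts overlong 2-byte forms of ASCII, the way
    the vulnerable IIS decoder did. Invalid bytes become U+FFFD."""
    out = []
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            out.append(chr(b))
            i += 1
        elif 0xC0 <= b <= 0xDF and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))   # no overlong check
            i += 2
        elif 0xE0 <= b <= 0xEF and i + 2 < len(data) and all(0x80 <= x <= 0xBF for x in data[i + 1:i + 3]):
            out.append(chr(((b & 0x0F) << 12) | ((data[i + 1] & 0x3F) << 6) | (data[i + 2] & 0x3F)))
            i += 3
        else:
            out.append("\ufffd")
            i += 1
    return "".join(out)


def blocked_naive(raw_path: str) -> bool:
    """The filter that was bypassed: looks for '../' in the request before decoding."""
    return "../" in raw_path or "..\\" in raw_path


def blocked_canonical(raw_path: str) -> bool:
    """Decode the percent escapes, then the bytes, then inspect path segments."""
    decoded = lenient_utf8_decode(percent_decode(raw_path))
    return ".." in decoded.replace("\\", "/").split("/")


def has_angle_brackets(s: str) -> bool:
    """A naive HTML-injection filter that only checks the literal characters."""
    return "<" in s or ">" in s


def utf7_decode(s: str) -> str:
    """What a browser that sniffed the page as UTF-7 would make of the bytes."""
    return s.encode("ascii").decode("utf-7")


TRAVERSAL = "/..%c0%af..%c0%af..%c0%af..%c0%afwindows..%c0%afsystem32..%c0%afcmd.exe"
```

`blocked_naive(TRAVERSAL)` is false while `blocked_canonical(TRAVERSAL)` is true, and a UTF-7 payload such as `+ADw-script+AD4-` passes `has_angle_brackets` untouched yet decodes to `<script>`; the filter has to run on what the consumer will actually see.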
A Problematic Clientele
• Attackers can, from their own browser, "experiment" with what they enter in the address bar or form fields to profile the application sitting on the server and/or to launch attacks on the weaknesses they find.
• Attackers can install malicious content in a victim's browser or manipulate what and how the browser reacts to the response sent from the Web server (e.g., cross-site scripting).
• Cookies and session variables were solutions to the dilemma caused by stateless HTTP. They can be stolen or hijacked.
• Browser add-ons can be used for attacks.
• JavaScript and ActiveX were meant to add interaction to the user experience but can be abused.
A Dilemma in Web Design
• HTTP is a stateless protocol.
  – The client makes a request; the server serves the requested document; and then (in HTTP/1.0) the server closes the connection. HTTP/1.1 keeps the connection open for reuse, but the protocol is still stateless.
  – Each request from the client is processed independently of other requests.
  – The server does not "remember" previous requests from the same client.
  – This allows the server to serve a maximum number of concurrent requests efficiently.
• However, there are many occasions when we want the server to "remember" the client.
(Not Necessarily Good) Solutions
• Cookies
  – Small blocks of ASCII text stored on the client.
  – Sent by the server in a Set-Cookie HTTP header and returned by the browser in a Cookie header on later requests, to store data temporarily in a Web browser instance.
  – May be too small for the Web application's needs.
  – A Web application cannot rely on the assumption that a user will accept cookies.
• Sessions
  – Server-side collections of variables that make up the state.
  – Once logged on, the client is assigned a session ID.
  – The client is identified by this session ID in future requests.
Cookies
• A cookie contains a name-value pair plus a series of attributes.
  – The specification for cookies defines several attributes for specific purposes (Expires, Domain, Path, Secure, HttpOnly).
  – The name and value may be defined at will by a developer.
• Cookies store information that identifies the user, his/her preferences, previous activities at the site, etc.
• Cookies pass back and forth between the Web server and the browser, providing a seemingly continuous communication session.
Cookies
• Cookies raise some privacy concerns.
• Although cookies are unable to execute code or access files, malicious use of cookies occurs when
  – Cookies are used to track a user's surfing habits.
  – A user's logon information from one site is sent to another.
Sessions
• A Web application is composed of a number of Web pages, many of which are dynamic. The first time a user accesses any of those pages, he/she starts a "session" with the Web server. When he/she closes the browser window, that particular session ends on the client side (the server keeps its copy until it times out or is explicitly destroyed).
• Most Web application frameworks provide session variables.
• Once the user logs on, a session is initiated and the user is assigned a session ID.
  – The session ID works like a short-term password or a proof of successful authentication, so it must be unpredictable and kept secret.
• Session IDs are commonly stored as cookies on the user's computer. The cookie is created when a session starts and is removed when the browser closes.
Cross-Site Scripting
• An attacker can either store a malicious script on the server (e.g., in a comment or profile field) or, as in the case described here, find a page that echoes part of the request (a query-string parameter, a form field) back into its HTML without encoding it.
• He/she then sends the victim a link to that page. In the link, he/she includes text such as a <script> tag that will invoke the malicious script.
• If the victim clicks the link, the page is requested from the server. The <script> tag in the link is reflected by the server and included as part of the HTML streamed from the server to the client.
• The victim's browser processes the HTML and when it comes across the <script> tag it executes the script, with the privileges of the site it came from.
  – The malicious code can steal the victim's information such as the session ID cookie and pass it to the attacker.
  – With the victim's session ID cookie, the attacker can impersonate the victim.
XSS Attack on My 3680 Example
XSS Attack
• The success of the XSS attack relies on injecting unexpected HTML code by manipulating the URL, hence another name, "HTML injection".
• To fool the victim and to evade detection, obfuscating the angle brackets and any other unusual characters is essential. This can be done by using URL encoding, UTF-7, etc. For example:
  http://localhost:8080/eastwind/validate2.jsp?username=%3Cscript%3Ecross%28%29%3C/script%3E
  which the server decodes to username=<script>cross()</script>.
Session Hijacking
• An attacker can get access to the session ID of a logged-in user. Ways to get a session ID:
  – Guessing
  – Brute forcing
  – Trial and error
  – Referer in the HTTP header (when the ID is carried in the URL)
  – Packet sniffing
  – Cross-site scripting
• The attacker can then install the session ID in his own browser and present it to the server.
• The server would believe that it is communicating with the authenticated user and give the attacker access to data that the victim would have access to.
• Countermeasures: long random IDs from a cryptographic generator, the Secure and HttpOnly cookie flags, TLS for the whole session, and a fresh ID issued at login.
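The XSS link from the previous slides and the cookie-theft step of session hijacking, as an added example that is not part of the lecture. It decodes the slide's URL, renders the parameter unsafely and safely, and builds a session cookie whose flags deny the injected script the cookie it is after. The page template, cookie name and helper names are assumptions; the URL is the one on the slide.

```python
"""Reflected XSS rendered unsafely and safely, and a session cookie hardened
against the cookie-theft step.

Added example, not from the lecture. The template, SESSIONID cookie name and
function names are assumptions; SLIDE_URL is the slide's own link.
"""
import html
import secrets
from urllib.parse import urlsplit, parse_qs

SLIDE_URL = ("http://localhost:8080/eastwind/validate2.jsp"
             "?username=%3Cscript%3Ecross%28%29%3C/script%3E")


def username_from_url(url: str) -> str:
    """What the server sees after percent-decoding the query string."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]


def render_vulnerable(username: str) -> str:
    """Echoes the parameter straight into the HTML: the injection point."""
    return f"<html><body><p>Welcome, {username}!</p></body></html>"


def render_escaped(username: str) -> str:
    """HTML-encode the untrusted value so the browser shows it as text."""
    return f"<html><body><p>Welcome, {html.escape(username, quote=True)}!</p></body></html>"


def contains_script_element(page: str) -> bool:
    return "<script" in page.lower()


def new_session_id() -> str:
    """256 bits from the OS CSPRNG: not guessable and not brute-forceable."""
    return secrets.token_urlsafe(32)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie line for the session. HttpOnly keeps document.cookie (and so the
    XSS payload) from reading it; Secure stops it going over plain HTTP; SameSite
    limits cross-site sends; no Expires makes it a session cookie."""
    return f"Set-Cookie: SESSIONID={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def cookie_flags(set_cookie_line: str) -> set:
    """Attribute names present on a Set-Cookie line, for auditing a response."""
    attrs = set_cookie_line.split(":", 1)[1].split(";")[1:]
    return {a.strip().split("=")[0].lower() for a in attrs if a.strip()}


def missing_flags(set_cookie_line: str) -> set:
    return {"secure", "httponly", "samesite"} - cookie_flags(set_cookie_line)
```

Output encoding at the point where untrusted data meets HTML removes the injection; the cookie flags are the second layer, so that a script which does get in still cannot hand the session ID to the attacker.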
SQL Injection
• A web application normally builds queries based on inputs taken from web/HTML controls, such as textboxes, and then passes the query to the database server.
• An attacker may be able to modify or add queries that are sent to a database server by playing with input to the web application.
• If the application code is unable to detect characters in the user input that have special meaning in SQL, the attacker may be able to do more than what the web application was designed to do.
What Can SQL Injection Do?
• Bypass logins
• Modify data
• Delete rows or entire tables
• Execute console commands
• Read hidden data
• Steal credentials
SQL Injection
• Code for handling input (C#, ASP.NET; the query is built by string concatenation):

username = txtUsername.Text.ToString();
password = txtPassword.Text.ToString();
cmdGetUserInfo.CommandText = "SELECT * FROM User WHERE UserName='" + username + "' AND Password='" + password + "'";
SQL Injection
• The SQL statement that is assembled after the user submits the form with andy' OR 'a'='a as the user name and an empty password:

SELECT * FROM User WHERE UserName='andy' OR 'a'='a' AND Password=''

• Since AND binds tighter than OR, the database reads this as UserName='andy' OR ('a'='a' AND Password=''). The parenthesised part is false (assuming no account has an empty password), so the statement is in effect evaluated as:

SELECT * FROM User WHERE UserName='andy'

• As long as the username "andy" exists, this query will retrieve the row.
  – Thus, the password becomes useless.
  – A variant such as ' OR 1=1 -- (the -- comments out the rest of the statement) makes the condition true for every row.
Prevention with Good Coding Practice
• Use strongly typed variables and database column definitions.
• Assign query results to a strongly typed variable.
• Limit data lengths.
• Apply data separation and role-based access within the database.
• Avoid creating queries via string concatenation; use parameterized (bound) queries.
• A good, though not perfect, prevention is to use stored procedures.
  – With stored procedures, attacker input is more likely to be evaluated as illegal or to return no matches.
Stored Procedures
• In the previous example, the malicious input (andy' OR 'a'='a) will be treated by the database server as the value of the @Username parameter rather than as part of the SQL statement.
• It is therefore not possible for an attacker to change the structure of the query through the parameters. This holds only if the procedure is called with bound parameters and does not build dynamic SQL internally. For example:

CREATE PROCEDURE GetUserInfo
    @Username varchar(50),
    @Password varchar(50)
AS
    SELECT * FROM [User] WHERE UserName = @Username AND Password = @Password
GO
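The login query from the two preceding slides, run both ways against a small database, as an added example that is not part of the lecture. The table rows are constructed, and the clear-text Password column only mirrors the slide (a real application stores password hashes).

```python
"""The lecture's login query built by concatenation and then with bound
parameters, run against an in-memory SQLite table.

Added example, not from the lecture. Rows are constructed; the clear-text
Password column matches the slide, not good practice.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE User (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO User VALUES (?, ?)",
                    [("andy", "s3cret"), ("alice", "hunter2")])   # constructed rows
    return con


def login_vulnerable(con: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's code: user input becomes part of the SQL text."""
    sql = ("SELECT * FROM User WHERE UserName='" + username +
           "' AND Password='" + password + "'")
    return con.execute(sql).fetchall()


def login_parameterized(con: sqlite3.Connection, username: str, password: str) -> list:
    """Same query with placeholders: the driver sends the values separately from
    the statement, so quotes and keywords inside them are data, never SQL."""
    sql = "SELECT * FROM User WHERE UserName=? AND Password=?"
    return con.execute(sql, (username, password)).fetchall()


PAYLOAD_ANDY = "andy' OR 'a'='a"   # the slide's input; AND binds first, so only andy's row comes back
PAYLOAD_ALL = "' OR 1=1 --"        # comments out the password check; every row comes back


def demo() -> dict:
    con = setup_db()
    return {
        "vuln_andy": login_vulnerable(con, PAYLOAD_ANDY, ""),
        "vuln_all": login_vulnerable(con, PAYLOAD_ALL, "anything"),
        "param_andy": login_parameterized(con, PAYLOAD_ANDY, ""),
        "param_real": login_parameterized(con, "andy", "s3cret"),
    }
```

`demo()` shows the precedence point directly: the slide's payload returns andy's row and no other, while the comment variant returns the whole table; with placeholders the same strings simply match no user.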
Other Preventive Measures
• Permissions
  – Multiple database accounts, each with the least privilege its part of the application needs
• Awareness
  – Pay attention to where your data comes from
  – Think like a hacker when programming
• Patch ASAP
• Conceal errors (return a generic error page; log the details server-side)