EMAIL & WEB Dr. Andy Wu BCIS 4630 Fundamentals of IT Security


Post on 21-Jan-2016


Page 1: EMAIL & WEB

Dr. Andy Wu

BCIS 4630 Fundamentals of IT Security

Page 2: Overview

• Email security concerns
• Web application security concerns
• Server vulnerabilities
  – Character encoding
• Stateless HTTP: a dilemma
• Attack on/from client
  – Cross-site scripting (HTML injection)
  – Session hijacking
  – SQL injection

Page 3: Email Attacks

• Email server and client programs are software applications that, like any other applications, contain vulnerabilities due to programmer error and oversight.
• Email content and credentials are transmitted in clear text, making them susceptible to sniffing.
• Other common email-related security problems:
  – Virus (the proverbial attachment)
  – Worms
  – Spamming
  – Phishing
  – Scams (419s)
  – Hoax

Page 4: SMTP Vulnerabilities

• Attackers can use several commands to exploit SMTP servers.
• Buffer overflows
  – Hackers may try to overflow the buffer of the user’s system.
  – Use abnormally long input when issuing the HELO, MAIL or RCPT commands.
• Attackers can use malicious code to take control of the mail server itself.
  – Permits attackers to take complete control of a mail system.
  – Debug and Wiz commands can open a back door.

Page 5: SMTP Vulnerabilities

• Attackers scan the Internet for any incorrectly configured SMTP servers.
• Scanning e-mail servers
  – EXPN and VRFY may allow attackers to acquire information from an e-mail server.
• Spamming e-mail servers
  – Attacker sends a single e-mail message to a large number of recipients.
  – Attacker takes advantage of improperly configured servers.

Page 6: Forged Email Headers

• Headers that can be forged:
  – Subject, Date, Message-ID
  – From, To, CC
  – Any arbitrary fields such as X-Mailer and X-Message-Info
  – Received (except the last one)
• Headers that cannot be forged:
  – The final Received
  – IP address of the originating mail server
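An added example, not from the lecture, that reads the header chain of a constructed message and trusts only the Received line written by our own server (the hostname mx.com1.com, the sample IPs and the message text are assumptions):

```python
import re
import email

# Constructed sample message (not from the slides). The top Received line was
# written by our own server, mx.com1.com (assumed hostname); everything below
# it arrived from the remote side and could have been typed in by the sender.
RAW_MESSAGE = """\
Received: from relay.example.net (relay.example.net [203.0.113.7])
        by mx.com1.com with ESMTP id q7x; Mon, 18 Jan 2016 10:00:00 -0600
Received: from mail.bank-example.com (mail.bank-example.com [198.51.100.2])
        by relay.example.net with ESMTP; Mon, 18 Jan 2016 09:59:00 -0600
From: "Security Team" <alerts@bank-example.com>
To: alice@com1.com
Subject: Urgent security update
X-Mailer: Outlook Express
Message-ID: <20160118@bank-example.com>

Please log in at the link below.
"""

OUR_HOSTNAME = "mx.com1.com"
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """All Received headers, newest hop first (the order they sit in the message)."""
    return email.message_from_string(raw).get_all("Received", [])


def originating_ip(raw, our_host=OUR_HOSTNAME):
    """IP of the peer that handed the message to our own MTA.

    Only the Received line our MTA wrote ('by <our_host>') is trustworthy;
    every Received line beneath it came from the remote side and may be
    forged, as may From, To, Message-ID and the X- headers.
    """
    for hop in received_chain(raw):
        if f"by {our_host}" in hop:
            match = IP_IN_BRACKETS.search(hop)
            return match.group(1) if match else None
    return None  # no hop written by us: the message never passed through our MTA


def claimed_sender_domain(raw):
    """Domain in the From header; it says nothing about where the mail came from."""
    sender = email.message_from_string(raw)["From"] or ""
    return sender.rsplit("@", 1)[-1].rstrip(">").lower()


if __name__ == "__main__":
    print("trusted origin IP:", originating_ip(RAW_MESSAGE))
    print("claimed From domain:", claimed_sender_domain(RAW_MESSAGE))
```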

Page 7: Spam

• Spam is the common term for unsolicited commercial e-mail.
  – The term comes from a skit on Monty Python's Flying Circus where two people are in a restaurant that only serves spam.
  – The key to spam is the concept of repetition of unwanted things.
• The biggest incentive for the spammers is the “referral fees” that they can collect by “referring” people to some commercial sites.
  – Pornography sites used to be the most popular.
  – Recently, the most common sites promoted are online pharmacies and loans.
• Spammers utilize mail relays for two purposes:
  – To offload the work of sending large amounts of mail
  – To disguise the source of the mail

Page 8: Open Relay

• Chucky ([email protected]) wants to send email to [email protected], [email protected], [email protected]...
• A properly (ideally) configured email server should only send out emails originated from its own domain and deliver emails destined to user accounts within its domain.
  – If Com1’s SMTP server is configured correctly, it will not send out these emails because Chucky’s email address belongs in another domain (childsplay.com).
  – If these three emails come from outside, it will simply drop the emails for Bob and Eve. It, however, will deliver the email to Alice.
• If Com1’s email server is mis-configured, it behaves differently.
  – Chucky may be able to deliver these emails even though his account is from a different domain (childsplay.com instead of com1.com).
  – Even though emails to Bob and Eve are for addresses in other domains (com2.com, com3.com), it will try its best effort to deliver them by forwarding them to other email servers.
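A small policy model of the scenario on this slide, as an added example that is not part of the lecture: the addresses for Chucky, Alice, Bob and Eve are constructed from the names and domains above, and the "submitted locally" flag stands in for an authenticated client of the local domain.

```python
LOCAL_DOMAIN = "com1.com"  # the domain Com1's server is responsible for (from the slide)


def domain_of(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[1].lower()


def correct_server(sender, recipient, submitted_locally, local_domain=LOCAL_DOMAIN):
    """Decision of a properly configured server for one (sender, recipient) pair.

    submitted_locally is True when the message was handed in by a user of
    local_domain (in practice an authenticated client) and False when it
    arrived from an outside server. Returns 'deliver', 'relay' or 'drop'.
    """
    if domain_of(recipient) == local_domain:
        return "deliver"            # inbound mail for one of our own accounts
    if submitted_locally and domain_of(sender) == local_domain:
        return "relay"              # outbound mail from our own users
    return "drop"                   # anything else is third-party relaying


def open_relay(sender, recipient, submitted_locally, local_domain=LOCAL_DOMAIN):
    """The mis-configured behaviour from the slide: best-effort delivery for everyone."""
    return "deliver" if domain_of(recipient) == local_domain else "relay"


def triage(server, sender, recipients, submitted_locally):
    """Apply one policy function to every recipient of a message."""
    return {rcpt: server(sender, rcpt, submitted_locally) for rcpt in recipients}


# Chucky's three messages from the slide (addresses constructed from its names)
CHUCKY = "chucky@childsplay.com"
RECIPIENTS = ["alice@com1.com", "bob@com2.com", "eve@com3.com"]

if __name__ == "__main__":
    print("correct server:", triage(correct_server, CHUCKY, RECIPIENTS, False))
    print("open relay:    ", triage(open_relay, CHUCKY, RECIPIENTS, False))
```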

Page 9: Fighting Spam

• Ways to fight spam include:
  – E-mail filtering
  – Educate users about spam
    • Cautious internet surfing
    • Cautious towards unknown e-mail
  – Shut down open relays
  – Host/server filters
  – Blacklisting or DNSBL
  – Greylisting

Page 10: Blocking Spam

• Spam can be filtered at the host level with pattern matching, focusing on the sender, the subject, or the text of the e-mail.
• Spam can also be filtered at the server level by using pattern matching, but some mail software also uses blackhole lists of open relays.
• Spammers, however, always come up with even smarter ways to evade detection.
  – Sending the spam message as an image file seems to be the most “effective” at this time.

Page 11: Phishing

• Tries to obtain users’ confidential information such as identification data, credit card numbers, bank account numbers, and web site credentials by tricking the users into visiting fake Web sites.
• Often delivered with spam from “throw-away” email accounts and spoofed identities.
• Often uses social engineering, e.g., the email urges users to take some action. If users comply and perform actions such as a “security update”, they will be entering confidential information.

Page 12: Phishing Skills

• Impersonation is the most popular and simplest method of deceit.
• The attacker builds a complete fake site that looks almost identical to the real McCoy, often using images from the real site and adopting the same elements of style.
• The attacker can use Web crawlers that look at a site and attempt to download text and links on that site.
• Images can be placed on the fake site by directly linking their sources to the real site.

Page 13: 419 Scams

• 419 or Advance Fee Fraud
  – Named after the relevant section of the Criminal Code of Nigeria referring to “Advance Fee Fraud”.
  – Occurs when the victim pays money to someone in anticipation of receiving something of greater value.
• Victim is approached by an offshore company or individual who cannot move a huge sum of money overseas due to “foreign exchange control”.
• The victim is asked to transfer a relatively small amount of money to help with the transfer of the huge sum. He/she is offered some percentage of that money in return.

Page 14: Web Apps: What Can Go Wrong

• Web platform
  – Platform software (OS, IIS, etc.) may contain vulnerabilities.
• Client software
  – Browser functionalities, e.g., scripting support, plug-ins, can be abused.
• Web application
  – Authentication mechanism or program logic may have flaws.
  – Session management mechanisms, e.g., cookies, sessions, can be manipulated.
• Database server
  – Malicious database queries compromise confidentiality or execute commands.
• Transport
  – Traffic between the client and the server can be sniffed.

Page 15: Web Platforms

• Attacks can be launched by:
  – Finding the vulnerabilities in the platform on which the Web server is running, e.g., server OS, Web server application.
  – Tampering with the information in the browser’s URL bar, HTTP header, input in fields in an HTML form, etc.
  – Non-ASCII encoding schemes can be used to obfuscate the attack and evade detection.

Page 16: Encoding

• Web pages and URLs largely use the ASCII character set. However, some characters have special meanings and could cause confusion if entered as ASCII characters.
  – Also, HTTP does not allow spaces in the URL.
• Alternative encoding schemes, therefore, were created to encode characters.
• Unfortunately, they are largely HEX-based and the resultant patterns of characters look cryptic compared with their ASCII counterparts.
• To untrained eyes, the meaning of a string of non-ASCII characters is not readily interpretable.

Page 17: URL Coding

• Characters are represented in a URL as a percent sign directly followed by the two-digit HEX equivalent to the character’s ASCII value.
• The encoded form is called a “URL escape”.
• They are often seen in phishing emails as a way to obfuscate the nature of the URL.

Char      ASCII   URL Escape   Char      ASCII   URL Escape
.         72      %2e          /         73      %2f
<         86      %3c          >         88      %3e
(         66      %28          )         67      %29
(space)   32      %20          null      0       %00

Page 18: Base64

• Base64 is used to code and decode binary data (0s and 1s) as printable ASCII characters.
• It processes 3 bytes (24 bits) at a time. To ensure that the coding results in printable ASCII characters, it takes 6 bits out of the 24, finds their decimal equivalent, converts it to a printable character, and then takes the next 6.
  – Using six bits means that there are 2^6 = 64 possibilities: 10 digits, 26 lower case letters, 26 uppercase letters, the plus sign (+), and the forward slash (/).
• Email handles binary in Base64.

Value   Character   Value   Character
0       A           42      a
52      1           61      9
62      +           63      /
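An added example, not from the lecture, that implements the 3-bytes-to-4-characters step described above (including the "=" padding for a short final group) and cross-checks it against Python's standard base64 module:

```python
import base64

# The 64-symbol alphabet in index order: 0-25 A-Z, 26-51 a-z, 52-61 digits, 62 '+', 63 '/'
ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
PAD = "="


def b64encode_manual(data):
    """Encode bytes the way the slide describes: 3 bytes -> 24 bits -> four 6-bit values."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)                     # 0, 1 or 2 bytes short in the last group
        bits = int.from_bytes(chunk + b"\x00" * missing, "big")   # one 24-bit group
        # slice the 24 bits into four 6-bit values, most significant first
        chars = [ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        if missing:                                  # '=' marks the 6-bit slots that carry no data
            chars[4 - missing:] = PAD * missing
        out.append("".join(chars))
    return "".join(out)


def b64decode_manual(text):
    """Reverse the process: four characters -> 24 bits -> up to 3 bytes."""
    if len(text) % 4:
        raise ValueError("Base64 text length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        missing = group.count(PAD)
        values = [ALPHABET.index(c) for c in group.rstrip(PAD)] + [0] * missing
        bits = (values[0] << 18) | (values[1] << 12) | (values[2] << 6) | values[3]
        out += bits.to_bytes(3, "big")[:3 - missing]
    return bytes(out)


def matches_stdlib(data):
    """True when the manual encoder agrees with the standard library for this input."""
    return b64encode_manual(data) == base64.b64encode(data).decode("ascii")


if __name__ == "__main__":
    for sample in (b"Man", b"Ma", b"M"):
        print(sample, "->", b64encode_manual(sample))
```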

Page 19: UTF-7

• The English characters can be sufficiently handled with the default UTF-8 scheme.
• To represent characters not found in English, alternatives have to be used, e.g., Unicode, UTF-7, etc.
• UTF-7 is a widely supported scheme. It converts Unicode into ASCII values.

UTF-8   UTF-7
<       +ADw-
>       +AD4-

Page 20: IIS Vulnerabilities

• In 1997, the L0pht crew showed that Microsoft Internet Information Server (IIS) treated different representations of the character . (dot) differently.
  – Requesting the file login.asp displayed the regular HTML page.
  – Requesting the file login%2easp displayed the source code of the file.
• In 2001, Microsoft reported that entering http://<server>/..%c0%af..%c0%af..%c0%af..%c0%af..%c0%afwindows..%c0%afsystem32..%c0%afcmd.exe (equivalent to http://<server>/../../../../../../windows/system32/cmd.exe, which normally would be blocked) would bypass blocking and give the attacker a command console to run commands on the Web server.
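The defensive counterpart to both IIS cases, as an added example that is not from the lecture: decode the request path once with a strict UTF-8 decoder, which rejects the overlong %c0%af spelling of "/", and only then compare the canonical result against the web root, so login.asp and login%2easp are one and the same file. The web root path is an assumption; the %00 escape from the URL coding table is handled as well.

```python
import posixpath
from urllib.parse import unquote_to_bytes

WEBROOT = "/inetpub/wwwroot"   # assumed document root for the example


def decode_request_path(raw_path):
    """Percent-decode once, then insist on strict UTF-8.

    The 2001 IIS flaw came from accepting %c0%af (an overlong two-byte spelling
    of '/') as a path separator after the traversal check had already run.
    A strict decoder rejects overlong sequences, so there is only one spelling
    of each character by the time any check sees the path.
    """
    decoded = unquote_to_bytes(raw_path)
    try:
        path = decoded.decode("utf-8")               # strict: raises on %c0%af
    except UnicodeDecodeError as exc:
        raise ValueError(f"invalid or overlong UTF-8 in path: {exc.reason}") from exc
    if "%" in path:
        raise ValueError("nested percent-encoding")  # e.g. %252e would decode again later
    if "\x00" in path:
        raise ValueError("NUL byte in path")         # %00 from the URL escape table
    return path


def resolve_under_webroot(raw_path, webroot=WEBROOT):
    """Map a request path to a file path; raise ValueError if it leaves webroot.

    login.asp and login%2easp both end up as the same canonical path, so the
    server has exactly one handler decision to make for that file.
    """
    path = decode_request_path(raw_path)
    target = posixpath.normpath(posixpath.join(webroot, path.lstrip("/")))
    if target != webroot and not target.startswith(webroot + "/"):
        raise ValueError("path escapes the web root")
    return target


def is_allowed(raw_path, webroot=WEBROOT):
    """Boolean form of the check, convenient for request filtering."""
    try:
        resolve_under_webroot(raw_path, webroot)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for req in ("/login.asp", "/login%2easp", "/..%c0%af..%c0%afwindows..%c0%afsystem32..%c0%afcmd.exe"):
        print(req, "->", "allowed" if is_allowed(req) else "rejected")
```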

Page 21: A Problematic Clientele

• An attacker, from his or her own browser, can “experiment” with what he/she enters in the address bar or form fields to profile the application sitting on the server and/or to launch attacks on the weaknesses he/she finds.
• An attacker can install malicious content in a victim’s browser or manipulate what and how the browser reacts to responses sent from the Web server (e.g., cross-site scripting).
• Cookies and session variables were solutions to the dilemma caused by stateless HTTP. They can be stolen or hijacked.
• Browser add-ons can be used for attacks.
• JavaScript and ActiveX were meant to add interaction to the user experience but can be abused.

Page 22: A Dilemma in Web Design

• HTTP is a stateless protocol.
  – The client makes a request; the server serves the requested document; and then the server closes the connection.
  – Each request from the client is processed independently of other requests.
  – The server does not “remember” previous requests from the same client.
  – This allows the server to serve a maximum number of concurrent requests efficiently.
• However, there are many occasions when we want the server to “remember” the client.

Page 23: (Not Necessarily Good) Solutions

• Cookies
  – Small blocks of ASCII text stored on the client.
  – Passed within an HTML stream to store data temporarily in a Web browser instance.
  – May be too small for a Web application’s needs.
  – A Web application cannot rely on the assumption that a user will accept cookies.
• Sessions
  – Server-side collections of variables that make up the state.
  – Once logged on, the client is assigned a session ID.
  – The client is identified by this session ID in future requests.

Page 24: Cookies

• A cookie contains a series of name-value pairs.
  – The specification for cookies establishes several specific name-value pairs for defined purposes.
  – Additional name-value pairs may be defined at will by a developer.
• Cookies store information that identifies the user, his/her preferences, previous activities at the site, etc.
• Cookies pass back and forth between the Web server and the browser, providing a seemingly continuous communication session.

Page 25: Cookies

• Cookies raise some privacy concerns.
• Although cookies are unable to execute code or access files, malicious use of cookies occurs when
  – Cookies are used to track a user’s surfing habits.
  – A user’s logon information from one site is sent to another.

Page 26: Sessions

• A Web application is composed of a number of Web pages, many of which are dynamic. The first time a user accesses any of those pages, he/she starts a “session” with the Web server. When he/she closes the browser window, that particular session ends.
• Most Web applications can use session variables.
• Once the user logs on, a session is initiated and the user is assigned a session ID.
  – The session ID works like a short-term password or a proof of successful authentication.
• Some programmers may store session IDs as cookies on the user’s computer. The cookie is created when a session starts and is removed when the session ends.

Page 27: Cross-Site Scripting

• An attacker can connect to the server and hide malicious scripts on the server.
• He/she then sends the victim a link to the infected page on the server. In the link, he/she includes text such as the <script> tag that will invoke the malicious script on the server.
• If the victim clicks the link, the page is requested from the server. However, the <script> tag in the link is included as part of the HTML streamed from the server to the client.
• The victim’s browser processes the HTML and when it comes across the <script> tag it invokes the script.
  – The malicious code can steal the victim’s information such as the session ID cookie and pass it to the attacker.
  – With the victim’s session ID cookie, the attacker can impersonate the victim.

Page 28: XSS Attack on My 3680 Example

Page 29: XSS Attack

• The success of the XSS attack relies on injecting unexpected HTML code by manipulating the URL, hence another name, “HTML injection”.
• To fool the victim and to evade detection, obfuscating the angle brackets and any other unusual characters is essential. This can be done by using URL encoding, UTF-7, etc. For example:

http://localhost:8080/eastwind/validate2.jsp?username=%3Cscript%3Ecross%28%29%3C/script%3E
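An added example (not the lecture's or the eastwind application's code) that takes the URL above, shows the reflected-parameter bug beside its output-escaped form, and flags parameter values that only turn into markup under a UTF-7 decode, which is the +ADw- / +AD4- trick from the UTF-7 slide. The greeting markup and the Content-Type value are assumptions.

```python
import html
from urllib.parse import parse_qs, urlsplit

# The URL from the slide: <script>cross()</script> percent-encoded into the username parameter
EXAMPLE_URL = ("http://localhost:8080/eastwind/validate2.jsp"
               "?username=%3Cscript%3Ecross%28%29%3C/script%3E")

# Response header the page should always carry so the browser never guesses a
# charset (a browser left to sniff may settle on UTF-7 and turn +ADw- into '<')
CONTENT_TYPE = "text/html; charset=UTF-8"


def username_from_url(url):
    """What the server-side code sees after the query string is percent-decoded."""
    return parse_qs(urlsplit(url).query).get("username", [""])[0]


def render_unsafe(username):
    """Reflecting the parameter verbatim: this is the bug the slide describes."""
    return f"<p>Hello, {username}</p>"


def render_safe(username):
    """Escape at the output point: <, >, &, ' and " become entities, so the
    browser displays the text and never sees a tag."""
    return f"<p>Hello, {html.escape(username, quote=True)}</p>"


def utf7_hides_markup(value):
    """True when the value contains no markup characters as typed but would
    gain some if a browser decoded it as UTF-7. Useful as a log/alert signal;
    the real fix is the explicit charset in CONTENT_TYPE."""
    markup = set("<>\"'&")
    if markup & set(value):
        return False
    try:
        decoded = value.encode("ascii").decode("utf-7")
    except (UnicodeEncodeError, UnicodeDecodeError):
        return False
    return bool(markup & set(decoded))


if __name__ == "__main__":
    name = username_from_url(EXAMPLE_URL)
    print("unsafe:", render_unsafe(name))
    print("safe:  ", render_safe(name))
    print("utf-7 form flagged:", utf7_hides_markup("+ADw-script+AD4-cross()+ADw-/script+AD4-"))
```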

Page 30: Session Hijacking

• An attacker can get access to the session ID of a logged-in user. Ways to get a session ID:
  – Guessing
  – Brute forcing
  – Trial and error
  – Referer in HTTP header
  – Packet sniffing
  – Cross-site scripting
• The attacker can then install the session ID in his own browser and present it to the server.
• The server would believe that it is communicating with the authenticated user and give the attacker access to data that the victim would have access to.

Page 31: SQL Injection

• A web application normally builds queries based on inputs taken from web/HTML controls, such as textboxes, and then passes the query to the database server.
• An attacker may be able to modify or add queries that are sent to a database server by playing with input to the web application.
• If the application code is unable to detect characters in the user input that have special meaning in SQL, the attacker may be able to do more than what the web application was designed to do.

Page 32: What Can SQL Injection Do?

• Bypass logins
• Modify data
• Delete rows or entire tables
• Execute console commands
• Read hidden data
• Steal credentials

Page 33: SQL Injection

• Code for handling input

    // raw text from the two form fields, no validation or escaping
    username = txtUsername.Text.ToString();
    password = txtPassword.Text.ToString();
    // the input is spliced straight into the SQL text, so a quote in the
    // input ends the string literal and the rest is parsed as SQL
    cmdGetUserInfo.CommandText = "SELECT * FROM User WHERE UserName='" + username + "' AND Password='" + password + "'";

Page 34: SQL Injection

• The SQL statement that is assembled after the user submits the form:

    SELECT * FROM User WHERE Username='andy' OR 'a'='a' AND Password=''

• Since the AND part is evaluated before the OR part, and “a” is always equal to “a”, the statement is in effect evaluated as:

    SELECT * FROM User WHERE UserName='andy' OR TRUE

• As long as the username “andy” exists, this query will retrieve the row.
  – Thus, the password becomes useless.

Page 35: Prevention with Good Coding Practice

• Use strongly typed variables and database column definitions.
• Assign query results to a strongly typed variable.
• Limit data lengths.
• Apply data separation and role-based access within the database.
• Avoid creating queries via string concatenation.
• A good, though not perfect, prevention is to use stored procedures.
  – With stored procedures, attacker input is more likely to be evaluated as illegal or to return no matches.

Page 36: Stored Procedures

• In the previous example, the malicious input (andy OR ‘a’=‘b) will be treated by the database server as the value of the @username parameter rather than part of the SQL statement.
• It is not possible for an attacker to manipulate the entire query. For example,

    -- @Username and @Password are procedure parameters: the caller binds the
    -- form input to them as values, so it is never parsed as SQL text
    CREATE PROCEDURE GetUserInfo
        @Username varchar(50),
        @Password varchar(50)
    AS
        SELECT * FROM User WHERE Username = @Username AND Password = @Password
    GO
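An added example, not from the lecture, that runs the concatenated query from the earlier SQL Injection slides and a parameterized equivalent against an in-memory SQLite table (the stored password is constructed). Parameter binding gives the same separation of query text from value that the stored procedure's @Username parameter relies on.

```python
import sqlite3

# The input that turns the slide's query into ... UserName='andy' OR 'a'='a' AND Password=''
INJECTED_USERNAME = "andy' OR 'a'='a"


def make_db():
    """In-memory copy of the User table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE User (UserName TEXT, Password TEXT)")
    conn.execute("INSERT INTO User VALUES ('andy', 'correct-horse')")
    return conn


def assemble_concatenated(username, password):
    """Exactly the string the slide's C# code builds (vulnerable by construction)."""
    return ("SELECT * FROM User WHERE UserName='" + username +
            "' AND Password='" + password + "'")


def login_concatenated(conn, username, password):
    """Run the concatenated query: the input is parsed as SQL, not as a value."""
    return conn.execute(assemble_concatenated(username, password)).fetchone()


def login_parameterized(conn, username, password):
    """Bound parameters: the driver passes the input as data, so the quote in
    INJECTED_USERNAME is just a character to compare against the column."""
    sql = "SELECT * FROM User WHERE UserName=? AND Password=?"
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(assemble_concatenated(INJECTED_USERNAME, ""))
    print("concatenated, empty password:", login_concatenated(db, INJECTED_USERNAME, ""))
    print("parameterized, same input:   ", login_parameterized(db, INJECTED_USERNAME, ""))
```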

Page 37: Other Preventive Measures

• Permissions
  – Multiple database accounts
• Awareness
  – Pay attention to where your data comes from
  – Think like a hacker when programming
• Patch ASAP
• Conceal errors