
HTTP & Security (Some of the slides in this file were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)

Upload: amberly-mitchell

Post on 27-Dec-2015



Page 1

HTTP & Security

(Some of the slides in this file were adapted from Oppliger’s online slides at http://www.ifi.unizh.ch/~oppliger/Presentations/WWWSecurity2e/index.htm.)

Page 2

Web Security 2

Chapter 2

• HTTP
• Network utility programs (netcat, achilles)
• User authentication, authorization & access control
• Basic HTTP authentication
• Digest access authentication
• Certificate-based authentication
• Config. of web servers

Page 3

Web Security 3

HTTP revisited

• A request/response protocol between a web browser and a web server

• A request is in the form of a URL.

• Processing of a request:

1. The host name in the URL is resolved by DNS to get the IP address of the web server;

2. A TCP connection is established between the browser and the server at port 80;

3. The browser sends an HTTP request over this connection to the server.

• Processing of a response?

Page 4

Web Security 4

HTTP Request Methods

Table 4-1. HTTP/1.0 Methods

Method: Description

GET: Retrieves the information requested from the file system. If the requested file is a static HTML file, the file's contents will be displayed. However, if the file is a dynamic ASP file, for example, the Web server will process the ASP file, execute its commands, and send the output of those commands to the requesting browser. Example: GET /default.htm HTTP/1.0. Note: You must hit ENTER twice after HTTP/1.0.

HEAD: The HEAD method is almost identical to the GET method, with only one key difference: it won't return the requested data. However, the power of HEAD is that it will respond with meta-information such as the server response code, date header, server header, and the like. This characteristic allows an attacker to enumerate a Web server's running Web software (sometimes). Example: HEAD / HTTP/1.0. Note: You must hit ENTER twice after HTTP/1.0.

POST: The POST method requests that the server accept the enclosed information and act on it. POST methods are most commonly used when CGI or server-side scripting is involved. Note: A valid Content-Length header is required for all POST requests.

• GET vs POST:

1. In GET, query data are part of the URL in the request line. In POST, query data can be embedded in a separate form.

2. GET requests are ‘pure’ queries, causing no changes in the system; POST may cause changes in the state of the system.

• Source: McClure, Stuart, Saumil Shah, and Shreeraj Shah. Web Hacking: Attacks and Defense. Addison Wesley, 2003.

Page 5

Web Security 5

HTTP Data Typing

Its data typing feature allows systems to be built independently of the data being transferred.

The Content-Type entity-header field indicates the media type of the Entity-Body sent to the recipient or, in the case of the HEAD method, the media type that would have been sent had the request been a GET.

Content-Type = "Content-Type" ":" media-type

Media types are defined in Section 3.6 of RFC 1945. An example of the field is Content-Type: text/html

Page 6

Web Security 6

HTTP Response

• An HTTP request from a client is handled by the server and responded to accordingly. To respond, the server sends back a series of message components that can be categorized as follows:
– Response code—a numeric code that corresponds to an associated response.
– Header fields—additional information about the response.
– Data—the content or body of the response.

• With these three components, the client browser understands the server's response and interacts with the server.

Page 7

Web Security 7

HTTP Response Codes

• Berners-Lee, et al. RFC 1945 HTTP/1.0, May 1996. (ftp://ftp.rfc-editor.org/in-notes/rfc1945.txt)

• The first digit of the Status-Code defines the class of response. The last two digits do not have any categorization role.

• There are 5 values for the first digit:
– 1xx: Informational - Not used, but reserved for future use
– 2xx: Success - The action was successfully received, understood, and accepted.
– 3xx: Redirection - Further action must be taken in order to complete the request
– 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
– 5xx: Server Error - The server failed to fulfill an apparently valid request

Page 8

Web Security 8

HTTP v1.0 status codes

• Status-Code =
"200" ; OK
| "201" ; Created
| "202" ; Accepted
| "204" ; No Content
| "301" ; Moved Permanently
| "302" ; Moved Temporarily
| "304" ; Not Modified
| "400" ; Bad Request
| "401" ; Unauthorized
| "403" ; Forbidden
| "404" ; Not Found
| "500" ; Internal Server Error
| "501" ; Not Implemented
| "502" ; Bad Gateway
| "503" ; Service Unavailable

• More status codes in v1.1: See ftp://ftp.rfc-editor.org/in-notes/rfc2616.txt
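As an added example (not part of the deck or of Oppliger's slides), the following Python splits a raw response into the three components of slide 6, classifies the status code by its first digit as on slide 7, and flags a Server header that reveals a product version (the concern raised on slide 23). The sample response is constructed from the netcat capture on slide 10, with the body truncated as in the capture.

```python
from typing import Optional

# Added example (not from the slides): parse a raw HTTP response into
# status line, header fields and body, and classify the status code.
# SAMPLE_RESPONSE is constructed from the slide 10 capture (body truncated).

STATUS_CLASSES = {"1": "Informational", "2": "Success", "3": "Redirection",
                  "4": "Client Error", "5": "Server Error"}

SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Date: Wed, 26 Feb 2003 15:08:22 GMT\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Content-Length: 10166\r\n"
    b"Content-Type: text/html\r\n"
    b"Set-Cookie: ASPSESSIONIDSASQDDAR=MECEBLAAEIKECJGFFELEBJMA; path=/\r\n"
    b"Cache-control: private\r\n"
    b"\r\n"
    b"<html>\r\n<head>\r\n<title>SCE Home Page</title>"
)

def parse_response(raw: bytes) -> dict:
    """Return version, code, class, reason, headers (lower-cased names), body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("response has no end-of-headers CRLF CRLF")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)      # HTTP-Version SP Status-Code SP Reason
    if len(parts) < 2 or len(parts[1]) != 3 or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if colon:
            headers[name.strip().lower()] = value.strip()
    declared = int(headers.get("content-length", len(body)))
    return {"version": parts[0], "code": int(parts[1]),
            "class": STATUS_CLASSES.get(parts[1][0], "Unknown"),
            "reason": parts[2] if len(parts) > 2 else "",
            "headers": headers, "body": body,
            # the slide 10 capture stops early, so body < Content-Length
            "truncated": len(body) < declared}

def server_disclosure(headers: dict) -> Optional[str]:
    """Report a Server header that names product and version, so the
    administrator can configure it off (slide 23)."""
    server = headers.get("server", "")
    if "/" in server:
        product, version = server.split("/", 1)
        return f"Server header discloses {product} version {version}"
    return None
```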

Page 9

Web Security 9

Network Utility Programs

Netcat
http://netcat.sourceforge.net/download.php (GNU netcat on sourceforge.net)

Cryptcat
A lightweight version of netcat with integrated transport encryption capabilities.
http://sourceforge.net/projects/cryptcat/

Page 10

Web Security 10

Network Utility Programs

Example Use of Netcat

To get a web page:

nc sce.uhcl.edu 80
GET / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 26 Feb 2003 15:08:22 GMT
Connection: Keep-Alive
Content-Length: 10166
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASQDDAR=MECEBLAAEIKECJGFFELEBJMA; path=/
Cache-control: private

<html>
<head>
<title>SCE Home Page</title> …

Page 11

Web Security 11

Network Utility Programs

Example Use of Netcat

To get the meta information of a web page:

nc sce.uhcl.edu 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Wed, 26 Feb 2003 15:11:33 GMT
Connection: Keep-Alive
Content-Length: 10166
Content-Type: text/html
Set-Cookie: ASPSESSIONIDSASQDDAR=PECEBLAAKMPGGDIHEGJOAJLJ; path=/
Cache-control: private

Page 12

Web Security 12

Network Utility Programs

Other Uses of Netcat

Have Netcat listen at a particular port:

(At the listening side) nc -L -p 53 -e cmd.exe

(At the remote side) nc -v hostAddress 53

• Allows the administrator to see if a port is reachable, for example, through a firewall.

Page 13

Web Security 13

Achilles

Acts like a web proxy.

Allows a person to intercept and modify information sent between a web server and a web browser.

Download: source code: http://sourceforge.net/projects/achilles/

An older local copy with executable: achilles-0-27.zip

Proxy configuration on the browser is needed.

Page 14

Web Security 14

• Achilles Configuration:

1. Start the proxy.

2. Check the first 4 ‘intercept modes’.

3. In the web browser, set ‘localhost’ and port 5000 to be the proxy server.

4. Then try to access a page. (The request will be sent to the Achilles window instead.)

Page 15

Web Security 15

HTTP Security

In most scenarios, authentication is not needed for a client to access the web server, because the server is configured to accept requests from anonymous users.

In some cases (such as an Intranet), authentication is needed to restrict access.

User authentication: The process of verifying the identity of a requesting user.

User authorization: The process of granting the privileges to access particular resources.

Page 16

Web Security 16

HTTP Authentication

• RFC 2617, HTTP Authentication: Basic and Digest Access Authentication. J. Franks, P. Hallam-Baker, J. Hostetler, S. Lawrence, P. Leach, A. Luotonen, L. Stewart. June 1999.

• Two authentication schemes:
– Basic authentication
– Digest access authentication

Page 17

Web Security 17

HTTP Security

The "basic" authentication scheme is based on the model that the user agent must authenticate itself with a user-ID and a password for each realm.

The server will authorize the request only if it can validate the user-ID and password for the protection space of the Request-URI. There are no optional authentication parameters.

The "basic" authentication scheme is not a secure method of user authentication, nor does it prevent the Entity-Body from being transmitted in clear text across the physical network used as the carrier.

Page 18

Web Security 18

HTTP Digest Authentication

Proposed as a simple replacement of the HTTP basic authentication scheme.

The password is not transmitted in clear. Instead, the server challenges the client with a nonce, and the client must respond with a corresponding response.

A valid response contains a checksum (by default, the MD5 checksum) of the username, the password, the given nonce value, the HTTP method, and the requested URI.

The requested URL is part of the response, meaning the response is only good for one URL.
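The digest computation described on this slide, as an added example that is not part of the deck or of Oppliger's slides. The sample values are the RFC 2617 section 3.5 example; the nonce helper and the constant-time comparison are assumptions about how a server would use the scheme, not something the slides specify.

```python
import hashlib
import hmac
import secrets

# Added example (not from the slides): RFC 2617 Digest response on the
# client side and the matching check on the server side. Sample values are
# the RFC 2617 section 3.5 example; new_nonce() and the constant-time
# compare are our assumptions about server usage.

def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()

def response_from_ha1(ha1, method, uri, nonce, qop=None, nc=None, cnonce=None):
    """HA2 binds the method and URI, so a response is good for one URI only;
    the nonce binds it to one challenge. qop=None is the legacy (RFC 2069)
    form the slide describes; qop="auth" adds the nonce count and cnonce."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1}:{nonce}:{ha2}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def client_response(username, realm, password, method, uri, nonce, **kw):
    """Client side: the password itself never goes on the wire, only HA1-derived digests."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    return response_from_ha1(ha1, method, uri, nonce, **kw)

def new_nonce() -> str:
    """Server side: an unpredictable nonce per challenge, so a captured
    response cannot be replayed against a later challenge."""
    return secrets.token_hex(16)

def server_verify(stored_ha1, method, uri, nonce, response, **kw) -> bool:
    """Server side: store HA1 rather than the clear password and recompute
    the expected response for the method and URI actually requested."""
    expected = response_from_ha1(stored_ha1, method, uri, nonce, **kw)
    return hmac.compare_digest(expected, response)

# RFC 2617 section 3.5 sample values
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

def rfc2617_example() -> str:
    return client_response(USER, REALM, PASSWORD, "GET", "/dir/index.html",
                           NONCE, qop="auth", nc="00000001", cnonce="0a4f113b")
```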

Page 19

Web Security 19

HTTP Authentication

Drawbacks of Digest access authentication:

Still a password-based authentication method (with its limitations)

Not supported by all browsers and servers

Neither HTTP basic authentication nor digest authentication can be used to encrypt data

SSL/TLS may be used if data encryption is needed

Certificate-based authentication

Page 20

Web Security 20

HTTPS

HTTP over SSL

SSL encrypts traffic between two hosts, significantly reducing the ability of an attacker to access sensitive traffic and record information such as passwords.

But SSL does not truly provide security if the server's private key (the key behind its SSL certificate) is exposed. Tools such as ssldump can then be used to decrypt SSL traffic.

A network packet analyzer: Snort (http://www.snort.org/)

Page 21

Web Security 21

HTTP Security Considerations

The GET and HEAD methods should never have the significance of taking an action other than retrieval. These methods should be considered “safe”. True?

It is not possible to ensure that the server does not generate side-effects as a result of performing a GET request.

Page 22

Web Security 22

HTTP Security Considerations

Abuse of Server Log Information:

A server is in the position to save personal data about a user's requests which may identify their reading patterns or subjects of interest.

This information is clearly confidential in nature and its handling may be constrained by law in certain countries.

Page 23

Web Security 23

HTTP Security Considerations

Transfer of Sensitive Information:

– HTTP cannot regulate the content of the data that is transferred, nor is there any a priori method of determining the sensitivity of any particular piece of information within the context of any given request.

– Revealing the specific software version of the server may allow the server machine to become more vulnerable to attacks against software that is known to contain security holes. Implementers should make the Server header field a configurable option.

– Proxies which serve as a portal through a network firewall SHOULD take special precautions regarding the transfer of header information that identifies the hosts behind the firewall.

Page 24

Web Security 24

HTTP Security Considerations

Attacks Based on File and Path Names:

Implementations of HTTP origin servers should be careful to restrict the documents returned by HTTP requests to be only those that were intended by the server administrators.

For example, Unix, Microsoft Windows, and other operating systems use ".." to indicate a directory level above the current one.

Files intended for reference only internally to the server (such as access control files, configuration files, and script code) must be protected from inappropriate retrieval.
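One way an origin server can confine requests to the intended documents, as an added example (not from the deck or from Oppliger's slides): the request path is decoded, normalized and checked to lie under the document root, and internal-only file names are refused. The document root and the internal file list are constructed for the example, and paths are handled as plain strings so it runs without a real filesystem.

```python
import posixpath
from urllib.parse import unquote

# Added example (not from the slides): a document-root confinement check of
# the kind slide 24 asks origin servers to perform. Paths are handled with
# posixpath as strings, so no real filesystem is needed; the document root
# and the internal-only file names below are constructed for the example.

DOC_ROOT = "/var/www/html"
INTERNAL_FILES = {".htaccess", ".htpasswd", "server.conf"}   # constructed

def resolve_request_path(request_path: str, doc_root: str = DOC_ROOT):
    """Map a Request-URI path onto a file under doc_root. Returns None when
    the path would escape the root or names an internal-only file."""
    # Drop the query, then percent-decode exactly once: "%2e%2e" is ".."
    # after decoding, so a check done on the encoded form would miss it.
    path = unquote(request_path.split("?", 1)[0])
    if "\x00" in path:               # NUL would truncate the name in C code
        return None
    # Windows servers accept "\" as a separator too; treat it the same way.
    path = path.replace("\\", "/")
    root = posixpath.normpath(doc_root)
    # normpath collapses "." and ".." segments; confinement is then a prefix
    # test against "root/" (the slash stops "/var/www/htmlx" from matching).
    full = posixpath.normpath(posixpath.join(root, path.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        return None
    if posixpath.basename(full) in INTERNAL_FILES:
        return None
    if full == root:                 # request for "/" -> default document
        full = posixpath.join(root, "index.html")
    return full
```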

Page 25

Web Security 25

Configuration of Web Server

User group configuration

Authentication files

Authorization

Examples:

Apache Web server: see the book

IIS web server in Windows 2003