Security of Web Servers and Web Applications
DESCRIPTION
Presentation for Software Freedom Kosova Conference 2011
TRANSCRIPT
![Page 1: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/1.jpg)
IT-Security
Software Freedom Kosova 2011
Security of Web Servers and Web Applications
![Page 2: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/2.jpg)
Who's Talking?
Amir Neziri lives and works in Germany
Double Degree in Master of Science: Master in Computer Science and Master in IT-Security from TU Darmstadt, Germany
Currently I'm writing my Master Thesis about Data Security in Cloud Services
Profession: Software Engineer, Consultant for Web and Software Security
http://www.linkedin.com/in/amirneziri
https://www.xing.com/profile/Amir_Neziri
11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications |Amir Neziri 2
![Page 3: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/3.jpg)
Security of Web Servers and Web Applications
Why is it so important today?
![Page 4: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/4.jpg)
Motivation – Political Damage
![Page 5: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/5.jpg)
Motivation – Political Damage
![Page 6: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/6.jpg)
…more shocking news
![Page 7: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/7.jpg)
…more shocking news
![Page 8: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/8.jpg)
Motivation – Political Damage
![Page 9: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/9.jpg)
Motivation – Economic Damage
![Page 10: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/10.jpg)
Motivation – Economic Damage
![Page 11: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/11.jpg)
So….
Are we lost now????
NO!
![Page 12: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/12.jpg)
Agenda
Components and Architecture
Security Attacks
Defenses
Securing (Web) Server
Securing Web Applications
Take home message
![Page 13: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/13.jpg)
Components & Architecture
![Page 14: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/14.jpg)
Security Attacks
![Page 15: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/15.jpg)
Security Attacks
![Page 16: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/16.jpg)
Security Attacks
![Page 17: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/17.jpg)
Security Attacks
![Page 18: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/18.jpg)
Security Attacks
![Page 19: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/19.jpg)
Security Attacks
![Page 20: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/20.jpg)
Defenses
Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
![Page 21: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/21.jpg)
Securing the operating system
Variety of possible sources of information:
Federal Office for Information Security (BSI, Germany): Server Security, IT-Security Catalog https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b03/b03.html
National Security Agency (NSA, USA): recommendations and guidelines for the installation and configuration of operating systems with a focus on security
![Page 22: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/22.jpg)
Security is a Process
![Page 23: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/23.jpg)
Example: Linux Systems
![Page 24: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/24.jpg)
Example: Linux Systems
![Page 25: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/25.jpg)
Linux Systems - Installation
Installation from CD: authentic source, but contains no updates
Installation from Network: an authentic and trustworthy source is needed
Minimal Functionality. Example: server systems do not need a GUI
Example Web-Server Installation: Web-Server, Secure-Shell, Secure File Transfer
ATTENTION: Do not use insecure protocols like FTP
![Page 26: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/26.jpg)
Example: Linux Systems
![Page 27: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/27.jpg)
Linux Systems - Configuration
Get all running Services:
nmap localhost
or
netstat -lnp --ip
netstat -lnp --inet6
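Listing the services is only the first half of the check; the second half is comparing what listens against what the server is supposed to expose. The following script is an added example, not from the slides: it parses output in the format of netstat -lnp --inet (the sample output is constructed for this example, not captured from a real host) and reports every listener whose port is not on an allowlist, which is exactly the list of candidates for the "shut down unused services" step on the next slide.

```shell
#!/bin/sh
# Added example (not from the slides): compare the listening sockets a host
# reports against an allowlist of ports the server is supposed to expose.
# Input format is that of `netstat -lnp --inet`; the sample below is
# constructed for this example, not captured from a real server.

SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1204/apache2
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN      940/vsftpd
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1011/mysqld
udp        0      0 0.0.0.0:68              0.0.0.0:*                           430/dhclient'

# Print "proto port program" for every listening socket in netstat output read from stdin.
# The port is the last ":"-separated part of the local address; the program name
# is the last column with the "PID/" prefix removed.
listening_services() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            n = split($4, a, ":"); port = a[n]
            prog = $NF; sub(/^[0-9]+\//, "", prog)
            print $1, port, prog
        }'
}

# Report listeners whose port is not in the space-separated allowlist.
# Usage: netstat -lnp --inet | unexpected_listeners "22 80"
unexpected_listeners() {
    allowed=" $1 "
    listening_services | while read -r proto port prog; do
        case "$allowed" in
            *" $port "*) ;;                                   # expected service
            *) printf '%s/%s %s\n' "$proto" "$port" "$prog" ;; # review or shut down
        esac
    done
}

# Number of unexpected listeners in the constructed sample for a given allowlist.
sample_unexpected_count() {
    printf '%s\n' "$SAMPLE_NETSTAT" | unexpected_listeners "$1" | wc -l | tr -d ' '
}
```

Run on a live host with netstat -lnp --inet | unexpected_listeners "22 80"; the FTP daemon in the sample shows up immediately, which matches the slide's warning against FTP, and the database port is a reminder that even loopback-only listeners deserve a line in the allowlist so that a new one does not go unnoticed.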
![Page 28: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/28.jpg)
Linux Systems - Configuration
Shut down unused Services
Hide Services with Port Knocking. Example: the Web Server service is public; hide the SFTP and SSH services
Use One-time Passwords, generating them with password generators
![Page 29: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/29.jpg)
Example: Linux Systems
![Page 30: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/30.jpg)
Linux Systems – Maintenance / Updates
Always update the installed Software
Debian/Ubuntu:
apt-get update && apt-get upgrade
or
apt-get update && apt-get dist-upgrade
IMPORTANT: The Kernel should always be up-to-date
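One caveat behind the kernel rule: apt-get dist-upgrade installs the new kernel on disk, but the old kernel keeps running until the next reboot, so "installed" and "running" can differ for weeks. The helpers below are an added example, not from the slides; they compare the running kernel (uname -r) with the newest kernel image found under /boot on a Debian/Ubuntu host. Version ordering relies on GNU sort -V, which is assumed to be available.

```shell
#!/bin/sh
# Added example (not from the slides): detect a host that has a newer kernel
# installed than the one it is running, i.e. a pending reboot after updates.
# Assumes GNU `sort -V` and Debian/Ubuntu kernel image names /boot/vmlinuz-<version>.

# Newest version string in a whitespace-separated list of kernel versions.
newest_kernel() {
    # shellcheck disable=SC2086  (word splitting of $1 is intended here)
    printf '%s\n' $1 | sort -V | tail -n 1
}

# Exit 0 when RUNNING is not the newest kernel in INSTALLED, else 1.
# A running kernel that is missing from the list also counts as a mismatch.
# Usage: reboot_needed "$(uname -r)" "$(installed_kernels)"
reboot_needed() {
    running=$1
    newest=$(newest_kernel "$2")
    [ "$running" != "$newest" ]
}

# Kernel versions installed on the local host, taken from /boot image names.
installed_kernels() {
    for img in /boot/vmlinuz-*; do
        [ -e "$img" ] || continue
        printf '%s ' "${img#/boot/vmlinuz-}"
    done
}

# Human-readable report for the local host; run after apt-get dist-upgrade.
kernel_report() {
    installed=$(installed_kernels)
    if reboot_needed "$(uname -r)" "$installed"; then
        echo "reboot needed: running $(uname -r), newest installed $(newest_kernel "$installed")"
    else
        echo "running kernel $(uname -r) is the newest installed"
    fi
}
```

kernel_report is the call to put into the post-update routine; the pure functions newest_kernel and reboot_needed take their input as arguments so the logic can be exercised without touching /boot.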
![Page 31: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/31.jpg)
Example: Linux Systems
![Page 32: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/32.jpg)
Linux Systems - Monitoring
File System Integrity Checker
Open Source Tool for checking Integrity: Tripwire http://www.tripwire.org/ http://sourceforge.net/projects/tripwire/
Analyze Log Files
Authentication Errors / Problems: /var/log/auth.log
Web Access and Errors: /var/log/apache2/*.log
![Page 33: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/33.jpg)
Linux Systems - Monitoring
Automated fraud detection. Example: sshguard (http://www.sshguard.net/)
SSH-Guard analyzes the log files of SSH services, detects attack attempts and blocks the attacker temporarily (by setting firewall rules)
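The two monitoring slides fit together: the detection that sshguard automates is a count of failed logins per source address in /var/log/auth.log, followed by a temporary firewall rule once a threshold is reached. The script below is an added example, not from the slides or from the sshguard project, and shows that logic in shell and awk over a handful of constructed auth.log lines (the addresses are from documentation ranges). The iptables rule it prints is one plausible blocking rule, assumed for illustration, and is printed rather than applied.

```shell
#!/bin/sh
# Added example (not from the slides, not sshguard's code): the detection logic
# an sshguard-style tool applies to /var/log/auth.log. Log lines are constructed
# for this example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.

SAMPLE_AUTH_LOG='Jun 11 09:01:02 web1 sshd[2310]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Jun 11 09:01:04 web1 sshd[2312]: Failed password for root from 203.0.113.7 port 51030 ssh2
Jun 11 09:01:06 web1 sshd[2314]: Failed password for invalid user test from 203.0.113.7 port 51041 ssh2
Jun 11 09:01:09 web1 sshd[2316]: Failed password for root from 203.0.113.7 port 51052 ssh2
Jun 11 09:02:10 web1 sshd[2320]: Accepted publickey for deploy from 198.51.100.20 port 40122 ssh2
Jun 11 09:03:33 web1 sshd[2330]: Failed password for deploy from 198.51.100.20 port 40131 ssh2
Jun 11 09:03:40 web1 sshd[2331]: Accepted password for deploy from 198.51.100.20 port 40131 ssh2
Jun 11 09:05:00 web1 sshd[2340]: Invalid user oracle from 203.0.113.7 port 51100'

# Failed password attempts per source IP from auth.log lines on stdin: "count ip",
# highest count first. The IP is the token after "from" in sshd's message.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password for/ {
             for (i = 1; i <= NF; i++) if ($i == "from") { count[$(i+1)]++; break }
         }
         END { for (ip in count) print count[ip], ip }' | sort -rn
}

# Source IPs with at least THRESHOLD failures: the ones a tool like sshguard would block.
# Usage: flag_brute_force 4 < /var/log/auth.log
flag_brute_force() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# The kind of temporary firewall rule a blocker would add for a flagged IP
# (iptables syntax assumed; printed here, not applied).
block_rule_for() {
    printf 'iptables -I INPUT -s %s -p tcp --dport 22 -j DROP\n' "$1"
}

# Flagged IPs from the constructed sample at a given threshold.
sample_flagged() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | flag_brute_force "$1"
}
```

The threshold matters: at 3 only the address with four failed root and invalid-user attempts is flagged, while at 1 the legitimate user who mistyped a password once would be blocked too, which is why real tools combine a count with a time window and an expiry for the rule.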
![Page 34: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/34.jpg)
Securing Web-Server – Main Steps
1. User/Group settings for Web Server Processes
2. File System Settings
3. Permissions for executable Software: nobody except root should write into the binary folders of Apache
4. Reduce functions to your needs: Apache can be extended with Modules, e.g. mod_cgi, mod_ssl…
5. Suppress Fingerprinting
![Page 35: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/35.jpg)
Securing Web-Server – Main Steps
6. Restrict used Hardware Resources to avoid DoS-Attacks: change the default TimeOut, restrict HTTP-Requests
7. Restrict access to Web Resources: often resources should not be accessible to everyone. htaccess is a simple mechanism for access protection; it is activated by placing a file named .htaccess in the protected directory (or in one above it)
Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/
![Page 36: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/36.jpg)
Access Control - .htaccess
Simple Example
Site-Configuration controls use of .htaccess files:
AllowOverride None: .htaccess is ignored
AllowOverride All: .htaccess may overwrite (almost) all global settings
![Page 37: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/37.jpg)
Access Control
Structure of the password file:
UserName:Hash
Example: myUser:GxkVrKPk8WSbM
Default Hash-Function: crypt
Created by the tool htpasswd
Transfer of password: as HTTP Header "Authorization", UserName:Password Base64 encoded
Example: Authorization: Basic d2lraTpwZWRpYQ==
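Two checks follow directly from this slide, and the script below is an added example, not from the slides or from Apache. First, the Authorization header carries the credentials only Base64-encoded, not encrypted, so anyone who can read the request can read the password; decoding the slide's own header value makes that concrete and is the reason Basic authentication belongs behind TLS. Second, the default crypt hash format (13 characters, DES-based, using only the first 8 password characters) is the weak one among the formats htpasswd can write, so a password file is worth auditing for it. The script assumes GNU base64 -d; the password file it builds is constructed, with the crypt entry taken from the slide and the other two hashes being obvious placeholders rather than real hashes.

```shell
#!/bin/sh
# Added example (not from the slides, not Apache's code): two checks around
# HTTP Basic authentication.
# 1. Decode an Authorization header to show credentials are only Base64-encoded.
# 2. Classify hash formats in an htpasswd file; traditional crypt() (13 characters,
#    DES-based, first 8 password characters only) and unsalted {SHA} are the weak ones.
# Assumes GNU coreutils `base64 -d`. The sample file below is constructed.

# "user:password" recovered from an "Authorization: Basic ..." header value.
decode_basic_auth() {
    creds=${1#"Basic "}
    printf '%s' "$creds" | base64 -d
}

# Hash format of one htpasswd hash field.
classify_hash() {
    case "$1" in
        '$apr1$'*)                  echo apr1-md5 ;;   # Apache MD5, salted and iterated
        '$2y$'*|'$2a$'*|'$2b$'*)    echo bcrypt ;;
        '{SHA}'*)                   echo sha1 ;;       # unsalted SHA-1
        *) if [ "${#1}" -eq 13 ]; then echo crypt-weak; else echo unknown; fi ;;
    esac
}

# Print "user format" for every entry of an htpasswd file.
audit_htpasswd() {
    while IFS=: read -r user hash; do
        [ -n "$user" ] || continue
        printf '%s %s\n' "$user" "$(classify_hash "$hash")"
    done < "$1"
}

# Number of entries that should be rehashed with a stronger format.
count_weak_entries() {
    audit_htpasswd "$1" | awk '$2 == "crypt-weak" || $2 == "sha1" || $2 == "unknown" { n++ }
                               END { print n + 0 }'
}

# Constructed sample file: the crypt entry is the slide's example; the apr1 and
# bcrypt values are placeholders that only have the right prefix, not real hashes.
make_sample_htpasswd() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
myUser:GxkVrKPk8WSbM
alice:$apr1$saltsalt$PLACEHOLDER_NOT_A_REAL_HASH
bob:$2y$05$PLACEHOLDER_NOT_A_REAL_BCRYPT_HASH_VALUE
EOF
    echo "$f"
}
```

Decoding the slide's header value d2lraTpwZWRpYQ== yields wiki:pedia, which is all an on-path observer needs when the site is served over plain HTTP. On the file side, audit_htpasswd /path/to/.htpasswd lists each user with its hash format, and entries reported as crypt-weak or sha1 are the ones to regenerate with htpasswd in a stronger format.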
![Page 38: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/38.jpg)
Web Application Security
Various Sources of Information:
OWASP Top 10 (The Open Web Application Security Project)
CWE/SANS Top 25 (Common Weakness Enumeration)
Exploit Databases http://www.exploit-db.com/webapps/
![Page 39: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/39.jpg)
www.exploit-db.com/webapps/
![Page 40: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/40.jpg)
Web Application Security
2011 CWE/SANS Top 25 Most Dangerous Software Errors
Source: http://cwe.mitre.org/top25/
![Page 41: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/41.jpg)
Web Application Security
Buffer Overflows: Statistics. Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)
Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe
![Page 42: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/42.jpg)
Web Application Security
2010 OWASP Top 10
Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
![Page 43: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/43.jpg)
Web Application Security - BackTrack
Operating System based on Ubuntu
Penetration testing and digital forensics
Available as Live CD or USB
Source: http://www.backtrack-linux.org/screenshots/
![Page 44: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/44.jpg)
Web Application Security - BackTrack
BackTrack arranges tools into 12 categories:
Information Gathering
Vulnerability Assessment
Exploitation Tools
Privilege Escalation
Maintaining Access
Reverse Engineering
RFID Tools
Stress Testing
Forensics
Reporting Tools
Services
Miscellaneous
![Page 45: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/45.jpg)
Take Home Message
Web Security is very important for everyone (e.g. e-banking…)
Server Security information sources: Federal Office for Information Security (BSI, Germany), National Security Agency (NSA, USA)
Web Application Security information sources: The Open Web Application Security Project (OWASP) Top 10, CWE/SANS Top 25, Exploit Databases
Security Tool: BackTrack
![Page 46: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/46.jpg)
Questions???
![Page 47: Security of Web Servers and Web Applications](https://reader033.vdocument.in/reader033/viewer/2022052523/5559f74fd8b42aa8098b48fa/html5/thumbnails/47.jpg)