17 - Application Vulnerabilities and Defenses

This document discusses application vulnerabilities and defenses against web security threats. It describes how the advent of dynamic scripting technologies introduced risks to both clients and servers, including eavesdropping, fraud, and privacy infringement. It outlines how both web browsers and web applications can be attacked, leading to malware installation or theft of private data and credit cards. Common web application attacks like cross-site scripting and SQL injection are explained. The document also covers topics like botnets, how legitimate websites become compromised, and botnet detection methods.

Uploaded by

Gi ji

Application vulnerabilities and defenses

Defining the problem of web security
• Born out of advent of dynamic scripting technologies like:
– Javascript
– ASP
– PHP
• Allow user input to interact with web site instead of just displaying static pages.
2
What can go wrong?
• Risks that affect both client and server
– Eavesdropping
– Fraud
• Risks to the end user
– Active content
– Privacy infringement
• Risks to the web site
– Webjacking
– Server and LAN break-ins
– Denial-of-service attacks

3
Two Sides of Web Security
• Web browser (front end)
– Can be attacked by any website it visits
– Attacks lead to malware installation (keyloggers, botnets), document theft, loss of private data
• Web application (back end)
– Runs at website
• Banks, online merchants, blogs, Google Apps, etc.
– Written in Javascript, PHP, ASP, JSP, Ruby, …
– Many potential bugs: XSS, SQL injection, XSRF
– Attacks lead to stolen credit cards, defaced sites, etc.
4
Application Attacks
• Attacks that target applications
– Category continues to grow
– Web application attacks
– Client-side attacks
– Buffer overflow attacks
• Zero day attacks
– Exploit previously unknown vulnerabilities
– Victims have no time to prepare or defend

5
Web Application Attacks
• Web applications are an essential element of organizations today
• Approach to securing Web applications
– Hardening the Web server
– Protecting the network

6
Web Application Attacks (cont’d.)
• Common Web application attacks
– Cross-site scripting
– SQL injection
– XML injection
– Command injection / directory traversal

7
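Two of the attacks listed above, cross-site scripting and directory traversal, come down to untrusted input reaching an interpreter unescaped. The Python below is an added example, not code from the slides: the reflected-XSS pattern next to the same page with output encoding, and a static-file resolver that keeps requested paths inside a document root. The `DOC_ROOT` directory, the function names and the sample inputs are constructed for the example.

```python
import html
from pathlib import Path
from typing import Optional
from urllib.parse import parse_qs, unquote

# Constructed document root for the traversal check; a real server would use
# its static-file directory. It does not need to exist for the check to work.
DOC_ROOT = Path("/var/www/static")


def render_greeting_vulnerable(query_string: str) -> str:
    """Reflects the 'name' parameter into the page unchanged: the XSS pattern.
    A value such as <script>...</script> becomes live markup in the response."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {name}!</p>"


def render_greeting(query_string: str) -> str:
    """Same page with output encoding. html.escape turns <, >, &, ' and " into
    entities, so the value is displayed as text and cannot open a tag."""
    name = parse_qs(query_string).get("name", [""])[0]
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def resolve_static_path(requested: str, root: Path = DOC_ROOT) -> Optional[Path]:
    """Map a URL path onto the document root and refuse anything that resolves
    outside it. Percent-decoding happens first so %2e%2e%2f is seen as ../,
    and resolve() collapses the ".." components before the containment test.
    Returns None for rejected requests."""
    decoded = unquote(requested).lstrip("/")   # keep the join beneath root
    root_resolved = root.resolve()
    candidate = (root_resolved / decoded).resolve()
    try:
        candidate.relative_to(root_resolved)   # raises if candidate escaped root
    except ValueError:
        return None
    return candidate


if __name__ == "__main__":
    # Constructed inputs showing each defence in action.
    payload = "name=%3Cscript%3Ealert(1)%3C/script%3E"
    print(render_greeting_vulnerable(payload))
    print(render_greeting(payload))
    print(resolve_static_path("/css/site.css"))
    print(resolve_static_path("/../../etc/passwd"))
```

The traversal check deliberately decodes and resolves before comparing: a check that only looks for the literal string `..` in the raw request misses encoded forms, while a check after resolution compares the path the file system would actually open.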
Web Applications
• Big trend: software as a (Web-based) service
– Online banking, shopping, government, etc.
– Cloud computing
• Applications hosted on Web servers
– Written in a mixture of PHP, Java, Perl, Python, C, ASP
• Security is rarely the main concern
– Poorly written scripts with inadequate input validation
– Sensitive data stored in world-readable files
8
How Are Legitimate Web Sites Compromised?
• SQL Injection Attacks
• Cross-site scripting (XSS) attacks
• Vulnerabilities in the Web server or forum hosting software (e.g., shell attacks)
• Malicious Advertisements
– Many Web sites today display advertisements hosted by third-party advertising sites
– Volume of ads published automatically makes detection difficult
– Random appearance further compounds the detection problem
• Search Engine Result Redirection
• Attacks on the backend virtual hosting companies
9
Botnets
• Bots: Autonomous programs performing tasks
• Plenty of “benign” bots
– e.g., weatherbug
• Botnets: group of bots
– Typically carries malicious connotation
– Large numbers of infected machines
– Machines “enlisted” with infection vectors like worms
• Available for simultaneous control by a master
• Size: up to 350,000 nodes

10
“Rallying” the Botnet
• Easy to combine worm, backdoor functionality
• Problem: how to learn about successfully infected machines?
• Options
– Email
– Hard-coded email address
11
Botnet Control
[Diagram: infected machine → dynamic DNS → botnet controller (IRC server)]
• Botnet master typically runs some IRC server on a well-known port (e.g., 6667)
• Infected machine contacts botnet with pre-programmed DNS name (e.g., big-bot.de)
• Dynamic DNS: allows controller to move about freely
12
Botnet History: How we got here
• Early 1990s: IRC bots
– eggdrop: automated management of IRC channels
• 1999-2000: DDoS tools
– Trinoo, TFN2k, Stacheldraht
• 1998-2000: Trojans
– BackOrifice, BackOrifice2k, SubSeven
Fast spreading capabilities
• 2001- : Worms pose big threat
– Code Red, Blaster, Sasser
13
Put these pieces together and add a controller…
Putting it together
1. Miscreant (botherd) launches worm, virus, or other mechanism to infect Windows machine.
2. Infected machines contact botnet controller via IRC.
3. Spammer (sponsor) pays miscreant for use of botnet.
4. Spammer uses botnet to send spam emails.
14
Botnet Detection and Tracking
• Network Intrusion Detection Systems (e.g., Snort)
– Signature: alert tcp any any -> any any (msg:"Agobot/Phatbot Infection Successful"; flow:established; content:"221
• Honeynets: gather information
– Run unpatched version of Windows
– Usually infected within 10 minutes
– Capture binary
• determine scanning patterns, etc.
– Capture network traffic
• Locate identity of command and control, other bots, etc.
15
Detection: In-Protocol
• Snooping on IRC Servers
• Email (e.g., CipherTrust ZombieMeter)
– > 170k new zombies per day
– 15% from China
• Managed network sensing and anti-virus detection
– Sinkholes detect scans, infected machines, etc.
• Drawback: Cannot detect botnet structure

16
Using DNS Traffic to Find Controllers
• Different types of queries may reveal info
– Repetitive A queries may indicate bot/controller
– MX queries may indicate spam bot
– PTR queries may indicate a server
• Usually 3 level: hostname.subdomain.TLD (top-level domain)
• Names and subdomains that just look rogue
– (e.g., irc.big-bot.de)

17
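The query-type heuristics on this slide and the controller-contact pattern from the Botnet Control slide (a bot repeatedly resolving a pre-programmed name such as big-bot.de) can be run over a resolver's query log. The Python below is an added example, not from the deck: it parses a constructed log in a simple "timestamp client qtype qname" form and flags hosts with repetitive A queries for one name, a burst of MX queries, or a name that looks rogue. The log format, the thresholds and the `ROGUE_LABELS` list are assumptions of the example.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Constructed query log: "timestamp client qtype qname", one query per line.
# 10.0.0.5 re-resolves the same odd name every minute; 10.0.0.9 looks up
# mail exchangers for several domains; 10.0.0.7 only issues a PTR query.
SAMPLE_LOG = """\
1700000000 10.0.0.5 A www.example.com
1700000001 10.0.0.5 A irc.big-bot.de
1700000061 10.0.0.5 A irc.big-bot.de
1700000121 10.0.0.5 A irc.big-bot.de
1700000181 10.0.0.5 A irc.big-bot.de
1700000000 10.0.0.9 A www.example.com
1700000002 10.0.0.9 MX mail.example.net
1700000003 10.0.0.9 MX mail.example.org
1700000004 10.0.0.9 MX mail.example.edu
1700000005 10.0.0.9 MX mail.example.info
1700000010 10.0.0.7 PTR 5.0.0.10.in-addr.arpa
"""

REPEAT_A_THRESHOLD = 4          # assumed: same name resolved this often by one host
MX_THRESHOLD = 3                # assumed: MX lookups a normal desktop rarely makes
ROGUE_LABELS = ("irc.", "bot")  # assumed: labels that "just look rogue"


def parse_log(text: str) -> List[Tuple[int, str, str, str]]:
    """Split the constructed log into (timestamp, client, qtype, qname) records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        records.append((int(ts), client, qtype.upper(), qname.lower().rstrip(".")))
    return records


def find_suspicious(records) -> Dict[str, List[str]]:
    """Return {client: [reasons]} for hosts whose query mix matches the deck's
    heuristics: repetitive A queries for one name (bot polling its controller),
    a burst of MX queries (spam bot locating mail exchangers), or a rogue-looking
    name. PTR queries are left alone: the slide says they usually indicate a server."""
    a_counts: Counter = Counter()
    mx_counts: Counter = Counter()
    rogue_names = defaultdict(set)
    for _ts, client, qtype, qname in records:
        if qtype == "A":
            a_counts[(client, qname)] += 1
            if any(label in qname for label in ROGUE_LABELS):
                rogue_names[client].add(qname)
        elif qtype == "MX":
            mx_counts[client] += 1

    findings: Dict[str, List[str]] = defaultdict(list)
    for (client, qname), n in a_counts.items():
        if n >= REPEAT_A_THRESHOLD:
            findings[client].append(f"repetitive A queries for {qname} ({n})")
    for client, n in mx_counts.items():
        if n >= MX_THRESHOLD:
            findings[client].append(f"{n} MX queries (possible spam bot)")
    for client, names in rogue_names.items():
        findings[client].append("rogue-looking name(s): " + ", ".join(sorted(names)))
    return dict(findings)


if __name__ == "__main__":
    for client, reasons in find_suspicious(parse_log(SAMPLE_LOG)).items():
        print(client, "->", "; ".join(reasons))
```

Each heuristic is weak on its own (a mail server makes MX queries legitimately, a monitoring host re-resolves names on a schedule), which is why the function reports the reasons per client rather than a single verdict: a repeated A query for a name that also looks rogue is a much stronger signal than either alone.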
DNS Monitoring
• Command-and-control hijack
– Advantages: accurate estimation of bot population
– Disadvantages: bot is rendered useless; can’t monitor activity from command and control
• Complete TCP three-way handshakes
– Can distinguish distinct infections
– Can distinguish infected bots from port scans, etc.
18
Traffic Monitoring
• Goal: Recover communication structure
– “Who’s talking to whom”
• Tradeoff: Complete packet traces with partial view, or partial statistics with a more expansive view
19
New Trend: Social Engineering
• Bots frequently spread through Instant Messenger (IM)
– A bot-infected computer is told to spread through IM
– It contacts all of the logged in buddies and sends them a link to a malicious web site
– People get a link from a friend, click on it, and say “sure, open it” when asked
20
Botnet Operation
• General
– Assign a new random nickname to the bot
– Cause the bot to display its status
– Cause the bot to display system information
– Cause the bot to quit IRC and terminate itself
– Change the nickname of the bot
– Completely remove the bot from the system
– Display the bot version or ID
– Display the information about the bot
– Make the bot execute a .EXE file
• IRC Commands
– Cause the bot to display network information
– Disconnect the bot from IRC
– Make the bot change IRC modes
– Make the bot change the server
– Make the bot join an IRC channel
– Make the bot part an IRC channel
– Make the bot quit from IRC
– Make the bot reconnect to IRC
• Redirection
– Redirect a TCP port to another host
– Redirect GRE traffic that results to proxy PPTP VPN connections
• DDoS Attacks
• Information theft
– Steal CD keys of popular games
• Cvars
• Program termination
21
Early Botnets: AgoBot (2003)
• Drops a copy of itself as svchost.exe or
syschk.exe

• Propagates via Grokster, Kazaa, etc.

• Also via Windows file shares

22
PhatBot (2004)
• Direct descendent of AgoBot
• More features
– Harvesting of email addresses via Web and local machine
– Steal AOL logins/passwords
– Sniff network traffic for passwords
• Control vector is peer-to-peer (not IRC)
23
Botnet Application: Phishing
“Phishing attacks use both social engineering and technical subterfuge to steal consumers' personal identity data and financial account credentials.” -- Anti-spam working group
• Social-engineering schemes
– Spoofed emails direct users to counterfeit web sites
– Trick recipients into divulging financial, personal data
• Anti-Phishing Working Group Report (Oct. 2005)
– 15,820 phishing e-mail messages
– 4367 unique phishing sites identified
– 96 brand names were hijacked
– Average time a site stayed on-line was 5.5 days
24
Which web sites are being phished?
[Chart omitted. Source: Anti-phishing working group report, Dec. 2005]
• Financial services by far the most targeted sites
25
Botnet Application: Click Fraud
• Pay-per-click advertising
– Publishers display links from advertisers
– Advertising networks act as middlemen
• Sometimes the same as publishers (e.g., Google)
• Click fraud: botnets used to click on pay-per-click ads
• Motivation
– Competition between advertisers
– Revenue generation by bogus content provider
26
Botnet detection
• Botnet membership detection
– Existing techniques
• Require special privileges
• Disable the botnet operation
– Under various datasets (packet traces, various numbers of vantage points, etc.)
• Click fraud detection
• Phishing detection
27
Prevention
• Architectural considerations
– Properly-Segmented Network
– Firewalls Between Segments
– Input Validation
• Third-Party Tools
– Vulnerability Scanners

28
Prevention – Architectural Considerations
• 3-Tier/Layer design approach – minimize the attack surface
– UI/Interface
– Logic
– Data
29
Prevention – Architectural Considerations
• Network Topology
– Isolating public networks from intranets
– Use of firewalls between network segments
30
Prevention – Third-Party Tools
• Vulnerability Scanners
– Most will probe the web application for a set of known security holes.
– Nikto
• Aware of “over 3300 potentially dangerous files/CGIs, versions on over 625 servers, and version specific problems on over 230 servers.” (Nikto Website)
31
Conclusions
1. Defense is shifting from network to application layer.
   Firewalls, anti-virus, SSL, input validation, WAF
2. Vulnerabilities should be identified.
   1. Static analysis of source code.
   2. Web proxies and scanners for testing.
3. Vulnerabilities should be remediated.
   1. Web application firewalls for immediate short-term fixes.
   2. Repairing source code for long-term fixes.

32
Client side security

33
Three components to security
• Three perspectives
– User’s point of view
– Server’s point of view
– Both parties
• Three parts
– Client-side security
– Server-side security
– Document confidentiality

34
Client-side security
• Measures to protect the user’s privacy and the integrity of his computer
• Example technological solutions
– Protection from computer viruses and other malicious software
– Limit the amount of personal information that browsers can transmit without the user’s consent

35
GETTING ONTO A USER’S COMPUTER
[Figure omitted. Source: Web Based Attacks, Symantec 2009]
36
Server-side security
• Measures to protect the server and the machine it runs on from break-ins, site vandalism, and denial-of-service attacks.
• Solutions range
– installing firewall systems
– tightening operating system security measures

37
Document confidentiality
• Measures to protect private information from being disclosed to third parties.
• Example risks:
• Solutions range
– Password to identify users
– Cryptography

38
Client-Side Attacks
• Web application attacks are server-side attacks
• Client-side attacks target vulnerabilities in client applications
– Interacting with a compromised server
– Client initiates connection with server, which could result in an attack

39
Client-Side Attacks (cont’d.)
• Client-side attacks are performed on Active Content
• Java applets, ActiveX controls, JavaScript, and VBScript
– ActiveX is an object, called a control, that contains programs and properties that perform certain tasks
– ActiveX controls only run on Windows 95, 98, or 2000
– Once downloaded, ActiveX controls execute like any other program, having full access to your computer’s resources

40
Client-Side Attacks (cont’d.)
• Drive-by download
– Client computer compromised simply by viewing a Web page
– Attackers inject content into vulnerable Web server
• Gain access to server’s operating system
– Attackers craft a zero pixel frame to avoid visual detection
– Embed an HTML document inside main document
– Client’s browser downloads malicious script
– Programs that interpret or execute instructions embedded in downloaded objects
– Instructs computer to download malware

41
Client-Side Attacks (cont’d.)
• Code can be embedded into graphic images causing harm to your computer
• Plug-ins are used to play audiovisual clips, animated graphics
– Could contain ill-intentioned commands hidden within the object
– http://home.netscape.com/plugins/
• E-mail attachments can contain destructive macros within the document
42
Client-Side Attacks (cont’d.)
• Header manipulation
– HTTP header contains fields that characterize data being transmitted
– Headers can originate from a Web browser
• Browsers do not normally allow this
• Attacker’s short program can allow modification
• Examples of header manipulation
– Referer
– Accept-language
43
Client-Side Attacks (cont’d.)
• Referer field indicates site that generated the Web page
– Attacker can modify this field to hide fact it came from another site
– Modified Web page hosted from attacker’s computer
• Accept-language
– Some Web applications pass contents of this field directly to database
– Attacker could inject SQL command by modifying this header

44
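The Accept-language case above, as an added Python example that is not from the slides, using an in-memory SQLite table constructed for the purpose: the header's first language tag is concatenated straight into a query, then the same lookup with an allow-list check on the tag and a bound parameter. The `strings` table, the `LANG_TAG` pattern and the fallback to `en` are assumptions of the example.

```python
import re
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed localisation table standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE strings (lang TEXT, key TEXT, text TEXT)")
    conn.executemany("INSERT INTO strings VALUES (?, ?, ?)", [
        ("en", "greeting", "Hello"),
        ("de", "greeting", "Hallo"),
        ("fr", "greeting", "Bonjour"),
    ])
    return conn


def primary_language(accept_language: str) -> str:
    """First tag of an Accept-Language value, q-value dropped, e.g. 'de,en;q=0.8' -> 'de'."""
    return accept_language.split(",")[0].split(";")[0].strip()


def lookup_vulnerable(conn: sqlite3.Connection, accept_language: str) -> List[str]:
    """Header value concatenated into SQL: the flaw described on the slide.
    A header of  ' OR '1'='1  turns the WHERE clause into one that matches
    every row, so the query returns data the caller never asked for."""
    lang = primary_language(accept_language)
    sql = f"SELECT text FROM strings WHERE lang = '{lang}' AND key = 'greeting'"
    return [row[0] for row in conn.execute(sql)]


# Assumed allow-list: the shape of a BCP 47 language tag (letters, then
# optional hyphenated alphanumeric subtags). Quotes, spaces and '=' never pass.
LANG_TAG = re.compile(r"^[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*$")


def lookup_hardened(conn: sqlite3.Connection, accept_language: str) -> List[str]:
    """Two independent defences: validate the tag against the allow-list and
    fall back to 'en' otherwise, and bind the value as a parameter so the
    database driver never parses it as SQL."""
    lang = primary_language(accept_language)
    if not LANG_TAG.match(lang):
        lang = "en"   # assumed fallback rather than trusting a malformed header
    rows = conn.execute(
        "SELECT text FROM strings WHERE lang = ? AND key = 'greeting'", (lang,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for header in ("de,en;q=0.8", "' OR '1'='1"):
        print(repr(header), lookup_vulnerable(db, header), lookup_hardened(db, header))
```

The parameter binding alone would already stop the injection; the allow-list is kept as well because it also rejects values that are syntactically harmless to SQL but meaningless as a language tag, and because later code that formats the tag into a file name or a log line benefits from the same check.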
Client-Side Attacks (cont’d.)
• Cookies and Attachments
– Cookies store user-specific information on user’s local computer
– Cookies remember user names, passwords, and other commonly referenced information
• Web sites use cookies to identify repeat visitors
• Examples of information stored in a cookie
– Travel Web sites may store user’s travel itinerary
– Personal information provided when visiting a site
• Only the Web site that created a cookie can read it

45
Client-Side Attacks (cont’d.)
• First-party cookie
– Cookie created by Web site user is currently visiting
• Third-party cookie
– Site advertisers place a cookie to record user preferences
• Session cookie
– Stored in RAM and expires when browser is closed
46
Client-Side Attacks (cont’d.)
• Persistent cookie
– Recorded on computer’s hard drive
– Does not expire when browser closes
• Secure cookie
– Used only when browser visits server over secure connection
– Always encrypted

47
Client-Side Attacks (cont’d.)
• Flash cookie
– Uses more memory than traditional cookie
– Cannot be deleted through browser configuration settings
– Flash cookie settings can be changed
• Cookies pose security and privacy risks
– May be stolen and used to impersonate user
– Used to tailor advertising
– Can be exploited by attackers

48
Client-Side Attacks (cont’d.)
• Session hijacking
– Attacker attempts to impersonate user by stealing or guessing session token
• Malicious add-ons
– Browser extensions provide multimedia or interactive Web content
– ActiveX add-ons have several security concerns

49
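The cookie types and the session-hijacking point above, as an added Python example that is not part of the deck: a session token drawn from the OS random source so it cannot be guessed, a Set-Cookie builder that emits a session cookie (no Max-Age, so it dies with the browser) or a persistent one, always with the Secure, HttpOnly and SameSite attributes, and an audit function that reports which of those protections a Set-Cookie value seen in a response is missing. The token size, the cookie names and the 16-character minimum used by the audit are assumptions.

```python
import secrets
from http.cookies import SimpleCookie
from typing import List, Optional

SESSION_TOKEN_BYTES = 32   # assumed: 256 bits of entropy, infeasible to guess


def new_session_token() -> str:
    """Unguessable session identifier from the OS CSPRNG; addresses the
    'guessing' half of session hijacking."""
    return secrets.token_urlsafe(SESSION_TOKEN_BYTES)


def session_cookie_header(name: str, value: str,
                          persistent_seconds: Optional[int] = None) -> str:
    """Build the value of a Set-Cookie header.
    No Max-Age -> session cookie (kept in memory, gone when the browser closes).
    Max-Age    -> persistent cookie (written to disk, survives restarts).
    Secure keeps it off plaintext HTTP, HttpOnly keeps it away from page
    scripts (so an XSS flaw cannot simply read and exfiltrate it), and
    SameSite=Strict stops the browser attaching it to cross-site requests."""
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Strict"
    morsel["path"] = "/"
    if persistent_seconds is not None:
        morsel["max-age"] = persistent_seconds
    return morsel.OutputString()


def audit_set_cookie(header_value: str) -> List[str]:
    """Return the protections a Set-Cookie value is missing. Feed it the value
    part of a 'Set-Cookie:' header captured from a response."""
    cookie = SimpleCookie()
    cookie.load(header_value)
    problems: List[str] = []
    for name, morsel in cookie.items():
        if not morsel["secure"]:
            problems.append(f"{name}: missing Secure (sent over plaintext HTTP)")
        if not morsel["httponly"]:
            problems.append(f"{name}: missing HttpOnly (readable by page scripts)")
        if not morsel["samesite"]:
            problems.append(f"{name}: missing SameSite (attached to cross-site requests)")
        if len(morsel.value) < 16:   # assumed threshold for a guessable token
            problems.append(f"{name}: value is short enough to guess")
    return problems


if __name__ == "__main__":
    hdr = session_cookie_header("sid", new_session_token())
    print("Set-Cookie:", hdr)
    print("audit of generated cookie:", audit_set_cookie(hdr))
    # Constructed weak header of the kind the audit is meant to catch.
    print("audit of weak cookie:", audit_set_cookie("sid=1234; Path=/"))
```

The Secure flag is what the deck's "secure cookie" means in practice: the browser refuses to send it over a plaintext connection, which closes the eavesdropping route to the "stealing" half of session hijacking; HttpOnly closes the script-theft route, and the token length closes the guessing route.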
Session hijacking
50
Client-Side Attacks (cont’d.)
• Buffer overflow attacks
– Process attempts to store data in RAM beyond boundaries of fixed-length storage buffer
– Data overflows into adjacent memory locations
– May cause computer to stop functioning
– Attacker can change “return address”
• Redirects to memory address containing malware code

51
Buffer overflow attack

52
How to Protect Yourself (Client side)
• Update and Patch Software
– Get latest OS, Browser, Application patches
– Browser Plug-in updates often forgotten
• Endpoint Protection Software
– Anti-virus software for signature based detection and behavioral monitoring
– Update Protection Software Subscription
• Could miss 70,000 new unique virus variants for one week
• Be Suspicious
– Avoid things that seem too good to be true
• Adopt Strong Password Policy
• Client/server communication using data (XML/JSON) rather than presentation (HTML).

53
