Web Security and Mobile Code

Diomidis Spinellis
Department of Management Science and Technology
Athens University of Economics and Business
Athens, Greece
dds@aueb.gr

Web Security Requirements

Confidentiality (client and server)
Integrity (client and server)
Availability (mostly server issue)

User Privacy: What are we Protecting?

Identity (name, email)
Location (IP address, domain name, physical location)
Visited sites
Search engine input
Shopping habits
Form data

Data Traces

Traces are left on:

Address-bar history
Local history file
Local cache
Cookie file
Explicitly set proxy log file
Transparent proxy log file
Remote log files
Remote databases
Packet tracing dumps

Web Server Data

Typical data available to the web server:

GET http://www.google.com/ HTTP/1.1
Host: www.google.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6) Gecko/20040113
Accept: application/x-shockwave-flash,text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,image/jpeg,image/gif;q=0.2,*/*;q=0.1
Accept-Language: en-us,en;q=0.8,el;q=0.5,de;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: windows-1253,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Cookie: PREF=ID=33a5ab74b4a12719:LD=en:CR=2:TM=1070012757:LM=1070012764:S=bEOIfrJZzBGyc5LD

Log File Contents

Normal Users

217.195.129.242 - - [23/Jun/2004:15:38:25 +0300] "GET /pubs/jrnl/2000-IST-Components/html/comp.html HTTP/1.0" 200 49099 "http://find.in.gr/results.page?data=unix+command" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
217.195.129.242 - - [23/Jun/2004:15:38:25 +0300] "GET /pubs/jrnl/2000-IST-Components/html/process.gif HTTP/1.0" 200 6429 "http://www.spinellis.gr/pubs/jrnl/2000-IST-Components/html/comp.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Q312461)"
backport.reaktor-i.com - - [23/Jun/2004:16:00:05 +0300] "GET /sw/umlgraph/doc/index.html HTTP/1.1" 200 3317 "http://www.spinellis.gr/sw/umlgraph/" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8"
backport.reaktor-i.com - - [23/Jun/2004:16:00:08 +0300] "GET /sw/umlgraph/doc/cd-intro.html HTTP/1.1" 200 2188 "http://www.spinellis.gr/sw/umlgraph/doc/index.html" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040207 Firefox/0.8"

Crawler

65.197.137.37 - - [22/Jun/2004:13:33:58 +0300] "GET /robots.txt HTTP/1.1" 200 35 "-" "ZipppBot/0.25 (Zippp; http://www.zippp.net; webmaster@zippp.net)"
65.197.137.37 - - [22/Jun/2004:13:33:59 +0300] "GET /pubs/conf/1994-OOPSLA-Multipar/html/mlom.html HTTP/1.1" 200 19166 "-" "ZipppBot/0.25 (Zippp; http://www.zippp.net; webmaster@zippp.net)"

Web Server Exploitation Attempts

[Thu Jun 10 11:36:59 2004] [error] [client 148.244.150.52] script not found or unable to stat: /webdata/istlab-cgi-bin/FormMai
l.pl
[Thu Jun 10 11:37:03 2004] [error] [client 148.244.150.52] script not found or unable to stat: /webdata/istlab-cgi-bin/mail.pl
[Thu Jun 10 11:37:03 2004] [error] [client 148.244.150.52] script not found or unable to stat: /webdata/istlab-cgi-bin/Mail.pl
[Thu Jun 10 11:37:04 2004] [error] [client 148.244.150.52] script not found or unable to stat: /webdata/istlab-cgi-bin/Form.pl
[Thu Jun 10 11:37:04 2004] [error] [client 148.244.150.52] script not found or unable to stat: /webdata/istlab-cgi-bin/form.pl


[Fri Jun 18 23:05:25 2004] [error] [client 216.245.167.136] File does not exist: /webdata/spinellis/_vti_bin/owssvr.dll
[Fri Jun 18 23:05:25 2004] [error] [client 216.245.167.136] File does not exist: /webdata/spinellis/MSOffice/cltreq.asp
[Fri Jun 18 23:06:17 2004] [error] [client 216.245.167.136] File does not exist: /webdata/spinellis/_vti_bin/owssvr.dll
[Fri Jun 18 23:06:18 2004] [error] [client 216.245.167.136] File does not exist: /webdata/spinellis/MSOffice/cltreq.asp

Packet Dump Output

Web Request

02:40:27.881867 192.168.238.1.1540 > 192.168.238.5.www: P 1:485(484) ack 1 win 6
4240 (DF)
0x0000   4500 020c 5af0 4000 8006 40a3 c0a8 ee01        E...Z.@...@.....
0x0010   c0a8 ee05 0604 0050 6a19 984a 87b4 aae9        .......Pj..J....
0x0020   5018 faf0 59b7 0000 4745 5420 2f6f 7267        P...Y...GET./org
0x0030   616e 2d65 6e68 616e 6365 6d65 6e74 2e68        an-enhancement.h
0x0040   746d 6c20 4854 5450 2f31 2e31 0d0a 486f        tml.HTTP/1.1..Ho
0x0050   7374 3a20 3139 322e 3136 382e 3233 382e        st:.192.168.238.
0x0060   350d 0a55 7365 722d 4167 656e 743a 204d        5..User-Agent:.M
0x0070   6f7a 696c 6c61 2f35 2e30 2028 5769 6e64        ozilla/5.0.(Wind

Password in a Packet Dump

05:50:03.157394 seagull.spinellis.gr.1098 > www.taxisnet.gr.http: P
479:588(109) ack 1 win 16603 (DF)
0x0000 4500 0095 0654 4000 8006 7057 c0a8 880e  E....T@...pW....
0x0010 d4cd 6633 044a 0050 fdf4 e5a9 912f e6a5  ..f3.J.P...../..
0x0020 5018 40db 1033 0000 436f 6e74 656e 742d  P.@..3..Content-
0x0030 7479 7065 3a20 6170 706c 6963 6174 696f  type:.applicatio
0x0040 6e2f 782d 7777 772d 666f 726d 2d75 726c  n/x-www-form-url
0x0050 656e 636f 6465 640d 0a43 6f6e 7465 6e74  encoded..Content
0x0060 2d6c 656e 6774 683a 2033 380d 0a0d 0a70  -length:.38....p
0x0070 7764 3d73 6563 7265 7426 7573 6572 6e61  wd=secret&userna <<<
0x0080 6d65 3d74 6573 7475 7365 7226 7061 7373  me=testuser&pass <<<
0x0090 776f 7264 3d                             word=

Malicious Applets

Once malicious code gets control of the machine it can:

Compromise the user's privacy
Actively snoop the user's keystrokes
Steal resources to:
- Orchestrate a DDoS attack
- Send spam mail
- Spread viruses
Dial long-distance calls
Impersonate on behalf of the user (including certificate authentication)
Distribute sensitive documents

The Java Sandbox Model

Java code is executed through a virtual machine
Java applets can contain untrusted code
Untrusted code is checked for validity
Untrusted code is executed in a sandbox using an appropriate security policy

Bytecode Verification

Bytecode verification checks that:

The file is correctly formatted
The parameter stack will not overflow or underflow
Bytecode instructions use the correct types
No invalid type conversions are performed
No unauthorised member access is performed (through private or protected fields and methods).
Register accesses follow the legal conventions

Common problems

Insecure Java implementation (e.g. type checking)
Inappropriate security policy

Policy Example

As an example the sanbox policy may prohibit:

Reading local files
Writing local files
Deleting local files
Renaming local files
Creating directories
Reading directory contents
Network connections to machines other than the applet's source
Waiting for network connections
Creating new windows
Changing system settings
Loading dynamic libraries
Creating a new clall loader or security manager
Creating classes that already exist

ActiveX and Code Signing

ActiveX applets are based on Microsoft's Component Object Model (COM)
ActiveX applets can access all the machine's resources
They are signed with a digital signature to ensure their origin.
A similar option is also offered for Java code
Users are supposed to trust signed applets as they trust retail software

Problems:

All or nothing proposition
Who do you trust?
Programs from trusted sources may contain vulnerabilities
Programs from trusted sources may unknowingly contain malicious code (e.g. by linking with a library)

Javascript

No relation to Java
Interpreted inside the browser
Browser and its limited runtime environment act as a sandbox
Security problems

Exploitation examples:

Show pop-up windows
Access the history file
Read directory contents
Trick user to send files by email to untrusted sources
Violate firewall security policies (e.g. by recreating an applet tag)

Cookies

Needed to maintain state in stateless HTTP
Useful for e-commerce (e.g. implementing a shopping basket)

Format:

Name=VALUE; expires=DATE; domain=DOMAIN; path=PATH; secure

Example:

www.in.gr	FALSE	/	FALSE	2051222309	SITESERVER	ID=8b048791364ee52dfc1d627045d5c58c
.google.com	TRUE	/	FALSE	2147361448	PREF	ID=33a5ab94b4a12719:LD=en:CR=2:TM=1070212757:LM=1074012764:S=bEbIgrJZzBGyc5LD
.yahoo.com	TRUE	/	FALSE	1271361609	U	mt=Kl4g_p8MhYuN9bHjdexUb81uQuDrHYcx_oFi1Q--&ux=Sqf7/A&un=febgmfte1juft

Only the same host can access a cookie

Security problems

The cookie file stores unencrypted personal data over an extended period
Can be subverted by DNS spoofing
Therefore an attacker can access personal data (e.g. shopping habits)
Other users of a machine can access the cookie file
Problems when cookies are used to make authorisation easier

User Authentication

The basic authentication method transmits the password unencrypted
Example

POST /cgi-bin/smswww HTTP/1.0
Referer: http://www.netcs.com/pages/foo/send.html
Proxy-Connection: Keep-Alive
User-Agent: Mozilla/3.01 (Win95; I)
Host: www.netcs.com
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
Content-type: application/x-www-form-urlencoded
Content-length: 143
Authorization: Basic aWV0ZopqZXRm

Only useful for "advisory locks"
Better authentication should be implemented through an SSL link and custom application code
Cookies should not be used for authentication

Application-layer Attacks

Scripting vulnerabilities
Buffer overflows
Cookie poisoning
Hidden field manipulation
Parameter tampering
Cross-site scripting
SQL injection

Server Security and Scripting

Server-side scripting (ASP, PHP, mod_perl, CGI) uses interpreted languages (Visual Basic, PHP, sh, Perl, Tcl, Java, Python)
Can be used by attackers to execute code on the server
Compromise the web server (e.g. change security model)
Compromise the database
Compromise the host

Scripting Exploitation Example

The following flawed and insecure Perl program is supposed to run the Unix "finger" command for the user given on a form's USER field:

#!/usr/bin/perl
$query = $ENV{'QUERY_STRING'};
@pairs = split(/\&/, $query);
for (@pairs) {
        ($field, $val) = split(/=/);
        $field =~ s/\+/ /g;
        $field =~ s/\%(\w\w)/sprintf("%c", hex($1))/eg;
        $val =~ s/\+/ /g;
        $val =~ s/\%(\w\w)/sprintf("%c", hex($1))/eg;
        $field{$field} = $val;
}
$|=1;
print "Content-Type: text/plain\n\n";
system "finger $field{USER}\n";

Running the program with USER having the value "dds"

http://www.host.gr/cgi-bin/pe?USER=dds

will give the following result:

Login: dds                              Name: Diomidis Spinellis
Directory: /home/dds                    Shell: /bin/bash
On since Wed Jun 30 12:18 (EET) on ttyp0
   5 minutes 49 seconds idle

Adding to the URI a semicolon (the Unix shell command separator) and the command cat /etc/shadow

http://www.host.gr/cgi-bin/pe?USER=dds;cat%20/etc/shadow

may send us the encoded contents of the system's password file after the results of the finger command.

Login: dds                              Name: Diomidis Spinellis
Directory: /home/dds                    Shell: /bin/bash
On since Wed Jun 30 12:18 (EET) on ttyp0
   5 minutes 49 seconds idle

root:XXXXXXXXXXXXX:0:0:Charlie Root:/root:/bin/bash
bin:*:1:1:bin:/bin:
daemon:*:2:2:The Devil Himself:/sbin:
adm:*:3:4:adm:/var/adm:
lp:*:4:7:lp:/var/spool/lpd:
...

Scripting Guidelines

To avoid exploitation problems:

Run the server as a non-priviledged user
Maintain the server's host security
Avoid scripting languages on web servers
Do not trust form data
Check all user data and remove all metacharacters

State Variable Manipulation

The HTTP protocol is stateless
A number of different mechanisms are used to store state:
- Cookies
- Hidden fields
- Parameters
  http://www.victim.com?param1=x&param2=y&param3=z
These entities are typically not protected
Attackers can manipulate these entities to alter their identity or authorization

Cross-site Scripting

Attacker stores script on victim site
Attacker tricks user into executing script
Victim user enters confidential data
Attacker uses confidential data against victim user

Bibliography

Practical UNIX and Internet Security, 2nd Edition by Simson Garfinkel and Gene Spafford

Ross Anderson. Security Engineering: A Guide to Building Dependable Distributed Systems, pages 367–371, 379–388. John Wiley & Sons, New York, 2001.
David Geer. E-micropayements sweat the small stuff. Computer, 37(8):19–22, August 2004.
Dieter Gollmann. Computer Security, pages 186–199. John Wiley & Sons, New York, 1999.
U. Homann, M. Rill, and A. Wimmer. Flexible value structures in banking. Communications of the ACM, 47(5):34–36, May 2004.
Michael Howard and David LeBlanc. Writing Secure Code, pages 413–438, 477–516. Microsoft Press, Redmond, WA, second edition, 2003.
Gary McGraw and Edward W. Felten. Securing Java: Getting Down to Business with Mobile Code. Wiley, New York, 1999.
Aviel D. Rubin, Daniel Geer, and Marcus J. Ranum. Web Security Sourcebook. John Wiley & Sons, New York, 1997.
Victoria Skoularidou and Diomidis Spinellis. Security architectures for network clients (http://www.dmst.aueb.gr/dds/pubs/jrnl/2003-IMCS-clisec/html/cli-sec.html). Information Management and Computer Security, 11(2):84–91, 2003.