A Back-Stage Pass: What Every Hacker Wants Presented by: Art Jones

Upload: rebecca-welch

Posted on 26-Dec-2015


TRANSCRIPT

A Back-Stage Pass: What Every Hacker Wants

Presented by:

Art Jones

A Back-Stage Pass

What does the web do?

What is its purpose?

It is a communications medium, like print or paint or clay or even music… only digital.

Digital = easy to create, change, copy, move.

Easy = cheap to produce, cheap to distribute.

As with any medium, “good don’t come cheap.”

There are very few masters of more than one medium.

A Back-Stage Pass

• A bit of a history lesson

• Clarify some terms

• Understand how modern web systems work

• See where security breaks down

Some basics…

[Diagram: Web Client (browser) and Web Service (with its Disk Drive), connected over the Internet, plus a DNS Server]

1. The user requests the URL http://www.psu.edu/webconference.

2. The browser (through the operating system's resolver) gets the IP address for www.psu.edu from a DNS server.

3. The browser opens a connection to that address on port 80 and sends the request "GET /webconference". (Messages use HTTP; under HTTP/1.1 a Host: header naming www.psu.edu travels with the request, which is how one address can serve several sites.)

4. The web service looks in its /webconference directory. Because no specific file was requested, the service consults its rules and looks for a default document name (index.html, default.htm or similar).

5. The web service then copies that file from its directory back to the browser, again over HTTP.

A very general overview of how a web browser gets a web page.
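Steps 4 and 5 are where the web service turns a URL path into a file on its disk drive, and that is the step that goes wrong when the service trusts the path it was sent. The following is an added example, not code from the presentation: a Python model of that lookup over a constructed in-memory stand-in for the disk. DOCROOT, FAKE_FS, DEFAULT_DOCS and the two resolve functions are assumptions made for illustration. naive_resolve glues the URL path onto the document root and lets the OS resolve the dots; safe_resolve decodes and normalises first, checks the result is still under the docroot, and only then applies the default-document rule from step 4.

```python
import posixpath
from urllib.parse import unquote

# Constructed stand-in for the web service's disk drive: absolute path -> file bytes.
DOCROOT = "/var/www"
FAKE_FS = {
    "/var/www/index.html": b"<h1>home</h1>",
    "/var/www/webconference/index.html": b"<h1>webconference</h1>",
    "/var/www/webconference/agenda.html": b"<p>agenda</p>",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh",  # outside the docroot; must never be served
}
DEFAULT_DOCS = ("index.html", "default.htm")   # the "default name" rule from step 4


def read_file(path):
    """Stand-in for open(): the OS resolves '..' and '//' itself, which is exactly
    why a naive join of docroot + URL path can escape the document tree."""
    return FAKE_FS.get(posixpath.normpath(path))


def _file_or_default(path):
    """Step 4: serve the file if it exists, otherwise try the default documents."""
    data = read_file(path)
    if data is not None:
        return data
    for name in DEFAULT_DOCS:
        data = read_file(path + "/" + name)
        if data is not None:
            return data
    return None


def naive_resolve(url_path):
    """Trusts the request: /../../etc/passwd (or its %2e%2e encoding) walks out of /var/www."""
    return _file_or_default(DOCROOT + unquote(url_path))


def safe_resolve(url_path):
    """Decode, normalise, then refuse anything that no longer lies under DOCROOT."""
    decoded = unquote(url_path)
    if "\x00" in decoded:                 # a NUL would truncate the name in a C-level open()
        return None
    full = posixpath.normpath(posixpath.join(DOCROOT, decoded.lstrip("/")))
    if full != DOCROOT and not full.startswith(DOCROOT + "/"):
        return None                       # traversal attempt: the path escaped the docroot
    return _file_or_default(full)


if __name__ == "__main__":
    for path in ("/webconference", "/", "/../../etc/passwd", "/%2e%2e/%2e%2e/etc/passwd"):
        print("%-30s naive=%r safe=%r" % (path, naive_resolve(path), safe_resolve(path)))
```

The order of operations is the whole point: decode, then normalise, then compare against the docroot. A check done before decoding is fooled by %2e%2e, and a check done on the raw string (say, rejecting ".." substrings) is fooled by the many encodings the OS will still resolve.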

Terms

• Client = computer that wants data

• Server = computer with the data

• Service = software that provides the data

• DNS = Domain Name System

• IP = Internet Protocol

• HTTP = Hyper-Text Transfer Protocol

• HTML = Hyper-Text Markup Language

[Diagram: Web Client (browser), a Corrupted DNS Server and an EVIL Web Server, connected over the Internet]

Things you need to keep in mind:

DNS lookups take time and network bandwidth (usually not much, but consider scaling factors), and DNS servers can be compromised, or their caches poisoned, to re-direct clients. The client then connects to the attacker's server; the web server with the real data is never contacted, and nothing on the client side notices unless the connection is authenticated (see the HTTPS exchange below).

• Client: What's the address for www.psu.edu?

• Corrupted DNS server: www.psu.edu = 000.000.000.666

• Client to the EVIL web server: Give me the data

• EVIL web server: Data: please enter your credit card number…

Things you need to keep in mind:

Web servers generally allow anonymous access to their data resources. This is done by aliasing the unknown internet user to an account known to the server (IUSR_<servername> on IIS; the www-data or apache user for Apache; "Anonymous" in other products). Every file the service reads on behalf of an anonymous visitor is read with that account's permissions in the operating system, so that account's rights define what a stranger can reach.

[Diagram: the conversation between client and web service is anonymous (but can be forced to be authenticated, creating intra/extra-nets); the conversation between the web service and the disk drive is aliased with a known account name]

[Diagram: Web Client (browser), Web Service (with its Disk Drive) and a Certificate Authority Service, connected over the Internet]

Encryption & Authentication

1. Client requests a secure connection to the service (https:, port 443 by default).

2. Service responds: "here is my certificate", that is, its public key together with the host name it was issued for, signed by a certificate authority.

3. Client checks the certificate's signature against the certificate authorities it already trusts (a list shipped with the browser or operating system). It does not normally need to contact the CA for this, although it may ask the CA's revocation service whether the certificate is still good.

4. If the signature checks out and the name in the certificate is the name the user asked for: "looks good to me."

5. Client to web service: <our conversation can be encrypted now>. The public key is used only to set up a session key; the bulk of the conversation is encrypted with that.
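The exchange above is simplified in one place that matters for the poisoned-DNS picture a few slides back: the client does not just check that some trusted CA signed the key, it also checks that the certificate was issued for the host name the user typed. Without that binding, the EVIL server could present any CA-signed certificate it owns and pass step 4. The following is an added example, not code from the presentation, of the name-matching step in Python. The certificate dictionaries are constructed in the shape ssl.getpeercert() returns; accept_server, cert_matches_host and the signature_valid flag are illustrative assumptions (the real signature check is done by the TLS library against the CA roots already on the client).

```python
import ipaddress


def _dns_name_matches(pattern, hostname):
    """Match one DNS subjectAltName entry against a host name.

    Rules (RFC 6125, as browsers apply them): compare case-insensitively,
    ignore a trailing dot, and allow a single '*' only as the whole left-most
    label, matching exactly one label. So *.psu.edu covers www.psu.edu but
    not psu.edu or a.b.psu.edu, and a bare *.edu is not accepted at all."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return p == h
    if p[0] != "*" or len(p) < 3 or any("*" in label for label in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def cert_matches_host(cert, hostname):
    """Does this certificate name the host the user asked for?

    `cert` has the shape ssl.getpeercert() returns, e.g.
    {"subjectAltName": (("DNS", "www.psu.edu"), ("IP Address", "192.0.2.10"))}"""
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:   # an IP literal must match an IP SAN, never a DNS one
        return any(kind == "IP Address" and ipaddress.ip_address(value) == wanted_ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_name_matches(value, hostname)
               for kind, value in sans)


def accept_server(hostname, cert, signature_valid):
    """Step 4 as it should read: two independent checks, both required.

    signature_valid stands in for the chain check the TLS library performs
    against the locally stored CA roots (assumed here, not computed)."""
    if not signature_valid:
        return (False, "certificate not signed by a trusted CA")
    if not cert_matches_host(cert, hostname):
        return (False, "certificate not issued for %s" % hostname)
    return (True, "ok")


# Constructed certificates for the poisoned-DNS scenario on the earlier slide.
GOOD_CERT = {"subjectAltName": (("DNS", "www.psu.edu"), ("DNS", "psu.edu"))}
EVIL_CERT = {"subjectAltName": (("DNS", "evil.example"),)}   # CA-signed, but for the wrong name

if __name__ == "__main__":
    # The user typed www.psu.edu; poisoned DNS sent the connection to the EVIL server.
    print(accept_server("www.psu.edu", EVIL_CERT, signature_valid=True))
    print(accept_server("www.psu.edu", GOOD_CERT, signature_valid=True))
```

This is why the corrupted DNS server on the earlier slide gets the attacker nothing once the site is served over HTTPS and the client keeps host-name checking switched on (ssl.create_default_context() does, via check_hostname): the address may be wrong, but the name the user typed is what the certificate must carry.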

Terms

• Encryption

• Authentication

• PKI (Public Key Infrastructure)

  – Public Key

  – Private Key

• Certificate

• HTTPS


A closer look at web services

• CGI programs allow dynamic web-page content: the HTML is built when a page is requested, instead of existing statically on disk.

• Simple uses would be hit-counters, real-time server reports, generating e-mail from web-based forms, etc.

• A compiled program executes quickly, and the code can be kept outside the document tree (a cgi-bin directory), so it is executed rather than served as a file.

[Diagram: compiled program using the Common Gateway Interface (CGI), started by the web service for each request]


A closer look at web services

• Microsoft's answer to CGI.

• Programs are saved as .DLL files and loaded into the web service's own process.

• The web service recognizes hits to particular file types (extensions) as requests for ISAPI-generated data.

• Used in MS's web-based server administration system.

[Diagram: compiled program using the Internet Server Application Programming Interface (ISAPI). The slides call these ISAPI filters; strictly, an ISAPI extension handles a request, while an ISAPI filter intercepts requests on their way through the service.]


A closer look at web services

• ColdFusion's model: put the web service and the command interpreter in one program.

• This allowed mixing HTML and program code within a single file.

• Primary use is for database-driven web pages.

[Diagram: web service with a built-in command interpreter]


A closer look at web services

• Microsoft introduced Active Server Pages (ASP), which interprets code written in VBScript (or JScript, Microsoft's JavaScript).

• Allowed mixing HTML and programming code in one file.

• Implemented as an ISAPI .DLL, building on their previous system.

• Took advantage of their large base of VB programmers.

[Diagram: ISAPI filter that interprets programming code (ASP, PHP)]


Other Options

[Diagram: the web service hands a request either to an ISAPI filter that interprets programming code or to a compiled program]

Tying to databases

[Diagram: a compiled program or ISAPI filter talks to a separate Database Service]

Tying to databases

[Diagram: an ISAPI filter that interprets programming code talks through ODBC/JDBC to a Database Service (MS-SQL, MySQL, etc.)]

Terms

• CGI

• ISAPI Filter

• ASP/PHP/JSP

• ODBC/JDBC

• CF (ColdFusion)

Security Concerns

[Diagram: compiled program or ISAPI filter talking to a Database Service]

• Scripts typically run in the context of the web service user (usually the anonymous account), so whatever the script can read, an anonymous visitor can in effect read.

• Database services usually maintain their own accounts and security permissions, with some really open defaults (an administrative account with a blank password at install time, for instance).

• Communication between the script and the DB must use a DB account. The script therefore holds that account's credentials, and whatever that account may do, anyone who can drive the script may do.

Web Client

• IE, Netscape/Mozilla

• Crawlers

• Varying platform capabilities (PDAs, etc.)

Client-side operations

• Know your audience.

• Define your audience & give warnings.

• You may have to accommodate non-optimal client platforms (and connections)

Browser

• HTML variants

• Scripting languages (JavaScript, VBScript)

• Plug-ins to handle non-HTML files

• MIME mappings to launch other applications

• Java

Client-side operations

• Browser & other applications launched through the browser run in the context of the user, and will be constrained by the user’s permissions.

• Many e-mail clients work very similarly to web browsers, with scripting, plug-ins, MIME mappings, etc. The big difference is their built-in ability to send messages, allowing worm propagation.

• Biggest security concern is the user

Web Client

• Data-seeking programs

What about XML?

• XML is a markup language like HTML, but with no fixed set of tags: each application defines its own.

• XML can be used to hold data, independently of presentation

Data is transferred in XML-encoded format. It is up to the client program to do something with the data: maybe display it, maybe process it, maybe just store it.

Put these technologies together and you get “Web Services”

• Allows for authoritative sources of data

• Basis for .NET and J2EE architectures.

Lessons:

• Know your specific architecture. Web developers, web and DB admins, and network admins must all cooperate to secure the server side.

• Don’t tell people who don’t need to know. (“…what every hacker wants!”)

• Understand the contexts where programs will run. The servers/services, accounts used at each step, and target clients are all important.

Questions?