A Back-Stage Pass: What Every Hacker Wants. Presented by: Art Jones
TRANSCRIPT
A Back-Stage Pass
What does the web do?
What is its purpose?
It is a communications medium, like print or paint or clay or even music… only digital.
Digital = easy to create, change, copy, move.
Easy = cheap to produce, cheap to distribute.
As with any medium, “good don’t come cheap.”
There are very few masters of more than one medium.
A Back-Stage Pass
• A bit of a history lesson
• Clarify some terms
• Understand how modern web systems work
• See where security breaks down
Some basics…
[Diagram: Web Client (browser), Internet, DNS Server, Web Service, Disk Drive]
1. User requests URL: http://www.psu.edu/webconference.
2. Browser / operating system gets the IP address from the DNS server.
3. Browser opens a connection to the web server’s address, specifying port #80, and issues a message: “GET /webconference”. (Messages use HTTP.)
4. Web service looks in its /webconference directory. Because a specific file was not requested, the service checks its rules and looks for a default name.
5. The web service then copies the file from its directory back to the browser, using HTTP.
A very general overview of how a web browser gets a web page…
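As an added example (not from the slides), here is the browser side of steps 1 to 5 in Python: build_get_request() turns the URL into the HTTP/1.0 message that goes to port 80, and parse_response() reads what the service copies back. No network is used; SAMPLE_RESPONSE is a constructed reply standing in for the default document found in /webconference.

```python
from urllib.parse import urlsplit


def build_get_request(url: str) -> tuple[str, int, bytes]:
    """Return (host, port, request bytes) for a plain http:// URL (steps 1-3)."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        raise ValueError("only http:// URLs are handled in this example")
    host = parts.hostname
    port = parts.port or 80           # step 3: port #80 unless the URL says otherwise
    path = parts.path or "/"          # an empty path means the site root
    if parts.query:
        path += "?" + parts.query
    # Request line, Host header, blank line: the whole HTTP/1.0 "GET" message
    request = f"GET {path} HTTP/1.0\r\nHost: {host}\r\n\r\n".encode("ascii")
    return host, port, request


def parse_response(raw: bytes) -> tuple[int, dict, bytes]:
    """Split the service's HTTP reply (step 5) into status, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])   # "HTTP/1.0 200 OK" -> 200
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


# Constructed reply: the service found the default document in /webconference
# (step 4) and copies it back (step 5).
SAMPLE_RESPONSE = (
    b"HTTP/1.0 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 27\r\n"
    b"\r\n"
    b"<html>Web Conference</html>"
)

if __name__ == "__main__":
    host, port, req = build_get_request("http://www.psu.edu/webconference")
    print(f"connect to {host}:{port} and send:\n{req.decode()}")
    print(parse_response(SAMPLE_RESPONSE))
```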
Terms
• Client = computer that wants data
• Server = computer with the data
• Service = software that provides the data
• DNS = Domain Name Service
• IP = Internet Protocol
• HTTP = Hyper-Text Transfer Protocol
• HTML = Hyper-Text Markup Language
[Diagram: Web Client (browser), Internet, Corrupted DNS Server, EVIL Web Server]
Things you need to keep in mind:
DNS lookups take time and network bandwidth (usually not much, but consider scaling factors), and DNS servers can be hacked to redirect clients. The web server with the real data is never contacted.
The exchange shown in the diagram:
• Client to corrupted DNS server: “What’s the address for www.psu.edu?”
• Corrupted DNS server to client: “www.psu.edu = 000.000.000.666”
• Client to EVIL web server: “Give me the data”
• EVIL web server to client: “Data: please enter your credit card number…”
[Diagram: Internet, Web Service, Disk Drive]
Things you need to keep in mind:
Web servers generally allow anonymous access to their data resources. This is accomplished by aliasing the unknown internet user as an account known to the server (IUSR_Servername, Apache, Anonymous). Data access uses this account’s permissions in the operating system.
The conversation over the Internet is anonymous (but can be forced to be authenticated, creating intra/extra-nets).
The conversation with the disk drive is aliased with a known account name.
[Diagram: Web Client (browser), Internet, Certificate Authority Service, Web Service, Disk Drive]
Encryption & Authentication
1. Client requests secure connection to service (https:; port 8080).
2. Service responds: “here is my public key”.
3. Client to certificate authority: “I am trying to contact a service, here is the key it gave me.”
4. Certificate authority to client: “looks good to me.”
5. Client to web service: <our conversation can be encrypted now>
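As an added example (not from the slides), the following Python toy walks through both the corrupted-DNS diagram and the five steps above: the resolver hands the client the EVIL server’s address, and the certificate check of steps 2 to 4 is what stops the client from sending data there. It is a simulation, not a real TLS stack: the certificate authority is modelled as an HMAC over (hostname, public key) with a CA secret, the servers and DNS answers are constructed dictionaries, and no real keys or network are involved.

```python
import hashlib
import hmac

CA_SECRET = b"constructed-secret-known-only-to-the-CA"


def ca_issue(hostname: str, public_key: bytes) -> dict:
    """CA vouches that public_key belongs to hostname (toy HMAC signature)."""
    msg = hostname.encode() + b"|" + public_key
    return {"host": hostname, "key": public_key,
            "sig": hmac.new(CA_SECRET, msg, hashlib.sha256).digest()}


def ca_verify(cert: dict, expected_host: str) -> bool:
    """Step 4, "looks good to me": signature valid AND name is the one asked for."""
    msg = cert["host"].encode() + b"|" + cert["key"]
    good_sig = hmac.compare_digest(
        hmac.new(CA_SECRET, msg, hashlib.sha256).digest(), cert["sig"])
    return good_sig and cert["host"] == expected_host


# Constructed servers. The EVIL server cannot get the CA to sign www.psu.edu
# for its key, so it presents a forged certificate with a made-up signature.
REAL_CERT = ca_issue("www.psu.edu", b"real-server-public-key")
EVIL_CERT = {"host": "www.psu.edu", "key": b"evil-server-public-key",
             "sig": b"\x00" * 32}
SERVERS = {"10.0.0.1": REAL_CERT, "10.0.0.66": EVIL_CERT}

HONEST_DNS = {"www.psu.edu": "10.0.0.1"}
CORRUPTED_DNS = {"www.psu.edu": "10.0.0.66"}   # the redirected answer


def connect(hostname: str, resolver: dict) -> str:
    """Client side of steps 1-5: resolve, receive key, ask the CA, then decide."""
    ip = resolver[hostname]                 # step 1: whatever DNS says
    cert = SERVERS[ip]                      # step 2: "here is my public key"
    if not ca_verify(cert, hostname):       # steps 3-4: the CA check
        return f"refused: {ip} could not prove it is {hostname}"
    return f"encrypted session with {hostname} at {ip}"   # step 5


if __name__ == "__main__":
    print(connect("www.psu.edu", HONEST_DNS))
    print(connect("www.psu.edu", CORRUPTED_DNS))
```

With an honest resolver the client proceeds to step 5; with the corrupted one it refuses before any data is sent, which is the whole value of the certificate step.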
[Diagram: Internet, Web Service, Compiled Program using the Common Gateway Interface (CGI), Disk Drive]
A closer look at web services
• CGI programs allow dynamic web page content; HTML is built when a page is requested, instead of existing statically on disk.
• Simple uses would be hit counters, real-time server reports, generating e-mail from web-based forms, etc.
• A compiled program executes quickly, and code can be kept elsewhere.
[Diagram: Internet, Web Service, Compiled Program using the Internet Services Application Program Interface (ISAPI; sometimes called ISAPI filters), Disk Drive]
A closer look at web services
• Microsoft’s answer to CGI.
• Programs saved as .DLL files.
• Web service recognizes hits to particular file types as requests for ISAPI-generated data.
• Used in MS’s web-based server administration system.
[Diagram: Internet, Web Service, Command Interpreter, Disk Drive]
A closer look at web services
• Cold Fusion’s model: put the web service and the command interpreter in one program.
• This allowed mixing of HTML and program code within a single file.
• Primary use is for database-driven web pages.
[Diagram: Internet, Web Service, ISAPI filter that interprets programming code (ASP, PHP), Disk Drive]
A closer look at web services
• Microsoft introduced Active Server Pages (ASP), which interprets code in the Visual Basic Script (or JavaScript) language.
• Allowed mixing HTML and programming code.
• Implemented as an ISAPI .DLL file, building on their previous system.
• Took advantage of their large base of VB programmers.
Other Options
[Diagram: Internet, Web Service, ISAPI filter that interprets programming code, Compiled Program, Disk Drive]
Tying to databases
[Diagram: Internet, Web Service, ISAPI filter that interprets programming code, ODBC/JDBC, Database Service (MS-SQL, MySQL, etc.), Disk Drive]
Security Concerns
[Diagram: Compiled program or ISAPI filter, Database Service]
• Scripts are typically run in the context of the web service user (usually an anonymous account).
• Database services usually maintain their own accounts and security permissions (with some really open defaults).
• Communication between the script and the DB must use a DB account.
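As an added example (not from the slides), here is a small Python CGI program of the kind described under “A closer look at web services”, written to also show the three points above: it reports the account the script runs under (the web service’s alias, not the visitor’s) and opens the database through a separate, read-only DB connection rather than with the web user’s permissions. sqlite3 has no user accounts, so the read-only DB account is modelled by opening the file with mode=ro; the hits table is constructed sample data, and a network database would use its own login instead.

```python
import getpass
import os
import sqlite3

SAMPLE_DB = "sample_hits.db"   # constructed sample database, created below


def seed_sample_db(path: str, hits: int) -> None:
    """Create a throw-away hits table so the script can run offline."""
    conn = sqlite3.connect(path)
    conn.execute("DROP TABLE IF EXISTS hits")
    conn.execute("CREATE TABLE hits (note TEXT)")
    conn.executemany("INSERT INTO hits VALUES (?)", [("sample",)] * hits)
    conn.commit()
    conn.close()


def db_connect(path: str) -> sqlite3.Connection:
    """Open the DB with only the privilege this page needs: read-only."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def write_allowed(conn: sqlite3.Connection) -> bool:
    """True if this DB account can insert; the report account should not."""
    try:
        conn.execute("INSERT INTO hits VALUES ('probe')")
        return True
    except sqlite3.OperationalError:
        return False


def run_as() -> str:
    """OS account the script runs under: the web service's alias, not the visitor."""
    try:
        return getpass.getuser()
    except (OSError, KeyError):
        return "unknown"


def build_report(environ: dict, conn: sqlite3.Connection) -> str:
    """Complete CGI response: header, blank line, HTML built at request time."""
    count = conn.execute("SELECT COUNT(*) FROM hits").fetchone()[0]
    body = (
        "<html><body>\n"
        f"<p>Hits so far: {count}</p>\n"
        f"<p>Request from: {environ.get('REMOTE_ADDR', 'unknown')}</p>\n"
        f"<p>Script runs as: {run_as()}</p>\n"
        "</body></html>\n"
    )
    return "Content-Type: text/html\r\n\r\n" + body


if __name__ == "__main__":
    seed_sample_db(SAMPLE_DB, 3)          # a real deployment has a real DB
    print(build_report(os.environ, db_connect(SAMPLE_DB)), end="")
```

Every visitor who triggers this script gets the same run_as() account and the same read-only DB rights, which is exactly why those two accounts, not the visitor’s, are what to lock down.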
[Diagram: Web Client, Internet]
Web Client
• IE, Netscape/Mozilla
• Crawlers
• Varying platform capabilities (PDA’s, etc.)
Client-side operations
• Know your audience.
• Define your audience & give warnings.
• You may have to accommodate non-optimal client platforms (and connections).
[Diagram: Browser, Internet]
Browser
• HTML variants
• Scripting languages (JavaScript, VB-Script)
• Plug-ins to handle non-HTML files
• MIME mappings to launch other applications
• Java
Client-side operations
• Browser & other applications launched through the browser run in the context of the user, and will be constrained by the user’s permissions.
• Many e-mail clients work very similarly to web browsers, with scripting, plug-ins, MIME mappings, etc. The big difference is their built-in ability to send messages, allowing worm propagation.
• Biggest security concern is the user.
[Diagram: Web Client (data-seeking programs), Internet]
What about XML?
• XML is just another language like HTML.
• XML can be used to hold data, independently of presentation.
Data is transferred in XML-encoded format. It is up to the client program to do something with the data: maybe display it, maybe process it, maybe just store it.
Put these technologies together and you get “Web Services”:
• Allows for authoritative sources of data.
• Basis for .NET and J2EE architectures.
Lessons:
• Know your specific architecture. Web developers, web and DB admins, and network admins must all cooperate to secure the server side.
• Don’t tell people who don’t need to know. (“…what every hacker wants!”)
• Understand the contexts where programs will run. The servers/services, accounts used at each step, and target clients are all important.