Security of Web Servers and Web Applications

IT-Security

Software Freedom Kosova 2011

Security of Web Servers and Web Applications

Who‘s Talking?

Amir Neziri lives and works in Germany

Double Degree in Master of Science: Master in Computer Science

and Master in IT-Security from TU-Darmstadt/Germany Currently I’m writing Master Thesis about Data Security in Cloud

Services

Profession: Software Engineer, Consultant for Web- and Software- Security

http://www.linkedin.com/in/amirneziri https://www.xing.com/profile/Amir_Neziri

11/06/2011 | Software Freedom Kosova 2011 | Security of Web Servers and Web Applications |Amir Neziri 2

Security of Web Servers and Web Applications

Why is it so important today?


Motivation – Political Damage




…another shocking news


…another shocking news




Motivation – Economic Damage


Motivation – Economic Damage


So….

Are we last now????


NO!

Agenda

Components and Architecture

Security Attacks

Defenses

Securing (Web) Server

Securing Web Applications

Take home message


Components & Architecture


Security Attacks


Security Attacks


Security Attacks


Security Attacks


Security Attacks


Security Attacks


Defenses


Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe

Securing the operating system

Variety of possible sources of information Federal Office for Information Security (BSI, Germany)

Server Security https://www.bsi.bund.de/cln_156/ContentBSI/grundschutz/kataloge/baust/b0

3/b03.html IT-Security Catalog

National Security Agency (NSA, USA) Recommendations and guidelines for installation and

Configuration of operating systems with focus onsecurity


Security is a Process


Example: Linux Systems




Linux Systems - Installation

Installation from CD Authentic Source Contains no updates

Installation from Network Authentic and trustworthy Source is needed

Minimal Functionality Example: Server Systems do not need GUI

Example Web-Server Installation : Web-Server, Secure-Shell, Secure File Transfer

ATTENTION: Do not use unsecure protocols like FTP




Linux Systems - Configuration

Get all running Services nmap localhost or netstat -lnp --ip netstat -lnp --inet6


Linux Systems - Configuration

Shut down unused Services

Hide Services with Port Knocking Example:

Web Server Service is public hide SFTP-, SSH- Services

Use Onetime Passwords by generating them with Password generators




Linux Systems – Maintenance / Updates

Always update the installed Software

Debian/Ubuntu apt-get update && apt-get upgrade or apt-get update && apt-get dist-upgrade

IMPORTANT: The Kernel should be always up-to-date




Linux Systems - Monitoring

File System Integrity Checker

Open Source Tool for checking Integrity: Tripwire http://www.tripwire.org/ http://sourceforge.net/projects/tripwire/

Analyze Log Files Authentication Errors /-Problems: /var/log/auth.log Web-Access and Errors : /var/log/apache2/*.log


Linux Systems - Monitoring

Automated fraud detection Example sshguard (http://www.sshguard.net/)

SSH-Guard Analyzes Log Files of SSH-Services Detects Attack Attempts and blocks Attacker temporary ( by setting

firewall rules )


Securing Web-Server – Main Steps

1. User- /Groups settings for Web Server Processes 2. File System Settings3. Permissions for executable Software

Nobody except root should write into Binary-Folders of Apache

4. Reduce functions to your needs Apache can be extended with Modules, e.g.: mod_cgi, mod_ssl…

5. Suppress Fingerprinting


Securing Web-Server – Main Steps

6. Restrict used Hardware Resources to avoid DoS-Attacks Change Default TimeOut Restrict HTTP-Requests

7. Restrict access to Web Resources Often resources are not to be accessible for everyone htaccess is a simple mechanism for access Protection htaccess is activated by a file .htaccess to protected directory

(or above in one)


Source: http://www.howtomonster.com/2007/08/12/how-to-restrict-access-to-a-web-site-folder/

Access Control - .htaccess

Simple Example

Site-Configuration controls use of .htaccess files:

AllowOverride None: .htaccess is ignored

AllowOverride All: .htaccess may overwrite (almost) all global settings


Access Control

Structure of the password file:

UserName:Hash

Example: myUser:GxkVrKPk8WSbM

Default Hash-Function: crypt

Created by the tool htpasswd

Transfer of password: As HTTP Header “Authorization” UserName:Password Base64 encoded Example: Authorization: Basic d2lraTpwZWRpYQ==


Web Application Security

Various Sources of Information OWASP Top 10

The Open Web Application Security Project

CWE/SANS Top 25 Common Weakness Enumeration

Exploit Databases http://www.exploit-db.com/webapps/


www.exploit-db.com/webapps/



2011 CWE/SANS Top 25 Most Dangerous Software Errors


Source: http://cwe.mitre.org/top25/


Buffer Overflows: Statistics Still a major threat (e.g. in Internet Explorer or Acrobat Reader, etc.)


Source: http://www.trigonit.com/tech-blog/bid/57835/IT-Support-Wireless-Network-Security-Secure-Encrypt-and-Be-Safe


2010 OWASP Top 10


Source: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Web Application Security - BackTrack

Operating System based on Ubuntu

Pentetrating testing and digital forensics

Available as Live CD or USB


Source: http://www.backtrack-linux.org/screenshots/

Web Application Security - BackTrack

BackTrack arranges tools into 12 categories: Information Gathering Vulnerability Assessment Exploitation Tools Privilege Escalation Maintaining Access Reverse Engineering RFID Tools Stress testing Forensics Reporting Tools Services Miscellaneous


Take Home Message

Web Security is very important for everyone (e.g. e-banking…)

Server Security information sources Federal Office for Information Security (BSI, Germany) National Security Agency (NSA, USA)

Web Applicaiton Security information sources The Open Web Application Security Project (OWASP) Top 10 CWE/EANS Top 25 Exploit Databases

Security Tool: BackTrack


Questions???



Education

Security of Web Servers and Web Applications