Experiential Learning Workshop on Web Security Basics

July 18, 2018

Dr. Ram P Rustagi, Professor, CSE Dept
KSIT, Bangalore
[email protected]
+91-8970000559

Resources & Acknowledgements

• Resources
  – https://rprustagi.com/ELNT/Experiential-Learning.html
  – Articles in ACCS Journal
    • https://acc.digital/experiential-learning-of-networking-technologies-4/
    • www.github.com/rprustagi
• Slides
  – https://www.rprustagi.com/workshops/ieee/nita
• Example web pages, and programs
  – https://www.rprustagi.com/workshops/programs

Day 2: Understanding Web Security

• Overview of HTTP/HTTPS
• SSL certificate management
• HTTPS deployment challenges
• HO1: Deploying SSL, click-thru browser warnings
• HTTP mixed content, lock icons
• HO2: Using mixed content
• MITM challenges, and ARP spoofing
• MITM with browser and information stealing
• HO3: Implementing MITM with sslstrip
• Understanding HSTS protocol, CSP
• HO4: Implementing CSP and HSTS
• Summary

Experimental Setup-1

(Figure: hosts Ha 10.1.1.1/24 and Hb 10.1.1.2/24 connected to switch S1; a third switch port is the uplink to the Internet.)

Experimental Setup-2

(Figure: hosts Ha 10.1.1.1/24, Hb 10.1.1.2/24 and Hc 10.1.1.3/24 connected to switch S1; a further switch port is the uplink to the Internet.)

Day 1: Understanding Network Layer

• Overview
• Networking tools: wireshark, nc, wget, ssh
• Review of IP and TCP headers
• HO1: wireshark, IP and TCP headers
• Routing & Forwarding, Subnetting, Unicast/Broadcast
• HO2: Routing, subnetting, traceroute analysis
• IP fragmentation, PMTU discovery
• Understanding ICMP, NAT
• HO3: ICMP errors: Fragmentation, TTL expiry
• Understanding ARP, Proxy ARP, DHCP, GARP
• HO4: Static ARP, Proxy ARP, GARP
• Summary


HTTPS Protocol

• Secure web communication requirements
  – Authentication
  – Confidentiality
  – Data integrity
• Authentication
  – Client authentication by the server, by many means
    • Credentials, biometrics, OTP (SMS), …
    • Certificate based (not prevalent)
  – Server authentication by the client
    • Clients are not tech savvy
    • The browser should do it automatically and seamlessly

Web Communication Security

• Confidentiality
  – Communication free from snooping
  – Responsibility assumed to lie with the web application
  – The client takes it for granted
• Integrity
  – Communication safe from alteration
  – Responsibility lies with the web application
• Security
  – Has to be intrinsic to the browser and the web application
  – Practically impossible to educate all end users


HTTPS Authentication

• The server provides a website certificate, containing
  – Website name, e.g. mywww.com
  – Certificate validity period (typically 1 year)
  – The server's public key, signed by the issuing certificate authority (CA)
• Authentication mechanism
  – The browser checks all 3 pieces of information: the name matches the URL typed, the current time falls inside the validity period, and the signature chains to a CA in the browser's trust store
  – Any violation flags a warning
    • User has to click-thru to proceed
• Examples (each one produces a warning):
  – https://172.217.166.100   # a Google IP; the certificate's names do not include the bare IP address
  – https://myweb.com         # Google IP in /etc/hosts; the certificate is not issued for this name
  – https://mywww.com         # self signed certificate; the issuer is not a trusted CA
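The three checks listed above, worked through as an added example (this is not the workshop's code): the certificate is a constructed Python dict in the layout that ssl.SSLSocket.getpeercert() returns, the trust store is a constructed set of issuer names standing in for the real signature check, and the hosts tested include the slide's bare-IP and self-signed cases.

```python
"""Emulate the three checks a browser performs on a server certificate (name,
validity period, trusted issuer).  Added example, not from the workshop slides.
The certificate is a constructed dict in the layout returned by Python's
ssl.SSLSocket.getpeercert(); it is not a real certificate."""
import ipaddress
import ssl

# Constructed sample: a CA-issued certificate for mywww.com, valid for one year.
SAMPLE_CERT = {
    "subject": ((("commonName", "mywww.com"),),),
    "issuer": ((("organizationName", "Example Trust CA"),),),
    "subjectAltName": (("DNS", "mywww.com"), ("DNS", "*.mywww.com")),
    "notBefore": "Jul 01 00:00:00 2018 GMT",
    "notAfter": "Jul 01 00:00:00 2019 GMT",
}
# Constructed trust store: issuer organisations this "browser" is configured to trust.
TRUSTED_ISSUERS = {"Example Trust CA"}


def name_matches(cert, host):
    """Check 1: does the requested host appear in the certificate's names?
    Exact DNS match, or a wildcard that covers exactly one label (RFC 6125).
    An IP literal (https://172.217.166.100) only matches an 'IP Address' SAN
    entry, never a DNS entry, which is why that URL warns even for a valid cert."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
            continue
        if kind != "DNS":
            continue
        if value.lower() == host.lower():
            return True
        if (value.startswith("*.") and host.count(".") == value.count(".")
                and host.lower().endswith(value[1:].lower())):
            return True
    return False


def in_validity_period(cert, now):
    """Check 2: notBefore <= now <= notAfter (now in seconds since the epoch)."""
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    return start <= now <= end


def issuer_trusted(cert, trusted=TRUSTED_ISSUERS):
    """Check 3: was the certificate issued by a CA in the trust store?
    (A real browser verifies the CA's signature over the certificate; here the
    issuer name stands in for that signature check.)"""
    return any(key == "organizationName" and value in trusted
               for rdn in cert["issuer"] for key, value in rdn)


def browser_warnings(cert, host, now, trusted=TRUSTED_ISSUERS):
    """Return the warnings a browser would raise; an empty list means no click-through."""
    warnings = []
    if not name_matches(cert, host):
        warnings.append("name mismatch")
    if not in_validity_period(cert, now):
        warnings.append("outside validity period")
    if not issuer_trusted(cert, trusted):
        warnings.append("untrusted issuer")
    return warnings


if __name__ == "__main__":
    now = ssl.cert_time_to_seconds("Jan 15 12:00:00 2019 GMT")
    for host in ("mywww.com", "www.mywww.com", "a.b.mywww.com", "172.217.166.100"):
        print(host, browser_warnings(SAMPLE_CERT, host, now))
    # A self-signed certificate fails check 3: its issuer is itself, not a trusted CA.
    print("self-signed:", browser_warnings(SAMPLE_CERT, "mywww.com", now, trusted=set()))
```

Running it shows the two name-mismatch cases from the slide (the bare IP, and a name the certificate was not issued for) separately from the self-signed case, which passes the name and date checks and fails only on the issuer.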

HTTPS Communication

• Data confidentiality
  – Using the SSL/TLS protocol, the browser sets up a shared session key with the web server
  – This session key is used to encrypt/decrypt the data exchanged between browser and web server
• Certificate authorities
  – The browser is configured with a large number of certificate authorities (its root store)
  – It accepts certificates only from these, e.g.
    • Amazon, Entrust, GeoTrust, GoDaddy, Thawte, VeriSign

HTTPS Communication

• SSL/TLS supports client certificates
  – Rarely seen in practice
  – When used, may not require a credentials-based mechanism
• Wireshark supports session decryption, provided
  – the session key is known (e.g. exported by the browser via SSLKEYLOGFILE), or
  – the web server's private key is known; this recovers the session key only for RSA key exchange, not for (EC)DHE ciphersuites
• Possible for self signed certificates, since in the lab you hold the server's private key

SSL Certificates

• General process
  – Create a private and public key pair for the owned website
  – Generate a Certificate Signing Request (CSR)
  – Send the CSR to a certificate issuing authority (CA)
  – Pay for the certificate
  – The CA verifies the request, website ownership details, etc.
  – The CA issues the certificate
  – Install the certificate, together with the private key, on the web server

SSL Certificates

• Certificate types
  – DV (Domain Validation): the basic type
    • Web server authentication and encryption only; proves control of the domain, nothing about the business behind it
  – OV (Organization Validation) certificate
    • Verifies the actual business that is requesting it
    • Organization name is listed in the certificate
  – Extended Validation (EV)
    • Provided a green address bar in the browser (major browsers dropped this indicator in 2019)
    • Requires a stronger authentication process to confirm the identity of the business


HTTPS and Proxy Setup

• HTTPS deployment challenges with proxies and networks that require authentication (captive portals)
  ❖ The network site hijacks the URL
    ❖ e.g. public hotspots, colleges
  ❖ Redirects to an authentication URL
  ❖ On successful authentication, the user is permitted access
  ❖ This setup does not work with HTTPS
    ❖ On hijack of HTTPS traffic, the portal cannot present a valid certificate for the site the user asked for
    ❖ Browser throws a warning

HTTPS Deployment

• Can a single (same) certificate be installed on multiple servers?
• Deploy a wildcard certificate for subdomains vs individual per-subdomain certificates
• Can the server be forced to use only HTTPS and disable HTTP?
• How does caching work with HTTPS, especially for public caches?
• Reverse proxy (load balancer) and web servers
• L7 load balancing
• Migrating entire content to HTTPS


Hands On 1: SSL Enabled Website

• Generate an SSL certificate valid for 1 day
• Install the SSL certificate on the web server
• Access the web pages using HTTPS and analyze the warning
• Accept the certificate exception in the browser
• Re-access the web page with HTTPS
• Change the system date by a few days (e.g. to before the start of the certificate's validity period, or past its end), access the web page with HTTPS again and analyze
• Access the site with a different name (or the IP address) and analyze


Example Resources

• Create your own content or download from the following URLs
  – https://rprustagi.com/workshops/web/pure.html
  – https://rprustagi.com/workshops/web/mixed.html
  – https://rprustagi.com/workshops/web/mixed-active.html
  – https://rprustagi.com/js/mywww.js

Mixed Content Webpage

(Screenshots of the browser lock icon in three states:)
• Secure, no mixed content
• Potentially insecure, passive content is not blocked
• Potentially insecure, active content is not blocked

Pure Content

    <body>
      <h2>Img01 with inherited security</h2>
      <h2>Img02 with insecure access.</h2>
      <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
      <img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
    </body>

Mixed Content

    <body>
      <h2>Img01 with inherited security</h2>
      <h2>Img02 with insecure access.</h2>
      <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
      <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
    </body>

Active Mixed Content

    <body>
      <script src="http://rprustagi.com/js/mywww.js"></script>
      <h1>Mixed Content Demonstration</h1>
      <button type="button" onclick="hello()">insecure access</button>
      <h2>Image 02 with insecure access.</h2>
      <img src="//rprustagi.com/img/img-02.jpg" alt="Img 02">
    </body>

Active Mixed Content - javascript

URL: http://rprustagi.com/js/mywww.js

    function hello() {
      alert("Hello");
    }
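The distinction the three pages above demonstrate, as an added example that is not part of the workshop material: a classifier that resolves each subresource reference against the page URL and labels it as secure, passive mixed content or active mixed content. The sample pages are constructed from the slides' snippets; the element lists are the ones browsers use for the passive/active split.

```python
"""Classify a page's subresources the way a browser does when the page was
loaded over HTTPS: secure, passive mixed content (img/audio/video) or active
mixed content (script/iframe/stylesheet/object).  Added example, not the
workshop's code; the sample pages are constructed from the slides' snippets."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content can run code or rewrite the page, so browsers block it outright.
ACTIVE = {("script", "src"), ("iframe", "src"), ("object", "data"),
          ("embed", "src"), ("link", "href")}      # link only when rel=stylesheet
# Passive content is display-only; browsers load it but downgrade the lock icon.
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src"), ("source", "src")}


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, raw URL) for every subresource reference."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            if "stylesheet" in (a.get("rel") or "").lower() and a.get("href"):
                self.refs.append((tag, "href", a["href"]))
            return
        for attr in ("src", "data"):
            if ((tag, attr) in ACTIVE or (tag, attr) in PASSIVE) and a.get(attr):
                self.refs.append((tag, attr, a[attr]))


def classify(page_url, html):
    """Return {'page_https': bool, 'ok': [...], 'passive': [...], 'active': [...]}.

    Scheme-relative references (//host/path) inherit the page's scheme, which
    is why img-01 on the slides is fine on an HTTPS page; an explicit http://
    reference is mixed content no matter how the page itself was loaded.
    On a plain-HTTP page nothing is 'mixed': the whole page is insecure."""
    page_https = urlsplit(page_url).scheme == "https"
    collector = _RefCollector()
    collector.feed(html)
    result = {"page_https": page_https, "ok": [], "passive": [], "active": []}
    for tag, attr, ref in collector.refs:
        url = urljoin(page_url, ref)          # resolves // and relative references
        if not page_https or urlsplit(url).scheme == "https":
            result["ok"].append(url)
        elif (tag, attr) in ACTIVE:
            result["active"].append(url)
        else:
            result["passive"].append(url)
    return result


# Constructed sample pages, condensed from the slides' pure/mixed/mixed-active pages.
PURE = ('<body><img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">'
        '<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')
MIXED = ('<body><img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">'
         '<img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')
MIXED_ACTIVE = ('<body><script src="http://rprustagi.com/js/mywww.js"></script>'
                '<button type="button" onclick="hello()">insecure access</button>'
                '<img src="//rprustagi.com/img/img-02.jpg" alt="Img 02"></body>')

if __name__ == "__main__":
    for name, page in (("pure", PURE), ("mixed", MIXED), ("mixed-active", MIXED_ACTIVE)):
        for scheme in ("https", "http"):
            print(name, scheme, classify(f"{scheme}://mywww.com/{name}.html", page))
```

The same pages fetched over http:// come back with everything under "ok", which is the point of Hands-On 2's "access with HTTP, then with HTTPS" comparison: mixed-content warnings only exist once the page itself is secure.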

Insecure Password Field in Form

• Quite often, web developers use a form with <input type="password" …> in it.
• When this form is served over HTTP, the password travels in the clear: insecure access.
• Browsers are by default configured to warn when a password field appears on, or is submitted over, plain HTTP.

AICTE Insecure Access: Firefox

(Screenshot only.)

AICTE Insecure Access: Chrome

(Screenshot only.)

AICTE Web Portal: No HTTPS

(Screenshot only.)


Setup Requirement

(Figure only.)

Hands-On 2

• Create two web pages
  – one with mixed passive content
  – the other with mixed active content
• Deploy these web pages on your web server configured with the (self signed) SSL certificate
• Import the certificate into the browser's certificate store
• Access these URLs with HTTP (Firefox)
• Access these URLs with HTTPS (Firefox)
  – Analyze the difference
• Create a simple web form with a password field
• Access the web form using HTTP, i.e. no HTTPS


ARP - Address Resolution Protocol

• Packet delivery to a host requires two addresses
  • Logical address - IP address
  • Physical address - MAC address
• Need to find the mapping from logical to physical
• ARP is used - RFC 826

Fig Src: Forouzan - Data Communication and Networking, SIE

ARP - 4 cases

(Figure: the four ARP cases. Src: Forouzan)

ARP

• ARP Request and Reply
  – ARP Request is broadcast
  – ARP Reply is unicast
• Other forms of ARP
  – Proxy ARP (RFC 1027)
  – Reverse ARP (RFC 903)
  – Gratuitous ARP

Proxy ARP

• The router (Proxy ARP server) replies to ARP requests on behalf of the hosts behind it
• Used when
  – splitting a network without changing the hosts' netmask
  – taking care of statically configured machines
  – Mobile IP

Src: Forouzan

Reverse ARP

• Reverse ARP (RARP)
  – RFC 903
  – Used for diskless stations
  – Organization does not have enough IP addresses
  – Target is the MAC broadcast, which does not cross the router
  – Needs one RARP server for each subnet
• BOOTP
  – Improvement over RARP
  – Has a relay agent to forward across networks
  – Has a static mapping of MAC to IP
    • Manageability issues
• DHCP - replaces BOOTP

Gratuitous ARP

• Ref: http://wiki.wireshark.org/Gratuitous_ARP
• Gratuitous ARP Request
  – Both src and dst IP are set to that of the sending machine
  – dst MAC is broadcast, i.e. ff:ff:ff:ff:ff:ff
  – Ordinarily, no reply occurs
    • If another machine already holds that IP, it may respond
• Gratuitous ARP Reply
  – A reply for which no request has occurred

Gratuitous ARP

• Why Gratuitous ARP
  – Helps detect IP conflicts
    • If a machine receives a G-ARP request for its own IP, it implies an IP conflict
  – Helps in updating other machines' ARP tables
    • Used in clustering solutions, when an IP is moved
  – Helps inform the switch to update its port table
  – Each time an interface comes up (after being down), it sends a G-ARP
• Practice: use send_arp or arpspoof (dsniff package) to perform gratuitous ARP

DHCP: Dynamic Host Configuration Protocol

• Goal: allow a host to dynamically obtain its IP address from a network server when it joins the network
  • Renew its lease after lease expiry
  • Preferably gets the same address
  • Client can reuse its address
  • Support for mobile users who want to join
  • Guarantee one address will be assigned to only one client
  • Retain DHCP client address across reboots
    • Not guaranteed
  • Retain DHCP client configs across server reboots
  • Must coexist with statically assigned addresses
  • Interoperate with BOOTP relay agents

DHCP: Dynamic Host Configuration Protocol

• DHCP overview:
  – an extension of the BOOTP mechanism
  – host broadcasts a "DHCP discover" msg
  – DHCP server responds with a "DHCP offer"
    • more than one server can make an offer
    • client can choose which server to use
  – host requests the IP address: "DHCP request" msg
  – DHCP server confirms the address: "DHCP ack" msg
  – Renewal happens with DHCP request/ack
  – On completion, client sends DHCP release
    • practically not seen

DHCP: more than IP addresses

• DHCP can return more than just an allocated IP address on the subnet:
  • address of the first-hop router for the client
  • name and IP address of the DNS server
  • network mask (indicating network versus host portion of the address)


What is a MITM Attack

• An attack where the attacker secretly relays, and possibly alters, the communication between two parties
• While the parties believe that they are directly communicating with each other

Typical E-commerce Traffic

(Figure: User to ecomm.site)

• Typical usage: User enters ecomm.site
• Gets the web page displayed
• Proceeds with the transaction

Typical E-commerce Traffic Setup

(Figure: User-A and User-X on the same AP/Router, reaching ecomm.site.)

User-A to ecomm.site:
1. http://ecomm.site
2. 302 Redirect to https://ecomm.site
3. New request to https://ecomm.site
4. Setup of HTTPS session
5. Secure data exchange

Typical E-commerce Traffic with MITM

• Typical usage: User enters ecomm.site
• MITM attacker hijacks the URLs and changes the network settings
• All the back and forth traffic goes via the attacker
• User gets the web page displayed
• Proceeds with the transaction

MITM with ARP Spoofing

(Figure: hosts A, B and C (172.25.4.x, .y, .z) on one LAN)

• Objective: when A & C communicate, B can snoop
  ❖ Use ARP spoofing to fool A & C into sending via B
  ❖ Attacker machine B
    ❖ Becomes a router to forward traffic
    ❖ Runs tcpdump to capture traffic
  ❖ Why does ARP spoofing work? ARP replies carry no authentication, and hosts update their cache on any reply, even one they never asked for

MITM Attack

❖ Convert B into a router
  ❖ sudo sysctl -w net.ipv4.ip_forward=1
❖ Install the ARP spoofing tool on B
  ❖ sudo apt install dsniff
❖ Issue the arpspoof command on B for A & C
  ❖ arpspoof -i <i/f> -t <Address of A> -r <Address of C>
  ❖ -t names the victim whose ARP cache is poisoned; -r also poisons C, so both directions pass through B
❖ Run wireshark on B for the IP addresses of A & C
  ❖ capture filter: host <A> or host <C>
❖ Let A & C chat (nc)
❖ Observe the traffic between A and C in wireshark on B
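Why the arpspoof step above works, and what the IT department of a later slide could alert on, as an added example (not from the workshop or from dsniff): it builds the same kind of ARP reply arpspoof sends, feeds it to a model of the victim's ARP cache and to an arpwatch-style detector. All MAC and IP addresses are constructed and nothing is sent on the network.

```python
"""Build and parse the ARP frames arpspoof sends, then show why the attack
works: a victim's cache accepts an unsolicited reply and overwrites its entry
for the router.  An arpwatch-style detector is included because a changed
IP-to-MAC binding is exactly what an IT department could alert on.
Added example, not from the workshop or dsniff; all addresses are constructed
and nothing is sent on the wire."""
import socket   # used only for inet_aton / inet_ntoa
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = bytes.fromhex("ffffffffffff")


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet frame carrying an RFC 826 ARP packet (IPv4 over Ethernet).
    Requests are broadcast; replies are unicast to the target."""
    dst = target_mac if op == ARP_REPLY else BROADCAST
    eth = struct.pack("!6s6sH", dst, sender_mac, ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s",
                      1, 0x0800, 6, 4, op,              # htype, ptype, hlen, plen, opcode
                      sender_mac, socket.inet_aton(sender_ip),
                      target_mac, socket.inet_aton(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not an ARP frame."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    _h, _p, _hl, _pl, op, smac, sip, tmac, tip = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op,
            "sender_mac": mac_text(smac), "sender_ip": socket.inet_ntoa(sip),
            "target_mac": mac_text(tmac), "target_ip": socket.inet_ntoa(tip)}


class ArpCache:
    """Models the victim: ARP has no authentication and most stacks update the
    cache on any reply, solicited or not.  That is the whole reason spoofing works."""

    def __init__(self):
        self.table = {}

    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt and pkt["op"] == ARP_REPLY:
            self.table[pkt["sender_ip"]] = pkt["sender_mac"]
        return pkt


class ArpWatch:
    """Models the defender: remember the first MAC seen for each IP and alert
    whenever a later ARP packet claims a different one."""

    def __init__(self):
        self.bindings = {}
        self.alerts = []

    def process(self, frame):
        pkt = parse_arp(frame)
        if pkt is None:
            return
        known = self.bindings.setdefault(pkt["sender_ip"], pkt["sender_mac"])
        if known != pkt["sender_mac"]:
            self.alerts.append(f"{pkt['sender_ip']}: {known} -> {pkt['sender_mac']}")


def demo():
    """A legitimate reply from the router, then the reply that
    arpspoof -t <victim> -r <router> sends to the victim: the router's IP with
    the attacker's MAC.  Returns (victim's entry for the router, detector alerts)."""
    router_ip, victim_ip = "172.25.4.1", "172.25.4.10"
    router_mac, victim_mac, attacker_mac = (mac("02:00:00:00:00:01"),
                                            mac("02:00:00:00:00:0a"),
                                            mac("02:00:00:00:00:bb"))
    legit = build_arp(ARP_REPLY, router_mac, router_ip, victim_mac, victim_ip)
    spoof = build_arp(ARP_REPLY, attacker_mac, router_ip, victim_mac, victim_ip)
    cache, watch = ArpCache(), ArpWatch()
    for frame in (legit, spoof):
        cache.process(frame)
        watch.process(frame)
    return cache.table[router_ip], watch.alerts


if __name__ == "__main__":
    entry, alerts = demo()
    print("victim now sends router traffic to", entry)
    print("detector alerts:", alerts)
```

The cache ends up pointing the router's IP at the attacker's MAC after a single unsolicited reply, while the detector raises one alert for the changed binding; a real deployment would feed it frames from a capture on the switch's mirror port instead of the constructed pair.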


Typical E-commerce Traffic w/ MITM

(Figure: User-X, the MITM attacker, sits between User-A and the AP/Router on the path to ecomm.site.)

1. User-A: http://ecomm.site (delivered to User-X because of the ARP spoofing)
2. User-X: http://ecomm.site forwarded to ecomm.site
3. 302 Redirect to https://ecomm.site (arrives at User-X)
4. User-X: new request to https://ecomm.site
5. Setup of HTTPS session between User-X and ecomm.site
6a. HTTP response and data exchange between User-A and User-X
6b. Secure data exchange between User-X and ecomm.site, with eavesdropping

Traffic Flow with MITM Attacker

• Step 0: Attacker sets up the hostile environment
  ❖ Using ARP spoofing
    ❖ Open source package dsniff
    ❖ Makes silent ARP changes in the victim machine
    ❖ Makes silent ARP changes in the local router
    ❖ All traffic between user and router goes via the attacker
  ❖ Using sslstrip
    ❖ sudo apt install sslstrip
    ❖ Open source package sslstrip
    ❖ Rewrites HTTPS URLs in relayed pages to HTTP, and speaks HTTPS to the server on the victim's behalf

Traffic Flow with MITM Attacker

• Step 1: User types ecomm.site in the browser
• Step 2: HTTP packets, instead of going to the local router, are delivered to the attacker's system
  ❖ Pkt still has src IP of the victim, and dst IP of ecomm
• Step 3: Attacker forwards the request via the local router to ecomm.site (becomes the initiator)
• Step 4: ecomm server sends a redirect to https
• Step 5: Local router sends the HTTP response (IP packet) to the attacker instead of the victim
  ❖ Pkt has src IP of ecomm, and dst IP of the victim
• Step 6: Attacker initiates the HTTPS request to ecomm
• Step 7: ecomm site responds with the web page

Traffic Flow with MITM Attacker

❖ Step 8: Attacker manipulates the web page
  ❖ Replaces all references to HTTPS with HTTP
  ❖ sslstrip does it automatically
❖ Step 9: Victim sees the same look and feel as before
  ❖ Does not notice that it is not HTTPS
❖ Step 10: Victim enters credentials and sends them
❖ Step 11: The HTTP packet with the credentials is delivered to the attacker
  ❖ Attacker records the information (e.g. with tcpdump)
  ❖ Forwards the credentials on HTTPS to ecomm
❖ Summary: the ecomm site believes everything is HTTPS, which is true for its own leg. The victim is unaware of the data theft.

Page 58: Experiential Learning Workshop on Web Security Basics · • SSL certificate management • HTTPS deployment challenges • HO1: Deploying SSL, click thru browser warnings • HTTP

Why MITM Works
• User does not enter HTTPS with the URL; it just types ecomm.site
• A typical user is not aware that credential information should be entered only if there is a green lock symbol before the URL
• User has no knowledge of how L3 and L2 of networking work
  ❖ Has no means of verifying that data is going not to the local router but to an attacker
• Any IT dept (of an organization) is typically short-staffed and believes that no attacks are happening internally


Web Scenarios for MITM
• Plaintext HTTP mechanism
  ❖ Simple ARP spoofing is good enough
• HTTPS access reached via a redirect from HTTP
  ❖ SSLStrip is helpful for the attacker
• Using HSTS
  ❖ First-time usage is hackable


Avoiding MITM Attacks?
• Sol 1: Educate the user
  ❖ User must enter HTTPS before the URL
  ❖ Practically not possible to educate a billion users
• Sol 2: Require browser vendors to initiate all traffic with HTTPS
  ❖ Proxies won't work
  ❖ URL hijack for auth won't work
  ❖ Note: Chrome marks HTTP sites as "Not secure"
• Sol 3: Empowering IT
  ❖ IT dept runs MITM tools and detects any MITM activities
  ❖ Challenge: Typical IT is not capable


Avoiding MITM Attacks?
• Sol 4: A responsible website responds only to HTTPS
  ❖ Does not respond to HTTP
  ❖ Challenge: User still enters HTTP
  ❖ It will lose business when the user does not see a response
  ❖ Entity does not want to lose business
• Sol 5: Make ARP entries static in the router and the victim m/c
  ❖ Challenge: Practically impossible
  ❖ User needs to understand how ARP works


Hands-On 3
• Implement ARP Spoofing
  – Run the ARP spoofing command on X (attacker)
    • Spoof MAC address MACA on B to MACX on B
    • Spoof MAC address MACB on A to MACX on A
  – Convert X into a router
  – Initiate a chat between A and B
  – Snoop on the chat communication between A and B and see the data of the chat communication on X
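The detection side of Hands-On 3 and of "Sol 3: Empowering IT" above, as an added example that is not part of the workshop material: a small ARP-reply monitor fed with constructed observations in which X answers for both A and B. IP and MAC values are placeholders.

```python
"""Detect ARP-cache poisoning from a stream of ARP replies.

Added example (not from the workshop slides): the kind of monitor an IT
dept could run on a mirror port, fed here with constructed replies that
mirror Hands-On 3 (X claims A's and B's IP with its own MAC, MACX).
"""
from collections import defaultdict

# Constructed sample: (sender IP, sender MAC) as seen in ARP replies on the LAN.
# Addresses are placeholders, not real hosts.
ARP_REPLIES = [
    ("10.0.0.1", "aa:aa:aa:aa:aa:0a"),   # A answers for itself (MACA)
    ("10.0.0.2", "bb:bb:bb:bb:bb:0b"),   # B answers for itself (MACB)
    ("10.0.0.1", "cc:cc:cc:cc:cc:0c"),   # X (MACX) claims to be A: spoof
    ("10.0.0.2", "cc:cc:cc:cc:cc:0c"),   # X (MACX) claims to be B: spoof
]


def detect_arp_spoofing(replies, protected_ips=()):
    """Return a list of alert strings.

    Two signals: an IP whose MAC changes after being learned (the classic
    poisoning symptom), and one MAC answering for two or more protected
    hosts (the X-in-the-middle pattern).  Legitimate events (NIC swap,
    IP aliasing) trigger it too, so alerts are for a human to confirm.
    """
    learned = {}                 # ip -> first MAC seen for it
    claims = defaultdict(set)    # mac -> set of IPs it has answered for
    reported = set()             # MACs already flagged for multi-host claims
    alerts = []
    for ip, mac in replies:
        mac = mac.lower()
        claims[mac].add(ip)
        if ip in learned and learned[ip] != mac:
            alerts.append(f"MAC change for {ip}: {learned[ip]} -> {mac}")
        learned.setdefault(ip, mac)
        hijacked = claims[mac] & set(protected_ips)
        if len(hijacked) >= 2 and mac not in reported:
            reported.add(mac)
            alerts.append(f"{mac} answers for several protected hosts: "
                          + ", ".join(sorted(hijacked)))
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(ARP_REPLIES, ("10.0.0.1", "10.0.0.2")):
        print("ALERT:", line)
```

Static ARP entries (Sol 5) remove the symptom entirely; this monitor is the cheaper alternative when that is impractical.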


HTTP Strict Transport Security
❖ HSTS: https://tools.ietf.org/html/rfc6797
❖ A mechanism incorporated by the web server
❖ Instructs the browser to always initiate requests with HTTPS
  ❖ Even if the user enters http://<website>
❖ Ensures that once a browser receives the HSTS header
    Strict-Transport-Security: max-age=31536000; includeSubDomains
  the browser always initiates HTTPS
❖ Most useful in public places
  ❖ Airports, cafes, malls, railway stations etc.


HSTS Deployment
• Prominent sites that use HSTS
  – Facebook, Amazon, Twitter
  – Google ??
  – Airtel (with max-age=0)
• Sites that are yet to implement HSTS
  – Ecommerce sites: Flipkart
  – Banks e.g. SBI, ICICI Bank, HDFC
  – Academic institutes: VTU Karnataka, IISc


Inadequacies of HSTS Mechanism
• When the user visits the website for the first time, and the website responds with the HSTS header
  ❖ The MITM attacker can still manipulate the response and remove the HSTS header
  ❖ User is subject to attack on first-time access


HTTP Headers for Secure Web
• Avoiding XSS
  ❖ Use Secure; HttpOnly in Set-Cookie
  ❖ X-XSS-Protection: 1
• Avoid content-type guessing by the browser
  ❖ X-Content-Type-Options: nosniff
  ❖ Browser uses the content only when Content-Type is provided
• Use Content-Security-Policy
  ❖ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP


Content Security Policy (CSP)
• Common form of attack on websites
  – Interaction with the user where some input is taken
    • e.g. blog comments, social media sites, forms etc.
  – User input injects malicious content
    • results in website hacking, stealing of user info etc.
• CSP: An approach to prevent such attacks
  – Implemented via HTTP headers
  – Tells the browser which content can be dangerous and should be blocked, based on the origin of the content
    • e.g. scripts, CSS, images etc.


CSP Examples
• Header set Content-Security-Policy "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'"
  – Blocks content from any site other than self
• script-src 'self' https://code.jquery.com;
  – Allows content from self and one more website, and no other
• upgrade-insecure-requests
  – Browser accesses all links with HTTPS
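How a browser decides a load under the two policies above, as an added example that is not part of the slides: a minimal evaluator for the host-source subset of CSP ('self', 'none' and scheme://host entries, with the default-src fallback). The page and resource URLs are constructed; nonces, hashes, wildcards and path matching are left out.

```python
"""Decide whether a CSP allows a given resource load.

Added example, not from the workshop: evaluates only the host-source
subset of CSP used on the "CSP Examples" slide.  Scheme-less host
sources, wildcards, paths, nonces and hashes are not handled.
"""
from urllib.parse import urlsplit

# Constructed policies, the same values as the slide's Apache "Header set" lines.
STRICT_POLICY = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'"
JQUERY_POLICY = "default-src 'none'; script-src 'self' https://code.jquery.com"

# Fetch directives that fall back to default-src when absent (subset).
FETCH_DIRECTIVES = {"script-src", "img-src", "style-src", "connect-src", "font-src"}


def parse_csp(header_value):
    """'script-src a b; img-src c' -> {'script-src': ['a', 'b'], 'img-src': ['c']}."""
    policy = {}
    for directive in header_value.split(";"):
        parts = directive.split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])   # first occurrence wins
    return policy


def is_allowed(policy, directive, page_url, resource_url):
    """True if the page at page_url may load resource_url under `directive`."""
    if directive not in FETCH_DIRECTIVES:
        raise ValueError(f"unsupported directive {directive}")
    sources = policy.get(directive)
    if sources is None:                  # directive absent: fall back to default-src
        sources = policy.get("default-src")
    if sources is None:                  # neither present: CSP does not restrict it
        return True
    page, res = urlsplit(page_url), urlsplit(resource_url)
    for src in sources:
        if src == "'none'":
            return False
        if src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc):
            return True
        if src.startswith(("https://", "http://")):
            host_src = urlsplit(src)
            if (res.scheme, res.netloc) == (host_src.scheme, host_src.netloc):
                return True
    return False


if __name__ == "__main__":
    strict = parse_csp(STRICT_POLICY)
    print(is_allowed(strict, "script-src", "https://ecomm.site/", "https://ecomm.site/app.js"))
    print(is_allowed(strict, "script-src", "https://ecomm.site/", "https://evil.example/x.js"))
```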


Hands-On 4
• Implement HSTS
  – Configure a web server to support HSTS
  – When done for a site with a self-signed certificate, it is unlikely to be ignored.
  – Use browser developer tools (or wget) to verify that the HSTS header comes in the response
  – Identify websites that have implemented HSTS, e.g. amazon.com
    • Access these websites with HTTP and verify that access is made with HTTPS and not with HTTP
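A scripted version of the verification step in Hands-On 4, also covering the "HTTP Headers for Secure Web" checklist, as an added example that is not part of the workshop: it parses a raw response header block (a constructed sample here; in practice the output of `wget -S` or `curl -sI` against your own server) and reports which checks pass.

```python
"""Audit the security headers in an HTTP response.

Added example, not from the workshop.  Reports only what the server sent:
per RFC 6797 a browser honours HSTS only when the header arrives over a
TLS connection with no certificate errors, which this script cannot see.
"""
import re

# Constructed sample response; not captured from any real site.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: session=abc123; Path=/; Secure; HttpOnly
Set-Cookie: theme=dark; Path=/
X-Content-Type-Options: nosniff
Content-Type: text/html
"""

MIN_HSTS_AGE = 31536000   # one year, the max-age used on the HSTS slide


def parse_headers(raw):
    """Return (lower-cased name, value) pairs, skipping the status line."""
    pairs = []
    for line in raw.splitlines()[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs


def audit(raw):
    """Return {check name: True if it passes, False otherwise}."""
    headers = parse_headers(raw)

    def values(name):
        return [v for k, v in headers if k == name]

    hsts = values("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    age = int(m.group(1)) if m else 0
    cookies = values("set-cookie")
    return {
        "hsts_present": bool(hsts),
        "hsts_max_age_ok": age >= MIN_HSTS_AGE,   # max-age=0 switches HSTS off
        "hsts_subdomains": bool(hsts) and "includesubdomains" in hsts[0].lower(),
        "cookies_secure_httponly": all(
            "secure" in c.lower() and "httponly" in c.lower() for c in cookies),
        "nosniff": any(v.lower() == "nosniff" for v in values("x-content-type-options")),
        "csp_present": bool(values("content-security-policy")),
    }
```

On the sample the theme cookie fails the Secure/HttpOnly check and no CSP header is present, which is the kind of gap the exercise is meant to surface.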


Exploration Exercises
• Implement sslstrip and see if you can capture your team mate's credentials when s/he accesses http://flipkart.com, or any other ecommerce website.
• Implement CSP for the following types of content
  – images
  – scripts
  – stylesheets (css)
• Implement ICMP errors: ICMP Redirect, PMTU Discovery, TTL Expired, Fragmentation.
• Implement Proxy ARP and Gratuitous ARP

Summary
• HTTPS overview
• SSL certificate
• Mixed content
• MITM attack
• ARP spoofing
• MITM for browser with sslstrip
• HSTS protocol
• CSP
• Secure HTTP headers


Thank You
