Web Security


Page 1: Web Security

Page 2: Web Exploitation

Defacement: the site's appearance is changed by exploiting scripts. Defaced sites are collected at http://www.alldas.org

Information leakage (for example, financial reports that should only be accessible to certain people or departments)

Used to deceive the firewall (tunnelling out of the network)

Eavesdropping on information: URLwatch (seeing who accesses what); a privacy problem

DoS attack: requests in large numbers (in rapid succession), or blocking requests (sending the GET command slowly)

Malicious input attack: bad input to a privileged program: code corruption attacks such as buffer overflow, SQL injection and cross-site scripting

Page 3: Web Security

Threat and countermeasure:

Defacement: secure configuration of the web server and web application

Information leakage: .htaccess and HTTP Digest authentication

Deceiving the firewall (tunnelling out of the network): Suhosin

Eavesdropping: SSL/https

DoS attack: firewall and mod_security

Malicious input attack: mod_security and secure configuration

Page 4: Secure Configuration

Test with vulnerability scanner tools such as Nikto. Configure HTTP securely:

– Disable un-needed modules
– Denial of Service (DoS) protective directives
– Access control: where clients come from
– Limiting HTTP request methods
– Removing default/sample files
– Updating ownership and permissions
– Updating the apachectl script
– Enable security modules for Apache:

• Secure Socket Layer (SSL)
• Mod_Rewrite
• Mod_Log_Forensic
• Mod_Dosevasive
• Mod_Security

Page 5: htaccess in Apache

Contents of the ".htaccess" file:

    AuthUserFile /home/budi/.passme
    AuthGroupFile /dev/null
    AuthName "Khusus untuk Tamu Budi"
    AuthType Basic
    # Limit GET also covers HEAD; other methods (POST, PUT, ...) are not restricted by this block
    <Limit GET>
    require user tamu
    </Limit>

Restricts access to the user "tamu" with a password

Use the "htpasswd" command to create the password stored in ".passme"

Page 6: HTTP (Hyper Text Transfer Protocol)

Widely used to exchange text data across different platforms

Used for the WWW on port 80 to exchange HTML files

Standardized in the RFCs

The current 1.1 version offers two authentication schemes: basic and digest

HTTP messages are composed of header fields and an entity (the payload)

protocol://destination-host/resource

Page 7: Basic Access Authentication

Exchange between browser and web server:

1. Browser: GET /basic/ HTTP/1.1
2. Web server: Response 401 Unauthorized; WWW-Authenticate: Basic realm="Basic Test Zone"
3. Browser: HTTP GET request with clear username and password: Authorization: Basic dGVzdDp0ZXN0
4. Web server: Response 200 OK, followed by <data>
5. Every subsequent request repeats the same Authorization header

Password encoded in Base64; no encryption

Sent in clear for every subsequent request

Sniffing compromises the password

Page 8: Digest Access Authentication

Exchange between browser and web server over the communication channel:

1. Browser: HTTP GET /protected/test.html request
2. Web server: nonce generated; Response HTTP 401 Unauthorized
   WWW-Authenticate: Digest realm="DigestZone", nonce="3gw6ask", algorithm=MD5, domain="/protected/", qop="auth"
3. Browser: prompt user for username and password; generates cnonce, counter nc, URI and method; the MD5-hash over username, realm, password, nonce, nc, cnonce, URI and method is the response
   HTTP GET /protected/test.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test.html", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc"
4. Web server: password database lookup of MD5(username:realm:password); MD5-hash with nonce, cnonce, URI and method gives the expected response. Match?
   No: code 401 unauthorized; prompt for username and password again (back to step 3)
   Yes: code 200 OK; send document
   Response HTTP 200 OK
   Authentication-Info: rspauth="d9260eef8e7", cnonce="82c875dc", nc=0001, qop=auth
   <data>
5. Browser: show document, update nc by 1
6. Browser: HTTP GET /protected/test2.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test2.html", algorithm=MD5, response="4c5c93bc8747i", qop=auth, nc=0002, cnonce="72g4dsfs"
   Web server: Response HTTP 200 OK
   Authentication-Info: rspauth="g45sx4j65s1", cnonce="3gw6ask", nc=0002, qop=auth
   <data>
   <...>

response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]
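The computations behind the Basic exchange on page 7 and the Digest exchange on this page, as an added Python example that is not part of the slides: the Basic credential dGVzdDp0ZXN0 is decoded to show that Base64 hides nothing, and the Digest formula above is implemented for the page's own field values (username "Controler", realm "DigestZone", nonce "3gw6ask", the two nc/cnonce pairs). The password "secret", the DigestServer class, the nc replay check and the ha1_db store are assumptions made for the demonstration; the slide's response strings are not real MD5 output, so the computed hexdigests differ from them.

```python
from __future__ import annotations

import base64
import hashlib
import hmac


def decode_basic_credential(header_value: str) -> tuple[str, str]:
    """Split an 'Authorization: Basic <base64>' value into (username, password).
    Base64 is an encoding, not encryption: whoever captures the header has the password."""
    scheme, _, encoded = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(encoded).decode("utf-8").partition(":")
    return user, password


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_ha1(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password): the only value the server's password database holds."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str,
                    cnonce: str, qop: str = "auth") -> str:
    """The slide's formula: MD5[HA1:nonce:nc:cnonce:qop:MD5(method:URI)] (RFC 2617, qop=auth)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def digest_rspauth(ha1: str, uri: str, nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """Authentication-Info rspauth: same construction, but HA2 = MD5(:URI) with no method,
    so the server proves it also knows HA1 (mutual authentication)."""
    ha2 = md5_hex(f":{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestServer:
    """Assumed minimal server side of the slide's flow: issue a nonce, look up HA1,
    recompute the response, require nc to increase, answer 401 or 200."""

    def __init__(self, realm: str, ha1_db: dict[str, str]):
        self.realm = realm
        self.ha1_db = ha1_db               # username -> HA1, never the password itself
        self.nonces: dict[str, int] = {}   # nonce -> highest nc accepted so far

    def challenge(self, nonce: str) -> tuple[int, str]:
        self.nonces[nonce] = 0
        return 401, f'Digest realm="{self.realm}", nonce="{nonce}", algorithm=MD5, qop="auth"'

    def handle(self, method: str, uri: str, creds: dict[str, str]) -> tuple[int, str]:
        ha1 = self.ha1_db.get(creds.get("username", ""))
        nonce, nc = creds.get("nonce", ""), creds.get("nc", "0")
        if ha1 is None or creds.get("realm") != self.realm or creds.get("uri") != uri \
                or nonce not in self.nonces:
            return 401, ""
        # The slide uses a 4-digit nc; RFC 2617 uses 8 hex digits. int(nc, 16) handles both.
        if int(nc, 16) <= self.nonces[nonce]:      # replayed or reordered request
            return 401, ""
        expected = digest_response(ha1, method, uri, nonce, nc, creds.get("cnonce", ""))
        if not hmac.compare_digest(expected, creds.get("response", "")):
            return 401, ""
        self.nonces[nonce] = int(nc, 16)
        return 200, "rspauth=" + digest_rspauth(ha1, uri, nonce, nc, creds.get("cnonce", ""))


def slide_exchange() -> list[int]:
    """Run the slide's challenge and two requests, then replay the first request.
    Returns the status codes in order."""
    realm, user, password = "DigestZone", "Controler", "secret"   # password is constructed
    server = DigestServer(realm, {user: digest_ha1(user, realm, password)})
    status, _ = server.challenge("3gw6ask")
    codes = [status]
    ha1 = digest_ha1(user, realm, password)   # the browser recomputes HA1 from the typed password
    requests = [("/protected/test.html", "0001", "82c875dc"),
                ("/protected/test2.html", "0002", "72g4dsfs"),
                ("/protected/test.html", "0001", "82c875dc")]   # replay of the first request
    for uri, nc, cnonce in requests:
        creds = {"username": user, "realm": realm, "nonce": "3gw6ask", "uri": uri,
                 "nc": nc, "cnonce": cnonce,
                 "response": digest_response(ha1, "GET", uri, "3gw6ask", nc, cnonce)}
        status, _ = server.handle("GET", uri, creds)
        codes.append(status)
    return codes


if __name__ == "__main__":
    print(decode_basic_credential("Basic dGVzdDp0ZXN0"))   # ('test', 'test')
    print(slide_exchange())                                  # [401, 200, 200, 401]
```

The last status code is the point of the nc counter the slide increments by one: a captured Authorization header can be resent with the same nc, and a server that checks nc against the value it already accepted for that nonce refuses it, whereas with Basic the replayed header is indistinguishable from the original.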

Page 9: Suhosin

Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.

Suhosin comes in two independent parts that can be used separately or in combination:

– The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities

– The second part is a powerful PHP extension that implements all the other protections

Page 10: Firewall

A firewall is used to prevent unauthorized access to a network.

It works by protecting, whether by filtering, limiting or denying, the connections and activity between a segment of the private network and an outside network that is not within its scope.

That segment can be a workstation, server, router, or your local area network (LAN).

pc (local network) <==> firewall <==> internet (other network)

Page 11: Mod_Security

ModSecurity is a web application firewall (WAF) that detects and/or prevents attacks before they reach web applications.

ModSecurity can monitor HTTP traffic in real time in order to detect attacks.

Page 12: Secure Socket Layer (SSL)

Uses encryption to secure data transmission

Originally developed by Netscape - OpenSSL