Web Security
Transcript of Web Security
Web Exploitation
Web pages are altered (defaced) by exploiting scripts. Defaced sites are collected at http://www.alldas.org
Information leakage (e.g. financial reports that should be accessible only to certain people or departments)
Used to fool the firewall (tunnelling out of the network)
Eavesdropping on information
URLwatch: seeing who accesses what. A privacy problem
DoS attack
Requests in large numbers (in rapid succession), requests that block (slowly sending the GET command)
Malicious Input Attack
Bad input to a privileged program: code corruption attacks – buffer overflow, SQL injection, Cross Site Scripting
Web Security
Threat: countermeasure
Web page defaced: secure configuration of the web server and web application
Information leakage: .htaccess and HTTP Digest authentication
Fooling the firewall (tunnelling out of the network): Suhosin
Eavesdropping on information: SSL/https
DoS attack: firewall and mod_security
Malicious Input Attack: mod_security and secure configuration
Secure Configuration
Test with vulnerability scanners such as Nikto. Configure HTTP securely:
– Disable Un-Needed Modules
– Denial of Service (DoS) Protective Directives
– Access Control: Where Clients Come From
– Limiting HTTP Request Methods
– Removing Default/Sample Files
– Updating Ownership and Permissions
– Updating the Apachectl Script
– Enable Security Modules for Apache
  • Secure Socket Layer (SSL)
  • Mod_Rewrite
  • Mod_Log_Forensic
  • Mod_Dosevasive
  • Mod_Security
.htaccess in Apache
Contents of the “.htaccess” file:
AuthUserFile /home/budi/.passme
AuthGroupFile /dev/null
AuthName "Khusus untuk Tamu Budi"
AuthType Basic
<Limit GET>
require user tamu
</Limit>
Restricts access to the user “tamu” with a password
Use the “htpasswd” command to create the password that is stored in “.passme”
HTTP: Hyper Text Transfer Protocol
Widely used to exchange text data across different platforms
Used for the WWW on port 80 to exchange HTML files
Standardized in the RFCs
The current 1.1 version offers two authentication schemes: basic and digest
HTTP messages are composed of header fields and an entity (the payload)
Protocol://destination-host/resource
Basic Access Authentication
Exchange between browser and web server:
1. Browser: GET /basic/ HTTP/1.1
2. Web server: Response 401 Unauthorized; WWW-Authenticate: Basic realm="Basic Test Zone"
3. Browser: HTTP GET request with clear username and password; Authorization: Basic dGVzdDp0ZXN0
4. Web server: Response 200 OK; <data>
Password encoded in Base64; no encryption
Sent in clear with every subsequent request
Sniffing compromises the password
Digest Access Authentication
Exchange between browser and web server over the communication channel:
1. Browser: HTTP GET /protected/test.html request
2. Web server: nonce generated. Response HTTP 401 Unauthorized
   WWW-Authenticate: Digest realm="DigestZone", nonce="3gw6ask", algorithm=MD5, domain="/protected/", qop="auth"
   <data>
3. Browser: prompts the user for username and password; generates cnonce, the counter nc, the URI and the method; computes the MD5 hash (response) from username, realm, password, nonce, nc, cnonce, URI and method
   HTTP GET /protected/test.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test.html", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc"
4. Web server: password database lookup; MD5(username:realm:password); computes its own MD5 hash and compares it with the received response. Match?
   No: 401 Unauthorized; back to step 3, the browser prompts for username and password again
   Yes: 200 OK; send the document
   Response HTTP 200 OK
   Authentication-Info: rspauth="d9260eef8e7", cnonce="82c875dc", nc=0001, qop=auth
   <data>
5. Browser: shows the document, updates nc by 1
6. Browser: HTTP GET /protected/test2.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test2.html", algorithm=MD5, response="4c5c93bc8747i", qop=auth, nc=0002, cnonce="72g4dsfs"
   Web server: Response HTTP 200 OK
   Authentication-Info: rspauth="g45sx4j65s1", cnonce="3gw6ask", nc=0002, qop=auth
   <data>
   <...>
response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]
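As an added example (not from the original slides), the response and rspauth calculation from the formula above, together with a server-side check that recomputes the response from the stored MD5(username:realm:password) and rejects replayed nc values. The Authorization value, realm and password are taken from the worked example in RFC 2617 section 3.5, not from these slides; the function names and the seen_nc replay table are assumptions of this example.

```python
import hashlib
import hmac
import re

def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def ha1(username, realm, password):
    # What the server stores in its password database: MD5(username:realm:password).
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    # The slide's formula for algorithm=MD5, qop=auth (client side).
    h2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")

def rspauth(h1, uri, nonce, nc, cnonce, qop="auth"):
    # Server's Authentication-Info value: same formula with an empty method,
    # so the client can check that the server also knows the password.
    h2 = md5hex(f":{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")

def parse_digest_header(value):
    # 'Digest k="v", k=v, ...'  ->  {k: v}
    fields = {}
    for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', value.split(" ", 1)[1]):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields

def server_verify(auth_value, method, ha1_db, seen_nc):
    # Recompute the response from the stored HA1 (the clear password is never needed);
    # reject unknown users, wrong passwords and replays (nc must increase per nonce).
    f = parse_digest_header(auth_value)
    h1 = ha1_db.get((f.get("username"), f.get("realm")))
    if h1 is None or f.get("qop") != "auth":
        return False
    nc_val = int(f["nc"], 16)
    if nc_val <= seen_nc.get(f["nonce"], 0):
        return False
    expected = digest_response(h1, method, f["uri"], f["nonce"], f["nc"], f["cnonce"])
    if not hmac.compare_digest(expected, f["response"]):
        return False
    seen_nc[f["nonce"]] = nc_val
    return True

# Constructed Authorization value, taken from the worked example in RFC 2617 section 3.5.
RFC_AUTH = ('Digest username="Mufasa", realm="testrealm@host.com", '
            'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
            'qop=auth, nc=00000001, cnonce="0a4f113b", '
            'response="6629fae49393a05397450978507c4ef1"')
RFC_DB = {("Mufasa", "testrealm@host.com"): ha1("Mufasa", "testrealm@host.com", "Circle Of Life")}
```

Calling server_verify(RFC_AUTH, "GET", RFC_DB, state) twice with the same state dict returns True and then False, which is the nc-based replay protection the slide's "update nc by 1" step relies on.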
Suhosin
Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core
Suhosin comes in two independent parts, which can be used separately or in combination.
– The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities
– The second part is a powerful PHP extension that implements all the other protections
Firewall
A firewall is used to prevent unauthorized access to a network.
It works by protecting, whether by filtering, limiting, or rejecting, the connections/activity of a segment of the private network with an outside network that is not within its scope.
That segment can be a workstation, a server, a router, or your local area network (LAN)
pc (local network) <==> firewall <==> internet (other network)
Mod_Security
ModSecurity is a web application firewall (WAF) that detects and/or prevents attacks before they reach web applications.
ModSecurity can monitor HTTP traffic in real time in order to detect attacks.
Secure Socket Layer (SSL)
Uses encryption to secure data transmission
Originally developed by Netscape - OpenSSL