Internet infrastructure

Internet infrastructure Prof. dr. ir. André Mariën

(c) A. Mariën -

Web servers
• HTTP protocol
• Request/reply operation
• MIME-like format for both
  – Requests
  – Replies
• Data model initially:
  – File system like: /.../.../.../x.y
  – Content: text/plain, text/html, text/gif

Importance of HTML, initially
• Mark-up language
  – Declarative GUI production
• Supports hyperlinks
  – Hide addressing
• Multi-media:
  – Formatted text
  – Images
  – Forms

URI
• “://”
• Address: [user@]host[:port]
• Request examples
  – path?querystring
• HTTP URL
  – "http:" "//" host [ ":" port ] [ abs_path ]
• Others
  – LDAP, IMAP, FTP, NEWS, MAILTO

HTML essentials
• Markup
  – ...
  – ...
• Anchors
  – text/image
• Embedded content, example: images
  – ...

HTML drawbacks
• HTML is based on SGML
• Lots of freedom and defaults: difficult to parse
• Liberal parsing and interpretation in the browsers
  – Barely any structure validation
  – Proper nesting
• Browser incompatibilities

XML
• Drops some complexity of HTML
• Must have end tag
• Structure validation
• Empty elements better defined
  – ...
• Replaces ASN.1 as structure description

CSS and XSLT
• HTML
  – became more and more complex
  – Introduced more and more formatting
  – No longer only what, but also how
• Cascading Style Sheets:
  – Separates layout from structure, again
• XSLT:
  – Powerful rewriting tool for XML

Web clients
• A.k.a. browsers
• Multi-protocol client
  – HTTP, FTP, LDAP, ...
  – Successor of Gopher clients
• Multi-media
  – Text
  – Image

Extensions: client side
• Javascript
  – Scripting language
    • To animate content
    • To check forms
    • To create content dynamically
• Java
  – Active regions
  – Much more control

Extensions: client side: ActiveX
• Programs with full access
• Trust based on signing
• Trust is unlimited: yes or no
• Integrates very well in the MS client platforms

Extensions: client side
• Plug-ins
  – Many examples
  – PDF plug-in
  – Flash (Shockwave)
• Helper applications
  – Separate applications
  – Launched, after confirmation, to handle specific content

Extensions: server side
• Dynamic content: early systems
  – CGI: common gateway interface
    • Launch external program for content generation
  – SSI: server side includes
    • http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
    • http://www.apacheweek.com/features/ssi

CGI operation
• Coupling: start separate process
  – Loose coupling
  – Independence of language, run-time, ...
• API
  – Parameter passing via process environment
  – Caller sets relevant variables
• Main drawback
  – Process started per request
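The CGI interface described on this slide, as an added example that is not part of the original lecture: the server sets the request up in the environment of a fresh process (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, CONTENT_TYPE) and delivers a POST body on standard input; the environments and bodies below are constructed.

```python
# CGI as described on the slide: the web server starts a fresh process per
# request and passes the request through environment variables the caller
# sets (REQUEST_METHOD, QUERY_STRING, CONTENT_LENGTH, CONTENT_TYPE, ...);
# a POST body arrives on standard input. Added example, not from the slides;
# the environments passed in below are constructed.
from urllib.parse import parse_qs

FORM = "application/x-www-form-urlencoded"

def handle_cgi(environ: dict, stdin: bytes = b"") -> tuple:
    """A CGI program's view of one request: returns (status, body)."""
    method = environ.get("REQUEST_METHOD", "GET")
    if method == "GET":
        params = parse_qs(environ.get("QUERY_STRING", ""))
    elif method == "POST":
        try:
            length = int(environ.get("CONTENT_LENGTH", "0"))
        except ValueError:
            return ("400 Bad Request", "bad Content-Length")
        if environ.get("CONTENT_TYPE", "").split(";")[0] != FORM:
            return ("415 Unsupported Media Type", "")
        # Read exactly CONTENT_LENGTH bytes: the caller defines the body;
        # the process must not wait for end-of-stream or read past it.
        params = parse_qs(stdin[:length].decode("utf-8", errors="replace"))
    else:
        return ("405 Method Not Allowed", "")
    # parse_qs returns lists; take the first value and bound its length,
    # since everything in the environment is untrusted client input.
    name = params.get("name", ["world"])[0][:40]
    return ("200 OK", f"Hello {name}!")

def render(status: str, body: str) -> str:
    """What the CGI process writes to stdout; the server turns the Status:
    and Content-Type: lines into the HTTP response headers."""
    return f"Status: {status}\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n{body}"

if __name__ == "__main__":
    env = {"REQUEST_METHOD": "GET", "QUERY_STRING": "name=Ann"}
    print(render(*handle_cgi(env)))
```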

SSI
• Main commands:
  – Include
    • virtual/file
  – Echo
    • document_name, date_local, ...
    • CGI variables
  – Exec
    • cmd/cgi

SSI: grandfather of others
• JSP: Java Server Pages
• ASP: Active Server Pages
• PHP: hypertext preprocessor
  – www.php.net
• ColdFusion
• ...

ASP: www.asptutorial.inf
• ...: insert current date
• Script within HTML: Link of the Day

ASP example script
(script body not recovered; the visible output strings are "The hour is midnight.", "noon.", "... o'clock AM." and "... o'clock PM.", selected by comparing hour(now))

ASP & SSI combined


ASP Session management ... Hi !


ASP: shared application data Page views:


ASP: request & response
• Request object
  – Request.cookies("key");
• Response object
  – Response.cookies("otherkey");

Dynamic content styles
• HTML + mark-up
  – Preprocessor
  – Mark-up: special delimiters for processing
  – Code inside HTML
  – ASP, PHP, ColdFusion
• Language embedding
  – Program “scripts” containing HTML mark-up
  – Perl scripts, servlets

Preprocessing
[Diagram: the web server hands HTML + mark-up to the preprocessor, which processes it using files/database and produces HTML]

Language embedding
[Diagram: the web server hands the script to the script interpreter, which processes it using files/database and produces HTML]

Dynamic content: problems
• Separation of duties
  – Web designers
  – Web developers
• Preprocessing
  – Web designers write code
• Language embedding
  – Developers design pages

JSP
• http://java.sun.com/products/jsp/
• Strongly related to servlet technology
• Servlets:
  – Java technology to handle web requests
  – Implemented with servlet runners

Servlet runners
[Diagram: client connections → HTTP listener → persistent connections → servlet runner → to back-end]

Servlets
• Standard Java interface
  – Servlet
  – HTTPServlet
• Provides Request and Response objects
• HTTPServlet: methods
  – doGet
  – doPost
  – doPut

Servlets: sessions & applications
• HTTPSession object
• ServletContext: application context

JSP
• Looks like a preprocessing page
  – HTML with embedded tags
• Executes as a servlet
  – Language embedding flavor
• Translation is automatic
• No interpretation during execution

JSP tags
• See the JSP tag syntax pages:
  – http://java.sun.com/products/jsp/pdf/card11.pdf

JSP: some tags
• Declaration:
  – ...
• Expression:
  – ...
• Directive:
  – ...

JSP: insert date
(page source not recovered; output: "Hello! The time is now ...")

JSP: more complex example
(page source not recovered; output: "Hello! The time is now ...")

JSP directives


Defining methods
(page source not recovered; output: "Hello! The time is now ...")

Important concept: useBean
• Beans: objects with simple interface
• JSP writers: GUI designers
  – Should not write code
  – Should use beans
  – Should include bean properties
• Beans: written by developers

JSP: beans
• Beans:
  – ...
  – ...
  – ...

HTTP basics
• Request:
  – GET /x/y/h.html HTTP/1.0
• Reply
  – HTTP/1.0 200 OK
  – Message
    • Headers: content-type: text/html
    • Body: ...

Essential protocol features
• Basic authentication
  – 401: authorization required
  – Authorization header
• Redirects
  – Initially to allow content migration
  – Now: link control measures
• POST besides GET
  – Full MIME-style content inside requests

HTTP
• HTTP/1.1: RFC 2068
• Protocol version
  – HTTP/x.y
  – currently: 0.9, 1.0, 1.1

Request syntax
  Request-Line
  *( general-header | request-header | entity-header )
  CRLF
  [ message-body ]

Request Line
  Method Request-URI HTTP-Version CRLF
• Method:
  – GET, HEAD, POST
  – PUT, DELETE, TRACE
  – OPTIONS

Request Header
• Accept, Accept-Charset, Accept-Encoding, Accept-Language
• Authorization, Proxy-Authorization, Host
• If-Modified-Since
• Referer, User-Agent

Response
  Status-Line
  *( general-header | response-header | entity-header )
  CRLF
  [ message-body ]

Status code
• 1xx: Informational - Request received, continuing process
• 2xx: Success - The action was successfully received, understood, and accepted
• 3xx: Redirection - Further action must be taken in order to complete the request
• 4xx: Client Error - The request contains bad syntax or cannot be fulfilled
• 5xx: Server Error - The server failed to fulfill an apparently valid request
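The message grammar of the previous slides (start line, headers, CRLF, body) and the status-code classes above, as an added example not taken from the lecture: a small parser that splits a raw message, keeps only Content-Length bytes of body, and maps a Status-Line to its class. The sample request and response bytes are constructed.

```python
# Parser for the HTTP/1.x message shapes on the slides: Request-Line or
# Status-Line, zero or more headers, CRLF, optional message body. Added
# example, not from the slides; the sample messages are constructed.
from dataclasses import dataclass, field

STATUS_CLASSES = {1: "Informational", 2: "Success", 3: "Redirection",
                  4: "Client Error", 5: "Server Error"}

@dataclass
class Message:
    start_line: str
    headers: dict = field(default_factory=dict)  # names lower-cased
    body: bytes = b""

def parse_message(raw: bytes) -> Message:
    """Split a raw message at the first CRLF CRLF into head and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no CRLF CRLF between headers and body")
    lines = head.split(b"\r\n")
    msg = Message(lines[0].decode("ascii"))
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive; values may carry latin-1 bytes.
        msg.headers[name.decode("ascii").strip().lower()] = value.decode("latin-1").strip()
    # Only Content-Length bytes belong to this message; on a persistent
    # connection anything after them is the start of the next message.
    length = int(msg.headers.get("content-length", "0"))
    msg.body = body[:length]
    return msg

def parse_request_line(line: str) -> tuple:
    """Request-Line = Method SP Request-URI SP HTTP-Version."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad Request-Line: {line!r}")
    return tuple(parts)

def status_class(line: str) -> tuple:
    """Status-Line = HTTP-Version SP Status-Code SP Reason-Phrase; return
    (code, class name) where the class is the first digit, 1xx..5xx."""
    _version, code, _reason = line.split(" ", 2)
    code = int(code)
    return code, STATUS_CLASSES[code // 100]

REQUEST = b"GET /x/y/h.html HTTP/1.0\r\nHost: www.example\r\nUser-Agent: demo\r\n\r\n"
RESPONSE = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: 9\r\n\r\n"
            b"<p>hi</p>GET /next")  # constructed: 9 body bytes, then pipelined data
```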

Status Code 1xx
• "100" ; Continue
• "101" ; Switching Protocols

Status Code 2xx
• "200" ; OK
• "201" ; Created
• "202" ; Accepted
• "203" ; Non-Authoritative Information
• "204" ; No Content
• "205" ; Reset Content
• "206" ; Partial Content

Status Code 3xx
• "300" ; Multiple Choices
• "301" ; Moved Permanently
• "302" ; Moved Temporarily
• "303" ; See Other
• "304" ; Not Modified
• "305" ; Use Proxy

Status Code 4xx
• "400" ; Bad Request
• "401" ; Unauthorized
• "402" ; Payment Required
• "403" ; Forbidden
• "404" ; Not Found
• "405" ; Method Not Allowed
• "406" ; Not Acceptable
• "407" ; Proxy Authentication Required

Status Code 4xx (Cont.)
• "408" ; Request Time-out
• "409" ; Conflict
• "410" ; Gone
• "411" ; Length Required
• "412" ; Precondition Failed
• "413" ; Request Entity Too Large
• "414" ; Request-URI Too Large
• "415" ; Unsupported Media Type

Status Code 5xx
• "500" ; Internal Server Error
• "501" ; Not Implemented
• "502" ; Bad Gateway
• "503" ; Service Unavailable
• "504" ; Gateway Time-out
• "505" ; HTTP Version not supported

Headers
• General headers:
  – Connection, proxying, cache
• Response headers:
  – Authentication, redirection, caching
• Entity headers:
  – Content related

General Headers
• Cache-Control
• Date
• Pragma
• Transfer-Encoding
• Via

Response Header
• Location
• Proxy-Authenticate
• Server
• WWW-Authenticate

Entity Header
• Content-Base, Content-Encoding, Content-Language, Content-Length, Content-Location, Content-Type
• ETag
• Expires, Last-Modified

Authentication: Generic
• client -> request
• server reply: 401 unauthorized
  – Plus server header: how-to
  – WWW-Authenticate: ... [, ...]
• client -> request
  – Repeats request but adds authorization information
  – Authorization: ...

Basic Authentication: Scheme
• Server reply:
  – 401 unauthorized
  – WWW-Authenticate: Basic realm="WallyWorld"
• Client request
  – Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==

Basic Authentication
• base64(UID:password):
  – "QWxhZGRpbjpvcGVuIHNlc2FtZQ=="
• Note
  – Base64 is encoding, not encryption
• Digest authentication: see RFC 2069
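The Basic scheme of the last three slides end to end, as an added example that is not part of the lecture: parsing the WWW-Authenticate challenge, building and decoding the Authorization header, and a server-side check. The token on the slide is the RFC 2617 sample and decodes to Aladdin:open sesame; the user table in the test is constructed.

```python
# HTTP Basic authentication as on the slides: the server answers 401 with
# WWW-Authenticate: Basic realm="...", the client repeats the request with
# Authorization: Basic base64(UID:password). Added example, not from the
# slides; the Aladdin / "open sesame" pair is the well-known RFC 2617 sample.
import base64
import hmac
import re

CHALLENGE_RE = re.compile(r'^Basic\s+realm="([^"]*)"$')

def parse_challenge(header: str) -> str:
    """Return the realm named in a WWW-Authenticate: Basic challenge."""
    m = CHALLENGE_RE.match(header.strip())
    if not m:
        raise ValueError("not a Basic challenge")
    return m.group(1)

def make_authorization(user: str, password: str) -> str:
    """Client side. The user-id may not contain ':'; the password may."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    # base64 is an encoding, not encryption: whoever sees the header
    # (proxies, logs, a non-TLS network) sees the password.
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def decode_authorization(header: str) -> tuple:
    """Server side: recover (user, password) from the Authorization header."""
    scheme, _, token = header.strip().partition(" ")
    if scheme != "Basic":
        raise ValueError("unsupported scheme")
    creds = base64.b64decode(token, validate=True).decode("utf-8")
    user, sep, password = creds.partition(":")  # split at the FIRST colon
    if not sep:
        raise ValueError("credentials lack ':' separator")
    return user, password

def check(header: str, users: dict) -> bool:
    """Accept or reject a request. `users` is a constructed user->password
    table for the demo; a real server stores password hashes, never plaintext."""
    try:
        user, password = decode_authorization(header)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = users.get(user)
    if expected is None:
        return False
    # Constant-time comparison so a wrong guess cannot be told apart by timing.
    return hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
```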

End-to-end and Hop-by-hop Headers
• End-to-end headers: transmitted to the ultimate recipient
• Hop-by-hop headers: meaningful only for a single transport-level connection

HTTP/1.1 hop-by-hop Headers
• Connection
• Keep-Alive
• Public
• Proxy-Authenticate
• Transfer-Encoding
All other headers: end-to-end
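What a proxy does with this list before forwarding, as an added example not taken from the lecture: the hop-by-hop headers above (plus any the sender names in Connection) are dropped, end-to-end headers pass unchanged, and a Via entry is appended. The incoming header set is constructed.

```python
# Hop-by-hop handling a proxy performs before forwarding, following the list
# on the slide: Connection, Keep-Alive, Public, Proxy-Authenticate and
# Transfer-Encoding describe one transport connection and must not be passed
# on; everything else is end-to-end. Added example, not from the slides; the
# incoming headers below are constructed.
HOP_BY_HOP = {"connection", "keep-alive", "public", "proxy-authenticate",
              "transfer-encoding"}

def forward_headers(headers: dict, via_token: str) -> dict:
    """Return the header set a proxy sends to the next hop.

    Names compare case-insensitively. Besides the fixed list, HTTP/1.1 lets
    the sender name further connection-specific headers in the Connection
    header itself; those are dropped for this hop too. Because
    Transfer-Encoding is removed, the proxy must frame the body it forwards
    itself (Content-Length or its own chunking) rather than relay the
    client's framing unparsed.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    declared = {t.strip().lower() for t in lowered.get("connection", "").split(",")
                if t.strip()}
    drop = HOP_BY_HOP | declared
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    # The Via general header records every proxy the message has crossed.
    via_key = next((k for k in out if k.lower() == "via"), "Via")
    out[via_key] = f"{out[via_key]}, {via_token}" if via_key in out else via_token
    return out

INCOMING = {  # constructed request headers as received from a client
    "Host": "app.example",
    "Connection": "keep-alive, X-Debug-Token",
    "Keep-Alive": "timeout=5",
    "X-Debug-Token": "trace-me",
    "Transfer-Encoding": "chunked",
    "Authorization": "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==",
    "User-Agent": "demo",
}
```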

Proxies
• Incoming (reverse) proxies
• Outgoing proxies
  – Secure hop
  – Authorization enforcement
• Caching proxy

Proxies
[Diagram: clients → outgoing proxy → internet → reverse proxy → web server]

Outgoing proxy
• Proxy protocol
  – Request contains URL
  – GET http://server/... HTTP/1.0
• Proxy authentication
  – Browser control

Reverse proxy
• Normal HTTP protocol
• No specific authentication
• Fits in security zone concept
  – Network zone containing proxy
  – Service zone containing web server
  – Application zone containing application server

WEB APPLICATION FIREWALLS


What is a WAF?
• OWASP:
  – “a security solution on the web application level which - from a technical point of view - does not depend on the application itself”
  – Broad: covers many technological solutions
    • Separate “hardware” boxes (appliances)
    • Reverse proxy filters
    • …
• WASC
  – "An intermediary device, sitting between a web-client and a web server, analyzing OSI Layer-7 messages for violations in the programmed security policy. A web application firewall is used as a security device protecting the web server from attack."

References
• https://www.owasp.org/index.php/Category:OWASP_Best_Practices:_Use_of_Web_Application_Firewalls
• http://www.modsecurity.org/
  – Apache Security by Ivan Ristic, O'Reilly Media, Inc. ISBN 0596007248
  – Preventing Web Attacks with Apache by Ryan Barnett, Addison-Wesley Professional. ISBN 0321321286

Fundamental issue
• The web was not designed for applications as complex as those that are currently state of the art.
• Core protocol: HTTP
  – HTTP is not stateful
    • Sessions or stateful applications must be defined separately and implemented securely.
• The high degree of complexity of the web scripts, frameworks and web technologies frequently used leads to vulnerabilities

Features

Problem | Countermeasure
Cookie protection | Cookies can be signed, encrypted, completely hidden or replaced; cookies can be linked to the client IP
Information leakage | Cloaking filter: outgoing pages can be cleaned (error messages, comments, undesirable information)
Session riding (CSRF) | URL encryption / token
Session timeout | Timeout for active and inactive (idle) sessions can be specified
Parameter tampering | Parameter URL encryption (GET), parameter encryption (GET and POST); site usage enforcement: sequence of URLs can be fixed or can be detected
Data validation (relating to field/content/context/application) | Length, constant value/range of values, whitelist and/or blacklist, canonicalisation of the data
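Two rows of the table worked out in code, as an added example that is neither from the lecture nor from any WAF product: cookie protection by signing (a changed cookie is detected) and data validation on canonicalised input against a per-parameter length limit and whitelist pattern. The key and the rule table are constructed.

```python
# Two countermeasures from the feature table, as an added example (not from
# the slides or any WAF product): signing a cookie so a client-side change is
# detected, and validating a parameter on canonicalised data against a
# per-field length limit and whitelist pattern.
import hashlib
import hmac
import re
import unicodedata
from typing import Optional
from urllib.parse import unquote

SECRET = b"constructed-demo-key"  # a deployment keeps the key outside the code

def sign_cookie(value: str, key: bytes = SECRET) -> str:
    """Append an HMAC-SHA256 tag; the WAF strips it again on the way in."""
    tag = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{value}.{tag}"

def verify_cookie(signed: str, key: bytes = SECRET) -> Optional[str]:
    """Return the original value, or None when the tag does not match."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return value if hmac.compare_digest(expected, tag) else None

def canonicalise(raw: str) -> str:
    """Reduce a parameter to one canonical form before any rule is applied,
    so the same characters cannot slip past a rule under another encoding:
    bounded repeated URL-decoding (%2531 -> %31 -> 1) plus Unicode NFKC."""
    value = raw
    for _ in range(3):  # stop at a fixed point or after a few rounds
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return unicodedata.normalize("NFKC", value)

RULES = {  # constructed per-parameter rules: (max length, allowed pattern)
    "id": (10, re.compile(r"[0-9]+")),
    "lang": (2, re.compile(r"en|fr|nl")),
}

def validate_param(name: str, raw: str) -> bool:
    """Whitelist check: unknown parameters and non-matching values are rejected."""
    if name not in RULES:
        return False
    max_len, pattern = RULES[name]
    value = canonicalise(raw)
    return len(value) <= max_len and pattern.fullmatch(value) is not None
```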

Concerns
• Yet-another-proxy argument:
  – Increased complexity of the IT infrastructure
• Keeping the WAF configured
  – Training the WAF
  – Following releases of
    • the web application
    • the frameworks
  – Testing
• False positives
  – In-stream, so can block business
• More complex troubleshooting
• Cost-effectiveness
  – Just do it in the applications?