Experiential Learning Workshop on
Basics of Web Security
June 29, 2018
RPR/DrAIT/Basics of Web Security
Dr. Ram P Rustagi Professor, CSE Dept
KSIT, Bangalore [email protected]
Resources
• https://rprustagi.com/ELNT/Experiential-Learning.html
  – Articles in ACCS Journal https://acc.digital
• www.github.com/rprustagi
  – Source code and examples for articles
• https://www.rprustagi.com/ieee/drait
  – Slides for this talk
  – Example web pages
  – Example programs
• Computer Networks: A Top Down Approach - Kurose, Ross
Day 1: Basics of Networking
• Overview
• Introduction to basic networking tools
• Hands-on 1: Using networking tools
• TCP/IP stack 4-layer model
• Analysis of layers in IP, TCP/UDP and HTTP
• Hands-on 2: Layers in ping, nc, http
• IP addressing, subnetting and routing
• Hierarchical addressing
• Hands-on 3: Subnet mismatch and reachability
• Supernetting, longest prefix match
• Hands-on 4: Overlapping subnets, longest match
• Summary
Day 2: Basics of Socket Programming
• Overview: sockets
• Simple client server programs
• Hands-on 1: Writing TCP and UDP server
• Errors in socket programming
• Network byte order, buffer management, socket close
• Hands-on 2: Network byte order, socket close
• Multiple concurrent client communication
• Socket call return value and reliability
• Hands-on 3: Handling concurrent clients, listen
• TCP streaming and UDP message boundary
• Hands-on 4: TCP streaming & UDP message boundary
• Summary
Day 3: Basics of Web Security
• Overview: HTTPS protocol
• Server certificate and server authentication
• Mixed content and browser warnings
• Lock icons and HTTP status
• Hands-on 1: HTTPS website with mixed content
• MITM attack and ARP spoofing
• MITM with browser and information stealing
• Understanding HSTS, CSP
• Hands-on 2: Implementing ARP spoofing
• Summary
HTTPS Protocol
• Secure web communication requirements
  – Authentication
  – Confidentiality
  – Data integrity
• Authentication
  – Client authentication by the server, by many means
    • credentials, biometric, OTP (SMS), …
    • Certificate based (not prevalent)
  – Server authentication by the client
    • Clients are not tech savvy
    • The browser should do it automatically and seamlessly
HTTPS Protocol…
• Web communication security: Confidentiality
  – Communication free from snooping
  – Responsibility assumed to lie with the web application
  – Client takes it for granted
• Web communication security: Integrity
  – Communication safe from alteration
  – Responsibility lies with the web application
• Security of web communication
  – Has to be intrinsic to the browser and the web application
  – Practically impossible to educate all end users
HTTPS Authentication
• Server provides a website certificate, having
  – Website name, e.g. mywww.com
  – Certificate validity period (typically 1 year)
  – Public key of certificate issuing authority
• Authentication mechanism
  – Browser checks all 3 pieces of information
  – Any violation flags a warning
    • User has to click through to proceed
• Examples:
  – https://172.217.166.100    # google
  – https://myweb.com          # google IP in /etc/hosts
  – https://mywww.com          # self signed certificate
HTTPS Communication
• Data confidentiality:
  – Using the SSL protocol, the browser sets up a common encryption key with the web server
  – This encryption key is used to encrypt/decrypt data exchanged between browser and web server
• Certificate authorities
  – The browser is configured with a large number of certificate authorities
  – It accepts certificates only from these, e.g.
    • Amazon, Entrust, Geotrust, GoDaddy, Thawte, Verisign
HTTPS Communication
• SSL protocol supports client certificates
  – Rarely seen in practice
  – When used, may not require a credentials based mechanism
• Wireshark supports session decryption
  – provided the session key is known, or
  – the private key of the certificate authority is known
    • possible for self signed certificates
SSL Certificates
• General Process
  – Create a private and public key for the owned website
  – Generate a Certificate Signing Request (CSR)
  – Send the CSR to a certificate issuing authority (CA)
  – Pay the money for the certificate
  – CA verifies the request, website ownership details etc.
  – CA issues the certificate
  – Install the certificate on the web server
SSL Certificates
• Certificate types
  – DV (Domain Validation) - the basic type
    • Webserver authentication and encryption only
  – OV (Organization Validation) certificate
    • Verifies the actual business that is requesting
    • Organization name is listed in the certificate
  – Extended Validation (EV)
    • Provides a green address bar in the browser
    • Requires a stronger authentication process to confirm the identity of the business
Mixed Content Web Page
• Mixed content web page
  – A web page accessed over HTTPS that has embedded objects fetched over plain HTTP (not HTTPS)
  – The object fetched with HTTP is subject to tampering
    • An attacker can hijack the request and serve different content
  – Browser warns in terms of lock icon status
• Mixed content types
  – Pure content: no mixed content
  – Mixed passive content: images
  – Mixed active content: scripts
Mixed Content Webpage
[Screenshots of the browser lock icon for the three cases:]
• Secure, No Mixed Content
• Potentially Unsecure, Passive Content is not blocked
• Potentially Unsecure, Active Content is not blocked
Passive Mixed Content
url: https://rprustagi.com/accs/mixed.html

<body>
  <h2>Img01 with inherited security</h2>
  <h2>Img02 with insecure access.</h2>
  <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
  <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>
Active Mixed Content
url: https://rprustagi.com/accs/mixed-active.html

<body>
  <script src="http://rprustagi.com/js/mywww.js"></script>
  <h1>Mixed Content Demonstration</h1>
  <button type="button" onclick="hello()">insecure access</button>
  <h2>Image 02 with insecure security access.</h2>
  <img src="//rprustagi.com/img/img-02.jpg" alt="Img 01">
</body>
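The lock-icon rule on the previous slides (any http:// subresource on an HTTPS page is mixed content; scripts are active, images passive) can be checked before deployment. The following is an added example, not code from the slides or from rprustagi.com: it scans the HTML of a page for subresources, resolves protocol-relative `//host` references the way a browser does, and classifies what it finds. The sample HTML is constructed after the mixed-active.html page above.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose resource can run or restyle the page: active mixed content.
ACTIVE_TAGS = {"script": "src", "iframe": "src", "link": "href"}
# Tags whose resource is only rendered: passive mixed content.
PASSIVE_TAGS = {"img": "src", "audio": "src", "video": "src"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, resolved_url, "active" | "passive")

    def handle_starttag(self, tag, attrs):
        attr_name = ACTIVE_TAGS.get(tag) or PASSIVE_TAGS.get(tag)
        ref = dict(attrs).get(attr_name) if attr_name else None
        if not ref:
            return
        # A protocol-relative "//host/path" inherits the page's scheme, so on an
        # HTTPS page urljoin() resolves it to https and it is not flagged.
        resolved = urljoin(self.page_url, ref)
        if urlsplit(resolved).scheme == "http":
            kind = "active" if tag in ACTIVE_TAGS else "passive"
            self.findings.append((tag, resolved, kind))


def scan_mixed_content(page_url, html):
    """Return [(tag, url, kind)] for every http:// subresource of an HTTPS page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.findings


def lock_status(findings):
    """Mirror the lock-icon ranking from the slides: active beats passive."""
    kinds = {kind for _, _, kind in findings}
    if "active" in kinds:
        return "active"
    return "passive" if "passive" in kinds else "none"


# Constructed sample modelled on the mixed-active.html page above.
SAMPLE_URL = "https://rprustagi.com/accs/mixed-active.html"
SAMPLE_HTML = """<body>
  <script src="http://rprustagi.com/js/mywww.js"></script>
  <img src="//rprustagi.com/img/img-01.jpg" alt="Img 01">
  <img src="http://rprustagi.com/img/img-02.jpg" alt="Img 02">
</body>"""

if __name__ == "__main__":
    found = scan_mixed_content(SAMPLE_URL, SAMPLE_HTML)
    for tag, url, kind in found:
        print(f"{kind:7s} <{tag}> {url}")
    print("lock icon status:", lock_status(found))
```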
Insecure Password Field in Form
• Quite often, web developers use the form tag <input type="password" …> in the form.
• When this form is accessed with HTTP, it becomes insecure access.
• Browsers are by default configured to throw a warning when a password field is submitted over HTTP.
HTTPS and Proxy Setup
• HTTPS deployment challenges with a proxy and a network that requires authentication
  ❖ The network site hijacks the URL
    ❖ e.g. public hotspots, colleges
  ❖ Redirects to an authentication URL
  ❖ On successful authentication, the user is permitted access
  ❖ This setup does not work with HTTPS
    ❖ On hijack of HTTPS traffic, the browser throws a warning
Setup Requirement
[Network diagram: hosts S1 and S2 connected to a switch]
Hands-On 1
• Create two web pages
  – one with mixed passive content
  – other with mixed active content
• Deploy these web pages on your web server deployed with an SSL certificate (self signed)
• Import the certificate into browser storage
• Access (Firefox) these URLs with HTTP
• Access (Firefox) these URLs with HTTPS
  – Analyze the difference
• Create a simple web form with a password field
• Access the web form using HTTP i.e. no HTTPS
What is MITM Attack
• An attack where the attacker secretly captures, and possibly alters, the communication between two parties
• While the parties believe that they are directly communicating with each other
Typical E-commerce Traffic
• Typical usage:
  – User enters ecomm.site
  – Gets the web page displayed
  – Proceeds with transaction

Typical E-commerce Traffic Setup
[Diagram: User-A and User-X on the LAN behind an AP/Router, reaching ecomm.site]
1. http://ecomm.site
2. 302 Redirect to https://ecomm.site
3. New request to https://ecomm.site
4. Setup of HTTPS Session
5. Secure Data Exchange
Typical E-commerce Traffic with MITM
• Typical usage: User enters ecomm.site
• MITM attacker hijacks the URLs and changes n/w settings
• All the back and forth traffic goes via the attacker
• Gets the web page displayed
• Proceeds with transaction
ARP Spoofing
• Objective: When A & C communicate, B can snoop
  ❖ Use ARP spoofing to fool A & C into going via B
  ❖ Attacker machine
    ❖ Becomes a router to forward traffic
    ❖ Runs tcpdump to capture traffic
  ❖ Why ARP spoofing works?
[Diagram: A (172.25.4.x), B (172.25.4.y) and C (172.25.4.z) on one LAN]
MITM Attack
❖ Convert B into a router
  ❖ sudo sysctl -w net.ipv4.ip_forward=1
❖ Install ARP sniffer on B
  ❖ sudo apt install dsniff
❖ Issue ARP spoof command on B for A & C
  ❖ arpspoof -i <i/f> -t <Address of A> -r <Address of C>
❖ Run wireshark on B for the IP addresses of A & C
  ❖ capture filter: host <A> or host <C>
❖ Let A & C chat
❖ Run tcpdump on B (between A and C)
Typical E-commerce Traffic w/ MITM
[Diagram: User-A, User-X (MITM Attacker), AP/Router and ecomm.site]
1. http://ecomm.site (from User-A)
2. http://ecomm.site (via User-X, the MITM attacker)
3. 302 Redirect to https://ecomm.site
4. New request to https://ecomm.site
5. Setup of HTTPS Session
6a. HTTP Response & Data Exchange (User-X to User-A)
6b. Secure Data Exchange with eavesdropping
Traffic Flow with MITM Attacker
• Step 0: Attacker sets up the hostile environment
  ❖ Using ARP spoofing, and
    ❖ Open source package dsniff
    ❖ Makes silent ARP changes in victim m/c
    ❖ Makes silent ARP changes in local router
    ❖ All traffic between user and router goes via attacker
  ❖ Using SSLStrip
    ❖ Open source package sslstrip
    ❖ Converts HTTPS URLs to HTTP and vice versa
Traffic Flow with MITM Attacker
• Step 1: User types ecomm.site in the browser
• Step 2: HTTP packets, instead of going to the local router, are delivered to the attacker's system
  ❖ Pkt still has Src IP of victim, and dst IP of Amazon
• Step 3: Attacker forwards the request via the local router to ecomm.site (becomes initiator)
• Step 4: ecomm server sends a redirect to use https
• Step 5: local router sends the HTTP Response (IP packet) to the attacker instead of the victim
  ❖ Pkt has Src IP of ecomm, and dest IP of victim
• Step 6: Attacker initiates an HTTPS request to amazon
• Step 7: ecomm site responds with the web page
Traffic Flow with MITM Attacker
• Step 8: Attacker manipulates the web page
  ❖ Replaces all references to HTTPS with HTTP
  ❖ SSLStrip does it automatically
• Step 9: Victim sees the same look and feel as before
  ❖ Does not notice that it is not HTTPS
• Step 10: Victim enters credentials and sends
• Step 11: The HTTP packet with credentials is delivered to the attacker
  ❖ Attacker records the information (e.g. tcpdump)
  ❖ Forwards the request on HTTPS to amazon
• Summary: ecomm site believes everything is HTTPS, which is true. Victim is unaware of the data theft.
Why MITM Works?
• User does not enter HTTPS with the URL. It just types ecomm.site
• A typical user is not aware that credential information should be entered only if there is a green lock symbol before the URL
• User has no knowledge of how L3 and L2 of networking work
  ❖ Has no means of verifying that data is going not to the local router but to an attacker
• Any IT dept (of an organization) is typically short-staffed and believes that no attacks are happening internally
Web Scenarios for MITM
• Plaintext HTTP mechanism
  ❖ Simple ARP spoofing is good enough
• HTTPS access with redirection from HTTP
  ❖ SSLStrip is helpful for the attacker
• Using HSTS
  ❖ First time usage is hackable
Avoiding MITM Attacks?
• Sol 1: Educate the user
  ❖ User must enter HTTPS before the URL
  ❖ Practically not possible to educate a billion users
• Sol 2: Enforce that browser vendors initiate all traffic with HTTPS
  ❖ Proxies won't work
  ❖ URL hijack for auth won't work
  ❖ Note: Chrome marks the site as not secure
• Sol 3: Empowering IT
  ❖ IT dept runs MITM detection tools, detects any MITM activity
  ❖ Challenge: Typical IT is not capable
Avoiding MITM Attacks?
• Sol 4: A responsible website responds only to HTTPS
  ❖ Does not respond to HTTP
  ❖ Challenge: User still enters HTTP
    ❖ It will lose business when the user does not see a response
    ❖ Entity does not want to lose business
• Sol 5: Make ARP entries static in the router and the victim m/c
  ❖ Challenge: Practically impossible
    ❖ User needs to understand how ARP works
HTTP Strict Transport Security
❖ HSTS: https://tools.ietf.org/html/rfc6797
❖ A mechanism incorporated by the web server
❖ Instructs the browser to always initiate requests with HTTPS
  ❖ Even if the user enters http://<website>
❖ Ensures that once a browser receives the HSTS header
    Strict-Transport-Security: max-age=31536000; includeSubDomains
  ❖ Browser initiates HTTPS always
❖ Most useful in public places
  ❖ Airports, cafes, malls, railway stations etc.
HSTS Deployment
• Prominent sites that use HSTS
  – Facebook, Amazon, Twitter
  – Google ??
  – Airtel (with max-age=0)
• Sites that are yet to implement HSTS
  – Ecommerce sites: Flipkart
  – Banks e.g. SBI, ICICI Bank, HDFC
  – Academic institutes: VTU Karnataka, IISc
Inadequacies of HSTS Mechanism
• When the user visits the website for the first time, and the website responds with the HSTS header
  ❖ The MITM attacker can still manipulate the response and remove the HSTS header
  ❖ User is subject to attack on first time access
HTTP Headers for Secure Web
• Avoiding XSS
  ❖ use Secure; HttpOnly in Set-Cookie
  ❖ X-XSS-Protection: 1
• Avoid content-type guessing by the browser
  ❖ X-Content-Type-Options: nosniff
  ❖ Uses content only when Content-Type is provided
• Use Content-Security-Policy
  ❖ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP
Content Security Policy (CSP)
• Common form of attack on websites
  – Interaction with the user where some input is taken
    • e.g. blog comments, social media sites, forms etc.
  – User input injects malicious content
    • results in website hacking, stealing of user info etc.
• CSP: An approach to prevent such attacks
  – Implemented via HTTP headers
  – Tells the browser which content can be dangerous and should be blocked, based on the origin of the content
    • e.g. scripts, CSS, images etc.
CSP Examples
• Header set Content-Security-Policy
  – "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'"
    • Blocks content from any site other than self
  – script-src 'self' https://code.jquery.com;
    • Allows content from self and one more website, and no other
  – Upgrade-Insecure-Requests
    • Browser accesses all links with HTTPS
Hands-On 2
• Implement ARP Spoofing
  – Run the ARP spoofing command on X (Attacker)
    • Spoof MAC address MACA on B to MACX on B
    • Spoof MAC address MACB on A to MACX on A
  – Convert X into a router
  – Initiate chat between A and B
  – Snoop on the chat communication between A and B and see the data of the chat communication on X
Hands-On 2
• Implement HSTS
  – Configure a web server to support HSTS
  – When done for a site with a self signed certificate, it is unlikely to be ignored
  – Use browser developer tools or (wget) to verify that the HSTS header comes in the response
  – Identify websites that have implemented HSTS e.g. amazon.com
    • Access these websites with HTTP and verify that access is made with HTTPS and not with HTTP
Summary
• HTTPS overview
• Installing an SSL certificate
• Warnings on invalid certificates
• Mixed content warnings and lock icons
• ARP spoofing
• Snooping on someone in the local network
Thank You