Web Security

CS455/555 SPRING 2019

CS455/555 SPRING 2019 2-1

 Project Topics and Groups (Posted in Announcement on Canvas)

Undergraduates:
◦ Lucy Putnam, Teresa Mullenbach, Graham Miller - Credit cards and ATMs
◦ Bryce Hansche, John Pertle, Bradley Miller, Michael Hansen - Android
◦ Dmytro Dundukov, Kyle Schmidt, Mitchel Hall - Ransomware
◦ Alex Watt, Ben Zadow, Tommy Johnson, Nickolas Hexum - TOR
◦ Forest Evanson, Justin Severeid, Mitchell Smidl, Sully Brooks - Antivirus software

Graduates:
◦ Markus Hutnik, Ben Cerbins, Kalin Rudnicki - VPNs and network security
◦ Adam Yakes, Tyler Durr, David Ferenchak - Electronic voting
◦ Josh Chianelli, Jeroen ketelaar, Joey Fedor - SQLMap

SCUN Graduates:
◦ Jianmu Deng, Dong Yi Liang, Ge Ge - Privacy on Facebook
◦ Zhenhao Zhou, Yuanqing Suo, Yuxiao Ma - Malicious URL detection using ML
◦ Hui Li, Liyuan Li, Mingjia Lin, Feifan Zhang - DOS

CS455/555 SPRING 2019 2-2

Announcements
Next two assignments posted:
◦ XSS – due April 12
◦ PKI – due April 26

CS455/555 SPRING 2019 2-3

 Malware
[SOUP13] defines malware as:
“a program that is inserted into a system, usually
covertly, with the intent of compromising the
confidentiality, integrity, or availability of the victim’s
data, applications, or operating system or otherwise
annoying or disrupting the victim.”

CS455/555 SPRING 2019 4

Classifying Malware
Propagation – how it spreads
◦ Self-replication – standalone program that spreads itself
◦ Infection – uses a host file to spread
◦ Social engineering – manipulates users to spread

Payload – what it does

◦ Corruption – modification or destruction of system or data files
◦ Theft of service – uses system resources to act on behalf of the attacker
◦ Theft of information – collects and sends information from the victim to the
attacker
◦ Stealthing – hiding on system in a dormant state

CS455/555 SPRING 2019 5

 Denial-of-Service (DoS)
A form of attack on the availability of some service
l

Categories of resources that could be attacked are:

l

Network bandwidth System Application resources

resources

Relates to the capacity

of the network links
Typically involves a
connecting a server to
Aims to number of valid
the Internet
overload or requests, each of which
crash the consumes significant
network resources, thus limiting
For most organizations handling the ability of the server
this is their connection software to respond to requests
to their Internet Service from other users
Provider (ISP)
CS455/555 SPRING 2019 6
DOS: Network
Other So much traffic to the specific
host Other host that the routers and server
host can’t handle that many packets.

Bot Internet Target

Bot sends
LOTS of Result:
packets to Routers along the paths to the server
target Other Other become congested and all traffic
host host along the route suffer – decreased
throughput for the network.

CS455/555 SPRING 2019 7

DOS: System Resources
Other So much traffic to the specific
host Other host that the routers and server
host can’t handle that many packets.

Bot Internet Target

Bot sends
LOTS of Result:
packets to
Server hardware, OS, and system
target Other Other software are unable to handle the
host host volume and drop packets or signal an
error.

CS455/555 SPRING 2019 8

DOS: Application Resources
Other So much traffic to the specific
host Other host that the routers and server
host can’t handle that many packets.

Bot Internet Target

Bot sends Result:

LOTS of
packets to Thread pool or threads to handle the
target Other requests are overwhelmed
Other exhausting memory and CPU
host host resources.

Note: the DOS attack may be indistinguishable from legitimate traffic,

and legitimate traffic may also beCS455/555
mixed in 2019
SPRING with the DOS traffic. 9
Malware Countermeasure Approaches
Ideal solution to the threat of malware is prevention

Four main elements of prevention:

• Policy
• Awareness
• Vulnerability mitigation
• Threat mitigation

◦ If prevention fails, technical mechanisms can be used to support the

following threat mitigation options:
◦ Detection
◦ Identification
◦ Removal
CS455/555 SPRING 2019 10
Intrusion
l Classes of intruders: l Behavior
l Cyber criminals: l Identify target(s)
l Activists l Initial access
l State-Sponsored l Privilege escalation
Organizations l Information gathering or
l Other attack
l Motivations l Maintain access
l Politics or activism l Cover tracks
l Money/crime
l National/Government
interests

CS455/555 SPRING 2019 11

 Intrusion Detection System (IDS)
l Host-based IDS (HIDS) Comprises three logical components:

l Monitors the • Sensors - collect data

characteristics of a single • Analyzers - determine if intrusion has
host for suspicious activity occurred
l Network-based IDS • User interface - view output or control system
(NIDS) behavior

l Monitors network traffic and analyzes network, transport, and

application protocols to identify suspicious activity
l Distributed or hybrid IDS
l Combines information from a number of sensors, often both host
and network based, in a central analyzer that is able to better
identify and respond to intrusion activity

CS455/555 SPRING 2019 12

 Known bad
Analysis Approaches behavior

ANOMALY DETECTION SIGNATURE/HEURISTIC

Involves the collection of data
relating to the behavior of
legitimate users over a period of
time
Current observed behavior is
analyzed to determine whether
this behavior is that of a legitimate
user or that of an intruder
Collect observed
good behavior
DETECTION
Uses a set of known malicious
data patterns or attack rules
that are compared with current
behavior
Also known as misuse
detection
Can only identify known attacks
for which it has patterns or
rules

CS455/555 SPRING 2019 13

 Collect observed
Anomaly Detection good behavior

A variety of classification approaches are used:

Statistical Knowledge based Machine-learning

• Analysis of the • Approaches use • Approaches

observed an expert system automatically
behavior using that classifies determine a
univariate, observed suitable
multivariate, or behavior classification
time-series according to a model from the
models of set of rules that training data
observed model legitimate using data
metrics behavior mining
techniques

CS455/555 SPRING 2019 14

 Known bad
behavior

Signature approaches
Match a large collection of known patterns of
malicious data against data stored on a system or in
transit over a network

The signatures need to be large enough to minimize

the false alarm rate, while still detecting a sufficiently
large fraction of malicious data

Widely used in anti-virus products, network traffic

scanning proxies, and in NIDS

CS455/555 SPRING 2019 15

 Rule-based heuristic identification

Involves the use of rules for identifying known penetrations or

penetrations that would exploit known weaknesses

Rules can also be defined that identify suspicious behavior, even when
the behavior is within the bounds of established patterns of usage

Typically rules used are specific

Known bad
behavior
SNORT is an example of a rule-based NIDS

CS455/555 SPRING 2019 16

 Host-Based Intrusion
Detection (HIDS)
Adds a specialized layer of security software to
vulnerable or sensitive systems
Can use either anomaly or signature and heuristic
approaches
Monitors activity to detect suspicious behavior
◦ Primary purpose is to detect intrusions, log suspicious events, and send
alerts
◦ Can detect both external and internal intrusions

CS455/555 SPRING 2019 17

Data Sources and Sensors

Common data
sources include:
A fundamental • System call traces
component of • Audit (log file) records
• File integrity checksums
intrusion detection
• Registry access
is the sensor that
collects data
Host-level IDS is typically part of the
operating system’s job
CS455/555 SPRING 2019 18
 Table 8.2 Linux System Calls and Windows DLLs Monitored

(a) Ubuntu Linux System Calls

accept, access, acct, adjtime, aiocancel, aioread, aiowait, aiowrite, alarm, async_daemon,
auditsys, bind, chdir, chmod, chown, chroot, close, connect, creat, dup, dup2, execv, execve, Table 8.2
exit, exportfs, fchdir, fchmod, fchown, fchroot, fcntl, flock, fork, fpathconf, fstat, fstat,
fstatfs, fsync, ftime, ftruncate, getdents, getdirentries, getdomainname, getdopt, getdtablesize,
getfh, getgid, getgroups, gethostid, gethostname, getitimer, getmsg, getpagesize,
getpeername, getpgrp, getpid, getpriority, getrlimit, getrusage, getsockname, getsockopt, Linux System
gettimeofday, getuid, gtty, ioctl, kill, killpg, link, listen, lseek, lstat, madvise, mctl, mincore,
mkdir, mknod, mmap, mount, mount, mprotect, mpxchan, msgsys, msync, munmap,
nfs_mount, nfssvc, nice, open, pathconf, pause, pcfs_mount, phys, pipe, poll, profil, ptrace,
Calls and
putmsg, quota, quotactl, read, readlink, readv, reboot, recv, recvfrom, recvmsg, rename,
resuba, rfssys, rmdir, sbreak, sbrk, select, semsys, send, sendmsg, sendto, setdomainname,
Windows
setdopt, setgid, setgroups, sethostid, sethostname, setitimer, setpgid, setpgrp, setpgrp,
setpriority, setquota, setregid, setreuid, setrlimit, setsid, setsockopt, settimeofday, setuid, DLLs
shmsys, shutdown, sigblock, sigpause, sigpending, sigsetmask, sigstack, sigsys, sigvec,
socket, socketaddr, socketpair, sstk, stat, stat, statfs, stime, stty, swapon, symlink, sync, Monitored
sysconf, time, times, truncate, umask, umount, uname, unlink, unmount, ustat, utime, utimes,
vadvise, vfork, vhangup, vlimit, vpixsys, vread, vtimes, vtrace, vwrite, wait, wait3, wait4,
write, writev

(b) Key Windows DLLs and Executables

comctl32
kernel32
msvcpp
msvcrt
mswsock
ntdll
ntoskrnl
(Table can be found on page 280 in
user32
the textbook)
ws2_32 CS455/555 SPRING 2019 19
Advanced Persistent Threats
(APTs)
Well-resourced, persistent application of a wide variety of intrusion
technologies and malware to selected targets (usually business or political)
Typically attributed to state-sponsored organizations and criminal enterprises
Differ from other types of attack by their careful target selection and stealthy
intrusion efforts over extended periods
High profile attacks include Aurora, RSA, APT1, and Stuxnet

CS455/555 SPRING 2019 20

 Advanced Persistent Threats
(Bad Guys++)
Advanced
• Used by the attackers of a wide variety of intrusion technologies and malware including
the development of custom malware if required
• The individual components may not necessarily be technically advanced but are carefully
selected to suit the chosen target
Persistent
• Determined application of the attacks over an extended period against the chosen target in
order to maximize the chance of success
• A variety of attacks may be progressively applied until the target is compromised

Threats
• Threats to the selected targets as a result of the organized, capable, and well-funded
attackers intent to compromise the specifically chosen targets
• The active involvement of people in the process greatly raises the threat level from that
due to automated attacks tools, and also the likelihood of successful attacks

CS455/555 SPRING 2019 21

 22

Watch the
following
segments of
the video
• 0:30 to
9:05
• 1:03:00 –
end

http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA30
2 CS455/555 SPRING 2019

http://spectrum.ieee.org/telecom/security/the-real-story-of-stuxnet
Web Security

CS455/555 SPRING 2019

What’s the Internet: a service view
mobile network
Infrastructure that provides services to
applications: global ISP
◦ Web, VoIP, email, games, e-commerce,
social nets, …

provides programming interface to apps home

network
◦ hooks that allow sending and receiving regional ISP
app programs to connect to Internet
◦ provides service options, analogous to
postal service

institutional
network

CS455/555 SPRING 2019 1-24

Internet protocol stack
application: supporting network applications
◦ FTP, SMTP, HTTP
transport: process-process data transfer application
◦ TCP, UDP
network: routing of datagrams from source to transport
destination
◦ IP, routing protocols
network
link: data transfer between neighboring network
elements
◦ Ethernet, 802.111 (WiFi), PPP link
physical: bits on the wire
physical

CS455/555 SPRING 2019 1-25

Web – Applications built on
the Internet

CS455/555 SPRING 2019 2-26

HTTP Request
o GET /index.html HTTP/1.1 Host: www.example.com
o Need to figure out where www.example.com is using DNS (see next slide)
o TCP needs to establish a connection – skipping SSL at the moment
o Then the request is issued

o Server responds with the HTML webpage corresponding to the request

CS455/555 SPRING 2019 2-27

Hypertext Markup Language (HTML)
o Text formatting – make it pretty! J
o italics <i>text</i>, bold <b>text</b> …

o Lists – organize data

o <ul><li>thing 1</li><li>thing 2</li> … </ul>

o Hyperlinks – connect to internal and external pages

o <a href=“a URL”>text that is clickable</a>

o Scripting code – do cool things!

o <script>some code</script>
o Images – more pretty!! J
o <img src=“URL for image”>
CSS – Cascading Style Sheets
Formatting rules for applying
style consistently across many
webpages

CS455/555 SPRING 2019 2-28

HTML Example

CS455/555 SPRING 2019 2-29

URLs and DNS
o URL – Uniform Resource Locators

1 3 5
http://www.example.com/directory/file.html
2 4 6

1. Protocol - http
2. Subdomain - www
3. Domain – example
4. Top level domain (TLD) - .com
5. Directory tree to files - directory
6. Actual html file - file.html

CS455/555 SPRING 2019 2-30

 video
DNS
o DNS – Domain Name Server
o Responsible for maintaining and serving mappings of URLs to IP addresses
o Hierarchical - .com name server contains all of the mappings for URLs that
end in .com. UWL has a name server that contains all the mappings for URLs
that end in uwlax.edu.
o Distributed – many servers contain information for various websites for fast
and resilient look up
o Typical DNS lookup scenario
o Client asks for URL of local DNS server (hosted by university, ISP, or external
party – configurable on your system)
o If unknown, local DNS server refers the client to a DNS server that is known
to that server with the requested information (a .com server for a .com
address)
o Client asks that server. This process may repeat until a DNS server that
knows the IP address is found.

CS455/555 SPRING 2019 2-31

CS455/555 SPRING 2019 2-32
Web Browser
o Interpret your web interactions as http requests and send
them to the server via the lower levels of the protocol stack
implemented by your OS
o Render the HTML and execute scripts sent via HTTP
responses
o Remember: all data is just bits and HTML is just a text file, the pretty
needs to be rendered by the browser.

CS455/555 SPRING 2019 2-33

Dynamic Websites
o HTML is just a way to make some text look pretty and arrange
elements on a page. Scripts are needed to do interesting things and
respond to events.
o Document Object Model (DOM) is used to organize these elements on
a page and allow scripts to access and manipulate those objects.
o Javascript is a popular language for writing these scripts.

CS455/555 SPRING 2019 2-34

Who are you?
o The internet, and the HTTP protocol is designed to be stateless, but
often a server-client pair would want to store information about the
communication.
o Sessions – a unique identifier that can be used to associate a client
with data stored on the server side. Can be sent on each
communication in the GET or POST. (Server side)
o Cookies – a storage area managed by the browser on behalf of the
server that contains info needed for the communication. (Client side)
o On each communication, the session or cookie data is sent to the
server so the server knows who to associate the request with.
o What kinds of information would sessions and cookies support?
o Examples: Shopping cart contents, user ID for showing only pertinent
information to a logged in user.

CS455/555 SPRING 2019 2-35

Securing the Web
DNS

Client GET/POST
web Server
browser RESPONSE

HTML
Cookies DB
pages

Images

CS455/555 SPRING 2019 2-36

DNS Security
o DNS is vulnerable to spoofing and cache poisoning
o Pharming – when a DNS entry points to a malicious version of a
website designed for phishing attacks
o Cache poisoning – trick a DNS server into caching a false record
o Eve sends many requests to a target DNS server
o While the DNS server is busy, Eve sends responses to her requests
o Eve’s false responses get cached instead of the real mappings

o Solutions to cache poisoning:

o Real DNS server faster than Eve – difficult to achieve
o ID on DNS request must match that of the response – could be easily
guessable or brute forced

CS455/555 SPRING 2019 2-37

Birthday Paradox
o Birthday Paradox: what is the likelihood of two people in the class
having the same birthday?

oActivity:
o Break into small groups 2-4 people.
o Write down your birthdays. If there is a match, shout it out!
o Merge with another group and repeat the process.

o After a few merges, we will write all of the birthdays down and see if we
have a match.

Video

CS455/555 SPRING 2019 2-38

 What are the implications
of this paradox?
Birthday Paradox
o Birthday Paradox: what is the likelihood of two people in the class
having the same birthday?
o If there are 23 people in the room, then the probability of 2 people
having the same birthday is greater than 50%!

o If the ID for a DNS packet is 16 bits, then there are 2^16 different
values. If Eve generates n different values of the ID in her fake DNS
responses, then she would only need 213 different values to have a 50%
chance of success.

Video

CS455/555 SPRING 2019 2-39

DNS Poisoning

CS455/555 SPRING 2019 2-40

DNSSEC
o Need a better approach to DNS – DNSSEC
o Problem: don’t know if the DNS record is correct or not
o Solution: verify the identity of the provider of the information and
have some way to trust that server.
o A digital signature is used to verify the identity of the name server that
provided the information. Each DNS server that is queried for the result also
signs the message to establish a chain of trust.
o Based on public/private key encryption

link

CS455/555 SPRING 2019 2-41

CS455/555 SPRING 2019 2-42
Securing the Web
DNS

Client GET/POST
web Server
browser RESPONSE

HTML
Cookies DB
pages

Images

CS455/555 SPRING 2019 2-43

Session Hijacking
o If an attacker can sniff your packets, then they can discover the session
id being used on the server side to associate with your data. The
attacker could then use that session to impersonate you, hijacking the
communication. A replay attack could also be performed.
o Solution: HTTPS
o session id or cookie information sent to server are encrypted, thus the
attacker should not be able to impersonate the victim.

o Solution: time outs

o having a short period of time for the validity of the session id can reduce the
risk that a replay attack would work.

CS455/555 SPRING 2019 2-44

Phishing
o Phishing is an entity posing as a legitimate site to gain access to
sensitive information.
o Phishing can originate in multiple ways:
o Spam
o DNS cache poisoning (Pharming)
o URL obfuscation (e.g., unicode attack)

o Solutions:
o Good spam filters
o Train the humans to be good spam filters
o DNSSEC
o Typo correction in search engines
o Validation of certificates in web browsers

CS455/555 SPRING 2019 2-45

 Vulnerabilities in Media Content
o Videos, images, and animations are very popular on the internet, thus they are
attractive targets for attackers. By exploiting a vulnerability in a media player, an
attacker can gain access to a large number of systems.
o Javascript, Java applets, ActiveX, and Adobe Flash are very popular for
providing dynamic content and for having vulnerabilities
o Because these languages are executed, read and write data on the client side,
they need permission to do these things in order to give the user an exciting
user experience.
o Solution: protect web applications from the rest of your system. This is called
sandboxing and is used in other contexts as well to provide a way to give
permissions to something that is risky, but not let it affect the rest of the system.
o Solution: verify the developer of the applet. A “trusted” applet should be
signed and its certificate issued by a trusted authority. Can also self-sign an
applet, but most browsers will treat that as untrusted.
CS455/555 SPRING 2019 2-46
 Video
Cross-site Scripting (XSS)
o Very common attack!
o Basic structure: injection of a script into a webpage
o Types:
o Persistent (stored or DOM-based): stays on webpage for a period of time,
and subsequent visitors to the page are also victims of the attack
o Non-persistent or Reflected: construct a URL with the malicious script
embedded in it and trick people into clicking it

https://excess-xss.com/
CS455/555 SPRING 2019 2-47
 Cookie stealing
Persistent XSS Video 3:20

CS455/555 SPRING 2019 2-48

DOM-based XSS

CS455/555 SPRING 2019 2-49

Reflected XSS

CS455/555 SPRING 2019 2-50

Solutions to XSS
o Input validation!!
o Rewrite all ‘<‘ as &lt; and ‘>’ as &gt;
o May want to include HTML in some forms
o HTML Sanitization – allow benign HTML
o Some issues with this because it may not catch everything
o Cookie security
o Tie cookie to a specific IP address – prevent replay attacks
o HttpOnly flag – only allow cookie data to be updated by HTTP from
server, not client-side scripts
o Browser approach
o Disable scripts – many plugins available for this on a variety of
browsers

CS455/555 SPRING 2019 2-51

 video

Cloudflare

CS455/555 SPRING 2019 2-52