Web Security

Web Exploitation
Web page altered (defaced) by exploiting scripts. Defaced sites are collected at http://www.alldas.org
Information leakage (e.g. financial reports that should only be accessible to certain people/departments)
Used to deceive the firewall (tunnelling out of the network)
Eavesdropping on information. URLwatch: seeing who accesses what. A privacy problem
DoS attack: requests in large numbers (in rapid succession); requests that block (slow to send the GET command)
Malicious Input Attack: bad input to a privileged program, a code corruption attack – buffer overflow, SQL injection, cross-site scripting

Web Security
Web page altered (defaced): secure configuration of the web server and web application
Information leakage: with .htaccess and HTTP Digest authentication
Used to deceive the firewall (tunnelling out of the network): with Suhosin
Eavesdropping on information: with SSL/https
DoS attack: firewall and mod_security
Malicious Input Attack: mod_security and secure configuration

Secure Configuration
Test with vulnerability scanner tools, e.g. Nikto
Configure HTTP securely:
– Disable Un-Needed Modules
– Denial of Service (DoS) Protective Directives
– Access Control: Where Clients Come From
– Limiting HTTP Request Methods
– Removing Default/Sample Files
– Updating Ownership and Permissions
– Updating the Apachectl Script
– Enable Security Modules for Apache
• Secure Socket Layer (SSL)
• Mod_Rewrite
• Mod_Log_Forensic
• Mod_Dosevasive
• Mod_Security

.htaccess in Apache
Contents of the ".htaccess" file:
    AuthUserFile /home/budi/.passme
    AuthGroupFile /dev/null
    AuthName "Khusus untuk Tamu Budi"
    AuthType Basic
    <Limit GET>
    require user tamu
    </Limit>
Restricts access to the user "tamu" with a password
Use the "htpasswd" command to create the password stored in ".passme"
Note: <Limit GET> applies the requirement only to GET (and HEAD) requests; other methods such as POST are not restricted by it.

HTTP
Hyper Text Transfer Protocol
Widely used to exchange text data across different platforms
HTTP messages are composed of header fields and an entity (the payload)
Used for the WWW on port 80 to exchange HTML files
Standardized in the RFCs
The current 1.1 version offers two authentication schemes: Basic and Digest
Protocol://destination-host/resource

Basic Access Authentication (browser <==> web server)
Browser: GET /basic/ HTTP/1.1
Web server: Response 401 Unauthorized, WWW-Authenticate: Basic realm="Basic Test Zone"
Browser: HTTP GET request with clear username and password: Authorization: Basic dGVzdDp0ZXN0
Web server: Response 200 OK <data>
Password encoded in Base64; no encryption
Sent in clear with every subsequent request
Sniffing compromises the password

Digest Access Authentication (browser <==> communication channel <==> web server)
1. Browser: HTTP GET /protected/test.html request
2. Web server: nonce generated; Response HTTP 401 Unauthorized with realm and nonce:
   WWW-Authenticate: Digest realm="DigestZone", nonce="3gw6ask", algorithm=MD5, domain="/protected/", qop="auth" <data>
3. Browser: prompts the user for username and password; generates cnonce, counter nc, URI and method; computes the response from username, realm, nonce, cnonce, URI and method:
   HTTP GET /protected/test.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test.html", algorithm=MD5, response="65biad5s70de", qop=auth, nc=0001, cnonce="82c875dc"
4. Web server: password database lookup; MD5(username:realm:password) combined with nonce, cnonce, URI and method gives the expected MD5 hash. Match? Yes: 200 OK, send document. No: 401 Unauthorized, back to 2.
   Response HTTP 200 OK
   Authentication-Info: rspauth="d9260eef8e7", cnonce="82c875dc", nc=0001, qop=auth <data>
5. Browser: response code 200: show document, update nc by 1; response code 401: prompt for username and password again, back to 3.
6. Browser: HTTP GET /protected/test2.html request
   Authorization: Digest username="Controler", realm="DigestZone", nonce="3gw6ask", uri="/protected/test2.html", algorithm=MD5, response="4c5c93bc8747i", qop=auth, nc=0002, cnonce="72g4dsfs"
   Web server: Response HTTP 200 OK
   Authentication-Info: rspauth="g45sx4j65s1", cnonce="3gw6ask", nc=0002, qop=auth <data>
<...>
response = MD5[MD5(username:realm:password):nonce:nc:cnonce:qop:MD5(method:URI)]

Suhosin
Suhosin is an advanced protection system for PHP installations that was designed to protect servers and users from known and unknown flaws in PHP applications and the PHP core.
Suhosin comes in two independent parts, that can be used separately or in combination:
– The first part is a small patch against the PHP core that implements a few low-level protections against buffer overflows or format string vulnerabilities
– The second part is a powerful PHP extension that implements all the other protections

Firewall
A firewall is used to prevent unauthorized access to a network.
It works by protecting, namely by filtering, limiting or refusing connections/activity between a segment of the private network and an outside network that is not within its scope.
That segment can be a workstation, server, router, or your local area network (LAN)
pc (local network) <==> firewall <==> internet (other network)

Mod_Security
ModSecurity is a web application firewall (WAF), to detect and/or prevent attacks before they reach web applications. ModSecurity can monitor the HTTP traffic in real time in order to detect attacks.

Secure Socket Layer (SSL)
Uses encryption to secure data transmission
Originally developed by Netscape
OpenSSL
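The two HTTP authentication schemes above, worked through in Python as an added example (not code from the slides): decoding the Basic token shows why Base64 gives no secrecy, and the Digest part implements the slide's response formula plus the server-side check of step 4, including rejection of a replayed nonce count. The realm, nonce, cnonce and username are the slide's values; the password "secret" and the credential table are constructed for the example.

```python
import base64
import hashlib
import hmac

# Realm, nonce, cnonce and username come from the slides; the password
# "secret" and the HA1 table built in the test are constructed here.

def decode_basic(authorization: str) -> tuple[str, str]:
    """Split an 'Authorization: Basic <token>' value. Base64 only encodes."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password

def md5hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()

def digest_ha1(username: str, realm: str, password: str) -> str:
    """MD5(username:realm:password): what the server keeps instead of the password."""
    return md5hex(f"{username}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """The slide's formula: MD5[HA1:nonce:nc:cnonce:qop:MD5(method:URI)]."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

class DigestVerifier:
    """Server side of step 4: lookup, recompute, compare, and refuse a reused nc."""

    def __init__(self, realm: str, ha1_db: dict):
        self.realm = realm
        self.ha1_db = ha1_db   # username -> HA1, never the cleartext password
        self.last_nc = {}      # nonce -> highest nonce count accepted so far

    def check(self, method: str, uri: str, f: dict) -> int:
        """Return the status the server would send for the Authorization fields f."""
        ha1 = self.ha1_db.get(f["username"])
        if ha1 is None or f["realm"] != self.realm or f["uri"] != uri:
            return 401
        expected = digest_response(ha1, method, uri, f["nonce"],
                                   f["nc"], f["cnonce"], f["qop"])
        if not hmac.compare_digest(expected, f["response"]):
            return 401
        nc = int(f["nc"], 16)
        if nc <= self.last_nc.get(f["nonce"], 0):
            return 401   # same (nonce, nc) seen before: a replayed request
        self.last_nc[f["nonce"]] = nc
        return 200
```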