Web Security, Summer Term 2012 Information Leakage and Improper - - PowerPoint PPT Presentation

SLIDE 1

IIG University of Freiburg

Web Security, Summer Term 2012

Information Leakage and Improper Error Handling

  • Dr. E. Benoist

Summer Semester

Web Security, Summer Term 2012 9.2 Information Leakage and Improper Error Handling 1

SLIDE 2

Table of Contents

  • Presentation of the vulnerability
  • Examples
      • Server Fingerprinting
      • MySQL Error Messages and SQL Injection
  • Recommendations
  • Conclusion

SLIDE 3

Presentation of the vulnerability

◮ An application can unintentionally leak information through application problems

  • Configuration
  • Internal workings
  • Violate privacy

◮ Internal state can be spotted by measuring the duration of a process

  • Different input may have different time
  • Error handling can be seen (takes more time)

◮ Most of the information is leaked through error messages

  • Information can be used to launch powerful attacks

SLIDE 4

Description

◮ Some applications display error messages to users

  • Messages are quite useful to attackers
  • Reveal implementation details or vulnerabilities

◮ Overly detailed error messages

  • Display stack traces
  • Failed SQL statements
  • Debugging information

◮ Functions produce different results based on different inputs

  • Same username with different passwords
  • Should produce the same text for “no such User” and “Bad Password”
  • However many systems produce different codes

SLIDE 5

Fingerprinting of Web Server

Access Apache configuration

◮ Simple GET gives the list of all installed modules.

    GET /abcde HTTP/1.1
    Host: localhost

    HTTP/1.1 404 Not Found
    Date: Fri, 13 Jun 2008 09:10:52 GMT
    Server: Apache/2.2.8 (Unix) DAV/2 mod_ssl/2.2.8 \
      OpenSSL/0.9.8e PHP/5.2.5 mod_apreq2-20051231/2.6.0 \
      mod_perl/2.0.2 Perl/v5.10.0
    Content-Length: 374
    Content-Type: text/html; charset=iso-8859-1
    X-Pad: avoid browser bug

    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    ...

SLIDE 6

On a production server

◮ Server banner is more restricted

Server: Apache

◮ The Server header can be changed in httpd.conf

  • ServerTokens Prod(uctOnly)

    Server: Apache

  • ServerTokens Min(imal)

    Server: Apache/2.2.8

  • ServerTokens OS

    Server: Apache/2.2.8 (Unix)

  • ServerTokens Full (or not specified)

    Server: Apache/2.2.8 (Unix) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8e \
      PHP/5.2.5 mod_apreq2-20051231/2.6.0 mod_perl/2.0.2 Perl/v5.10.0

SLIDE 7

Fingerprinting

◮ Apache and IIS leave traces

  • The order of the HTTP headers is different
  • The names of HTTP headers are sometimes different (Content-length vs. Content-Length)
  • HTTP status sentences are different: 404 Not Found vs. 404 Object Not Found

◮ This lets an attacker discover which version you have deployed

  • And which attack should be tried

SLIDE 8

MySQL Error messages

Very useful for SQL Injection

◮ Indicates if Magic cookie is installed
◮ Indicates if mysql_query() is used or prepared statements
◮ MySQL Error gives a part of the Query

An Attacker Needs

  • The name of the tables
  • The number of fields (useful for a UNION SELECT)
  • The name of some columns

    Unknown column 'test' in 'where clause'

  • . . .
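
A check a site owner can run over their own responses, covering both leaks described on the fingerprinting and MySQL slides. This is an added example, not part of the original slides; the sample responses are constructed from the values shown above, and the function names and patterns are assumptions chosen for illustration.

```python
import re

# Constructed sample, modelled on the verbose 404 response shown on the slide.
SAMPLE_VERBOSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.8 (Unix) DAV/2 mod_ssl/2.2.8 OpenSSL/0.9.8e PHP/5.2.5\r\n"
    "Content-Type: text/html; charset=iso-8859-1\r\n"
    "\r\n"
    "<p>Unknown column 'test' in 'where clause'</p>"
)
# Constructed sample of a hardened response (ServerTokens Prod, generic body).
SAMPLE_PROD = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache\r\n"
    "\r\n"
    "<p>An error occurred. Please try again later.</p>"
)

# product/version tokens such as PHP/5.2.5 or Perl/v5.10.0
VERSION_TOKEN = re.compile(r"[\w-]+/v?\d[\w.]*")
# Error text that should never reach a client (illustrative, not exhaustive).
BODY_PATTERNS = {
    "MySQL error text": re.compile(
        r"Unknown column '[^']*' in '[^']*'|You have an error in your SQL syntax"),
    "stack trace": re.compile(r"Stack trace:|Traceback \(most recent call last\)"),
}

def parse_response(raw):
    """Split a raw HTTP response into status line, header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body

def audit_response(raw):
    """Return a list of findings; an empty list means nothing leaked."""
    _, headers, body = parse_response(raw)
    findings = []
    tokens = VERSION_TOKEN.findall(headers.get("server", ""))
    if tokens:
        findings.append("Server banner exposes versions: " + ", ".join(tokens))
    for label, pattern in BODY_PATTERNS.items():
        if pattern.search(body):
            findings.append("Body contains " + label)
    return findings
```
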

SLIDE 9

Recommendations

◮ Ensure that the entire team shares a common approach

◮ Disable or limit detailed error handling

  • No debug information
  • stack traces
  • or path information

◮ Ensure that secure paths that have multiple outcomes return similar or identical error messages

  • in the same time
  • If not possible: wait a random time
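
The login case from the Description slide, with the leaky form beside one that returns the same message after the same amount of work. This is an added example, not part of the original slides; the user store, function names and messages are constructed for illustration, and PBKDF2 is an assumed choice of password hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password"

def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password):
    salt = os.urandom(16)
    return salt, hash_password(password, salt)

# Constructed user store for the example.
USERS = {"alice": make_record("correct horse")}
# Record hashed against when the username is unknown, so that path costs the same.
DUMMY_RECORD = make_record("dummy-password-never-accepted")

def leaky_login(username, password):
    """Anti-pattern: distinct messages, and an early return that skips hashing."""
    if username not in USERS:
        return False, "No such user"
    salt, stored = USERS[username]
    if hash_password(password, salt) != stored:
        return False, "Bad password"
    return True, "Welcome"

def login(username, password):
    """Same message and the same hashing work for every failure path."""
    known = username in USERS
    salt, stored = USERS[username] if known else DUMMY_RECORD
    candidate = hash_password(password, salt)
    matches = hmac.compare_digest(candidate, stored)   # constant-time comparison
    if known and matches:
        return True, "Welcome"
    return False, GENERIC_FAILURE
```
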

SLIDE 10

Recommendations (Cont.)

◮ Database or Web Server may return exceptional results

  • Can be used for exploiting the system
  • Errors from all layers must be adequately checked

◮ Need ONE default error message

  • Prevent the use of errors specific to one framework

◮ Make sure the HTTP code is always 200

  • Reduces the ability of automated scanning tools to determine if a serious error occurred (500 for instance)

SLIDE 11

Conclusion

◮ Prefer logging to displaying error messages

  • Your developers have access to log files,
  • Attackers don’t

◮ Your application contains multiple layers

  • Be sure not to let messages from one layer corrupt your site

◮ Security by obscurity is not sufficient!

  • But it is an extra layer of security
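
One way to apply the "ONE default error message" and "log, don't display" recommendations at a single choke point, written as WSGI middleware. This is an added example, not part of the original slides; the names, the default message and the incident reference are assumptions, and the status defaults to 200 as the Recommendations slide asks.

```python
import io
import logging
import sys
import uuid

DEFAULT_BODY = b"An error occurred. Please try again later."

def safe_errors(app, logger, status="200 OK"):
    """WSGI middleware: log the real error, show one default message."""
    def wrapper(environ, start_response):
        try:
            # Consume the body here so errors raised while iterating are caught.
            return list(app(environ, start_response))
        except Exception:
            incident = uuid.uuid4().hex[:8]   # lets developers find the log entry
            logger.exception("incident %s path=%s", incident,
                             environ.get("PATH_INFO", ""))
            body = DEFAULT_BODY + b" Reference: " + incident.encode()
            headers = [("Content-Type", "text/plain"),
                       ("Content-Length", str(len(body)))]
            start_response(status, headers, sys.exc_info())
            return [body]
    return wrapper

def broken_app(environ, start_response):
    """Constructed inner application whose database layer fails."""
    raise RuntimeError("Unknown column 'test' in 'where clause'")

def demo():
    """Run one request through the middleware; return (status, body, log)."""
    stream = io.StringIO()
    logger = logging.getLogger("safe_errors_demo")
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    chunks = safe_errors(broken_app, logger)({"PATH_INFO": "/item"}, start_response)
    return seen["status"], b"".join(chunks), stream.getvalue()
```
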
