ECE4112 Internetwork Security

Lab 12: Web Application Security

Date Assigned: _____________

Date Due: _____________

Last Edited: _____________

Lab Authored By: Ankeet Patel and Kirk Roberts

Group Number: _________

Member Names: ___________________ _______________________

Goal: This lab will introduce you to the concept of web applications and a few of their security vulnerabilities.

Summary: In this lab, you will learn some aspects of web application security. We will be primarily concerned with three sections – user authentication, state management, and SQL injection.

Background: Read pages 299 – 317 from the textbook, Counter Hack. Read to cover cookies and sessions in PHP.

Prelab Questions: None

Lab Scenario: Windows XP machine with Apache web server and PHP installed. MySQL will also be set up during the lab. COPY ALL “sectionX” folders from the NAS folder to “C:\Program Files\EasyPHP1-8\www\”.

Section 1 – Setting Up the Lab

Exercise 1.1 – Installing EasyPHP

Download EasyPHP from and install the application. EasyPHP contains PHP, Apache, and MySQL. You should notice an “e” in the taskbar indicating that EasyPHP is running.

1. Right click on the “e” in the taskbar, go to “Configuration” and then click on “PHP”. Change “register_globals = off” to “register_globals = on”.

2. Open up Windows Explorer and go to “C:\Program Files\EasyPHP1-8\www”

3. Open “index.php”. Open it with any text editor.

4. Delete all the text in the file and replace it with “”.

5. Open Internet Explorer and type in “localhost”. You should see a page displaying information about the PHP installation on your computer.

Screenshot 1: Copy of this PHP information page.

Exercise 1.2 – Setup the Temporary MySQL Database

1. Open Internet Explorer and type in to bring up the PHPAdmin page.

2. Click “Privileges” and then click the “Edit Privileges” icon.

3. Scroll down to “Change password” and type “ece” for the password.

4. Now open “C:\EasyPHP\phpmyadmin\config.inc.php”, find the “$cfg['Servers'][$i]['password']” line and set it equal to “ece”.

5. Now go back to the PHPAdmin home page and create a new database called “lab”.

6. Copy the file “labdb.txt” from NAS and open a command prompt and navigate to “C:\Program Files\EasyPHP1-8\mysql\bin”.

7. Type “mysql -u root -p lab < labdb.txt” to import the database. Enter “ece” when prompted for the password.

8. Go into the PHPAdmin, click on the “Query Window” icon and type “select * from members”.

Screenshot 2: Copy of the page showing the contents of the “members” table.

Section 2 – User Authentication

Almost all websites give members access to special features and information. What all these websites have in common is that they require their members to log in before they are granted that access.

Exercise 2.1 – Simple authentication (very simple!!!)

Open “page1.php” in the “section2” folder in a text editor and look at what’s going on.

Open Internet Explorer, type in and log in to the page (the login information is in the file).

Q2.1 – What’s the problem with this method of authentication?

Exercise 2.2 – Authentication using a database

Open “page2.php” in the “section2” folder in a text editor and look at what’s going on. You should see some function calls to access the MySQL database we created earlier.

Open Internet Explorer, type in and log in to the page. There are currently two users in the database (the username/password combinations are ankeet/patel and kirk/roberts).

Q2.2 – Why is this better than the method in 2.1?

Q2.3 – What is an even better way of storing passwords?
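Q2.3 asks for a better way to store passwords. The following Python example (added here; it is not the lab's PHP page2.php, and the member records are constructed sample data) stores a salted PBKDF2 hash of each password instead of the password itself and verifies a login by recomputing that hash.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed example (not the lab's page2.php): salted PBKDF2 password
# storage, so the members table never holds a password in plaintext.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt$hash."""
    salt = os.urandom(16) if salt is None else salt    # fresh random salt per user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)   # no early exit on mismatch


# Constructed stand-in for the lab's "members" table: same two users, but the
# stored value is a hash record rather than the password itself.
MEMBERS = {
    "ankeet": hash_password("patel"),
    "kirk": hash_password("roberts"),
}
DUMMY_RECORD = hash_password("not-a-real-password")


def login(username: str, password: str) -> bool:
    """Authenticate against the stored records; unknown users always fail."""
    record = MEMBERS.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)   # same cost for unknown users
        return False
    return verify_password(password, record)
```

Because each record carries its own random salt, two users with the same password get different stored values, and a copy of the table does not reveal the passwords.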

Section 3 – State Management

HTTP is stateless. Recall that stateless means the server does not know whether successive requests come from the same client; pages are created and destroyed on every trip to the server. Therefore, state management is important for web applications.

There are two main methods of having state control: client-side and server-side.

Client-side

Between trips to and from the server, no information is kept on the server; it is stored on the client’s computer instead. Some methods of performing client-side state management include cookies, hidden fields, and query strings.

Server-side

All information regarding the session will be stored on the server rather than the client’s computer. Some methods of server-side state management include session objects and storing session information in databases.

In this lab, we will specifically look at cookies (client-side) and session objects (server-side). The client and server will be the same computer in the lab environment.

Exercise 3.1 – Cookies

A cookie is a small piece of information that scripts store on a client-side machine. The format for setting a cookie is the following:

Set-Cookie: NAME=VALUE; [expires=DATE;] [path=PATH;] [domain=DOMAIN_NAME;] [secure]

This will create a cookie called NAME with the value VALUE. The other parameters are optional. The “expires” field sets a date beyond which the cookie is no longer relevant. Together, the path and domain specify the URLs for which the cookie is relevant. The “secure” keyword means that the cookie will not be sent over a plain HTTP connection. When a browser connects to a URL, it first searches the cookies stored locally. Any cookies relevant to that URL are sent back to the server. [1]
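As an added illustration in Python (not the lab's page1.php), the following small cookie jar parses Set-Cookie headers in the format above and applies the expires, path, domain and secure rules to decide which cookies a browser would send with a given URL; the cookies and the clock date are constructed sample data.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed example (not the lab's page1.php): parse Set-Cookie headers and
# decide which stored cookies a browser would attach to a request for a URL.

def parse_set_cookie(header, request_host, request_path="/"):
    """Parse 'NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN; secure'."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "expires": None, "secure": False,
              "path": request_path, "domain": request_host}   # defaults: setting URL
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.lower()
        if key == "expires":
            cookie["expires"] = parsedate_to_datetime(val)
        elif key == "path":
            cookie["path"] = val
        elif key == "domain":
            cookie["domain"] = val.lstrip(".")
        elif key == "secure":
            cookie["secure"] = True
    return cookie

def matches(cookie, url, now):
    """True if the browser would send this cookie with a request for url."""
    u = urlsplit(url)
    host, path = u.hostname or "", u.path or "/"
    if cookie["expires"] is not None and cookie["expires"] <= now:
        return False                                  # expired
    if cookie["secure"] and u.scheme != "https":
        return False                                  # secure: never over plain HTTP
    if host != cookie["domain"] and not host.endswith("." + cookie["domain"]):
        return False                                  # domain does not match
    return path == cookie["path"] or path.startswith(cookie["path"].rstrip("/") + "/")

def cookies_for(jar, url, now):
    """Build the Cookie request header from every cookie in the jar that matches."""
    return "; ".join(f"{c['name']}={c['value']}" for c in jar if matches(c, url, now))

def demo(url):
    """Constructed jar set by localhost, evaluated at the lab date (22 Apr 2005)."""
    now = datetime(2005, 4, 22, tzinfo=timezone.utc)
    jar = [parse_set_cookie("sessionid=abc123; path=/; secure", "localhost"),
           parse_set_cookie("lab=section3; path=/section3", "localhost"),
           parse_set_cookie("old=1; expires=Thu, 21 Apr 2005 00:00:00 GMT", "localhost")]
    return cookies_for(jar, url, now)
```

Note that the secure cookie is withheld from the plain-HTTP URL even though host and path match, which is exactly the protection the “secure” keyword provides.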

1. Open the “page1.php” file in the “section3” folder in a text editor and look at what’s going on.

2. Open Internet Explorer and type in . Hit refresh every few seconds for about a minute.

Screenshot 3: Copy of the page showing the cookie and session length.

Exercise 3.2 – Sessions

A session is used for state management because it stores session variables for a user. When a user initiates a session, they are given a session identifier (probably a cookie). This identifier is included in all communication between the client and server during the session. The server uses the session identifier to find the correct session before handling the request. [1]

1. Open the “page2.php” file in the “section3” folder in a text editor and look at what’s going on.

2. Open Internet Explorer and type in . Hit refresh every few seconds for about a minute.

Screenshot 4: Copy of the page showing the session ID and session length.
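The server-side lookup described in Exercise 3.2, as an added Python example (not the lab's page2.php): the client holds only an opaque identifier, and the store enforces an idle timeout and can move a session to a new identifier after login. IDLE_TIMEOUT and the injectable clock are assumptions of this example.

```python
import secrets
import time

# Constructed example (not the lab's page2.php): a server-side session store.
# The client holds only an opaque identifier in its cookie; every session
# variable stays on the server, keyed by that identifier.
IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session is dropped


class SessionStore:
    def __init__(self, clock=time.time):
        self._sessions = {}     # session id -> {"data": {...}, "last_seen": t}
        self._clock = clock     # injectable clock so expiry can be tested

    def create(self) -> str:
        """Issue a fresh, unguessable identifier (128 bits from the CSPRNG)."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"data": {}, "last_seen": self._clock()}
        return sid

    def lookup(self, sid: str):
        """Return the session's data dict, or None if unknown or idle too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if self._clock() - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]          # expired: discard server-side state
            return None
        entry["last_seen"] = self._clock()   # activity extends the session
        return entry["data"]

    def regenerate(self, sid: str) -> str:
        """Move the data to a new id (e.g. right after login) so an identifier
        seen before authentication no longer refers to the authenticated session."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return self.create()
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = entry
        return new_sid

    def destroy(self, sid: str) -> None:
        """Logout: forget the session on the server, not merely the cookie."""
        self._sessions.pop(sid, None)
```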

Exercise 3.3 – Achilles

Achilles is a tool for testing the security of web applications. It works as a proxy server, placing itself in the middle of the HTTP session (a man-in-the-middle position). Unlike an ordinary proxy, which simply relays HTTP traffic between the client and the server, Achilles intercepts each request or response and allows it to be modified before passing it on. In this lab we will not focus on modifying HTTP traffic, but on the data Achilles can capture. Achilles is available for download from .

1. Right-click on Internet Explorer and click “Properties”. Go to the “Connections” tab and click on “LAN Settings”. Check the box to use a proxy server and put in “127.0.0.1” as the Address and “5000” as the port.

2. Copy “achilles_0_27.zip” to your desktop and unzip the file.

3. Run “Achilles.exe”.

Intercepting Client Data

1. Check the “Intercept mode ON” and “Intercept Client Data” boxes.

2. Start the Achilles proxy.

3. Open Internet Explorer and go to

Q3.1 – What do you see? (i.e. information being collected)

Intercepting Server Data

1. Clear the text from the previous exercise.

2. Check the “Intercept Server Data (text)” box.

3. Start the Achilles proxy.

4. Open Internet Explorer and go to

Q3.2 – What do you see? (i.e. information being collected)

Remember to turn off the proxy when you are done using Achilles!

Q3.3 – What can you do to prevent session attacks?

Section 4 – SQL Injection

Mount the nas4112 directory

Move the SPI Dynamics folder to the Desktop

Unzip the compressed file

Start VMWare

Open the .VMX file from the new SPI Dynamics directory

Start the image

Username is ‘Administrator’, Password is ‘pass’

Open web browser, go to (will re-direct you)

(for troubleshooting, see tutorial on the nas directory [2].)

Create an account by going to “Sign In” at the top of the page. Fill in your actual name, an email you can remember, and a password you don’t actually use. Feel free to actually sign in, but you don’t need to for the purposes of this lab.

On the bottom left, click on “Recover your account password”

Normally this is where one would enter an e-mail address to have one’s password sent to it. However, we are going to use it for a more devious purpose. This application is only partially patched against SQL injection: it blocks certain kinds of injection but not others. Let’s start with what works:

In the email field, put just a single quote (') and enter a random email address.

Notice the debug error printed in red. The database server expects every single quote to be paired with a closing one, so it detects the unbalanced quote as an error and stops. Now let’s try to get some actual information out of the database.

In the email field, type:

' UNION SELECT name FROM sysobjects WHERE name != 'd

Screenshot 5: Take a Screenshot of the result.

This SQL Injection attack is mildly useful as it gave us the name of one of the tables in the database. Now let’s use the information we gained from the previous injection to gain more.

In the email field, type:

' UNION SELECT name FROM sysobjects WHERE name > 'Categories

Screenshot 6: Take a Screenshot of the result.

We got the name of yet another table. We can keep going until there are no more table names left in the sysobjects table. To do it again, simply replace the table name Categories with the table name you received from the previous injection:

In the email field, type:

' UNION SELECT name FROM sysobjects WHERE name > 'CustomerAdd

SQL experts can use this technique to map out most of the database’s structure and then use that knowledge to extract whatever information they want. Since SQL is outside the scope of this lab, and since the server is running on the virtual machine itself, we will look at the actual database structure directly and see whether we can formulate any further attacks to extract information from the useful tables. Open the database manager:

Start > Programs > Teratrax > Database Manager

Double-click on (local)

Click Connect (make sure Windows Authentication is selected)

Double-click on Databases

Double-click on Store

Double-click on Tables

You will now see some of the tables in the database. Each database contains several tables, but these are the primary ones.

Double-click on Customers

Scroll down and find your account name

Write down your CustomerID

Scroll to the right and look at the Password field

Ouch, right? If your password is stored simply as plaintext and an attacker can gain access to every field in the database, your password could easily be compromised. Now just imagine if the Customers table stored your credit card number.

Go back to the Password recovery webpage. Now type:

' UNION SELECT Password FROM Customers WHERE CustomerID = '

Screenshot 7: Take a Screenshot of the result.

How was this possible? The value typed into the field (which is meant for your full name) is stored in a variable, appended to an SQL query, and sent to the database server. Obviously that field should not contain SQL code, but since the input is never checked, the SQL code is appended as-is and the database server has no way of telling the difference.
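To show why the query behaves this way, here is an added Python example (not the SPI Dynamics application's code) with the recovery lookup written both ways against a constructed in-memory SQLite Customers table: string concatenation lets the field rewrite the query, while a parameterized query treats the same text as a plain value.

```python
import sqlite3

# Constructed example (not the SPI Dynamics application's code): the password
# recovery lookup written two ways against an in-memory SQLite copy of a
# Customers table, to show why concatenating user input into the SQL text is
# the bug and why a parameterized query is the fix.


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two customers with plaintext passwords, as in the lab VM."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Customers (CustomerID INTEGER, Email TEXT, Password TEXT)")
    db.executemany("INSERT INTO Customers VALUES (?, ?, ?)",
                   [(1, "ankeet@example.com", "patel"), (2, "kirk@example.com", "roberts")])
    return db


def recover_vulnerable(db, email: str) -> list:
    """The lab's bug: the field is pasted straight into the SQL text."""
    sql = "SELECT Email FROM Customers WHERE Email = '" + email + "'"
    return [row[0] for row in db.execute(sql)]


def recover_fixed(db, email: str) -> list:
    """The fix: the value travels separately from the SQL, so a quote in it is just a quote."""
    sql = "SELECT Email FROM Customers WHERE Email = ?"
    return [row[0] for row in db.execute(sql, (email,))]


def run_case(email: str) -> tuple:
    """Return (vulnerable result, or the error name, and the fixed result) for one input."""
    db = make_db()
    try:
        vuln = recover_vulnerable(db, email)
    except sqlite3.Error as exc:
        vuln = type(exc).__name__        # the red "debug error" the lab shows
    return vuln, recover_fixed(db, email)
```

A lone quote breaks the concatenated query with a syntax error, exactly as seen on the recovery page, while the parameterized version simply finds no customer with that e-mail.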

Q4.1 – What are some ways of preventing SQL Injection Attacks?

Q4.2 – How might you store Passwords so that attackers cannot gain access to them via SQL Injection?

References

[1] Lane, David, and Hugh E. Williams. PHP Session Management with Cookies. 22 Apr. 2005.

[2] SPI Dynamics. VMware Vulnerability Tutorial. 2004.

Turn-in Checklist

Turn in:

- Answer sheet
- Screenshots 1-7
- Any comments or additions
