WEB HOSTING. Jean-Marc ROBERT, École de technologie supérieure. Course GTI 719: Enterprise network security
Service offerings
• Many service providers offer to host websites for their clients.
• Are these providers trustworthy?
• Do they really deliver quality services?
2015-09-01 Jean-Marc ROBERT, ETS, GTI-719 2
Sun Tzu, The Art of War
• He who knows the other and knows himself can fight a hundred battles without ever being in peril.
• He who does not know the other but knows himself will, for every victory, suffer a defeat.
• He who knows neither the other nor himself will inevitably lose every battle.
Web hosting providers
• Providers selected
  o 12 international providers
  o 10 national providers
• Geographic distribution
  o US, Europe, India, Russia, Algeria, Hong Kong, Argentina, Indonesia
• Some providers restrict registration to people residing in their own country (e.g., China, Vietnam, Brazil)
Configuration
• Five web accounts per provider
  o Static snapshot of an OsCommerce v2.2 site (the PHP pages return a static version of the site)
  o Empty "Coming soon …" page
  o Web crawlers refused (robots.txt)
• Ethics
  o The applications allow the vulnerabilities to be exploited only if a password is submitted in the POST request.
SQL injection (SQLi)
• Set-up
  o The product_info.php page was modified to recognize our SQL injection attempts and respond by returning a list of randomly generated credit card numbers along with personal details of fictitious people.
• Attack
  o The fake vulnerable page was visited, then a sequence of GET requests was sent to the same page, adding different payloads to the products_id GET parameter.
SQL injection (SQLi)
• Payloads (the "..." marks columns elided on the slide; the trailing /* comments out the remainder of the original query). The second and third variants are the same query rewritten with UNION ALL and with the SELECT keyword split by an inline comment, so a filter that only matches the literal string "UNION SELECT" misses them.
  o 99' UNION SELECT null,CONCAT(first_name, ... ,customers_password),1,CONCAT(cc_type, ... ,cc_expiration) FROM customers LIMIT 1,1/*
  o 99' UNION ALL SELECT null,CONCAT(first_name, ... ,customers_password),1,CONCAT(cc_type, ... ,cc_expiration) FROM customers LIMIT 2,1/*
  o 99' UNION S/**/ELECT null,CONCAT(first_name, ... ,customers_password),1,CONCAT(cc_type, ... ,cc_expiration) FROM customers LIMIT 3,1/*
Upload of a PHP shell (SH)
• Set-up
  o This test uses the base static snapshot of the OsCommerce v2.2 web application and simulates a remote file upload vulnerability in the file admin/categories.php/login.php.
• Attack
  o Upload of the web shell, followed by a number of commands issued through the shell.
    - GET and POST requests containing both Unix commands and file names
      • Read files (e.g., /etc/passwd)
      • Execute Unix commands (e.g., who, uptime, uname, ls, ps)
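The SQLi and web-shell tests above both leave their traces in the provider's web server access log, which is what a hosting provider's detection would have to look at. The following is an added example (not code from the study or from the course) of a log-side detector that normalizes the products_id payloads, including the comment-split S/**/ELECT and UNION ALL variants, and flags the shell commands the slide lists. The access-log lines, the parameter name cmd for the shell commands and the command list are constructed assumptions for illustration; the study does not give them.

```python
"""Access-log detector for the SQLi and web-shell probes on the preceding slides.
Added example, not code from the study; the log lines below are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed Common Log Format lines (not from the original experiment).
# The parameter name "cmd" for the web-shell requests is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Sep/2015:10:00:01 +0000] "GET /product_info.php?products_id=99 HTTP/1.1" 200 5120
203.0.113.7 - - [01/Sep/2015:10:00:02 +0000] "GET /product_info.php?products_id=99%27%20UNION%20SELECT%20null,CONCAT(first_name,customers_password),1,CONCAT(cc_type,cc_expiration)%20FROM%20customers%20LIMIT%201,1/* HTTP/1.1" 200 734
203.0.113.7 - - [01/Sep/2015:10:00:03 +0000] "GET /product_info.php?products_id=99%27%20UNION%20ALL%20SELECT%20null,1,1,1%20FROM%20customers%20LIMIT%202,1/* HTTP/1.1" 200 734
203.0.113.7 - - [01/Sep/2015:10:00:04 +0000] "GET /product_info.php?products_id=99%27%20UNION%20S/**/ELECT%20null,1,1,1%20FROM%20customers%20LIMIT%203,1/* HTTP/1.1" 200 734
198.51.100.9 - - [01/Sep/2015:10:00:05 +0000] "GET /admin/categories.php/login.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1802
198.51.100.9 - - [01/Sep/2015:10:00:06 +0000] "GET /admin/categories.php/login.php?cmd=uname%20-a HTTP/1.1" 200 118
192.0.2.44 - - [01/Sep/2015:10:00:07 +0000] "GET /product_info.php?products_id=42 HTTP/1.1" 200 5120
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$'
)
SQL_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)             # inline comments: S/**/ELECT
UNION_SELECT_RE = re.compile(r"\bUNION\b(?:\s+ALL)?\s+SELECT\b", re.I)
# Commands the slide lists as issued through the shell ("cat" added for the file reads).
SHELL_CMDS = {"cat", "who", "uptime", "uname", "ls", "ps"}


def normalize(raw: str) -> str:
    """Decode URL encoding (twice, to catch double encoding), strip the inline SQL
    comments used to split keywords, and collapse whitespace."""
    text = unquote_plus(unquote_plus(raw))
    text = SQL_COMMENT_RE.sub("", text)
    return re.sub(r"\s+", " ", text).strip()


def classify(value: str):
    """Return the name of the rule a normalized parameter value triggers, or None."""
    if UNION_SELECT_RE.search(value):
        return "sqli-union-select"
    words = value.split()
    if "/etc/passwd" in value or (words and words[0] in SHELL_CMDS):
        return "webshell-command"          # heuristic: a bare command as a parameter value
    return None


def scan_line(line: str):
    """Parse one log line and return a list of hits, one per suspicious parameter."""
    m = LOG_RE.match(line)
    if not m:
        return []
    path, _, query = m["target"].partition("?")
    hits = []
    for pair in (query.split("&") if query else []):
        name, _, raw = pair.partition("=")
        value = normalize(raw)
        rule = classify(value)
        if rule:
            hits.append({"ip": m["ip"], "path": path, "param": unquote_plus(name),
                         "rule": rule, "payload": value})
    return hits


def scan_log(text: str):
    """Scan a whole log; hits come back in log order."""
    return [hit for line in text.splitlines() if line.strip() for hit in scan_line(line)]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ip']:14} {hit['rule']:18} {hit['path']} {hit['param']}={hit['payload']}")
```

On the constructed log the detector reports the three products_id payloads (the comment-split one is normalized to a plain UNION SELECT before matching) and the two shell commands, and ignores the ordinary product lookups. This is the kind of cheap post-hoc check the study found most providers did not run; a keyword match on raw, undecoded parameters would have missed two of the three SQLi variants.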
Upload of a phishing site (Phish)
• Set-up
  o This test uses the base static snapshot of the OsCommerce v2.2 web application and simulates a remote file upload vulnerability in the file admin/banner_manager.php/login.php.
• Attack
  o Upload of the tar file and unpacking of its content.
  o The victim phase consisted of a script that simulated a victim falling prey to the scam.
Malicious traffic: IRC bot (Bot)
• Set-up
  o This test uses our basic OsCommerce installation with no modifications.
• Attack
  o Open an FTP connection and upload the IRC binary and the PHP file into a new directory created in the website's root folder. If the upload succeeded, an HTTP request was issued to the PHP file, launching the IRC client.
  o The FTP uploads were performed from IP addresses in several different countries.
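The bot test is the one a provider could catch without looking at the site at all: a shared web server has no business opening outbound IRC connections, let alone retrying them. As an added example (not code from the study), here is a detector over outbound connection records, such as a firewall or flow export, that flags a source host either starting an IRC client handshake or making repeated connection attempts to IRC ports within a sliding window. The record format, the hosts, the threshold and the window length are constructed assumptions.

```python
"""Outbound IRC detector for the bot test on the preceding slide.
Added example, not from the study; records and thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}      # common IRC service ports
THRESHOLD = 3                                          # attempts per window (assumed)
WINDOW = timedelta(minutes=10)                          # sliding window (assumed)
IRC_HANDSHAKE = ("NICK ", "USER ", "JOIN #", "PASS ")   # first bytes an IRC client sends

# Constructed flow records: time,src,dst,dport,first_payload_bytes (payload may be empty).
# 10.0.0.5 behaves like the bot, 10.0.0.9 only retries an IRC port, 10.0.0.8 is benign.
SAMPLE_FLOWS = """\
2015-09-01T10:00:00,10.0.0.5,198.51.100.20,443,
2015-09-01T10:00:05,10.0.0.5,203.0.113.66,6667,NICK bot1234
2015-09-01T10:00:35,10.0.0.5,203.0.113.66,6667,NICK bot1234
2015-09-01T10:01:00,10.0.0.8,198.51.100.21,80,
2015-09-01T10:01:10,10.0.0.9,203.0.113.66,6667,
2015-09-01T10:03:10,10.0.0.9,203.0.113.66,6667,
2015-09-01T10:05:10,10.0.0.9,203.0.113.67,6697,
2015-09-01T10:02:00,10.0.0.8,203.0.113.66,6667,
2015-09-01T10:30:00,10.0.0.8,203.0.113.66,6667,
"""


def parse_flows(text: str):
    """Parse the constructed CSV records into dicts with a datetime timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, payload = line.split(",", 4)
        flows.append({"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
                      "dport": int(dport), "payload": payload})
    return flows


def detect_irc_bots(flows):
    """Return {src: reason} for sources that start an IRC handshake or make at
    least THRESHOLD connection attempts to IRC ports inside one WINDOW."""
    alerts = {}
    attempts = defaultdict(list)                # src -> timestamps of IRC-port attempts
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["payload"].startswith(IRC_HANDSHAKE):
            alerts.setdefault(f["src"], f"IRC handshake to {f['dst']}:{f['dport']}")
        if f["dport"] in IRC_PORTS:
            window = attempts[f["src"]]
            window.append(f["ts"])
            window[:] = [t for t in window if f["ts"] - t <= WINDOW]   # slide the window
            if len(window) >= THRESHOLD:
                alerts.setdefault(
                    f["src"], f"{len(window)} IRC-port attempts in {WINDOW.seconds // 60} min")
    return alerts


if __name__ == "__main__":
    for src, reason in detect_irc_bots(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: {reason}")
```

The first reason recorded for a host is kept, so a host that both sends a NICK and retries is reported for the handshake. A single outbound IRC connection (10.0.0.8) is not enough on its own; the study's bot, which keeps reconnecting, would trip the window rule even if the payload were not visible.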
Malicious code (AV)
• Set-up
  o Websites hosting this test used a simpler structure than the previous tests and consisted of a single static HTML page containing random sentences in English and a few images.
• Attack
  o Use FTP to upload the malicious files to the account
    - c99.php (PHP web shell), detected by 25 out of 42 antivirus products according to VirusTotal.
    - sb.exe (2011 Ramnit worm), detected by 36 out of 42 antivirus products according to VirusTotal.
Detectability
(slide content is a figure not captured in the text extract)
Experimental results
(slide content is a results table not captured in the text extract)
Security services
• Some providers offer security services (or rely on third parties).
• A service the customer must subscribe to (e.g., $30 per month)
• Scanning of the public web pages
  o Malicious code
  o Malicious links
  o Reputation of the website (and of the provider)
    - Blacklists?
• "Pro" service
  o Scanning of the FTP site
Experimental results
(slide content is a results table not captured in the text extract)
Conclusions (from [1]): Registration
• Top providers invest a considerable effort to collect information about the users who register with them. This procedure can be an effective technique to prevent criminals from hosting their malicious pages on those providers.
Conclusions: Prevention
• About 40% of the providers deployed some kind of security mechanism to block simple attacks, ranging from SQL injections to exploitation of common web application vulnerabilities.
Conclusions: Detection
• Once the customer is registered, most of the providers do nothing to detect malicious activities or compromised websites, therefore providing very little help to their customers.
• We were surprised to discover that 21 out of the 22 tested providers did not even run an antivirus once per month (or ran it with old or insufficient signature sets) on the hosted websites.
• Moreover, none of them considered it suspicious to have multiple outgoing connection attempts towards an IRC server.
Conclusions: Security services
• The use of inexpensive security add-on services did not provide any additional layer of security in our experiments. Even the services that were configured to scan the content of our sites via FTP failed to discover the malicious files.
References
[1] Davide Canali, Davide Balzarotti, and Aurélien Francillon. 2013. The role of web hosting providers in detecting compromised websites. In Proceedings of the 22nd International Conference on World Wide Web (WWW '13), 177-188.