WEB HOSTING
Jean-Marc ROBERT
École de technologie supérieure
Course GTI 719: Enterprise Network Security
2015-09-01, Jean-Marc ROBERT, ETS, GTI-719

Slide 2: Service offerings
• Many service providers offer to host web sites for their clients.
• Are these providers trustworthy?
• Do these providers really deliver quality services?

Slide 3: Sun Tzu - The Art of War
• He who knows the other and knows himself can fight a hundred battles without ever being in peril.
• He who does not know the other but knows himself will, for every victory, suffer a defeat.
• He who knows neither the other nor himself will inevitably lose every battle.

Slide 4: Web hosting providers
• Providers selected
  o 12 international providers
  o 10 national providers
• Geographic distribution
  o US, India, Algeria, Argentina, Europe, Russia, Hong Kong, Indonesia
• Some providers restrict access to people residing in their own country (e.g., China, Vietnam, Brazil)

Slide 5: Configuration
• Five web accounts with each provider
  o Image - static snapshot of an OsCommerce v.2.2 site; the PHP pages return a static version of the site
  o Empty "Coming soon …" page
  o Denies access to web crawlers (robots.txt)
• Ethics
  o The applications allow exploitation of the vulnerabilities only if a password is submitted in the POST request.

Slide 6: SQL command injection (SQLi)
• Set-up
  o The product_info.php page was modified to recognize our SQL injection attempts and respond by returning a list of randomly generated credit card numbers along with personal details of fictitious people.
• Attack
  o The fake vulnerable page was visited, then a sequence of GET requests was sent to the same page, adding different payloads to the products_id GET parameter.
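As an added example (not part of the original slides nor of the study they summarize), the following Python script shows how a hosting provider could spot the UNION-based probe sequence described on the SQLi slides in ordinary web-server access logs: it decodes each query parameter, strips inline /**/ comments so that S/**/ELECT and SELECT normalize to the same token, and flags UNION ... SELECT together with a quote followed by a trailing comment. The log lines, IP addresses and parameter values are constructed for the example; the "two probes from one source" threshold is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache/nginx common log format).
# The products_id values mirror the UNION-based probes listed on the slides;
# the IP addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Sep/2015:10:00:01 +0000] "GET /product_info.php?products_id=99 HTTP/1.1" 200 5120
203.0.113.5 - - [01/Sep/2015:10:00:02 +0000] "GET /product_info.php?products_id=99%27%20UNION%20SELECT%20null%2CCONCAT%28first_name%2Ccustomers_password%29%2C1%20FROM%20customers%20LIMIT%201%2C1%2F%2A HTTP/1.1" 200 7310
203.0.113.5 - - [01/Sep/2015:10:00:03 +0000] "GET /product_info.php?products_id=99%27%20UNION%20ALL%20SELECT%20null%2C1%20FROM%20customers%20LIMIT%202%2C1%2F%2A HTTP/1.1" 200 7302
203.0.113.5 - - [01/Sep/2015:10:00:04 +0000] "GET /product_info.php?products_id=99%27%20UNION%20S%2F%2A%2A%2FELECT%20null%2C1%20FROM%20customers%20LIMIT%203%2C1%2F%2A HTTP/1.1" 200 7299
198.51.100.7 - - [01/Sep/2015:10:00:05 +0000] "GET /product_info.php?products_id=12 HTTP/1.1" 200 5088
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)          # closed inline comments
UNION_RE = re.compile(r"\bunion\s+(?:all\s+)?select\b")
TRAILING_COMMENT_RE = re.compile(r"(/\*|--|#)\s*$")   # unterminated comment at the end


def normalize(value):
    """Canonical form of a parameter value: inline comments removed,
    whitespace collapsed, lower-cased. Defeats the S/**/ELECT split."""
    value = COMMENT_RE.sub("", value)
    value = re.sub(r"\s+", " ", value)
    return value.strip().lower()


def classify_param(value):
    """Return the list of indicators found in one decoded parameter value."""
    norm = normalize(value)
    reasons = []
    if UNION_RE.search(norm):
        reasons.append("union-select")
    if "'" in norm and TRAILING_COMMENT_RE.search(norm):
        reasons.append("quote-then-comment")
    return reasons


def analyze_log(text):
    """Scan access-log lines; return one finding per suspicious parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs percent-decodes the values for us
        for name, values in parse_qs(query, keep_blank_values=True).items():
            for v in values:
                reasons = classify_param(v)
                if reasons:
                    findings.append({
                        "ip": m["ip"], "time": m["ts"], "param": name,
                        "reasons": reasons, "normalized": normalize(v),
                    })
    return findings


def probing_sources(findings, threshold=2):
    """Sources that sent at least `threshold` probes (assumed threshold):
    a sequence of differently-encoded UNION payloads is the signature of
    a probe run rather than a single stray request."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = analyze_log(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["param"], f["reasons"])
    print("probing sources:", probing_sources(found))
```

The normalization step matters more than the pattern list: the three payloads on the slides differ only in keyword spelling and comment placement, and a filter that matches the raw bytes catches the first and misses the third.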
Slide 7: SQL command injection (SQLi), continued
  o 99' UNION SELECT null, CONCAT(first_name, ... customers_password), 1, CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 1,1/*
  o 99' UNION ALL SELECT null, CONCAT(first_name, ... customers_password), 1, CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 2,1/*
  o 99' UNION S/**/ELECT null, CONCAT(first_name, ... customers_password), 1, CONCAT(cc_type, ... cc_expiration) FROM customers LIMIT 3,1/*

Slide 8: Upload of a PHP shell (SH)
• Set-up
  o This test uses the base static snapshot of the OsCommerce v.2.2 web application, and simulates a Remote File Upload vulnerability in the file admin/categories.php/login.php.
• Attack
  o Upload of the web shell, followed by a number of commands issued on the shell.
    - GET and POST requests containing both Unix commands and file names.
      • Read files (e.g., /etc/passwd)
      • Execute Unix commands (e.g., who, uptime, uname, ls, ps)

Slide 9: Upload of a phishing site (Phish)
• Set-up
  o This test uses the base static snapshot of the OsCommerce v.2.2 web application, and simulates a Remote File Upload vulnerability in the file admin/banner_manager.php/login.php.
• Attack
  o Upload of the tar file and unpacking of its content.
  o The victim phase consisted of a script that simulated a victim falling prey to the scam.

Slide 10: Malicious traffic - IRC bot (Bot)
• Set-up
  o This test uses our basic OsCommerce installation with no modifications.
• Attack
  o Open an FTP connection and upload the IRC binary and the PHP file into a new directory created in the web site's root folder. If the upload succeeded, an HTTP request was issued to the PHP file, launching the IRC client.
  o The FTP upload was executed using IP addresses from several different countries.
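The Detection conclusion later in the deck notes that none of the tested providers treated repeated outgoing IRC connection attempts as suspicious. As an added example (not code from the slides or from the cited study), this Python script sketches that check over per-account outbound connection records: it counts TCP connection attempts to the standard IRC ports and flags an account that makes a configurable number of them within a short window, which is exactly the traffic the Bot test above would generate from a hosted account. The record format, the account field and the sample records are constructed for the example; the port list and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed IRC ports: the conventional 6660-6669 range, 6697 (TLS) and 7000.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}

# Constructed outbound-connection records, one per SYN, as a provider could
# export them from its edge firewall and tag with the hosted account name
# (the "account=" field is a hypothetical enrichment, not a standard format).
SAMPLE_CONN_LOG = """\
2015-09-01T10:05:01Z account=shop17 src=10.0.5.12 dst=192.0.2.10 dport=6667 proto=tcp state=SYN
2015-09-01T10:05:04Z account=shop17 src=10.0.5.12 dst=192.0.2.10 dport=6667 proto=tcp state=SYN
2015-09-01T10:05:09Z account=shop17 src=10.0.5.12 dst=192.0.2.11 dport=6697 proto=tcp state=SYN
2015-09-01T10:05:12Z account=shop17 src=10.0.5.12 dst=192.0.2.10 dport=6667 proto=tcp state=SYN
2015-09-01T10:06:30Z account=blog03 src=10.0.5.20 dst=198.51.100.40 dport=443 proto=tcp state=SYN
2015-09-01T10:07:00Z account=blog03 src=10.0.5.20 dst=198.51.100.41 dport=6667 proto=tcp state=SYN
2015-09-01T11:30:00Z account=blog03 src=10.0.5.20 dst=198.51.100.41 dport=6667 proto=tcp state=SYN
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Parse one 'timestamp key=value ...' record into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m["kv"].split())
    rec["ts"] = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    return rec


def irc_attempts(text):
    """Group TCP connection attempts to IRC ports by hosted account."""
    by_account = defaultdict(list)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] in IRC_PORTS:
            by_account[rec["account"]].append(rec)
    return by_account


def flag_accounts(text, threshold=3, window_minutes=10):
    """Accounts with at least `threshold` IRC attempts inside any window of
    `window_minutes` (both values are assumed tuning knobs). A web-hosting
    account has no business opening IRC sessions, and a bot retrying its
    command-and-control server produces exactly this burst."""
    window = timedelta(minutes=window_minutes)
    flagged = {}
    for account, recs in irc_attempts(text).items():
        recs.sort(key=lambda r: r["ts"])
        # slide a window of `threshold` consecutive attempts over the timeline
        for i in range(len(recs) - threshold + 1):
            if recs[i + threshold - 1]["ts"] - recs[i]["ts"] <= window:
                flagged[account] = {
                    "attempts": len(recs),
                    "servers": sorted({f"{r['dst']}:{r['dport']}" for r in recs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for account, info in flag_accounts(SAMPLE_CONN_LOG).items():
        print(f"{account}: {info['attempts']} IRC attempts to {info['servers']}")
```

In the sample, shop17 is flagged after four attempts in eleven seconds while blog03, with two attempts more than an hour apart, is not; lowering the threshold or widening the window trades that quiet against false positives from a customer who legitimately runs an IRC client on the account.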
Slide 11: Malicious code (AV)
• Setup
  o Websites hosting this test used a simpler structure than the previous tests, and consisted of a single static HTML page containing random sentences in English and a few images.
• Attack
  o Use FTP to upload the malicious files to the account
    - c99.php (PHP web shell), detected by 25 out of 42 antivirus products according to VirusTotal.
    - sb.exe (2011 Ramnit worm), detected by 36 out of 42 antivirus products according to VirusTotal.

Slide 12: Detectability
[figure not transcribed]

Slide 13: Experimental results
[figure not transcribed]

Slide 14: Experimental results
[figure not transcribed]

Slide 15: Security services
• Some providers supply security services
  o or rely on third parties.
• A service to which the client must subscribe
  o e.g., $30 per month
• Scanning of the public web pages
  o Malicious code
  o Malicious links
  o Reputation of the web site (and of the provider)
    - Blacklists???
• Pro service
  o Scanning of the FTP site

Slide 16: Experimental results
[figure not transcribed]

Slide 17: Conclusions - Registration
• Top providers invest a considerable effort to collect information about the users who register with them. This procedure can be an effective technique to prevent criminals from hosting their malicious pages on those providers.

Slide 18: Conclusions - Prevention
• About 40% of the providers deployed some kind of security mechanism to block simple attacks, ranging from SQL injections to exploitation of common web application vulnerabilities.

Slide 19: Conclusions - Detection
• Once the customer is registered, most of the providers do nothing to detect malicious activities or compromised websites - therefore providing very little help to their customers.
• We were surprised to discover that 21 out of the 22 tested providers did not even run an antivirus once per month (or they ran it with old or insufficient signature sets) on the hosted websites.
• Moreover, none of them considered it suspicious to have multiple outgoing connection attempts towards an IRC server.

Slide 20: Conclusions - Security services
• The use of inexpensive security add-on services did not provide any additional layer of security in our experiments. Also, the services that were configured to scan the content of our sites via FTP failed to discover the malicious files.

Slide 21: References
[1] Davide Canali, Davide Balzarotti, and Aurélien Francillon. 2013. The role of web hosting providers in detecting compromised websites. In Proceedings of the 22nd International Conference on World Wide Web (WWW '13), 177-188.