1 00:00:01,480 --> 00:00:08,370 Welcome to a lecture dedicated to application protocols. In this session we'll examine the protocols
2 00:00:08,370 --> 00:00:12,340 of the two highest layers of the OSI model.
3 00:00:12,400 --> 00:00:20,620 Let's start with the presentation layer. Presentation layer protocols are responsible for encoding, decoding
4 00:00:20,890 --> 00:00:27,150 and displaying in applications the data sent by the lower layer protocols.
5 00:00:27,180 --> 00:00:33,810 This is a kind of standard interface between, for example, an application written in PHP or a website written
6 00:00:33,810 --> 00:00:37,620 in ASP.NET and the data transport protocols.
7 00:00:45,120 --> 00:00:50,890 The implementation of presentation layer protocols is crucial for the safety of the entire network application.
8 00:00:52,200 --> 00:00:54,070 Let's discuss a few examples.
9 00:00:57,510 --> 00:01:00,810 The first one concerns the IIS server.
10 00:01:00,810 --> 00:01:04,600 This is a Microsoft web server.
11 00:01:04,650 --> 00:01:09,180 One of the earlier versions of the server allowed anonymous access to the hard drive of the computer
12 00:01:09,180 --> 00:01:11,370 the IIS was installed and run on.
13 00:01:15,570 --> 00:01:21,540 One only had to properly encode the request for access to a selected file in a hexadecimal format.
14 00:01:23,870 --> 00:01:33,360 The server rejected HTTP GET requests for files to which a website user should not have had access.
15 00:01:33,370 --> 00:01:39,460 However, if a hexadecimal number which encoded the file's directory was given as the GET request attribute,
16 00:01:39,910 --> 00:01:47,050 the server fulfilled the request. One should not be able to browse a web server's folder structure.
17 00:01:51,720 --> 00:01:52,490 To prevent this,
18 00:01:52,490 --> 00:01:59,780 the server checked if anyone used the combination of characters dot dot forward slash (../).
19 00:02:00,000 --> 00:02:07,130 If someone tried to use this combination, the request was blocked.
20 00:02:07,150 --> 00:02:14,450 However, the same request encoded as %c0%af was fulfilled.
21 00:02:17,610 --> 00:02:21,450 The problem was that the same thing could be encoded in many ways.
22 00:02:21,720 --> 00:02:26,850 If you try to secure an application with a mechanism checking if an action is hostile, with the default
23 00:02:26,850 --> 00:02:30,740 assumption that it's not, you'll fight a losing battle.
24 00:02:31,740 --> 00:02:37,320 When you create a line of defense you always have to show ingenuity.
25 00:02:37,460 --> 00:02:40,470 You have to imagine how else the requests can be encoded.
26 00:02:40,700 --> 00:02:45,550 So in the example mentioned, all possible ways of encoding a request should be blocked.
27 00:02:46,500 --> 00:02:48,700 But such an approach is simply impractical.
28 00:02:53,090 --> 00:02:57,290 The typical problem of presentation layer protocols is the null byte injection.
29 00:03:00,020 --> 00:03:08,480 Many network applications are created in high level programming languages: PHP, Java, Perl, ASP.NET.
30 00:03:12,090 --> 00:03:21,180 These languages use environments or frameworks written in another language, usually C or C++. In these
31 00:03:21,180 --> 00:03:28,510 languages the end of a string is marked in a special way: in C or C++ the string doesn't have a specified
32 00:03:28,510 --> 00:03:34,870 length; the string ends with the null character, or zero.
33 00:03:34,880 --> 00:03:37,540 This means that everything that comes after it is ignored.
34 00:03:41,600 --> 00:03:43,460 Let's look at a few examples.
35 00:03:45,550 --> 00:03:52,300 Suppose that you write a script in PHP allowing someone to download files with a .dat extension. We can
36 00:03:52,300 --> 00:03:56,670 do it as shown.
37 00:03:56,830 --> 00:04:06,120 This is a simple function allowing us to download a file with the name specified by the user.
38 00:04:06,290 --> 00:04:10,260 The function will work properly if the user executes it in the following way:
39 00:04:12,560 --> 00:04:20,390 http://www.server.com/user.php?file=myprofile.dat
40 00:04:23,150 --> 00:04:26,350 But what happens if the function is executed in the following way?
41 00:04:29,050 --> 00:04:39,220 http://www.server.com/user.php?file=../../../etc/passwd%00
42 00:04:39,220 --> 00:04:48,860 At the end of this command
43 00:04:48,860 --> 00:04:54,930 we see a null character indicating the end of the string.
44 00:04:55,070 --> 00:05:01,430 In this case the extension .dat will not automatically be added.
45 00:05:01,460 --> 00:05:05,810 The problem with translating expressions between different platforms and different ways of encoding
46 00:05:05,810 --> 00:05:09,920 means that a function can be executed differently than its creator had intended.
47 00:05:12,220 --> 00:05:14,690 This is a simple and universal example.
48 00:05:15,130 --> 00:05:17,110 It doesn't apply to PHP only.
49 00:05:23,130 --> 00:05:27,390 We see a similar function written in Java.
50 00:05:27,410 --> 00:05:31,730 It will be used for reading files, this time with the extension .db.
51 00:05:34,360 --> 00:05:41,300 This time the correct request, namely server.com/mypage.jsp
52 00:05:41,320 --> 00:05:42,130 ?
53 00:05:42,140 --> 00:05:47,400 fn=report.db, can be replaced by the following:
54 00:05:51,090 --> 00:05:53,150 server.com/
55 00:05:53,150 --> 00:05:54,020 mypage
56 00:05:54,050 --> 00:06:01,830 .jsp?fn=server.log%00.db
57 00:06:01,990 --> 00:06:07,840 Again the attacker uses the function in a way the creator hasn't thought of.
58 00:06:07,900 --> 00:06:19,060 The problem is that the issue doesn't concern only the specific web application of company X.
59 00:06:19,140 --> 00:06:23,640 This is an issue of the environment or the language in which these applications are created.
60 00:06:24,580 --> 00:06:27,150 This is a very common problem.
61 00:06:27,160 --> 00:06:31,270 That's why many applications are susceptible to null byte injection attacks.
62 00:06:32,980 --> 00:06:36,220 It doesn't mean that the applications are poorly written.
63 00:06:36,220 --> 00:06:38,880 It just means that they're written in this specific environment.
64 00:06:40,870 --> 00:06:46,120 Some environments can be exploited, which means that they allow for certain requests to be encoded in
65 00:06:46,120 --> 00:06:47,600 another way than expected.
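The null byte injection the lecture walks through, as an added example that is not part of the lecture or its course material: a C program (the language the lecture blames for the behaviour) that places the download script's length-aware string next to the NUL-terminated path the C runtime actually opens, so the truncation is visible, and then shows the allowlist check a defender would use instead of trying to block every hostile encoding. The request strings, the `.dat` extension handling, the `PATH_CAP` limit and all function names are assumptions made for the demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not code from the lecture. It models the PHP-style download
 * script the lecture describes: the application appends ".dat" to a
 * user-supplied name, then hands the result to a C runtime function such as
 * fopen(), which reads only up to the first NUL byte. The request strings in
 * main() are constructed for the demonstration. */

#define PATH_CAP 256
static const char REQUIRED_EXT[] = ".dat";

/* Application layer view: strings carry an explicit length (as in PHP, Java
 * or .NET), so an embedded NUL is just another byte. Appends REQUIRED_EXT and
 * returns the logical length of the result, or 0 if it does not fit. */
size_t app_build_path(const unsigned char *name, size_t name_len,
                      unsigned char *out, size_t cap) {
    size_t ext_len = sizeof(REQUIRED_EXT) - 1;
    if (name_len + ext_len + 1 > cap) return 0;
    memcpy(out, name, name_len);
    memcpy(out + name_len, REQUIRED_EXT, ext_len);
    out[name_len + ext_len] = '\0';          /* terminator for the C side */
    return name_len + ext_len;
}

/* The filter the lecture says gets bypassed: on the length-aware string the
 * path does end with ".dat", so this check passes even for the injection. */
int app_ext_check_passes(const unsigned char *path, size_t len) {
    size_t ext_len = sizeof(REQUIRED_EXT) - 1;
    return len >= ext_len &&
           memcmp(path + len - ext_len, REQUIRED_EXT, ext_len) == 0;
}

/* C runtime view: fopen() takes a NUL-terminated string, so the file it opens
 * consists only of the bytes before the first NUL. */
size_t runtime_view_len(const unsigned char *path, size_t len) {
    const unsigned char *nul = memchr(path, '\0', len);
    return nul ? (size_t)(nul - path) : len;
}

/* Returns 1 when the application and the runtime would disagree about which
 * file is being opened, i.e. when the request is a null byte injection. */
int request_is_truncated(const unsigned char *name, size_t name_len) {
    unsigned char path[PATH_CAP];
    size_t logical = app_build_path(name, name_len, path, sizeof path);
    if (logical == 0) return 1;              /* treat oversize input as unsafe */
    return runtime_view_len(path, logical) != logical;
}

/* Defensive check: instead of enumerating hostile encodings (the approach the
 * lecture calls impractical), accept only characters that can never form a
 * NUL, a path separator or a traversal sequence. Returns 1 if acceptable. */
int name_is_safe(const unsigned char *name, size_t name_len) {
    size_t i;
    if (name_len == 0 || name_len > 64) return 0;
    for (i = 0; i < name_len; i++) {
        unsigned char c = name[i];
        if (!(isalnum(c) || c == '_' || c == '-')) return 0;
    }
    return 1;
}

static void report(const char *label, const unsigned char *name, size_t name_len) {
    unsigned char path[PATH_CAP];
    size_t logical = app_build_path(name, name_len, path, sizeof path);
    printf("%-8s logical=%zu runtime=%zu ext_check=%d truncated=%d safe=%d\n",
           label, logical, runtime_view_len(path, logical),
           app_ext_check_passes(path, logical),
           request_is_truncated(name, name_len),
           name_is_safe(name, name_len));
}

int main(void) {
    /* Constructed requests: the benign one and the injection from the lecture. */
    static const unsigned char benign[] = "myprofile";
    static const unsigned char hostile[] = "../../../etc/passwd\0";  /* NUL included */
    report("benign", benign, sizeof benign - 1);     /* 9 bytes */
    report("hostile", hostile, sizeof hostile - 1);  /* 20 bytes, last one is NUL */
    return 0;
}
```

For the hostile request the logical path is 24 bytes and passes the extension check, while the runtime sees a 19-byte path that stops at `passwd`; `name_is_safe` rejects it without needing to know about `%00`, `../` or any of their alternative encodings.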