Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious."— Presentation transcript:

1 Chapter 9 Web Applications

2 Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious users. HTTP protocol was not designed for applications. –Stateless protocol –Session management creates many security problems Application needs to protect itself as well as other users of the applications.

3 In this chapter Input and output validation HTTP Considerations –Use of POST to keep sensitive information from logs and caches. Maintaining Sessions Using Structs framework for input validation

4 Input and Output Validation A web application cannot depend on the client to do input validation. Attackers are not going to use such clients. An attacker can change any value in the web request: cookies, user-agent, hidden parameters. An attacker can post to a URL in the wrong order.

5 Example String userAgent = request.getHeader(“user-agent”); … String sQuery = “DELETE FROM UP_USER_UA_MAP WHERE USER_ID=“ +userId + “ AND USER_AGENT=‘” + userAgent + “’”; … stmt.executeUpdate(sQuery);

6 Do not trust the client Can’t trust any information supplied by the client to be correct including any headers, hidden fields, cookies or parameters. Can’t trust that the data is properly formatted Can’t trust that the data contains only certain characters Can’t trust that any data elements are of certain length.

7 Assume the browser is an open book Don’t send data to the browser that you don’t want the user to see. –There is no such thing as “secret” hidden fields. Example: E-trade –Etrade used a weak masking algorithm to hide the username/password in a cookie.

8 Example A pre-school website needed to only allow parents to access a secure part of the website. The authentication used a JavaScript to ask the user to enter a password Parents received the password via paper.

9 Protect Your Clients Web applications must not send input from one user to another user without checking it. This problem is known as cross-site scripting (XSS)‏ XSS is one of the most common security problems on the web.

10 Example Hello ${param.name}! Hello Walter Hello !http://evil.org/evil.js

11 XSS attack Attacker creates a malicious URL and uses an inviting e-mail message or some other social engineering trick to get a victim to visit the URL User clicks on the link and it goes to a legitimate site with XSS problem The application in the legitimate site reflects the data back to the user browser and the browser executes the script and may send information like cookies and other data stored in the browser to the attacker.

12 XSS attack XSS is not limited to data reflected back to the browser by the same application Sometimes the data gets stored in a database and several users can get impacted Sometimes one application may store the bad data and another sends it to the users. All applications that send data to the user should check it for validity.

13 MySpace A user was able to post a script on his profiles that was sent to everybody who looked at the profiles The script executed and add him as a friend to the victim As a friend he was able to see data he could not see before.

14 Preventing XSS Perform output validation or output encoding Output encoding changes the output such that it does not get interpreted by the browser Use whitelist not blacklist –Example: a last name can only contain certain characters Encode special characters –JSTL tag by default escapes >,<, &,’ –Java.net.URLEncoder object transforms any character outside the whilelist into their hexadecimal form.

15 Fixing XSS <% String name = request.getParameter(“name”); if (!ID_REGEX.matcher(name).matches()) { throw new ValidationException(“invalid name”); } %> Hello ${param.name}!

16 HTTP Response Splitting Can be accomplished when the application allows user input in response headers and allows the input to contain CR-LF An attacker can then change any header or content as they wish It may confuse a proxy and the second response may get sent to another user.

17 Example String author = request.getParameter(“author”); Cookie cookie = new Cookie(“author”, author); cookie.setMaxAge(cookieExpiration); Response.addCookie(cookie)‏ If author is “Wiley Hacker\r\n\r\nHTTP/1.1 200 OK\r\n … Then the client sees 2 responses.

18 Open Redirect Open redirect means an application will issue a redirect to a site based on user input Open redirects can be used by phishing attacks to send a valid looking URL via email Valid looking URLs in phishing email makes it harder to detect filters and security software

19 Example of open Redirect String nextPage = request.getParameter(“next”); If (nextPage.matches(“a-zA-Z0-9/:?&_\\+]+” { response.sendRedirect(nextPage); }

20 Open Proxy Like open redirect, open proxy can be used by phishing schemes Open proxy can also be used to steal cookies (session cookies) and other information Open proxy can happen when an application fetches information from another website to display for the user.

21 Use POST not GET GET requests expose the parameters in the URL URLs get –Stored in browser history –Logged to the web server logs –Sent to other sites are referer header POST requests are more secure. To protect the data applications should return an error when called with GET

22 Request Ordering HTTP protocol is stateless Applications should never assume the user will go through all the steps in order Applications that pass hidden fields from one request to the next are vulnerable to this type of attack

23 Error handling Errors can reveal information about the internals of the system if displayed to the end user Applications should catch all errors/exceptions and print a friendly message to the user.

24 Request Provenance Name of new user: Password for new user:

25 Request Provenance Name of new user: Password for new user: document.usr_form.submit();

26 Request Provenance Name of new user: Password for new user: <input type=“hidden” name=“req_id” value=“87ae34d92ba7a1”

27 Maintaining Session State Web applications need a session to maintain state using the HTTP stateless protocol Session identifiers can be passed either as a parameter, part of the URL or in cookies Most application contents provide session management via cookies. Programmers should utilize web application containers to manage sessions A good session management chooses session identifiers that cannot be guessed.

28 Session Timeouts A session timeout is necessary to protect against session hijacking –Idle timeout reduces the possibility of somebody taking over an idle session –A max session life makes it impossible for an attacker to keep a session live forever. Servlet specification does not mandate a max session life. It can be implemented using Servlet filters.

29 Session managment Begin a new session after authentication –Attacker creates a session in a public terminal and waits for the user to login Do not accept session identifier supplied as a parameter –Example http://www.example.com/index.jsp?jsessionid=abc123 http://www.example.com/index.jsp?jsessionid=abc123 If session id is using cookies enforce set the cookie to secure only. Do not set the cookie domain to the top-level

Download ppt "Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious."

Similar presentations

Chapter 6 Server-side Programming: Java Servlets

Chapter 6 Server-side Programming: Java Servlets
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.

The Basic Authentication Scheme of HTTP. Access Restriction Sometimes, we want to restrict access to certain Web pages to certain users A user is identified.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.

Christopher M. Pascucci Basic Structural Concepts of.NET Browser – Server Interaction.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Similar presentations

Ads by Google