Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Slides:



Advertisements
Similar presentations
Enabling Secure Internet Access with ISA Server
Advertisements

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 Enabling Secure Internet Access with ISA Server.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
JavaScript, Fourth Edition
Lecture 16 Page 1 CS 236 Online SQL Injection Attacks Many web servers have backing databases –Much of their information stored in a database Web pages.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.
Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.
Chapter 10 Security and Encryption. Objectives Explain the nature of a threat model Be able to construct a threat model Be aware of common threats to.
Lecture 16 Page 1 Advanced Network Security Perimeter Defense in Networks: Virtual Private Networks Advanced Network Security Peter Reiher August, 2014.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
OWASP Top Ten #1 Unvalidated Input. Agenda What is the OWASP Top 10? Where can I find it? What is Unvalidated Input? What environments are effected? How.
Lecture 15 Page 1 CS 136, Fall 2014 Web Security Computer Security Peter Reiher December 9, 2014.
Lecture 13 Page 1 Advanced Network Security Authentication and Authorization in Local Networks Advanced Network Security Peter Reiher August, 2014.
Lecture 12 Page 1 CS 236 Online Virtual Private Networks VPNs What if your company has more than one office? And they’re far apart? –Like on opposite coasts.
Lecture 19 Page 1 CS 236 Online Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security.
COSC 513 Operating Systems Project Presentation: Internet Security Instructor: Dr. Anvari Student: Ying Zhou Spring 2003.
PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.
ITGS Network Architecture. ITGS Network architecture –The way computers are logically organized on a network, and the role each takes. Client/server network.
Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?
Lecture 4 Page 1 CS 111 Online Modularity and Virtualization CS 111 On-Line MS Program Operating Systems Peter Reiher.
WHAT IS E-COMMERCE? E-COMMERCE is a online service that helps the seller/buyer complete their transaction through a secure server. Throughout the past.
Lecture 18 Page 1 CS 236, Spring 2008 DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.
Lecture 19 Page 1 CS 136, Spring 2009 Web Security and Privacy CS 136 Computer Security Peter Reiher June 4, 2009.
Lecture9 Page 1 CS 236 Online Operating System Security, Con’t CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 3 Page 1 CS 236 Online Security Mechanisms CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Vijay V Vijayakumar.  Implementations  Server Side Security  Transmission Security  Client Side Security  ATM’s.
IP Security (IPSec) Matt Hermanson. What is IPSec? It is an extension to the Internet Protocol (IP) suite that creates an encrypted and secure conversation.
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.
Lecture 15 Page 1 CS 136, Spring 2016 Web Security Computer Security Peter Reiher May 24, 2016.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Lecture 14 Page 1 CS 236 Online Secure Programming CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
DNS Security Advanced Network Security Peter Reiher August, 2014
World Wide Web policy.
Protecting Memory What is there to protect in memory?
Web Security CS 136 Computer Security Peter Reiher December 3, 2013
Protecting Memory What is there to protect in memory?
Web Security Computer Security Peter Reiher March 2, 2017
Security Issues.
Outline Basics of network security Definitions Sample attacks
Outline What does the OS protect? Authentication for operating systems
Outline What does the OS protect? Authentication for operating systems
Web Security Lots of Internet traffic is related to the web
Web Security Advanced Network Security Peter Reiher August, 2014
Web Security Advanced Network Security Peter Reiher August, 2014
Web Security CS 136 Computer Security Peter Reiher November 29, 2012
Web Security CS 136 Computer Security Peter Reiher March 11, 2010
Designing IIS Security (IIS – Internet Information Service)
Lecture 34: Testing II April 24, 2017 Selenium testing script 7/7/2019
Outline Basics of network security Definitions Sample attacks
Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Outline Introduction Memory protection Buffer overflows
Presentation transcript:

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Lecture 16 Page 2 CS 236 Online Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow around web applications An obvious target for attackers

Lecture 16 Page 3 CS 236 Online The Web Security Problem Many users interact with many servers Most parties have little other relationship Increasingly complex things are moved via the web No central authority Many developers with little security experience Many critical elements originally designed with no thought to security Sort of a microcosm of the overall security problem

Lecture 16 Page 4 CS 236 Online Aspects of the Web Problem

Lecture 16 Page 5 CS 236 Online Who Are We Protecting? The server From the client The client From the server The clients From each other A client’s interaction with one server From his interaction with another server Everyone From the network

Lecture 16 Page 6 CS 236 Online What Are We Protecting? The client’s private data The server’s private data The integrity (sometimes also secrecy) of their transactions The client and server’s machines Possibly server availability –For particular clients?

Lecture 16 Page 7 CS 236 Online Some Real Threats Buffer overflows and other compromises –Client attacks server SQL injection –Client attacks server Malicious downloaded code –Server attacks client

Lecture 16 Page 8 CS 236 Online More Threats Cross-site scripting –Clients attack each other Threats based on non-transactional nature of communication –Client attacks server Denial of service attacks –Threats on server availability (usually)

Lecture 16 Page 9 CS 236 Online Yet More Threats Browser security –Protecting interactions from one site from those with another –One server attacks client’s interactions with another Data transport issues –The network attacks everyone else Certificates and trust issues –Varied, but mostly server attacks client

Lecture 16 Page 10 CS 236 Online Compromise Threats Much the same as for any other network application Web server might have buffer overflow –Or other remotely usable flaw Not different in character from any other application’s problem –And similar solutions

Lecture 16 Page 11 CS 236 Online What Makes It Worse Web servers are complex They often also run supporting code –Which is often user-visible Large, complex code base is likely to contain such flaws Nature of application demands allowing remote use

Lecture 16 Page 12 CS 236 Online Solution Approaches Patching Use good code base Minimize code that the server executes Maybe restrict server access –When that makes sense Lots of testing and evaluation –Many tools for web server evaluation

Lecture 16 Page 13 CS 236 Online Compromising the Browser Essentially, the browser is an operating system –You can do almost anything through a browser –It shares resources among different “processes” But it does not have most OS security features While having some of the more dangerous OS functionality –Like arbitrary extensibility –And supporting multiple simultaneous mutually untrusting processes

Lecture 16 Page 14 CS 236 Online But My Browser Must Be OK... After all, I see the little lock icon at the bottom of the page Doesn’t that mean I’m safe? Alas, no What does that icon mean, and what is the security implication?

Lecture 16 Page 15 CS 236 Online The Lock Icon This icon is displayed by your browser when a digital certificate checks out A web site provided a certificate attesting to its identity The certificate was properly signed by someone your browser trusts That’s all it means

Lecture 16 Page 16 CS 236 Online What Are the Implications? All you know is that the web site is who it claims to be –Which might not be who you think it is –Maybe it’s amozon.com, not amazon.com –Would you notice the difference? Only to the extent that a trusted signer hasn’t been careless or compromised –Some have been, in the past

Lecture 16 Page 17 CS 236 Online Another Browser Security Issue What if you’re accessing your bank account in one browser tab And a site showing silly videos of cats in another? What if one of those videos contains an attack script? Can the evil cat script steal your bank account number?

Lecture 16 Page 18 CS 236 Online Same Origin Policy Meant to foil such attacks Built into many web scripting languages Basically, pages from a single origin can access each other’s stuff Pages from a different origin cannot Particularly relevant to cookies

Lecture 16 Page 19 CS 236 Online Web Cookies Essentially, data a web site asks your browser to store Sent back to that web site when you ask for another service from it Used to set up sessions and maintain state (e.g., authentication status) Lots of great information about your interactions with sites in the cookies

Lecture 16 Page 20 CS 236 Online Same Origin Policy and Cookies Script from one domain cannot get the cookies from another domain –Prevents the evil cat video from sending authenticated request to empty your bank account Domain defined by DNS domain name, application protocol –Sometimes also port

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.