Mr. Justin “JET” Turner CSCI 3000 – Fall 2015 CRN Section A – TR 9:30-10:45 CRN – Section B – TR 5:30-6:45
Security Security needs to be addressed at every level of IT Many of the security best practices for other areas overlap web application security For example, if your application stores username/passwords, then you would want to implement password complexity requirements and password expiration In larger businesses, these accounts are centrally managed, and we can offload that work to those other systems
Security - OWASP To help us tackle some of the common security concerns on the web, we are going to look at the “Open Web Application Security Project” (OWASP) OWASP has a significant amount of information on common web security issues, how to identify them, and how to prevent them To get us started, we are going to look at their current Top 10 list (they update this every few years)
OWASP Top 10 - Injection Included in this category is SQL Injection SQL Injection occurs when someone can submit data to a page, either through a form, or through URL variables, and cause a SQL command to perform differently than it is designed to This could be something relatively minor, such as selecting more rows than you planned to output Or, it could be a major issue, such as deleting data from your database, or even deleting the database entirely
OWASP Top 10 - Injection To help prevent this, we need to ensure any data we are using a SQL query is properly validated and sanitized This often includes stripping or escaping characters that might be used in a SQL Injection attack To some degree, we can also attempt to limit the permissions of the account we are connected to our DB with to prevent some of the worst results of SQL Injection As with most of the Top 10 items, validating data is the #1 way of stopping the attack
OWASP Top 10 - Authentication This category includes issues with Authentication and Session Management Some common problems with authentication include Not hashing/encrypting the credentials Passing the credentials over an insecure connection (non https) Not forcing strong enough password complexity and not expiring passwords on a regular basis
OWASP Top 10 - Authentication On the session management side Session IDs are passed in the URL (bookmarked or link sharing can cause a breach in the security process) Sessions do not properly time out after an appropriate amount of time Session IDs aren’t changed on every successful log in Many of the session related issues are caused by having PHP not configured to store sessions properly
OWASP Top 10 - XSS Cross-Site Scripting (XSS) is considered one of the most widespread problems on the internet Just like in SQL Injection, proper input validation can be used to resolve almost all cases of XSS XSS is when a user can affect the content on the page with the content they submit to the page iframe Demo
OWASP Top 10 – Direct Access Insecure Direct Object References primarily refers to pages on your application being accessible without permission This partially leads back to proper session/authentication management, ensuring only authorized users can access a given page If a user can go directly to a URL without authenticating that should require authentication, this is an example of this problem Sometimes just changing URL variables can cause this issue
OWASP Top 10 - Misconfig Security Misconfiguration rounds out the first half of the top 10 list As we looked at last time, there are a lot of configuration options at the server level, and any number of these could be set incorrectly, causing the server or application to become attackable Generally, you want to limit the enabled features to only what you are using and make sure all the software you are using has all relevant security patches applied
Lab 8 – Web Security Create two (2) web pages Page 1 should contain an example of a form vulnerable to SQL Injection Page 2 should contain the exact same form with the vulnerability prevented Include the links to both pages and an example of what to enter to see a safe SQL Injection Ensure that I can see how the SQL Injection succeeds/fails
Next Week Tue Nov 17 Web Security (OWASP 6-10) Thu Nov 19 Lab/Term Project working day Reminders: Lab 8 – Web Security due on Dec 3 rd Term Project is due on Dec 10 th If you want to get partial credit for any assignments, the last day they will be accepted is Dec 3 rd at Midnight D2L will lock out submissions at that time