CIT 485: Advanced Cybersecurity


1 CIT 485: Advanced Cybersecurity
Web Application Security

2 Topics
- Client-side Technologies
- Web Application Architectures
- Client-side Security
- Encoding
- Authentication
- Session Management
- Access Control
- Secure Development Lifecycle
- Secure Deployment of Web Applications
- Attack Trends

3 HTML
- Hierarchical tree structure of tags.
- Tags have optional name=value parameters.
- Text nodes may exist between tags.
- Special characters: < > " ' &

4 HTML vs XHTML
- HTML
  - Generously interprets tags, with many variants between browsers.
  - Interprets the string between certain tags as non-HTML text: <style>, <script>, <textarea>, <xmp>.
- XHTML
  - Strict: tags are case sensitive; all tags must be closed and properly nested; attributes must be quoted; etc.
  - Supports raw text inside any tag via <![CDATA[ … ]]>
  - Can incorporate sections using other XML-based markup languages like MathML.

5 Uniform Resource Identifiers (URIs)
- A URI is a string of characters that identifies a web resource. URIs come in two types.
- Uniform Resource Names (URNs)
  - Identify a resource by name within a specific namespace.
  - Ex: urn:isbn:
- Uniform Resource Locators (URLs)
  - Identify a resource via a representation of its primary access mechanism, e.g. a network address.
  - Ex:

6 URL Format
proto://user:pw@host:port/path?qstr#frag
- Proto is the network protocol, e.g. http, ftp, mailto, etc.
- User and pw are optional authentication credentials.
- Host is the DNS name or IP address of the server.
- Port is the TCP port number; defaults to 80 for http.
- Path is the name of the resource on the server, which may or may not represent a filesystem path.
- Qstr is a query string, typically used by GET requests to send parameters to an application.
- Frag is a fragment identifier used by the client to identify a location within a web page.
  - It is not sent to the server.
  - Some client apps use fragments for navigation, so their contents may be security sensitive.
- RFC 1738 for URL definitions

7 URL Encoding
- The query string is a set of key=value pairs separated by &
  - ?q=cloud&lang=en
- Whitespace marks the end of a URL
- Special characters must be URL-encoded.
  - %HH represents the character with hex value HH, e.g. %20 = space.
  - Special characters include whitespace ? / # &
  - Any character may be encoded, including in the proto, path, etc.
- URL encoding is also used in the body of POST requests.
- RFC 1738 for URL definitions

8 HTML Forms
- <form> tag
  - action=URL destination for form input.
  - method=get sends input as query string parameters
  - method=post sends input as data in a POST request
- <input> tag
  - name=name of input.
  - type attribute specifies checkbox, radio, text, etc.

9 Hidden Fields
- <input type="hidden" name="user" value="james">
- Used to propagate data between HTTP requests since the protocol is stateless.
- Clearly visible in the HTML source.
- The user can modify hidden values: the form can be copied, modified to change the hidden fields, then used to invoke the script.

10 HTTP POST Request
Request line: Method URL Protocol-Version
POST HTTP/1.1
Headers:
Host:
User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/
Accept: text/html, image/png, */*
Accept-Language: en-us,en;q=0.5
(Blank line)
Form data:
name=Jane+Doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=NA

11 JavaScript
- Common web scripting language.
- Standardized as ECMAScript (current version ES2018).
- Runs in the browser via a Just-In-Time (JIT) compiler.
- Can be included in a web page via
  - Inline <script> blocks.
  - Remote scripts via <script src="…">
  - javascript: URLs in HTML params and CSS.
  - CSS expression(…) syntax
  - Event handlers (onload, onclick, onerror, …)
  - Timers (setTimeout, setInterval)
  - eval(…) calls from within JavaScript.

12 JavaScript Security Issues
- Each <script> block is processed individually, in the order encountered on the page.
  - A syntax error won't stop later <script>s from running.
- All scripts can set variables in the global namespace.
- Scripts can replace built-in classes and functions.
- Nested script inclusion requires nested encoding
  - <div onclick="setTimeout('do_stuff(\'user_string\')',1)">
  - The HTML parser extracts onclick and puts it in the DOM.
  - When the element is clicked, the timeout is set.
  - When the timeout triggers, the inner script executes.
  - To be secure, double-encode user_string with JS backslashes, then encode with HTML entities.
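The nested encoding this slide prescribes, worked through as an added example (not code from the slides): user_string is JS-escaped for the inner literal, JS-escaped again for the setTimeout literal, then HTML-entity encoded, and the decoder peels the layers in browser order to show the round trip. The function names and the SAMPLE string are chosen here.

```python
import html

# Added example (not from the slides). Target markup, from the slide:
#   <div onclick="setTimeout('do_stuff(\'user_string\')',1)">
# user_string sits inside two JavaScript string literals which sit inside an
# HTML attribute, so it is JS-escaped twice and HTML-entity-encoded once.
# The browser undoes the layers in the opposite order: HTML, then JS, then JS.

SAMPLE = "O'Brien says \"hi\" <b>&</b>"   # constructed user input


def js_string_escape(s: str) -> str:
    """Escape s for use inside a single-quoted JavaScript string literal."""
    out = []
    for ch in s:
        if ch in "\\'\"":            # backslash and quotes would end or alter the literal
            out.append("\\" + ch)
        elif ch == "\n":
            out.append("\\n")
        elif ch == "\r":
            out.append("\\r")
        elif ch in "<>&/":           # keep HTML metacharacters (e.g. </script>) out of the script
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def js_string_unescape(s: str) -> str:
    """Reverse js_string_escape (models the JS parser reading the literal)."""
    out, i = [], 0
    while i < len(s):
        if s[i] != "\\":
            out.append(s[i]); i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x":
            out.append(chr(int(s[i + 2:i + 4], 16))); i += 4
        elif nxt in "nr":
            out.append("\n" if nxt == "n" else "\r"); i += 2
        else:
            out.append(nxt); i += 2            # \' \" \\ map to the character itself
    return "".join(out)


def nested_onclick(user_string: str) -> str:
    """Build the attribute with user_string encoded for every enclosing context."""
    inner = js_string_escape(user_string)                # do_stuff('...') literal
    outer = js_string_escape("do_stuff('%s')" % inner)   # setTimeout('...') literal
    handler = "setTimeout('%s',1)" % outer
    return '<div onclick="%s">' % html.escape(handler, quote=True)  # HTML attribute layer


def decode_browser_order(tag: str) -> str:
    """Peel the layers the way the browser does and return the recovered user string."""
    handler = html.unescape(tag[len('<div onclick="'):-len('">')])   # HTML parser
    outer = handler[len("setTimeout('"):-len("',1)")]
    call = js_string_unescape(outer)                                  # JS parser, 1st literal
    inner = call[len("do_stuff('"):-len("')")]
    return js_string_unescape(inner)                                  # JS parser, 2nd literal
```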

13 JSON
- JSON = JavaScript Object Notation
  - Lightweight data interchange format.
  - Based on a subset of JavaScript, but language independent; libraries exist for any language.
  - Standards: RFC 4627 and ECMA-404.
- JSON parsing
  - Use JSON.parse(…)
  - Do not use eval(…), as it will execute any JavaScript code, not just parse JSON.

14 JSON Example
{
  "firstName": "John",
  "lastName": "Smith",
  "age": 25,
  "address": {
    "streetAddress": "21 2nd Street",
    "city": "New York",
    "state": "NY",
    "postalCode": "..."
  },
  "phoneNumbers": [
    { "type": "home", "number": " " },
    { "type": "fax", "number": " " }
  ]
}

15 eXtensible Markup Language (XML)
- XML encodes data in a format readable by both humans and machines.
- Uses <> tags like HTML.
- Requires all tags to be closed and nested properly.
- Also uses HTML entity encoding.
- DTDs and schemas define the allowed tags for a specific type of data.

16 Document Object Model
- The DOM connects JavaScript and CSS to HTML documents.
- JavaScript can read and modify every element of the HTML.
- Dynamic HTML (DHTML) = DOM + JavaScript + CSS.
- This capability is what cross-site scripting attacks use.

17 XMLHttpRequest (XHR) API
- JavaScript API to request data from a server without loading a new web page in the browser.
- Can be done asynchronously so the web application UI stays responsive during loads.
- Resources are typically XML or JSON data.
- Allows highly interactive web applications
  - AJAX = Asynchronous JavaScript and XML
  - Examples: Google Maps, Gmail, etc.
- Can only request resources from the server that the JavaScript came from (Same Origin Policy).

18 DHTML vs AJAX

19 Client-Side Security
- Everything submitted by the client is under the user's control.
  - The user can view the HTML and see hidden form fields.
  - The user can save a page to an HTML file and edit it before submitting a form.
  - The user can dynamically modify pages via browser debuggers.
- The user can put a proxy between the browser and the server to
  - Modify submitted form data after client-side JavaScript running in the browser validated the data as secure.
  - Modify HTTP headers, including cookies and Referer.

20 DOM Security Policy
- Given any two JavaScript execution contexts, one should be able to access the DOM of the other only if the protocols, DNS names, and port numbers of their documents match exactly.
- Cannot isolate home pages of different users on the same server.
- Disallows communication between login.example.com and payments.example.com.

21 Cookies
- Maintain state via HTTP headers
  - The state is a set of name=value pairs.
  - Set-Cookie header sent from the server.
  - Cookie header sent from the browser.
  - No RFC specification existed until RFC 6265 in 2011.
- Examples
  - Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT
  - Cookie: foo=bar
- Encoding
  - Encode cookie values with base64 to avoid metacharacter interpretation (colons, commas, slashes, quotes, etc.)

22 Cookie Fields
- Expires: if specified, the cookie may be saved to disk and persist across sessions. If not, the cookie persists for the duration of the browser session.
- Max-age: similar to Expires, but not supported by IE.
- Domain: scoping mechanism that allows a cookie to be scoped to a domain broader than the host that sent the Set-Cookie header.
- Path: scopes the cookie to a specified path prefix.
- Secure: prevents the cookie from being sent over non-encrypted connections.
- HttpOnly: removes the ability to read the cookie via the document.cookie API in JavaScript, to protect against XSS.
- RFC 6265

23 Cookie Security Policy
- The Domain parameter limits which servers are sent the cookie, in complex ways (see table).
- The Path parameter limits which paths are sent the cookie, but JavaScript from any path can read cookies.
- Table 9-3 from The Tangled Web
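An added example (not from the slides) that audits a Set-Cookie header for the attributes discussed on slides 21 to 23: Secure, HttpOnly, Domain widening, persistence, and Path. parse_set_cookie, audit_set_cookie and the finding codes are names chosen here; the headers in the checks are constructed.

```python
# Added example (not from the slides): check a Set-Cookie header against the
# cookie attributes on slides 21-23. Names and finding codes are chosen here.


def parse_set_cookie(header: str):
    """Split 'name=value; Attr=val; Flag' into (name, value, {attr: val})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags such as Secure get ""
    return name.strip(), value, attrs


def audit_set_cookie(header: str, issuing_host: str) -> list:
    """Return finding codes for a session-style cookie set by issuing_host."""
    _, _, attrs = parse_set_cookie(header)
    findings = []
    if "secure" not in attrs:
        findings.append("no-secure")        # will also be sent over plaintext HTTP
    if "httponly" not in attrs:
        findings.append("no-httponly")      # readable through document.cookie (XSS)
    domain = attrs.get("domain", "").lstrip(".").lower()
    if domain and domain != issuing_host.lower():
        # Domain= widens the scope to every host under that domain (slides 22/23)
        findings.append("broad-domain")
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent")       # written to disk, survives browser exit
    if attrs.get("path", "/") != "/":
        # Path restricts where the cookie is sent, not which scripts can read it
        findings.append("path-not-isolation")
    return findings
```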

24 Browser Storage
- Why aren't cookies enough?
  - Performance hit: included with every HTTP request.
  - Limited to about 4KB in size.
- Flash storage
  - Local Stored Objects (LSOs)
  - 100KB per domain. Client can request more storage with user approval.
- Web Storage (aka DOM Storage)
  - Standard supported by all browsers.
  - Key/value storage in string format.
  - 5MB of storage per origin.
- WebSQL exists but is not supported by IE or FF.

25 Encoding
- Unicode Encoding
- URL Encoding
- Double Encoding
- HTML Entity Encoding
- Base64 Encoding
- Hex Encoding

26 Universal Character Set (UCS)
- Can represent all characters for all languages.
- Represents characters as code points.
- Planes are groups of 65,536 numerical values that represent code points.
  - 1,112,064 code points from 17 planes are accessible with current encodings.
- Basic Multilingual Plane (BMP)
  - The first 65,536 UCS characters.
  - UCS-2 was an early 16-bit encoding that could represent only characters from the BMP.
- Supplementary Ideographic Plane
  - Contains many CJK ideographs.

27 Homograph Attacks
- Spoofing attack that relies on the fact that different characters are visually identical.
  - In ASCII, O and 0, 1 and l are identical in some fonts.
  - See for a list.
- Example: Cyrillic has 11 homographs with Latin
  - U+0430 is 'a' in the Cyrillic alphabet
  - U+0061 is 'a' in the Latin alphabet
  - Allows an attacker to spoof paypal.com.
- International Domain Names enabled in 2003.
  - IDNs are stored in DNS using Punycode ASCII.
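A defender-side check for the slide's U+0430 example, added here (not from the slides): it flags host names whose labels mix scripts and shows the Punycode form the name takes in DNS. The function names are chosen here; the mixed-script host name is constructed.

```python
import unicodedata

# Added example (not from the slides): flag host names whose labels mix
# scripts, such as a Cyrillic U+0430 inside an otherwise Latin "paypal", and
# show the Punycode (xn--) form in which such a label is stored in DNS.


def script_of(ch: str) -> str:
    """First word of the Unicode character name: 'LATIN', 'CYRILLIC', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def letter_scripts(label: str) -> set:
    """Scripts of the letters in one DNS label (digits and hyphens are ignored)."""
    return {script_of(ch) for ch in label if unicodedata.category(ch).startswith("L")}


def is_mixed_script(hostname: str) -> bool:
    """True if any label draws its letters from more than one script.
    Whole-script confusables (an entirely Cyrillic look-alike) are not caught
    by this check; they need a confusables table such as Unicode TR39."""
    return any(len(letter_scripts(label)) > 1 for label in hostname.split("."))


def to_punycode(hostname: str) -> str:
    """ASCII form actually placed in DNS; non-ASCII labels get the xn-- prefix."""
    return hostname.encode("idna").decode("ascii")


def assess(hostname: str) -> dict:
    """Summary a defender might log for a link target or certificate name."""
    labels = hostname.split(".")
    return {
        "host": hostname,
        "punycode": to_punycode(hostname),
        "mixed_script": is_mixed_script(hostname),
        "scripts": sorted(set().union(*(letter_scripts(l) for l in labels))),
    }
```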

28 Unicode Encodings
- UTF-8
  - Variable length 8-, 16-, 24-, or 32-bit encoding
  - Can represent any character on the 17 planes.
  - Backwards compatible: the first 128 characters are ASCII.
  - Over half of web pages use UTF-8 encoding.
- UTF-16
  - Variable length 16-bit or 32-bit encoding
  - Can represent any character on the 17 planes.
  - Used in the Windows API since W2k.
  - Java added UTF-16 support in Java 5.
  - Special syntax for non-BMP characters in most languages.

29 UTF-8 Problems
- Not all bit sequences are valid, especially overly long sequences that can represent the same character using the techniques in each of the 6 rows of the table above, to bypass input validation.
- Check the validity of UTF-8 strings before checking whether the strings match a whitelist.
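An added example (not from the slides) of why validity must come first: a permissive decoder that accepts the overlong form C0 AF of '/' lets a byte-level filter be bypassed, while strict decoding rejects it before any match is attempted. lenient_utf8_decode, vulnerable_resolve and hardened_resolve are names chosen here; OVERLONG_TRAVERSAL is constructed input.

```python
# Added example (not from the slides): why UTF-8 validity must be checked
# before any whitelist or blacklist test. C0 AF is an overly long two-byte
# form of '/' (0x2F), which valid UTF-8 requires to be a single byte.

OVERLONG_TRAVERSAL = b"\xc0\xae\xc0\xae\xc0\xafetc"   # constructed: "../etc" in overlong form


def lenient_utf8_decode(data: bytes) -> str:
    """A permissive decoder, as found in older parsers: it accepts overlong
    sequences instead of rejecting them (this is the weakness the slide describes)."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            cp, n = b, 1
        elif b >> 5 == 0b110:
            cp, n = b & 0x1F, 2
        elif b >> 4 == 0b1110:
            cp, n = b & 0x0F, 3
        elif b >> 3 == 0b11110:
            cp, n = b & 0x07, 4
        else:
            raise ValueError("invalid lead byte 0x%02x" % b)
        for c in data[i + 1:i + n]:
            if c >> 6 != 0b10:
                raise ValueError("invalid continuation byte")
            cp = (cp << 6) | (c & 0x3F)
        out.append(chr(cp))        # no check that n is the shortest form for cp
        i += n
    return "".join(out)


def has_traversal(text: str) -> bool:
    return ".." in text or "/" in text or "\\" in text


def vulnerable_resolve(raw: bytes):
    """Filter the raw bytes first, decode leniently afterwards: the overlong
    bytes contain neither 0x2E nor 0x2F, so the check passes and the decoder
    then produces '../'."""
    if has_traversal(raw.decode("latin-1")):
        return None
    return lenient_utf8_decode(raw)


def hardened_resolve(raw: bytes):
    """Validate UTF-8 strictly first (Python's codec rejects overlong forms),
    then run the filter on the decoded text."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None                # malformed input is rejected, not repaired
    if has_traversal(text):
        return None
    return text
```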

30 URL Encoding
- URL encoding is the encoding of characters as a % followed by 2 hexadecimal digits
  - The encoding is the ASCII value of the character.
  - Non-ASCII characters are typically represented by %-encoding each byte of the UTF-8 representation.
- Any character in a URL can be %-encoded.
  - Meaningful characters like whitespace or / that appear in the path or query string must be %-encoded.
  - Non-printing ASCII characters must be %-encoded.
- Form submissions are URL encoded.
  - Use MIME type application/x-www-form-urlencoded.

31 Double Encoding
- Double encoding attempts to bypass input filters that
  - Decode URL-encoded strings.
  - Check the decoded strings for dangerous inputs, then
  - Pass the decoded strings to another system that has the capacity to interpret URL-encoded strings.
- Example: path traversal string "../"
  - URL-encoding is %2E%2E%2F.
  - We can encode the % as %25 to double encode.
  - Double-encoding is %252E%252E%252F.
  - Decoding once produces the original URL-encoded string, which will not match a string search for ".." or "/".
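The filter from this slide beside a hardened version, as an added example (not from the slides): the flawed filter decodes once and string-searches, the hardened one decodes to a fixed point before searching. Function names are chosen here.

```python
from urllib.parse import unquote

# Added example (not from the slides): the filter the slide describes, which
# decodes once and searches for ".." and "/", beside a hardened version that
# canonicalizes to a fixed point before checking.

TRAVERSAL_MARKERS = ("..", "/", "\\")


def downstream_interprets(value: str) -> str:
    """Models the second system on the slide, which decodes %-sequences again."""
    return unquote(value)


def single_decode_filter(value: str) -> bool:
    """Allow/deny as the flawed filter does: decode once, then string-search."""
    decoded = unquote(value)
    return not any(m in decoded for m in TRAVERSAL_MARKERS)


def canonicalize(value: str, max_rounds: int = 4) -> str:
    """Percent-decode until the value stops changing, so no encoding layer is
    left for a downstream component to interpret. Inputs that need more than
    max_rounds layers are treated as hostile rather than decoded further."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            return value
        value = decoded
    raise ValueError("too many encoding layers")


def hardened_filter(value: str) -> bool:
    """Decode to a fixed point first, then apply the same string search."""
    try:
        canonical = canonicalize(value)
    except ValueError:
        return False
    return not any(m in canonical for m in TRAVERSAL_MARKERS)


def flawed_pipeline(value: str):
    """What reaches the downstream system when the flawed filter is used:
    the once-decoded string is passed on and decoded a second time there."""
    if not single_decode_filter(value):
        return None
    return downstream_interprets(unquote(value))
```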

32 HTML Entity Encoding
Entity    Character
&lt;      <
&gt;      >
&amp;     &
&quot;    "
&apos;    '
&#nnnn;   Unicode code point nnnn (decimal)
&#xhhhh;  Unicode code point hhhh (hexadecimal)

33 Base-64 Encoding
- Binary to text encoding
  - Each base64 digit represents 6 bits of data.
  - 3 bytes of input are encoded as 4 base64 digits.
  - The standard alphabet is [A-Za-z0-9+/], but variants exist.
- Padding
  - Appears at the end of a base64 string when the input length was not a multiple of 3.
  - Ending with xyz= means the last 4 base64 digits represent 2 bytes, not 3 bytes.
  - Ending with xy== means the last 4 digits represent 1 byte.

34 Hex Encoding
- Encode each byte as 2 hex digits [0-9A-F]
  - An 8-bit byte ranges from 0 to 255.
  - The equivalent hex digits range from 00 to FF.
  - May use lowercase [0-9a-f] or uppercase [0-9A-F].
- Identical to URL encoding without the %.
- Easy to decode, but an inefficient use of space.
  - Hex encoding carries 4 bits per output character.
  - Base64 encoding carries 6 bits per output character.
  - Hex encoding ASCII text doubles its size.
- Used by many web applications.

35 Web Authentication Types
- HTTP basic and digest authentication
- HTML forms-based authentication
- Client TLS certificate authentication
- Windows-integrated authentication (NTLM/Kerberos)
- Multi-factor Authentication

36 Web Authentication Security
- Encrypt with TLS to prevent password sniffing
  - HTTP Basic and form-based authentication transmit passwords, so these actions must be encrypted.
  - Encrypt the form as well as the form action to prevent MITM.
- Use strong credentials
  - Require unique usernames and long passwords.
- Mitigate online password guessing
  - Add a delay after a failed login to slow guessing attacks.
- Secure password change functionality
  - Do not send passwords over email.
  - Send a one-time reset link to the stored email address.

37 Session Management
- Web applications must manage sessions
  - HTTP is stateless; each request/response is independent.
  - Sessions are the application's responsibility.
- Authentication creates a session
  - The initial HTTP request/response authenticates the user.
  - Future requests use the session to maintain authentication.
  - If the session is compromised, the attacker can become the user.
- Even sites without authentication often use sessions
  - A session is needed to maintain any state, such as which page of search results to display or the contents of a shopping cart.
- Sessions are often based on cookies, but can also use URLs.

38 Session Identifier Threats
- Session identifiers are used to identify sessions
  - A unique string or number included in a cookie or URL.
  - The string must be encoded as text for HTTP transmission; typically base64 or hex encoding is used.
- Session identifiers are accessible by the client.
  - The client can modify session tokens before resending.
  - The client can obtain and send another user's session token.
- Session identifiers are accessible via a MITM.
  - Must use TLS to avoid token interception.
- Session IDs in URLs are recorded in server logs.

39 Session Identifier Security
- Session identifiers should be dynamic
  - The same token should not be issued to a user each time the user logs in.
- Session identifiers should not be meaningful
  - Should not contain username, UID, access rights, etc.
- Session identifiers should not be predictable
  - Should not be based on a sequence, timestamp, etc.
- Session identifiers should have a short lifetime
  - Reduces the window of vulnerability to attack.
  - Should expire immediately when the user logs out.
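A minimal server-side session store that follows the four rules on slides 38 and 39, added here as an example (not code from the slides): a fresh CSPRNG token per login, nothing meaningful in it, idle expiry, and immediate invalidation on logout. SessionStore, ManualClock and IDLE_TIMEOUT are names and values chosen here.

```python
import secrets
import time

# Added example (not from the slides): a session store that follows the rules
# on this slide. The 15-minute idle timeout is an assumption for the example.

IDLE_TIMEOUT = 15 * 60      # seconds of inactivity before a session dies


class ManualClock:
    """Injectable clock so expiry can be exercised without sleeping."""
    def __init__(self, start: float = 1_700_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class SessionStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._sessions = {}      # token -> {"user": str, "last_seen": float}

    def login(self, username: str) -> str:
        # Dynamic + unpredictable + meaningless: 32 bytes from the OS CSPRNG,
        # a fresh value every login, nothing derived from the user or a counter.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": username, "last_seen": self._clock()}
        return token

    def user_for(self, token: str):
        """Return the user of a live session, or None for unknown/expired tokens."""
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        if now - session["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[token]         # short lifetime: expired tokens are purged
            return None
        session["last_seen"] = now            # activity extends the idle window
        return session["user"]

    def logout(self, token: str) -> None:
        """Invalidate immediately; the token is useless even if it was captured."""
        self._sessions.pop(token, None)

    def active_count(self) -> int:
        return len(self._sessions)
```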

40 Web Access Control
- Vertical: different types of users access different parts of the web application.
  - Administrative and ordinary users.
- Horizontal: users access a certain subset of a range of resources of the same type.
  - Webmail users can only access their own email.
  - Electronic banking users can only access their own account.
- Context-Dependent: ensure access is restricted to what is permitted in the current application state.
  - Ensure the user goes through all steps of a purchase in the correct order, not skipping payment or other steps.

41 Access Control Vulnerabilities
- No access control.
  - The application assumes the user cannot guess URLs with access to privileged functionality.
- Parameter-based access control
- Insecure multi-stage processes
  - Does the application enforce order and re-validate data at each step?
  - Note that the Referer header can be spoofed.

42 Security Development Lifecycle
(Figure: security activities mapped onto the lifecycle phases)
- Lifecycle phases: Requirements, Design, Coding, Testing, Maintenance
- Security activities: Abuse Cases, Risk Analysis, Code Reviews + Static Analysis, Security Testing, Penetration Testing, Security Operations

43 Security in Design
- Apply secure design principles throughout the design process, such as
  - Least Privilege
  - Fail-Safe Defaults
  - Defense in Depth
  - Separation of Privilege
- Use secure design patterns where applicable.
- Perform an architectural risk analysis to evaluate the security of your design and to identify design changes that need to be made to improve security.

44 Code Reviews
- A code review is an examination of source code by developers other than the author to find defects.
- Benefits
  - Find defects sooner in the lifecycle.
  - Find defects with less effort than testing.
  - Find different defects than testing.
  - Educate developers about vulnerabilities.
- Static analysis tools can assist in finding security bugs.

45 Black Box Testing
- Advantages of Black Box Testing
  - Examines the system as an outsider would.
  - The tester builds an understanding of the attack surface and system internals during the test process.
  - Can be used to evaluate the effort required to attack the system.
  - Helps test items that aren't documented.
(Figure: Test Input -> System -> Test Output)

46 White and Grey Box Testing
- White Box
  - The tester knows all information about the system, including source code, design, and requirements.
  - Most efficient technique.
  - Avoids security through obscurity.
- Grey Box
  - Apply both white box and black box techniques.
(Figure: Test Input -> Test Output)

47 Penetration Testing
- Black box test of the deployed system.
  - Allocate time at the end of development to test.
  - Often time-boxed: test for n days.
  - Schedule slips often reduce testing time.
  - Fixing flaws is expensive late in the lifecycle.
- Penetration testing tools
  - Web application testing proxies like Burp or ZAP.
  - Fuzzing: send random data to inputs.
  - Tools don't understand the application's structure or purpose.

48 Security Testing
- Tests for injection flaws, buffer overflows, XSS, etc.
- Functional testing will find missing functionality.
(Figure: Intended Functionality vs. Actual Functionality)

49 Secure deployment
- Network perimeter security
  - Traditional network segmentation + firewalls.
  - Web application firewalls to detect and prevent attacks.
- Secure data in all states
  - Ensure data is encrypted in transit, not just between browser and web server but also between web, application, and database servers.
  - Ensure important data is encrypted in storage too.
- Maintenance processes
  - Security updates for all servers and dependencies.
  - A vulnerability management process to update the web app.

50 Application Servers
- Web applications run on an application server
  - A separate server, like Tomcat for Java Server Pages, or
  - A component, like mod_php within the Apache web server.
- Application servers can help provide security through authentication, session management, and access control, but there may be vulnerabilities in these features.
- Application servers may contain default content
  - Example applications that often have vulnerabilities.
- Application servers must be configured securely and kept up to date on security patches, like the web server.

51 Shared Hosting
- A single web server can host web applications belonging to different organizations.
  - Cheap, mostly used by very small businesses.
- Confidentiality is problematic, as web sites share both the filesystem and server memory.
  - If someone hacks one site, they are often able to compromise the others on the shared host.
- Integrity can be problematic for the same reasons.
- Availability can be affected by traffic to other organizations.
- The most common form today is WordPress hosting.
  - WPScan checks for WordPress vulnerabilities.
  - Plugins like Bulletproof can help secure WordPress.

52 Attack Trends
- Cryptocurrency mining
  - Criminals search for any vulnerable web server to upload cryptocurrency mining software that runs in the background.
  - Others load malicious JavaScript onto vulnerable web servers to install miners on the users of your web site.
- Dependency vulnerabilities
  - Web applications depend on a variety of frameworks, libraries, application and database servers, etc.
  - If these dependencies are not up to date on security patches, the application is vulnerable.
  - The 2017 Equifax breach of 143 million credit records resulted from an unpatched vulnerability in Apache Struts.

53 References
- James Kettle. Top 10 Web Hacking Techniques of
- Tim Mackey. security/thoughts-on-the-latest-apache-struts-vulnerability- /a/d-id/
- OWASP. OWASP Top 10 Application Security Risks
- Dafydd Stuttard and Marcus Pinto, The Web Application Hacker's Handbook, 2nd Edition, Wiley, 2011.
- Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2011.

54 Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license.
You are free:
- to Share — to copy and redistribute the material in any medium
- to Adapt — to remix, transform, and build upon the material
- to use part or all of this presentation in your own classes
Under the following conditions:
- Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials.
- Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license.
Details and full text of the license can be found at

