Presentation is loading. Please wait.

Presentation is loading. Please wait.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web."— Presentation transcript:

1 CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web Derek Mathieson Group Leader Administrative Information Services CERN – Geneva, Switzerland

2 CERN GS-AIS Who Am I

3 CERN GS-AIS Agenda Background Information Impact of Security Flaws Definitions Types of Attack Techniques / Solutions

4 CERN GS-AIS Why Secure Web Application?

5 CERN GS-AIS Impact of Security Flaws Ping of death Morris worm (1988) –6,000 infected computers Santy (2004) –~40,000 infected computers (in 24 hours) Conficker (2008) –Up to 15,000,000 infected computers

6 CERN GS-AIS http://inj3ct0r.com/

7 CERN GS-AIS http://www.exploit-db.com/

8 CERN GS-AIS Definitions Identification Authentication Authorisation Session Management

9 CERN GS-AIS Identification / Authentication How Can You Prove Who You Are? –Biometric Passport –Photo ID –Fingerprint –Username / Password

10 CERN GS-AIS Definitions Entity –A User, another computer system component Identification –Providing credential such that a system can recognise the entity and distinguish it from other entities. Authentication –The process of verifying the identity of an entity.

11 CERN GS-AIS Authentication Factors Something an entity knows: –Password, PIN Something an entity has: –ID Card, private key Something an entity is: –Fingerprint, iris scan, …

12 CERN GS-AIS Authentication Single / Multi-factor Authentication –Password only –Password + Fingerprint Trade-off between –Convenience –Cost –Complexity –Security

13 CERN GS-AIS Identity Theft Forgotten Passwords –Self Service Lost ID Cards –Blocking List Compromised Private Keys –CRL What about Biometrics? No easy solution

14 CERN GS-AIS Passwords Server good practices –Never store them in ‘clear’ –Use encrypted communication protocols (SSL) –Log authentication failures –Use generic error messages: User/password combination not recognised’ –Show user Last login date Previous failed login attempts

15 CERN GS-AIS Web Authentication Techniques Basic Authentication Digest Authentication Form Authentication

16 CERN GS-AIS Basic Authentication

17 CERN GS-AIS Basic Authentication Password : : Username Base64 QWxhZGRpbjpvcGVuIHNlc2FtZQ==

18 CERN GS-AIS Basic Authentication No encryption –Username / Password ‘encoded’ Depends on a secure communication channel

19 CERN GS-AIS Digest Authentication

20 CERN GS-AIS Digest Authentication Password realm Username MD5 348RU349URFJ934FH3FH9… =HA1 URI Method MD5 4I0R9I34F034403RI4I… =HA2 GET /Protected/secrets.html

21 CERN GS-AIS Digest Authentication HA2 HA1 MD5 R3984UR34R43RU… =response nonce

22 CERN GS-AIS Digest Authentication Advantages –Communication is more secure Some doubts over irreversibility of MD5 –Server nonce can avoid replay attacks Disadvantages –Server password file is contains usable credentials in plaintext –Vulnerable to a man-in-the-middle (MitM) attack

23 CERN GS-AIS Digest Authentication Request + Digest Response UserServer Request 401 Unauthorized + nonce

24 CERN GS-AIS Digest Authentication Attacker UserServer Request 401 Unauthorized + basic auth Request 401 Unauthorized + nonce

25 CERN GS-AIS Digest Authentication Attacker UserServer Request + basic Response Request + Digest Response UsernamePassword DerekVerySecret

26 CERN GS-AIS Form Authentication

27 CERN GS-AIS Form Authentication Advantages –Simple to develop –Richer User Interface –Can use multifactor authentication Disadvantages –Depends on a secure communication channel (usually)

28 CERN GS-AIS Other Authentication Methods Single Sign-on –OpenID, Shibboleth, … Integrated Windows Authentication Token-based –One Time Passwords (OTP) SecureID, YubiKey –Public key authentication (SSL client certificates).

29 CERN GS-AIS Authorisation

30 CERN GS-AIS Authorisation An Authorisation system should: –Allow access to resources to users/systems that are permitted to access them. –Prevent access to those that are not permitted.

31 CERN GS-AIS Authorisation System requirements: –Who (entity) –What (resource) –Which operation (read / update / delete / …) –Access Policy

32 CERN GS-AIS Role Based Access Control Roles are identified –e.g. administrator, group leader, developer. Rights are assigned to roles –group leader can access homepage Roles are assigned to entities –Derek is a group leader

33 CERN GS-AIS AIS Roles

34 CERN GS-AIS Role Based Access Control Less complex than individual assignment of access rights Roles can link to organization roles –Automatic maintenance –Less administration

35 CERN GS-AIS Authorisation: Good Practices Check every access Centralise rights management Principal of Least Privilege

36 CERN GS-AIS Session Management

37 CERN GS-AIS Session Management Why do we need it? –HTTP is state-less

38 CERN GS-AIS Session Management Credentials Session ID: 42 UserServer User IDSession ID Session Memory Derek42 Frank43 Jim44 Alex45 Jane46 Billy47 Lilly48

39 CERN GS-AIS Session Management Good Practices –Keep Session ID secret! Use encrypted communications. –Make them unpredictable Based on a random sequence Never re-used –Time limited Use a standard framework

40 CERN GS-AIS Types of Attack Session –Session Fixation / Session ID Forgery –Cross-Site Scripting –Cross-Site Request Forgery Injection –SQL Injection –Command Injection Google Hacks

41 CERN GS-AIS Cross-Site Scripting XSS

42 CERN GS-AIS Cross-Site Scripting The most common publicly-reported security vulnerability –Up to 68% of websites could be vulnerable

43 CERN GS-AIS Cross-Site Scripting (Persistent) … Server User Attacker request response + malicious script

44 CERN GS-AIS Cross-Site Scripting (non-persistent) ‘Click Here’ + malicious script Server User Attacker request + malicious script response + malicious script

45 CERN GS-AIS Cross-Site Scripting: Impact Site defacement

46 CERN GS-AIS USDA.GOV

47 CERN GS-AIS EU President

48 CERN GS-AIS BP.COM

49 CERN GS-AIS Cross-Site Scripting: Impact Site defacement Identity Theft Malware distribution …

50 CERN GS-AIS Cross-Site Scripting: Impact ‘Samy’ XSS Worm on MySpace –Automatically made ‘friend request’ back to author. –Within 20 hours of release over 1,000,000 users were affected. Author: Samy Kamkar –Arrested and on felony charge. Sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.

51 CERN GS-AIS Cross-Site Scripting: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers

52 CERN GS-AIS Cross-Site Scripting: Remedies Remove / replace HTML entities –‘White List’ or ‘Black List’ Filter Use Non-HTML Lightweight mark-up –Wiki –bb-code –Textile Use a Site Scanning Tool –We use Acunetix

53 CERN GS-AIS Cross-Site Request Forgery CSRF / XSRF

54 CERN GS-AIS Cross-Site Request Forgery ‘Click Here’ Server User Attacker request response + embedded command Evil Server ‘Hidden’ request

55 CERN GS-AIS Cross-Site Request Forgery <img src="http://bank.example/withdraw? account=bob&amount=1000000&for=mallory"> <img src="http://bank.example/withdraw? account=bob&amount=1000000&for=mallory"> Embedded Image <form name="secretform" method="POST" action="http:bank.example/account"> … <form name="secretform" method="POST" action="http:bank.example/account"> … Hidden Form

56 CERN GS-AIS XSRF: Remedies For End Users: Very Little! –Log out before visiting other sites –Don’t use ‘remember me’ features –Don’t visit ‘untrustworthy’ sites

57 CERN GS-AIS XSRF: Remedies For Website Authors –Include a hidden ‘nonce’ token in forms –Ignore GET parameters when processing a POST –Include Authentication Cookies in POST body (via JavaScript)

58 CERN GS-AIS Injection Exploits SQL Injection

59 CERN GS-AIS SQL Injection SQL Injection is user input allowed to pass through and to the database directly

60 CERN GS-AIS SQL Injection: Example Log on to NetBank User name: Password: Logon b.cameron SELECT id FROM logins WHERE username = '$username' AND password = '$password' SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'SecretWord' SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'X' OR 1 = 1 Attacker X' or 1=1

61 CERN GS-AIS SQL Injection: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

62 CERN GS-AIS SQL Injection: Remedies Prepared Statements –Advantages Precompiled Query: Faster (usually) Database engine does the bind –Disadvantages (a little) More Complex SELECT id FROM logins WHERE username = ? AND password = ?

63 CERN GS-AIS Other Exploits

64 CERN GS-AIS Command Injection Variation of SQL Injection –Injects malicious OS command exec ("ls " + $userPath) exec ("ls /home/myfiles") exec ("ls.; cat /etc/passwd")

65 CERN GS-AIS Google Hacking Database http://www.hackersforcharity.org/ghdb

66 CERN GS-AIS Summary Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

67 CERN GS-AIS Thank You

Download ppt "CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.

It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities

The 10 Most Critical Web Application Security Vulnerabilities
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
MongoDB Sharding and its Threats

MongoDB Sharding and its Threats
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department

Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Similar presentations

Ads by Google