IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

Similar documents
IERG 4210 Tutorial 08

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Application vulnerabilities and defences

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Security. CSC309 TA: Sukwon Oh

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

RKN 2015 Application Layer Short Summary

Web Application Penetration Testing

A Simple Course Management Website

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

COMP9321 Web Application Engineering

CIS 4360 Secure Computer Systems XSS

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

1 About Web Security. What is application security? So what can happen? see [?]

COMP9321 Web Application Engineering

Your Turn to Hack the OWASP Top 10!

John Coggeshall Copyright 2006, Zend Technologies Inc.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

P2_L12 Web Security Page 1

Advanced Web Technology 10) XSS, CSRF and SQL Injection

The security of Mozilla Firefox s Extensions. Kristjan Krips

Contents. xvii xix xxiil. xxvii

Web Application Security. Philippe Bogaerts

WEB SECURITY: XSS & CSRF

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

CONTENTS IN DETAIL INTRODUCTION 1 THE FAQS OF LIFE THE SCRIPTS EVERY PHP PROGRAMMER WANTS (OR NEEDS) TO KNOW 1 2 CONFIGURING PHP 19

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

COMP9321 Web Application Engineering

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

PHP and MySQL Programming

CS 161 Computer Security

Ruby on Rails Secure Coding Recommendations

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

OWASP TOP 10. By: Ilia

Learning Php Mysql Javascript With Jquery Css Html5

Solutions Business Manager Web Application Security Assessment

Web Security: Vulnerabilities & Attacks

Information Security CS 526 Topic 8

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Certified Secure Web Application Engineer

Exploiting and Defending: Common Web Application Vulnerabilities

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team


Protect Your Application with Secure Coding Practices. Barrie Dempster & Jason Foy JAM306 February 6, 2013

Some Facts Web 2.0/Ajax Security

Chrome Extension Security Architecture

Web Attacks CMSC 414. September 25 & 27, 2017

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

Creating an Online Catalogue Search for CD Collection with AJAX, XML, and PHP Using a Relational Database Server on WAMP/LAMP Server

CSE 336. Introduction to Programming. for Electronic Commerce. Why You Need CSE336

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

CS50 Quiz Review. November 13, 2017

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Session objectives. Identification and Authentication. A familiar scenario. Identification and Authentication

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

CSE484 Final Study Guide

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Web Security: Loose Ends

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Create-A-Page Design Documentation

Tutorial: Web Application Security

CSCI 1320 Creating Modern Web Applications

CS 155 Project 2. Overview & Part A

Welcome to the OWASP TOP 10

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Combating Common Web App Authentication Threats

Web Security. Thierry Sans

Online Intensive Ethical Hacking Training

SECURE CODING ESSENTIALS

CSCE 813 Internet Security Case Study II: XSS

Pass, No Record: An Android Password Manager

How to crack asp login page. How to crack asp login page.zip

epldt Web Builder Security March 2017

Dip Your Toes in the Sea of Security. James Titcumb PHP Dorset 2nd June 2014

Information Security CS 526 Topic 11

Project 2: Web Security

CS 161 Computer Security

6.170 Tutorial 7 - Rails Security. Prerequisites. Goals of this tutorial. Resources

Topic 15: Authentication

Proving who you are. Passwords and TLS

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

CSWAE Certified Secure Web Application Engineer

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

Web Penetration Testing

Computer Security CS 426 Lecture 41

CSCE 548 Building Secure Software SQL Injection Attack

An analysis of security in a web application development process

Transcription:

IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu

Content for today Phase 4 preview From now please pay attention to the security issue of your website This tutorial focuses on preventing injection, and authentication issues (2 nd part of Lecture 7). For session storage issue we would cover in later tutorial. Authentication of admin user introduction to Hash function - Avoid plain-text password storage Interactive Q&A session for previous phases If you still have difficulties on content for previous content, please refer to: W3school: very detailed tutorials on HTML / CSS / JavaScript and related issues like JSON / database / jquery / Ajax (can have a glimpse on PHP if you have spare time) nodeschool: tutorial on node recommended by the official site

What to do after phase 3? Our page contains possibility being attacked by various malicious activities. We have implemented a user page and an admin page. However, anyone can visit the admin page for now. We need to add admin user management database (only user with special privilege could visit admin page and do operations), in which many security issues are involved. Use cookies to remember authentication, without security vulnerability. Other issues that might result in security vulnerability.

Overview of Phase 4 Six major tasks for phase 4. (I)~(V) for Phase 4a and (VI) for Phase 4b. (I) Preventing XSS injection: Attackers insert client side script into web pages. Example: a story. Common behavior: Input the required form with critical chars < > Solution: have a strict and thorough check throughout your web page form input. Alternatively forbid critical chars as input.

Overview of Phase 4 (II) SQL injection Similarly inserting characters that might change the database retrieve pattern: SELECT * FROM users WHERE name = '' OR '1'='1'; Step 1: Always do pattern checking before searching the database: req.checkbody('username', 'Invalid Username').isLength(4, 512).matches(inputPattern); Where inputpattern is a regular expression. Step 2: Use prepare statement: (See next page)

Overview of Phase 4 pool.query('select * FROM users WHERE username =? AND password =? LIMIT 1', } req.body.username, req.body.password], function (error, result) { Refer to Page 27 of Lecture notes 7. A mild reminder is that, you need to replace the password into a salted one, which would be covered in later slides. Thinking while copying codes.

Overview of Phase 4 (III) CSRF vulnerabilities: Comes from the website s trust on the user. Cookie! Example: You have been authenticated by a site (info stored in cookie). Someone sends you a malicious link (which would invoke some operation like pay some money on e-bank without your approval) and you click it. The solution toward this type of attack would be covered in next week tutorial. (it is related to session management)

Overview of Phase 4 Except for securing your site over above 3 issues, we also need to (IV) Task on authentication the first thing you need to do in phase 4 (mainly covered in later slides) Put up a login page before the admin page Do authentication in this step. Avoid plain password using hash function (V) Session management and CSRF prevent (cookies, covered in tutorial 8) (VI) Apply digital certificate (Content of phase 4b, covered in tutorial 9)

Before working on Phase 4 Node package that might be useful to your project: Express (you should have used it) Handlebars / express-handlebars (you should have used it) Mysql (you should have used it) Body-parser Any-db Express-validator Express-session Connect-redis Other package listed in course / tutorial / spec Always npm install, reduce your workload.

Authentication of admin user Create a new table in your database storeing user information. We need to store user s name, email, password and admin flag. We cannot directly store plain text password, rather, store salted password (which can hardly be retrieved). You want to see what salted password looks like? If you have a Ubuntu with you, try checking: sudo vim /etc/shadow. See the thing after your account name. Ubuntu user password is encrypted with SHA-512, a variant of hash function method. Only brute-force method might directly hack it.

Principle of password verification Server never stores and never compares the original version of password as plain text (denoted as M)! Rather, it compares on h K (M), the result of the designed function h, with key K. Principle when designing the function: 1) Easy to compute h(m) 2) Computationally infeasible to find M from h(m) 3) Computationally infeasible to find collision (X!= Y, but h(x)=h(y)) Here hash function serves as a good function.

Hash function Please take it easy since you don t need to implement the algorithm yourself (call it directly). But if you are interested you can see it in detail via http://en.wikipedia.org/wiki/hmac

Admin login In our case, M is the original password, K is called salt, and h K (M) is the salted password. In our database, we store salt and salted password instead of the original password. During comparison, we calculate the salted input using the stored salt, and compare it with the stored salted password. How to call the related functions? See next page.

Admin login To call the function: hmacpassword(req.body.password) To realize this function: function hmacpassword (password) { var hmac = crypto.createhmac('sha256', passwordsalt); // use crypto package!!! } hmac.update(password); return hmac.digest('base64'); Again, this code assume all users use the same salt. However, you are required to create and store a specific salt for each user. Try your hard to modify it!

Admin login Another mild reminder: what you implement into the project, is the procedure to verify users. However, initially there is no user in your database. Hence, you need work by hand to generate salt, calculate salted password by hand and save them into the database in the offline fashion. You can also build a function that can add user on site, though you need to take more security issues into account

Add the login page 1. Implement all needed function in a new routes, e.g. auth.api.js Salt password Compare with database (mind SQL injection, also other places) What if authenticated, and what if not 2. Implement the login html page: login.handlebars Check for the input (avoid code injection) Decorate the page with other style if you like. Remaining issues: Remember authentication using cookie. It would be covered in next tutorial, along with CSRF prevent issue.

So what to do for Phase 4 should be clear This week, you can work on: (IV) login page and user authentication. (I) and (II) to avoid XSS and SQL injection. Remaining parts, covered in later tutorials: (IV) remember authentication using cookie (III) CSRF prevent (V) Session management (These three things are related, covered in tutorial 8) (VI) Digital certificate. (Content of phase 4b, covered in tutorial 9)

Mild Reminder I would try to release sample codes for your reference this or next week. Please note your instance URL in your REAME file so that TA can check your website effect at once. (Otherwise, I don t have your database and I cannot run your web page on my desktop ) Note that the deadline of phase 4a and 4b are identical. According to the requirement, you need to branch out the branch phase4a rather than phase4. I don t mind if you contain your phase4b implementation in your phase4a submission, but please make sure it must contain your implementation for phase4a.

Interactive Q&A session for previous phases Thanks you!

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback