COMP9321 Web Application Engineering


COMP9321 Web Application Engineering, Semester 2, 2016. Dr. Amin Beheshti, Service Oriented Computing Group, CSE, UNSW Australia. Week 9. http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445

Assignment 2: The due date for Assignment 2 (end of the Mid Semester Break) is Sunday, 2 October 2016, 23:59:59. The demo will be held during the lab times in week 10. UNSW, CSE, Calendar: https://student.unsw.edu.au/calendar

Assignment 3: Released.

Introduction to Web Application Security. Acknowledgements: This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc., Sydney, Australia, and from the Open Web Application Security Project (OWASP), http://www.owasp.org

Introduction to Web Application Security. Warning: The objective of this presentation is to show you common security loopholes appearing in Web applications. However, it is not meant to encourage you to attack web applications. Such actions are both a breach of the law in most countries and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university.

Securing your Web Application

Securing your Web Application: Threats!

Securing your Web Application: Requirements!

SQL Injection

SQL injection: SQL Injection is a code injection technique used to attack data-driven applications. How: malicious SQL statements are inserted into an entry field for execution.

SQL Injection: What is wrong? (Look up: comments in SQL.)

SQL Injection: Summary!

SQL Injection: Prevention!! To keep malicious inputs contained, any inputs written to the database need to be encoded. SQL encoding: ' OR 1=1 --' is encoded to \ \'\ OR\ 1\=1\ \-\-' (see https://en.wikipedia.org/wiki/secure_input_and_output_handling)
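The login lookup the slides describe, as an added example that is not part of the lecture material: first built by string concatenation, so the slide's ' OR 1=1 -- input rewrites the query, then as a parameterised query, the standard way to keep input contained as data. The users table, its rows and the function names are constructed for the demo.

```python
# Added example, not from the lecture slides: the login query the slides
# describe, written with string concatenation (vulnerable) and then with a
# parameterised query (safe). The users table and its rows are constructed.
import sqlite3

def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con

def login_vulnerable(con, name, password):
    # Untrusted input is spliced into the SQL text, so a quote and a comment
    # marker in the input change the structure of the statement.
    sql = ("SELECT name FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return sorted(row[0] for row in con.execute(sql))

def login_safe(con, name, password):
    # Parameterised query: values travel separately from the SQL text, so the
    # input is only ever compared as data and never parsed as SQL.
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in con.execute(sql, (name, password)))

def demo():
    con = make_db()
    payload = "' OR 1=1 --"    # the input shown on the prevention slide
    return {
        "vulnerable": login_vulnerable(con, payload, "wrong"),  # every user
        "safe": login_safe(con, payload, "wrong"),              # no match
        "legit": login_safe(con, "alice", "s3cret"),            # real login
    }

if __name__ == "__main__":
    print(demo())
```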

Cross Site Scripting (XSS)

Cross Site Scripting (XSS): Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications. XSS enables attackers to inject client-side script into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. The same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin, i.e. the same combination of URI scheme, hostname, and port number.

Cross Site Scripting (XSS): What is wrong? Suppose the victim is given this URL by the attacker (www.badguy.com): The web page would then be injected with the following script:

Cross Site Scripting (XSS): Summary!

Cross Site Scripting (XSS): Prevention!!
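A reflected XSS bug of the kind the "What is wrong?" slide describes, and the output-encoding fix, as an added example that is not part of the lecture material. The page template, the attacker-supplied URL and the host name are constructed for the demo.

```python
# Added example, not from the lecture slides: a page that reflects a query
# parameter into HTML, once verbatim (vulnerable) and once HTML-escaped
# (safe). The template, URL and site name are constructed for the demo.
import html
from urllib.parse import urlparse, parse_qs

TEMPLATE = "<html><body><h1>Hello, {name}!</h1></body></html>"

def name_from_url(url):
    # The server takes the 'name' query parameter straight from the request URL.
    query = parse_qs(urlparse(url).query)
    return query.get("name", [""])[0]

def render_vulnerable(url):
    # Untrusted input is copied into the HTML as-is, so a <script> element in
    # the parameter becomes part of the page the victim's browser executes.
    return TEMPLATE.format(name=name_from_url(url))

def render_safe(url):
    # Output encoding: every character with meaning in HTML is escaped, so the
    # browser shows the text literally instead of interpreting it as markup.
    return TEMPLATE.format(name=html.escape(name_from_url(url), quote=True))

def contains_script(page):
    # Crude detection check used here to compare the two renderings.
    return "<script" in page.lower()

# Constructed link the victim is tricked into opening; the parameter is the
# percent-encoded form of <script>alert(1)</script>.
EVIL_URL = ("http://victim-site.example/greet?"
            "name=%3Cscript%3Ealert(1)%3C/script%3E")

if __name__ == "__main__":
    print(render_vulnerable(EVIL_URL))
    print(render_safe(EVIL_URL))
```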

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF): Cross-site request forgery, also known as a one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Exploit: an exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur in computer software. Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.

Cross Site Request Forgery (CSRF): Prevention!! A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.
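The anti-CSRF token pattern, as an added example that is not part of the lecture material and an alternative to the CAPTCHA the prevention slide mentions: the genuine form carries a per-session secret that a page on another origin cannot read, and the server rejects a state-changing request that lacks it or arrives from a foreign Origin. The session store, site names and sample requests are constructed.

```python
# Added example, not from the lecture slides: the anti-CSRF token pattern,
# an alternative to the CAPTCHA the prevention slide mentions. The session
# store, site names and sample requests are constructed for the demo.
import hmac
import secrets

SESSIONS = {}      # session id -> secret token for that session

def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(32)
    return sid

def render_form(sid):
    # The genuine page embeds the session's token in a hidden field. A page on
    # another origin cannot read it, because of the same-origin policy.
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]}">'
            '<input name="amount"><button>Send</button></form>')

def handle_transfer(sid, form, origin, site="https://bank.example"):
    # Accept the state-changing request only if the cookie-bound session is
    # valid, the Origin header (when present) is our own site, and the form
    # carries the session's token. A forged request from another site brings
    # the victim's cookie along but cannot supply the token.
    if sid not in SESSIONS:
        return False
    if origin is not None and origin != site:
        return False
    # Constant-time comparison so the token cannot be recovered byte by byte.
    return hmac.compare_digest(SESSIONS[sid], form.get("csrf_token", ""))

def demo():
    sid = new_session()                    # victim logs in; cookie holds sid
    token = SESSIONS[sid]
    genuine = handle_transfer(sid, {"csrf_token": token, "amount": "10"},
                              "https://bank.example")
    # Forged POST triggered from www.badguy.com: the browser attaches the
    # cookie, but the attacker's page lacks the token and Origin is wrong.
    forged = handle_transfer(sid, {"amount": "1000"}, "https://www.badguy.com")
    # Forged request with no Origin header and a guessed token.
    guessed = handle_transfer(sid, {"csrf_token": "0" * 64, "amount": "1000"},
                              None)
    return genuine, forged, guessed
```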

Unvalidated Input

Unvalidated Input: Summary

Unvalidated Input: Prevention!

Broken Authentication

Broken Authentication (Look up: SHA-1.)

Fixing Authentication: How To?! (Look up: MITM.)

Fixing Authentication: Salting Passwords! In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase. The primary function of salts is to defend against dictionary attacks against a list of password hashes and against pre-computed rainbow table attacks. E.g., the salt and the password can be concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) can be stored with the salt in a database.

Fixing Authentication: Salting Passwords! Why add salt? If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks: 1. Due to the birthday paradox, the attacker can find a password very quickly, especially if the number of passwords in the database is large. (In probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. See: http://en.wikipedia.org/wiki/birthday_paradox) 2. An attacker can use a list of precomputed hashes to break passwords in seconds. (A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. See: http://en.wikipedia.org/wiki/rainbow_table)

Fixing Authentication: Salting Passwords! In order to solve these problems, a salt can be concatenated to the password before the digest operation. A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password. In this configuration, an attacker must mount a brute force attack on each individual password. The database is now birthday attack/rainbow crack resistant. (A brute force attack consists of systematically checking all possible keys or passwords until the correct one is found. In the worst case, this would involve traversing the entire search space.)
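The salted-hash scheme the three slides above describe, beside the unsalted one, as an added example that is not part of the lecture material: a fresh fixed-length random salt per entry, salt concatenated with the password before the digest, and the salt stored in clear text next to the hash. SHA-256 stands in for the hash function (the slides mention SHA-1); the user records are constructed.

```python
# Added example, not from the lecture slides: the salted-hash scheme the
# slides describe, beside the unsalted one. SHA-256 stands in for the hash
# function (the slides mention SHA-1); the user records are constructed.
import hashlib
import hmac
import secrets

SALT_BYTES = 16     # fixed-length random salt, freshly drawn per stored entry

def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()

def store_salted(password):
    # salt || password goes through the digest; the salt is kept in clear text
    # beside the hash so the same computation can be repeated at login.
    # (Production systems use a deliberately slow KDF such as
    # hashlib.pbkdf2_hmac instead of a single fast digest.)
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return {"salt": salt.hex(), "hash": digest}

def verify_salted(record, password):
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return hmac.compare_digest(record["hash"], digest)

def demo():
    # Two users who happened to choose the same password.
    same_unsalted = hash_unsalted("hunter2") == hash_unsalted("hunter2")
    rec_a, rec_b = store_salted("hunter2"), store_salted("hunter2")
    # Different salts give different hashes, so the reuse is not visible and a
    # precomputed (rainbow) table would have to be rebuilt per salt value.
    same_salted = rec_a["hash"] == rec_b["hash"]
    return (same_unsalted, same_salted,
            verify_salted(rec_a, "hunter2"), verify_salted(rec_a, "hunter3"))

if __name__ == "__main__":
    print(demo())
```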

Session Management

Session Management: Problem or Solution?! Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
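A small checker for the Set-Cookie syntax shown on the slide, as an added example that is not part of the lecture material: it parses the header, flags a session cookie that lacks the secure or HttpOnly attribute, and builds the hardened form. The sample headers, cookie name and domain are constructed.

```python
# Added example, not from the lecture slides: parse the Set-Cookie syntax on
# the slide and flag session cookies missing the secure and HttpOnly
# attributes. The sample headers, cookie name and domain are constructed.

def parse_set_cookie(header):
    # Returns (name, value, attrs); attribute names are case-insensitive.
    body = header
    if header.lower().startswith("set-cookie:"):
        body = header.split(":", 1)[1]
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs

def audit_cookie(header):
    # Lists the problems a reviewer would raise for one Set-Cookie header.
    name, _, attrs = parse_set_cookie(header)
    problems = []
    if "secure" not in attrs:
        problems.append(f"{name}: no secure flag, sent over plain HTTP too")
    if "httponly" not in attrs:
        problems.append(f"{name}: no HttpOnly flag, readable by injected script")
    return problems

def build_session_cookie(name, value, domain, path="/"):
    # The hardened form of the slide's header: scope limited, both flags set.
    return (f"Set-Cookie: {name}={value}; domain={domain}; path={path}; "
            "secure; HttpOnly")

# Constructed headers as a servlet container might emit them.
SAMPLE_HEADERS = [
    "Set-Cookie: JSESSIONID=8F2A1C; path=/",
    "Set-Cookie: JSESSIONID=8F2A1C; path=/; Secure",
    build_session_cookie("JSESSIONID", "8F2A1C", "app.example"),
]

def audit_all(headers):
    return {h: audit_cookie(h) for h in headers}

if __name__ == "__main__":
    for header, problems in audit_all(SAMPLE_HEADERS).items():
        print(header, "->", problems or "ok")
```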

Transport Layer Security

Transport Layer Security (e.g. HTTPS) (Look up: Secure Sockets Layer, SSL; Certification Authority, CA.)

HTTPS: Basics

HTTPS: Public-Key Cryptography

HTTPS: Shared-Key Cryptography

HTTPS: Hashing

HTTPS: Certificates

HTTPS: Signatures

HTTPS: How to? Limitations?! How to: follow the steps at https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Application Layer Security

References: http://www.owasp.org, https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html