Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security UMTS (3G) security LTE (4G) security WEB Security Browser/WWW security Web services security BROWSER SECURITY Modified from Mayra Sacanamboy
Topics Introduction Web Application Components Common Vulnerabilities Improving security in Web applications Introduction What does World Wide Web security mean? For Webmasters: confidence that their site won t be hacked or used as a gateway to get into their LANS For Web users: it is the ability to browse securely through the web But in general Introduction World Wide Web security Procedures Technologies Practices Effects: Infrastructure Client Network/Transport Web Application Web Application is a client/server software application that interacts with users or other systems using HTTP(S). Browser HTML & CSS HTTP request (web)server Back-end server
Web Threat Models Web attacker Control attacker.com Can obtain SSL/TLS certificate for attacker.com ($0) User visits attacker.com Some important Components 1. Authentication 2. Browser Security 3. Scripts and Active Code 4. Technologies : e.g. Ajax Network attacker Passive: Wireless eavesdropper Active: Evil router, DNS poisoning Malware attacker Attacker escapes browser sandbox Authentication Of a user or entity using HTTP basic HTTP digest For secure authentication SSL (https://...) Cookies Used to store state on user s machine Browser If expires=null: this session only GET HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser GET Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state
Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Set-cookie: auth=val Validate user auth=val Store val SAME ORIGIN POLICY (SOP) GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, restricted.html YES/NO Document Object Model (DOM) Object-oriented interface used to read and write docs web page in HTML is (tree) structured data DOM provides representation of this hierarchy Examples Properties: document.alinkcolor, document.url, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer) Also Browser Object Model (BOM) window, document, frames[], history, location, navigator (type and version of browser) Browser Same Origin Policy (SOP) Web sites from different domains cannot interact except in very limited ways Applies to: Cookies: cookie from origin A not visible to origin B DOM: script from origin A cannot read or set properties for origin B For DOM access, two origins are the same if and only if tuple ( domain-name, port, and protocol ) is equal Safari note: until 3.0 SOP was only (domain-name, port)
SOP Examples Example HTML at www.lu.com Disallowed access: <iframe src="http://kth.com"></iframe> alert( frames[0].contentdocument.body.innerhtml ) alert( frames[0].src ) Allowed access: <img src="http://kth.com/logo.gif"> alert( images[0].height ) Navigating child frame is allowed (but reading frame[0].src is not): frames[0].location.href = http://mysite.com/ Web Browser: the new OS Origins are similar to processes One origin should not interfere with another Cooperation: often sites want to communicate Google AdSense: <script src="http://googlesyndication.com/show_ads.js"> Mash-ups Gadget aggregators (e.g. igoogle or live.com) To communicate with B, site A must give B full control: <script src=http://siteb.com/script.html> now script from site B runs in origin of site A Browser Security Cookie Data file originated by a web server, with the client s information (machine name, keystrokes the user types, etc) Types Per-session, secure Persistent, nonsecure Cookies = vulnerability ~ privacy Structure Of A Cookie Scripts and Active Code Scripts Programs executed on the server side performing advanced operations. E.g: perl, c, php, etc Active Code Programs designed to perform detailed task on the client s side. E.g: javascript, Java Applets, ActiveX, Domain Flag Path Secure Expiration Name Value www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480
Scripts and Active Code Vulnerabilities Misusing interpreters: putting the script interpreter in the same place as the scripts directory. http://www.victim.com/cgi-bin/perl.exe?-e+%27unlink+%3c*%3e%27 Web Server --> perl e unlink <*> Scripts and Active Code Passing unchecked user input to command interpreters: user input is passed to a command shell, allowing remote users to execute shell commands on the web server. Opening files based on unchecked user input. When writing user inputs to disk. Flawed memory management: is in the domain of programming languages that do not perform memory management internally such as c, c++. Scripts and Active Code Security Model Java Applets => sandbox JavaScript sandbox same origin policy object signing Scripts and Active Code ActiveX Is a binary code that extend the functionality of a web application; it can take any action as the user. Security is partially controlled by the web designer and a third party. Security Options safe for initializing safe for scripting
3.4 AJAX (Asynchronous JavaScript and XML) presentation management using XHTML, CSS, and the Document Object Model; Asynchronous data retrieval using XMLHttpRequest; and, JavaScript AJAX Synchronous Asynchronous Two common vulnerabilities Cross Site Scripting (XSS) Sql Injection Common Vulnerabilities: XSS Cross Site Scripting (XSS) An attacker injects malicious code, usually client-side scripts, into web applications from outside sources. Types - Stored - Reflected Due to lack of input/output filtering
Reflection XSS Common Vulnerabilities 3: result page with embedded script Sql Injection 2: form with embedded script Trusted server An attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data 4: cookie 1. Page click Attacker s server Common Vulnerabilities Sql Injection: SELECT * FROM users WHERE login = Bush AND password = '123' (If it returns something then login!) PHP/PostgreSql Server login syntax $sql = "SELECT * FROM users WHERE login = '". $formusr. "' AND password = '". $formpwd. "'"; Security Guidelines Validate Input and Output Fail Securely (Closed) Keep it Simple Use and Reuse Trusted Components Defense in Depth Only as Secure as the Weakest Link Security By Obscurity Won't Work Least Privilege Compartmentalization (Separation of Privileges)
Topics WEB SERVICES Federated Identity Management XML signatures (not treated) Federated Identity Management refers to having a common set of policies, practices and protocols in place to manage a digital identity and trust into IT users and devices between organizations Single sign-on (SSO) systems allow a single user authentication process between multiple IT systems or even organizations. OpenID SAML: security assertion markup language XACML: descriptive policy language