Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Similar documents
Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Microservices. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Backend Development. SWE 432, Fall Web Application Development

Authentication CS 4720 Mobile Application Development

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

1000 Ways to Die in Mobile OAuth. Eric Chen, Yutong Pei, Yuan Tian, Shuo Chen,Robert Kotcher and Patrick Tague

Persistence & State. SWE 432, Fall 2016 Design and Implementation of Software for the Web

OAuth securing the insecure

Real-world security analyses of OAuth 2.0 and OpenID Connect

Copyright

Distributed Architectures & Microservices. CS 475, Spring 2018 Concurrent & Distributed Systems

Persistence. SWE 432, Fall 2017 Design and Implementation of Software for the Web

Cookies, sessions and authentication

RKN 2015 Application Layer Short Summary

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

openid connect all the things

C1: Define Security Requirements

OAuth and OpenID Connect (IN PLAIN ENGLISH)

Building a Secure PI Web API Environment

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Evaluating the Security Risks of Static vs. Dynamic Websites

Information Security CS 526 Topic 8

Nigori: Storing Secrets in the Cloud. Ben Laurie

Security and Privacy

Man-In-The-Browser Attacks. Daniel Tomescu

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

We will resume at 3:30 pm Enjoy your break!

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Application vulnerabilities and defences

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

JavaScript Fundamentals_

Grandstream Networks, Inc. Captive Portal Authentication via Twitter

OAuth2.0: the Promise and Pitfalls. Sergey Ozernikov Security Consultant OWASP NZ Day 4 th February 2016

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

NIELSEN API PORTAL USER REGISTRATION GUIDE

Administering Jive Mobile Apps

SECURING ASP.NET CORE APPLICATIONS

Bank Infrastructure - Video - 1

Whiteboard Hacking / Hands-on Threat Modeling. Introduction

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

CS 161 Computer Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

SECURITY STORY WE NEVER SEE, TOUCH NOR HOLD YOUR DATA

Introduction to SciTokens

Last mile authentication problem

MAN-IN-THE-MACHINE: EXPLOIT ILL-SECURE COMMUNICATION INSIDE THE COMPUTER


Grandstream Networks, Inc. Captive Portal Authentication via Facebook

Network-based Origin Confusion Attacks against HTTPS Virtual Hosting

Web Security Model and Applications

Web Application Penetration Testing

Sichere Software vom Java-Entwickler

CS 494/594 Computer and Network Security

October 08: Introduction to Web Security

HTTP Security Headers Explained

How to Configure Authentication and Access Control (AAA)

Security Philosophy. Humans have difficulty understanding risk

Integrating with ClearPass HTTP APIs

Non conventional attacks Some things your security scanner won t find OWASP 23/05/2011. The OWASP Foundation.

Security. CSC309 TA: Sukwon Oh

CS November 2018

P2_L12 Web Security Page 1

Security and Authentication

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

last time: command injection

Backend Development. SWE 432, Fall 2017 Design and Implementation of Software for the Web

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Security Fundamentals

Grandstream Networks, Inc. Captive Portal Authentication via Facebook

SOCIAL LOGIN FOR MAGENTO 2 USER GUIDE

Oracle Communications WebRTC Session Controller

The SciTokens Authorization Model: JSON Web Tokens & OAuth

Your Auth is open! Oversharing with OpenAuth & SAML

Security Guide Release 7.1

JAMES BENNETT DJANGOCON EUROPE 3RD JUNE 2015 THE NET IS DARK AND FULL OF TERRORS

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

Authentication Methods

Best Practices: Authentication & Authorization Infrastructure. Massimo Benini HPCAC - April,

SOCIAL LOGIN FOR MAGENTO 2

WEB SECURITY: XSS & CSRF

CS 161 Computer Security

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

INSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)

Privacy and Security in Online Social Networks Department of Computer Science and Engineering Indian Institute of Technology, Madras

Client-Side Security Using CORS

Hunting Bugs in Web App. By Suleman Malik

TIBCO Cloud Integration Security Overview

Connect-2-Everything SAML SSO (client documentation)

Liferay Security Features Overview. How Liferay Approaches Security

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Web Security Computer Security Peter Reiher December 9, 2014

ISACA Silicon Valley. APIs The Next Hacker Target or a Business and Security Opportunity? Tim Mather, CISO Cadence Design Systems

Browser code isolation

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

What someone said about junk hacking

Transcription:

Security SWE 432, Fall 2017 Design and Implementation of Software for the Web

Today Security What is it? Most important types of attacks Authorization oauth 2

Security Why is it important? Users data is on the web Blog comments, FB, Email, Banking, Can others steal it? or who already has access? LaToza Can others impersonate the user? e.g., post on FB on the user s behalf GMU SWE 432 Fall 2017 3

Security Requirements for Web Apps 1. Authentication Verify the identify of the parties involved Who is it? 2. Authorization Grant access to resources only to allowed users Are you allowed? 3. Confidentiality Ensure that information is given only to authenticated parties Can you see it? 4. Integrity Ensure that information is not changed or tampered with Can you change it? 4

Threat Models What is being defended? What resources are important to defend? What malicious actors exist and what attacks might they employ? Who do we trust? What entities or parts of system can be considered secure and trusted Have to trust something! 5

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) server 6

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) server Do I trust that this request really came from the user? 7

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) Do I trust that this response really came from the server? server Do I trust that this request really came from the user? 8

Web Threat Models: Big Picture HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) Do I trust that this response really came from the server? malicious actor black hat server Do I trust that this request really came from the user? 9

Web Threat Models: Big Picture Might be man in the middle that intercepts requests and impersonates user or server. HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) Do I trust that this response really came from the server? malicious actor black hat server Do I trust that this request really came from the user? 10

Security Requirements for Web Apps 1. Authentication Verify the identify of the parties involved Threat: Impersonation. A person pretends to be someone they are not. 2. Authorization 3. Confidentiality Ensure that information is given only to authenticated parties Threat: Eavesdropping. Information leaks to someone that should not have it. 4. Integrity Ensure that information is not changed or tampered with Threat: Tampering. 11

Integrity and Confidentiality What if malicious actor impersonates server? HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) malicious actor black hat server 12

Man in the middle Requests to server intercepted by man in the middle Requests forwarded But response containing code edited, inserting malicious code Or could Intercept and steal sensitive user data 13

HTTPS: HTTP over SSL Establishes secure connection from client to server Uses SSL to encrypt traffic Ensures that others can t impersonate server by establishing certificate authorities that vouch for server. Server trusts an HTTPS connection iff The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities. The user trusts the certificate authority to vouch only for legitimate websites. The website provides a valid certificate, which means it was signed by a trusted authority. The certificate correctly identifies the website (e.g., certificate received for https://example.com" is for "example.com" and not other entity). 14

Using HTTPS If using HTTPS, important that all scripts are loaded through HTTPS If mixed script from untrusted source served through HTTP, attacker could still modify this script, defeating benefits of HTTPS Example attack: Banking website loads jquery through HTTP from a CDN rather than HTTPS Attacker intercepts request for jquery script, replaces with malicious script that steals user data or executes malicious action 15

Authentication How can we know the identify of the parties involved Want to customize experience based on identity But need to determine identity first! Options Ask user to create a new username and password Lots of work to manage (password resets, storing passwords securely, ) Hard to get right (#2 on the OWASP Top 10 Vulnerability List) User does not really want another password Use an authentication provider to authenticate user Google, FB, Twitter, Github, 16

Authentication Provider Creates and tracks the identity of the user Instead of signing in directly to website, user signs in to authentication provider Authentication provider issues token that uniquely proves identity of user Talk more next lecture about how these tokens work 17

Microservices & Authentication If using microservices, how do we decide who is logged in? Typical solution: Sign-on gateway NodeJS, Firebase Google Service Java, MySQL Mod 1 Todos Mod 2 Accounts Mod 3 Mailer REST service REST service REST service Our Cool App Frontend Database Database Database Dumb Backend AJAX Mod Search 4 Engine Mod 5 Analytics Mod Facebook 6 REST service REST service REST service Database Database Database Java, Neo4J C#, SQLServer Python, Firebase LaToza/Bell GMU SWE 432 Fall 2016 18

Microservices & Authentication If using microservices, how do we decide who is logged in? Typical solution: Sign-on gateway NodeJS, Firebase Google Service Java, MySQL Mod 1 Todos Mod 2 Accounts Mod 3 Mailer REST service REST service REST service Our Cool App Frontend Sign-on gateway Dumb Backend AJAX Database Database Database Unauthenticated request Authenticated request Mod Search 4 Engine REST service Mod 5 Analytics REST service Mod Facebook 6 REST service Database Database Database Java, Neo4J C#, SQLServer Python, Firebase LaToza/Bell GMU SWE 432 Fall 2016 19

Authentication & Authorization Putting this sign on gateway will ensure that people are signed in But how do we ensure that someone is authorized to view some given data or make some request? Role of individual services to check back (either with authorization service, or some other service) LaToza/Bell GMU SWE 432 Fall 2016 20

Bigger picture - authentication with multiple service providers Let s consider updating a Todos app so that it can automatically put calendar events on a Google Calendar Logs into, posts new todo Mod 1 Todos REST service Connects as user, creates new event Google Calendar API Database Prof LaToza How does Todos tell Google that it s posting something for Prof LaToza? Should Prof LaToza tell the Todos app his Google password? LaToza/Bell GMU SWE 432 Fall 2016 21

We ve got something for that LaToza/Bell GMU SWE 432 Fall 2016 22

OAuth OAuth is a standard protocol for sharing information about users from a service provider to a consumer app without them disclosing their password to the consumer app 3 key actors: User, consumer app, service provider app E.x. Prof LaToza, Todos App, Google Calendar Service provider issues a token on the user s behalf that the consumer can use Consumer holds onto this token on behalf of the user Protocol could be considered a conversation LaToza/Bell GMU SWE 432 Fall 2016 23

An OAuth Conversation Goal: TodosApp can post events to User s calendar. TodosApp never finds out User s email or password TodosApp User 1: intent 3: redirect to provider 4: permission to share 6: Access resource 5: token created 2: permission (to ask) Google Calendar LaToza/Bell GMU SWE 432 Fall 2016 24

Tokens? A token is a secret value. Holding it gives us access to some privileged data. The token identifies our users and app. Example token: eyjhbgcioijsuzi1niisimtpzci6imu3yjg2njfjmguwm2y3ztk3njqynguxzwfimzi5owixnzrhngvlnwuifq.eyjpc3mioijodhrwczovl3nly3vyzxrva 2VuLmdvb2dsZS5jb20vYXV0aGRlbW8tNzJhNDIiLCJuYW1lIjoiSm9uYXRoYW4gQmVsbCIsInBpY3R1cmUiOiJodHRwczovL2xoNS5nb29nbGV1c2VyY29ud GVudC5jb20vLW0tT29jRlU1R0x3L0FBQUFBQUFBQUFJL0FBQUFBQUFBQUgwL0JVV2tONkRtTVJrL3Bob3RvLmpwZyIsImF1ZCI6ImF1dGhkZW1vLTcyYTQyI iwiyxv0af90aw1lijoxndc3nti5mzcxlcj1c2vyx2lkijoisk1rclfpdtltulrkedy0ylr5z0ezehhey3vimiisinn1yii6ikpnuxjraxu5u1juzhg2ngjue WdBM3h4RGN1SDIiLCJpYXQiOjE0Nzc1MzA4ODUsImV4cCI6MTQ3NzUzNDQ4NSwiZW1haWwiOiJqb25iZWxsd2l0aG5vaEBnbWFpbC5jb20iLCJlbWFpbF92Z XJpZmllZCI6dHJ1ZSwiZmlyZWJhc2UiOnsiaWRlbnRpdGllcyI6eyJnb29nbGUuY29tIjpbIjEwOTA0MDM1MjU3NDMxMjE1NDIxNiJdLCJlbWFpbCI6WyJqb 25iZWxsd2l0aG5vaEBnbWFpbC5jb20iXX0sInNpZ25faW5fcHJvdmlkZXIiOiJnb29nbGUuY29tIn19.rw1pPK377hDGmSaX31uKRphKt4i79aHjceepnA8A 2MppBQnPJlCqmgSapxs-Pwmp-1Jk382VooRwc8TfL6E1UQUl65yi2aYYzSx3mWMTWtPTHTkMN4E-GNprp7hXpqD3PncBh1bq1dThPNyjHLp3CUlPPO_QwaAeSuG5xALhzfYkvLSINty4FguD9vLHydpVHWscBNCDHACOqSeV5MzUs6ZYMnBIitFhbkak6z5OClvxGTGMhvI8 m11hihdwgngndqnnoosiifzlwmqdhif5t3kol-mxtcnq33tvmac43jelxnyb4g7qv2hjioy4mltlxphafceqza3sxgf7vdxbq Decoded: { "iss": "https://securetoken.google.com/authdemo-72a42", "name": Thomas LaToza", "picture": "https://lh5.googleusercontent.com/-m-oocfu5glw/aaaaaaaaaai/aaaaaaaaah0/buwkn6dmmrk/photo.jpg", "aud": "authdemo-72a42", "auth_time": 1477529371, "user_id": "JMQrQiu9SRTdx64bTygA3xxDcuH2", "sub": "JMQrQiu9SRTdx64bTygA3xxDcuH2", "iat": 1477530885, "exp": 1477534485, "email": "latoza@gmail.com", "email_verified": true, "firebase": { "identities": { "google.com": ["109040352574312154216"], "email": ["latoza@gmail.com"] }, "sign_in_provider": "google.com" }, "uid": "JMQrQiu9SRTdx64bTygA3xxDcuH2" LaToza/Bell } GMU SWE 432 Fall 2016 25

Trust in OAuth How does the Service provider (Google calendar) know what the TodosApp is? Solution: When you set up OAuth for the first time, you must register your consumer app with the service provider Let the user decide they were the one who clicked the link after all User TodosApp Evil TodosApp Google Calendar LaToza/Bell GMU SWE 432 Fall 2016 26

Authentication as a Service Whether we are building microservices or not, might make sense to farm out our authentication (user registration/logins) to another service Why? Security Reliability Convenience We can use OAuth for this! We re going to use Firebase s authentication API in our homework this week LaToza/Bell GMU SWE 432 Fall 2016 27

Using an Authentication Service User 1: intent 3: redirect to provider 4: permission to share 6: Access resource 5: token created 2: permission (to ask) Firebase LaToza/Bell GMU SWE 432 Fall 2016 28

Firebase Authentication Firebase provides an entire suite of authentication services you can use to build into your app Can either use federated logins (e.g. login with google, facebook, GitHub credentials) or simple email/ password logins. Use whichever you want. Getting started guide: https://github.com/firebase/ FirebaseUI-Web For backend: https://firebase.google.com/docs/auth/ server/verify-id-tokens Firebase handles browser local storage to track that the user is logged in across pages (woo) LaToza/Bell GMU SWE 432 Fall 2016 29

Authentication: Sharing data between pages Browser loads many pages at the same time. Might want to share data between pages Popup that wants to show details for data on main page Cookies that let user login once for a page and still be logged in when visiting page in separate tab Attack: malicious page User visits a malicious page in a second tab Malicious page steals data from page or its cookies, modifies data, or impersonates user 30

Solution: Same-Origin Policy Browser needs to differentiate pages that are part of same application from unrelated pages What makes a page similar to another page? Origin: the protocol, host, and port http://www.example.com/dir/page.html Different origins: https://www.example.com/dir/page.html http://www.example.com:80/dir/page.html http://en.example.com:80/dir/page.html https://en.wikipedia.org/wiki/same-origin_policy 31

Same-Origin Policy Origin refers to the page that is executing it, NOT where the data comes from Example: In one HTML file, I directly include 3 JS scripts, each loaded from a different server -> All have same origin Example: One of those scripts makes an AJAX call to yet another server -> AJAX call not allowed Scripts contained in a page may access data in a second web page (e.g., its DOM) if they come from the same origin 32

Cross Origin Requests https://developer.mozilla.org/en-us/docs/web/http/access_control_cors 33

CORS: Cross Origin Resource Sharing Same-Origin might be safer, but not really usable: How do we make AJAX calls to other servers? Solution: Cross Origin Resource Sharing (CORS) HTTP header: Access-Control-Allow-Origin: <server or wildcard> In Express: res.header("access-control-allow-origin", "*"); 34

Takeaways Think about all potential threat models Which do you care about Which do you not care about What user data are you retaining Who are you sharing it with, and what might they do with it 35

Readings for next time Intro to microservices https://www.martinfowler.com/articles/ microservices.html 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback