Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Similar documents
Security. SWE 432, Fall 2017 Design and Implementation of Software for the Web

C1: Define Security Requirements


RKN 2015 Application Layer Short Summary

Evaluating the Security Risks of Static vs. Dynamic Websites

Featuring. and. Göteborg. Ulf Larson Thursday, October 24, 13

P2_L12 Web Security Page 1

Application vulnerabilities and defences

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Copyright

Domino Web Server Security

Application Layer Security

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Solutions Business Manager Web Application Security Assessment

WEB SECURITY: XSS & CSRF

Combating Common Web App Authentication Threats

SOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications

TIBCO Cloud Integration Security Overview

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

OWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example

Security. 1 Introduction. Alex S. 1.1 Authentication

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CS 161 Computer Security

Web Security, Summer Term 2012

Web Security, Summer Term 2012

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

CS 161 Computer Security

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Berner Fachhochschule Haute cole spcialise bernoise Berne University of Applied Sciences 2

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Sichere Software vom Java-Entwickler

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

HTTP Security Headers Explained

Wayward Wi-Fi. How Rogue Hotspots Can Hijack Your Data and Put Your Mobile Devices at Risk

Security Best Practices. For DNN Websites

CS 142 Winter Session Management. Dan Boneh

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Information Security. Gabriel Lawrence Director, IT Security UCSD

CPSC 467b: Cryptography and Computer Security

Don t blink or how to create secure software. Bozhidar Bozhanov, LogSentinel

Web Application Penetration Testing

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

OWASP Top 10 The Ten Most Critical Web Application Security Risks

CSRF in the Modern Age

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Security II. Slides from M. Hicks, University of Maryland

Backend IV: Authentication, Authorization and Sanitization. Tuesday, January 13, 15

Bank Infrastructure - Video - 1

Secure Frame Communication in Browsers Review

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CIS 4360 Secure Computer Systems XSS

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CSCE 813 Internet Security Case Study II: XSS

Security Course. WebGoat Lab sessions

Welcome to the OWASP TOP 10

Web Application Vulnerabilities: OWASP Top 10 Revisited

Real-world security analyses of OAuth 2.0 and OpenID Connect

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

EasyCrypt passes an independent security audit

Assignment 6: Web Security

WebGoat Lab session overview

Cookies, sessions and authentication

Chapter 9: Key Management

Mobile Malfeasance. Exploring Dangerous Mobile Code. Jason Haddix, Director of Penetration Testing

CSCD 303 Essential Computer Security Fall 2017

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

last time: command injection

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

CS 161 Computer Security

Securing Internet Communication: TLS

COMP9321 Web Application Engineering

Some Facts Web 2.0/Ajax Security

Installation and usage of SSL certificates: Your guide to getting it right

Information Security CS 526 Topic 8

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

Personal Internet Security Basics. Dan Ficker Twin Cities DrupalCamp 2018

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Web Application Security

Web 2.0 Attacks Explained

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

Project 2: Web Security

Security and Privacy

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Slides adopted from Laurie Williams. OWASP Top Ten. John Slankas

CSCD 303 Essential Computer Security Fall 2018

IERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu

NET 311 INFORMATION SECURITY

Web Application Security. Philippe Bogaerts

Browser code isolation

Application Design and Development: October 30

Transcription:

Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web

Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project#tab=OWASP_Top_10_for_2013 https://developer.mozilla.org/en-us/docs/web/http/access_control_cors 2

Security Why is it important? Users data is on the web Blog comments, FB, Email, Banking, Can others steal it? or who already has access? Can others impersonate the user? e.g., post on FB on the user s behalf 3

Example https://gmu-swe432.github.io/lecture7demos/ public/lecture7demo2.html 4

Example Todo item: /><script>alert("lasagna FOR PRESIDENT );</script> Why does this work? What else might this be used to do? 5

Security Requirements for Web Apps 1. Authentication Verify the identify of the parties involved Who is it? 2. Authorization Grant access to resources only to allowed users Are you allowed? 3. Confidentiality Ensure that information is given only to authenticated parties Can you see it? 4. Integrity Ensure that information is not changed or tampered with Can you change it? 6

Threat Models What is being defended? What resources are important to defend? What malicious actors exist and what attacks might they employ? Who do we trust? What entities or parts of system can be considered secure and trusted Have to trust something! 7

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) server 8

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) server Do I trust that this request really came from the user? 9

Web Threat Models: Big Picture HTTP Request HTTP Response client page (the user ) Do I trust that this response really came from the server? server Do I trust that this request really came from the user? 10

Web Threat Models: Big Picture HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) Do I trust that this response really came from the server? malicious actor black hat server Do I trust that this request really came from the user? 11

Web Threat Models: Big Picture Might be man in the middle that intercepts requests and impersonates user or server. HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) Do I trust that this response really came from the server? malicious actor black hat server Do I trust that this request really came from the user? 12

Security Requirements for Web Apps 1. Authentication Verify the identify of the parties involved Threat: Impersonation. A person pretends to be someone they are not. 2. Authorization 3. Confidentiality Ensure that information is given only to authenticated parties Threat: Eavesdropping. Information leaks to someone that should not have it. 4. Integrity Ensure that information is not changed or tampered with Threat: Tampering. 13

Sharing data between pages Browser loads many pages at the same time. Might want to share data between pages Popup that wants to show details for data on main page Cookies that let user login once for a page and still be logged in when visiting page in separate tab Attack: malicious page User visits a malicious page in a second tab Malicious page steals data from page or its cookies, modifies data, or impersonates user 14

Solution: Same-Origin Policy Browser needs to differentiate pages that are part of same application from unrelated pages What makes a page similar to another page? Origin: the protocol, host, and port http://www.example.com/dir/page.html Different origins: https://www.example.com/dir/page.html http://www.example.com:80/dir/page.html http://en.example.com:80/dir/page.html https://en.wikipedia.org/wiki/same-origin_policy 15

Same-Origin Policy Origin refers to the page that is executing it, NOT where the data comes from Example: In one HTML file, I directly include 3 JS scripts, each loaded from a different server -> All have same origin Example: One of those scripts makes an AJAX call to yet another server -> AJAX call not allowed Scripts contained in a page may access data in a second web page (e.g., its DOM) if they come from the same origin 16

Cross Origin Requests https://developer.mozilla.org/en-us/docs/web/http/access_control_cors 17

CORS: Cross Origin Resource Sharing Same-Origin might be safer, but not really usable: How do we make AJAX calls to other servers? Solution: Cross Origin Resource Sharing (CORS) HTTP header: Access-Control-Allow-Origin: <server or wildcard> In Express: res.header("access-control-allow-origin", "*"); 18

Top 3 Web Vulnerabilities OWASP collected data on vulnerabilities Surveyed 7 firms specializing in web app security Collected 500,000 vulnerabilities across hundreds of apps and thousands of firms Prioritized by prevalence as well as exploitability, detectability, impact https://www.owasp.org/index.php/category:owasp_top_ten_project 19

#3 - XSS: Cross Site Scripting User input that contains a client-side script that does not belong A todo item: /><script>alert("lasagna FOR PRESIDENT );</script> Works when user input is used to render DOM elements without being escaped properly User input saved to server may be served to other users Enables malicious user to execute code on other s users browser e.g., click Buy button to buy a stock, send password data to third party, 20

#2 - Broken Authentication and Session Management Building authentication is hard Logout, password management, timeouts, secrete questions, account updates, Vulnerability may exist if User authentication credentials aren t protected when stored using hashing or encryption. Credentials can be guessed or overwritten through weak account management functions (e.g., account creation, change password, recover password, weak session IDs). Session IDs are exposed in the URL (e.g., URL rewriting). Session IDs don t timeout, or user sessions or authentication tokens, particularly single sign-on (SSO) tokens, aren t properly invalidated during logout. Session IDs aren t rotated after successful login. Passwords, session IDs, and other credentials are sent over unencrypted connections. 21

#1 - Injection User input that contains server-side code that does not belong Usually comes up in context of SQL (which we aren t using) e.g., String query = "SELECT * FROM accounts WHERE custid='" + request.getparameter("id") + "'"; Might come up in JS in context of eval eval(request.getparameter( code )); Obvious injection attack - don t do this! 22

Validating user input Escape Strings that originate from user Type of escaping depends on where data will be used HTML - HTML entity encoding URL - URL Escape JSON - Javascript Escape Done automatically by some frameworks such as React More details: https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_Cheat_She et 23

Authentication How can we know the identify of the parties involved Want to customize experience based on identity But need to determine identity first! Options Ask user to create a new username and password Lots of work to manage (password resets, storing passwords securely, ) Hard to get right (#2 on the OWASP Top 10 Vulnerability List) User does not really want another password Use an authentication provider to authenticate user Google, FB, Twitter, Github, 24

Authentication Provider Creates and tracks the identity of the user Instead of signing in directly to website, user signs in to authentication provider Authentication provider issues token that uniquely proves identity of user Talk more next lecture about how these tokens work 25

Web Threat Models: Big Picture What if malicious actor impersonates server? HTTP Request HTTP Request HTTP Response HTTP Response client page (the user ) malicious actor black hat server 26

Man in the middle Requests to server intercepted by man in the middle Requests forwarded But response containing code edited, inserting malicious code Or could Intercept and steal sensitive user data 27

HTTPS: HTTP over SSL Establishes secure connection from client to server Uses SSL to encrypt traffic Ensures that others can t impersonate server by establishing certificate authorities that vouch for server. Server trusts an HTTPS connection iff The user trusts that the browser software correctly implements HTTPS with correctly pre-installed certificate authorities. The user trusts the certificate authority to vouch only for legitimate websites. The website provides a valid certificate, which means it was signed by a trusted authority. The certificate correctly identifies the website (e.g., certificate received for https://example.com" is for "example.com" and not other entity). 28

Using HTTPS If using HTTPS, important that all scripts are loaded through HTTPS If mixed script from untrusted source served through HTTP, attacker could still modify this script, defeating benefits of HTTPS Example attack: Banking website loads jquery through HTTP from a CDN rather than HTTPS Attacker intercepts request for jquery script, replaces with malicious script that steals user data or executes malicious action 29

Privacy What does it mean to you? 30

Some definitions of privacy Secrecy Contextual integrity Limited access to the self Control over information Adapted from Conceptions of Privacy by Lorrie Faith Cranor 31

Limited access to self the right to be let alone - Samuel D. Warren and Louis D. Brandeis, The Right to Privacy, 4 Harv. L. Rev. 193 (1890) Our concern over our accessibility to others: the extent to which we are known to others, the extent to which others have physical access to us, and the extent to which we are the subject of others attention. - Ruth Gavison, Privacy and the Limits of the Law, Yale Law Journal 89 (1980) 32

Control over information Privacy is the claim of individuals, groups or institutions to determine for themselves when, how, and to what extent information about them is communicated to others. each individual is continually engaged in a personal adjustment process in which he balances the desire for privacy with the desire for disclosure and communication. Alan Westin, Privacy and Freedom, 1967 33

Data What sorts of data might be collected The products you browsed on Amazon The emails you wrote or were sent to you The location of where you were last Monday Everything you ve bought with a credit card 34

Who might use this data? Service owner Recommendations: based on your past history, you are like to want to watch Data might be shared with third parties (e.g., advertisers) Based on an email you just received from your family, you are likely to want to buy a plane ticket to Seattle. Even aggregate data can have value How do you decide what data to share or not? 35

Mechanisms for enforcing privacy Do Not Track: http://donottrack.us/ Proposed W3C standard implemented by current browsers Aims to give users control by letting them opt out of tracking Hard to implement without regulatory enforcement Nothing today (in US) to ensure that websites follow user preference Other countries (e.g., EU) starting to develop stronger legal protections for privacy https://en.wikipedia.org/wiki/do_not_track 36

Takeaways Think about all potential threat models Which do you care about Which do you not care about What user data are you retaining Who are you sharing it with, and what might they do with it 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback