Unit 1 Web Appln Security Prinicples PDF
Unit 1 Web Appln Security Prinicples PDF
Unit 1 Web Appln Security Prinicples PDF
BCSDCS615
Domain Centric Security
Course Instructor
P. Mohana Priya,
Assistant Professor – I,
Department of IT,
School of Computing,
Sastra Deemed to be University,
Thanjavur – 613 401.
U – I : Web Application Security Principles
• Web Application (or) Web App :
Google Google
Web mail
Docs maps
http://demo.horde.org/imp/basic.php?mailbox=SU5CT1g&page=mailbox
Access Control
• For some web apps, only certain users are
permitted to access the protected resources.
Operation – Listens,
Queries… Resource – DCS class
DCS Books
Subjects - Students
High level overview of ACS
Start
Subject claims
with his /her Identity
uname and Confirmed
password
yes
AuthN
Are the
mechanism
credentials
looks up user
valid ?
credentials in DB
(or) DS
No
Identity
Rejected
Access Control System
Authentication Authorization
Authentication Authorization
• Proving that you are who • Process of determining
you claim to be. whether the validated identity
has the rights to do what they
want to do.
Authentication
• Process in which the subject proves that they are whom they claim to
be.
• Repeated Exposure
– User credentials themselves must be submitted with every single request for
a protected resource.
– The user name and password must be submitted to the web server
with each request, the browser caches the authentication credentials.
– There is no way to log out, the only way to clear the stored
credentials is to close the tab (or) clear the history.
• Similar to the basic authentication scheme except that the MD5 hashing
algorithm is used to transform the password.
– http://tools.ietf.org/html/rfc2617
BASIC ACCESS AUTHENTICATION DIGEST ACCESS AUTHENTICATION
https://Aladdin:[email protected]
.com/index.html
• In BAA, the user credentials such as {user • In DAA, the user credentials are hashed
name : password} are encoded using base64. using MD5 hash function.
• Differences between encoding and • Number Used Only Once (Nonce) is used
encryption : to prevent replay attacks.
• Encoding : Transforms data into another
format using a scheme that is publicly • Hash (Client IP : timestamp : private –
available so that it can easily be reversed. key)
• Encrypting : Transforms data into another
format in such a way that only specific • Security Issues :
individual(s) can reverse the transformation. 1) Man-in-the-Middle Attack
2) Spoofing by counterfeit servers
• RFC - 7617. 3) Storing Passwords
Attacker Server
Client
Database
Single Sign – on (SSO) Authentication
• SSO allows a user to login to a single interface and gain access to
multiple, independently secured systems.
• Online Attacks
– Attempting to guess a password, you can attempt it either against the live
system
• Offline Attacks
– Attempting to guess a password, you can attempt it either against the hashed
or encrypted password values.
Dictionary Attack
• Dictionary :
• Limits are usually placed on brute force attack based on length and
character set.
• Popular tools to perform dictionary and brute force attacks include John
the Ripper, Hydra, Web Slayer and Cain & Abel.
– If key space is larger, the time consumption will be larger to search all the
possibilities.
– Key space :
– Size of the key space can be increased by increasing the minimum length
required.
• The hashed password value is then stored into the database for a specific
user name.
• When the user log into the web application, corresponding username
and password is checked with the database.
– For each password being stored, hashing function is applied over and
over again.
– The o/p of the first hashing function is the i/p for the second hashing
function that results in increasing the security of stored passwords.
• Completely Automated Public Turing Tests To Tell Computers and Humans Apart (CAPTCHA)
• Avoid Remember me (Stay Signed In) Long Cookie expiration with session ID.
• Kindly please don’t REMEMBER ME
Authorization
• Granting (or) denying access based on the set of rules.
• Session management go hand in hand with authorization.
• Session Management :
– Both client and server keeps track of who the user is
– Closely related to what the user is allowed to do and
– What the user is actually doing.
• Session and Session Management is also considered as an another
layer of interaction between web browser and web server.
• Authorization Fundamentals
– Process of deciding whether a user can perform a certain action.
– (eg): Joe accessing a health data application hosted by his doctor’s
office.
– Joe has to be authenticated with his username, social security
number, health insurance account number.
Simple Model of AuthZ
• Health Insurance Portability and Accountability Act (HIPAA).
• Authorization Goals :
• To ensure that users can only perform actions within their privilege
level.
• Determining Access
– Policies comes in different styles as well.
– Access Control List (ACL) are permissions that are applied to specific resource.
– There are three general patterns of Access Control Models you follow :
• Types of Permissions
– Read access
– Write access and
– Execute access
• Read access
– Read access just means the ability to see what something is, to have it’s contents
presented for user perusal.
• Write Access
• Execute Access
• Authorization Layers
– Authorization should happen at many points and many times within a web
application.
• Through various settings (or) configuration files, you can specify which
users and groups can access what URLs.
– There are a number of AuthZ modules that plugin to various web development
frameworks which by default not present in the web application.
– Check the documentation for web development framework (or) ask around on
community support.
• CAS is used to determine whether the code is allowed to run with the
capabilities it wishes to use.
• CAS is related to the idea of assessing whether the code is allowed to run with
the capabilities it wishes to use.
• Databases such as Microsoft’s SQL Server, Oracle and others have their own
implementation on concepts such as users, roles, permissions, and so forth.
• Wrap every request to create, read, update (or) delete data within properly
parameterized stored procedures.
• Revoke the access permissions from all the tables of the users database.
• Map all the interactions between the application and the database user accounts
and reduce the permissions those accounts have to the bare minimum.
Where should you put Authorization Logic ?
• All “smarts” has been incorporated to determine who can and cannot do
what and then grant the application itself full.
• What :
– The first axis in the 3x3 model matrix is the “what” axis.
– Users/Subjects
• Any entity that’s making a request against a resource.
– Operations
• The functionality resources in your web application.
– Objects
• Resources managed by your web application, the underlying
things such as data, that your web application cares about.
• When
– 2nd axis.
– It considers the time when permissions checks need to happen and
approvals granted (or) denied.
– 3x3 Authorization System
– Before loading the interface.
– Before requests are submitted and
– Before granting final access.
• Common Attacks
– Client Side Attacks
– Time of Check To Time of Use (TOCTTOU)(eg. Breakup)
– Time of Check To Time of Use Exploit (eg. Couples)
– Automatically Invalidating the Session
• Web Authorization Best Practices
1. Failing Closed
1. Restart everything in case of failure of anything. (Brutal and
inconvenient policy)
2. Operating with Least Privilege
3. Separating Duties (Regular user and Administrator)
4. Defining Strong Policies.
5. Keeping Accounts Unique
6. Authorizing on Every Request.
7. Centralizing the Authorization Mechanism.
8. Minimizing Custom Authorization Mechanism.
9. Protecting Static resources.
10. Avoiding Insecure Client-Side Authorization Tokens. (Firesheep)
11. Using Server Side Authorization
12. Mistrusting Everybody
Attacks on Authorization
• Forceful Browsing (Obtaining user history)
• Parameter Tampering (Changing inputs , level)
• HTTP Header Manipulation
• Cross-Site Request Forgery
Session Management Fundamentals
• Introduction to Session
• Session State
• Session State Persistent Strategies
• Cookies
• Form Fields and URL query parameters
• Web Storage (HTML5)
• Flash Local Shared Objects (LSO) (Flash cookies)
• Silver-Light Isolated Storage (Encrypting and digitally signing)
• Server Side Storage (Add to Cart)
How to Manage Session State ?
Client Server
1) Have data on
the server end.
• Security attack is normally an accidental error that occurs while developing the
software.
• It helps to find weak areas where an intruder can attack to gain access to the
computer’s features and data.
• When to perform Penetration Testing ?
– Tester analyzes and assesses the information gathered before the test steps for
dynamically penetrating the system. Elements include :
• The estimated time required for evaluating potential security flaws for
the subsequent active penetration testing.
• Report Preparation
– Report preparation must start with overall testing procedures, followed by an
analysis of vulnerabilities and risks.
– The high risks and critical vulnerabilities must have priorities and then
followed by the lower order.
Types of Penetration Testing
• The type of penetration testing normally depends on the scope and the
organizational needs and requirements.
•
Black Box Testing White Box Testing Grey Box Testing
• Tester has no idea • Tester has been • Tester usually
about the systems that provided with whole provides partial or
he is going to test. range of information limited information
• (eg) : about the systems about the internal
• a tester only knows and/or network such as details of the program
what should be the Schema, Source code, of a system.
expected outcome and OS details, IP address,
he does not know how etc.
the outcomes arrives. • It is also known as
structural, glass box,
clear box, and open
box testing.
Black Box Testing White Box Testing Grey Box Testing
Advantages : Advantages : Advantages :
• It helps to find weak areas where an intruder can attack to gain access to the
computer’s features and data.
• When to perform Penetration Testing ?
• To secure the functioning of the system.
• Security system discovers new threats by attackers.
• You add a new network infrastructure.
• You update your system or install new software.
• You relocate your office.
• You set up a new end-user program/policy.
Steps of Penetration Testing
• Planning and Preparation
– It starts with defining the goals and objectives of the penetration testing.
• The common objectives of penetration testing are :
– To identify the vulnerability and improve the security of the technical
systems.
– Have IT security confirmed by an external third party.
– Increase the security of the organizational/personnel infrastructure.
• Reconnaissance
– Analysis of the preliminary information.
– Objective is to obtain a complete and detailed information of the systems.
• Discovery
– A penetration tester will most likely use the automated tools to scan
target assets for discovering vulnerabilities.
• Network Discovery
• Host Discovery
• Service Interrogation
• Analyzing Information and Risks
– Tester analyzes and assesses the information gathered before the test steps for
dynamically penetrating the system. Elements include :
• The estimated time required for evaluating potential security flaws for
the subsequent active penetration testing.
• Report Preparation
– Report preparation must start with overall testing procedures, followed by an
analysis of vulnerabilities and risks.
– The high risks and critical vulnerabilities must have priorities and then
followed by the lower order.
Types of Penetration Testing
• The type of penetration testing normally depends on the scope and the
organizational needs and requirements.
•
Black Box Testing White Box Testing Grey Box Testing
• Tester has no idea • Tester has been • Tester usually
about the systems that provided with whole provides partial or
he is going to test. range of information limited information
• (eg) : about the systems about the internal
• a tester only knows and/or network such as details of the program
what should be the Schema, Source code, of a system.
expected outcome and OS details, IP address,
he does not know how etc.
the outcomes arrives. • It is also known as
structural, glass box,
clear box, and open
box testing.
Black Box Testing White Box Testing Grey Box Testing
Advantages : Advantages : Advantages :
• Reconnaissance Phase
– Gather much information about the subjects involved
– Really important to have a clear idea on the client systems.
– Foot Printing
• Reconnaissance
– Searching of search engine queries to gather data about personal.
– Domain Name Searches
– Social Engg to find out email addresses
• Threat Modeling and Vulnerability Identification Phase
– If know about the client, I can pre-model the pre-attack
phase.
– This phase is also used to find the open ports, live hosts, OS info
etc.,
–
• have studied about your’s and your infrastructure thoroughly.
• Exploitation Phase
– Its my time to harm you…
• Post-Exploitation Phase
–
• Reporting Phase ( An Important Phase)
– You should tell the client exactly what the exploits where that you
used to compromise their systems as well as exactly what steps
should be taken to remediate them.
Active Passive
Reconnai Reconnai
ssance ssance Open Ports
Scanning
Logging is Logging is
Software
possible not possible
and services
HTTrack :
Website
Copier