Web Application Security + OpenID NWEN 304: Advanced Network Applications.

Presentation transcript:

Info: ICT Careers fair on Friday. Tech report out today. Teaching evaluations. Groups.

Cross-site scripting (XSS): an input validation vulnerability. It allows an attacker to inject client-side code (JavaScript) into web pages, which the vulnerable web application then serves to other users.

Reflected XSS: the injected code is reflected off the web server – an error message, a search result, or any response that includes some or all of the input sent to the server as part of the request. Only the user issuing the malicious request is affected.

// Vulnerable servlet fragment from the slide: the query parameter is echoed into the page unescaped
String searchQuery = request.getParameter("searchQuery");
...
PrintWriter out = response.getWriter();
out.println("Results for " + searchQuery);

User request: searchQuery=<script>alert("pwnd")</script>

Stored XSS: the injected code is stored on the web site and served to its visitors on every page view – user messages, user profiles, etc. All users are affected.

// Vulnerable servlet fragment from the slide: a stored message is written into the page unescaped
String postMsg = db.getPostMsg(0);
...
PrintWriter out = response.getWriter();
out.println(postMsg);

Stored postMsg: <script>alert("pwnd")</script>

Solution for injection: sanitization. Sanitizing all user inputs is difficult -- why?
Sanitization is context-dependent:
– JavaScript: user input
– CSS value: a:hover { color: user input }
– URL value
Sanitization is attack-dependent, e.g.
– JavaScript
– SQL
Blacklisting vs. whitelisting. Roll-your-own vs. reuse.

Roll-your-own: example. On Twitter, if a user posts Twitter displays: Twitter's old sanitization algorithm blocked but allowed ". What happens if somebody tweets: \u002fis.gd\u002ffl9A7')"/ Twitter displays: …

Roll-your-own: example. Anyone putting the mouse over such a Twitter feed will run JavaScript that posts a similar message in their own feed. The actual attack used: "onmouseover="…/ – Why the style part?

Roll-your-own: example. This is what it looked like:

Reuse: example. jQuery has built-in support: the .text() method for strings and .val() for input parameters. These escape HTML code and prevent the browser from interpreting a given string as markup:
– & becomes &amp;
– < becomes &lt;
– > becomes &gt;
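The slide's point that sanitization is context-dependent, shown in code. This is an added example, not code from the lecture or from jQuery: it applies the same HTML escaping jQuery's .text() gives you, and then shows why that alone is not enough for the CSS and URL contexts the earlier slide lists. The base URL example.invalid and the test strings are constructed.

```javascript
// Added example (not from the lecture slides): one encoder per output context.
// HTML escaping is the classic table; the CSS and URL encoders are allow-lists,
// because HTML escaping does nothing for text the browser parses as CSS or a URL.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

// HTML body / quoted attribute context: the escaping jQuery's .text() performs,
// plus quotes so the result is also safe inside a quoted attribute value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// CSS value context (a:hover { color: <user input> }): accept only a named
// colour or a hex colour; anything else (extra declarations, url(), quotes)
// falls back to a harmless default.
function safeCssColor(s) {
  return /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$/i.test(s) ? s : "inherit";
}

// URL value context (href="<user input>"): only http(s) links are accepted, so
// a non-web scheme never reaches the attribute; the accepted URL is then
// HTML-escaped for the attribute it is placed in. Relative links are resolved
// against a constructed base (assumption: the site's own origin).
function safeHref(s) {
  let u;
  try { u = new URL(s, "https://example.invalid/"); } catch { return "#"; }
  return ["http:", "https:"].includes(u.protocol) ? escapeHtml(u.href) : "#";
}

// The reflected-search response from the slide, rewritten with output encoding.
function renderResults(searchQuery) {
  return "<h1>Results for " + escapeHtml(searchQuery) + "</h1>";
}
```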

Now: OpenID. Terminology: Identity, Authentication, Authorisation, OpenID.

Identity: a set of attributes related to an entity. Entity attributes: Name, Address, Sex, Height, etc. Identities: Work, Personal, Private.

Identity

Authentication: positive verification of identity. Determines:
What you know – PIN/password
What you have – token/cert/RFID
Who you are – biometric

Authorisation: determines whether an entity is allowed to perform a given activity. Typically inherits from authentication. Cases like OAuth let you access protected data (across domains) without having to re-authenticate the user.

OpenID, OAuth, and OpenID Connect.
OpenID = Authentication: making sure the user is who they say they are.
OAuth = Authorisation: deciding what the user is allowed to do. An "access granting protocol". More on this next time.
OpenID Connect = Authentication (but built on OAuth 2.0).

Password Management: Adobe (ciphertext / plaintext, as shown on the slide; the # and Count columns did not survive extraction)
Ciphertext                  Plaintext
EQ7fIpT7i/Q=
j9p+HwtWWT86aMjgZFLzYg==
L8qbAD3jl3jioxG6CatHBw==    password
BB4e6X+b2xLioxG6CatHBw==    adobe
j9p+HwtWWT/ioxG6CatHBw==
djv7ZCI2ws=                 qwerty
dQi0asWPYvQ=
LqYzKVeq8I=
PMDTbP0LZxu03SwrFUvYGA==    photoshop
e6MPXQ5G6a8=

OpenID 1.0/2.0. Started around 2005. Motivation: users have accounts all over the Web; user profiles are distinct; the multiple-passwords problem. Goal: apps/sites can leverage an OpenID provider, a third-party authentication service (federated login); users have one account at the provider.

OpenID 1.0/2.0: a decentralised mechanism for authentication. The OpenID protocol describes the authentication process. OpenID:
– It *is* a URI
– The user is in control and selects the URI
– Pick a provider you trust, similar to
– Your own domain (delegate the process to another IP)
– Have multiple identities
OpenID Providers: Google, Yahoo!, etc. Yourself – run your own server.

OpenID 1.0/2.0. You can claim you own the URI. You can prove you own the URI, so you can use it to authenticate yourself on other websites, so you don't need to have an account on a new website. It can also be extended to include profile information and claims.

How it works. XRDS (eXtensible Resource Descriptor Sequence): the format of the discovery response; it describes the endpoint to which login requests are sent. Credit:

How it works. The user authenticates with the OpenID provider. Example: Google OpenID provider
?openid.ns=
&openid.return_to=
&openid.realm=
&openid.assoc_handle=ABSmpf6DNMw
&openid.mode=checkid_setup
ns – protocol version (obtained from the XRDS)
mode – type of message or additional semantics
return_to – callback page to which the provider sends the result
realm – domain the user will trust, consistent with return_to
assoc_handle – "log in" for the web app with the OpenID provider
Credit:
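The checkid_setup request above, built and checked in code. This is an added example, not from the lecture or from any OpenID library: it encodes the OpenID 2.0 rule behind "realm ... consistent with return_to" (the return_to URL must sit inside the realm: same scheme and port, a matching host or wildcard subdomain, and the realm's path as a prefix) before a relying party sends the request. The OpenID 2.0 namespace value is the real one; the provider endpoint, return_to, realm and assoc_handle values are constructed placeholders.

```javascript
// Added example (not from the lecture): build a checkid_setup request and refuse
// to send it when return_to is outside the realm the user is asked to trust.

const OPENID_NS = "http://specs.openid.net/auth/2.0"; // real OpenID 2.0 namespace

// OpenID 2.0 realm matching: same scheme and port, host equal to the realm's
// host (or any subdomain of it when the realm starts with "*."), return_to path
// beginning with the realm's path. A realm may not carry a fragment.
function returnToMatchesRealm(returnTo, realm) {
  const rt = new URL(returnTo);
  const wildcard = /^(https?:\/\/)\*\.(.+)$/.exec(realm);
  const rl = new URL(wildcard ? wildcard[1] + wildcard[2] : realm);
  if (rl.hash) return false;
  if (rt.protocol !== rl.protocol || rt.port !== rl.port) return false;
  const hostOk = wildcard
    ? rt.hostname === rl.hostname || rt.hostname.endsWith("." + rl.hostname)
    : rt.hostname === rl.hostname;
  if (!hostOk) return false;
  return rt.pathname.startsWith(rl.pathname);
}

// Assemble the redirect URL the relying party sends the browser to.
// endpoint: provider's login endpoint (from the XRDS discovery response).
function buildCheckidSetup(endpoint, returnTo, realm, assocHandle) {
  if (!returnToMatchesRealm(returnTo, realm)) {
    throw new Error("return_to is not within realm");
  }
  const u = new URL(endpoint);
  u.searchParams.set("openid.ns", OPENID_NS);
  u.searchParams.set("openid.mode", "checkid_setup");
  u.searchParams.set("openid.return_to", returnTo);
  u.searchParams.set("openid.realm", realm);
  u.searchParams.set("openid.assoc_handle", assocHandle);
  return u.toString();
}
```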

OpenID 1.0/2.0 limitations: never really adopted; works for websites, but not native apps/mobile; difficult to implement (properly); URIs are hard for many users to understand and remember; relies on XML.

OpenID Connect: the third iteration of OpenID, released 2014. An identity layer on top of OAuth 2.0. Much more developer friendly. Leverages standard TLS infrastructure + JSON + REST = better interoperability and adoption. Designed for mobile/apps etc. Scalable security: LaO1-04 Based on s

OpenID Connect

Next time: OAuth and you.