CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
WebGoat & WebScarab “What is computer security for $1000 Alex?”
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
It’s always better live. MSDN Events Security Best Practices Part 2 of 2 Reducing Vulnerabilities using Visual Studio 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
The 10 Most Critical Web Application Security Vulnerabilities
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
MongoDB Sharding and its Threats
Designing Security In Web Applications Andrew Tomkowiak 10/8/2013 UW-Platteville Software Engineering Department
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
OWASP Zed Attack Proxy Project Lead
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Security.NET Chapter 1. How Do Attacks Occur? Stages of attack Examples of attacker actions 1. FootprintRuns a port scan on the firewall 2. PenetrationExploits.
Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.
Ladd Van Tol Senior Software Engineer Security on the Web Part One - Vulnerabilities.
1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Cross-Site Attacks James Walden Northern Kentucky University.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.
CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.
October 3, 2008IMI Security Symposium Application Security through a Hacker’s Eyes James Walden Northern Kentucky University
Operating System Security Fundamentals Dr. Gabriel.
Building Secure Web Applications With ASP.Net MVC.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University
Identification Authentication. 2 Authentication Allows an entity (a user or a system) to prove its identity to another entity Typically, the entity whose.
Security fundamentals Topic 5 Using a Public Key Infrastructure.
COMP9321 Web Application Engineering Semester 2, 2015 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 1COMP9321, 15s2, Week.
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Web2.0 Secure Development Practice Bruce Xia
Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.
User Authentication  fundamental security building block basis of access control & user accountability  is the process of verifying an identity claimed.
Web Login, Cookies Web Login | Old way HTML
Web Applications on the battlefield Alain Abou Tass.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
ASP.NET 2.0 Security Alex Mackman CM Group Ltd
WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas.
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
COMP9321 Web Application Engineering Semester 2, 2017
Building Secure ColdFusion Applications
Web Application Vulnerabilities
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
TOPIC: Web Security (Part-4)
World Wide Web policy.
API Security Auditing Be Aware,Be Safe
What is REST API ? A REST (Representational State Transfer) Server simply provides access to resources and the REST client accesses and presents the.
Cross-Site Forgery
Riding Someone Else’s Wave with CSRF
WWW安全 國立暨南國際大學 資訊管理學系 陳彥錚.
Cross Site Request Forgery (CSRF)
Presentation transcript:

CERN – European Organization for Nuclear Research GS Department – Administrative Information Services Secure software development for the World Wide Web Derek Mathieson Group Leader Administrative Information Services CERN – Geneva, Switzerland

CERN GS-AIS Who Am I

CERN GS-AIS Agenda Background Information Impact of Security Flaws Definitions Types of Attack Techniques / Solutions

CERN GS-AIS Why Secure Web Application?

CERN GS-AIS Impact of Security Flaws Ping of death Morris worm (1988) –6,000 infected computers Santy (2004) –~40,000 infected computers (in 24 hours) Conficker (2008) –Up to 15,000,000 infected computers

CERN GS-AIS

CERN GS-AIS

CERN GS-AIS Definitions Identification Authentication Authorisation Session Management

CERN GS-AIS Identification / Authentication How Can You Prove Who You Are? –Biometric Passport –Photo ID –Fingerprint –Username / Password

CERN GS-AIS Definitions Entity –A User, another computer system component Identification –Providing credential such that a system can recognise the entity and distinguish it from other entities. Authentication –The process of verifying the identity of an entity.

CERN GS-AIS Authentication Factors Something an entity knows: –Password, PIN Something an entity has: –ID Card, private key Something an entity is: –Fingerprint, iris scan, …

CERN GS-AIS Authentication Single / Multi-factor Authentication –Password only –Password + Fingerprint Trade-off between –Convenience –Cost –Complexity –Security

CERN GS-AIS Identity Theft Forgotten Passwords –Self Service Lost ID Cards –Blocking List Compromised Private Keys –CRL What about Biometrics? No easy solution

CERN GS-AIS Passwords Server good practices –Never store them in ‘clear’ –Use encrypted communication protocols (SSL) –Log authentication failures –Use generic error messages: User/password combination not recognised’ –Show user Last login date Previous failed login attempts

CERN GS-AIS Web Authentication Techniques Basic Authentication Digest Authentication Form Authentication

CERN GS-AIS Basic Authentication

CERN GS-AIS Basic Authentication Password : : Username Base64 QWxhZGRpbjpvcGVuIHNlc2FtZQ==

CERN GS-AIS Basic Authentication No encryption –Username / Password ‘encoded’ Depends on a secure communication channel

CERN GS-AIS Digest Authentication

CERN GS-AIS Digest Authentication Password realm Username MD5 348RU349URFJ934FH3FH9… =HA1 URI Method MD5 4I0R9I34F034403RI4I… =HA2 GET /Protected/secrets.html

CERN GS-AIS Digest Authentication HA2 HA1 MD5 R3984UR34R43RU… =response nonce

CERN GS-AIS Digest Authentication Advantages –Communication is more secure Some doubts over irreversibility of MD5 –Server nonce can avoid replay attacks Disadvantages –Server password file is contains usable credentials in plaintext –Vulnerable to a man-in-the-middle (MitM) attack

CERN GS-AIS Digest Authentication Request + Digest Response UserServer Request 401 Unauthorized + nonce

CERN GS-AIS Digest Authentication Attacker UserServer Request 401 Unauthorized + basic auth Request 401 Unauthorized + nonce

CERN GS-AIS Digest Authentication Attacker UserServer Request + basic Response Request + Digest Response UsernamePassword DerekVerySecret

CERN GS-AIS Form Authentication

CERN GS-AIS Form Authentication Advantages –Simple to develop –Richer User Interface –Can use multifactor authentication Disadvantages –Depends on a secure communication channel (usually)

CERN GS-AIS Other Authentication Methods Single Sign-on –OpenID, Shibboleth, … Integrated Windows Authentication Token-based –One Time Passwords (OTP) SecureID, YubiKey –Public key authentication (SSL client certificates).

CERN GS-AIS Authorisation

CERN GS-AIS Authorisation An Authorisation system should: –Allow access to resources to users/systems that are permitted to access them. –Prevent access to those that are not permitted.

CERN GS-AIS Authorisation System requirements: –Who (entity) –What (resource) –Which operation (read / update / delete / …) –Access Policy

CERN GS-AIS Role Based Access Control Roles are identified –e.g. administrator, group leader, developer. Rights are assigned to roles –group leader can access homepage Roles are assigned to entities –Derek is a group leader

CERN GS-AIS AIS Roles

CERN GS-AIS Role Based Access Control Less complex than individual assignment of access rights Roles can link to organization roles –Automatic maintenance –Less administration

CERN GS-AIS Authorisation: Good Practices Check every access Centralise rights management Principal of Least Privilege

CERN GS-AIS Session Management

CERN GS-AIS Session Management Why do we need it? –HTTP is state-less

CERN GS-AIS Session Management Credentials Session ID: 42 UserServer User IDSession ID Session Memory Derek42 Frank43 Jim44 Alex45 Jane46 Billy47 Lilly48

CERN GS-AIS Session Management Good Practices –Keep Session ID secret! Use encrypted communications. –Make them unpredictable Based on a random sequence Never re-used –Time limited Use a standard framework

CERN GS-AIS Types of Attack Session –Session Fixation / Session ID Forgery –Cross-Site Scripting –Cross-Site Request Forgery Injection –SQL Injection –Command Injection Google Hacks

CERN GS-AIS Cross-Site Scripting XSS

CERN GS-AIS Cross-Site Scripting The most common publicly-reported security vulnerability –Up to 68% of websites could be vulnerable

CERN GS-AIS Cross-Site Scripting (Persistent) … Server User Attacker request response + malicious script

CERN GS-AIS Cross-Site Scripting (non-persistent) ‘Click Here’ + malicious script Server User Attacker request + malicious script response + malicious script

CERN GS-AIS Cross-Site Scripting: Impact Site defacement

CERN GS-AIS USDA.GOV

CERN GS-AIS EU President

CERN GS-AIS BP.COM

CERN GS-AIS Cross-Site Scripting: Impact Site defacement Identity Theft Malware distribution …

CERN GS-AIS Cross-Site Scripting: Impact ‘Samy’ XSS Worm on MySpace –Automatically made ‘friend request’ back to author. –Within 20 hours of release over 1,000,000 users were affected. Author: Samy Kamkar –Arrested and on felony charge. Sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.

CERN GS-AIS Cross-Site Scripting: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers

CERN GS-AIS Cross-Site Scripting: Remedies Remove / replace HTML entities –‘White List’ or ‘Black List’ Filter Use Non-HTML Lightweight mark-up –Wiki –bb-code –Textile Use a Site Scanning Tool –We use Acunetix

CERN GS-AIS Cross-Site Request Forgery CSRF / XSRF

CERN GS-AIS Cross-Site Request Forgery ‘Click Here’ Server User Attacker request response + embedded command Evil Server ‘Hidden’ request

CERN GS-AIS Cross-Site Request Forgery <img src=" account=bob&amount= &for=mallory"> <img src=" account=bob&amount= &for=mallory"> Embedded Image <form name="secretform" method="POST" action=" … <form name="secretform" method="POST" action=" … Hidden Form

CERN GS-AIS XSRF: Remedies For End Users: Very Little! –Log out before visiting other sites –Don’t use ‘remember me’ features –Don’t visit ‘untrustworthy’ sites

CERN GS-AIS XSRF: Remedies For Website Authors –Include a hidden ‘nonce’ token in forms –Ignore GET parameters when processing a POST –Include Authentication Cookies in POST body (via JavaScript)

CERN GS-AIS Injection Exploits SQL Injection

CERN GS-AIS SQL Injection SQL Injection is user input allowed to pass through and to the database directly

CERN GS-AIS SQL Injection: Example Log on to NetBank User name: Password: Logon b.cameron SELECT id FROM logins WHERE username = '$username' AND password = '$password' SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'SecretWord' SELECT id FROM logins WHERE username = 'b.cameron' AND password = 'X' OR 1 = 1 Attacker X' or 1=1

CERN GS-AIS SQL Injection: Remedies Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

CERN GS-AIS SQL Injection: Remedies Prepared Statements –Advantages Precompiled Query: Faster (usually) Database engine does the bind –Disadvantages (a little) More Complex SELECT id FROM logins WHERE username = ? AND password = ?

CERN GS-AIS Other Exploits

CERN GS-AIS Command Injection Variation of SQL Injection –Injects malicious OS command exec ("ls " + $userPath) exec ("ls /home/myfiles") exec ("ls.; cat /etc/passwd")

CERN GS-AIS Google Hacking Database

CERN GS-AIS Summary Do not trust any User Input –Form Input –URLs –Cookies –HTTP Request Headers Use a Site Scanning Tool

CERN GS-AIS Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.