Web Security: Fear, Surprise, and Ruthless Efficiency. Mary Ellen Zurko. © 2010 Cisco and/or its affiliates. All rights reserved.

Presentation transcript:

1 Web Security: Fear, Surprise, and Ruthless Efficiency
Mary Ellen Zurko


3 Authentication and Password/Secret Management
A secret is something you tell to one person at a time
Or: it's not turtles all the way down

4 Defense in depth matters
Compliance
Passwords – users vs system parts
Web server and files

5 Security the way Sir Tim intended
Server says: WWW-Authenticate: Basic realm="insert realm"
User prompted for their password
Client says: Authorization: Basic QWxhZGluOnNlc2FtIG9wZW4=
User agent remembers and sends for that domain/realm

6 Everyone does their own authentication
No Single Sign On
Password proliferation
Password unprotected
Encoding is not encrypting
Who's asking you for your password?
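The slide 5 exchange and the slide 6 point that "encoding is not encrypting", as an added example that is not part of the original talk: the realm and the Authorization value are the ones shown on slide 5, and the function names are assumptions made for illustration.

```python
# Added example (not from the slides): HTTP Basic authentication as described
# on slides 5 and 6. Header values are those shown on slide 5; everything else
# is constructed for illustration.
import base64
import re

CHALLENGE_RE = re.compile(r'^Basic\s+realm="([^"]*)"', re.IGNORECASE)
RESPONSE_RE = re.compile(r"^Basic\s+([A-Za-z0-9+/=]+)\s*$", re.IGNORECASE)

def parse_challenge(www_authenticate: str) -> str:
    """Return the realm from a WWW-Authenticate: Basic header value."""
    m = CHALLENGE_RE.match(www_authenticate.strip())
    if not m:
        raise ValueError("not a Basic challenge")
    return m.group(1)

def build_authorization(username: str, password: str) -> str:
    """Build the Authorization value a user agent sends back.
    The credentials are only base64-encoded: encoding, not encryption."""
    if ":" in username:
        raise ValueError("username must not contain ':' (RFC 7617)")
    token = base64.b64encode(f"{username}:{password}".encode()).decode("ascii")
    return f"Basic {token}"

def recover_credentials(authorization: str) -> tuple:
    """Decode an Authorization: Basic value back to (username, password).
    Anyone who can read the header (a proxy, a log file, a tap on a plain
    HTTP connection) can do exactly this, so Basic belongs inside TLS only."""
    m = RESPONSE_RE.match(authorization.strip())
    if not m:
        raise ValueError("not a Basic response")
    user_pass = base64.b64decode(m.group(1)).decode("utf-8")
    username, _, password = user_pass.partition(":")
    return username, password

def credential_cache_key(scheme: str, host: str, realm: str) -> tuple:
    """The user agent remembers credentials per (scheme, host, realm). A
    lookalike host gets nothing automatically; it gets the password only if
    the user retypes it there (slide 6: who is asking for your password?)."""
    return (scheme.lower(), host.lower(), realm)

if __name__ == "__main__":
    realm = parse_challenge('Basic realm="insert realm"')              # slide 5 challenge
    user, pw = recover_credentials("Basic QWxhZGluOnNlc2FtIG9wZW4=")  # slide 5 response
    print(realm, "|", user, "|", pw)                                   # plaintext falls out
    print(build_authorization(user, pw), credential_cache_key("https", "Example.org", realm))
```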

7 Who vouches for the information on this web page?
Trust, Trustworthy, and Trust for What?
There's encryption; it's Secure!
What have you been told about detecting or avoiding phishing?

8
Citigroup.com
Citibank.com
Cititigroup.com
Citigroup.de
Citibank.co.uk
Citigroup.org
Thisiscitigroup.org
Citibank.info
Citicards.com
Citicreditcards.com
Citibank-cards.us
Citimoney.com
Citigold.net
Citībank.org
Citibānk.org
Citigrøup.org
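An added example (not from the talk) that sorts the slide 8 names the way a defender's brand-monitoring check would: the LEGITIMATE allowlist, the BRANDS list and the CONFUSABLES map are constructed for illustration, and CONFUSABLES is a small hand-picked subset rather than the full Unicode confusables table. It goes slightly beyond the slide by also separating the ASCII typo-squats and the "brand plus extra words" names from the IDN homographs.

```python
# Added example (not from the slides): classify lookalike domains from slide 8.
import unicodedata

LEGITIMATE = {"citigroup.com", "citibank.com"}  # constructed allowlist
BRANDS = ("citigroup", "citibank", "citi")      # constructed brand labels
CONFUSABLES = {"ø": "o", "ł": "l", "ı": "i"}    # hand-picked subset, not the full table

def to_punycode(domain: str) -> str:
    """ASCII (xn--) form of the name: what the resolver sees and what to log."""
    return domain.lower().encode("idna").decode("ascii")

def skeleton(label: str) -> str:
    """Strip diacritics and map listed confusables so a lookalike label
    collapses onto the ASCII label it imitates."""
    decomposed = unicodedata.normalize("NFKD", label.lower())
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typo-squats such as a doubled syllable."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str) -> str:
    """legitimate | homograph | typosquat | brand-in-name | unrelated"""
    lowered = domain.lower()
    if lowered in LEGITIMATE:
        return "legitimate"
    labels = lowered.split(".")
    label = labels[-2] if len(labels) > 1 else labels[0]  # registrable label, roughly
    if not label.isascii():                               # IDN: compare by skeleton
        return "homograph" if skeleton(label) in BRANDS else "unrelated"
    if 0 < min(edit_distance(label, b) for b in BRANDS) <= 2:
        return "typosquat"
    if any(b in lowered for b in BRANDS):                 # brand embedded in a longer name
        return "brand-in-name"
    return "unrelated"

if __name__ == "__main__":
    for d in ("Citigroup.com", "Cititigroup.com", "Citībank.org", "Citigrøup.org"):
        print(f"{d:18} {to_punycode(d):26} {classify(d)}")
```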


10 Early on, there was S-HTTP
Encryption of the HTML document
Headers defined to specify type of encryption, type of key management, nonces
Supports pre-arranged keys, public/private keys, PGP, etc.
Server and client negotiate which enhancements they'll use
Flexible
End to end (resists Man in the Middle)

11 Encryption! Authentication! Security!
Network protocol that wraps HTTP
Encryption of the tunnel for confidentiality and tamper detection
Authentication of the server using public key certificate
My browser has 182 "System Roots"
Authentication of the client using public key certificate is an option
Phishing for passwords and identities

12 Who put the D in DHTML?
Data and Code should not mix
Code is dangerous. Data is not.
Speech vs action

13 Major technical university's web site
Cross Site Scripting (XSS): every link modified to redirect through proxy, including links to other web sites (e.g. LinkedIn, Facebook)
Insecure Direct Object Reference: walk the OS file system

14 Who vouches for the code on this web site?
Javascript: Sandbox + same origin policy
Java: Permissions ("Should this code access your file system, the network?")
Web mail: Cross site scripting (XSS)
HTML escaping of any data
Where are my bold text and dancing pigs?
Whitelist vs Blacklist
Mobile apps – every game creator is a web browser implementer
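The slide 14 approach in code, as an added example that is not part of the original talk: escape all data first, then re-enable only a whitelist of bare formatting tags so users keep their bold text. ALLOWED_TAGS and the function names are assumptions.

```python
# Added example (not from the slides): "HTML escaping of any data" plus
# "whitelist vs blacklist" from slide 14. A blacklist has to know every
# dangerous tag and attribute in advance; a whitelist only has to know the
# few harmless ones it chooses to allow.
import html
import re

ALLOWED_TAGS = {"b", "i", "em", "strong"}                # constructed whitelist: bare tags only
ESCAPED_TAG_RE = re.compile(r"&lt;(/?)([a-zA-Z]+)&gt;")  # how a bare tag looks after escaping

def escape_all(data: str) -> str:
    """Baseline: every <, >, &, and quote in untrusted data becomes inert text.
    Safe for element content and for double-quoted attribute values."""
    return html.escape(data, quote=True)

def render_with_whitelist(data: str) -> str:
    """Escape everything, then restore only bare <b>, </b>, <i>, ... tags.
    Scripts, unknown tags, and any tag carrying attributes stay escaped,
    because the regex only matches a tag name with nothing after it."""
    escaped = escape_all(data)

    def restore(m):
        slash, name = m.group(1), m.group(2).lower()
        return f"<{slash}{name}>" if name in ALLOWED_TAGS else m.group(0)

    return ESCAPED_TAG_RE.sub(restore, escaped)

if __name__ == "__main__":
    print(render_with_whitelist("Hello <b>bold</b> world"))      # bold survives
    print(render_with_whitelist("<script>x</script>"))           # stays inert text
    print(render_with_whitelist('<b onclick="x">hi</b>'))        # attribute form stays escaped
```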

Thank you. Mary Ellen Zurko
Questions? Comments? Brickbats?