Chapter 2. Core Defense Mechanisms

Fundamental security problem All user input is untrusted.

Defense mechanisms Handling user access –To prevent users from gaining unauthorized access Handling user input –To prevent malformed input from causing undesirable behavior Handling attackers –To frustrate the attacker Managing application itself –Enable to monitor and configure

Handling User Access Categories of user –Anonymous users –Ordinary authenticated users –Administrative users Related security mechanisms –Authentication –Session management –Access control

Authentication Conventional authentication model –Username and password Supplemented by –Additional credentials –Multistate login process Examples –Client certificates, smartcards, or challenge- response tokens Defects enable to gain unauthorized access to sensitive data and functionality.

Session Management Session : a set of data structures –Used to track the state of the users Token identifying the session –Unique string mapping to the session –Browser automatically submits this back. –HTTP cookies, hidden form fields, URL query string for this purpose –Expired after a given period Dependent on security of its tokens

Access Control Correct decision –whether each request should be permitted or denied

Handling User Input Submitting unexpected input, crafted to cause behavior that was not intended Must handle user input in a safe manner Input-based vulnerabilities can arise anywhere.

Varieties of Input

Approaches to Input Handling “Reject Known Bad” “Accept Known Good” Sanitization Safe Data Handling Semantic Checks

Boundary Validation

Multistep Validation and Canonicalization ipt> %27 %2727

Diffcult To perform sanitization steps recursively

Handling Attackers To handle and react to attacks Measures –Handling errors –Maintaining audit logs –Alerting administrators –Reacting to attacks

Handling Errors

Maintaining Audit Logs Key events –All events relating to the authentication functionality –Key transactions –Access attempts –Any request containing known attack strings In online banks, logged in full For effectiveness, record time, IP address, session token, user account

Figure 2-7. Poorly protected application logs containing sensitive information submitted by other users

Altering Administrators Anomalous events monitored by alerting mechanism –Usage anomalies –Business anomalies –Requests containing known attack strings –Requests where data that is hidden from ordinary users has been modified Firewall, Intrusion Detection Product –Signature-based and anomaly-based rules

Reacting to Attacks By responding increasingly slowly to the attacker’s requests By terminating the attacker’s session By requiring him to log in or perform other steps before continuing the attack Effective defense-in-depth measure can reduce the likelihood.

Managing the Application Administrative functions are implemented within the application itself through the same web interface as its core non- security functionality.

Chapter Summary Defects in the security mechanism often lead to complete compromise of the application, enabling you to access data belonging to other users, perform unauthorized actions, and inject arbitrary code and commands.

Thank you