Web Application Security Presented by Ben Lake

How the Web Works Hypertext Transfer Protocol (HTTP)  Application-level  Stateless Example  Web Browser Request  Web Server Response GET / HTTP/1.1 Host [Content] HTTP/ OK [Content]

Web Applications Pseudo Definition  A series of HTTP requests to complete a task in an environment in which state is maintained. The difference between a web site and a web application is the ability to maintain state. Examples  Online shopping, banking, class enrollment, bulletin board, etc.

Maintaining State State  A condition of mode or being.  A light has two obvious states: ON or OFF HTTP is a stateless protocol  Every request is individual and maintains no correlation between past requests. Maintaining state over HTTP is an illusion.  This illusion is created by having a key piece of information propagate between requests.

Cookies! Definition  An extension of HTTP that allows state to be maintained by providing a token piece of information between HTTP requests. Put simply, cookies are datagrams stored by a web browser at the request of a web server. How they work  Client sends request  Server sends response with its own request to set a cookie  Client decides to accept or reject cookie  Subsequent requests may or may not contain the cookie Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

Cookies! and State Cookies provide a mechanism to maintain state. The data stored in a cookie can be used to identify a user based on previous requests. Examples  Storing the ID numbers of the items you have selected for purchase.  Storing a unique ID number that identifies you as the person taking an online test.

Authentication Definition  The mechanism(s) that provide a means of identifying an individual in a public environment. When state can be maintained, authentication in a Web Application becomes feasible. Authentication allows a system to meet the needs of the individual using it. This includes Web Applications. Examples  Banking - whose account should be accessed?  Course Enrollment - what courses have you taken?  Shopping - what’s on your wish list?

Authenticating and State Authentication allows more robust and customized functionality from Web Applications. There are many ways to authenticate a client.  Scenario 1: Require user to authenticate for every request. Problems: Cumbersome for user. Solutions: Auto populating browser.  Scenario 2: Store authentication information in a cookie. Problems: Probability of authentication information being intercepted greatly increased. Solutions: Use a unique ID.  Scenario 3: Store a unique ID in a cookie assigned when authentication information is verified. Problems: Unique ID can be intercepted and used by another user. Solutions: Rolling ID and/or ID expiration.

Secure Socket Layer (SSL) Definition  A protocol layered on top of TCP to provide a secure (encrypted) transport layer for the communication between two applications. Attributes  Private - The data stream is symmetrically encrypted.  Reliable - Each packet of information is verified via a hash.  Authentic - The servers identity is authenticated using asymmetric encryption. How SSL Works  There is a handshake between the client and server to decide on a protocol version, encryption suite, and encryption method.  The peers verify one another's identity if applicable using public key encryption methods.  A secure connection is established and data is transported transparently by the secure layer.

Conclusion Security is evolving with the every newly adopted standard. Be aware of the technologies you’re utilizing, so that you can make an educated assessment of the security risks you face in any given environment.

References HTTP - ftp://ftp.isi.edu/in-notes/rfc2616.txt Cookies - SSL -