Week 9: Web Security Building Secure Servers
Transcript

  • 1. Week 9: Web Security and JavaScript: Building Secure Servers
    • The primary means of avoiding intrusion is to keep up to date with security patches for your OS
    • Secondly, your server should open only the minimum set of IP ports needed to fulfil its function; all others should be disabled
    • Check the system regularly for unusual files or system activity; some tools (e.g. Tripwire) can automate this
    • Put valuable data on another system, connected with a secure link and protected by a firewall
    • Encrypt valuable data and encrypt traffic over the network to avoid network sniffers
  • 2. Firewalls
    • A firewall is a means of restricting the traffic between the internet and a local area network
    • The firewall server is connected directly to the internet and routes packets from the internet to local machines on a separate network
    • The firewall doesn't allow direct access to any local machine and can block or filter traffic on most IP ports
  • 3. Encryption
    • Encryption is a means of hiding the message being transmitted or stored
    • Key-based encryption uses a key of a given size (number of bits) to encrypt the message. More bits means more possible keys and therefore more security: there are 3.4 x 10^38 possible 128-bit keys
    • Symmetric or secret key encryption uses the same key to encrypt and decrypt a message
      • But how do we exchange the key securely?
    • Asymmetric or public key encryption uses different keys to encrypt and decrypt. The public key can be published for use by anyone to send me a secret message
  • 4. Using Public Key Cryptography
    • In public key cryptography, each key is used to perform a one-way transformation on the message which only the other key can reverse
    • To exchange a secret message: encrypt with receiver's public key, decrypt with private key
    • To verify the sender's identity: encrypt with the sender's private key; if the sender's public key decrypts it, then it's authentic
    • To digitally sign a message: generate a string from the message (use a hashing function) and encrypt this string with your private key
    • To verify the signature: decrypt the string with the sender's public key and verify that it matches the string produced by hashing the message
      • Verifies both the sender and the message
  • 5. SSL: Secure Socket Layer
    • To avoid sending sensitive data in clear text over the internet, the SSL standard defines a way of establishing an encrypted IP connection
    • Designed by Netscape Communications Corporation
    • URLs that begin with https indicate an SSL connection
    • SSL is based on public key encryption
    • SSL can be used to forward traffic on any internet port; it can secure telnet, POP, FTP or WWW traffic
    • SSL is an open standard, implemented in web browsers and for various operating system services
  • 6. Who Needs Secure Services
    • Any e-commerce site where sensitive information is being transferred: credit card numbers, names, addresses, etc
    • Service providers such as Hotmail which store personal data for users
    • Repositories of commercial or restricted materials
    • Requirements range from verifying the identity of users to protecting server side storage and encrypting messages between client and server
  • 7. Verifying Identity
    • We've seen how to use CGI scripts to check a user's password against a stored database
    • While this is adequate for low-level security, it is prone to abuse
    • One solution is to use SSL to transmit the CGI request: the https protocol. This is implemented by the major browsers and connects to the server using SSL
    • To be more certain of your client's identity you can issue them with a digital certificate based on public key cryptography. Supporting browsers can send this instead of a cookie
  • 8. Secure Data Transmission
    • Transmission of sensitive data must use some kind of encryption: SSL via https
      <form action="https://sourceforge.net/account/login.php" method="post">
        <input type="hidden" name="return_to" value="">
        Login Name: <input type="text" name="form_loginname" value="">
        Password: <input type="password" name="form_pw">
        <input type="submit">
      </form>
    • The client might also want some way of verifying your identity: you could send your digital certificate to them
  • 9. Digital Certificates
    • If you want to convince your clients that you are who you say you are then you need to give them something that only you can have
    • A digital certificate is just such a thing. This contains:
      • Your name and contact details
      • Your public key
      • Details of a certifying authority
    • This information is then digitally signed by the certifying authority with its private key; the user checks the signature with the authority's public key
    • The user can check the validity of the certificate and then use your public key to communicate with you
    • This implies that the certifying authority can be trusted!
  • 10. Example
    • A digital certificate printed in text form:
      Certificate:
        Data:
          Version: 0 (0x0)
          Serial Number: 0 (0x0)
          Signature Algorithm: md5withRSAEncryption
          Issuer: C=ZA, SP=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services, CN=www.thawte.com, Email=webmaster@thawte.com
          Validity
            Not Before: Nov 14 17:15:25 1996 GMT
            Not After : Dec 14 17:15:25 1996 GMT
          Subject: C=ZA, SP=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services, CN=www.thawte.com, Email=webmaster@thawte.com
          Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            Modulus:
              00:9a:92:25:ed:a4:77:69:23:d4:53:05:2b:1f:3a:
              55:32:bb:26:de:0a:48:d8:fc:c8:c0:c8:77:f6:5d:
              61:fd:1b:33:23:4f:f4:a8:2d:96:44:c9:5f:c2:6e:
              45:6a:9a:21:a3:28:d3:27:a6:72:19:45:1e:9c:80:
              a5:94:ac:8a:67
            Exponent: 65537 (0x10001)
        Signature Algorithm: md5withRSAEncryption
          7c:8e:7b:58:b9:0e:28:4c:90:ab:20:83:61:9e:ab:78:2b:a4:
          54:39:80:7b:b9:d9:49:b3:b2:2a:fe:8a:52:f4:c2:89:0e:5c:
          7b:92:f8:cb:77:3f:56:22:9d:96:8b:b9:05:c4:18:01:bc:40:
          ee:bc:0e:fe:fc:f8:9b:9d:70:e3
  • 11. Security and Client Side Programming
    • Security is a major issue when you allow unknown and untrusted agents to run programs on your computer.
    • There are two general approaches to dealing with this issue:
      • Restrict the things that the client side programs are allowed to do.
      • Implement some kind of validation and verification of the source of programs.
  • 12. Security and Client Side Programming
    • JavaScript takes the first approach, you can't, for example, read and write local files from JavaScript.
    • Other client side languages provide a restricted subset of the full language to untrusted programs, e.g. Java and Safe-Tcl.
    • ActiveX takes the second approach. An ActiveX program can do anything but is signed and encrypted to help ensure that it comes from someone you trust.
    • Note that writing to local disk isn't the only security risk. Others include capturing and sending data to remote sites and denial of service.
    • See ActiveX security vs. Java security: http://www.cs.princeton.edu/sip/java-vs-activex.html
  • 13. Using JavaScript
    • JavaScript is another scripting language not unlike Perl, Tcl and Python.
    • Has the usual control structures etc.
    • JavaScript variables can hold:
      • Numbers: integer and floating point
      • Booleans: true, false
      • Strings: "Hello World!"
      • Objects: myObj = new Object();
      • Null: empty, no value
      • Undefined: value is not defined
    • The usual range of comparison and arithmetic operators.
    • String concatenation with +: "Age: " + "20" gives "Age: 20"
    • C-style conditional operator (?:)
  • 14. Example
      // Script by http://www.mimanet.com/scripts/
      // Writes the current date into the page as, for example, "March 5, 2004"
      var theDate = new Date();
      var months = new Array('January', 'February', 'March', 'April', 'May', 'June',
                             'July', 'August', 'September', 'October', 'November', 'December');
      var day = theDate.getDate();
      // getYear() returns the year minus 1900 in some browsers and the full four-digit
      // year in others, so add 1900 only when the value is clearly an offset
      // (getFullYear() avoids the problem altogether)
      var textdate = 0;
      if (theDate.getYear() < 2000) textdate = 1900;
      textdate = months[theDate.getMonth()] + ' ' + day + ', ' + (theDate.getYear() + textdate);
      document.write(textdate);
  • 15. Using JavaScript
    • JavaScript code is embedded in the web page head within <script></script> tags.
    • Either embed the script directly (note the use of HTML and JavaScript comments, which hide the code from browsers that do not run JavaScript):
      <head>
        <title>...</title>
        <script language="Javascript">
        <!--
          // your script goes here
        //-->
        </script>
      </head>
    • Or refer to an external script file:
      <script language="Javascript" src="sample.js"></script>
  • 16. Javascript Event Handlers
    • Top-level JavaScript is run as the page is read into the browser.
    • Can add calls to JavaScript for certain events associated with page elements:
      <tag attribute1 attribute2 onEventName="javascript code;">
      <!-- eg... -->
      <a href="" onClick="popupFunc();">
      <img src=".." onMouseOver="rollover();">
      <body onLoad="initialiseSomething();">
      <form onSubmit="validateForm();">
  • 17. JavaScript and the Browser
    • The most important data structure available to your JavaScript program is the browser and its model of the current HTML page.
    • These are represented in JavaScript as objects and you can query them and in many cases modify them in your scripts.
    • The HTML page is modelled via the Document Object Model. In the newer browsers (IE 5, NS 6) this is very similar to the XML DOM.
    • Scripts also have access to CSS properties of the document elements.
  • 18. Document Object Model
  • 19. Document Object Model
      // get the first table in the document
      var table = document.getElementsByTagName("table").item(0);
      // get the first td in the second tr (item() is zero-based, so the second row is item(1))
      var row = table.getElementsByTagName("tr").item(1);
      var cell = row.getElementsByTagName("td").item(0);
      // get the contents of the cell (the text node inside the td)
      var txt = cell.childNodes.item(0).nodeValue;
      document.write(txt);
  • 20. Some Javascript Idioms
    • JavaScript gets used for many tasks within web pages; look at some of the common examples:
    • Mouseover Actions
    • Form validation
    • Popup windows
    • Ajax
  • 21. Image Rollovers and Pop Up Windows
      <img name="picture" src="picture.jpg" onMouseOver="document.picture.src='pic2.jpg'" onMouseOut="document.picture.src='pic1.jpg'"/>

      <script language="JavaScript">
        function mypopup() {
          var win = window.open("", "mywindow", "height=100,width=100");
          win.location = "http://www.eelab.usyd.edu.au/";
        }
      </script>
      ...
      <a href="#" onClick="mypopup()">Click Here!!!</a>
  • 22. Form Validation
    • While we can validate form data on the server, the user would get a quicker response if we did some work on the client side.
    • Simple checks like incomplete submission and even email validation can be carried out in Javascript.
    • Javascript can also access and create cookies
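The checks slide 22 describes (incomplete submission, email format) as an added example that is not from the slides. The validation is a pure function so it runs outside a browser; checkLoginForm() shows the onSubmit hook, which must return false to stop the submission (the slide's onSubmit="validateForm();" never cancels it). Field names are assumed, and the server must repeat the same checks because the client script can be skipped.

```javascript
// Added example, not from the slides: client-side form validation for a login form.
// Field names (loginname, email, pw) are assumed for the example.
function isPlausibleEmail(value) {
  // one @, a non-empty local part, a domain containing a dot, no whitespace anywhere
  return /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(value);
}

// Takes an object of field values and returns a list of error messages (empty = valid).
function validateForm(fields) {
  var errors = [];
  ['loginname', 'email', 'pw'].forEach(function (name) {
    if (!fields[name] || fields[name].trim() === '') {
      errors.push(name + ' is required');
    }
  });
  if (fields.email && fields.email.trim() !== '' && !isPlausibleEmail(fields.email)) {
    errors.push('email does not look like an address');
  }
  return errors;
}

// Browser hook, used as <form onSubmit="return checkLoginForm(this);">.
// Returning false from the handler stops the browser sending the form.
function checkLoginForm(form) {
  var fields = {
    loginname: form.loginname.value,
    email: form.email.value,
    pw: form.pw.value
  };
  var errors = validateForm(fields);
  if (errors.length > 0) {
    alert(errors.join('\n'));
    return false;
  }
  return true; // the server still validates every field again on receipt
}
```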
  • 23. Ajax
    • Asynchronous Javascript and XML
    • The browser requests data from the server in the background
    • The data is used to modify the content of the current page
    • Faster response times since whole pages don't need to reload
    • Basic requirement is XMLHttpRequest http://en.wikipedia.org/wiki/XMLHttpRequest
    • Eg: Google Suggest
  • 24. XMLHttpRequest (XHR)
    • XMLHttpRequest ( XHR ) is an API that can be used by JavaScript and other web browser scripting languages to transfer XML and other text data between a web server and a browser. Though it can do synchronous fetches, it is almost always asynchronous, due to the greater UI responsiveness.
    • The data returned from XMLHttpRequest calls will often be provided by back-end databases. Besides XML, XMLHttpRequest can be used to fetch data in other formats such as HTML , JSON or plain text .
    • XMLHttpRequest is an important part of the Ajax web development technique, and it is used by many websites to implement responsive and dynamic web applications . Examples of web applications that make use of XMLHttpRequest include Google Maps , Windows Live's Virtual Earth , the MapQuest dynamic map interface, Facebook , and many others.
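The background request of slides 23 and 24 with XMLHttpRequest, as an added example that is not from the slides: fetchSuggestions() asks the server for JSON and hands the parsed result to a callback that updates the page. The XHR class is passed in so the same function runs under Node with the FakeXHR constructed below; a browser would pass window.XMLHttpRequest. The /suggest URL and the response body are assumptions.

```javascript
// Added example, not from the slides: an asynchronous XHR request whose JSON reply
// is handed to a callback. The URL path /suggest is assumed.
function fetchSuggestions(prefix, onResult, XHRClass) {
  var xhr = new XHRClass();
  // encodeURIComponent keeps characters such as & and # in the prefix from changing the query
  xhr.open('GET', '/suggest?q=' + encodeURIComponent(prefix), true); // true = asynchronous
  xhr.onreadystatechange = function () {
    if (xhr.readyState !== 4) return;        // 4 = DONE; earlier states are progress only
    if (xhr.status !== 200) {
      onResult(null, new Error('HTTP ' + xhr.status));
      return;
    }
    try {
      // JSON rather than XML, as slide 24 notes XHR can carry either
      onResult(JSON.parse(xhr.responseText), null);
    } catch (e) {
      onResult(null, e);                     // malformed body from the server
    }
  };
  xhr.send(null);
}

// Constructed stand-in for the browser's XMLHttpRequest so the example runs offline.
// It answers from a fixed table and fires onreadystatechange on send().
var FAKE_RESPONSES = { '/suggest?q=goo': '["google","goose","gooseberry"]' };

function FakeXHR() { this.readyState = 0; this.status = 0; this.responseText = ''; }
FakeXHR.prototype.open = function (method, url) { this.url = url; this.readyState = 1; };
FakeXHR.prototype.send = function () {
  var body = FAKE_RESPONSES[this.url];
  this.status = body === undefined ? 404 : 200;
  this.responseText = body === undefined ? '' : body;
  this.readyState = 4;
  if (this.onreadystatechange) this.onreadystatechange();
};

// Usage with the fake; in a page the callback would rebuild a <ul> from the array.
fetchSuggestions('goo', function (list, err) {
  console.log(err ? 'error: ' + err.message : 'suggestions: ' + list.join(', '));
}, FakeXHR);
```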
