Your SlideShare is downloading. ×
Week 9: Web Security Building Secure Servers
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

Week 9: Web Security Building Secure Servers


Published on

  • Be the first to comment

  • Be the first to like this

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. Week 9: Web Security and JavaScript Building Secure Servers
    • The primary means of avoiding intrusion is to keep up to date with security patches for your OS
    • Secondly, your server should only activate the minimum IP ports to fulfill its function. All others should be disabled
    • Check the system regularly for unusual files or system activity, some tools can automate this (eg. tripwire )
    • Put valuable data on another system, connected with a secure link and protected by a firewall
    • Encrypt valuable data and encrypt traffic over the network to avoid network sniffers
  • 2. Firewalls
    • A firewall is a means of restricting the traffic between the internet and a local area network
    • The firewall server is connected directly to the internet and routes packets from the internet to local machines on a separate network
    • The firewall doesn't allow direct access to any local machine and can block or filter traffic on most IP ports
  • 3. Encryption
    • Encryption is a means of hiding the message being transmitted or stored
    • Key based encryption uses a key of a given size (number of bits) to encrypt the message. More bits means more possible keys and therefore more security There are 3.4 x 10^38 128 bit keys
    • Symmetric or secret key encryption uses the same key to encrypt and decrypt a message
      • But how do we exchange the key securely?
    • Asymmetric or public key encryption uses different keys to encrypt and decrypt. The public key can be published for use by anyone to send me a secret message
  • 4. Using Public Key Cryptography
    • In public key cryptography, each key is used to perform a one-way transformation on the message which only the other key can reverse
    • To exchange a secret message: encrypt with receiver's public key, decrypt with private key
    • To verify senders identity: encrypt with senders private key, if public key decrypts then it's authentic
    • To digitally sign a message: generate a string from the message (use a hashing function) and encrypt this string with your private key
    • To verify the signature we decode the string and verify that it matches the string produced by hashing the message
      • Verifies the sender and the message
  • 5. SSL: Secure Socket Layer
    • To avoid sending sensitive data in clear text over the internet, the SSL standard defines a way of establishing an encrypted IP connection
    • Designed by Netscape Communications Corporation
    • URLs that begin with https indicate an SSL connection
    • SSL is based in public key encryption
    • SSL can be used to forward traffic on any internet port, it can secure telnet, pop, ftp or www traffic
    • SSL is an open standard, implemented in web browsers and for various operating system services
  • 6. Who Needs Secure Services
    • Any e-commerce site where sensitive information is being transferred: credit card numbers, names, addresses, etc
    • Service providers such as Hotmail which store personal data for users
    • Repositories of commercial or restricted materials
    • Requirements range from verifying the identity of users to protecting server side storage and encrypting messages between client and server
  • 7. Verifying Identity
    • We've seen how to use CGI scripts to check a user's password against a stored database
    • While this is adequate for low level security it is prone to abuse
    • One solution is to use SSL to transmit the CGI request: the https protocol. This is implemented by the major browsers and connects to the server using SSL
    • To be more sure of your client's identity you can issue them with a digital certificate based on public key cryptography. This can be sent instead of a cookie by supporting browsers
  • 8. Secure Data Transmission
    • Transmission of sensitive data must use some kind of encryption: SSL via https
      • <form action=&quot;; method=&quot;post&quot;>
      • <INPUT TYPE=&quot;HIDDEN&quot; NAME=&quot;return_to&quot; VALUE=&quot;&quot;> Login Name: <input type=&quot;text&quot; name=&quot;form_loginname&quot; VALUE=&quot;&quot;>
      • Password: <input type=&quot;password&quot; name=&quot;form_pw&quot;>
      • <input type=&quot;submit&quot;>
      • </form>
    • The client might also want some way of verifying your identity: you could send your digital certificate to them
  • 9. Digital Certificates
    • If you want to convince your clients that you are who you say you are then you need to give them something that only you can have
    • A digital certificate is just such a thing. This contains:
      • Your name and contact details
      • Your public key
      • Details of a certifying authority
    • This information is then digitally signed with the public key of the certifying authority
    • The user can check the validity of the message and then use your public key to communicate with you
    • This implies that the certifying authority can be trusted!
  • 10. Example
    • Certificate:
    • Data:
    • Version: 0 (0x0)
    • Serial Number: 0 (0x0)
    • Signature Algorithm: md5withRSAEncryption
    • Issuer: C=ZA, SP=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services,,
    • Validity Not Before: Nov 14 17:15:25 1996 GMT Not After : Dec 14 17:15:25 1996 GMT
    • Subject: C=ZA, SP=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services,,
    • Subject Public Key Info:
    • Public Key Algorithm: rsa Encryption
    • Modulus: 00:9a:92:25:ed:a4:77:69:23:d4:53:05:2b:1f:3a: 55:32:bb:26:de:0a:48:d8:fc:c8:c0:c8:77:f6:5d: 61:fd:1b:33:23:4f:f4:a8:2d:96:44:c9:5f:c2:6e: 45:6a:9a:21:a3:28:d3:27:a6:72:19:45:1e:9c:80: a5:94:ac:8a:67
    • Exponent: 65537 (0x10001)
    • Signature Algorithm: md5withRSAEncryption 7c:8e:7b:58:b9:0e:28:4c:90:ab:20:83:61:9e:ab:78:2b:a4: 54:39:80:7b:b9:d9:49:b3:b2:2a:fe:8a:52:f4:c2:89:0e:5c: 7b:92:f8:cb:77:3f:56:22:9d:96:8b:b9:05:c4:18:01:bc:40: ee:bc:0e:fe:fc:f8:9b:9d:70:e3
  • 11. Security and Client Side Programming
    • Security is a major issue when you allow unknown and untrusted agents to run programs on your computer.
    • There are two general approaches to dealing with this issue:
      • Restrict the things that the client side programs are allowed to do.
      • Implement some kind of validation and verification of the source of programs.
  • 12. Security and Client Side Programming
    • JavaScript takes the first approach, you can't, for example, read and write local files from JavaScript.
    • Other client side languages provide a restricted subset of the full language to untrusted programs. Eg. Java and Safe Tcl .
    • ActiveX takes the second approach. An ActiveX program can do anything but is signed and encrypted to help ensure that it comes from someone you trust.
    • Note that writing to local disk isn't the only security risk. Others include capturing and sending data to remote sites and denial of service.
    • refer to ActiveX security vs. Java security
  • 13. Using JavaScript
    • JavaScript is another scripting language not unlike Perl, Tcl and Python.
    • Has the usual control structures etc.
    • JavaScript variables can hold:
      • Numbers: integer and floating point
      • Booleans: true, false
      • Strings: &quot;Hello World!&quot;
      • Objects: myObj = new Object();
      • Null: empty, no value
      • Undefined: value is not defined
    • The usual range of comparison and arithmetic operators.
    • String concatenation with +: &quot;Age:&quot; + &quot;20&quot; gives &quot;Age: 20&quot;
    • C style conditional operators
  • 14. Example
    • // Script by
    • theDate= new Date();
    • var months = new Array('January','February', 'March','April','May','June','July','August', 'September','October','November','December');
    • var day = theDate.getDate();
    • var textdate = 0;
    • if (theDate.getYear() < 2000) textdate = 1900;
    • textdate = months[theDate.getMonth()] + ' ' + day + ', ' + (theDate.getYear() + textdate);
    • document.write(textdate);
  • 15. Using JavaScript
    • JavaScript code is embedded in web page headers within <script></script> tags.
    • Either embed the script directly (note the use of HTML and Javascript comments):
    • <head> <title> ...</title> <script language=&quot;Javascript&quot;> <!-- // your script goes here //--> </script> </head>
    • Or refer to an external script file:
    • <script language=&quot;Javascript&quot; src=&quot;sample.js&quot;>
  • 16. Javascript Event Handlers
    • Initial Javascript gets called when page is read into browser.
    • Can add calls to Javascript for certain events associated with page elements:
    • <tag attribute1 attribute2 onEventName =&quot;javascript code;&quot;>
    • <!-- eg... -->
    • <a href=&quot;&quot; onClick=&quot;popupFunc();&quot;>
    • <img src=&quot;..&quot; onMouseOver=&quot;rollover();&quot;>
    • <body onLoad=&quot;initialiseSomething();&quot;>
    • <form onSubmit=&quot;validateForm();&quot;>
  • 17. JavaScript and the Browser
    • The most important data structure available to your JavaScript program is the browser and it's model of the current HTML page.
    • These are represented in JavaScript as objects and you can query them and in many cases modify them in your scripts.
    • The HTML page is modelled via the Document Object Model. In the newer browsers (IE 5, NS 6) this is very similar to the XML DOM.
    • Scripts also have access to CSS properties of the document elements.
  • 18. Document Object Model
  • 19. Document Object Model
    • // get the first table in the document table = document.getElementsByTagName(&quot;table&quot;).item(0)
    • // get the first td in the second tr row = table.getElementsByTagName(&quot;tr&quot;).item(2) cell = row.getElementsByTagName(&quot;td&quot;).item(0)
    • // get the contents of the cell txt = cell.childNodes.item(0).nodeValue
    • document.write(txt)
  • 20. Some Javascript Idioms
    • Javascript gets used for many tasks within web pages, look at some of the common examples:
    • Mouseover Actions
    • Form validation
    • Popup windows
    • Ajax
  • 21. Imager Rollovers and Pop Up windows
    • <img name='picture' src=“picture.jpg&quot; onMouseOver=&quot;document.picture.src=‘pic2.jpg'&quot; onMouseOut=&quot;document.picture.src=‘pic1.jpg'&quot;/>
    • <script language=&quot;JavaScript&quot;> function mypopup() { win =;&quot;, &quot;mywindow&quot;, &quot;height=100,width=100&quot;) win.location = &quot;; } </script> ... <a href=&quot;#&quot; onClick=&quot;mypopup()&quot;>Click Here!!!</a>
  • 22. Form Validation
    • While we can validate form data on the server, the user would get a quicker response if we did some work on the client side.
    • Simple checks like incomplete submission and even email validation can be carried out in Javascript.
    • Javascript can also access and create cookies
  • 23. Ajax
    • Asynchronous Javascript and XML
    • The browser requests data from the server in the background
    • The data is used to modify the content of the current page
    • Faster response times since whole pages don't need to reload
    • Basic requirement is XMLHttpRequest
    • Eg: Google Suggest
  • 24. XMLHttpRequest (XHR)
    • XMLHttpRequest ( XHR ) is an API that can be used by JavaScript and other web browser scripting languages to transfer XML and other text data between a web server and a browser. Though it can do synchronous fetches, it is almost always asynchronous, due to the greater UI responsiveness.
    • The data returned from XMLHttpRequest calls will often be provided by back-end databases. Besides XML, XMLHttpRequest can be used to fetch data in other formats such as HTML , JSON or plain text .
    • XMLHttpRequest is an important part of the Ajax web development technique, and it is used by many websites to implement responsive and dynamic web applications . Examples of web applications that make use of XMLHttpRequest include Google Maps , Windows Live's Virtual Earth , the MapQuest dynamic map interface, Facebook , and many others.