Unit 08: Security for Web Applications


Published on

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Unit 08: Security for Web Applications

  1. 1. Unit 8: Security for Web Applications Security is fundamentally about protecting assets (data, hardware, reputation, etc.). Therefore you should  Identify potential threats  Detect and fix vulnerabilities  Know how to react to an attack A threat is any potential occurrence, malicious or otherwise, that could harm an asset. A vulnerability is a weakness that makes a threat possible, due to poor design, configuration mistakes, and/or inappropriate and insecure coding techniques. An attack is an action that exploits a vulnerability or enacts a threat. Examples:  sending malicious input to an application  flooding a network in an attempt to deny service.dsbw 2011/2012 q1 1
  2. 2. Foundations of Security Authentication (who are you?): the process of uniquely identifying the clients of your applications and services. Authorization (what can you do?): the process that governs the resources and operations that the authenticated client is permitted to access. Non-repudiation: guarantees that a user cannot deny performing an operation or initiating a transaction. Confidentiality: the process of making sure that data remains private and confidential, and that it cannot be viewed by unauthorized people. Integrity: the guarantee that data is protected from accidental or deliberate (malicious) modification. Availability: systems remain available for legitimate users.dsbw 2011/2012 q1 2
  3. 3. Main Threat Categories: poofing: Attempting to gain access to a system by using a false identity, eg. using stolen user credentials or a false IP address. ampering: Unauthorized modification of data, for example as it flows over a network between two computers. epudiation: The ability of users (legitimate or otherwise) to deny that they performed specific actions or transactions. Without adequate auditing, repudiation attacks are difficult to prove nformation disclosure: Unwanted exposure of private data. enial of service: The process of making a system or application unavailable. levation of privilege: Occurs when a user with limited privileges assumes the identity of a privileged user to gain privileged access to an application.dsbw 2011/2012 q1 3
  4. 4. STRIDE CountermeasuresSpoofing user identity Use strong authentication. Do not store secrets (eg., passwords) in plaintext. Do not pass credentials in plaintext over the wire. Protect authentication cookies with SSL.Tampering with data Use data hashing and signing. Use digital signatures. Use tamper-resistant protocols Use protocols that provide message integrity.Repudiation Create secure audit trails. Use digital signatures.Information disclosure Use strong authorization. Use strong encryption. Use protocols that provide message confidentiality. Do not store secrets in plaintext.Denial of service Use resource and bandwidth throttling techniques. Validate and filter input.Elevation of privilege The principle of least privilege: use least privileged accounts to run processes and access resources.dsbw 2011/2012 q1 4
  5. 5. Core Web Application Security PrinciplesCompartmentalize Create different security boundaries, zones, with their own policiesUse least privilege Run processes using accounts with minimal privileges and access rightsApply defense in depth Use multiple gatekeepers to keep attackers at bay, do not rely on a single layer of securityDo not trust user input Assume all input is malicious until proven otherwiseCheck at the gate Authenticate and authorize callers early — at the first gateFail securely If an application fails, do not leave sensitive data accessible. Return friendly errors to end users that do not expose internal system details.Secure the weakest Identify it, strengthen it, fix itlinkCreate secure defaults Make default users/actions/authorizations set up with least privilegeReduce your attack Disable or remove unused services, protocols, andsurface functionality.dsbw 2011/2012 q1 5
  6. 6. Web Application Security: The Three-Tiered Approachdsbw 2011/2012 q1 6
  7. 7. Integrating Security in the WebApp Processdsbw 2011/2012 q1 7
  8. 8. The RACI Chart(Responsible, Accountable, Consulted, Kept Informed) System Security Tasks Architect Developer Tester Administrator Professional Security Policies R A Threat Modeling A I I R Security Design Principles A I I C Security Architecture A C R Architecture and Design R A Review Code Development A R Technology Specific Threats A R Code Review R I A Security Testing C I A C Network Security C R A Host Security C A I R Application Security C I A R Deployment Review C R I I Adsbw 2011/2012 q1 8
  9. 9. Network Threats and CountermeasuresThreat Description CountermeasureInformation Port scanning and footprinting to Configure routers to restrict theirGathering detect device types and vulnerable responses to footprinting requests. operating systems and application Disable unused protocols and versions. unnecessary ports.Sniffing Monitoring traffic on the network for Use encrypted protocols (SSL, data such as plaintext passwords or IPSec) configuration informationSpoofing Hiding one’s true identity on the Filter packets network by using fake source addressesSession Deceiving a server or a client into Use encrypted session negotiationHijacking accepting the upstream host as the and communication channels. actual legitimate hostDenial of Denying legitimate users access to a Increase the size of the TCPService server or services, e.g by sending connection queue, decrease the more requests to a server than it can connection establishment period, handle (SYN flood attack) and employ dynamic backlog mechanisms.dsbw 2011/2012 q1 9
  10. 10. Host Threats and CountermeasuresThreat Description CountermeasureViruses, Trojan horses, Updated service packs andand worms software patchesFootprinting port scans, ping sweeps, and Disable unnecessary NetBIOS enumeration to protocols and ports glean valuable system-level informationPassword Cracking Use strong passwords, limit the number of retry attempts, do not use default account namesDenial of Service Deviate traffic to other hostsArbitrary Code Execution Executing malicious code on Lock down system your server by using buffer commands and utilities overflow attacks.Unauthorized Access Unauthorized access to Lock down files and folders restricted information or with restricted permissions. operationsdsbw 2011/2012 q1 10
  11. 11. Application ThreatsCategory ThreatsInput validation Buffer overflow; cross-site scripting; SQL injection; canonicalizationAuthentication Network eavesdropping; brute force attacks; dictionary attacks; cookie replay; credential theftAuthorization Elevation of privilege; disclosure of confidential data; data tampering; luring attacksConfiguration Unauthorized access to administration interfaces; unauthorized accessmanagement to configuration stores; retrieval of clear text configuration data; lack of individual accountability; over-privileged process and service accountsSensitive data Access sensitive data in storage; network eavesdropping; data tamperingSession management Session hijacking; session replay; man in the middleCryptography Poor key generation or key management; weak or custom encryptionParameter manipulation Query string manipulation; form field manipulation; cookie manipulation; HTTP header manipulationException management Information disclosure; denial of serviceAuditing and logging User denies performing an operation; attacker exploits an application without trace; attacker covers his or her tracksdsbw 2011/2012 q1 11
  12. 12. Application CountermeasuresCategory CountermesuresInput Validation Do not trust input; consider centralized input validation. Do not rely on client-side validation. Be careful with canonicalization issues. Constrain. reject, and sanitize input. Validate for type, length, format, and range.Authentication Partition site by anonymous, identified, and authenticated area. Use strong passwords. Support password expiration periods and account disablement. Do not store credentials (use one-way hashes with salt). Encrypt communication channels to protect authentication tokens. Pass Forms authentication cookies only over HTTPS connections.Authorization Use least privileged accounts. Consider authorization granularity. Enforce separation of privileges. Restrict user access to system-level resources.Configuration Use least privileged process and service accounts. Do not storeManagement credentials in plaintext. Use strong authentication and authorization on administration interfaces. Do not use the LSA. Secure the communication channel for remote administration. Avoid storing sensitive data in the Web space.Sensitive Data Avoid storing secrets. Encrypt sensitive data over the wire. Secure the communication channel. Provide strong access controls on sensitive data stores. Do not store sensitive data in persistent cookies. Do not pass sensitive data using the HTTP-GET protocol.dsbw 2011/2012 q1 12
  13. 13. Application Countermeasures (cont.)Category CountermeasuresSession Management Limit the session lifetime. Secure the channel. Encrypt the contents of authentication cookies. Protect session state from unauthorized access.Cryptography Do not develop your own. Use tried and tested platform features. Keep unencrypted data close to the algorithm. Use the right algorithm and key size. Avoid key management (use DPAPI). Cycle your keys periodically. Store keys in a restricted location.Parameter Manipulation Encrypt sensitive cookie state. Do not trust fields that the client can manipulate (query strings, form fields, cookies, or HTTP headers). Validate all values sent from the client.Exception Management Use structured exception handling. Do not reveal sensitive application implementation details. Do not log private data such as passwords. Consider a centralized exception management framework.Auditing and Logging Identify malicious behavior. Know what good traffic looks like. Audit and log activity through all of the application tiers. Secure access to log files. Back up and regularly analyze log files.dsbw 2011/2012 q1 13
  14. 14. Web Application Security: Summarydsbw 2011/2012 q1 14
  15. 15. Cryptography “ The coding of messages so as to render them unintelligible to other than authorized recipients. Many techniques are known for the conversion of the original message, known as plaintext, into its encrypted form, known as ciphertext, cipher, or code ” Dictionary of Computing. Oxford University Press, 2004dsbw 2011/2012 q1 15
  16. 16. Roles for Cryptography Authentication: Digital signatures can be used to identify a participant in a web transaction or the author of an email message Authorization: Cryptographic techniques can be used to distribute a list of authorized users that is all but impossible to falsify. Confidentiality: Encryption is used to scramble information sent over networks and stored on servers so that eavesdroppers cannot access the datas content Integrity: Methods that are used to verify that a message has not been modified while in transit. Often, this is done with digitally signed message digest codes. Nonrepudiation: Cryptographic receipts are created so that an author of a message cannot realistically deny sending a messagedsbw 2011/2012 q1 16
  17. 17. Symmetric Key Cryptographydsbw 2011/2012 q1 17
  18. 18. Public Key (aka Asymmetric) Cryptographydsbw 2011/2012 q1 18
  19. 19. Authentication with Public Key Cryptographydsbw 2011/2012 q1 19
  20. 20. Digital envelopedsbw 2011/2012 q1 20
  21. 21. Cryptography-based Internet Protocols Virtual Private Networks (VPN)  Internet Protocol Security (IPSEC)  Point-to-Point Tunneling Protocol (PPTP)  Layer Two Forwarding (L2F)  Layer Two Tunneling Protocol (L2TP) E-mail Encryption  Secure Multipurpose Internet Mail Extensions (S/MIME)  Pretty Good Privacy WWW i e-commerce  SSL/TSL  Secure Electronic Transaction (SET)dsbw 2011/2012 q1 21
  22. 22. SSL/TSL SSL – Secure Socket Layer TLS – Transport Layer Security Both provide a secure transport connection between clients and servers:  Authentication of the server, using digital signatures  Authentication of the client, using digital signatures  Data confidentiality through the use of encryption  Data integrity through the use of message authentication codes History:  SSL was developed by Netscape  SSL version 3.0 has been widely used on the Internet  SSL evolved into TLS (RFC 2246)  TLS can be viewed as SSL v3.1dsbw 2011/2012 q1 22
  23. 23. SSL architecture SSL SSL Change SSL applications Handshake Cipher Spec Alert (e.g., HTTP) Protocol Protocol Protocol SSL Record Protocol TCP IPdsbw 2011/2012 q1 23
  24. 24. SSL Components SSL Record Protocol  fragmentation  compression  message authentication and integrity protection  encryption SSL Handshake Protocol  negotiation of security algorithms and parameters  key exchange  server authentication and optionally client authentication SSL Alert Protocol  error messages (fatal alerts and warnings) SSL Change Cipher Spec Protocol  a single message that indicates the end of the SSL handshakedsbw 2011/2012 q1 24
  25. 25. SSL sessions and connections An SSL session is an association between a client and a server SSL sessions are stateful: the session state includes security algorithms and parameters A SSL session may include multiple secure connections between the same client and server SSL sessions are used to avoid expensive negotiation of new security parameters for each connectiondsbw 2011/2012 q1 25
  26. 26. SSL Record Protocol: Processing application data fragmentation SSLPlaintext type version length compression SSLCompressed type version length msg authentication and encryption (with padding if necessary) SSLCiphertext type version length MAC paddingdsbw 2011/2012 q1 26
  27. 27. SSL Handshake Protocol client server client_hello Phase 1: Negotiation of the session ID, key exchange server_hello algorithm, MAC algorithm, encryption algorithm, and exchange of initial random numbers certificate Phase 2: Server may send its certificate and key server_key_exchange exchange message, and it may request the client certificate_request to send a certificate. Server signals end of hello phase. server_hello_done certificate Phase 3: Client sends certificate if requested and may client_key_exchange send an explicit certificate verification message. certificate_verify Client always sends its key exchange message. change_cipher_spec finished Phase 4: Change cipher spec and finish handshake change_cipher_spec finisheddsbw 2011/2012 q1 27
  28. 28. References http://www.w3.org/Security/Faq/www-security-faq.html Web Security, Privacy & Commerce, 2nd Edition, by Simson Garfinkle with Gene Spafford, OReilly, 2001. Improving Web Application Security: Threats and Countermeasures, by Microsoft Corporation, Microsoft Press, 2003dsbw 2011/2012 q1 28