Is the Web at Risk?
1. is the web @ risk ?
World Internet Project Meeting 2010
Carlos Serrão
ISCTE-IUL/SoTA/ADETTI-IUL
Instituto Superior de Ciências do Trabalho e da Empresa
Instituto Universitário de Lisboa
School of Technology and Architecture
ADETTI-IUL
carlos.serrao@iscte.pt
carlos.j.serrao@gmail.com
http://www.carlosserrao.net
http://blog.carlosserrao.net
http://www.linkedin.com/in/carlosserrao
2. Is the Web …
… at risk?
… a risk?
… putting YOU at risk?
WHY? HOW?
WHEN?
9. evolving, growing
(diagram axes: network, user)
Column 1:
Small data part on a specific web-site (or limited number of web-sites)
Applications on the desktop
Most data is on the desktop
Data processing on the desktop
Column 2:
Large amounts of data on a large number of sites
Applications on the desktop and Web (more and more)
Part of the data still on desktop (but also mobile)
Data processing on the desktop, but also on the web
Column 3:
Data on the Cloud
Applications on the Web and Cloud
Data almost inexistent on the desktop (still on mobile)
Data processing almost inexistent
12. security++
what do we have today?
anti-virus
anti-malware
anti-spyware
firewalls
intrusion detection systems
…
are they enough?
13. security++
YES, but…
do they protect the user from the web applications?
can a Web application be compromised to hurt legitimate users?
sure it can.
14. security++
How?
Do you trust your favorite web-applications?
Google
Gmail
Do you trust your favorite social-web applications?
Facebook
Twitter
Do you trust your homebanking?
Do you trust your government web-sites?
15. security++
The security perimeter has huge security holes in the application layer
Application Layer: Legacy Systems, Human Resources, Web Services, Directories, Custom Developed Application Code, Databases, Billing
APPLICATION ATTACK
App Server
Web Server
Network Layer: Hardened OS, Firewall, Firewall
24. A2: Cross Site Scripting (XSS)
injecting a malicious payload into the web app from the end-user side so that it is delivered to other users (victims)
25. A2: Cross Site Scripting (XSS)
1 Attacker sets the trap – update my profile
Attacker enters a malicious script into a web page that stores the data on the server
Application with stored XSS vulnerability: Knowledge Mgmt, Communication, Administration, Bus. Functions, E-Commerce, Transactions, Accounts, Finance, Custom Code
2 Victim views page – sees attacker profile
Script runs inside victim’s browser with full access to the DOM and cookies
3 Script silently sends attacker Victim’s session cookie
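Added example (not from the original slides): the stored-XSS steps above modelled in Python, with the vulnerable profile renderer beside a hardened one that HTML-encodes the stored value, plus the cookie flags that limit what a script can reach in step 3. The profile text, markup and cookie name are constructed for illustration.

```python
import html

# Constructed sample: the profile text an attacker saves in step 1 ("update my profile").
MALICIOUS_PROFILE = 'Bob <script>alert("xss")</script>'


def render_profile_vulnerable(display_name: str) -> str:
    """Stored XSS: the saved text is concatenated straight into the page, so the
    <script> the attacker stored runs in every viewer's browser (step 2)."""
    return "<div class='profile'>" + display_name + "</div>"


def render_profile_safe(display_name: str) -> str:
    """Hardened renderer: HTML-encode the stored value for both the element-body and
    the attribute context, so the browser shows '<script>' as text instead of running it."""
    safe = html.escape(display_name, quote=True)
    return f"<div class='profile' title='{safe}'>{safe}</div>"


def session_cookie_header(session_id: str) -> str:
    """Defence in depth for step 3: HttpOnly hides the cookie from document.cookie,
    Secure keeps it off plain HTTP, SameSite=Lax limits cross-site sends."""
    return f"Set-Cookie: SESSIONID={session_id}; HttpOnly; Secure; SameSite=Lax; Path=/"


def has_script_tag(markup: str) -> bool:
    """Crude check used only to contrast the two renderers."""
    return "<script" in markup.lower()
```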
26. A5: Cross Site Request Forgery (CSRF)
an attacker can build their own malicious website and initiate requests from the user’s browser
27. A5: Cross Site Request Forgery (CSRF)
1 Attacker sets the trap on some website on the internet (or simply via an e-mail)
Hidden <img> tag contains attack against vulnerable site
Application with CSRF vulnerability: Knowledge Mgmt, Communication, Administration, Bus. Functions, Transactions, E-Commerce, Accounts, Finance, Custom Code
2 While logged into vulnerable site, victim views attacker site
<img> tag loaded by browser – sends GET request (including credentials) to vulnerable site
3 Vulnerable site sees legitimate request from victim and performs the action requested
28. A5: Cross Site Request Forgery (CSRF)
Alice: transfers 100€ to Bob through bank.com
POST http://bank.com/transfer.do HTTP/1.1
...
...
...
Content-Length: 19

acct=BOB&amount=100
Pirate: realizes that the same bank.com web application can execute the transfer using a URL with parameters
GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1
Pirate: will try to use Alice to transfer 100.000€ to its own account
http://bank.com/transfer.do?acct=MARIA&amount=100000
Pirate: sends an HTML email to Alice with a URL to click
<a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a>
or sends an HTML email to Alice with an image to hide the attack
<img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0">
Alice: if Alice is authenticated at bank.com with an active session, the transfer is performed
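Added example (not the slides' own code, nor any real bank.com code): a hardened transfer.do handler in Python that refuses the forged requests above. It only accepts POST (the <a> and <img> tricks can only issue GET), checks the Origin header when the browser sends one, and requires a per-session synchronizer token that the attacker's page cannot read. The session store, origin and token handling are constructed assumptions.

```python
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

# Constructed in-memory session store: cookie value -> session data.
SESSIONS: Dict[str, Dict[str, str]] = {}
SITE_ORIGIN = "http://bank.com"


def login(user: str) -> str:
    """Create a session for `user` and mint a per-session synchronizer token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return session_id


def csrf_token_for(session_id: str) -> str:
    """Token the bank's own transfer form embeds as a hidden field."""
    return SESSIONS[session_id]["csrf"]


def handle_transfer(method: str, params_str: str, cookie: Optional[str],
                    headers: Optional[Dict[str, str]] = None) -> str:
    """Hardened transfer.do. `params_str` is the query string (GET) or form body (POST).
    Returns a status line instead of a full HTTP response."""
    headers = headers or {}
    session = SESSIONS.get(cookie or "")
    if session is None:
        return "401 not authenticated"
    # 1. State changes only via POST: the <a>/<img> tricks in the slide can only send GET.
    if method != "POST":
        return "405 transfers require POST"
    # 2. Origin header, when the browser sends one, must be the bank's own site.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return "403 cross-site origin"
    params = {k: v[0] for k, v in parse_qs(params_str).items()}
    # 3. Synchronizer token bound to the session; compared in constant time.
    token = params.get("csrf", "")
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return "403 csrf token missing or invalid"
    acct, amount = params.get("acct"), params.get("amount")
    if acct is None or amount is None or not amount.isdigit():
        return "400 bad parameters"
    return f"200 {session['user']} transferred {amount} to {acct}"
```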
29. consequences
This is serious!!!
And we are just
looking at the
tip of the
iceberg!
30. [quick] conclusions
Extra care with the web applications you trust with your data
Extra care in the way you handle your email
Always be suspicious of something “strange” on the web
WebApp developers, take care with what you do – your code is part of the security perimeter