SlideShare a Scribd company logo

Web application security part 02

Download as PPTX, PDF
G
G Prachi

The document discusses various topics related to web application security including authenticating users, SSL protocol, padlock icons, user interface attacks, and Pretty Good Privacy (PGP). It provides details on cookie-based and token-based authentication, how SSL works to establish encrypted links, different padlock icons and what they indicate, types of user interface attacks like clickjacking and cursorjacking, and how PGP provides authentication, confidentiality, compression and compatibility for securing emails.

Technology
1 of 41
Web Application Security Part - 02
List of Topics • Authenticating Users • The SSL Protocol • The lock icon • User Interface Attacks • Pretty Good Privacy
Authenticating Users
Authenticating Users • Authenticating user is a process to check genuineness of the user • User Authentication can be done in following ways 1. Cookie Based Authentication 2. Token Based Authentication
Cookie Based Authentication • Cookie based authentication is considered as stateful authentication method (Server based authentication). • In here, it is needed to store authentication records in client side and server side both. • Server basically keeps and maintains active session details in the data storage and front end cookie will be created to hold session identifier. • The main disadvantage of using this authentication method is, server has to store all the session data for each and every user and increases the overhead in the server.
Flow of Cookie Based Authentication 1. Enter login credentials 2. Server verifies given credentials, creates a session and stores in database. 3. Cookie + Session ID will be kept in client side(User browser) 4. For consequent requests, session ID will be verified against database. 5. Session will be destroyed from client and server side once the use logs out.
Token Based Authentication • This is the mostly used authentication methods which is suitable for single page applications, web APIs and for IOT development • Token based authentication is defined as stateless and server does not keep records about the user logged in. But the token will be generated using credentials provided. • The main advantage of token based authentication is client side and server side is decoupled for the authentication mechanism which can provide an uninterrupted workflow. • No session information stored means simply your application can scale and add more machines as necessary without worrying about where the user logged in
Flow of Token Based Authentication 1. User provides credentials 2. Server verifies credentials and returns a signed token. 3. Token is stored in client side 4. Subsequent requests to the server will be sent with the token as authentication header (HTTP header). 5. Server verifies the token (JSON web token) and return required data. 6. Token is destroyed in client, once the user logs out.
The SSL Protocol
What is SSL? • SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication. • The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted.
What is SSL Certificate? • SSL or TLS (Transport Layer Security) certificates are data files that bind a cryptographic key to the details of an organization. • When SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. • The website's URL is prefixed with "https" instead of "http" and a padlock is shown on the address bar. If the website uses an extended validation (EV) certificate, then the browser may also show a green address bar.
What is SSL used for? • The SSL protocol is used by millions of online business to protect their customers, ensuring their online transactions remain confidential. • A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. • All web browsers have the ability to interact with secured sites so long as the site's certificate is issued by a trusted CA.
How SSL Works? 1. An end-user asks their browser to make a secure connection to a website 2. The browser obtains the IP address of the site from a DNS server then requests a secure connection to the website. 3. To initiate this secure connection, the browser requests that the server identifies itself by sending a copy of its SSL certificate to the browser.
How SSL Works? 4. The browser checks the certificate to ensure: 1. That it is signed by a trusted CA 2. That it is valid - that it has not expired or been revoked 3. That it confirms to required security standards on key lengths and other items. 4. That the domain listed on the certificate matches the domain that was requested by the user. 5. When the browser confirms that the website can be trusted, it creates a symmetric session key which it encrypts with the public key in the website's certificate. The session key is then sent to the web server.
How SSL Works? 6. The web server uses its private key to decrypt the symmetric session key. 7. The server sends back an acknowledgement that is encrypted with the session key. 8. From now on, all data transmitted between the server and the browser is encrypted and secure.
Padlock Icon in browsers
Padlock Icon in browsers • As part of its security features, web browsers uses a special set of symbols that alerts users to a website's validity. • Shown in the left corner of the address bar, these icons provide vital information about a site's certificates and connections.
Decoding the Padlock Icons on Google Chrome • The different padlocks and icons shown next to the URL bar on Google Chrome let you know whether a site uses TLS or SSL certificates. • These certificates allow you to distinguish between a valid site and an invalid one. • Padlock types include Green Lock Icon, Yellow exclamation Point, Blank Page Icon, Lock icon with Yellow Triangle and Red Padlock Icon
Padlock Icons Green Padlock Icon • The green padlock indicates that a webpage connection is secure. This means that a website's identity has been verified by a trusted third-party authority and that it has a valid certificate for the URL that you're trying to reach. • Site certificates are produced by any website that requires some sort of authentication (such as a username and password) to access a page's full services. An easy way to tell if a site is secure is to check its URL — encrypted sites (those that use SSL) will usually begin with https, while non-encrypted sites use an http URL.
Padlock Icons Yellow Exclamation Point • A yellow exclamation mark indicates that the website has not provided the browser with a certificate. This is normal for regular HTTP sites, as certificates are only usually provided if the site uses SSL. Blank Page Icon • Any "normal" http websites, will be shown with a blank page icon displayed before it. These pages can be accessed without prior authentication.
Padlock Icons Lock Icon with Yellow Triangle • A lock icon with a yellow triangle indicates that Chrome can see a site's certificate but that the site has weak security. In this case, we recommended that you proceed with caution, as your connection may not be private. Red Padlock Icon • If you see a red padlock with an x next to a URL, this is an indication of problems with a site's certificate. Exercise extreme caution when proceeding onto the site — refrain from entering any personal data or sensitive information. It is likely that somebody is trying to impersonate the requested website in order to capture your information.
Certificate of a Web Page • If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics: 1. the web site address matches the address on the certificate 2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority
How to check a Certificate • A secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. 1. who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). 2. who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect. 3. expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years.
User Interface Attacks
User Interface Attacks • In systems where multiple applications or websites share the same display, the user can be tricked to interact with false UI elements. • For example, a malicious website may be able to draw an overlay over a button that causes the user click the button unintentionally. • Such attacks are called clickjacking or UI redressing.
How Clickjacking Works • Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions. • A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. • On a clickjacked page, the attackers load another page over it in a transparent layer.
How Clickjacking Works • The users think that they are clicking visible buttons, while they are actually performing actions on the invisible page. • The hidden page may be an authentic page. • Therefore, the attackers can trick users into performing actions which the users never intended.
Cursorjacking • Cursorjacking is a variant of Clickjacking Attack. • Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr • Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich by hiding the cursor. • Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying. • A second CursorJacking vulnerability was again discovered by Jordi Chancel in Mozilla Firefox on Mac OS X systems (fixed in Firefox 37.0) using once again Flash, HTML and JavaScript code which can lead also to the spying of the webcam and the execution of a malicious addon allowing the execution of a malware on the computer of the trapped user.
Password Manager Attack • A 2014 paper from researcher at the Carnegie Mellon University discooovered this attack. • He found that while browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. • Most managers did not protect against iFrame- and redirection-based attacks and exposed additional passwords where password synchronization had been used between multiple devices.
Pretty Good Privacy (PGP)
Pretty Good Privacy (PGP) • PGP is an open source, freely available software package for E-mail security • PGP has grown very quickly and now is widely used. Reasons for it’s growth are: 1. It is freely available worldwide in versions that run on variety of platforms. In addition commercial versions provides vendor support. 2. The package includes RSA, DSS, and Diffie-Hellman for public- key encryption, CAST-128, IDEA, and 3DES for symmetric encryption, and SHA-1 for hash coding.
Operational Description of PGP • Authentication • Confidentiality • Compression • E-Mail Compatibility • Segmentation
Authentication • This is achieved through Digital Signature Service provided by PGP 1. The sender creates a message 2. SHA-1 is used to generate 160 bit hash code of the message 3. The hash code is encrypted with RSA using the sender’s private key, and the result is prepended to the message. 4. The receiver uses RSA with the sender’s public key to decrypt and recover the hash code. 5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
Confidentiality • PGP another service is confidentiality, which is encrypting messages for transmitting or to store files locally. • In both cases, the symmetric encryption algorithm CAST-128 may be used. Alternatively, IDEA or 3DES may be used. And the 64-bit cipher feedback (CFB) mode is used. • In PGP, each symmetric key is used only once. The session key is bound to the message. To protect the key, it is encrypted with the receiver’s public key.
Confidentiality 1. The sender generates a message and a random 128-bit number to be used as a session key for this message only. 2. The message is encrypted using CAST-128 (or IDEA or 3DES) with the session key. 3. The session key is encrypted with RSA using the recipient’s public key and is prepended to the message. 4. The receiver uses RSA with its private key to decrypt and recover the session key. 5. The session key is used to decrypt the message.
Compression • PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for e-mail transmission and for file storage. • The signature is generated before compression for two reasons: 1. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. 2. If you generate signature after compression then there is a need recompression for message verification, PGP’s compression algorithm presents a difficulty.
Compression • Message encryption is applied after compression to strengthen cryptographic security. Therefore cryptanalysis is more difficult. • The compression algorithm used here is ZIP Algorithm
E-Mail Compatibility • The resulting message block consists of a stream of arbitrary 8-bit octets. • However, many electronic mail systems only permit the use of blocks consisting of ASCII text. • To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters • The scheme used for this purpose is radix-64 conversion. Each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors.
E-Mail Compatibility • The use of radix 64 expands a message by 33%. Fortunately, the session key and signature portions of the message are relatively compact, and the plaintext message has been compressed. • In fact, the compression should be more than enough to compensate for the radix-64 expansion
Segmentation and Reassembly • E-mail facilities often are restricted to a maximum length. To accommodate this, PGP automatically subdivides a messsage that is too large into segments that are small enough to send via e-mail. • The segmentation is done after all of the other processing, including the radix-64 conversion.
Summary of PGP Services Function Algorithm Used Description Digital Signature DSS/SHA or RSA/SHA A hash code of message is created using SHA-1. this message digest is encrypted using DSS or SHA using the senders private key and is included with the message Message Encryption CAST or IDEA or Three Key Triple DES with Diffie Hellman or RSA A message is encrypted using CAST-128 or IDEA or 3DES with a one time session key generated by the sender. The session Key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message. Compression ZIP A message may be compressed for storage or transmission using ZIP E-Mail Compatibility Radix-64 Conversion To provide transparency for e-mail applications, an encrypted message may be converted to an asci string using radix-64 conversion

Recommended

Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
G Prachi
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
G Prachi
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
G Prachi
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
Information Technology
 
User authentication
User authenticationUser authentication
User authentication
CAS
 
Ch03 Protecting Systems
Ch03 Protecting SystemsCh03 Protecting Systems
Ch03 Protecting Systems
Information Technology
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
Information Technology
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Sachintha Gunasena
 

Recommended

Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security models
G Prachi
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
G Prachi
 
Dealing with legacy code
Dealing with legacy codeDealing with legacy code
Dealing with legacy code
G Prachi
 
Ch08 Authentication
Ch08 AuthenticationCh08 Authentication
Ch08 Authentication
Information Technology
 
User authentication
User authenticationUser authentication
User authentication
CAS
 
Ch03 Protecting Systems
Ch03 Protecting SystemsCh03 Protecting Systems
Ch03 Protecting Systems
Information Technology
 
Ch04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and AttacksCh04 Network Vulnerabilities and Attacks
Ch04 Network Vulnerabilities and Attacks
Information Technology
 
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & EncryptionEntrepreneurship & Commerce in IT - 11 - Security & Encryption
Entrepreneurship & Commerce in IT - 11 - Security & Encryption
Sachintha Gunasena
 
Authentication
AuthenticationAuthentication
Authentication
primeteacher32
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
Information Technology
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
Geevarghese Titus
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
Information Technology
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
Nishant Pawar
 
Data security authorization and access control
Data security authorization and access controlData security authorization and access control
Data security authorization and access control
Leo Mark Villar
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
David Johansson
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 

More Related Content

What's hot

Authentication
AuthenticationAuthentication
Authentication
primeteacher32
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
newbie2019
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
EduclentMegasoftel
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
yashwanthlavu
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
Priyanka Aash
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
Information Technology
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
Sam Bowne
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
Geevarghese Titus
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
ArthyR3
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
Shah Sheikh
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
Information Technology
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
Mark Jayson Fuentes
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
Sam Bowne
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
TriNimbus
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
Nishant Pawar
 
Data security authorization and access control
Data security authorization and access controlData security authorization and access control
Data security authorization and access control
Leo Mark Villar
 
Intruders
IntrudersIntruders
Intruders
Dr.Florence Dayana
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9koolkampus
 

What's hot (19)

Authentication
AuthenticationAuthentication
Authentication
 
Chapter 13 web security
Chapter 13 web securityChapter 13 web security
Chapter 13 web security
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
WEB APPLICATION SECURITY
WEB APPLICATION SECURITYWEB APPLICATION SECURITY
WEB APPLICATION SECURITY
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing
 
Ch09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability AssessmentsCh09 Performing Vulnerability Assessments
Ch09 Performing Vulnerability Assessments
 
Ch02 System Threats and Risks
Ch02 System Threats and RisksCh02 System Threats and Risks
Ch02 System Threats and Risks
 
5. Identity and Access Management
5. Identity and Access Management5. Identity and Access Management
5. Identity and Access Management
 
Introduction to cyber security
Introduction to cyber securityIntroduction to cyber security
Introduction to cyber security
 
Cs8792 cns - unit v
Cs8792 cns - unit vCs8792 cns - unit v
Cs8792 cns - unit v
 
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
DTS Solution - Yehia Mamdouh - Release your pet worm on your infrastructure....
 
Ch05 Network Defenses
Ch05 Network DefensesCh05 Network Defenses
Ch05 Network Defenses
 
A new web application vulnerability assessment framework
A new web application vulnerability assessment frameworkA new web application vulnerability assessment framework
A new web application vulnerability assessment framework
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017
 
INFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITYINFORMATION AND CYBER SECURITY
INFORMATION AND CYBER SECURITY
 
Data security authorization and access control
Data security authorization and access controlData security authorization and access control
Data security authorization and access control
 
Intruders
IntrudersIntruders
Intruders
 
Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9Intruders and Viruses in Network Security NS9
Intruders and Viruses in Network Security NS9
 

Similar to Web application security part 02

O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
Bixlabs
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
David Johansson
 
Web security
Web securityWeb security
Web security
Muhammad Usman
 
All About SSL/TLS
All About SSL/TLSAll About SSL/TLS
All About SSL/TLS
RapidSSLOnline.com
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
Dumindu Pahalawatta
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
Arash Ramez
 
Symantec SSL Explained
Symantec SSL ExplainedSymantec SSL Explained
Symantec SSL Explained
Symantec Website Security
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
Peter LaFond
 
Https
HttpsHttps
Https
Billa Kota Sriram
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
Cleo
 
The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
awakish
 
Understanding transport-layer_security__ssl
Understanding transport-layer_security__sslUnderstanding transport-layer_security__ssl
Understanding transport-layer_security__ssl
Mainak Goswami
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
GlobalSign
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Access
bluntm64
 
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
Mohammad Yousri
 
Digital certificate
Digital certificateDigital certificate
Digital certificate
Komal Agarwal
 
Ssl
SslSsl
Ssl
huia
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan84
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
rhassan84
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
JUSTSTYLISH3B2MOHALI
 

Similar to Web application security part 02 (20)

O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David JohanssonInfoSecurity Europe 2015 - Identities Exposed by David Johansson
InfoSecurity Europe 2015 - Identities Exposed by David Johansson
 
Web security
Web securityWeb security
Web security
 
All About SSL/TLS
All About SSL/TLSAll About SSL/TLS
All About SSL/TLS
 
Introduction to Information Security
Introduction to Information SecurityIntroduction to Information Security
Introduction to Information Security
 
Certificate pinning in android applications
Certificate pinning in android applicationsCertificate pinning in android applications
Certificate pinning in android applications
 
Symantec SSL Explained
Symantec SSL ExplainedSymantec SSL Explained
Symantec SSL Explained
 
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
WordCamp Raleigh 2017 - Move from HTTP to HTTPS or become irrelevant - Peter ...
 
Https
HttpsHttps
Https
 
SSL Communication and Mutual Authentication
SSL Communication and Mutual AuthenticationSSL Communication and Mutual Authentication
SSL Communication and Mutual Authentication
 
The Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptxThe Importance of Monitoring SSL Certificates _ Awakish.pptx
The Importance of Monitoring SSL Certificates _ Awakish.pptx
 
Understanding transport-layer_security__ssl
Understanding transport-layer_security__sslUnderstanding transport-layer_security__ssl
Understanding transport-layer_security__ssl
 
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and SecurityHow Cloud-Based Service Providers Can Integrate Strong Identity and Security
How Cloud-Based Service Providers Can Integrate Strong Identity and Security
 
Digital Certificates and Secure Web Access
Digital Certificates and Secure Web AccessDigital Certificates and Secure Web Access
Digital Certificates and Secure Web Access
 
The world of encryption
The world of encryptionThe world of encryption
The world of encryption
 
Digital certificate
Digital certificateDigital certificate
Digital certificate
 
Ssl
SslSsl
Ssl
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
Impact of digital certificate in network security
Impact of digital certificate in network securityImpact of digital certificate in network security
Impact of digital certificate in network security
 
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdfI would appreciate help with these 4 questions. Thank You.1) Expla.pdf
I would appreciate help with these 4 questions. Thank You.1) Expla.pdf
 

More from G Prachi

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
G Prachi
 
Security risk management
Security risk managementSecurity risk management
Security risk management
G Prachi
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
G Prachi
 
Network defenses
Network defensesNetwork defenses
Network defenses
G Prachi
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
G Prachi
 
Basic web security model
Basic web security modelBasic web security model
Basic web security model
G Prachi
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
G Prachi
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
G Prachi
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
G Prachi
 
Administering security
Administering securityAdministering security
Administering security
G Prachi
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
G Prachi
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
G Prachi
 
Program security
Program securityProgram security
Program security
G Prachi
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
G Prachi
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
G Prachi
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
G Prachi
 
Computation systems for protecting delimited data
Computation systems for protecting delimited dataComputation systems for protecting delimited data
Computation systems for protecting delimited data
G Prachi
 
Survey of file protection techniques
Survey of file protection techniquesSurvey of file protection techniques
Survey of file protection techniques
G Prachi
 
Protection models
Protection modelsProtection models
Protection models
G Prachi
 

More from G Prachi (20)

The trusted computing architecture
The trusted computing architectureThe trusted computing architecture
The trusted computing architecture
 
Security risk management
Security risk managementSecurity risk management
Security risk management
 
Malicious software and software security
Malicious software and software securityMalicious software and software security
Malicious software and software security
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Network protocols and vulnerabilities
Network protocols and vulnerabilitiesNetwork protocols and vulnerabilities
Network protocols and vulnerabilities
 
Basic web security model
Basic web security modelBasic web security model
Basic web security model
 
Least privilege, access control, operating system security
Least privilege, access control, operating system securityLeast privilege, access control, operating system security
Least privilege, access control, operating system security
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Control hijacking
Control hijackingControl hijacking
Control hijacking
 
Computer security concepts
Computer security conceptsComputer security concepts
Computer security concepts
 
Administering security
Administering securityAdministering security
Administering security
 
Database security and security in networks
Database security and security in networksDatabase security and security in networks
Database security and security in networks
 
Protection in general purpose operating system
Protection in general purpose operating systemProtection in general purpose operating system
Protection in general purpose operating system
 
Program security
Program securityProgram security
Program security
 
Elementary cryptography
Elementary cryptographyElementary cryptography
Elementary cryptography
 
Information security introduction
Information security introductionInformation security introduction
Information security introduction
 
Technology, policy, privacy and freedom
Technology, policy, privacy and freedomTechnology, policy, privacy and freedom
Technology, policy, privacy and freedom
 
Computation systems for protecting delimited data
Computation systems for protecting delimited dataComputation systems for protecting delimited data
Computation systems for protecting delimited data
 
Survey of file protection techniques
Survey of file protection techniquesSurvey of file protection techniques
Survey of file protection techniques
 
Protection models
Protection modelsProtection models
Protection models
 

Recently uploaded

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Nexer Digital
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Aggregage
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Paige Cruz
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
Alex Pruden
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
Pierluigi Pugliese
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
ThomasParaiso2
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
ControlCase
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems S.M.S.A.
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 

Recently uploaded (20)

Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
Generative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionGenerative AI Deep Dive: Advancing from Proof of Concept to Production
Generative AI Deep Dive: Advancing from Proof of Concept to Production
 
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdfObservability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
Observability Concepts EVERY Developer Should Know -- DeveloperWeek Europe.pdf
 
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofszkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex Proofs
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...GridMate - End to end testing is a critical piece to ensure quality and avoid...
GridMate - End to end testing is a critical piece to ensure quality and avoid...
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Uni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdfUni Systems Copilot event_05062024_C.Vlachos.pdf
Uni Systems Copilot event_05062024_C.Vlachos.pdf
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 

Web application security part 02

  • 2. List of Topics • Authenticating Users • The SSL Protocol • The lock icon • User Interface Attacks • Pretty Good Privacy
  • 4. Authenticating Users • Authenticating user is a process to check genuineness of the user • User Authentication can be done in following ways 1. Cookie Based Authentication 2. Token Based Authentication
  • 5. Cookie Based Authentication • Cookie based authentication is considered as stateful authentication method (Server based authentication). • In here, it is needed to store authentication records in client side and server side both. • Server basically keeps and maintains active session details in the data storage and front end cookie will be created to hold session identifier. • The main disadvantage of using this authentication method is, server has to store all the session data for each and every user and increases the overhead in the server.
  • 6. Flow of Cookie Based Authentication 1. Enter login credentials 2. Server verifies given credentials, creates a session and stores in database. 3. Cookie + Session ID will be kept in client side(User browser) 4. For consequent requests, session ID will be verified against database. 5. Session will be destroyed from client and server side once the use logs out.
  • 7. Token Based Authentication • This is the mostly used authentication methods which is suitable for single page applications, web APIs and for IOT development • Token based authentication is defined as stateless and server does not keep records about the user logged in. But the token will be generated using credentials provided. • The main advantage of token based authentication is client side and server side is decoupled for the authentication mechanism which can provide an uninterrupted workflow. • No session information stored means simply your application can scale and add more machines as necessary without worrying about where the user logged in
  • 8. Flow of Token Based Authentication 1. User provides credentials 2. Server verifies credentials and returns a signed token. 3. Token is stored in client side 4. Subsequent requests to the server will be sent with the token as authentication header (HTTP header). 5. Server verifies the token (JSON web token) and return required data. 6. Token is destroyed in client, once the user logs out.
  • 10. What is SSL? • SSL (Secure Sockets Layer) is a standard security protocol for establishing encrypted links between a web server and a browser in an online communication. • The usage of SSL technology ensures that all data transmitted between the web server and browser remains encrypted.
  • 11. What is SSL Certificate? • SSL or TLS (Transport Layer Security) certificates are data files that bind a cryptographic key to the details of an organization. • When SSL/TLS certificate is installed on a web server, it enables a secure connection between the web server and the browser that connects to it. • The website's URL is prefixed with "https" instead of "http" and a padlock is shown on the address bar. If the website uses an extended validation (EV) certificate, then the browser may also show a green address bar.
  • 12. What is SSL used for? • The SSL protocol is used by millions of online business to protect their customers, ensuring their online transactions remain confidential. • A web page should use encryption when it expects users to submit confidential data, including personal information, passwords, or credit card details. • All web browsers have the ability to interact with secured sites so long as the site's certificate is issued by a trusted CA.
  • 13. How SSL Works? 1. An end-user asks their browser to make a secure connection to a website 2. The browser obtains the IP address of the site from a DNS server then requests a secure connection to the website. 3. To initiate this secure connection, the browser requests that the server identifies itself by sending a copy of its SSL certificate to the browser.
  • 14. How SSL Works? 4. The browser checks the certificate to ensure: 1. That it is signed by a trusted CA 2. That it is valid - that it has not expired or been revoked 3. That it confirms to required security standards on key lengths and other items. 4. That the domain listed on the certificate matches the domain that was requested by the user. 5. When the browser confirms that the website can be trusted, it creates a symmetric session key which it encrypts with the public key in the website's certificate. The session key is then sent to the web server.
  • 15. How SSL Works? 6. The web server uses its private key to decrypt the symmetric session key. 7. The server sends back an acknowledgement that is encrypted with the session key. 8. From now on, all data transmitted between the server and the browser is encrypted and secure.
  • 16. Padlock Icon in browsers
  • 17. Padlock Icon in browsers • As part of its security features, web browsers uses a special set of symbols that alerts users to a website's validity. • Shown in the left corner of the address bar, these icons provide vital information about a site's certificates and connections.
  • 18. Decoding the Padlock Icons on Google Chrome • The different padlocks and icons shown next to the URL bar on Google Chrome let you know whether a site uses TLS or SSL certificates. • These certificates allow you to distinguish between a valid site and an invalid one. • Padlock types include Green Lock Icon, Yellow exclamation Point, Blank Page Icon, Lock icon with Yellow Triangle and Red Padlock Icon
  • 19. Padlock Icons Green Padlock Icon • The green padlock indicates that a webpage connection is secure. This means that a website's identity has been verified by a trusted third-party authority and that it has a valid certificate for the URL that you're trying to reach. • Site certificates are produced by any website that requires some sort of authentication (such as a username and password) to access a page's full services. An easy way to tell if a site is secure is to check its URL — encrypted sites (those that use SSL) will usually begin with https, while non-encrypted sites use an http URL.
  • 20. Padlock Icons Yellow Exclamation Point • A yellow exclamation mark indicates that the website has not provided the browser with a certificate. This is normal for regular HTTP sites, as certificates are only usually provided if the site uses SSL. Blank Page Icon • Any "normal" http websites, will be shown with a blank page icon displayed before it. These pages can be accessed without prior authentication.
  • 21. Padlock Icons Lock Icon with Yellow Triangle • A lock icon with a yellow triangle indicates that Chrome can see a site's certificate but that the site has weak security. In this case, we recommended that you proceed with caution, as your connection may not be private. Red Padlock Icon • If you see a red padlock with an x next to a URL, this is an indication of problems with a site's certificate. Exercise extreme caution when proceeding onto the site — refrain from entering any personal data or sensitive information. It is likely that somebody is trying to impersonate the requested website in order to capture your information.
  • 22. Certificate of a Web Page • If a web site has a valid certificate, it means that a certificate authority has taken steps to verify that the web address actually belongs to that organization. When you type a URL or follow a link to a secure web site, your browser will check the certificate for the following characteristics: 1. the web site address matches the address on the certificate 2. the certificate is signed by a certificate authority that the browser recognizes as a "trusted" authority
  • 23. How to check a Certificate • A secure way to find information about the certificate is to look for the certificate feature in the menu options. This information may be under the file properties or the security option within the page information. 1. who issued the certificate - You should make sure that the issuer is a legitimate, trusted certificate authority (you may see names like VeriSign, thawte, or Entrust). 2. who the certificate is issued to - The certificate should be issued to the organization who owns the web site. Do not trust the certificate if the name on the certificate does not match the name of the organization or person you expect. 3. expiration date - Most certificates are issued for one or two years. One exception is the certificate for the certificate authority itself, which, because of the amount of involvement necessary to distribute the information to all of the organizations who hold its certificates, may be ten years.
  • 25. User Interface Attacks • In systems where multiple applications or websites share the same display, the user can be tricked to interact with false UI elements. • For example, a malicious website may be able to draw an overlay over a button that causes the user click the button unintentionally. • Such attacks are called clickjacking or UI redressing.
  • 26. How Clickjacking Works • Clickjacking is possible because seemingly harmless features of HTML web pages can be employed to perform unexpected actions. • A clickjacked page tricks a user into performing undesired actions by clicking on a concealed link. • On a clickjacked page, the attackers load another page over it in a transparent layer.
  • 27. How Clickjacking Works • The users think that they are clicking visible buttons, while they are actually performing actions on the invisible page. • The hidden page may be an authentic page. • Therefore, the attackers can trick users into performing actions which the users never intended.
  • 28. Cursorjacking • Cursorjacking is a variant of Clickjacking Attack. • Cursorjacking is a UI redressing technique to change the cursor from the location the user perceives, discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr • Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario Heiderich by hiding the cursor. • Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox (fixed in Firefox 30.0) which can lead to arbitrary code execution and webcam spying. • A second CursorJacking vulnerability was again discovered by Jordi Chancel in Mozilla Firefox on Mac OS X systems (fixed in Firefox 37.0) using once again Flash, HTML and JavaScript code which can lead also to the spying of the webcam and the execution of a malicious addon allowing the execution of a malware on the computer of the trapped user.
  • 29. Password Manager Attack • A 2014 paper from researcher at the Carnegie Mellon University discooovered this attack. • He found that while browsers refuse to autofill if the protocol on the current login page is different from the protocol at the time the password was saved, some password managers would insecurely fill in passwords for the http version of https-saved passwords. • Most managers did not protect against iFrame- and redirection-based attacks and exposed additional passwords where password synchronization had been used between multiple devices.
  • 31. Pretty Good Privacy (PGP) • PGP is an open source, freely available software package for E-mail security • PGP has grown very quickly and now is widely used. Reasons for it’s growth are: 1. It is freely available worldwide in versions that run on variety of platforms. In addition commercial versions provides vendor support. 2. The package includes RSA, DSS, and Diffie-Hellman for public- key encryption, CAST-128, IDEA, and 3DES for symmetric encryption, and SHA-1 for hash coding.
  • 32. Operational Description of PGP • Authentication • Confidentiality • Compression • E-Mail Compatibility • Segmentation
  • 33. Authentication • This is achieved through Digital Signature Service provided by PGP 1. The sender creates a message 2. SHA-1 is used to generate 160 bit hash code of the message 3. The hash code is encrypted with RSA using the sender’s private key, and the result is prepended to the message. 4. The receiver uses RSA with the sender’s public key to decrypt and recover the hash code. 5. The receiver generates a new hash code for the message and compares it with the decrypted hash code. If the two match, the message is accepted as authentic.
  • 34. Confidentiality • PGP another service is confidentiality, which is encrypting messages for transmitting or to store files locally. • In both cases, the symmetric encryption algorithm CAST-128 may be used. Alternatively, IDEA or 3DES may be used. And the 64-bit cipher feedback (CFB) mode is used. • In PGP, each symmetric key is used only once. The session key is bound to the message. To protect the key, it is encrypted with the receiver’s public key.
  • 35. Confidentiality 1. The sender generates a message and a random 128-bit number to be used as a session key for this message only. 2. The message is encrypted using CAST-128 (or IDEA or 3DES) with the session key. 3. The session key is encrypted with RSA using the recipient’s public key and is prepended to the message. 4. The receiver uses RSA with its private key to decrypt and recover the session key. 5. The session key is used to decrypt the message.
  • 36. Compression • PGP compresses the message after applying the signature but before encryption. This has the benefit of saving space both for e-mail transmission and for file storage. • The signature is generated before compression for two reasons: 1. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. 2. If you generate signature after compression then there is a need recompression for message verification, PGP’s compression algorithm presents a difficulty.
  • 37. Compression • Message encryption is applied after compression to strengthen cryptographic security. Therefore cryptanalysis is more difficult. • The compression algorithm used here is ZIP Algorithm
  • 38. E-Mail Compatibility • The resulting message block consists of a stream of arbitrary 8-bit octets. • However, many electronic mail systems only permit the use of blocks consisting of ASCII text. • To accommodate this restriction, PGP provides the service of converting the raw 8-bit binary stream to a stream of printable ASCII characters • The scheme used for this purpose is radix-64 conversion. Each group of three octets of binary data is mapped into four ASCII characters. This format also appends a CRC to detect transmission errors.
  • 39. E-Mail Compatibility • The use of radix 64 expands a message by 33%. Fortunately, the session key and signature portions of the message are relatively compact, and the plaintext message has been compressed. • In fact, the compression should be more than enough to compensate for the radix-64 expansion
  • 40. Segmentation and Reassembly • E-mail facilities often are restricted to a maximum length. To accommodate this, PGP automatically subdivides a messsage that is too large into segments that are small enough to send via e-mail. • The segmentation is done after all of the other processing, including the radix-64 conversion.
  • 41. Summary of PGP Services Function Algorithm Used Description Digital Signature DSS/SHA or RSA/SHA A hash code of message is created using SHA-1. this message digest is encrypted using DSS or SHA using the senders private key and is included with the message Message Encryption CAST or IDEA or Three Key Triple DES with Diffie Hellman or RSA A message is encrypted using CAST-128 or IDEA or 3DES with a one time session key generated by the sender. The session Key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message. Compression ZIP A message may be compressed for storage or transmission using ZIP E-Mail Compatibility Radix-64 Conversion To provide transparency for e-mail applications, an encrypted message may be converted to an asci string using radix-64 conversion