Web Technologies (12/12): Web Application Security

Dr.SabinBuragaprofs.info.uaic.ro/~busaco/
Web Technologies
Web application security
☣a general presentation

“Experience is that marvelous thing
that enables you to recognize a mistake
when you make it again.”
F.P. Jones

What is data security?

data security
Security is the process of maintaining
an acceptable perceptible risk level

data security
Security is the process of maintaining
an acceptable perceptible risk level
“Security is a process, not an end state.”
Mitch Kabay

data security
Web application security risks
OWASP – Open Web Application Security Project
www.owasp.org
cracker

data security
Confidentiality
Authentication
Authorization
Integrity
Non-repudiation
Privacy
Availability

data security
Confidentiality
impossibility of a third entity to access data
transmitted between two receivers

data security
Confidentiality
solution:
private connections between the two end-points
of the communication channel
data is transferred through a tunnel provided by
a VPN – Virtual Private Network

data security
Confidentiality
HTTPS (HyperText Transfer Protocol Secure)
goal: bidirectional encryption + “safe” authentication,
preventing the man-in-the-middle attacks and data
interception/modification (eavesdropping, tampering)
RFC 7230

data security
Confidentiality
HTTPS (HyperText Transfer Protocol Secure)
HTTP over TLS (Transport Layer Security)
URLs are using the https schema – standard port: 443
use case: HTTPS on Stack Overflow (2017)
https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/

data security
Confidentiality
solution:
data encryption via various approaches (algorithms)
a practical introduction at www.crypto101.io
general specification: Web Cryptography API
(W3C Recommendation, 2017)
www.w3.org/TR/WebCryptoAPI/

data security
Examples of cryptographic solutions – specialized libraries
and/or provided by Web development environments :
OpenSSL (C library; many ports)
Java Cryptography Architecture
Forge (JavaScript) – github.com/digitalbazaar/forge
System.Security.Cryptography (.NET Framework)
crypto (Node.js) – www.npmjs.com/package/crypto-js
Mcrypt, phpseclib, Zend Framework Encryption (PHP)
Cryptography Toolkit (Python) – www.pycrypto.org/
more at github.com/sobolevn/awesome-cryptography

data security
Confidentiality
attention: exploiting the vulnerabilities of libraries
example (2014): heartbleed
major weakness of the open-source library OpenSSL
http://heartbleed.com/
example (2015): FREAK
was based on the TLS browser vulnerabilities
https://freakattack.com/
advanced

data security
Authentication
a mechanism that allows users to access
a service after checking the user identity
– usually, by name + password

data security
Authentication
solution:
the Web server provides support for basic authentication
or authentication based on digest (hash) algorithms
– e.g., SHA-2 (SHA-256, SHA-512, etc.), SHA-3
http://csrc.nist.gov/groups/ST/hash/

data security
Authentication
examples:
mod_auth_basic, mod_auth_digest, mod_authn_dbd,…
(Apache modules)
http://httpd.apache.org/docs/howto/auth.html
ngx_http_auth_basic_module, ngx_http_auth_request_module
(Nginx modules)
for other solutions, visit http://wiki.nginx.org/Modules
advanced

data security
Authentication
solution:
using/implementing authentication services
for example, OpenID Connect
for end-users (humans), use multi-factor authentication
– e.g., Two Factor Auth (2FA): twofactorauth.org
advanced
see one of
previous lectures

data security
Authorization
specifies the actions (roles) that a user or user
application can accomplish in a specific context

data security
Authorization
specifies the actions (roles) that a user or user
application can accomplish in a specific context
associated with authentication
allows defining the policies to control
the access to services (functionalities)

data security
Authorization
solution:
access rights (permissions)
+
ACLs – Access Control Lists
context: authorizing access to the available data
provided by a Web application – e.g., via OAuth
RFC 6819 – https://tools.ietf.org/html/rfc6819

data security
Authorization
solution:
RBAC – Role-Based Access Control
example:
a regular user as an administrator in a specific context

data security
Integrity
in this context, involves detecting the attempts
to modify – in an unauthorized manner –
the transmitted data (data tampering)

data security
Integrity
solutions:
digest algorithms
digital signatures
(stored, possibly, in XML documents – XML Signature)
could be transported also via SOAP messages

data security
Non-repudiation
ensures that the sender of a message
can not say that (s)he has not sent it

data security
Non-repudiation
solution:
digital certificates
store data regarding the identity of an entity
holding a secret:
password, credit card number, digital certificate, …

data security
PKI (Public Key Infrastructure)
a suite of hardware, software, human resources +
policies & procedures for digital certificate management
(creation, distribution, use, storage, revocation)

securitatea datelor
certificate
authority
validation
authority
registration
authority
PKI allows users to communicate “securely” on an insecure
public network, including checking the user identity
by using digital certificates issued by an authority
advanced
www.herongyang.com/PKI/

data security
Web of trust – WOT
(Phil Zimmermann, 1992)
alternative to PKI
adopts PGP (Pretty Good Privacy)

securitatea datelor
an implementation regarding the Website reputation
based on users’ opinions: www.mywot.com

data security
Availability
the need for a particular resource
to be accessed at the right time

data security
Availability
the need for a particular resource
to be accessed at the right time
aspect of interest: service quality
stipulated via SLA (Service-Level Agreement)
uptime, average speed to answer, turn-around time,
abandonment rate, mean time to recover,…
advanced

`
securitatea datelor
advanced
the availability of specific Web services

data security
Availability
causes of unavailability:
DoS (Denial of Service) attacks
DDoS (Distributed DoS) attacks
poor implementation

data security
Privacy
refers to the rights to be respected regarding
the character (the subject) of the transferred data
http://privacy.org/
often considered similar to confidentiality
Bruce Schneier, Security and Privacy in a Hyper-connected
World (2016) – www.youtube.com/watch?v=cJMG34UzIyk

data security
Privacy
breaches:
inadequate data storage on server – information disclosure
XSS (Cross-Site Scripting) attacks
phishing attacks – www.honeynet.org/papers/phishing/
inappropriate system configuration

data security
Web security should consider:
client
user interaction
personal data storage: cookies, off-line data, cache,…
asynchronous transfers – Ajax/Comet or WebSockets
(unauthorized) execution of JavaScript programs
existence of suspicious plugins/extensions
…

data security
data in transit
wired/wireless network security
safe message exchange between various entities
data non-repudiation
…

data security
server
Web server(s) security
application, framework, library,… security
availability of provided services

data security
client
data in transit
server
Attacks can target any of these 3 aspects!

data security
Vulnerabilities
weaknesses of a hardware/software system
allowing unauthorized users to access it
may also occur due to poor administration

data security
Vulnerabilities
no system is 100% secure

Aspects regarding a security attack?

attacks
Environment assessment
identifying the public ports/services
discovering the applications’ types + versions
generating errors + examining obtained messages
finding sensitive information:
source-code, comments, hidden fields of Web forms,…

inspecting the technologies used
by a Web application: BuiltWith

attacks
Determining the target of the attack
authentication mechanism (login)
Web form fields
session management
infrastructure – data storage servers,
additional services (e.g., proxy),…

attacks
HTTP-level
analyzing data packets (network sniffing):
works for unencrypted HTTP data streams
a prevention solution: HTTPS

attacks
HTTP-level
session hijacking:
attacker determines the user SID and
uses it for his/her own purpose
example: analyzing the Referer header field
Referer: https://www.ebank.info/view/account?id=98151
&jsessid=BAC13606AC22B81E5137F45F95EE7573
details: www.geeksforgeeks.org/session-hijacking/

attacks
HTTP-level
session hijacking:
attacker determines the user SID and
uses it for his/her own purpose
classic prevention solutions:
removing the SID from URL
storing the SID in User-Agent field
using a variable SID

attacks
HTTP-level
using the HTTP status code to expose data
details in Mike Cardwell, Abusing HTTP Status Codes
to Expose Private Information (2011)
www.grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information

attacks
Server Side Request Forgery (SSRF)
abusing the Web server functionality
to access or alter internal resources
by using a URL, the attacker could alter parameters used
by an application in order to create malicious requests
modus operandi + counteraction solutions:
www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/

attacks
SQL injection
involves the writing of SQL queries that allow displaying,
altering, deleting data from databases via Web forms or
directly using URLs
for details, consult Testing for SQL Injection:
www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29
real cases: https://laurent22.github.io/so-injections/

attacks
SQL injection – example:
select * from customers where name=$name and pass=$pass
with $name from a Web form having as value '' or 1=1 --

attacks
http://e-banking.org/access_client.php?client=3
in script: select credit_card from clients where client=$client

attacks
http://e-banking.org/access_client.php?client=3
in script: select credit_card from clients where client=$client
what happens if the URL is
http://www.sit.org/access_client.php?client=client ?
or if, instead of select, the delete command is used?

attacks
SQL injection
variations:
creating incorrect SQL statements
to have access to “interesting” error messages

attacks
http://www.site.org/search?id=1+OR+xy=1
we can obtain a message like:
[Microsoft][ODBC SQL Server Driver] [SQL Server] Invalid column name 'xy'.
SELECT group_id, securityName, maxSalesCharge, price,
security_id, trade_date FROM funds
WHERE group_id = 1 OR xy=1 ORDER BY price DESC

attacks
http://www.site.org/search?id=1+OR+xy=1
we can obtain a message like:
[Microsoft][ODBC SQL Server Driver] [SQL Server] Invalid column name 'xy'.
SELECT group_id, securityName, maxSalesCharge, price,
security_id, trade_date FROM funds
WHERE group_id = 1 OR xy=1 ORDER BY price DESC
the attacker could continue – for example – with:
http://www.site.org/search?id=1;DELETE+FROM+funds+--

attacks
SQL injection
prevention solutions:
neutralizing SQL meta-characters, prepared statements,
using ORM (Object-Relational Mapping) frameworks,
stored procedures,…
$sql = "select * from users
where user = '" . $user . "'";
$result = $db.query
("select * from users
where user = ?", $user);
correctwrong

attacks
SQL injection
solutions for vulnerability testing (penetration tools):
sqlmap – sqlmap.org
SQL Ninja – sqlninja.sourceforge.net
SQL Power Injector – www.sqlpowerinjector.com
details at www.owasp.org/index.php/Blind_SQL_Injection
advanced

attacks
NoSQL injection
exploiting the programming language exposed by
NoSQL server, including the weaknesses of the provided
API and/or the data transfer format (JSON, XML)
example: Hacking Node.js and MongoDB (2014)
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
for details, read
www.owasp.org/index.php/Testing_for_NoSQL_injection
advanced

attacks
Shell command injection
running external commands via CGI scripts or
from Web application servers (PHP, Python, Ruby)
prevention solution:
forbidding the use of system (), exec (), etc. functions

attacks
SQL injection + command injection
using SQL to execute shell commands
from the database server
example:
SELECT * FROM users WHERE name = 'tuxy' AND
pass = ' '; xp_cmdshell 'taskkill /F /IM sqlservr.exe' --'

attacks
XPath injection
using XPath expressions to have access to data from
a XML document or to perform various actions
via XPath functions
has consequences also on malign XSLT transformations
 for example, causing DoS
details at www.agarri.fr/blog/

attacks
Path traversal
ability to access unauthorized filesystems
– e.g., outside the directories
where the Web application resides
example:
http://e-photos.info/listphotos.jsp?dir=../../

attacks
Path traversal
ability to access unauthorized filesystems
– e.g., outside the directories
where the Web application resides
example in the XML context (XXE – XML External Entity):
http://cwe.mitre.org/data/definitions/611.html
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///tmp/sessions/..."> ]>
advanced

attacks
Real example – attack on PostgreSQL
connecting with low privileges
getting global/pg_auth by using XXE
overwriting this file via XSLT
re-connecting with admin privileges
restoring global/pg_auth with XSLT
launching postgres_payload.rb – resource provided by
the Metasploit project: www.metasploit.com
advanced

attacks
Poisonous null-byte attack
using NULL character to place scripts on server
which can then be executed
example:
an “image” upload – img.php%00.jpg
“Thank you! See your picture at img.php”

attacks
Cross-Site Scripting (XSS)
allows “injection” into the system of JavaScript
programs, in order to be directly executed
in the browser
works especially on interactive Web sites
(e.g., forums, blogs, wikis)

attacks
Stored XSS
the attacker injects a JS script (also, called payload)
which is permanently stored in the target application
e.g., into the database of the Web application
usually, a CMS (Content Management System)
advanced

attacks
Reflected XSS
the payload script is transmitted by the attacker’s Web
server as a part of a HTTP response message
(malicious script is remotely delivered to each victim)
the user is persuaded to visit a special URL via social
engineering techniques (e-mail, social networks,…)
advanced

attacks
DOM-based XSS
the payload is stored – after an illegal manipulation of
the JS code – into the DOM tree available on browser
details in the Ferruh Mavituna’s article (2017)
www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
advanced

attacks
XSS – typical examples:
<img src="javascript:code" />
redirecting the user to the other URL,
getting cookies or blocking the browser
including malicious code (malware)
to be executed by the Web browser
via elements like <embed>, <img> or <object>

attacks
XSS – other malevolent actions:
<script type="text/javascript">
setInterval (function () {
var w = window.open ();
w.document.write (document.documentElement.outerHTML ||
document.documentElement.innerHTML);
}, 33);
</script> recursive window
creation via DOM
(à la fork bomb)
advanced

attacks
XSS – other malevolent actions:
placing malware program inside Web applications
– e.g., fake jQuery code
case studies:
https://blog.sucuri.net/category/website-malware-infections/
advanced

attacks
XSS
provides the premises for circumventing the policy
on interaction between client-level scripts and resources
from the same Internet domain: Same Origin Policy
usually, a program belonging to site.org can not obtain
data from a Web page belonging to the othersite.org domain
advanced

attacks
A real example:
exploiting a XSS vulnerability in the HTML filter of
MySpace, when a user viewed Tuxy’s profile, the JavaScript
code automatically made him/her a friend of Tuxy + used
Ajax to insert the malevolent script to the current profile
social network worm (2005)
http://samy.pl/popular/tech.html
after 20 hours, 1005831 requestsMySpace “crushed”

attacks
Other genuine examples:
XSS weakness detected in GMail for iOS
(Roy Castillo, 2013)
http://goo.gl/agbZz3
XSS vulnerability of the Tumblr application
(Andrew Lang, 2016)
blog.andrewlang.net/post/152805939304/tumblr-xss-exploit

attacks
Cross-Site Request Forgery (CSRF)
forces the authenticated user into an application
to perform unwanted actions – e.g., data corruption
real cases:
getting the list of contacts
for an authenticated GMail user (2005)
changing postal address + renting films by the persons
having Netflix accounts (2006)

attacks
Cross-Site Request Forgery (CSRF)
can also lead to the identify theft (phishing)
or to the injection of malware code on the client
www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
a solution to mitigate the risk of CSRF attacks:
CSRFGuard library
https://github.com/aramrami/OWASP-CSRFGuard

attacks
Cross Site History Manipulation (CSHM)
security breach eluding Same Origin Policy,
which allows the navigation history to be manipulated by
a malicious program – e.g., detecting user authentication
status on a site, user tracking, accessing parameters
associated to a URL,…
http://tinyurl.com/qyurynm

attacks
Other phishing Web attacks
using JavaScript code to modify the content presented
to the user by the Web browser or
to manipulate the user to visit hidden links
jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
clickjacking

attacks
using JavaScfript code to generate in a browser tab
a replica of a log-in form regarding an application
– e.g., Facebook, GMail
www.azarask.in/blog/post/a-new-type-of-phishing-attack/
tabnabbing

attacks
adopting social engineering techniques
“any act that influences a person to take an action
that may or may not be in their best interest”
manipulating the user – e.g., theft of passwords –
by using intimidation, blackmail, authority, flattery,
person substitution, vanity, etc.
www.social-engineer.org

attacks
A real example:
Email spam campaign impersonating Google Docs
(May 2017)
reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/

attacks
Prevention solutions:
forbidding the use of HTML markups
HTML escaping via a specialized library
markup filtering
separating data presentation from actual processing
etc.
www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet

attacks
Problems caused by URI/IRIs
misleading the user about the Internet domain
of a Website
example: http://www.reddit.com@63.241.3.69/
+
wrong encoding of hex codes
certain Web servers’ vulnerabilities

attacks
Problems caused by URI/IRIs
using Unicode characters
problems with decoding URLs considered “safe”
sites adopting IDN – International Domain Names
homography-based attacks
details at www.unicode.org/reports/tr36/
example: www.xudongz.com/blog/2017/idn-phishing/

attacks
Problems regarding the use of passwords
most authentication processes use passwords

attacks
the more user needs to memorize multiple passwords,
the more the password-based authentication system
is prone to security breaches:
choosing weak passwords, used for a long time
sharing passwords in groups of friends/colleagues
writing down passwords on the paper – eventually at sight
using the same password for multiple Web applications

attacks
attack example:
using a dictionary or brute-force on Twitter
discovering the “happiness” as password
associated to an admin account
https://blog.codinghorror.com/dictionary-attacks-101/
typical prevention solution:
admin accounts separated from regular accounts

attacks
Web trojans
seemingly useful Web sites/applications
accidentally visited by users
– for example, through automatic redirection
additionally, XSS/CSRF or social engineering techniques
could be adopted

attacks
Web trojans
examples: fake antiviruses, online purchases of
pharmaceuticals, modified Web search software
large-scale abusive advertising
+
e-payment extortions (credit card or Bitcoin)
http://cseweb.ucsd.edu/~savage/papers/CCS12Priceless.pdf

attacks
Examples:
injecting altered JS libraries inside a CMS
– e.g., Joomla, Wordpress,…
Fake jQuery Scripts in Nulled WordPress Plugins
blog.sucuri.net/2015/05/fake-jquery-scripts-in-nulled-wordpress-pugins.html
jQuery.min.php Malware Affects Thousands of Websites
blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html
injecting fake plug-ins
for example, bbPress for WordPress
blog.sucuri.net/2017/01/fake-bb_press-plugin.html

attacks
Web trojans
prevention solutions:
adopt a ticket system (crumbs)
each action that can be performed by user has associated
a random ticket (number) which will be used only once
advanced

(instead of) break

attacks
Denial of service
exploiting certain application components,
so the functionalities can not be offered to real clients
usually, initiation of a recursive processing
(possibly, through self-reproducing programs)
M. Abliz, Internet Denial of Service Attacks and Defense Mechanisms (2011)
https://people.cs.pitt.edu/~mehmud/docs/abliz11-TR-11-178.pdf

attacks
Denial of service
exploiting certain application components,
so the functionalities can not be offered to real clients
usually, initiation of a recursive processing
(possibly, through self-reproducing programs)
fork bomb – e.g., for Ruby: loop { fork { __FILE__ } }
XML bomb
zip bomb – http://research.swtch.com/zip
advanced

Real example (billions of lols)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1; &lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
…
]>
<lolz>&lol9;</lolz>
B. Sullivan, XML Denial of Service Attacks and Defenses (2009)
msdn.microsoft.com/magazine/ee335713
www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing

attacks
Ransomware
stopping a type of attack on a Web site – e.g., DDoS or
content encryption – only if the owner pays
a “protection fee” (i.e. using Bitcoin)
actual examples:
blog.sucuri.net/2015/12/ddos-extortions-campaigns.html
blog.sucuri.net/2016/01/ransomware-strikes-websites.html

attacks
Ransomware
The OWASP Anti-Ransomware Guide (May 2017):
www.owasp.org/index.php/OWASP_Anti-Ransomware_Guide_Project
detection via traps – honeypots (April 2016):
Using honeypots to spot ransomware infections
www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx
advanced

attacks
Tentatives of accessing allegedly vulnerable resources
or administration sections of a Web site
208.113.197.80 GET /wp-admin/
5.196.16.176 GET /~jromai/romaijournal//images/stories/post.gif
185.22.64.241 GET /~busaco/docs/jdownloads/screenshots/has.php.j?rf
5.196.16.176 POST /index.php?option=com_jce&task=plugin&file=imgmanager&
method=form&cid=20&6bc427c8a7981f4fe1f5ac65c=cf6dd3cf1923c950586
38.87.45.121 GET /~vcosmin/WikiLogica/index.php?title=BuckYoung847
74.220.207.111 GET /wp-admin/admin-ajax.php?action=revslider_ajax_action
74.220.207.111 GET /index.php?gf_page=upload
195.30.97.113 POST //index.php?option=com_jdownloads&Itemid=0&view=upload
5.153.237.232 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
46.102.103.137 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin

attacks
The detection of possible vulnerabilities – due to
incorrect/default settings of Web servers and/or
Web applications – can be accomplished
by using a search engine
see also Google Hack Honeypot project (2007)
ghh.sourceforge.net
other resources of interest at www.honeynet.org
advanced

Examples of actions:
detecting versions of programs having known bugs:
"Apache/2.0.52 server at"
access to .bak files: inurl:index.php.bak
detecting admin pages: "admin login"
default installations: intitle:"welcome to" intitle:internet IIS
locating database systems’ interfaces:
inurl:main.php phpMyAdmin
searching for applications or log files:
inurl:error.log +filetype:log –cvs
getting error messages generated by applications or
database servers: "ASP.NET_SessionId" "data source="
advanced

atacuri
alternative: searching for potentially vulnerable programs
in publicly available source code repositories
GitHub case: code execution detection – e.g., exec($_GET
advanced

prevention
Use case: securing Apache HTTP server
remove non-essential modules
mod_autoindex, mod_dav, mod_info, mod_includes, mod_status,…
restrict default permissions for various directories:
/, /var/www/html (Website root directory),
(public_)html/ user directories
run server as a user having minimal permissions,
by limiting the access to system resources
advanced

prevention
“immunize” important configuration files
run Apache in a chroot jail
see also github.com/ZenProjects/Apache-mod-chroot
prohibit the creation of server “signature”
for the pages generated automatically:
ServerSignature Off and ServerTokens Prod
use mod_ssl module to enable HTTPS connections
advanced

prevention
check/adjust the permissions of public files
limit/disable file uploads
limit the use of .htaccess file for regular users
prohibit the access to users table of MySQL
configure the application servers to not send
error messages to the browser – at PHP: display_errors off
advanced

prevention
run script in “safe” mode
Perl in taint mode, PHP: safe_mode on, allow_url_fopen off
sign code as being “safe” – for Java/.NET
update the sites only with secured methods:
ssh, scp, sftp
for guidelines and good practices, consult
http://httpd.apache.org/docs/2.4/misc/security_tips.html
advanced

prevention
On Web application servers/platforms
various examples:
ASP.NET – https://github.com/aspnet/Security
Node.js – nodesecurity.io
PHP – http://phpsecurity.readthedocs.org/
Python – www.pythonsecurity.org
Ruby on Rails – http://tinyurl.com/pbmzgm8
avansat

Ways of surviving in case of attack?

survival
The system must carry out its mission
even if some components/parts of the system
are affected or disused
fulfilling most important functionalities (mission-critical)
identifying essential services
example:
providing a read-only copy of the content

survival
Important system properties:
resisting to attacks
recognizing the attacks and their effects
adapting to attacks

survival
Resisting to attacks
strategies to reject the attack:
mandatory data validation
user authentication
granting minimum privileges
key-only access to Web services or APIs
…
advanced

survival
Recognizing the attacks and their effects
strategies for restoring data, limiting effects,
maintaining/restoring compromised services
Web farms – possibly, in the cloud
RAID (Redundant Array of Independent Disks)
SAN (Storage Area Network)
backups: full or incremental
…
advanced

survival
Adapting to attacks
strategies to improve the survival chance (rate)
analysis (audit)
learning from mistakes
using the expertise of specialized companies
…
advanced

response to incidents
Aggressive responses – e.g., hack back –
are prohibited
advanced

Aggressive responses – e.g., hack back –
are prohibited
commonly, the SANS (System Administration,
Networking, and Security) methodology is adopted
stages:
preparationidentificationcontainment
eradicationrecoveryfollow-up
www.sans.org/security-resources/
advanced

Forensics
the process of cracker “catching”
investigation of digital evidence
for use in criminal or civil courts of law
http://forensicswiki.org/
advanced

Forensics
usually, is performed after a security incident
involves the analysis of hardware (disks, RAM),
“trash” (information detritus), logs,
configuration files, and others
various software tools:
www.cert.org/digital-intelligence/tools/
resources.infosecinstitute.com/computer-forensics-tools/
advanced

Forensics
the action of “erasing” traces = anti-forensics
several details at
http://forensicswiki.org/wiki/Anti-forensic_techniques
advanced

monitoring & testing
Tests to verify…
capacity of serving clients
robustness
running in extreme situations

To be taken into consideration:
Web browser characteristics (+default settings)
platform(s): hardware, operating system,...
user interface: screen resolution, color depth,…
caching policy (+proxy security)
support for various document types’ rendering
(plugin security)
used programming language(s)
(including application server(s), libraries, etc.)

Specific tests regarding programming:
buffer overflow
example: the length of URIs sent by client
real case:
Apple iTunes for Windows (version < 8.2) allowed
the arbitrary code execution when using itms: URL schema
http://www.securitytracker.com/id/1022313
advanced

parsing issues
processing of URIs, data received from Web forms,
cookies, (X)HTML entities, XML data,
HTTP, XML-RPC, and SOAP requests,
SQL statements, JSON data, etc.
advanced
N. Seriot, Parsing JSON is a Minefield (2016)
http://seriot.ch/parsing_json.php

problems of data conversion
for example, ASCII  Unicode
best practices:
RFC 5137 – https://tools.ietf.org/html/rfc5137
advanced

problems of data rendering
example:
displaying the lastname firstname pair when
lastname="<script>document.location="
firstname="'aURI'</script>"
advanced

problems of escaping
example:
character escaping for cs/b string
cs%2Fb
cs%%252Fb
cs%25%32%46b
advanced

problems of escaping
direct data “injection” via URI or by using the Web
interface or via a file (illegal upload) or using a program
(e.g., remote application administration),...
verify the escaping with dedicated tools
an example: www.htmlescape.net
advanced

Solutions and strategies:
defensive programming
enforcing coding standards
unit testing

Solutions and strategies:
include a system for error prevention, detection,
and reporting + a system for bug tracking
use a version control system
revisit the lecture
about Web engineering

Specific tests concerning the privacy:
user data must be treated as safe and confidential
What data will be available in the client cache?
Cookies/LocalStorage data may contain sensitive data,
potentially exploited by malicious people?
How the cache is invalidated?
avansat

Tests regarding component integration:
the security of an application depends on
the security of the most vulnerable component

Tests regarding component integration:
the security of an application depends on
the security of the most vulnerable component
not verifying the user identity on server,
considering the fact that this verification was already
performed on the browser
real case: www.ifc0nfig.com/dominos-pizza-and-payments/

Tests regarding data obfuscation:
data should not be stored in predictable locations
content itself can lead to security issues
– information disclosure
e.g., Webcam access – context: IoT (Internet Of Things)
www.ifc0nfig.com/a-close-look-at-the-philips-in-sight-ip-camera-range/
advanced

Breaches regarding information disclosure:
accessing hidden fields of the Web forms
and/or
comments from HTML, CSS, JavaScript source-code
advanced

inspecting the robots.txt file
scanning configuration files or
temporary directories – e.g., traffic reports
User-agent: *
Disallow: /plenum/data/5510903.doc
Disallow: organization/193959.pdf
Disallow: /en/community/thread/12819
…
details at http://thiébaud.fr/robots.txt.html
advanced

error messages emitted by Web applications
files having incorrect extensions
access to source-code of script available on server
visualizing the content of server directories
scanning network traffic
(URIs, asynchronously transmitted XML/JSON data,…)
advanced

unwanted access to the data regarding the occurred errors
+ the source-code of a Web application
(in this case, Node.js using the Express framework)
advanced

Specific tests regarding the deployment:
a suitable preparation for application deployment
detecting flow problems
properly handling the 4xx and 5xx HTTP status codes,
the access to authenticated resources
(e.g., getting data without user authentication),
the abnormal script execution, etc.
advanced

Specific tests regarding the deployment:
testing the interaction with the Web application
programs simulating virtual visitors
experiment Selenium – www.seleniumhq.org
performing load testing
scenarios and result interpretation
advanced

Stressing tools could reveal information about…
performance
e.g., response time, content generation time, etc.
details at “Client-Side Web Application Development”
https://profs.info.uaic.ro/~busaco/teach/courses/cliw/
advanced

scalability
memory usage, disk usage, number of connections
regarding other services, behavior, etc.
advanced

correctness
reports on the (flawed) operation of some components
e.g., by using the log files
advanced

security issues
advanced

tools (examples)
AppScan, skipfish, w3af, WebInspect
vulnerability scanners
Burp, Paros, WebScarab
Web testing suites
native tools for developers
provided by Web browsers + specific extensions
also, consult http://sectools.org/tag/web-scanners/
advanced

to remember
Web application security:
must take into consideration
the whole architecture, functionality,
source-code, and content

to remember
Web application security:
does not target the vulnerabilities
of operating system or auxiliary programs

to remember
The vulnerabilities of a Web application
are not necessarily “famous” and
can often be independent of the security
of the system on which the site is deployed
a list of Internet vulnerabilities, including the Web ones:
www.cve.mitre.org/data/downloads/

OWASP Top 10 Most Critical Web Application Security
Risks (2017 – Release Candidate, April 2017)
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

advanced
risk factors associated to most important vulnerabilities

OWASP Top 10 Mobile Risks – 2016
Improper Platform Usage
Insecure Data Storage
Insecure Communication
Insecure Authentication
Insufficient Cryptography
Insecure Authorization
Client Code Quality
Code Tampering
Reverse Engineering
Extraneous Functionality
www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
advanced

to remember
Web application security principles
service separation
different systems for Web server, application server,
storage (database) server, etc.

to remember
limit privileges
regarding file systems and databases,
permissions for users
running specific applications – e.g., Apache, Tomcat,…

to remember
hide secrets – e.g., passwords, SIDs,…
use standard libraries
maintain + study the log files
perform tests and adjustments (Web tunning)
updated!

de reținutRules/good practices (Sverre Huseby, 2004):
Do not underestimate the power of the dark side
Use POST requests when actions have side effects
In a server-side context,
there is no such thing as client-side security
Always generate a new session ID once the user logs in
Never pass detailed error messages to the client
Identify every possible meta-character to a subsystem
When possible, pass data separate from control information
Do not blindly trust the API documentation
Identify all sources of input to the application
When filtering data, use white-listing rather than black-listing
advanced

de reținutRules/good practices (Sverre Huseby, 2004):
Create application-level logs
Never use client-side scripts for security
Pass as little internal state information as possible to the client
Don’t assume that requests will come in a certain order
Filter all data before including them in a Web page,
no matter what the origin
Stick to existing cryptographic algorithms, do not create your own
Never store clear-text passwords
Assume that server-side code is available to attackers
Security is not a product; it is a process
advanced

to remember
Security risks are not a concern only for the owner
of the Web site/application, but also for end-user

to remember
Security risks are not a concern only for the owner
of the Web site/application, but also for end-user
typical actions:
spying on user (user tracking)
inserting unwanted messages (ad injection malware)
events + resourses:
www.ieee-security.org  www.w3.org/Security/
http://googleonlinesecurity.blogspot.com/
advanced

to remember
Discomforts caused by an insecure Web site/app:
financial – loss of money/information
performance – e.g., blocking/slowing down actions
psychological – dissatisfactioninfluence on UX
social – e.g., work incapacity, lack of communication,…
time – cumbersome browsing, redirecting, etc.

“conclusion”
Web application security
☣context, attacks, vulnerabilities, prevention,
rules of good practice, case studies

Good
luck!

Web Technologies (12/12): Web Application Security

Recommended

Recommended

More Related Content

What's hot

What's hot (8)

Similar to Web Technologies (12/12): Web Application Security

Similar to Web Technologies (12/12): Web Application Security (20)

More from Sabin Buraga

More from Sabin Buraga (20)

Recently uploaded

Recently uploaded (20)

Web Technologies (12/12): Web Application Security