
Web Application Security

Example Web Application (diagram)

A web client (IE, Mozilla, etc.) on the Internet sends an HTTP request over cleartext or SSL transport and receives an HTTP reply (HTML, JavaScript, VBScript, etc.). In the DMZ a web server (Apache, IIS, Netscape, etc.) hosts the web apps and, optionally, hands requests over AJP, IIOP, T9, etc. to an app server on the internal network (servlet engine, J2EE server, ColdFusion, Oracle). The web apps (Perl, C++, CGI, Java, ASP, PHP, etc.) reach databases (Oracle, SQL Server) on the protected network through ADO, ODBC, JDBC, etc.

Basic Web Technology

URLs

Global identifiers of network-retrievable documents.

Example: http://stanford.edu:81/class?name=cs155#homework

Protocol: http
Hostname: stanford.edu
Port: 81
Path: /class
Query: name=cs155
Fragment: homework

Special characters are encoded as hex:
%0A = newline
%20 = space

HTTP Request

Request line: method, file, HTTP version. Then the headers, a blank line, then the data (none for GET).

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Connection: Keep-Alive
Host: www.example.com

HTTP Response

Status line: HTTP version, status code, reason phrase. Then the headers, a blank line, then the data.

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

SECURE SOCKETS LAYER (SSL)

Client & server authentication
Data integrity
SSL handshake

Mixed Content: HTTP and HTTPS

Page loads over HTTPS, but contains content over HTTP.

IE: displays a mixed-content dialog to the user.
Firefox: displays a red slash over the lock icon (no dialog).
Flash files over HTTP are loaded with no warning (!)
Note: Flash can script the embedding page.
Flash files over HTTP do not trigger the slash.
Safari: does not attempt to detect mixed content.

Mixed Content: HTTP and HTTPS

(screenshots of the browsers' mixed-content warnings: "silly dialogs")

Mixed content and network attacks

After login, all content is served over HTTPS.

Developer error: somewhere on the bank site, write

<script src=http://www.site.com/script.js> </script>

An active network attacker can now hijack any session.

Better way to include content:

<script src=//www.site.com/script.js> </script>

A protocol-relative URL is served over the same protocol as the embedding page.
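The developer error above can be caught in a build step. The following is an added example, not code from the slides: it walks an HTML page assumed to be served over HTTPS and reports every sub-resource whose URL explicitly names the http: scheme, so the slide's two script includes are the constructed test input (the tag and attribute list is an assumption of this example).

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Which attribute of which tag pulls in a sub-resource (assumed list).
SOURCE_ATTRS = {
    "script": ("src",), "iframe": ("src",), "img": ("src",),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}


class MixedContentFinder(HTMLParser):
    """Collect (tag, url) pairs whose URL scheme is explicitly http:."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for wanted in SOURCE_ATTRS.get(tag, ()):
            for name, value in attrs:
                if name != wanted or not value:
                    continue
                url = value.strip()
                # Scheme-less ("//host/x", "/x") and https: URLs inherit or
                # keep HTTPS; only an explicit http: scheme is mixed content.
                if urlsplit(url).scheme.lower() == "http":
                    self.findings.append((tag, url))


def find_mixed_content(html: str) -> list:
    """Return the mixed-content findings for a page served over HTTPS."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page using both include styles from the slides.
SAMPLE = """<html><body>
<script src=http://www.site.com/script.js> </script>
<script src=//www.site.com/script.js> </script>
<script src="https://www.site.com/ok.js"></script>
<img src="/static/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content(SAMPLE):
        print(f"mixed content: <{tag}> loads {url} over cleartext HTTP")
```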

Cookies: client state

Cookies are used to store state on the user's machine.

Browser -> Server: GET
Server -> Browser: HTTP header
  Set-Cookie: NAME=VALUE;
    domain = (who can read);
    expires = (when it expires; if expires=NULL: this session only);
    secure = (only over SSL)
Browser -> Server: GET
  Cookie: NAME=VALUE

HTTP is a stateless protocol; cookies add state.

Cookie authentication

Browser -> Web server: POST login.cgi with username & pwd
Web server -> Auth server: validate user
Auth server: issues auth=val and stores val
Web server -> Browser: Set-Cookie: auth=val
Browser -> Web server: GET restricted.html with Cookie: auth=val
Web server -> Auth server: check val for restricted.html
Auth server -> Web server: YES/NO
Web server -> Browser: if YES, restricted.html

DOCUMENT OBJECT MODEL

What is the DOM?

The DOM is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents. The document can be further processed and the results of that processing can be incorporated back into the presented page.

Ref: http://www.w3c.org/

The DOM Interface Hierarchy (diagram)

Fundamental interfaces: DOMImplementation, DOMException, NodeList, NamedNodeMap, Node, Document, CharacterData (Comment, Text), Attr, Element.
Extended interfaces: DocumentType, Notation, Entity, EntityReference, ProcessingInstruction, CDATASection.

The Relation Graph (diagram)

XML document -> DOM -> Output, where the DOM is driven by a web client-side program (e.g. JavaScript), a web server-side program (e.g. ASP) or a console program (e.g. C++, Java).

Document Object Model (DOM)

Object-oriented interface used to read and write docs. A web page in HTML is structured data; the DOM provides a representation of this hierarchy.

Examples

Properties:
document.alinkColor
document.URL
document.forms[ ]
document.links[ ]
document.anchors[ ]

Methods:
document.write(document.referrer)

Document Object Model (DOM)

Also the Browser Object Model (BOM):
Window
  document
  frames[]
  History
  Location
  navigator (type and version of browser)

OWASP project

OWASP project (http://www.owasp.org): Open Web Application Security Project
Minimum standards for web application security
International membership
Interesting projects:
Developing and maintaining secure web applications following the ISO 17799 standard
Web application assessment tools

OWASP Top 10
Unvalidated input
Broken access control
Broken authentication and session management
Cross site scripting
Buffer overflows
Injection flaws
Improper error handling
Insecure storage
Denial of service
Insecure configuration management

Hidden Field

HIDDEN form tag (readable with View Source).

Cookie Poisoning

Cookie, session cookie, session ID.
Weak authenticators: security risk

Predictable cookie authenticator
Verizon Wireless: a counter. User logs in, gets a counter, can view sessions of other users.

Weak authenticator generation [Fu et al. 01]
WSJ.com: cookie = {user, MAC_k(user)}
Weak MAC exposes k from a few cookies.

Apache Tomcat: generateSessionID()
MD5(PRNG) but weak PRNG: predictable session IDs [GM05].

Storing data on browser?

Unreliable: the user can change/clear values.

Silly example: shopping cart software
Set-Cookie: shopping-cart-total = 150 ($)
User edits cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15 ($)

Similar to the problem with hidden fields:
<INPUT TYPE=hidden NAME=price VALUE=150>
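The fix for both the {user, MAC_k(user)} cookie and the shopping-cart cookie is the same: bind server-issued state with a strong MAC and verify it on every request. The following is an added example, not code from the slides or any project: it issues a cookie with HMAC-SHA256 (assumed in place of the weak MAC in the WSJ.com case), then edits shopping-cart-total from 150 to 15 the way the slide describes and shows the edit being rejected; the cookie format and the tamper() helper are constructed for the example.

```python
import hashlib
import hmac
import secrets


def _mac(key: bytes, payload: str) -> str:
    # HMAC-SHA256 over the exact bytes the client will send back.
    return hmac.new(key, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def issue_cookie(key: bytes, fields: dict) -> str:
    """Server side: serialise the fields and append MAC_k(payload).
    '&' separates fields because ';' is a Set-Cookie attribute separator."""
    payload = "&".join(f"{k}={v}" for k, v in sorted(fields.items()))
    return f"{payload}|{_mac(key, payload)}"


def verify_cookie(key: bytes, cookie: str):
    """Server side: return the fields if the MAC matches, else None."""
    payload, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    # compare_digest runs in constant time, so a forger learns nothing
    # from how long the server takes to reject a guessed tag.
    if not hmac.compare_digest(_mac(key, payload), tag):
        return None
    return dict(item.split("=", 1) for item in payload.split("&") if "=" in item)


def tamper(cookie: str, field: str, new_value: str) -> str:
    """Client side: edit one field in the cookie file but keep the old MAC
    (models the cookie poisoning on the slide; constructed helper)."""
    payload, _, tag = cookie.rpartition("|")
    edited = "&".join(
        f"{field}={new_value}" if item.startswith(field + "=") else item
        for item in payload.split("&"))
    return f"{edited}|{tag}"


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # stays on the server; never sent to clients
    cookie = issue_cookie(key, {"user": "alice", "shopping-cart-total": "150"})
    print("issued:  ", cookie)
    print("verified:", verify_cookie(key, cookie))
    forged = tamper(cookie, "shopping-cart-total", "15")
    print("forged:  ", forged)
    print("verified:", verify_cookie(key, forged))  # None: edit detected
```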


Application Buffer Overflow

Picture-in-picture attacks

Trained users are more likely to fall victim to this [JSTB07].

The status bar

Trivially spoofable:

<a href="http://www.paypal.com/" onclick="this.href = 'http://www.evil.com/';">PayPal</a>

Cross Site Scripting

Script injection; cookie theft via XSS.

Forceful Browsing

/client
/client/client1/data
Path traversal (../../../)
Google keyword: "index of parent directory"

Hacking Over SSL

NIDS; SSL NIDS (a NIDS cannot inspect SSL-encrypted traffic unless it can terminate or decrypt the SSL).

SQL Poisoning & Injections

SQL statement -> Database server

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10;

SQL (ASP):
v_cat = request("category")   ' v_cat = 10;
sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
set rs = conn.execute(sqlstr)

Database:
SELECT description FROM product WHERE category=10;

SQL Injection

www.test.com/cgi-bin/productdesc.asp?category=10 UNION SELECT name,pwd FROM admins;--

SQL (ASP):
v_cat = request("category")   ' v_cat = 10 UNION SELECT name, pwd FROM admins;--
sqlstr = "SELECT description FROM product WHERE category='" & v_cat & "'"
set rs = conn.execute(sqlstr)

Database:
SELECT description FROM product WHERE category=10 UNION SELECT name, pwd FROM admins;--
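The productdesc.asp lookup rebuilt on SQLite, as an added example that is not code from the slides: one function concatenates v_cat into the statement exactly as sqlstr does above, the other binds it as a parameter. The product and admins tables are constructed, and the slide's payload is adapted to close the opening quote and to match the single-column SELECT it is unioned with.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE product (category TEXT, description TEXT);
        CREATE TABLE admins (name TEXT, pwd TEXT);
        INSERT INTO product VALUES ('10', 'Widget'), ('11', 'Gadget');
        INSERT INTO admins VALUES ('admin', 's3cret');
    """)
    return conn


def vulnerable_query(conn, v_cat: str) -> list:
    # Same shape as sqlstr = "...category='" & v_cat & "'": the request
    # parameter becomes part of the SQL text, so it can change the statement.
    sqlstr = "SELECT description FROM product WHERE category='" + v_cat + "'"
    return [row[0] for row in conn.execute(sqlstr)]


def safe_query(conn, v_cat: str) -> list:
    # The value travels separately from the statement; whatever it contains
    # is compared against the category column and cannot add a UNION.
    sql = "SELECT description FROM product WHERE category=?"
    return [row[0] for row in conn.execute(sql, (v_cat,))]


# Constructed input: the slide's UNION payload, adapted as described above.
PAYLOAD = "10' UNION SELECT name || ':' || pwd FROM admins;--"

if __name__ == "__main__":
    conn = make_db()
    print("normal:       ", vulnerable_query(conn, "10"))     # ['Widget']
    print("injected:     ", vulnerable_query(conn, PAYLOAD))  # includes 'admin:s3cret'
    print("parameterised:", safe_query(conn, PAYLOAD))        # []
```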

JavaScript Injection

Injected JavaScript can read or set session state held in cookies and hidden fields:

javascript:alert(document.cookie);
javascript:void(document.cookie="authorization=true");

Error Handling

Error messages and debug output.

Other Modification Techniques

A proxy between the client and the web server edits HTTP headers in transit:
Paros Proxy
TamperData plugin for Mozilla Firefox (HTTP header editing)

Network Architecture and Secure Web Applications

Vulnerability scanner
Penetration testing

Secure Network Architecture

Firewall layer
IPS monitor
Application proxy firewall

Secure Web Applications

Secure Coding

Topics: input & output validation, SSL, HTML forms, cookies, HTTP REFERER header, POST & GET methods, logout mechanism, error handling.

Input & output validation

Client-side script checks can be bypassed: NEVER TRUST CLIENT SIDE DATA !!!
Sanity-check all input, including tags.

HTML forms

Hidden elements; SSL; GET method vs. POST method.

Cookies

Two kinds: persistent and non-persistent.
Uses: user authentication, state management, saving user preferences.
Cookies are plaintext; a token ID in a cookie acts as the credential, so cookies need a timeout.
Authentication based on request headers (User-Agent, Accept, ...) is weak: the headers are client-supplied.

HTTP REFERER header

Used in script attacks; the HTTP REFERER header is client-supplied.

POST & GET methods

GET: parameters appear in proxy, firewall and web server logs.
POST: parameters reach only the web server.

Logout mechanism

Logout must clear the cookies and end the session on both client and server.

Error Handling

Error messages and the error descriptions shown to the user.

System Scanner and Security Infrastructure Software

NMAP
NESSUS
OpenVAS
SQLmap

Penetration Testing

Testing from the hacker's perspective:
Black box testing
White box testing
