Professional Documents
Culture Documents
CSS Unit III Web Security Lanscape
CSS Unit III Web Security Lanscape
Lanscape
By
Dr. Shruti Bharadwaj
CSE Department
Access Control: Principle of Least Privileadge
• The principle of least privileadge is the idea that at any user, program, or
process should have only the bare minimum privileges necessary to perform
its function.
• For example, a user account created for pulling records from a database
doesn’t need admin rights, while a programmer whose main function is
updating lines of legacy code doesn’t need access to financial records.
• The principle of least privilege can also be referred to as the principle of
minimal privilege (POMP) or the principle of least authority (POLA).
Access Control
• Each process in UNIX has process ID, inherited from creating process and
process can change ID. Special root ID allowed all access.
• File has access control list(ACL), grants permission to user ID(Owner, group
and other.
• Each file has owner and group.
• Permissions set by owner are read, write and execute. Owner, group and
other. Represented by vector of four octal values.
• Only owner, root can change permission.
• Each process has three ids Real User ID, effective user ID and saved user ID.
Weakness in Isolation and Privileges
• Network-facing Daemons
Root processes with network ports open to all remote parties, e.g., sshd,
ftpd, sendmail,
• Rootkits
System extension via dynamically loaded kernel modules
• Environment Variables
System variables such as LIBPATH that are shared state across applications.
An attacker can change LIBPATH to load an attacker provided file as a
dynamic library
• Shared Resources
Since any process can create files in /tmp directory, an untrusted process
may create files that are used by arbitrary system processes
• Time-of-Check-to-Time-of-Use (TOCTTOU)
Typically, a root process uses system call to determine if initiating user has
permission to a particular file, e.g. /tmp/X.
After access is authorized and before the file open, user may change the file
/tmp/X to a symbolic link to a target file /etc/shadow.
Access Control in Windows
• Some basic functionality similar to Unix like specify access for groups and users , Read,
modify, change owner, delete.
• Some additional concepts of tokens and security attributes .
• Generally – More flexible than Unix because it can define new permissions and can give
some but not all administrator privileges
• Identify subject using SID that is Security ID (SID)
Identity (replaces UID)
SID revision number
48-bit authority value
variable number of Relative Identifiers (RIDs), for uniqueness
Users, groups, computers, domains, domain members all have SID
• Process has set of tokens
o Security context
Privileges, accounts, and groups associated with the process or thread
Presented as set of tokens
o Impersonation token
Used temporarily to adopt a different security context, usually of another user
o Security Reference Monitor
Uses tokens to identify the security context of a process or thread
--Continue
Object has security descriptor
• Clickjacking allows an attacker to trick your users into clicking parts of your interface without their
consent.
• A simple way to describe this is, an attacker will embed your application in their site as an iframe.
• On top of the iframe they can show a completely different interface.
• You‟re thinking you‟re clicking buttons on your own interface, while in fact you are hitting the
„Delete my account‟ button in for example GMail.
• Because this technique completely operates with frames, it can be circumvented by using a
„Frame busting‟ technique. As a bonus, this will also disallow for example Digg to steal and
monetize your content.
• Frame busting can be achieved with a simple javascript technique: <script type=”text/javascript”>
• If(top !==self) top.location.replace(self.location.href); </script>
SQLi(Structured Query Language Injection) Attack
• Attackers can use SQL Injections to find the credentials of other users in the database. They can
then impersonate these users. The impersonated user may be a database administrator with all
database privileges.
• SQL lets you select and output data from the database. An SQL Injection vulnerability could allow
the attacker to gain complete access to all data in a database server.
• SQL also lets you alter data in a database and add new data. For example, in a financial
application, an attacker could use SQL Injection to alter balances, void transactions, or transfer
money to their account.
• You can use SQL to delete records from a database, even drop tables. Even if the administrator
makes database backups, deletion of data could affect application availability until the database
is restored. Also, backups may not cover the most recent data.
• In some database servers, you can access the operating system using the database server. This
may be intentional or accidental. In such case, an attacker could use an SQL Injection as the initial
vector and then attack the internal network behind a firewall.
How to Prevent SQLi
To keep your web application safe, everyone involved in building the web application
must be aware of the risks associated with SQL Injections. You should provide suitable
security training to all your developers, QA staff, DevOps, and SysAdmins. You can start
by referring them to this page.
Treat all user input as untrusted. Any user input that is used in an SQL query introduces a
risk of an SQL Injection. Treat input from authenticated and/or internal users the same
way that you treat public input.
Don’t filter user input based on blacklists. A clever attacker will almost always find a way
to circumvent your blacklist. If possible, verify and filter user input using strict whitelists
only.
--Continue
Older web development technologies don’t have SQLi protection. Use the latest version of
the development environment and language and the latest technologies associated with
that environment/language. For example, in PHP use PDO instead of MySQLi
Don’t try to build SQLi protection from scratch. Most modern development technologies
can offer you mechanisms to protect against SQLi. Use such mechanisms instead of
trying to reinvent the wheel. For example, use parameterized queries or stored procedures.
• With a little help of social engineering (such as sending a link via email or chat), an
attacker may trick the users of a web application into executing actions of the attacker’s
choosing.
• If the victim is a normal user, a successful CSRF attack can force the user to perform
state changing requests like transferring funds, changing their email address, and so
forth.
• If the victim is an administrative account, CSRF can compromise the entire web
application.
• The most practicable makers that help in the timely detection of CSRF are:
Websites allowing session management through GET requests. Third-
parties can get easy access to such sites. So, they are more prone to CSRF
attacks. Make sure your site is not among them.
Web Proxies are very helpful in CSRF detection. As it keeps track of HTTP
requests’ journey from beginning to end, you can replay requests without
initiating an interaction with the client-side interface of the app.
Prevention of XSRF
• CSRF-token-based prevention
CSRF tokens can be utilized by website owners or administrators for it. The
app security team should figure out the attack-prone part of server-side
functions and introduce the CSRF token in the HTML form of that vulnerable
operational part. Make sure that the intended HTML form is not a
component of session cookies. Also, utilize a cryptographically secured
Sharing a lot in common with Secure Flag and HTTPOnly, it equips the browser
adequately for handling the cookies as well as cross-site requests at once.
‘Lax’ is the default value that maintains security for web solutions when they
The value ‘none’ is used you want to use cookies for accessing cross-site URLs.
--Continue
• Utilizing user interaction for CSRF protection
It is the easiest way to implement a CSRF prevention strategy. It involves the use of re-
authentication, one-time token creation, and CAPTCHA deployment. All these techniques increase
user interaction and leave less scope for threat attacks to barge in. Also, it enhances the user
experience.
• Controlling Login CSRF
One can prevent CSRF from impacting the login forms by generating pre-sessions for each user and
introducing CSRF tokens in those sessions. It makes the early authentication safe. But, ensure
that this pre-session should be destroyed once the real session is initiated. Ignoring this will give
invitation to the session-fixation attack.
Regularly updating software will greatly reduce the vulnerabilities that leave a site or
application open to XSS vulnerabilities. You should also audit all of your applications
to determine which you need and which you rarely use.
• Sanitize And Validate Input Fields
Input fields are the most common point of entry for XSS attack scripts. Therefore,
you should always screen and validate any information input into data fields. This
is particularly important if the data will be included as HTML output to protect
against reflected XSS attacks.
A Web Application Firewall(WAF) can be a powerful tool for protecting against XSS
attacks. WAFs can filter bots and other malicious activity that may indicate an attack.
Attacks can then be blocked before any script is executed.
• Content Security Policy
A content security policy (CSP) can define the functions a website is allowed to
perform. They can be used to prevent a website from accepting any in-line scripts.
This may be the strongest method at your disposal as it can completely block XSS
attacks or at least greatly reduce the possibility of them.