Professional Documents
Culture Documents
Web Applications
Updated 1-19-21
Web Applications
fl
n
fl
s
fl
t
fi
e
• Link Ch 1b
Study by Text Authors
SinVR Hack
• Unauthenticated request allows anyone to download
PII from users
• Link Ch 1f
PII
• Link Ch 1c
• Link Ch 1d
The Core Security Problem
Possible Attacks
fl
s
fi
e
The Future
• Some vulnerabilities
are decreasin
• #1 security
measure:
UPDATE
• Logic aws and
failure to use
controls properly are
not decreasin
• Link Ch 1e
fl
S
Ch 1
CNIT 129S: Securing
Web Applications
fi
Handling User Access
• Authenticatio
• Session managemen
• Access Control
n
Authentication
• Username and password is most common
metho
• Better: additional credentials and multistage
logi
• Best: client certi cates, smart cards, challenge-
response token
• Also: self-registration, account recovery,
password change
n
fi
Common Login Problems
• Predictable username
• Password that can be guesse
• Defects in logic
s
Session Management
• Session: a set of data structures that track the
state of the use
• A token identi es the session, usually a cooki
• Can also use hidden form elds or the URL
query strin
• Sessions expire
g
fi
r
fi
e
Access Control
• Each request must be permitted or denie
• Multiple roles within applicatio
• Frequent logic errors and awed assumptions
fl
n
fi
fi
s
"
Sanitization
Semantic Checks
fi
"
Boundary Validation
• Trust boundar
• Divides a trusted zone from an untrusted zon
• Clean data that passes a boundar
• Such as from the user into an application
y
Boundary Validation
Example
Example SOAP Request
• Link Ch 2a
Boundary Validation Example
Filtering Problems
Multistep Validation
• App rst removes
../
• Then remove
..\
• Attacker send
....\/
fi
s
Canonicalization
• App gets URL-encoded data from Web browse
• Apostrophe is %2
• Percent is %2
• To block apostrophes, app lters %2
• But URL is decoded twice by mistak
• %2527 becomes %27 becomes apostrophe
5
fi
e
Handling Attackers
• Handling error
• Maintaining audit log
• Alerting administrator
• Reacting to attacks
s
Handling Errors
• Show appropriate error message
• Unhandled errors lead to overly-informative
error messages like this
Audit Logs
• Authentication events: login success and
failure, change of passwor
• Key transactions, such as credit card payment
• Access attempts that are blocked by access
control mechanism
• Requests containing known attack string
• For high security, log every client request in full
s
Protecting Logs
• Logs should contain time, IP addresses, and
usernam
• May contain cookies and other sensitive dat
• Attackers will try to erase and/or read log
• Log must be protecte
• Place on an autonomous system that only
accepts update message
• Flush logs to write-once media
e
Alerting Administrators
fi
Firewalls
fi
s
Reacting to Attacks
Ch 2