Web Security
15-349: Introduction to Computer and Network Security

Anatomy of a web application
  The browser sends a request to the server (carrying its session id, e.g. id=scACRSm...) and the server answers with an HTML document (<!DOCTYPE html><html>...).
  The document is built on the server by HTML, PHP, Java, ASP/.Net, Ruby, Python or server-side JS: dynamic webpage content.

Ajax - fetching data without refreshing the page
  Javascript running in the page sends a request (again with the session id=scACRSm...) to the server (HTML, PHP, Java, ASP/.Net, Ruby, Python, server JS); the response can be anything, and the script uses it to update the page in place.

“Hello World!” with Ajax
  client.html sends name=CMU to helloService.php and receives “Hello CMU!”

“Hello World!” - Behind the Scene
  client.html  -> helloService.php : name=CMU
  helloService.php -> client.html  : “Hello CMU!”

The Web in a nutshell
• Server Side Languages (PHP, Ruby, Python, .NET, Java)
  ➡ Engineer a document based on server resources (database, external programs, ...)
• Client Side Languages (Javascript, Flash)
  ➡ Manipulate the document and interact with the user
• Communication client/server
  ➡ HTTP protocol with POST and GET arguments

Incomplete Mediation
  The most widespread vulnerabilities in web applications
  source: “Web Application Security Statistics 2008” from The Web Application Security Consortium

Information Leakage
  “AT&T Inc. apologized to Apple Inc. iPad 3G tablet computer users whose e-mail addresses were exposed during a security breach disclosed last week.”
  source: Business Week - June 14 2010
  “There’s no hack, no infiltration, and no breach, just a really poorly designed web application that returns e-mail address when ICCID is passed to it.”
  source: Praetorian Prefect - June 9 2010

Solution
  ✓ Authentication
  ✓ Access Control

Authentication and Access Control
• How to authenticate users on the Web?
• Where are passwords stored and checked?
• How are passwords transmitted over the network?
• How to implement a session?
• How to implement access control?

Insufficient Transport Layer Protection
  Do you trust the network?
  Someone sitting on the network between the client and the server observes the request (id=scACRSm...) and the response (<!DOCTYPE html><html>...): interesting!
Solution
  ✓ HTTPS (HTTP over SSL)
  • SSL to encrypt HTTP content
    ✓ POST arguments included, but not the headers
    ๏ GET arguments not included

Incomplete Mediation

The Shopping Cart Attack
  The order is generated based on the request.
  The total is calculated by a script on the client.
  Client (untrusted domain): item #2956, quantity 10, unit price 9, total 90
  Request sent to the server (trusted domain): order=(#2956,10,9,90)
  Server: “Thank you for your order!”
  Because the quantity, price and total are computed on the client, any of them can be altered in the request before it reaches the server, and the server has no way to tell.
  * Notice that Amazon is not vulnerable to this attack

Solution
  ๏ The client side is not a trusted domain
  ✓ Sensitive operations must be done on the server, i.e. in the trusted domain

SQL Injection

SQL Password Checking Attack
  loginPage.html normally posts name=Alice&pwd=123456 to checkPassword.php.
  The attacker instead posts pwd=whatever OR 1=1.

  checkPassword.php:
    <?php
    // The request fields are concatenated directly into the query text
    // (the vulnerable pattern this slide illustrates)
    $uid = SQLQuery("SELECT uid FROM LoginTable WHERE login=" . $_POST['name'] . " AND password=" . $_POST['pwd']);
    if ($uid) echo "Access Granted";
    else echo "Access Denied";
    ?>

  With a wrong password the query returns no uid: Access Denied. With the injected value the WHERE clause ends in OR 1=1, which holds for every row, so a uid comes back and the attacker gets Access Granted!

Solution
  ๏ Input data cannot be trusted
  ✓ Sanitize input data
    ➡ Escape inputs (weak)
    ➡ Validate inputs (strong)

Cross-Site Scripting (XSS)

Cross-Site Scripting Attack (XSS attack)
  Normal request: name=CMU -> “Hello CMU!”
  Attack request: name=<script language="javascript">alert("XSS attack");</script>
  Response: “Hello <script language="javascript">alert("XSS attack");</script>!”
  XSS Attack = Javascript Code Injection
  Tell me, why is it bad?

Solution
  ✓ Sanitize “tainted” output data, i.e. data made from input data
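The shopping-cart slide's fix (sensitive operations in the trusted domain) in working code, as an added example that is not part of the lecture material: the server re-prices the order from its own catalog and treats the client's price and total purely as something to compare against. The catalog, the order format parser and the logging are assumptions; the slide only shows order=(#2956,10,9,90).

```python
from decimal import Decimal
import logging

# Constructed server-side price list (assumption: the slide shows item #2956 at 9 each
# but no catalog). This is the only source of prices the server ever uses.
CATALOG = {"#2956": Decimal("9")}


def parse_order(order):
    """Split the slide's order=(#2956,10,9,90) into item, quantity, unit price, total."""
    fields = order.strip("()").split(",")
    if len(fields) != 4:
        raise ValueError("malformed order")
    item, qty, unit_price, total = fields
    return item, int(qty), Decimal(unit_price), Decimal(total)


def total_trusting_client(order):
    # The vulnerable design from the slide: the server charges whatever total the
    # client-side script computed, so a tampered request sets its own price.
    return parse_order(order)[3]


def total_server_side(order):
    # The fix: the server recomputes the total in the trusted domain. The client's
    # fields are used only as an item identifier and a quantity, both validated.
    item, qty, claimed_price, claimed_total = parse_order(order)
    if item not in CATALOG:
        raise ValueError(f"unknown item {item}")
    if qty <= 0:
        raise ValueError("quantity must be positive")
    total = CATALOG[item] * qty
    # A mismatch between what the client claimed and what the server computed is
    # either a stale client or tampering; it is worth recording either way.
    if claimed_total != total or claimed_price != CATALOG[item]:
        logging.warning("client claimed %s for %s x%d, server computed %s",
                        claimed_total, item, qty, total)
    return total


if __name__ == "__main__":
    honest = "(#2956,10,9,90)"
    tampered = "(#2956,10,9,1)"   # total rewritten on the client before sending
    print("trusting client:", total_trusting_client(tampered))   # charges 1
    print("server-side    :", total_server_side(tampered))       # charges 90
    print("server-side    :", total_server_side(honest))         # charges 90
```

The comparison in total_server_side is not what protects the shop (the recomputed total is used regardless); it exists so that tampered requests show up in the logs rather than silently succeeding or silently being corrected.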
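The password-checking slide and its solution, as an added example that is not the lecture's PHP: checkPassword.php is modelled twice against an in-memory SQLite table, once with the request fields spliced into the query text as the slide does, once with a parameterized query, which is the standard way of making input data stay data. The table contents are constructed; the injected value is the slide's "whatever OR 1=1" adapted to a query that quotes its string values. Plaintext passwords are kept only to mirror the slide's query.

```python
import sqlite3


def make_db():
    # Constructed stand-in for the slide's LoginTable (assumption: its schema is not shown)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE LoginTable (uid INTEGER, login TEXT, password TEXT)")
    conn.executemany("INSERT INTO LoginTable VALUES (?, ?, ?)",
                     [(1, "Alice", "123456"), (2, "Bob", "hunter2")])
    return conn


def check_password_vulnerable(conn, name, pwd):
    # Mirrors checkPassword.php: the POST fields become part of the SQL statement,
    # so whatever syntax they contain is executed by the database
    query = ("SELECT uid FROM LoginTable WHERE login='" + name
             + "' AND password='" + pwd + "'")
    row = conn.execute(query).fetchone()
    return "Access Granted" if row else "Access Denied"


def check_password_fixed(conn, name, pwd):
    # Parameterized query: the statement text is fixed and the values travel
    # separately, so the input can only ever be compared, never parsed as SQL
    row = conn.execute(
        "SELECT uid FROM LoginTable WHERE login=? AND password=?", (name, pwd)
    ).fetchone()
    return "Access Granted" if row else "Access Denied"


def demo():
    conn = make_db()
    payload = "' OR 1=1 --"   # the slide's "whatever OR 1=1", for a quoted query
    return {
        "legit_vulnerable": check_password_vulnerable(conn, "Alice", "123456"),
        "legit_fixed": check_password_fixed(conn, "Alice", "123456"),
        "wrong_vulnerable": check_password_vulnerable(conn, "Alice", "wrong"),
        "attack_vulnerable": check_password_vulnerable(conn, "Alice", payload),
        "attack_fixed": check_password_fixed(conn, "Alice", payload),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:18s} {result}")
```

In the vulnerable variant the WHERE clause becomes `login='Alice' AND password='' OR 1=1 --'`; AND binds tighter than OR, so the clause is true for every row and a uid is returned. The parameterized variant compares the whole payload string against the password column and finds nothing. Escaping the quote character by hand would also stop this particular payload, which is the slide's "weak" option; parameterization (or strict validation of the allowed characters) is the "strong" one because it does not depend on anticipating every syntax the database accepts.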
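The XSS slide's "sanitize tainted output" in working code, as an added example that is not the lecture's helloService.php: the service is modelled once as the slide shows it (the name copied verbatim into the page) and once escaping the value for the HTML context it lands in. The request dictionaries are constructed from the slide's two requests; the use of Python's html.escape is an assumption about how the fix is implemented.

```python
import html

# Constructed request parameters matching the slide's two requests
NORMAL_REQUEST = {"name": "CMU"}
ATTACK_REQUEST = {"name": '<script language="javascript">alert("XSS attack");</script>'}


def hello_service_vulnerable(params):
    # Mirrors the slide: data derived from input ("tainted") goes straight into
    # the document, so the browser interprets any markup it contains
    return "Hello " + params.get("name", "") + "!"


def hello_service_fixed(params):
    # Output sanitization at the point where tainted data meets the document:
    # '<', '>', '&' and both quote characters become entities, so the browser
    # displays the text literally instead of executing it
    return "Hello " + html.escape(params.get("name", ""), quote=True) + "!"


def has_raw_tag(page):
    # Crude check used only by this demonstration: is a raw tag still present?
    return "<" in page and ">" in page


if __name__ == "__main__":
    for label, handler in (("vulnerable", hello_service_vulnerable),
                           ("fixed", hello_service_fixed)):
        page = handler(ATTACK_REQUEST)
        print(f"{label:10s} raw tag: {has_raw_tag(page)}  -> {page}")
```

The escaping is specific to where the data is placed: html.escape is right for element content and quoted attribute values, which is the slide's case, but a value inserted into a <script> block or a URL needs the escaping rules of that context instead. Sanitizing output rather than input is the point of the slide: the same stored value may be safe in one context and dangerous in another, so the decision has to be made where it is emitted.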