Web page security
dr. Simona Ramanauskaitė

Security concepts

To remember

CIA triad (figure)
Security objectives

- Confidentiality: only the legitimate user can understand what was sent.
- Integrity: no one can replace part or all of the message content.
- Availability: the information must be available whenever we need it.
- Authenticity: the recipient must be sure who sent the message; no one can pretend to be a different person.
- Non-repudiation: neither the sender nor the recipient can deny that they sent or received a message.
- Access control: the source of information must be fully protected against unauthorized access.
Security attacks

- Interruption: violates availability
- Interception: violates confidentiality
- Modification: violates integrity
- Fabrication: violates authentication
(Figures: message flow between Sender and Receiver)

- Normal flow: Sender, Receiver
- Interruption: Sender, Receiver, Attacker
- Interception: Sender, Receiver, Attacker
- Modification: Sender, Receiver, Attacker
- Fabrication: Sender, Receiver, Attacker
Solutions for solving security problems

- Coding of information: cryptographic solutions
- Software access control: managing user accounts
- Technical access control: magnetic cards, biometrics
- Information security policy: frequent change of passwords
- Control of personnel: make sure that secrets will be kept from publicity

McCumber cube (figure)
Secret vs Safe

- Secret: no one knows (how it works, where it is, when it will be sent, etc.)
- Safe: everyone knows (how it works, where it is, when it will be sent, etc.), but an unauthorized person cannot use it (read, use, change, etc.)
System development process (figure: security activities placed against the development artifacts)

- Security activities: Security Requirements, Abuse cases, Risk Analysis, Code Review, Risk-Based Security Tests, Penetration Testing, Security Operations
- Development artifacts: Requirements and Use cases, Architecture and Design, Test Plans, Code, Tests and Test Results, Feedback from the Field

Web page security
Types of Threats

- Network: threats against the network (spoofed packets, etc.)
- Host: threats against the host (buffer overflows, illicit paths, etc.)
- Application: threats against the application (SQL injection, XSS, input tampering, etc.)
Threats Against the Network

Threat: Examples
- Information gathering: port scanning; using trace routing to detect network topologies; using broadcast requests to enumerate subnet hosts
- Eavesdropping: using packet sniffers to steal passwords
- Denial of service (DoS): SYN floods; ICMP echo request floods; malformed packets
- Spoofing: packets with spoofed source addresses
Threats Against the Host

Threat: Examples
- Arbitrary code execution: buffer overflows in ISAPI DLLs (e.g., MS01-033); directory traversal attacks (MS00-078)
- File disclosure: malformed HTR requests (MS01-031); virtualized UNC share vulnerability (MS00-019)
- Denial of service (DoS): malformed SMTP requests (MS02-012); malformed WebDAV requests (MS01-016); malformed URLs (MS01-012); brute-force file uploads
- Unauthorized access: resources with insufficiently restrictive ACLs; spoofing with stolen login credentials
- Exploitation of open ports and protocols: using NetBIOS and SMB to enumerate hosts; connecting remotely to SQL Server
Threats Against the Application

Threat: Examples
- SQL injection: including a DROP TABLE command in text typed into an input field
- Cross-site scripting: using malicious client-side script to steal cookies
- Hidden-field tampering: maliciously changing the value of a hidden field
- Eavesdropping: using a packet sniffer to steal passwords and cookies from traffic on unencrypted connections
- Session hijacking: using a stolen session ID cookie to access someone else's session state
- Identity spoofing: using a stolen forms authentication cookie to pose as another user
- Information disclosure: allowing the client to see a stack trace when an unhandled exception occurs
Web page concept

Cross-site scripting conditions

- A Web application accepts user input (URL, input fields)
- The input is used to create dynamic content
- The input is insufficiently validated
XSS attack: general overview (figure with Attacker, Web Server and Client)

The attacker posts a forum message:
  Subject: GET Money for FREE !!!
  Body: <script> attack code </script>
        Did you know this?
        .....

The forum listing served for GET /forum.jsp?fid=122&mid=2241 now contains:
  GET Money for FREE !!!
  <script> attack code </script>
  Re: Error message on startup
  I found a solution!
  Can anybody help?
  Error message on startup

1. Attacker sends malicious code
2. Server stores message
3. User requests message
4. Message is delivered by server
5. Browser executes script in message (!!! attack code !!!)
Inserted code

- Long "words"
- HTML code
- JavaScript code
- SQL code
- ...

Application defenses

- Writing secure code:
  - Validating input
  - Accessing databases securely
  - Using forms authentication securely
  - Storing secrets securely
  - Securing session state
  - Handling errors properly
Let's try it

Examine the web page http://mima112.puslapiai.lt/ to find all possible security bugs.
Suggest some ways in which these bugs could be eliminated.
Long words

- Sabotage: changes the web page design
- Protection: word wrap; careful web design

Sabotage



Flood, record duplication
Game cheating
Protection



27
Session or cookie usage
Redirect
Captcha
Remote form submission

Sabotage



Flood, record duplication
Game cheating
Protection


28
Checking of form source
Session or cookie usage
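The "session or cookie usage" protection from the two slides above can be implemented with a one-time form token kept in the server-side session. The example below is added here and is not code from the slides or from the examined site; the in-memory session dictionary stands in for whatever session backend the application uses (an assumption). The same check covers both slides: a refresh that re-sends an already used token is rejected (no duplicate record), and a form submitted from another origin or another session does not carry a token the session issued (no remote submission).

```python
import secrets


def new_session():
    """Constructed stand-in for a server-side session store (assumption:
    the real application keeps this in its session backend)."""
    return {"form_tokens": set()}


def issue_form_token(session):
    """Generate an unguessable one-time token, remember it in the session,
    and return it so the server can embed it as a hidden field of the form."""
    token = secrets.token_urlsafe(32)
    session["form_tokens"].add(token)
    return token


def accept_submission(session, submitted_token):
    """Accept a form post only if it carries a token this session issued and
    that has not been consumed yet. The token is removed on first use, so a
    browser refresh (re-POST of the same form) or a copy of the form hosted
    elsewhere is rejected. compare_digest avoids a timing side channel."""
    if not submitted_token:
        return False
    for issued in session["form_tokens"]:
        if secrets.compare_digest(issued, submitted_token):
            session["form_tokens"].discard(issued)
            return True
    return False


def simulate():
    """Walk through the four cases the slides describe."""
    session = new_session()
    token = issue_form_token(session)
    first = accept_submission(session, token)           # normal post: accepted
    refresh = accept_submission(session, token)         # refresh re-sends it: rejected
    other = new_session()
    remote = accept_submission(other, token)            # token from another session: rejected
    no_token = accept_submission(session, "")           # form without a token: rejected
    return first, refresh, remote, no_token


if __name__ == "__main__":
    print(simulate())
```

The token must be regenerated for every rendered form; checking the HTTP Referer header ("checking the form source") is a weaker complement, since that header is optional and client-controlled.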
HTML data submission

- Sabotage: changes the web page design
- Protection: data validation; strip tags; replace HTML special chars

CSS code submission

- Sabotage: changes the web page design
- Protection: data validation; strip tags

Script submission

- Sabotage: changes the web page design; executes unauthorized code
- Protection: data validation; strip tags; replace HTML special chars
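To show the difference between the "strip tags" and "replace HTML special chars" protections listed for HTML, CSS and script submission, and to tie them back to the stored-XSS forum example earlier in the deck, here is an added example (not code from the slides or from the examined site). The forum post is constructed from the slide's attacker message; the rendering functions and their names are assumptions for the demonstration.

```python
import html
import re

# Constructed forum post mirroring the slide's attacker message.
ATTACKER_POST = {
    "subject": "GET Money for FREE !!!",
    "body": "<script> attack code </script>\nDid you know this?",
}

TAG_RE = re.compile(r"<[^>]*>")


def strip_tags(text):
    """'Strip tags': remove anything that looks like an HTML tag. This changes
    the user's text and is easy to get wrong, so it is shown only to contrast
    it with escaping."""
    return TAG_RE.sub("", text)


def escape_html(text):
    """'Replace HTML special chars': the browser then renders the text literally
    instead of parsing it as markup."""
    return html.escape(text, quote=True)


def render_vulnerable(post):
    # Untrusted input concatenated straight into the page: step 4 of the
    # slide, the server delivers the stored markup unchanged.
    return "<h2>%s</h2><p>%s</p>" % (post["subject"], post["body"])


def render_escaped(post):
    return "<h2>%s</h2><p>%s</p>" % (
        escape_html(post["subject"]), escape_html(post["body"]))


def render_stripped(post):
    return "<h2>%s</h2><p>%s</p>" % (
        strip_tags(post["subject"]), strip_tags(post["body"]))


def contains_script_tag(page):
    """Simple check a test or a log-review script could run on rendered output."""
    return "<script" in page.lower()


if __name__ == "__main__":
    for name, render in [("vulnerable", render_vulnerable),
                         ("escaped", render_escaped),
                         ("stripped", render_stripped)]:
        page = render(ATTACKER_POST)
        print(name, contains_script_tag(page), repr(page))
```

Escaping is the reliable default because it keeps the user's text intact while making it inert as markup; tag stripping silently drops content and should only supplement validation, never replace escaping at the output.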
SQL code insertion

- Sabotage: changes system data
- Protection: data validation; add slashes, escape undesired strings; use prepared statements and parameterized queries
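The following added example (not code from the slides or from the examined site) runs the slide's own DROP TABLE scenario against an in-memory SQLite database, once with a query built by string concatenation and once with a parameterized query. The attacker input, the table layout and the function names are constructed for the demonstration; executescript() stands in for a database driver that runs several statements in one call (an assumption about the vulnerable application).

```python
import sqlite3

# Constructed attacker input following the slide's DROP TABLE example.
INJECTED_SUBJECT = "x'; DROP TABLE messages; --"


def make_forum_db():
    """In-memory forum database with a few constructed messages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, subject TEXT)")
    conn.executemany(
        "INSERT INTO messages (subject) VALUES (?)",
        [("Error message on startup",), ("I found a solution!",), ("Can anybody help?",)],
    )
    conn.commit()
    return conn


def table_exists(conn, name):
    row = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)
    ).fetchone()
    return row is not None


def delete_by_subject_vulnerable(conn, subject):
    """Statement built by concatenation. The quote inside the input closes the
    string literal, so the rest of the input runs as SQL ('changes system data').
    executescript() models a driver that executes stacked statements (assumption)."""
    sql = "DELETE FROM messages WHERE subject = '" + subject + "'"
    conn.executescript(sql)


def delete_by_subject_safe(conn, subject):
    """Parameterized query: the value travels separately from the statement
    text, so the whole input is compared as a literal subject and matches nothing."""
    cur = conn.execute("DELETE FROM messages WHERE subject = ?", (subject,))
    conn.commit()
    return cur.rowcount


def demo():
    """Returns (table survives vulnerable path, table survives safe path,
    rows deleted by safe path, rows remaining after safe path)."""
    vulnerable = make_forum_db()
    delete_by_subject_vulnerable(vulnerable, INJECTED_SUBJECT)
    safe = make_forum_db()
    deleted = delete_by_subject_safe(safe, INJECTED_SUBJECT)
    remaining = safe.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    return (table_exists(vulnerable, "messages"), table_exists(safe, "messages"),
            deleted, remaining)


if __name__ == "__main__":
    print(demo())
```

Escaping the input ("add slashes") is the older defence and depends on getting the database's quoting rules and character encoding exactly right; parameterized queries remove the problem instead of patching it, which is why the slide lists them last as the preferred option.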
Existing secret catalog

- Sabotage: secrets can be revealed by brute force or by monitoring tools
- Protection: rely on being secure rather than on being secret

Existing secret parameters

- Sabotage: secrets can be revealed by brute force or by monitoring tools
- Protection: rely on being secure rather than on being secret
Any questions?
(Lithuania, Siauliai University, Data security, Arduino, ...)

E-mail: simram@it.su.lt
Skype: mima112
Facebook: sim.ram.7