Bài giảng Web Technologies and e-Services - Bài 12: Web security

IT4409: Web Technologies and e-Services Web Security 1 Outline 1. What is web security? 2. HTTPS 3. Session Management 4. Authentication 5. Common Web Attacks 2 What is web security? vWebsite security is the act/practice of protecting websites from unauthorized access, use, modification, destruction, or disruption. (Mozilla) v Effective website security requires design effort across the whole of the website: § Web application § Configuration of the web server § Policies for creating and renewing passwords § Client-side code. 3 Facts and Stats v 95% of breached records came from only three industries in 2016 v There is a hacker attack every 39 seconds v 43% of cyber attacks target small business v The average cost of a data breach in 2020 will exceed $150 million v In 2018 hackers stole half a billion personal records v Over 75% of healthcare industry has been infected with malware over 2018 v Large-scale DDoS attacks increase in size by 500% 4 Facts and Stats v Approximately $6 trillion is expected to be spent globally on cybersecurity by 2021 v By 2020 there will be roughly 200 billion connected devices v Unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021 v 95% of cybersecurity breaches are due to human error v More than 77% of organizations do not have a Cyber Security Incident Response plan v Most companies take nearly 6 months to detect a data breach, even major ones v Share prices fall 7.27% on average after a breach v Total cost for cybercrime committed globally has added up to over $1 trillion dollars in 2018 5 Outline 1. What is web security? 2. HTTPS 3. Session Management 4. Authentication 5. Common Web Attacks 6 HTTPS v Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. 7 • HTTPS is encrypted in order to increase security of data transfer. • This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider. HTTPS v HTTPS uses an encryption protocol to encrypt communications. v The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL). § The private key - this key is controlled by the owner of a website and it’s kept, as the reader may have speculated, private. This key lives on a web server and is used to decrypt information encrypted by the public key. § The public key - this key is available to everyone who wants to interact with the server in a way that’s secure. Information that’s encrypted by the public key can only be decrypted by the private key. 8 Outline 1. What is web security? 2. HTTPS 3. Session Management 4. Authentication 5. Common Web Attacks 9 Session Management v A web session is a sequence of network HTTP request and response transactions associated to the same user. vModern and complex web applications require the retaining of information or status about each user for the duration of multiple requests. v Therefore, sessions provide the ability to establish variables – such as access rights and localization settings – which will apply to each and every interaction a user has with the web application for the duration of the session. 10 Session Management vWeb applications can create sessions to keep track of anonymous users after the very first user request. 11 Session Management v The disclosure, capture, prediction, brute force, or fixation of the session ID will lead to session hijacking (or sidejacking) attacks. v An attacker is able to fully impersonate a victim user in the web application. v Attackers can perform two types of session hijacking attacks, targeted or generic. 12 Outline 1. What is web security? 2. HTTPS 3. Session Management 4. Authentication 5. Common Web Attacks 13 Major security issues v Prevent unauthorized users from accessing sensitive data § Authentication: identifying users to determine if they are one of the authorized ones § Access control: identifying which resources need protection and who should have access to them v Prevent attackers from stealing data from network during transmission § Encryption (usually by Secure Sockets Layer) 14 Authentication v Collect user ID information from end users (“logging in”) § usually by means of browser dialog / interface § user ID information normally refers to username and password v Transport collected user ID information to the web server § unsecurely (HTTP) or securely (HTTPS = HTTP over SSL) v Verify ID and passwd with backend Realm (“security database”) § Realm maintains username, password, roles, etc., and can be organized by means of LDAP (Lightweight Directory Access Protocol), RDBMS, Flat-file, etc. § Validation: the web server checks if the collected user ID & passwd match with these in the realms. v Keep track of previously authenticated users for further HTTP operations 15 WWW-Authenticate v The authentication request received by the browser will look something like: § WWW-Authenticate = Basic realm=“defaultRealm” • Basic indicates the HTTP Basic authentication is requested • realm indicates the context of the login • realms hold all of the parts of security puzzle • Users • Groups • ACLs (Access Control Lists) v Basic Authentication § userid and password are sent base 64 encoded (might as well be plain text) § hacker doesn’t even need to unencode all he has to do is “replay” the blob of information he stole over and over ( this is called a “replay attack”) 16 WWW-Authenticate v Digest Authentication § attempts to overcome the shortcomings of Basic Authentication § WWW-Authenticate = Digest realm=“defaultRealm” nonce=“Server SpecificString” § see RFC 2069 for description of nonce, each nonce is different § the nonce is used in the browser in a 1-way function (MD5, SHA- 1.) to encode the userid and password for the server, this function essentially makes the password good for only one time v Common browsers don’t use Digest Authentication but an applet could as an applet has access to all of the Java Encryption classes needed to create the creation of a Digest. 17 Outline 1. What is web security? 2. HTTPS 3. Session Management 4. Authentication 5. Common Web Attacks 18 Common Web Attacks v XSS v CSRF 19 • SQLi • Brute-force • File upload • Command injection Client side Server side Cross-Site Scripting - XSS v Cross-site scripting (XSS) is a security exploit which allows an attacker to inject into a website malicious client-side code. v This code is executed by the victims and lets the attackers bypass access controls and impersonate users. v XSS was the seventh most common Web app vulnerability in 2017 - OWASP 20 Cross-Site Scripting - XSS 21 Cross-Site Scripting - XSS v There are three main types of XSS attacks. These are: v Reflected XSS, where the malicious script comes from the current HTTP request. v Stored XSS, where the malicious script comes from the website's database. v DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code. 22 Cross-Site Scripting - XSS How to prevent XSS attacks v Filter input on arrival v Encode data on output v Use appropriate response headers v Content Security Policy 23 Cross-Site Scripting - XSS 24 Cross-Site Request Forgery - CSRF v Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated. 25 Cross-Site Request Forgery - CSRF v Preventing CSRF attacks: § Include a CSRF token within relevant requests v The token should be: § Unpredictable with high entropy, as for session tokens in general. § Tied to the user's session. § Strictly validated in every case before the relevant action is executed. 26 SQL Injection v A SQL injection attack consists of insertion or “injection” of a SQL query via the input data from the client to the application. v SQL injection vulnerabilities enable malicious users to execute arbitrary SQL code on a database, allowing data to be accessed, modified, or deleted irrespective of the user's permissions. 27 SQL Injection 28 SQL Injection 29 SQL Injection v How to prevent: Using parameterized queries (also known as prepared statements) instead of string concatenation within the query. v Before: § String query = "SELECT * FROM products WHERE category = '"+ input + "'"; § Statement statement = connection.createStatement(); § ResultSet resultSet = statement.executeQuery(query); v After: § PreparedStatement statement = connection.prepareStatement("SELECT * FROM products WHERE category = ?"); § statement.setString(1, input); § ResultSet resultSet = statement.executeQuery(); 30 SQL Injection 31 Brute force v A brute force attack, also known as an exhaustive search, is a cryptographic hack that relies on guessing possible combinations of a targeted password until the correct password is discovered. § Combination of letters and numbers § Use a dictionary v Prevent password cracking: § Long and complex password § Account lock out 32 Brute force 33 File upload v Uploaded files represent a significant risk to applications. v The first step in many attacks is to get some code to the system to be attacked. v Then the attack only needs to find a way to get the code executed. 34 File upload v Prevention Methods: § The file types allowed to be uploaded should be restricted to only those that are necessary for business functionality. § Never accept a filename and its extension directly without having a whitelist filter. § The application should perform filtering and content checking on any files which are uploaded to the server. § It is necessary to have a list of only permitted extensions on the web application. § All the control characters and Unicode ones should be removed from the filenames and their extensions without any exception. § Limit the filename length. § Uploaded directory should not have any “execute” permission and all the script handlers should be removed from these directories. § Limit the file size to a maximum value in order to prevent denial of service attacks. § The minimum size of files should be considered. § Use Cross Site Request Forgery protection methods. 35 File upload 36 Command Injection v Command injection is an attack in which the goal is execution of arbitrary commands on the host operating system via a vulnerable application. 37 Command Injection v How to prevent: § Validating against a whitelist of permitted values. § Validating that the input is a number. § Validating that the input contains only alphanumeric characters, no other syntax or whitespace. 38 Command Injection 39 Thank you for your attentions! 40