Web Application Security
Transcript of Web Application Security
Computer Science and Engineering 1
Web Application Security
Reading
• Required:
– Stuttard and Pinto, Chapter 3
• Recommended:
– Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431.
http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf
Key Problem Factors
• Underdeveloped security awareness
• Custom development
• Deceptive simplicity
• Resource and time constraints
• Overextended technologies
• Increased demands on functionality
New Security Perimeter
• Before web applications:
– Network perimeter protection (DMZ)
– Firewall
• With web applications:
– Firewall must allow access to the application server
– Server may connect to back-end systems
– Back-end system is behind several layers of defensive technologies
– Web application vulnerability may allow the attacker to access back-end system
Demilitarized Zone (DMZ)
• Perimeter service:
– Operates at the application layer
– Works in conjunction with existing firewall technologies
– Hides internal application details
• External customer: corresponds with the perimeter service’s external contracts
• Internal application: its response is relayed to the customer by the perimeter service
How to Handle Vulnerable Applications?
• Honest users may use compromised applications
• Compromised applications allow a malicious attacker to access the victim’s back-end system
• Malicious user gains the privileges of the victimized user
• Client-side attacks
• Weakness of authentication via email notifications (e.g., forgotten password)
Web Application Security
Layered security:
1. Software-level (single service) security
2. Business-level (service composition) security
3. Network-level security
Application Development
• Inherent security of applications
• Security granularity
• Security software vs. software security
Secure Software Development
• Develop software that is free of flaws
– Software engineering – functional requirements
– Security, reliability, QoS – non-functional requirements
• Protect against malicious code
• Reading:
– G. McGraw, Software Security, http://www.cigital.com/papers/download/bsi1-swsec.pdf
– US National Security Agency: System Security Engineering CMM (SSE-CMM), http://www.sse-cmm.org/index.html
Web Services Composition
• Create complex applications on the fly from individual services
• BPEL4WS, WS-BPEL
• How to express security and reliability needs?
• How to verify that these needs are satisfied?
• How to resolve conflicts between business needs and security requirements?
Web Services Transactions
• Traditional database transaction management vs. SOA application needs
• How can we evaluate correct execution? ACID properties? Serializability?
• WS transaction framework:
– Atomic (short-term) transactions
– Business activity (long-term) transactions
• What are the security implications of WS transactions?
Service-Level Dependencies
• Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc.
• How to detect and prevent the occurrence of these threats?
• In composition, independently developed services are dependent on each other
• No information about internal processing of the workflow components
New Approaches to Improve Security and Reliability
• Develop criteria to evaluate the correctness of composite application execution
– E.g., WS transactions: compensation-based transactions
• Increase reliability using redundant services
• Offer security as a service
• Develop defense models using distributed and collaborative components
– E.g., detect malicious behavior based on collaborating nodes, verify execution correctness by comparing the outcomes of different services, deploy intelligent software decoys, etc.
Web Application Development Technologies
• SOA
• HTTP
• Web functionality
• Encoding schemes
SOA Types
• Service architecture
• Service composition architecture
• Service inventory architecture
• Service-oriented enterprise architecture
SOA Characteristics
• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric
Service Architecture
• Where to implement the security?
• Revealing error messages?
• Access to protected resources?
Service Composition Architecture
• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?
SOA Orientation Principles
• Standardized service contract
• Service loose coupling
• Service abstraction
• Service reusability
• Service autonomy
• Service statelessness
• Service discoverability
• Service composability
Service Inventory Architecture
• Common security measures?
• Range of potential consumers?
• Shared security policies vs. inference?
• Cross-domain service composition?
• Performance degradation?
Industry Standards
• XML
– XML Encryption
– XML Signature
– Canonical XML
– Decryption Transform for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)
SOA Service Communication
• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)
• Communication over HTTP
The HTTP Protocol
• Hypertext Transfer Protocol
– Application layer
– Layered on top of TCP
– Client-server model
– Request-response communication
• Originally developed to retrieve static text-based resources
HTTP Request
• Request line:
1. HTTP method
2. Requested URL
3. HTTP version
E.g., GET /search?q=Web+Technologies HTTP/1.1
• Header lines
– Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body
HTTP Response
• Status line:
1. HTTP version
2. Numeric status code indicating the result of the request
3. Text reason phrase describing the status of the response
• Header lines
– Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body
Status Codes
• 1xx – informational
• 2xx – the request was successful
• 3xx – the client is redirected to a different resource
• 4xx – the request contains an error of some kind
• 5xx – the server encountered an error fulfilling the request
HTTP Methods
• GET – retrieves a resource
– Sends parameters to the requested resource
– Be aware! URLs are stored and displayed -> do not include sensitive data in the query string
• POST – performs an action
– Request parameters sent in the URL query string or in the message body
– Be aware! Using the Back button triggers a re-submission warning
• Other methods: HEAD, TRACE, PUT, etc.
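Added example (not from the slides) tying the request structure above to the GET caveat: it splits a raw HTTP/1.1 request into request line, header lines and body, then flags query-string parameters that look like secrets, since URLs end up in browser history and in proxy and server logs. The parameter-name list and the two sample requests are constructed for illustration.

```python
# Added example: parse a raw HTTP request and check the GET query string
# for parameters that should never travel in a URL.
from urllib.parse import urlsplit, parse_qs

# Assumed name list: parameters a reviewer would not want in a logged URL.
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "token", "session", "ssn", "card"}

def parse_request(raw: bytes) -> dict:
    """Split a raw request into method, URL, version, headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")      # blank line ends the headers
    lines = head.decode("iso-8859-1").split("\r\n")
    method, url, version = lines[0].split(" ", 2)   # request line: 3 parts
    headers = {}
    for line in lines[1:]:                          # header lines "Name: value"
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}

def sensitive_query_params(req: dict) -> list:
    """Names of query-string parameters that look like secrets (GET only)."""
    if req["method"] != "GET":
        return []
    query = parse_qs(urlsplit(req["url"]).query, keep_blank_values=True)
    return sorted(p for p in query if p.lower() in SENSITIVE_PARAMS)

# Constructed sample requests, not captured traffic.
GET_REQ = (b"GET /search?q=Web+Technologies&password=hunter2 HTTP/1.1\r\n"
           b"Host: www.example.com\r\n"
           b"User-Agent: Mozilla/5.0\r\n"
           b"Cookie: sid=abc123\r\n\r\n")
POST_REQ = (b"POST /login HTTP/1.1\r\n"
            b"Host: www.example.com\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n"
            b"Content-Length: 27\r\n\r\n"
            b"user=alice&password=hunter2")

if __name__ == "__main__":
    for raw in (GET_REQ, POST_REQ):
        req = parse_request(raw)
        print(req["method"], req["url"], req["version"], "->",
              sensitive_query_params(req) or "no sensitive query parameters")
```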
REST
• Representational State Transfer
– Request and response messages contain a representation of the current state of the system’s resources
– HTTP conforms to the REST architecture
• REST-based web services
– Based on HTTP, not on SOAP
HTTPS
• HTTP tunneled through SSL
• HTTP proxies:
– Using HTTP
– Using HTTPS
• Proxy is a man-in-the-middle
• Pure TCP-level relay
HTTP Authentication
• Basic: sends the user’s credentials as a Base64-encoded string in a request header
• NTLM: challenge-response using the Windows NTLM protocol
• Digest: challenge-response using an MD5 checksum computed over a server nonce combined with the user’s credentials
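Added example (not from the slides) showing what Basic and Digest actually put on the wire: Basic is reversible Base64, so anyone who sees the header recovers the password, whereas Digest (RFC 2617 with qop=auth) sends an MD5 response bound to the server’s nonce and the server only needs to keep HA1. Realm, user, password and nonce are constructed sample values.

```python
# Added example: Basic header encode/decode and Digest response/verify.
import base64, hashlib, secrets

def basic_header(user: str, password: str) -> str:
    """Client side of Basic: 'user:password' Base64-encoded, not encrypted."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def decode_basic(header: str) -> tuple:
    """Anyone holding the header (proxy, log file) gets the cleartext back."""
    raw = base64.b64decode(header.split(" ", 1)[1]).decode()
    user, _, password = raw.partition(":")
    return user, password

def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce) -> str:
    """Client side of Digest (qop=auth): MD5(HA1:nonce:nc:cnonce:auth:HA2)."""
    ha1 = _md5(f"{user}:{realm}:{password}")   # binds realm and password
    ha2 = _md5(f"{method}:{uri}")              # binds the request itself
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify_digest(ha1_stored, method, uri, nonce, nc, cnonce, response) -> bool:
    """Server side: recompute from the stored HA1 and compare in constant time."""
    ha2 = _md5(f"{method}:{uri}")
    expected = _md5(f"{ha1_stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return secrets.compare_digest(expected, response)

# Constructed sample values (assumed realm, user, password, server nonce).
REALM, USER, PASSWORD = "example.com", "alice", "correct horse"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"

if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print(hdr, "->", decode_basic(hdr))
    cnonce = secrets.token_hex(8)
    resp = digest_response(USER, REALM, PASSWORD, "GET", "/dir/index.html",
                           NONCE, "00000001", cnonce)
    ha1 = _md5(f"{USER}:{REALM}:{PASSWORD}")   # what the server stores
    print("digest verifies:", verify_digest(ha1, "GET", "/dir/index.html",
                                            NONCE, "00000001", cnonce, resp))
```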
State and Session
• Client and server exchange and process data
• Application needs to maintain the state of each user’s interactions
– Server side structure: session
– Client side: sent by the server and protected from tampering
• Stateless HTTP: a token identifies the user’s session
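Added example (not from the slides) of client-side state that is "sent by the server and protected from tampering": the server serialises the state, appends an HMAC-SHA256 tag under a key only it holds, and rejects any cookie whose tag fails to verify. The key, field names and values are constructed for illustration.

```python
# Added example: HMAC-protected client-side session state.
import base64, hashlib, hmac, json, secrets

SERVER_KEY = secrets.token_bytes(32)   # assumed: loaded from server config in practice

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_state(state: dict, key: bytes = SERVER_KEY) -> str:
    """Server builds the cookie value: base64(json(state)) + '.' + base64(tag)."""
    payload = json.dumps(state, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"

def load_state(cookie: str, key: bytes = SERVER_KEY):
    """Server returns the state dict only if the tag verifies, else None."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:                      # malformed cookie (binascii.Error too)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        return None
    return json.loads(payload)

def swap_payload(cookie: str, new_state: dict) -> str:
    """Failure mode to detect: payload edited on the client, old tag kept."""
    payload = json.dumps(new_state, sort_keys=True, separators=(",", ":")).encode()
    return f"{_b64(payload)}.{cookie.split('.', 1)[1]}"

if __name__ == "__main__":
    cookie = issue_state({"user": "alice", "role": "user"})
    print("valid   :", load_state(cookie))
    print("edited  :", load_state(swap_payload(cookie, {"user": "alice", "role": "admin"})))
```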
Functionality
• Server-side technologies:
– Scripting languages
– Web application platforms
– Web server software
– Databases
– Back-end components
• Client-side technologies:
– Browser extension technologies
WS Security Standards
• OASIS Web Services Security (WSS)
– Integrity and authentication: sign SOAP messages
– Confidentiality: encrypt SOAP messages
– Attach security tokens
• Security tokens:
– Security Assertion Markup Language (SAML) assertions
– Kerberos tickets
– User credentials
– X.509 certificates
– Custom-defined tokens
Next Class
• Mapping Applications