Web2.0 Secure Development Practice
Bruce Xia, brucexym@gmail.com
Agenda
– Background
– User Access Control
– Session Management
– Output Filtering
– Data Security and Misc
Background
Web2.0 Top 5:
– Phishing
– A.A. (Authentication and Authorization)
– XSS
– Info leakage
– CSRF
Access Control (1)
Access Control (2)
– Hiding UI is not a secure way to do authentication.
– Do not use JavaScript/VBScript alone to determine actions.
Do not depend on client-side control
Access Control (3)
– Did not check whether the resource belongs to the specific user.
http://www.xxxx.com/mblog/delete.php?userID=98522&blogID=5843258546&rnd=0.6626736132893711
Always check data ownership
Access Control (4)
www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass=xxxxx&type=1
from=LoginSuccess
– HTTP request parameters in the URL or in POST form data are easy to modify.
Do not rely on any flag parameters
Access Control (5)
www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass=xxxxx&type=1
(“from” was already validated in the session)
– Critical operations and externally published URLs are not protected.
Protect critical operations (CSRF)
Access Control (6)
www.abc.com/adduser.php?from=LoginSuccess&username=xxxx&pass=xxxxx&type=1
Ticket = SHA(username+secureKey)
Ticket = SHA(username+secureKey+nonce)
– Add a nonce or timestamp to requests for important actions.
Protect against replay attacks
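The Access Control slides (3) to (6) describe one server-side handler: take the identity from the session rather than from a userID parameter, check that the resource belongs to that user, and require a per-request ticket that cannot be replayed. The following is an added example, not code from the deck; the in-memory session store, blog table, secret key and the nonce/ticket parameter names are constructed assumptions. It uses HMAC-SHA256 keyed with the secret in place of the slide's SHA(username+secureKey+nonce), which is the standard keyed form of that construction.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the server's secret key, session store and blog table (assumptions).
SECURE_KEY = secrets.token_bytes(32)
SESSIONS = {"sess-abc": {"userID": 98522}, "sess-def": {"userID": 11111}}
BLOGS = {
    5843258546: {"owner": 98522, "title": "my post"},
    7000000001: {"owner": 11111, "title": "someone else's post"},
}
LIVE_NONCES: set[str] = set()  # nonces issued but not yet consumed


def issue_ticket(user_id: int) -> tuple[str, str]:
    """Ticket = HMAC-SHA256(secureKey, username + nonce), the keyed form of the
    slide's SHA(username+secureKey+nonce). The nonce is remembered so that it is
    accepted exactly once."""
    nonce = secrets.token_hex(16)  # CSPRNG, not random.random()
    LIVE_NONCES.add(nonce)
    ticket = hmac.new(SECURE_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return nonce, ticket


def verify_ticket(user_id: int, nonce: str, ticket: str) -> bool:
    """Reject unknown or already-used nonces (replay) and forged tickets."""
    if nonce not in LIVE_NONCES:
        return False
    expected = hmac.new(SECURE_KEY, f"{user_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, ticket):
        return False
    LIVE_NONCES.discard(nonce)  # consume it: a second request with this nonce fails
    return True


def delete_blog(session_id: str, params: dict[str, str]) -> tuple[int, str]:
    """Server-side handling of a request such as
    delete.php?blogID=...&nonce=...&ticket=... (hypothetical parameter names)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "login required"
    # Identity comes from the server-side session; a userID query parameter is ignored.
    user_id = session["userID"]
    if not verify_ticket(user_id, params.get("nonce", ""), params.get("ticket", "")):
        return 403, "invalid or replayed ticket"
    try:
        blog_id = int(params.get("blogID", ""))
    except ValueError:
        return 400, "bad blogID"
    blog = BLOGS.get(blog_id)
    if blog is None:
        return 404, "no such blog"
    if blog["owner"] != user_id:  # data ownership check
        return 403, "resource does not belong to this user"
    del BLOGS[blog_id]
    return 200, "deleted"
```

The ticket is checked before the ownership check so that a forged or replayed request never reaches the database; the nonce is consumed on a successful verification, which is what makes a captured URL useless a second time.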
Session Management
– Clear sessions after login or logout
– Cookie management
  – Protect cookie values that are only used by the server
  – Lifetime setting
  – “Secure” and “HttpOnly” flags
  – Domain name and path
  ...
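Added example (not from the deck) of the cookie settings and session handling listed above, using Python's standard http.cookies module: a session cookie with a bounded lifetime, explicit domain and path, and the Secure and HttpOnly flags, plus a login that discards the pre-login session and a logout that drops it. The in-memory session store, cookie name and domain are assumptions; the SameSite attribute is an addition beyond the slide.

```python
import secrets
from http.cookies import SimpleCookie
from typing import Optional

# Constructed in-memory session store (assumption); values that only the server needs,
# such as the user id, live here and never go into the cookie itself.
SESSIONS: dict[str, dict] = {}


def build_session_cookie(session_id: str, *, max_age: int = 1800,
                         domain: str = "www.abc.com", path: str = "/") -> str:
    """Set-Cookie value with a bounded lifetime, explicit scope and both flags set."""
    jar = SimpleCookie()
    jar["SESSIONID"] = session_id
    morsel = jar["SESSIONID"]
    morsel["max-age"] = max_age      # lifetime setting
    morsel["domain"] = domain        # domain name and path: narrowest scope that works
    morsel["path"] = path
    morsel["secure"] = True          # only sent over HTTPS
    morsel["httponly"] = True        # not readable from script, limits cookie theft via XSS
    morsel["samesite"] = "Lax"       # beyond the slide: trims cross-site sends
    return morsel.OutputString()


def login(old_session_id: Optional[str], user_id: int) -> str:
    """Clear any pre-login session and start a fresh one (no session fixation)."""
    if old_session_id is not None:
        SESSIONS.pop(old_session_id, None)
    new_id = secrets.token_urlsafe(32)   # CSPRNG, not random.random()
    SESSIONS[new_id] = {"userID": user_id}
    return new_id


def logout(session_id: str) -> str:
    """Drop the server-side session and tell the browser to expire the cookie."""
    SESSIONS.pop(session_id, None)
    return build_session_cookie("", max_age=0)
```

The returned string is the value to send in a Set-Cookie header; a cookie that merely carries the user id in clear text, without the server-side lookup, is exactly the "value only used by the server" the slide says to protect.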
Output Filtering – XSS
– Filter user data through APIs
  – Whenever user data is output, filter it with the proper encoding API.
  – JSON data encoding method.
– Run a code scan tool
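Added example (not from the deck) of the two encoders the slide calls for: one for user data placed in HTML text or attributes, and one for JSON data embedded in a script block, where the characters that could close the script element must be escaped as well. The page fragment and the sample data are constructed.

```python
import html
import json


def encode_html(value: str) -> str:
    """Escape user data for an HTML text node or a quoted attribute value."""
    return html.escape(value, quote=True)


def encode_json_for_script(data) -> str:
    """JSON that is safe to embed inside a <script> block. json.dumps already
    backslash-u escapes non-ASCII text (including U+2028/U+2029 line separators);
    the three characters that could close the script element or start an entity
    are escaped on top, which leaves the JSON still valid."""
    return (json.dumps(data)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_profile(display_name: str, profile: dict) -> str:
    """Build a page fragment; every piece of user data goes through the encoder
    for the context it lands in (attribute, text node, script)."""
    return (
        f'<div class="name" title="{encode_html(display_name)}">{encode_html(display_name)}</div>\n'
        f"<script>var profile = {encode_json_for_script(profile)};</script>"
    )
```

Quoting the attribute in the template matters as much as the escaping: html.escape turns quotes into entities, so a quoted attribute cannot be broken out of, but an unquoted one still could be by whitespace.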
Phishing and Data Security
– URL redirection
– Monitor unusual account activity
– HTTPS
  – Verify CN
  – Verify date validity
  – CRL query
– Save important data
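Added example (not from the deck) of the three HTTPS checks in the slide, written for the certificate dictionary that Python's ssl module returns from getpeercert(): the name check covers both the subject CN and SAN entries, the date check uses the certificate's validity window, and the CRL query is enabled on the client context. The sample certificate dictionary and the CA/CRL file paths are constructed assumptions.

```python
import ssl
import time
from typing import Optional

# Constructed certificate dictionary in the shape returned by SSLSocket.getpeercert() (assumption).
SAMPLE_CERT = {
    "subject": ((("commonName", "www.abc.com"),),),
    "subjectAltName": (("DNS", "www.abc.com"), ("DNS", "*.abc.com")),
    "notBefore": "Jan 15 00:00:00 2022 GMT",
    "notAfter": "Jan 15 00:00:00 2023 GMT",
}


def certificate_names(cert: dict) -> list[str]:
    """DNS names the certificate is valid for: SAN entries, else the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names.extend(value for key, value in rdn if key == "commonName")
    return names


def name_matches(pattern: str, hostname: str) -> bool:
    """Exact match, or a single leftmost wildcard label (*.abc.com matches api.abc.com only)."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def check_peer_cert(cert: dict, hostname: str, now: Optional[float] = None) -> tuple[bool, str]:
    """Verify CN/SAN and the validity window against `now` (epoch seconds)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not not_before <= now <= not_after:
        return False, "certificate outside its validity period"
    if not any(name_matches(name, hostname) for name in certificate_names(cert)):
        return False, "hostname does not match certificate"
    return True, "ok"


def make_client_context(ca_file: str, crl_file: str) -> ssl.SSLContext:
    """Client context that also consults a CRL for the server (leaf) certificate.
    File paths are caller-supplied (assumption); CRLs load through load_verify_locations."""
    ctx = ssl.create_default_context(cafile=ca_file)   # hostname and date checks are on by default
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    ctx.load_verify_locations(cafile=crl_file)
    return ctx
```

In practice create_default_context already performs the name and date checks during the handshake; check_peer_cert is the explicit form of them for a client that inspects getpeercert() itself, and make_client_context shows the one flag the defaults do not turn on.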
Information Leakage
– POST method
– HTTP TRACE
– Unify the same message
– Personal information
Information Leakage
Do not include any sensitive information in error messages or exception content.
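Added example (not from the deck) for the two information-leakage points above: a request wrapper that keeps exception detail in the server log under a reference id and returns only a generic message to the client, and a login that returns one message whether the username is unknown or the password is wrong, which is how "unify the same message" is read here. The user table and the failing handler are constructed.

```python
import hmac
import logging
import traceback
import uuid

log = logging.getLogger("app")

# Constructed user table (assumption); a real system stores password hashes, not passwords.
USERS = {"alice": "correct-horse-battery"}


def handle_request(handler) -> tuple[int, dict]:
    """Run a request handler; on failure log the full detail server-side under a
    reference id and return only a generic message plus that id to the client."""
    try:
        return 200, handler()
    except Exception as exc:
        ref = uuid.uuid4().hex[:12]
        detail = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
        log.error("request failed ref=%s\n%s", ref, detail)   # stack trace stays in the log
        return 500, {"error": "An internal error occurred.", "ref": ref}


def login_message(username: str, password: str) -> str:
    """One message for both unknown user and wrong password, so the response does
    not reveal which usernames exist."""
    stored = USERS.get(username, "")
    ok = username in USERS and hmac.compare_digest(stored.encode(), password.encode())
    return "Login successful" if ok else "Invalid username or password"


def failing_handler() -> dict:
    """Constructed handler whose exception text carries the kind of detail that
    must never reach the client."""
    raise ValueError("db connection failed: password=hunter2 host=db01")
```

The reference id is what support staff use to find the full trace in the log, so the client-visible message can stay the same for every failure.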
Misc
– Use standard algorithms
– AES with hash
– DES, MD5
– Math.random and java.util.Random
– Page charset
Summary
We’ve discussed:
– Phishing
– A.A. (Authentication and Authorization)
– XSS
– Info leakage
– CSRF