1 / 67

Secure software development for the World Wide Web

Secure software development for the World Wide Web. Derek Mathieson Group Leader Administrative Information Services CERN – Geneva, Switzerland. Who Am I. Agenda. Background Information Impact of Security Flaws Definitions Types of Attack Techniques / Solutions.

teige
Download Presentation

Secure software development for the World Wide Web

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Secure software development for the World Wide Web Derek MathiesonGroup LeaderAdministrative Information Services CERN – Geneva, Switzerland

  2. Who Am I

  3. Agenda • Background Information • Impact of Security Flaws • Definitions • Types of Attack • Techniques / Solutions

  4. Why Secure Web Application?

  5. Impact of Security Flaws • Ping of death • Morris worm (1988) • 6,000 infected computers • Santy (2004) • ~40,000 infected computers (in 24 hours) • Conficker (2008) • Up to 15,000,000 infected computers

  6. http://inj3ct0r.com/

  7. http://www.exploit-db.com/

  8. Definitions • Identification • Authentication • Authorisation • Session Management

  9. Identification / Authentication • How Can You Prove Who You Are? • Biometric Passport • Photo ID • Fingerprint • Username / Password

  10. Definitions • Entity • A User, another computer system component • Identification • Providing credential such that a system can recognise the entity and distinguish it from other entities. • Authentication • The process of verifying the identity of an entity.

  11. Authentication Factors • Something an entity knows: • Password, PIN • Something an entity has: • ID Card, private key • Something an entity is: • Fingerprint, iris scan, …

  12. Authentication • Single / Multi-factor Authentication • Password only • Password + Fingerprint • Trade-off between • Convenience • Cost • Complexity • Security

  13. Identity Theft • Forgotten Passwords • Self Service • Lost ID Cards • Blocking List • Compromised Private Keys • CRL • What about Biometrics? No easy solution

  14. Passwords • Server good practices • Never store them in ‘clear’ • Use encrypted communication protocols (SSL) • Log authentication failures • Use generic error messages: • User/password combination not recognised’ • Show user • Last login date • Previous failed login attempts

  15. Web Authentication Techniques • Basic Authentication • Digest Authentication • Form Authentication

  16. Basic Authentication

  17. Basic Authentication Username : Password Base64 QWxhZGRpbjpvcGVuIHNlc2FtZQ==

  18. Basic Authentication • No encryption • Username / Password ‘encoded’ • Depends on a secure communication channel

  19. Digest Authentication

  20. Digest Authentication Username realm Password MD5 =HA1 348RU349URFJ934FH3FH9… GET /Protected/secrets.html Method URI MD5 =HA2 4I0R9I34F034403RI4I…

  21. Digest Authentication HA1 nonce HA2 MD5 =response R3984UR34R43RU…

  22. Digest Authentication • Advantages • Communication is more secure • Some doubts over irreversibility of MD5 • Server nonce can avoid replay attacks • Disadvantages • Server password file is contains usable credentials in plaintext • Vulnerable to a man-in-the-middle (MitM) attack

  23. Digest Authentication Request + Digest Request 401 Unauthorized + nonce Response User Server

  24. Digest Authentication Request Request 401 Unauthorized + basic auth 401 Unauthorized + nonce Attacker User Server

  25. Digest Authentication Request + Digest Request + basic Response Response Attacker User Server

  26. Form Authentication

  27. Form Authentication • Advantages • Simple to develop • Richer User Interface • Can use multifactor authentication • Disadvantages • Depends on a secure communication channel (usually)

  28. Other Authentication Methods • Single Sign-on • OpenID, Shibboleth, … • Integrated Windows Authentication • Token-based • One Time Passwords (OTP) • SecureID, YubiKey • Public key authentication (SSL client certificates).

  29. Authorisation

  30. Authorisation • An Authorisation system should: • Allow access to resources to users/systems that are permitted to access them. • Prevent access to those that are not permitted.

  31. Authorisation • System requirements: • Who (entity) • What (resource) • Which operation (read / update / delete / …) • Access Policy

  32. Role Based Access Control • Roles are identified • e.g. administrator, group leader, developer. • Rights are assigned to roles • group leader can access homepage • Roles are assigned to entities • Derek is a group leader

  33. AIS Roles

  34. Role Based Access Control • Less complex than individual assignment of access rights • Roles can link to organization roles • Automatic maintenance • Less administration

  35. Authorisation: Good Practices • Check every access • Centralise rights management • Principal of Least Privilege

  36. Session Management

  37. Session Management • Why do we need it? • HTTP is state-less

  38. Session Management Credentials Session ID: 42 User Server Derek 42 Frank 43 Jim 44 Alex 45 Jane 46 Billy 47 Lilly 48 Session Memory

  39. Session Management • Good Practices • Keep Session ID secret! • Use encrypted communications. • Make them unpredictable • Based on a random sequence • Never re-used • Time limited • Use a standard framework

  40. Types of Attack • Session • Session Fixation / Session ID Forgery • Cross-Site Scripting • Cross-Site Request Forgery • Injection • SQL Injection • Command Injection • Google Hacks

  41. Cross-Site Scripting XSS

  42. Cross-Site Scripting • The most common publicly-reported security vulnerability • Up to 68% of websites could be vulnerable

  43. Cross-Site Scripting (Persistent) request <script>…</script> response +malicious script Attacker Server User

  44. Cross-Site Scripting (non-persistent) ‘Click Here’ + malicious script request + malicious script response +malicious script Attacker Server User

  45. Cross-Site Scripting: Impact • Site defacement

  46. USDA.GOV

  47. EU President

  48. BP.COM

  49. Cross-Site Scripting: Impact • Site defacement • Identity Theft • Malware distribution • …

  50. Cross-Site Scripting: Impact • ‘Samy’ XSS Worm on MySpace • Automatically made ‘friend request’ back to author. • Within 20 hours of release over 1,000,000 users were affected. • Author: SamyKamkar • Arrested and on felony charge. • Sentenced to three years probation, 90 days community service and an undisclosed amount of restitution.

More Related