COMP5347 Web Application Development Web Application Security
Dr. Basem Suleiman
School of Computer Science
The University of Sydney
Page 1
COMMONWEALTH OF Copyright Regulations 1969 WARNING
This material has been reproduced and communicated to
you by or on behalf of the University of Sydney pursuant to Part VB of the Copyright Act 1968 (the
Act).
The material in this communication may be subject
to copyright under the Act. Any further reproduction or communication of this material by you may be the subject of copyright protection under the Act.
Do not remove this notice.
The University of Sydney
Page 2
COMP5347 Web Application Development
Outline
– General security Concerns
– Authentication and Authorization – Cryptography
– Problems with user input
The University of Sydney
COMP5347 Web Application Development
Page 3
Security Concerns
– In the Web, security threats exist in so many different forms
– Threatstosinglecomputerandtonetwork
– Webapplicationneedstopayattentiontoboth • Server side/client side/network
• Many are managed by underlying systems
The University of Sydney
COMP5347 Web Application Development
Page 4
Security Concepts
– Security concepts in server app security – Authentication
• HowdoIknowyouarewhoyousayyouare?
– Authorization
• Here is what you are allowed to do/see
– Confidentiality
• Data is accessed by access/read by authorized users
– Data Integrity
• No one can look at or mess with legal user’s data and
communication
The University of Sydney
COMP5347 Web Application Development
Page 5
–
–
–
Security Mechanisms
Authentication: we need a way to configure authentication factors and store the data somewhere
– Single Factor
– Multiple Factor
Authorisation: we need a way to specify who can access what resources
– Role-based access level control is the most common practice
• E.g. ACL of file system: owner, group, others may have different READ, WRITE, EXECUTE permissions on files and directories.
Confidentiality and data integrity
– We need a way to encrypt message (request/response)
• HTTPS
– We need a way to identify client/server
• DigitalCertificate
The University of Sydney
COMP5347 Web Application Development
Page 6
Outline
– General security Concerns
– Authentication and Authorization – Local implementation
– Third party implementation of authentication – Open Authorization
– Cryptography
– Problems with user input
The University of Sydney
COMP5347 Web Application Development
Page 7
Authentication Factors
– Authentication factors are the things you can ask someone for in an effort to validate that they are who they claim to be.
• Majority of the websites uses single factor, password based authentication method.
• Security questions are also common, mainly used when you need to retrieve your passwords
• There are a few websites that use both password and security question or a code sent to your mobile phone
The University of Sydney
COMP5347 Web Application Development
Page 8
Local Implementation of Authentication
– Implementation of Authentication
– A way (usually a form on a web page) to allow users to sign up
– A place to store the credential information: username/password pair, security question and answer pairs
• Memory, file, database or LDAP system
– A way (usually a form on a web page) for users to sign in by supplying
their credentials
– Someapplicationlogictomatchedthesuppliedandstoredcredentials
– A way for user to retrieve or reset their credentials
The University of Sydney
COMP5347 Web Application Development
Page 9
Local Implementation of Authorization
– Authorization (role-based)
– A way to store the mapping between user and role
• Memory File, Database or LDAP system
– A way to specify the which role(s) can take, which action(s) on which resources
• Most of the resources are expressed as URL or directory structure as used in REST API
• Actions can be application defined, or use HTTP methods
• A mapping would look like: roles: [‘guest’, ‘member’], allows: [
{resources: ‘blogs’, permissions:[‘get‘]},
{resources: [‘forums’, ‘news’], permissions:[‘get’, ‘put’, ‘delete’]}]
– Some application logic (usually a middleware in express application) to enforce the access level control
The University of Sydney
COMP5347 Web Application Development
Page 10
–
Third-party Authentication
Authentication can be delegated to third party
– E.g. sign-up (create a username and password and maybe supply a few other info)
or sign-in with Google Account or Facebook account
• The sign-in with account from other websites delegates the whole process
– Google or Facebook would authenticate the user
Third-party authentication schemes like OpenID are popular with developers
and are used under the hood by many major websites
– Eliminate the needs of developers to implement relatively standard authentication mechanisms again and again
• Frameworks can do most of the work but there are still configuration and other jobs for developers
– Major websites (OpenID providers) may have better mechanisms to protect the stored credentials
• Ensure safeness, availability, durability and others
– Eliminate the needs of end users to remember many pairs of username password for
–
different websites. The University of Sydney
COMP5347 Web Application Development
Page 11
OpenID Explained
https://en.wikipedia.org/wiki/OAuth#OpenID_vs._pseudo-authentication_using_OAuth http://openidexplained.com/
The University of Sydney
COMP5347 Web Application Development
Page 12
OAuth (Open Authorization)
– OpenID aims to have a unified identity for online users
– REST APIs created requirement for variations of standard authentication and
authorization process
– How can I authorizes someone (some app) to use my resources without sharing my credentials with that app. E.g.,
• Flickr APIs allow registered users to upload photos, create streams, etc.
• A mobile app uses those APIs to allow easy upload of photos from a mobile phone
• This mobile app needs to act on behalf of the registered users on Flickr
• It is not an good idea for the mobile app to collect credentials directly from the user and send them to Flickr.
– MediaWiki also provide APIs that needs authentication/authorization – OAuthisthepopularschemeforthispurpose
The University of Sydney
COMP5347 Web Application Development
Page 13
OAuth General Process
The University of Sydney
COMP5347 Web Application Development
Page 14
OAuth Roles
– OAuth uses four user roles
– The resource owner is normally the end user who can gain access to the
resource (though it can be a computer as well).
– The resource server hosts the resources and can process requests using access tokens.
– Theclientistheapplicationmakingrequestsonbehalfoftheresource owner.
– Theauthorizationserverissuestokenstotheclientuponsuccessful authentication of the resource owner. Often this is the same as the resource server.
– Implementation details vary
– E.g.,GoogleAPIusingOauth2.0
The University of Sydney
COMP5347 Web Application Development
Page 15
OpenID, OAuth and OpenID Connect
The University of Sydney
COMP5347 Web Application Development
Page 16
OpenID Connect is a combination of OpenID and OAuth
Implementation in Node.js
– Different authorization or authentication providers may have slightly different implementation of the authentication and authorization process
– passport module makes it easy to use many popular third party services through various strategies
– Italsosupportslocalimplementation
– acl module provides simple role-based authorization
implementation
The University of Sydney
COMP5347 Web Application Development
Page 17
Outline
– General security Concerns
– Authentication and Authorization – Cryptography
– Problems with user input
The University of Sydney
COMP5347 Web Application Development
Page 18
The Problem of Transmission
The University of Sydney
COMP5347 Web Application Development
Page 19
An easy solution
The University of Sydney
COMP5347 Web Application Development
Page 20
– –
Early Cipher Attempt
The Vigenère cipher, named for the sixteenth-century cryptographer, uses a keyword to encode a message.
The key phrase is written below the message and the letters are added together to form the cipher text as illustrated
The University of Sydney
COMP5347 Web Application Development
Page 21
Modern Block Ciphers
– block ciphers encrypt and decrypt messages using an iterative replacing of a message with another scrambled message using 64 or 128 bits at a time.
• The Data Encryption Standard (DES) and its replacement,
• The Advanced Encryption Standard (AES)
– Are two-block ciphers still used in web encryption today
The University of Sydney
COMP5347 Web Application Development
Page 22
Symmetric Key Problem
– All ciphers covered so far use the same key to encode and decode a message
– Symmetricciphers
– OrSymmetrickeyencryption
– Distribution of the key among communication pair is a problem
– HowdoAliceensurethatsheissharingthekeywithBob,insteadof
someone pretending to be Bob
– How do Alice ensure that when the key is transmitted to Bob, it is not intercepted by others
The University of Sydney
COMP5347 Web Application Development
Page 23
Public Key Encryption
– Public key cryptography solves symmetric key encryption problem of having to exchange secret key
– Uses two mathematically related digital keys – public key (widely disseminated) and private key (kept secret by owner)
– Both keys are used to encrypt and decrypt message
– Once a key is used to encrypt message, same key cannot be used to decrypt
message
– For example, sender uses recipient’s public key to encrypt message; recipient uses his/her private key to decrypt it
– Modern Algorithm: RSA
The University of Sydney
COMP5347 Web Application Development
Page 24
Public Key Encryption
Alice Bob mccm
Enc
Dec
The University of Sydney
COMP5347 Web Application Development
Page 25
PKBob
SKBob
Where to get those Public Keys?
– How do we know this is really Bob’s public key?
– We need a trusted third party (Certification Authority)
Browser Server Alice Bob
CA
choose (SK,PK)
PKCA
check proof
SKCA
PKCA
The University of Sydney
COMP5347 Web Application Development
Page 26
Bob’s key is PK
PK and
proof “I am Bob”
issue Cert with SKCA :
Bob’s key is PK
Digital Certificates
– Digital certificate: Digital document that includes:
▪ Name of subject or company
▪ Subject’s public key
▪ Digital certificate serial number
▪ Expiration date
▪ Issuance date
▪ Digital signature of certification authority (trusted third party (institution) that issues certificate
▪ Other identifying information
The University of Sydney
COMP5347 Web Application Development
Page 27
HTTPS
– HTTPS is the HTTP protocol running on top of the Transport Layer Security (TLS).
– It’s easy to see from a client’s perspective that a site is secured by the little padlock icons in the URL bar used by most modern browsers
The University of Sydney
COMP5347 Web Application Development
Page 28
TLS (Transport Layer Security )
– Its predecessor is SSL (Secure Sockets Layer)
– Main functions:
– Authenticatetransmissionparties(mainlytheserver)usingpublic-key encryption
– Ensure confidentiality of message using symmetric key encryption to encrypt the data transmitted
– Usehandshakeprotocoltoauthenticatepartiesandtosharethe symmetric key
– Ensureintegrityofmessagebyintegritychecking
The University of Sydney
COMP5347 Web Application Development
Page 29
TLS handshake
– Performed every time the client makes a secure connection to a server
– The goals of handshake between server and client are:
– To negotiate on an acceptable protocol version
– To select an appropriate set of ciphers
– To authenticate server or client (optionally)
– To securely distribute shared secret (symmetric key)
Alice (Browser)
Bob (Server)
HTTPS connection to port 8443
Bob’s certificate with Bob’s Pk Symm. Key encrypted with Bob’s Pk
Random Symm. Key
Handshake complete
Exchange data encrypted using symmetric key
Random Symm. Key
The University of Sydney
COMP5347 Web Application Development
Page 30
Server Authentication
The browser complains that the server’s digital certificate is not issued by a trusted CA
The University of Sydney
COMP5347 Web Application Development
Page 31
Outline
– General security Concerns
– Authentication and Authorization – Cryptography
– Security Issues with User Input
The University of Sydney
COMP5347 Web Application Development
Page 32
User Input
– Most web application provides some way for users to input data
– This is often used to explore vulnerabilities of the system
– Iftheinputisusedfordatabaseoperation • SQLinjection
– Iftheinputisembeddedasresponsetotheuser
• Cross-Site Scripting(XSS)
– Web developers should not trust the input – Validateinput
– Usesafecoding
The University of Sydney
COMP5347 Web Application Development
Page 33
SQL Injection Example: Table Drop
void addStudent(String lastName, String firstName) {
}
String query = “INSERT INTO students (last_name, first_name) VALUES (‘” + lastName + “‘, ‘” + firstName + “‘)”;
getConnection().createStatement().execute(query);
Input: firstName == “Martin” && lastName == “Fowler”
INSERT INTO students (last_name, first_name) VALUES (‘Fowler’, ‘Martin’)
Input: FirstName == “XKCD” && LastName == “Robert’);DROP TABLE Students; –” INSERT INTO students (last_name, first_name) VALUES (‘XKCD’, ‘Robert’);
DROP TABLE Students;– ‘) The University of Sydney
COMP5347 Web Application Development
Page 34
https://xkcd.com/327/
SQL Injection Example: login bypass
SELECT * FROM users WHERE username = ‘$username’ AND password = ‘$password’
If a user types in a user name as: or 1=1– and some random password
The DB query becomes:
SELECT * FROM users WHERE username = ‘ ‘ or 1=1–‘ AND password = ” The issues in both cases are that user’s raw inputs are used in a string
concatenation operation to generate the query statement
A typical solution, apart from input validation is to use parameter binding
instead of string concatenation.
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
The University of Sydney
COMP5347 Web Application Development
Page 35
–
SQL Injection Threat In NoSQL
In MongoDB, if raw input is used to construct query, similar thing could happen:
POST http://target/ HTTP/1.1 Content-Type: application/json
{
“username”: {“$gt”: “”}, “password”: {“$gt”: “”}
}
On the server side we have some query similar to this:
db.users.find({username: username, password: password});
It becomes this:
db.users.find({username: {“$gt”: “”}, password: {“$gt”: “”}});
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
The University of Sydney
COMP5347 Web Application Development
Page 36
Cross Site Scripting Example
var communicationType = req.body.communicationType
if (communicationType==“email”)) {
sendByEmail();
} else if (communicationType == “text)) {
sendByText();
} else {
res.send(“Can’t send by type ” + communicationType));
}
If the value of communicationType is like the following :
• This response contains executable script
• The browser will generate a request to the url in src intending to load the image
• The url is dynamically constructed and append cookies on user’s computer associated
with this web site: http://evil.martinfowler.com/steal?actualCookies
The University of Sydney
COMP5347 Web Application Development
Page 37
Cross Site Scripting Example
The University of Sydney
COMP5347 Web Application Development
Page 38
Input handling
– Positive validation or whitelisting – Specifyacceptableformatsofinput
• E.g. valid email, valid value range, etc.
– ManyHTML5inputtypeshavebuild-invalidationrules
– Negative validation or blacklisting – Specifyunacceptableformats
• E.g. filtering • Escaped:
– <script>alert("hello");</script>
The University of Sydney
COMP5347 Web Application Development
Page 40
Reference
– Fundamentals of Web Development – Chapter16
– The Basics of Web Application Security
– https://martinfowler.com/articles/web-security-basics.html
The University of Sydney
COMP5347 Web Application Development
Page 41
Next Week (Week 12)
Lecture: Industry Speaker Lecture Recording
Tutorial: Group project Demos starts 6pm (details on Ed)
The University of Sydney
Page 42