COMP9321 Web Application Engineering, Semester 2, 2017
Dr. Amin Beheshti, Service Oriented Computing Group, CSE, UNSW Australia
Week 9
1COMP9321, 17s2, Week 9
http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465
Course Noticeboard
Assignment 1: Marks on GradeBook
Assignment 2: Due end of Mid Semester Break, Sunday, Oct 1 2017, 23:59:00
Assignment 3: Released
Introduction to Web Application Security
Acknowledgements
This presentation contains material prepared by Halvard Skogsrud, Senior Software Engineer, Thoughtworks, Inc. Sydney, Australia and from the Open Web Application Security Project (OWASP) http://www.owasp.org
Warning
The objective of this presentation is to show you common security loopholes appearing in Web applications. However, it is not meant to encourage you to attack web applications. Such actions are both a breach of the law in most countries, and of the CSE policy. Hence, by attempting any of the techniques presented in this lecture, you may be prosecuted by law enforcement and face expulsion from the university.
Securing your Web Application
Securing your Web Application: Threats!
Securing your Web Application: Requirements!
SQL Injection
SQL injection:
• is a code injection technique.
• is used to attack data-driven applications.
• How: malicious SQL statements are inserted into an entry field for execution.
SQL Injection: What is wrong?
Google (comment in SQL)
SQL Injection: Summary!
SQL Injection: Prevention!!
To keep malicious inputs contained, any inputs written to the database need to be encoded.
SQL encoding: ' OR 1=1 --' is encoded to \ \'\ OR\ 1\=1\ \-\-'
https://en.wikipedia.org/wiki/Secure_input_and_output_handling
Example: https://blogs.msdn.microsoft.com/sqlphp/2008/09/30/how-and-why-to-use-parameterized-queries/
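The slide's own input, ' OR 1=1 --, run through a login query built by string concatenation and through the parameterized form the linked article recommends. This is an added example, not code from the lecture; the in-memory users table and the two login functions are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample data: a tiny users table in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "correct horse"), ("bob", "hunter2")])
    return conn


def build_unsafe_sql(username, password):
    """The query text as a concatenating servlet would produce it.
    Whatever the user typed becomes part of the SQL grammar."""
    return ("SELECT username FROM users WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_unsafe(conn, username, password):
    """Vulnerable: the '--' in the slide's input comments out the password check
    and 'OR 1=1' makes the WHERE clause true for every row."""
    return [row[0] for row in conn.execute(build_unsafe_sql(username, password))]


def login_safe(conn, username, password):
    """Parameterized query: the driver binds the input as a string value,
    so quotes, OR and -- inside it are compared literally, never parsed."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def demo():
    """Run both versions against the slide's example input and a real login."""
    conn = make_db()
    payload = "' OR 1=1 --"   # the input shown on the slide
    return {
        "unsafe": login_unsafe(conn, payload, "anything"),   # every user
        "safe": login_safe(conn, payload, "anything"),       # no match
        "legit": login_safe(conn, "alice", "correct horse"),  # ['alice']
    }


if __name__ == "__main__":
    print(build_unsafe_sql("' OR 1=1 --", "anything"))
    print(demo())
```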
Cross Site Scripting (XSS)
Cross-site scripting (XSS):
• is a type of computer security vulnerability typically found in web applications.
• XSS enables attackers to inject client-side script into web pages viewed by other users.
• A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
• Same-origin policy is an important concept in the web application security model.
• Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin, e.g., a combination of URI scheme, hostname, and port number.
Cross Site Scripting (XSS): What is wrong?
Suppose the victim is given this URL by the attacker (www.badguy.com):
The web page would then be injected with the following script:
Cross Site Scripting (XSS): Summary!
What is the worst an attacker can do with JavaScript?
• Malicious JavaScript has access to all the same objects the rest of the web page has, including access to cookies.
• JavaScript can read and make arbitrary modifications to the browser’s DOM (within the page that JavaScript is running).
• JavaScript can use XMLHttpRequest to send HTTP requests with arbitrary content to arbitrary destinations.
• JavaScript in modern browsers can leverage HTML5 APIs such as accessing a user’s geolocation, webcam, microphone and even the specific files from the user’s file system.
https://www.acunetix.com/websitesecurity/cross-site-scripting/
Cross Site Scripting (XSS): Prevention!!
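The reflected-URL scenario from the "What is wrong?" slides, shown as a page that echoes a query parameter, first verbatim and then HTML-encoded. This is an added example, not the lecture's code; the search page template, the parameter name q and the host name are constructed for the demonstration.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed page template: a search page that reflects the user's query.
TEMPLATE = "<html><body><p>You searched for: {query}</p></body></html>"

# Constructed URL of the kind an attacker would hand to a victim: the q
# parameter carries markup rather than a search term.
URL = ("http://www.example-shop.test/search"
       "?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E")


def reflected_query(url):
    """Extract the q parameter exactly as the server would see it (URL-decoded)."""
    qs = parse_qs(urlsplit(url).query)
    return qs.get("q", [""])[0]


def render_unsafe(url):
    """Vulnerable: the input is inserted into the HTML as-is, so a <script>
    element in q becomes part of the page and runs in the victim's browser."""
    return TEMPLATE.format(query=reflected_query(url))


def render_safe(url):
    """Hardened: encode for the HTML text context before reflecting. '<' becomes
    '&lt;', so the browser shows the text instead of parsing it as an element.
    quote=True also encodes quotes, which covers a quoted attribute context."""
    return TEMPLATE.format(query=html.escape(reflected_query(url), quote=True))


def contains_active_markup(page):
    """Crude check used only to make the difference visible in a test:
    does the rendered page still contain an unencoded script tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(render_unsafe(URL))
    print(render_safe(URL))
```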
Cross Site Request Forgery (CSRF)
Cross-site request forgery
• also known as a one-click attack or session riding
• abbreviated as CSRF or XSRF
• is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts
Exploit: a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause unintended or unanticipated behavior to occur on computer software… Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service attack.
Cross Site Request Forgery (CSRF): Prevention!!
A CAPTCHA is a type of challenge-response test used in computing to determine whether or not the user is human.
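The slide lists a CAPTCHA as a CSRF countermeasure; the added example below shows the two checks a server normally applies instead: comparing the request's Origin/Referer against the site's own origin, using the scheme/hostname/port definition from the same-origin-policy slide, and requiring a per-session anti-CSRF token in every state-changing form. This is not code from the lecture; the session dict, the request dict shape and the host names are constructed for the demonstration.

```python
import hmac
import secrets
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """The (scheme, hostname, port) triple the same-origin policy compares.
    Default ports are filled in so http://a.test and http://a.test:80 match."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    return origin(url_a) == origin(url_b)


def issue_csrf_token(session):
    """One unguessable token per session, embedded as a hidden field in each
    form. A page on another origin cannot read it, so it cannot forge it."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def request_is_allowed(session, request, site_origin):
    """Accept a state-changing request only if (a) the browser-supplied Origin
    (or Referer) header is our own origin and (b) the form carries the session's
    token. Requests with neither header are rejected (assumption: our forms are
    always submitted from our own pages, which do send one)."""
    headers = request.get("headers", {})
    src = headers.get("Origin") or headers.get("Referer")
    if src is None or not same_origin(src, site_origin):
        return False
    submitted = request.get("form", {}).get("csrf_token", "")
    expected = session.get("csrf_token", "")
    # constant-time comparison so response timing does not leak the token
    return bool(expected) and hmac.compare_digest(submitted, expected)


if __name__ == "__main__":
    session = {}
    tok = issue_csrf_token(session)
    own = {"headers": {"Origin": "https://bank.test"}, "form": {"csrf_token": tok}}
    forged = {"headers": {"Referer": "https://www.badguy.com/page.html"}, "form": {}}
    print(request_is_allowed(session, own, "https://bank.test"))     # True
    print(request_is_allowed(session, forged, "https://bank.test"))  # False
```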
Unvalidated Input
Unvalidated Input: Summary
Unvalidated Input: Prevention!
Broken Authentication
Google (SHA-1)
Fixing Authentication: How To?!
Google (MITM)
Fixing Authentication: Salting Passwords!
• In cryptography, a salt is random data that is used as an additional input to a one-way function that hashes a password or passphrase.
• The primary function of salts is to defend against dictionary attacks versus a list of password hashes and against pre-computed rainbow table attacks.
• e.g. the salt and the password can be concatenated and processed with a cryptographic hash function, and the resulting output (but not the original password) can be stored with the salt in a database.
Why add Salt?
If each password is simply hashed, identical passwords will have the same hash. There are two drawbacks:
1. Due to the birthday paradox, the attacker can find a password very quickly especially if the number of passwords in the database is large.
In probability theory, the birthday problem or birthday paradox concerns the probability that, in a set of n randomly chosen people, some pair of them will have the same birthday. See: http://en.wikipedia.org/wiki/Birthday_paradox
2. An attacker can use a list of precomputed hashes to break passwords in seconds.
A rainbow table is a precomputed table for reversing cryptographic hash functions, usually for cracking password hashes. See: http://en.wikipedia.org/wiki/Rainbow_table
In order to solve these problems, a salt can be concatenated to the password before the digest operation.
A salt is a random number of a fixed length. This salt must be different for each stored entry. It must be stored as clear text next to the hashed password.
In this configuration, an attacker must handle a brute force attack on each individual password. The database is now birthday attack/rainbow crack resistant.
Brute force attack:
• …consists of systematically checking all possible keys or passwords until the correct one is found.
• In the worst case, this would involve traversing the entire search space.
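The storage layout the slides describe (a fixed-length random salt per entry, kept in clear text beside the hash, never the password) as working code, with the unsalted scheme beside it so the "identical passwords, identical hashes" drawback is visible. This is an added example, not the lecture's code; one change from the slide is labelled in the comments: the one-way function is PBKDF2-HMAC-SHA256 with an iteration count rather than a single hash of salt || password, so that each guess in the per-password brute force the slide mentions costs the attacker more.

```python
import hashlib
import hmac
import os

SALT_BYTES = 16        # fixed-length random salt, a fresh one per stored entry
ITERATIONS = 100_000   # PBKDF2 work factor (assumption: the slide's single-pass
                       # hash of salt || password corresponds to 1 iteration)


def hash_password(password, salt, iterations=ITERATIONS):
    """One-way function over (salt, password). PBKDF2 keys HMAC-SHA256 with the
    password and feeds it the salt, so the salt is bound into every output."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def store_password(password):
    """What goes into the database row: clear-text salt beside the hash.
    The original password is not stored anywhere."""
    salt = os.urandom(SALT_BYTES)
    return {"salt": salt.hex(), "hash": hash_password(password, salt).hex()}


def verify_password(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["hash"])
    return hmac.compare_digest(hash_password(candidate, salt), expected)


def unsalted_digest(password):
    """The scheme the 'Why add Salt?' slide warns about: two users with the same
    password get the same hash, and a precomputed table breaks it directly."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample: two accounts that happen to share a password.
    a, b = store_password("hunter2"), store_password("hunter2")
    print("salted hashes differ:", a["hash"] != b["hash"])
    print("unsalted hashes equal:", unsalted_digest("hunter2") == unsalted_digest("hunter2"))
    print("login ok:", verify_password(a, "hunter2"), "wrong:", verify_password(a, "hunter3"))
```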
Session Management
Session Management: Problem or Solution?!
Set-Cookie: <name>=<value>[; <Max-Age>=<age>] [; expires=<date>][; domain=<domain_name>][; path=<some_path>][; secure][; HttpOnly]
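The Set-Cookie syntax above with its secure and HttpOnly attributes applied to a session cookie, plus a small audit that reports which of those two attributes a received Set-Cookie header lacks (the XSS summary slide is why HttpOnly matters: script in the page can otherwise read the cookie). This is an added example, not the lecture's code; the cookie name JSESSIONID and the two constructed sample headers are assumptions for the demonstration.

```python
from http.cookies import SimpleCookie


def session_cookie_header(session_id, max_age=3600):
    """Build the value of a Set-Cookie header for a session id using the
    attributes from the slide's grammar: path, Max-Age, secure, HttpOnly."""
    c = SimpleCookie()
    c["JSESSIONID"] = session_id
    m = c["JSESSIONID"]
    m["path"] = "/"
    m["max-age"] = max_age   # lifetime in seconds; omit for a browser-session cookie
    m["secure"] = True       # only ever sent over HTTPS, never over plain HTTP
    m["httponly"] = True     # not exposed to document.cookie, so XSS cannot read it
    return m.OutputString()  # e.g. "JSESSIONID=...; HttpOnly; Max-Age=3600; Path=/; Secure"


def audit_set_cookie(value):
    """Given the value of a Set-Cookie header as sent by a server, return the
    session-protecting attributes it is missing (checked case-insensitively)."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    return missing


# Constructed sample headers (not captured from any real server).
OBSERVED = {
    "legacy app": "JSESSIONID=9F2C; Path=/app",
    "hardened app": session_cookie_header("9F2C"),
}


def audit_all(observed=OBSERVED):
    """Audit several observed Set-Cookie values at once."""
    return {name: audit_set_cookie(value) for name, value in observed.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, "->", findings or "ok")
```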
Transport Layer Security
Transport Layer Security (e.g. HTTPS)
Google (Secure Sockets Layer, SSL)
Google (Certification Authority, CA)
HTTPS: Basics…
HTTPS: Public-Key Cryptography
HTTPS: Shared-Key Cryptography
HTTPS: Hashing
HTTPS: Certificates
HTTPS: Signatures
HTTPS: How to? … Limitations?!
How to? Follow the steps at: https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
Example
Application Layer Security
References
• http://www.owasp.org
• https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html