Download
web programming and security n.
Skip this Video
Loading SlideShow in 5 Seconds..
Web Programming and Security PowerPoint Presentation
Download Presentation
Web Programming and Security

Web Programming and Security

119 Views Download Presentation
Download Presentation

Web Programming and Security

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Web Programming and Security Lecture 1 Tamara Rezk

  2. Web Applications Distributed applications that run in a browser and distant servers Network Servers Web Browsers

  3. Web Applications = Multi-tiers applications WEB SERVER Server code Client code BROWSER Database DB MANAGEMENT SYSTEM

  4. Web Evolution

  5. Complexity in Web 2.0 Apps Generate Generate Different programming languages; Multi-tier nature; Dynamic code generation XHR API Data query code Server code Client code DOM API How would my application behave? Thanks Zhengqin Luo for this slide

  6. Importance of Protecting Web Apps Web applications everywhere in your life!!! • Important Information • Identity • Financial situation • Social lives • Security Requirements • Confidentiality • Integrity • Availability

  7. Security problems • Availability violation • Confidentiality violation • Integrity violation

  8. Availability security problems A service or resource is made unvailable

  9. Integrity security problems Unauthorized modification of data (authenticity of data), and unauthorized execution of programs

  10. Confidentiality problems Unauthorized disclosure of data

  11. Tim Berners Lee

  12. Web 1.0 Applications 1990: The static Web, Web 1.0 Info.cern.ch First Browser called WorldWideWeb

  13. Web 1.0 Applications 1990: The static Web, Web 1.0 Apache HTTP Server

  14. Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server

  15. Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server

  16. Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server

  17. Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server Technologies: Web Server (first: CERN httpd) Web Browser (first: WorldWideWeb browser) Protocol : HTTP Language:

  18. HTTP: HyperText Transfer Protocol • Methods: GET, POST, PUT, DELETE … • GET: length limited, usually for requests, no side effects(not in practice) • POST: allows multiple requests, state-change, no cache • PUT: multiple idem requests as one request • DELETE: multiple idem requests as one request • HTTP No State: request/response - each request is independent • http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] You can see headers with Firebug

  19. HTTP: PRIVATE BROWSING? • Method: GET, you can see the parameters in the URL. A possible solution:

  20. Phishing attacks www.paypal.com www.payoak.szm.sk • Be aware of URLs that are shown in the browser • or links that are clicked!

  21. Phishing attacks

  22. Phishing attacks: also emails with false senders

  23. And even this!

  24. A phishing attack to MySpace In 2006, a worm altered links to direct MySpace users to evil websites

  25. Phishing Solutions • Use https (created in 1994 by Netscape) • Verify carefully the URL • Browsers may have “black”lists

  26. Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v

  27. Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v parameters

  28. Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v Technologies: Web Browser, Web Server, HTTP , HTML CGI: Common Gateway Interface 1994:  World Wide Web Consortium (W3C) http://validator.w3.org/

  29. HTTP: Session Example http://www.buy.com see catalog http://www.buy.com/shopping.cfm?pID=269 select item http://www.buy.com/shopping.cfm?pID=269&item=40002 buy item http://www.buy.com/checkout.cfm?pID=269&item=40002 Since HTTP is stateless all session information is saved in the URL BAD PRACTICE!! It is better to use cookies Thanks Ricardo Corin for this slide

  30. Integrity violation: Dansie Shopping Cart (2006) Why not to store sensitive information on the client side? <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps<BR>Price: $20.00<BR> <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> </FORM> Let’s see the form in action

  31. Integrity violation: Dansie Shopping Cart (2006) Why not to store sensitive information on the client side? <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps<BR>Price: $20.00<BR> <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> </FORM> it can be modified by the client at will! Security by obscurity is bad in general. HIDDEN FIELDS IS A BAD PRACTICE!! It is better to use cookies

  32. HTTP : COOKIES A cookie resides in the disk and is created by the web browser

  33. HTTP : COOKIES A cookie resides in the disk and is created by the web browser POST login.cgi (usr+pwd) HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read the cookie) ; expires = (when) ; … GET securepage.html Cookie: NAME=VALUE

  34. HTTP : COOKIES • HTPP does not have state, cookies add state • Cookies are useful for: • Authenticacion • to know if a user has authenticate in the past • Personalization • recognize the user since last visit • Tracking • analyze the behaviour of the user

  35. HTTP : COOKIES Only the site that creates the cookie can read it

  36. HTTP : COOKIES set-cookie(“amount”,$amount); Content-type:text/html Cookie: Amount = 20$ To make it secure it is necessary to add a “MAC” (message-authenticatedcode) to the amount: Cookie: Amount = 20$; HMAC(ServerKey, 20)

  37. Cross site request forgery (CSRF or XSRF) Transmits unauthorized commands from a user who has rightfully logged in to a website to the website.

  38. Some Attack Methods • HTML MethodsIMG SRC  <img src="http://host/?command">SCRIPT SRC  <script src="http://host/?command">IFRAME SRC  <iframe src="http://host/?command"> • JavaScript Methods'Image' Object  <script>  var foo = new Image();  foo.src = "http://host/?command";  </script>

  39. Attack to GMail : January 2007 Google Docs didn’t check what page requests your contact list. If you are logged in on window 1, window 2 (an evil site) can make the function call and get the contact list as an object. Since you are logged in somewhere, your cookie is valid and the request goes through. Let’s have a cookie together!

  40. Prevention • Server side: • add a secret that the attacker cannot guess • re-authenticate for critical operations • User side: • logging off one site before using others

  41. Web 1.0 Applications 1995: Php, and Javascript is born http://www.a.com/foo?var=v Contains Javascript programs Technologies: Web Browser, Web Server, HTTP , HTML CGI: Common Gateway Interface Javascript

  42. Web 1.0 Applications Php example  <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <?php      $name = “Hello World!";     ?>  <html xmlns = "http://www.w3.org/1999/xhtml"><head>     <title>A simple PHP document</title> </head>      <body style = "font-size: 2em">  <p>           <strong>              First PHP program, <?php print( "$name" ); ?>!             </strong>        </p>       </body></html> let’s see how the generated page looks like

  43. Javascript • Execute code on the client side • Intepreted language, dymamically typed • ECMAScript standard

  44. Syntax of Javascript is not weird,but its semantics sometimes is function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); } Let’s see it in Chrome

  45. Embedding Javascript External Javascript File <body> ... <script type="text/javascript" src=“myCode.js" /> <script type="text/javascript"> //<![CDATA[ alert("Page is loading"); //]]> </script> <p onclick="alert('I told you not to click on me!');"> Please do not click on this text.</p> ... </body> Inline Code Event Handler All scripts will share the memory (see Example .js)

  46. Method Example var o = new Object(); o.count = 0; o.increment=function(inc) { if (inc == undefined) { inc = 1; } this.count += inc; return this.count; } Let’s inspect the object in Google Chrome