Web Application Security


Transcript of Web Application Security

Page 1: Web Application Security

Computer Science and Engineering 1

Web Application Security

Page 2: Web Application Security

Reading

• Required:
– Stuttard and Pinto: Chapter 3

• Recommended:
– Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431. http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf

Page 3: Web Application Security

Key Problem Factors

• Underdeveloped security awareness
• Custom development
• Deceptive simplicity
• Resource and time constraints
• Overextended technologies
• Increased demands on functionality

Page 4: Web Application Security

New Security Perimeter

• Before web applications:

– Network perimeter protection (DMZ)

– Firewall

• With web applications:

– Firewall must allow access to the application server

– Server may connect to back-end systems

– Back-end system is behind several layers of defensive technologies

– Web application vulnerability may allow the attacker to access back-end system

Page 5: Web Application Security

Demilitarized Zone (DMZ)

• Perimeter Service:
– Operates at application layer
– Works in conjunction with existing firewall technologies
– Hides internal application details

• External customer: corresponds with the perimeter service’s external contracts

• Internal application: response is relayed to the customer by the perimeter service

Page 6: Web Application Security

How to handle Vulnerable Applications?

• Honest users may use compromised applications
• Compromised applications allow a malicious attacker to access the victim’s back-end system
• Malicious user gains privileges of the victimized user
• Client-side attacks
• Weakness of authentication via email notifications (e.g., forgotten password)

Page 7: Web Application Security

Web Application Security

Layered security:

1. Software-level (single service) security

2. Business-level (service composition) security

3. Network-level security

Page 8: Web Application Security

Application Development

• Inherent security of applications

• Security granularity

• Security software vs. software security

Page 9: Web Application Security

Secure Software Development

• Develop software that is free of flaws

– Software engineering – functional requirements

– Security, reliability, QoS – non-functional requirements

• Protect against malicious code

• Reading:

– G. McGraw, Software Security, http://www.cigital.com/papers/download/bsi1-swsec.pdf

– US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html

Page 10: Web Application Security

Web Services Composition

• Create complex applications on the fly from individual services

• BPEL4WS, WSBPEL

• How to express security and reliability needs?

• How to verify that these needs are satisfied?

• How to resolve conflicts between business needs and security requirements?

Page 11: Web Application Security

Web Services Transactions

• Traditional database transaction management vs. SOA application needs

• How can we evaluate correct execution? ACID properties? Serializability?

• WS transaction framework:
– Atomic (short-term) transactions
– Business activity (long-term) transactions

• What are the security implications of WS transactions?

Page 12: Web Application Security

Service-Level Dependencies

• Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc.

• How to detect and prevent the occurrence of these threats?

• In composition, independently developed services are dependent on each other

• No information about internal processing of the workflow components

Page 13: Web Application Security

New Approaches to Improve Security and Reliability

• Develop criteria to evaluate correctness of composite application execution
– E.g., WS transactions: compensation-based transactions

• Increase reliability using redundant services

• Offer security as a service

• Develop defense models using distributed and collaborative components
– E.g., detect malicious behavior based on collaborative nodes, verify execution correctness by comparing outcomes of different services, deploy intelligent software decoys, etc.

Page 14: Web Application Security

Web Application Development Technologies

• SOA
• HTTP
• Web Functionality
• Encoding Schemes

Page 15: Web Application Security

SOA Types

• Service Architecture
• Service Composition Architecture
• Service Inventory Architecture
• Service-Oriented Enterprise Architecture

Page 16: Web Application Security

SOA Characteristics

• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric

Page 17: Web Application Security

Service Architecture

• Where to implement the security?
• Revealing error messages?
• Access to protected resources?

Page 18: Web Application Security

Service Composition Architecture

• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?

Page 19: Web Application Security

SOA Orientation Principles

• Standardized service contract
• Service loose coupling
• Service abstraction
• Service reusability
• Service autonomy
• Service statelessness
• Service discoverability
• Service composability

Page 20: Web Application Security

Service Inventory Architecture

• Common security measures?
• Range of potential consumers?
• Shared security policies vs. inference?
• Cross-domain service composition?
• Performance degradation?

Page 21: Web Application Security

Industry standards

• XML
– XML Encryption
– XML Signature
– Canonical XML
– Decryption Transform for XML Signature

• WS-Security
• Security Assertion Markup Language (SAML)

Page 22: Web Application Security

SOA Service Communication

• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)

• Communication over HTTP

Page 23: Web Application Security

The HTTP Protocol

• Hypertext Transfer Protocol
– Application layer
– Layered on top of TCP
– Client-server model
– Request-response communication

• Originally developed to retrieve static text-based resources

Page 24: Web Application Security

HTTP Request

• Request line

1. HTTP method

2. Requested URL

3. HTTP version

E.g., GET /search?q=Web+Technologies HTTP/1.1

• Header lines
– Host, Referer, Cookie, User-Agent, Connection, etc.

• Request body

Page 25: Web Application Security

HTTP Response

• Status line

1. HTTP version

2. Numeric status code indicating the result of the request

3. Text reason phrase describing the status of the response

• Header lines

– Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length

• Response body

Page 26: Web Application Security

Status Codes

• 1xx – Informational
• 2xx – The request was successful
• 3xx – The client is redirected to a different resource
• 4xx – The request contains an error of some kind
• 5xx – The server encountered an error fulfilling the request

Page 27: Web Application Security

HTTP Methods

• GET – retrieves a resource
– Sends parameters to the requested resource
– Be aware! URLs are stored and displayed -> do not include sensitive data in the query string

• POST – performs an action
– Request parameters sent in the URL query string or in the message body
– Be aware! Back button use warning

• Other methods: HEAD, TRACE, PUT, etc.
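The request line, status line and status classes of the last four slides, as an added example (not from the lecture): a small parser for both message types plus the slide-27 check that a GET query string carries no sensitive parameter. The sample messages, host name and parameter names are constructed.

```python
# Added example: parse the HTTP request/response messages of the slides, classify
# status codes, and flag sensitive data in a GET query string. Samples are constructed.
from urllib.parse import urlsplit, parse_qs

SAMPLE_REQUEST = ("GET /search?q=Web+Technologies&password=hunter2 HTTP/1.1\r\n"
                  "Host: www.example.com\r\nCookie: sessionid=42\r\n\r\n")
SAMPLE_RESPONSE = ("HTTP/1.1 404 Not Found\r\nServer: ExampleServer/2.0\r\n"
                   "Content-Type: text/html\r\nContent-Length: 9\r\n\r\nNot here.")

def parse_message(raw):
    """Split a message into (start line, headers dict, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def parse_request(raw):
    """Request line = HTTP method, requested URL, HTTP version."""
    start, headers, body = parse_message(raw)
    method, url, version = start.split(" ")
    return {"method": method, "url": url, "version": version,
            "headers": headers, "body": body}

def parse_response(raw):
    """Status line = HTTP version, numeric status code, text reason phrase."""
    start, headers, body = parse_message(raw)
    version, code, reason = start.split(" ", 2)
    return {"version": version, "status": int(code), "reason": reason,
            "headers": headers, "body": body}

STATUS_CLASSES = {1: "informational", 2: "success", 3: "redirection",
                  4: "client error", 5: "server error"}

def status_class(code):
    """Map a status code to its 1xx-5xx class."""
    return STATUS_CLASSES.get(code // 100, "unknown")

# Parameter names that must not travel in a URL: URLs are logged and displayed.
SENSITIVE_PARAMS = {"password", "token", "ssn", "secret"}

def sensitive_query_params(req):
    """Names of GET query parameters that carry sensitive data (empty for POST)."""
    if req["method"] != "GET":
        return []
    query = parse_qs(urlsplit(req["url"]).query)
    return sorted(p for p in query if p.lower() in SENSITIVE_PARAMS)
```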

Page 28: Web Application Security

REST

• Representational State Transfer
– Request and response messages contain a representation of the current state of the system’s resources
– HTTP conforms to the REST architecture

• REST-based web services
– Based on HTTP, not on SOAP

Page 29: Web Application Security

HTTPS

• HTTP tunneled through SSL

• HTTP proxies
– Using HTTP
– Using HTTPS

• Proxy is a man-in-the-middle

• Pure TCP-level relay

Page 30: Web Application Security

HTTP Authentication

• Basic: sends user credentials as a Base64-encoded string in a request header

• NTLM: challenge-response using the Windows NTLM protocol

• Digest: challenge-response using an MD5 checksum of a nonce combined with the user’s credentials
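What the Basic and Digest schemes above actually put on the wire, as an added example (not from the lecture): Basic is only an encoding, so the password is recoverable by anything that sees the header, whereas Digest (RFC 2617, in its simplest form without qop) sends an MD5 hash bound to the server's nonce. User names, realms, passwords and nonces are constructed sample values.

```python
# Added example: Basic vs. Digest authentication headers. Basic only Base64-encodes
# "user:password"; Digest sends MD5(HA1:nonce:HA2), so the password is never sent
# and a response computed for one nonce does not verify against another.
# All credentials and nonces are constructed sample values.
import base64
import hashlib
import secrets

def basic_header(user, password):
    """Build 'Authorization: Basic <base64(user:password)>' as a client would."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token

def basic_credentials(header):
    """Recover (user, password) from a Basic header: encoding is not encryption."""
    scheme, token = header.split(" ", 1)
    assert scheme == "Basic"
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password); a server may store HA1 instead of the password."""
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1, method, uri, nonce):
    """Client side: response = MD5(HA1:nonce:HA2) with HA2 = MD5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")

def digest_verify(stored_ha1, method, uri, nonce, client_response):
    """Server side: recompute the expected response for the nonce it issued and
    compare in constant time; a wrong password or a stale nonce fails."""
    expected = digest_response(stored_ha1, method, uri, nonce)
    return secrets.compare_digest(expected, client_response)

def new_nonce():
    """Fresh server nonce per challenge; reusing nonces allows replay of old responses."""
    return secrets.token_hex(16)
```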

Page 31: Web Application Security

State and Session

• Client and server exchange and process data

• Application needs to maintain the state of each user’s interactions
– Server side structure: session
– Client side: sent by the server and protected from tampering

• Stateless HTTP: token to identify user sessions
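The two options on the slide above, as an added example (not from the lecture): a server-side session that hands the client only an opaque token, and client-side state that is sent to the browser with an HMAC so that any alteration is detected when it comes back. The key and the state values are constructed placeholders.

```python
# Added example: keeping per-user state over stateless HTTP. Option 1 stores the
# state on the server behind a random token; option 2 sends it to the client signed
# with an HMAC. SERVER_KEY is a constructed placeholder, not a real key.
import base64
import hashlib
import hmac
import json
import secrets

SERVER_KEY = b"constructed-example-key-do-not-reuse"

# Option 1: server-side session. The client holds only a random, unguessable token.
SESSIONS = {}

def create_session(data):
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = dict(data)
    return token

def load_session(token):
    """Unknown or expired tokens yield None; the data never leaves the server."""
    return SESSIONS.get(token)

# Option 2: client-side state. The client can read it but cannot change it
# without breaking the MAC, which only the server can compute.
def _sign(payload):
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()

def seal_state(data):
    """Cookie value: base64url(JSON state) '.' HMAC-SHA256 over that payload."""
    payload = base64.urlsafe_b64encode(json.dumps(data, sort_keys=True).encode())
    return payload.decode() + "." + _sign(payload)

def open_state(cookie):
    """Return the state dict, or None if the cookie was altered, forged or malformed."""
    try:
        payload_b64, mac = cookie.rsplit(".", 1)
    except ValueError:
        return None
    payload = payload_b64.encode()
    if not hmac.compare_digest(_sign(payload), mac):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))
```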

Page 32: Web Application Security

Functionality

• Server-side technologies:
– Scripting languages
– Web application platform
– Web server software
– Databases
– Back-end components

• Client-side technologies:
– Browser extension technologies

Page 33: Web Application Security

WS Security Standards

• OASIS Web Services Security (WSS)
– Integrity and authentication: sign SOAP messages
– Confidentiality: encrypt SOAP messages
– Attach security tokens

• Security tokens
– Security Assertion Markup Language (SAML) assertions
– Kerberos tickets
– User credentials
– X.509 certificates
– Custom defined tokens

Page 34: Web Application Security

Next Class

• Mapping Applications