Web Application Security
Transcript of Web Application Security
Computer Science and Engineering 1
Web Application Security
Reading
• Required:
– Stuttard and Pinto: Chapter 3
• Recommended: Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431.
http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf
Key Problem Factors
• Underdeveloped security awareness
• Custom development
• Deceptive simplicity
• Resource and time constraints
• Overextended technologies
• Increased demands on functionality
New Security Perimeter
• Before web applications:
– Network perimeter protection (DMZ)
– Firewall
• With web applications:
– Firewall must allow access to the application server
– Server may connect to back-end systems
– Back-end system is behind several layers of defensive technologies
– Web application vulnerability may allow the attacker to access back-end system
Demilitarized Zone (DMZ)
• Perimeter Service:
– Operates at the application layer
– Works in conjunction with existing firewall technologies
– Hides internal application details
• External customer: corresponds with the perimeter service’s external contracts
• Internal application: its response is relayed to the customer by the perimeter service
How to handle Vulnerable Applications?
• Honest users may use compromised applications
• Compromised applications allow a malicious attacker to access the victim’s back-end system
• Malicious user gains the privileges of the victimized user
• Client-side attacks
• Weakness of authentication via email notifications (e.g., forgotten password)
Web Application Security
Layered security:
1. Software-level (single service) security
2. Business-level (service composition) security
3. Network-level security
Application Development
• Inherent Security of Applications
• Security granularity
• Security software vs. software security
Secure Software Development
• Develop software that is free of flaws
– Software engineering – functional requirements
– Security, reliability, QoS – non-functional requirements
• Protect against malicious code
• Reading:
– G. McGraw, Software Security, http://www.cigital.com/papers/download/bsi1-swsec.pdf
– US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html
Web Services Composition
• Create complex applications on the fly from individual services
• BPEL4WS, WSBPEL
• How to express security and reliability needs?
• How to verify that these needs are satisfied?
• How to resolve conflicts between business needs and security requirements?
Web Services Transactions
• Traditional database transaction management vs. SOA application needs
• How can we evaluate correct execution? ACID properties? Serializability?
• WS transaction framework:
– Atomic (short-term) transactions
– Business activity (long-term) transactions
• What are the security implications of WS transactions?
Service-Level Dependencies
• Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc.
• How to detect and prevent the occurrence of these threats?
• In composition, independently developed services are dependent on each other
• No information about internal processing of the workflow components
New Approaches to Improve Security and Reliability
• Develop criteria to evaluate correctness of composite application execution
– E.g., WS transactions: compensation-based transactions
• Increase reliability using redundant services
• Offer security as a service
• Develop defense models using distributed and collaborative components
– E.g., detect malicious behavior based on collaborative nodes, verify execution correctness by comparing outcomes of different services, deploy intelligent software decoys, etc.
Web Application Development Technologies
• SOA
• HTTP
• Web Functionality
• Encoding Schemes
SOA Types
• Service Architecture
• Service Composition Architecture
• Service Inventory Architecture
• Service-Oriented Enterprise Architecture
SOA Characteristics
• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric
Service Architecture
• Where to implement the security?
• Revealing error messages?
• Access to protected resources?
Service Composition Architecture
• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?
SOA Orientation Principles
• Standardized service contract
• Service loose coupling
• Service abstraction
• Service reusability
• Service autonomy
• Service statelessness
• Service discoverability
• Service composability
Service Inventory Architecture
• Common security measures?
• Range of potential consumers?
• Shared security policies vs. inference?
• Cross-domain service composition?
• Performance degradation?
Industry standards
• XML
– XML Encryption
– XML Signature
– Canonical XML
– Decryption Transform for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)
SOA Service Communication
• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)
• Communication over HTTP
The HTTP Protocol
• Hyper Text Transfer Protocol
– Application layer
– Layered on top of TCP
– Client-server model
– Request-response communication
• Originally developed to retrieve static text-based resources
HTTP Request
• Request line
1. HTTP method
2. Requested URL
3. HTTP version
E.g., GET /search?q=Web+Technologies HTTP/1.1
• Header lines
– Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body
HTTP Response
• Status line
1. HTTP version
2. Numeric status code indicating the result of the request
3. Text reason phrase describing the status of the response
• Header lines
– Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body
Status Codes
• 1xx – Informational
• 2xx – the request was successful
• 3xx – the client is redirected to a different resource
• 4xx – the request contains an error of some kind
• 5xx – the server encountered an error fulfilling the request
HTTP Methods
• GET – retrieves a resource
– Sends parameters to the requested resource
– Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string
• POST – performs an action
– Request parameters sent in the URL query string or in the message body
– Be Aware! Back button use triggers a browser re-submission warning
• Other methods: HEAD, TRACE, PUT, etc.
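Added example, not from the slides: a small parser for the request-line / header-lines / body structure described above, plus a check that flags sensitive-looking parameters in a GET query string (the warning on this slide). The sample request, the header names and the list of sensitive parameter names are constructed for the demo.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample request, not taken from the slides: a GET that carries a
# credential in the query string, which the GET warning above advises against.
SAMPLE_REQUEST = (
    "GET /search?q=Web+Technologies&password=hunter2 HTTP/1.1\r\n"
    "Host: example.com\r\n"
    "User-Agent: demo/1.0\r\n"
    "Cookie: sid=abc123\r\n"
    "\r\n"
)

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
# Parameter names this demo treats as sensitive (an assumption, not a standard list).
SENSITIVE_NAMES = {"password", "passwd", "pwd", "token", "secret", "ssn"}

def parse_request(raw):
    """Split an HTTP/1.x request into request line, header lines and body."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request head is not terminated by a blank line")
    lines = head.split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        raise ValueError("malformed request line: %r" % lines[0])
    method, target, major, minor = match.groups()
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    if (major, minor) == ("1", "1") and "host" not in headers:
        raise ValueError("HTTP/1.1 request is missing the Host header")
    length = int(headers.get("content-length", "0"))  # body length is taken from the header
    return {"method": method, "target": target,
            "version": "HTTP/%s.%s" % (major, minor),
            "headers": headers, "body": body[:length]}

def sensitive_query_params(req):
    """Names of query-string parameters that look like secrets (the GET warning above)."""
    query = urlsplit(req["target"]).query
    return sorted(name for name, _ in parse_qsl(query, keep_blank_values=True)
                  if name.lower() in SENSITIVE_NAMES)

if __name__ == "__main__":
    req = parse_request(SAMPLE_REQUEST)
    print(req["method"], req["target"], req["version"], req["headers"]["host"])
    print("sensitive parameters in URL:", sensitive_query_params(req))
```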
REST
• Representational State Transfer
– Request and response messages contain a representation of the current state of the system’s resources
– HTTP conforms to the REST architecture
• REST-based web services
– Based on HTTP, not on SOAP
HTTPS
• HTTP tunneled through SSL
• HTTP Proxies
– Using HTTP
– Using HTTPS
• Proxy is a man-in-the-middle
• Pure TCP-level relay
HTTP Authentication
• Basic: sends user credentials as a Base64-encoded string in a request header
• NTLM: challenge-response using the Windows NTLM protocol
• Digest: challenge-response using an MD5 checksum of a nonce combined with the user’s credentials
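Added example, not from the slides: the Basic header is built and decoded to show that Base64 is an encoding rather than a protection, and the Digest response is computed as the RFC 2617 MD5 checksum (no qop) so the server can verify it without the password ever appearing on the wire. Realm, nonce, URI and credentials are constructed demo values.

```python
import base64
import hashlib
import hmac

def basic_header(username, password):
    """Authorization header for Basic auth: Base64 of "user:password"."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def basic_credentials(header):
    """Recover the plaintext credentials from a Basic header. Base64 is an
    encoding, not encryption, so anyone who sees the header has the password."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()

def digest_response(username, realm, password, nonce, method, uri):
    """Digest auth (RFC 2617, algorithm=MD5, no qop): MD5(HA1:nonce:HA2), with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri). Only this
    checksum, bound to the server's nonce, travels in the request."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")

def digest_verify(stored_password, realm, nonce, method, uri, username, response):
    """Server side: recompute the checksum from the stored credential and the
    nonce it issued, then compare in constant time."""
    expected = digest_response(username, realm, stored_password, nonce, method, uri)
    return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    # Constructed demo values, not taken from the slides.
    realm, nonce, uri = "cse", "demo-nonce-1", "/grades"
    hdr = basic_header("alice", "s3cret")
    print(hdr, "->", basic_credentials(hdr))
    resp = digest_response("alice", realm, "s3cret", nonce, "GET", uri)
    print("digest accepted:", digest_verify("s3cret", realm, nonce, "GET", uri, "alice", resp))
    # A captured response only verifies while the server still accepts the same
    # nonce, which is why a server issues a fresh nonce with each challenge.
    print("same response under a new nonce:",
          digest_verify("s3cret", realm, "demo-nonce-2", "GET", uri, "alice", resp))
```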
State and SessionState and Session
• Client and server exchange and process data• Application needs to maintain the state of each user
interactions– Server side structure: session– Client side: sent by the server and protected from
tampering• Stateless HTTP token to identify user sessions
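Added example, not from the slides: one way to keep client-side state "protected from tampering" as the slide requires, by appending an HMAC that only the server can compute; the client can read the state but any edit is rejected on return. The key, the state fields and the token layout are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed server-side key for the demo; a real deployment keeps it out of
# source and rotates it.
SERVER_KEY = b"demo-key-change-me"

def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_state_token(state, key=SERVER_KEY, ttl=3600, now=None):
    """Serialize client-side state and append an HMAC-SHA256 tag so the server
    can detect tampering when the client sends it back. The contents are
    readable by the client; the tag only guarantees they are unmodified."""
    payload = dict(state, exp=int(now or time.time()) + ttl)
    body = _b64(json.dumps(payload, sort_keys=True).encode())
    tag = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}"

def verify_state_token(token, key=SERVER_KEY, now=None):
    """Return the state if the tag is valid and the token is unexpired, else None."""
    body, _, tag = token.partition(".")
    expected = _b64(hmac.new(key, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, tag):   # checked before the body is parsed
        return None
    payload = json.loads(_unb64(body))
    if payload.get("exp", 0) <= int(now or time.time()):
        return None
    payload.pop("exp")
    return payload

def client_edited_copy(token, **changes):
    """Simulate a client editing its own state without the key; used to show
    that verification rejects the edited token."""
    body, _, tag = token.partition(".")
    payload = json.loads(_unb64(body))
    payload.update(changes)
    return _b64(json.dumps(payload, sort_keys=True).encode()) + "." + tag

if __name__ == "__main__":
    tok = issue_state_token({"user": "alice", "role": "student"})
    print("valid:", verify_state_token(tok))
    print("edited:", verify_state_token(client_edited_copy(tok, role="admin")))
```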
Functionality
• Server-side technologies:
– Scripting languages
– Web application platform
– Web server software
– Databases
– Back-end components
• Client-side technologies:
– Browser extension technologies
WS Security Standards
• OASIS Web Services Security (WSS)
– Integrity and authentication: sign SOAP msgs.
– Confidentiality: encrypt SOAP msgs.
– Attach security tokens
• Security tokens
– Security Assertion Markup Language (SAML) assertions
– Kerberos tickets
– User credentials
– X.509 certificate
– Custom defined tokens
Next Class
• Mapping Applications