Dr. Sabin Buraga – profs.info.uaic.ro/~busaco/
Web Technologies
Web application security
a general presentation
“Experience is that marvelous thing that enables you to recognize a mistake
when you make it again.”
F.P. Jones
data security
Security is the process of maintaining an acceptable level of perceived risk
“Security is a process, not an end state.” (Mitch Kabay)
Web application security risks: OWASP – Open Web Application Security Project
www.owasp.org
Confidentiality
Authentication
Authorization
Integrity
Non-repudiation
Privacy
Availability
Confidentiality
no third party can read the data exchanged between the two communicating endpoints
Confidentiality
solution:
private connections between the two end-points of the communication channel
data is transferred through a tunnel provided by a VPN – Virtual Private Network
Confidentiality
HTTPS (HyperText Transfer Protocol Secure)
goal: bidirectional encryption + authentication of the server (and, optionally, of the client) via X.509 certificates,
preventing man-in-the-middle attacks and data interception/modification (eavesdropping, tampering)
https URI scheme: RFC 7230 (section 2.7.2); HTTP over TLS: RFC 2818
Confidentiality
HTTPS (HyperText Transfer Protocol Secure)
HTTP over TLS (Transport Layer Security)
URLs use the https scheme – standard port: 443
use case: HTTPS on Stack Overflow (2017)
https://nickcraver.com/blog/2017/05/22/https-on-stack-overflow/
Confidentiality
solution:
data encryption via various approaches (algorithms)
a practical introduction at www.crypto101.io
general specification: Web Cryptography API (W3C Recommendation, 2017)
www.w3.org/TR/WebCryptoAPI/
Examples of cryptographic solutions – specialized libraries and/or provided by Web development environments:
OpenSSL (C library; many ports)
Java Cryptography Architecture
Forge (JavaScript) – github.com/digitalbazaar/forge
System.Security.Cryptography (.NET Framework)
crypto (the built-in Node.js module); CryptoJS – www.npmjs.com/package/crypto-js
Mcrypt (deprecated in PHP 7.1, removed in PHP 7.2), phpseclib, Zend Framework Encryption (PHP)
Python Cryptography Toolkit (PyCrypto) – www.pycrypto.org/ (unmaintained; prefer PyCryptodome or the cryptography package)
more at github.com/sobolevn/awesome-cryptography
Confidentiality
attention: exploiting the vulnerabilities of libraries
example (2014): Heartbleed – a memory-disclosure bug in OpenSSL's implementation of the TLS heartbeat extension
http://heartbleed.com/
example (2015): FREAK – a downgrade attack forcing vulnerable TLS clients and servers to negotiate export-grade (512-bit) RSA
https://freakattack.com/
advanced
Authentication
a mechanism that verifies the identity claimed by a user (or client program) before granting access to a service
– usually, by user name + password
Authentication
solution:
the Web server provides support for HTTP Basic authentication (RFC 7617; the credentials are only base64-encoded, so it must run over HTTPS)
or for Digest authentication (RFC 7616), based on hash algorithms – historically MD5, with SHA-256 added by RFC 7616
hash functions: SHA-2 (SHA-256, SHA-512, etc.), SHA-3 – http://csrc.nist.gov/groups/ST/hash/
Authentication
examples: mod_auth_basic, mod_auth_digest, mod_authn_dbd,… (Apache modules)
http://httpd.apache.org/docs/howto/auth.html
ngx_http_auth_basic_module, ngx_http_auth_request_module (Nginx modules)
for other solutions, visit http://wiki.nginx.org/Modules
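The server side of Basic authentication, written as an added example for this lecture (it is not code from the slides or from Apache/Nginx): parsing the Authorization header the way RFC 7617 defines it, then checking the password against a salted PBKDF2 digest with a constant-time comparison. The user store, the account "alice" and the iteration count are constructed for the demo.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# PBKDF2-HMAC-SHA256 iteration count; hypothetical value chosen for the demo.
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte salt comes from os.urandom when
    none is given, so two users with the same password get different digests."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


# Constructed user store (hypothetical account): only salt + digest are kept,
# never the plaintext password.
USERS = {
    "alice": hash_password("correct horse battery staple"),
}
# Dummy record used for unknown users, so the verification cost (and thus the
# response time) does not reveal whether a user name exists.
_DUMMY = hash_password("placeholder")


def make_basic_header(user: str, password: str) -> str:
    """Build the value a client sends: 'Basic ' + base64(user:password)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def parse_basic_authorization(header_value: str) -> Optional[Tuple[str, str]]:
    """Parse an 'Authorization: Basic ...' value (RFC 7617).
    Returns (user, password), or None when the header is malformed."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # RFC 7617: the user-id must not contain ':'; the password may.
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def authenticate(header_value: str) -> bool:
    """True only when the header carries a known user and the right password."""
    parsed = parse_basic_authorization(header_value)
    if parsed is None:
        return False
    user, password = parsed
    salt, expected = USERS.get(user, _DUMMY)
    _, actual = hash_password(password, salt)  # same cost on every path
    # Constant-time comparison: does not leak how many digest bytes matched.
    return user in USERS and hmac.compare_digest(actual, expected)
```

The same verification routine serves a login form; only the parsing step differs. Whatever the transport, the server stores salted slow hashes, never passwords, and compares digests with hmac.compare_digest rather than ==.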
advanced
Authentication
solution:
using/implementing authentication services – for example, OpenID Connect
for end-users (humans), use multi-factor authentication – e.g., Two Factor Auth (2FA): twofactorauth.org
advanced
see one of previous lectures
Authorization
specifies which actions a user (or a client application acting for the user) may perform in a specific context
associated with authentication
allows defining the policies to control the access to services (functionalities)
Authorization
solution:
access rights (permissions) + ACLs – Access Control Lists
context: authorizing (delegated) access to the data provided by a Web application – e.g., via OAuth 2.0 (RFC 6749)
its threat model: RFC 6819 – https://tools.ietf.org/html/rfc6819
Authorization
solution:
RBAC – Role-Based Access Control
example: a regular user who holds the administrator role in a specific context (e.g., moderator of a single forum)
Integrity
in this context, involves detecting the attempts to modify – in an unauthorized manner –
the transmitted data (data tampering)
Integrity
solutions:
digest algorithms – a bare hash only detects accidental corruption; against an active attacker it must be keyed (HMAC) or signed
digital signatures (stored, possibly, in XML documents – XML Signature)
could be transported also via SOAP messages (WS-Security)
Non-repudiation
ensures that the sender of a message cannot deny having sent it
Non-repudiation
solution:
digital certificates – store data regarding the identity of an entity (its public key, bound to a name by a certificate authority)
the proof relies on holding a secret: the private key matching the certificate (used to produce a digital signature)
shared secrets such as a password or a credit card number are weaker evidence, since the verifier knows them too
PKI (Public Key Infrastructure)
a suite of hardware, software, human resources + policies & procedures for digital certificate management
(creation, distribution, use, storage, revocation)
PKI components: certificate authority (CA), registration authority (RA), validation authority (VA)
PKI allows users to communicate “securely” on an insecure public network, including checking the user identity
by using digital certificates issued by an authority
advanced
www.herongyang.com/PKI/
Web of trust – WoT (Phil Zimmermann, 1992)
alternative to PKI: trust is established by users signing each other's keys instead of by a central authority
the model adopted by PGP (Pretty Good Privacy)
(sharing the name, but unrelated to PGP's web of trust) a Website-reputation service based on users' opinions: www.mywot.com
Availability
the need for a particular resource to be accessible when it is needed
aspect of interest: service quality, stipulated via an SLA (Service-Level Agreement)
uptime, average speed to answer, turn-around time, abandonment rate, mean time to recover,…
advanced
(figure) the availability of specific Web services
Availability
causes of unavailability:
DoS (Denial of Service) attacks
DDoS (Distributed DoS) attacks
poor implementation
Privacy
refers to the rights of the data subject (the person the transferred data is about) regarding how that data is collected, transferred and used
http://privacy.org/
often considered similar to confidentiality
Bruce Schneier, Security and Privacy in a Hyper-connected World (2016) – www.youtube.com/watch?v=cJMG34UzIyk
Privacy
breaches:
inadequate data storage on the server – information disclosure
XSS (Cross-Site Scripting) attacks
phishing attacks – www.honeynet.org/papers/phishing/
inappropriate system configuration
Web security should consider:
client
user interaction
personal data storage: cookies, off-line data, cache,…
asynchronous transfers – Ajax/Comet or WebSockets
(unauthorized) execution of JavaScript programs
existence of suspicious plugins/extensions
…
Web security should consider:
data in transit
wired/wireless network security
safe message exchange between various entities
data non-repudiation
…
Web security should consider:
server
Web server(s) security
application, framework, library,… security
availability of provided services
Web security should consider:
client
data in transit
server
Attacks can target any of these 3 aspects!
Vulnerabilities
weaknesses of a hardware/software system that an attacker can exploit – e.g., to gain unauthorized access to it
may also occur due to poor administration (misconfiguration, missing updates)
Vulnerabilities
no system is 100% secure
attacks
Environment assessment
identifying the public ports/services
discovering the applications’ types + versions
generating errors + examining obtained messages
finding sensitive information: source-code, comments, hidden fields of Web forms,…
inspecting the technologies used by a Web application: BuiltWith
Determining the target of the attack
authentication mechanism (login)
Web form fields
session management
infrastructure – data storage servers, additional services (e.g., proxy),…
HTTP-level
analyzing data packets (network sniffing): works for unencrypted HTTP data streams
a prevention solution: HTTPS
HTTP-level
session hijacking: the attacker determines the user's SID (session identifier) and uses it for his/her own purposes
example: a SID placed in the URL leaks through the Referer header field sent along with requests to other sites
Referer: https://www.ebank.info/view/account?id=98151&jsessid=BAC13606AC22B81E5137F45F95EE7573
details: www.geeksforgeeks.org/session-hijacking/
classic prevention solutions: removing the SID from the URL (carry it in a cookie marked Secure, HttpOnly and SameSite)
binding the session to the client's User-Agent header (a weak, easily spoofed check)
using a variable SID – regenerate it at login and on every privilege change
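The leak and the three classic countermeasures, as an added example (not code from the slides): a detector for session identifiers in a Referer value, a function that strips them from URLs, a session store that issues random identifiers and rotates them on login, and the cookie attributes that keep the SID out of scripts and cross-site requests. The parameter-name list and the store are constructed for the demo; the sample Referer is the one from the slide above.

```python
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Query-parameter names commonly used to carry a session identifier
# (the slide's jsessid plus the usual suspects; extend as needed).
SESSION_PARAM_NAMES = {"jsessid", "jsessionid", "phpsessid", "sid", "sessionid", "session"}


def leaked_session_ids(referer: str) -> Dict[str, str]:
    """Session-id-looking parameters found in a Referer value. Any host that
    receives this header (a third-party script host, an ad network, a linked
    page) can read the SID and replay it."""
    query = parse_qs(urlsplit(referer).query)
    return {name: values[0] for name, values in query.items()
            if name.lower() in SESSION_PARAM_NAMES}


def strip_session_id(url: str) -> str:
    """Prevention 1: never put the SID in the URL; drop it if a legacy link has one."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SESSION_PARAM_NAMES]
    return urlunsplit(parts._replace(query=urlencode(kept)))


class SessionStore:
    """Prevention 2: random, server-side session identifiers that are
    re-issued whenever the session's privilege level changes."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, data: Optional[dict] = None) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._sessions[sid] = dict(data or {})
        return sid

    def rotate(self, old_sid: str) -> str:
        """Issue a fresh SID carrying the same data and invalidate the old one.
        Call this right after login (defeats session fixation) and on any
        privilege change, so a SID captured earlier stops working."""
        data = self._sessions.pop(old_sid)
        return self.create(data)

    def get(self, sid: str) -> Optional[dict]:
        return self._sessions.get(sid)


def session_cookie(sid: str) -> str:
    """Prevention 3: carry the SID in a cookie that scripts cannot read (HttpOnly),
    that only travels over HTTPS (Secure) and that is not attached to
    cross-site requests (SameSite)."""
    return f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"
```

A Referrer-Policy header (e.g., strict-origin-when-cross-origin) limits what Referer carries, but the only reliable fix is not putting the SID in the URL at all.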
HTTP-level
using the HTTP status code to expose data
details in Mike Cardwell, Abusing HTTP Status Codes to Expose Private Information (2011)
www.grepular.com/Abusing_HTTP_Status_Codes_to_Expose_Private_Information
Server Side Request Forgery (SSRF)
abusing the Web server functionality to access or alter internal resources
by supplying a URL, the attacker alters parameters used by the application so that the server issues requests on his/her behalf (e.g., to hosts reachable only from the internal network)
modus operandi + counteraction solutions:
www.acunetix.com/blog/articles/server-side-request-forgery-vulnerability/
www.netsparker.com/blog/web-security/server-side-request-forgery-vulnerability-ssrf/
SQL injection
involves supplying input that changes the SQL queries built by the application, allowing displaying, altering, deleting data from databases via Web forms or
directly using URLs
for details, consult Testing for SQL Injection:
www.owasp.org/index.php/Testing_for_SQL_Injection_%28OTG-INPVAL-005%29
real cases: https://laurent22.github.io/so-injections/
SQL injection – example:
select * from customers where name=$name and pass=$pass
with $name from a Web form having as value '' or 1=1 --
SQL injection – example:
http://e-banking.org/access_client.php?client=3
in script: select credit_card from clients where client=$client
what happens if the URL is http://e-banking.org/access_client.php?client=client ? (a non-numeric value produces an SQL error that may reveal the query structure)
or if, instead of select, a delete command is injected?
SQL injection
variations: creating incorrect SQL statements
to have access to “interesting” error messages
SQL injection – example: http://www.site.org/search?id=1+OR+xy=1
we can obtain a message like:
[Microsoft][ODBC SQL Server Driver] [SQL Server] Invalid column name 'xy'.
SELECT group_id, securityName, maxSalesCharge, price,
security_id, trade_date FROM funds
WHERE group_id = 1 OR xy=1 ORDER BY price DESC
the attacker could continue – for example – with:
http://www.site.org/search?id=1;DELETE+FROM+funds+--
SQL injection
prevention solutions: neutralizing SQL meta-characters, prepared statements,
using ORM (Object-Relational Mapping) frameworks, stored procedures,…
wrong (the query text is built by string concatenation):
$sql = "select * from users where user = '" . $user . "'";
$result = $db->query($sql);
correct (prepared statement with a placeholder, e.g., with PDO):
$stmt = $db->prepare("select * from users where user = ?");
$stmt->execute([$user]);
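The wrong and the correct query side by side, runnable, as an added example that is not part of the lecture: an in-memory SQLite table (constructed, with hypothetical accounts) queried first by string concatenation and then with placeholders, both fed the slide's ' OR 1=1 -- payload.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table for the demonstration (hypothetical accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT, pass TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")])
    db.commit()
    return db


def login_wrong(db: sqlite3.Connection, user: str, password: str) -> List[str]:
    """WRONG: the query text is assembled from user input, exactly like the
    slide's  $sql = "select * from users where user = '" . $user . "'"  pattern."""
    sql = f"SELECT user FROM users WHERE user = '{user}' AND pass = '{password}'"
    return [row[0] for row in db.execute(sql)]


def login_correct(db: sqlite3.Connection, user: str, password: str) -> List[str]:
    """CORRECT: placeholders; the driver passes the values apart from the SQL
    text, so a quote or a comment marker in the input stays literal data."""
    sql = "SELECT user FROM users WHERE user = ? AND pass = ?"
    return [row[0] for row in db.execute(sql, (user, password))]


def demo() -> dict:
    """Run both versions with a valid login and with the slide's payload."""
    db = make_db()
    # With the payload the concatenated query reads:
    #   ... WHERE user = '' OR 1=1 --' AND pass = 'anything'
    # i.e. the password check is commented out and every row matches.
    payload = "' OR 1=1 --"
    return {
        "valid_wrong": login_wrong(db, "alice", "s3cret"),
        "valid_correct": login_correct(db, "alice", "s3cret"),
        "injected_wrong": login_wrong(db, payload, "anything"),
        "injected_correct": login_correct(db, payload, "anything"),
    }
```

The parameterized version returns nothing for the payload because the database looks for a user literally named ' OR 1=1 --. The same holds for the ;DELETE variant: sqlite3's execute() refuses a second statement, and a prepared statement never reinterprets a bound value as SQL.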
SQL injection
solutions for vulnerability testing (penetration tools):
sqlmap – sqlmap.org
SQL Ninja – sqlninja.sourceforge.net
SQL Power Injector – www.sqlpowerinjector.com
details at www.owasp.org/index.php/Blind_SQL_Injection
advanced
NoSQL injection
exploiting the query language exposed by the NoSQL server, including the weaknesses of the provided
API and/or the data transfer format (JSON, XML)
example: Hacking Node.js and MongoDB (2014)
http://blog.websecurify.com/2014/08/hacking-nodejs-and-mongodb.html
for details, read www.owasp.org/index.php/Testing_for_NoSQL_injection
advanced
Shell command injection
running external commands via CGI scripts or from Web application servers (PHP, Python, Ruby) with untrusted input on the command line
prevention solutions: avoid system(), exec(), etc. (or disable them, e.g., via PHP's disable_functions); when a command is unavoidable,
pass its arguments as a list without invoking a shell, and validate them against an allowlist
SQL injection + command injection
using SQL to execute shell commands from the database server (e.g., xp_cmdshell on Microsoft SQL Server)
example:
SELECT * FROM users WHERE name = 'tuxy' AND pass = ' '; xp_cmdshell 'taskkill /F /IM sqlservr.exe' --'
XPath injection
using XPath expressions to access data from an XML document or to perform various actions via XPath functions
has consequences also for malicious XSLT transformations – for example, causing DoS
details at www.agarri.fr/blog/
Path traversal
ability to access files outside the directories where the Web application resides – i.e., parts of the filesystem
the user is not authorized to reach
example: http://e-photos.info/listphotos.jsp?dir=../../
example in the XML context (XXE – XML External Entity): http://cwe.mitre.org/data/definitions/611.html
<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///tmp/sessions/..."> ]>
advanced
Real example – attack on PostgreSQL
connecting with low privileges
getting global/pg_auth by using XXE
overwriting this file via XSLT
re-connecting with admin privileges
restoring global/pg_auth with XSLT
launching postgres_payload.rb – resource provided by the Metasploit project: www.metasploit.com
advanced
Poisonous null-byte attack
using the NUL character to place scripts on the server which can then be executed: the validation code (e.g., in PHP) sees the whole string, ending in .jpg,
while the underlying C file API stops at the NUL and writes img.php
example: an “image” upload – img.php%00.jpg
“Thank you! See your picture at img.php”
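Server-side checks for both weaknesses above (path traversal in the listphotos example and the NUL-byte upload), written as an added example that is not part of the lecture. safe_join resolves the requested path and refuses anything outside the base directory; stored_upload_name rejects NUL bytes, takes the extension from the last suffix and never reuses the client's file name. The base directory /srv/e-photos/photos and the extension list are assumptions for the demo.

```python
import os
import secrets
from urllib.parse import unquote


class PathError(ValueError):
    """Raised when a user-supplied path or file name is not acceptable."""


def safe_join(base_dir: str, user_path: str) -> str:
    """Resolve user_path inside base_dir and refuse anything that escapes it.
    realpath() normalizes '..' and follows symlinks, so a link pointing outside
    the base directory is caught as well; an absolute user_path replaces
    base_dir in os.path.join and is therefore rejected by the prefix check."""
    if "\x00" in user_path:
        raise PathError("NUL byte in path")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_path))
    if os.path.commonpath([base, target]) != base:
        raise PathError(f"path escapes base directory: {user_path!r}")
    return target


def list_photos_dir(dir_param: str, base_dir: str = "/srv/e-photos/photos") -> str:
    """Server side of the slide's listphotos.jsp?dir=... (hypothetical base_dir).
    The parameter arrives percent-encoded: decode it before checking, otherwise
    '..%2F..%2F' slips past a naive string test and is decoded later."""
    return safe_join(base_dir, unquote(dir_param))


ALLOWED_IMAGE_EXTENSIONS = frozenset({".jpg", ".jpeg", ".png", ".gif"})


def stored_upload_name(client_name: str) -> str:
    """Name under which an uploaded 'image' is stored.
    The NUL trick (img.php%00.jpg) works when the check reads the whole string
    but the C-level file API stops at the NUL. Here a NUL is rejected outright,
    the extension is the *last* suffix, and the client's name is never reused:
    a random name is generated, so img.php cannot be placed at all."""
    if "\x00" in client_name:
        raise PathError("NUL byte in file name")
    _, ext = os.path.splitext(os.path.basename(client_name))
    ext = ext.lower()
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        raise PathError(f"extension not allowed: {ext!r}")
    return secrets.token_hex(16) + ext
```

Storing uploads outside the document root, or in a directory where the Web server is configured never to execute scripts, is the complementary measure: even a file that passes the name check must remain data.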
Cross-Site Scripting (XSS)
allows “injection” into the system of JavaScript programs, in order to be directly executed
in the browser
works especially on interactive Web sites(e.g., forums, blogs, wikis)
Stored XSS
the attacker injects a JS script (also called payload) which is permanently stored in the target application
e.g., into the database of the Web application – usually, a CMS (Content Management System)
advanced
Reflected XSS
the payload is carried by the request (typically inside a URL crafted by the attacker) and reflected by the vulnerable server into its HTTP response
(the malicious script is delivered to each victim individually, nothing is stored on the server)
the user is persuaded to visit the special URL via social engineering techniques (e-mail, social networks,…)
advanced
DOM-based XSS
the payload never reaches the server: the page's own JS code writes attacker-controlled data (e.g., from location.hash or document.URL) into the DOM tree in the browser
details in Ferruh Mavituna's article (2017)
www.netsparker.com/blog/web-security/dom-based-cross-site-scripting-vulnerability/
advanced
XSS – typical examples:
<img src="javascript:code" /> (historical – modern browsers no longer run javascript: URLs in src; today's equivalent is <img src="x" onerror="code">)
redirecting the user to another URL, getting cookies or blocking the browser
including malicious code (malware) to be executed by the Web browser
via elements like <embed>, <img> or <object>
XSS – other malevolent actions:
<script type="text/javascript">
setInterval (function () {
var w = window.open ();
w.document.write (document.documentElement.outerHTML ||
document.documentElement.innerHTML);
}, 33);
</script>
recursive window creation via DOM (à la fork bomb)
advanced
XSS – other malevolent actions:
placing a malware program inside Web applications – e.g., fake jQuery code
case studies: https://blog.sucuri.net/category/website-malware-infections/
advanced
XSS
provides the premises for circumventing the policy on interaction between client-level scripts and resources
from the same origin (scheme, host, port): Same Origin Policy
usually, a script from site.org cannot read data from a Web page belonging to the othersite.org domain;
an injected script, however, runs with the origin of the vulnerable page, so it reads that page's data and cookies
advanced
A real example:
exploiting an XSS vulnerability in the HTML filter of MySpace: when a user viewed Tuxy's profile, the JavaScript code automatically made him/her a friend of Tuxy + used Ajax to insert the malevolent script into the viewer's own profile
social network worm (Samy, 2005)
http://samy.pl/popular/tech.html
after 20 hours, 1,005,831 friend requests – MySpace went down
Other genuine examples:
XSS weakness detected in GMail for iOS (Roy Castillo, 2013)
http://goo.gl/agbZz3
XSS vulnerability of the Tumblr application (Andrew Lang, 2016)
blog.andrewlang.net/post/152805939304/tumblr-xss-exploit
Cross-Site Request Forgery (CSRF)
forces a user who is authenticated to an application to perform unwanted actions – e.g., data corruption – by having the victim's browser send a request crafted by the attacker (the browser attaches the session cookie automatically)
real cases: getting the list of contacts for an authenticated GMail user (2005)
changing the postal address + renting films on behalf of persons having Netflix accounts (2006)
Cross-Site Request Forgery (CSRF)
can also lead to identity theft (phishing) or to the injection of malware code on the client
www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29
a solution to mitigate the risk of CSRF attacks: the CSRFGuard library (per-session tokens)
https://github.com/aramrami/OWASP-CSRFGuard
Cross Site History Manipulation (CSHM)
security breach eluding Same Origin Policy, which allows the navigation history to be manipulated by a malicious program – e.g., detecting user authentication
status on a site, user tracking, accessing parameters associated to a URL,…
http://tinyurl.com/qyurynm
Other phishing Web attacks
clickjacking: using JavaScript code or transparent frames to modify the content presented to the user by the Web browser,
manipulating the user into clicking hidden links or buttons
jeremiahgrossman.blogspot.com/2008/09/cancelled-clickjacking-owasp-appsec.html
Other phishing Web attacks
tabnabbing: using JavaScript code to replace, in a browser tab the user has left inactive, the page with a replica of an application's log-in form
– e.g., Facebook, GMail
www.azarask.in/blog/post/a-new-type-of-phishing-attack/
Other phishing Web attacks
adopting social engineering techniques – “any act that influences a person to take an action
that may or may not be in their best interest”
manipulating the user – e.g., theft of passwords – by using intimidation, blackmail, authority, flattery,
impersonation, vanity, etc.
www.social-engineer.org
A real example:
Email spam campaign impersonating Google Docs(May 2017)
reddit.com/r/google/comments/692cr4/new_google_docs_phishing_scam_almost_undetectable/
Prevention solutions (for XSS):
forbidding the use of HTML markup in user input
HTML escaping via a specialized library, according to the output context (element content, attribute value, JavaScript string, URL)
markup filtering (sanitizing against an allowlist of elements and attributes)
separating data presentation from actual processing (template engines that escape by default)
etc.
www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
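Context-dependent escaping in practice, as an added example that is not part of the lecture: a comment renderer in its vulnerable and its escaped form, plus the three other encodings a page needs depending on where the untrusted value lands. The functions use only the Python standard library; the comment markup is constructed for the demo.

```python
import html
import json
from urllib.parse import quote


def render_comment_wrong(author: str, body: str) -> str:
    """WRONG: user-controlled strings are concatenated straight into the HTML."""
    return f"<p><b>{author}</b>: {body}</p>"


def render_comment_correct(author: str, body: str) -> str:
    """CORRECT for element content: <, >, & and quotes become character
    references, so the browser renders the payload as text instead of running it."""
    return f"<p><b>{html.escape(author)}</b>: {html.escape(body)}</p>"


def attribute_value(value: str) -> str:
    """For a quoted attribute: quotes must be escaped too (html.escape does so
    with quote=True, its default), otherwise the attacker closes the attribute
    and appends onerror=... to the element."""
    return html.escape(value, quote=True)


def javascript_string_literal(value: str) -> str:
    """For data embedded in an inline <script>: JSON-encode the value, then make
    sure the literal can never contain '</script' by escaping the slash
    (the HTML parser ends the script element before the JS parser runs)."""
    return json.dumps(value).replace("</", "<\\/")


def url_query_value(value: str) -> str:
    """For a value placed in a URL query string: percent-encode everything."""
    return quote(value, safe="")


def looks_unescaped(rendered: str, payload: str) -> bool:
    """Helper for tests or log review: does the raw payload survive into the output?"""
    return payload in rendered
```

The point of four functions rather than one is that the escaping rules differ per context: html.escape output placed inside a script block, or a JSON literal placed inside an attribute, is still exploitable.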
Problems caused by URI/IRIs
misleading the user about the Internet domain of a Website
example: http://[email protected]/ (everything before the @ is the userinfo part of the URL; the real host follows it)
+ wrong encoding of hex codes (percent-encoding)
certain Web servers' vulnerabilities
Problems caused by URI/IRIs
using Unicode characters – problems with decoding URLs considered “safe”
sites adopting IDN – Internationalized Domain Names: homograph attacks
details at www.unicode.org/reports/tr36/
example: www.xudongz.com/blog/2017/idn-phishing/
Problems regarding the use of passwords
most authentication processes use passwords
Problems regarding the use of passwords
the more passwords a user needs to memorize, the more the password-based authentication system
is prone to security breaches:
choosing weak passwords, used for a long time
sharing passwords within groups of friends/colleagues
writing down passwords on paper – possibly in plain sight
using the same password for multiple Web applications
Problems regarding the use of passwords
attack example: a dictionary/brute-force attack on Twitter discovered “happiness” as the password of an admin account
https://blog.codinghorror.com/dictionary-attacks-101/
typical prevention solutions: admin accounts separated from regular accounts; rate limiting or lockout after repeated failures
Web trojans
seemingly useful Web sites/applications that users reach without intending to
– for example, through automatic redirection
additionally, XSS/CSRF or social engineering techniques could be adopted
Web trojans
examples: fake antiviruses, online purchases of pharmaceuticals, modified Web search software
large-scale abusive advertising + e-payment extortions (credit card or Bitcoin)
http://cseweb.ucsd.edu/~savage/papers/CCS12Priceless.pdf
Examples: injecting altered JS libraries inside a CMS – e.g., Joomla, WordPress,…
Fake jQuery Scripts in Nulled WordPress Plugins
blog.sucuri.net/2015/05/fake-jquery-scripts-in-nulled-wordpress-pugins.html
jQuery.min.php Malware Affects Thousands of Websites
blog.sucuri.net/2015/11/jquery-min-php-malware-affects-thousands-of-websites.html
injecting fake plug-ins – for example, bbPress for WordPress
blog.sucuri.net/2017/01/fake-bb_press-plugin.html
Web trojans
prevention solutions: adopt a ticket system (crumbs, i.e., anti-CSRF tokens)
each action that can be performed by the user has an associated random ticket (token), bound to the user's session, which is accepted only once
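A ticket (crumb) system of the kind described above, and the token-based CSRF mitigation the CSRFGuard slide refers to, as one added example that is not code from the lecture or from CSRFGuard: tickets are random, bound to the session and the action, expire, and are deleted when consumed, so a forged cross-site request (which cannot know the ticket) and a replayed one are both refused. The clock parameter exists only so the expiry can be exercised deterministically.

```python
import secrets
import time
from typing import Dict, Optional, Tuple


def _at(now: Optional[float]) -> float:
    """Clock injection point so the expiry logic can be tested deterministically."""
    return time.time() if now is None else now


class CsrfTickets:
    """Single-use anti-CSRF tickets ('crumbs'), bound to a session and an action."""

    def __init__(self, ttl_seconds: int = 600) -> None:
        self._ttl = ttl_seconds
        # (session id, ticket) -> (action the ticket was issued for, expiry time)
        self._issued: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def issue(self, session_id: str, action: str, now: Optional[float] = None) -> str:
        """Create a ticket for one future submission of `action` by this session."""
        ticket = secrets.token_urlsafe(32)  # 256 random bits: unguessable
        self._issued[(session_id, ticket)] = (action, _at(now) + self._ttl)
        return ticket

    def hidden_field(self, session_id: str, action: str) -> str:
        """Markup to embed in the form. The value is specific to the viewer's
        session, so a page on attacker.example that makes the victim's browser
        submit the form cannot supply it (the browser attaches cookies, not tickets)."""
        return f'<input type="hidden" name="ticket" value="{self.issue(session_id, action)}">'

    def consume(self, session_id: str, action: str, ticket: Optional[str],
                now: Optional[float] = None) -> bool:
        """Accept the submission only if the ticket was issued to this session,
        for this action, is unexpired and has never been used. pop() removes it,
        so a replayed or double-submitted request is refused."""
        if not ticket:
            return False
        entry = self._issued.pop((session_id, ticket), None)
        if entry is None:
            return False
        expected_action, expires_at = entry
        return expected_action == action and _at(now) <= expires_at
```

The session identifier passed in comes from the session cookie the server has already validated; the ticket itself travels in the form body (or a custom header for Ajax), never in a cookie, which is exactly what makes it invisible to a cross-site request.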
advanced
Denial of service
exploiting certain application components, so that the functionalities cannot be offered to real clients
usually, initiation of a recursive processing (possibly, through self-reproducing programs)
M. Abliz, Internet Denial of Service Attacks and Defense Mechanisms (2011)
https://people.cs.pitt.edu/~mehmud/docs/abliz11-TR-11-178.pdf
fork bomb – e.g., for Ruby: loop { fork { __FILE__ } }
XML bomb
zip bomb – http://research.swtch.com/zip
advanced
Real example (billion laughs)
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
…
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
B. Sullivan, XML Denial of Service Attacks and Defenses (2009) – msdn.microsoft.com/magazine/ee335713
www.owasp.org/index.php/XML_External_Entity_(XXE)_Processing
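A parser policy that defeats both the entity-expansion bomb above and the XXE example from the path-traversal slide, as an added example that is not part of the lecture: untrusted XML is parsed with the standard-library expat bindings and any DOCTYPE is refused before a single entity can be declared. The bomb generator rebuilds the slide's document so the check can be exercised without shipping a 3 GB expansion; the XXE sample is constructed on the lines of the slide's <!ENTITY xxe SYSTEM ...> declaration.

```python
import xml.parsers.expat
from typing import Tuple


class UnsafeXML(ValueError):
    """Raised when untrusted XML tries to use a DTD (entities, external references)."""


def parse_untrusted_xml(data: bytes) -> Tuple[str, str]:
    """Parse XML from an untrusted source; return (root tag, concatenated text).
    Any DOCTYPE is refused before entities are declared, which blocks both the
    billion-laughs expansion and XXE (SYSTEM entities reading local files).
    With no ExternalEntityRefHandler set, expat would skip external entities
    anyway, but refusing the DTD makes the policy explicit and cheap."""
    state = {"root": None, "text": []}
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # Raising inside a handler aborts the parse; the exception propagates
        # out of parser.Parse().
        raise UnsafeXML(f"DOCTYPE {name!r} not allowed in untrusted input")

    def on_start(name, attrs):
        if state["root"] is None:
            state["root"] = name

    def on_text(text):
        state["text"].append(text)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.Parse(data, True)
    return state["root"], "".join(state["text"])


def billion_laughs(depth: int = 9, fan_out: int = 10) -> bytes:
    """Construct the slide's 'lolz' document: lol1 = fan_out x lol, lol2 = fan_out x lol1,
    ... so lol9 expands to 10**9 copies of 'lol' (about 3 GB of text)."""
    decls = ['<!ENTITY lol "lol">']
    for i in range(1, depth + 1):
        prev = "lol" if i == 1 else f"lol{i - 1}"
        refs = f"&{prev};" * fan_out
        decls.append(f'<!ENTITY lol{i} "{refs}">')
    doc = ('<?xml version="1.0"?>\n<!DOCTYPE lolz [\n' + "\n".join(decls)
           + f'\n]>\n<lolz>&lol{depth};</lolz>')
    return doc.encode("utf-8")


# Constructed XXE sample: the entity would be replaced by the file's contents.
XXE_SAMPLE = (b'<?xml version="1.0"?>\n'
              b'<!DOCTYPE doc [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>\n'
              b'<doc>&xxe;</doc>')
```

Recent expat releases also cap the amplification factor of entity expansion on their own, so a plain parse of the bomb now fails with an ExpatError rather than exhausting memory; the DOCTYPE refusal is still the right policy, because it also covers external entities and the XSLT-based variants mentioned earlier.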
Ransomware
the attacker demands a “protection fee” (typically in Bitcoin) to stop an attack on a Web site – e.g., a DDoS – or to decrypt content he/she has encrypted
actual examples:
blog.sucuri.net/2015/12/ddos-extortions-campaigns.html
blog.sucuri.net/2016/01/ransomware-strikes-websites.html
Ransomware
The OWASP Anti-Ransomware Guide (May 2017): www.owasp.org/index.php/OWASP_Anti-Ransomware_Guide_Project
detection via traps – honeypots (April 2016): Using honeypots to spot ransomware infections
www.owasp.org/images/0/03/OWASP_RansomwareHoneypots.pptx
advanced
Attempts to access allegedly vulnerable resources or administration sections of a Web site (entries from a real access log):
208.113.197.80 GET /wp-admin/
5.196.16.176 GET /~jromai/romaijournal//images/stories/post.gif
185.22.64.241 GET /~busaco/docs/jdownloads/screenshots/has.php.j?rf
5.196.16.176 POST /index.php?option=com_jce&task=plugin&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c=cf6dd3cf1923c950586
38.87.45.121 GET /~vcosmin/WikiLogica/index.php?title=BuckYoung847
74.220.207.111 GET /wp-admin/admin-ajax.php?action=revslider_ajax_action
74.220.207.111 GET /index.php?gf_page=upload
195.30.97.113 POST //index.php?option=com_jdownloads&Itemid=0&view=upload
5.153.237.232 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
46.102.103.137 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
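Detection logic run over those log lines, as an added example that is not part of the lecture: each request path is matched against a small set of signatures naming what the request is probing for (WordPress and Joomla administration or upload endpoints, double-extension PHP files, wiki login submissions), and the flagged requests are counted per client address. The log excerpt is constructed from the slide above (the two-line com_jce request joined into one line) and the signature list is an assumption, a starting point rather than a complete ruleset.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed access-log excerpt in the "client-ip method path" form of the
# slide above (the two-line com_jce request joined into one line).
SAMPLE_LOG = """\
208.113.197.80 GET /wp-admin/
5.196.16.176 GET /~jromai/romaijournal//images/stories/post.gif
185.22.64.241 GET /~busaco/docs/jdownloads/screenshots/has.php.j?rf
5.196.16.176 POST /index.php?option=com_jce&task=plugin&file=imgmanager&method=form&cid=20&6bc427c8a7981f4fe1f5ac65c=cf6dd3cf1923c950586
38.87.45.121 GET /~vcosmin/WikiLogica/index.php?title=BuckYoung847
74.220.207.111 GET /wp-admin/admin-ajax.php?action=revslider_ajax_action
74.220.207.111 GET /index.php?gf_page=upload
195.30.97.113 POST //index.php?option=com_jdownloads&Itemid=0&view=upload
5.153.237.232 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
46.102.103.137 POST /~flash/wiki/index.php?title=Special:Userlogin&action=submitlogin
"""

# Signatures: a label plus a regular expression over the request path. They
# describe what each request is probing for, not a proven compromise.
PROBE_SIGNATURES: List[Tuple[str, "re.Pattern"]] = [
    ("wordpress admin area", re.compile(r"^/wp-admin/")),
    ("wordpress revslider plugin", re.compile(r"revslider_ajax_action")),
    ("wordpress gravity forms upload", re.compile(r"[?&]gf_page=upload")),
    ("joomla jce image manager", re.compile(r"option=com_jce")),
    ("joomla jdownloads upload", re.compile(r"option=com_jdownloads")),
    ("joomla images/stories (common upload drop point)", re.compile(r"/images/stories/")),
    ("double-extension php file", re.compile(r"\.php\.[A-Za-z0-9]+", re.I)),
    ("wiki login attempt (brute force when repeated)", re.compile(r"Special:Userlogin")),
]


def classify(path: str) -> List[str]:
    """All signature labels matching one request path (empty list = not flagged)."""
    return [label for label, pattern in PROBE_SIGNATURES if pattern.search(path)]


def scan_log(log_text: str) -> Tuple[List[Tuple[str, str, List[str]]], Dict[str, int]]:
    """Return (flagged requests as (ip, path, labels), flagged-request count per IP)."""
    flagged = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, _method, path = line.split(maxsplit=2)
        labels = classify(path)
        if labels:
            flagged.append((ip, path, labels))
            per_ip[ip] += 1
    return flagged, dict(per_ip)
```

On a site that runs none of these products, every hit is reconnaissance by a scanner and a candidate for blocking at the firewall or via fail2ban-style rules; on a site that does run them, the same matches are the lines to correlate with file changes in the upload directories.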
The detection of possible vulnerabilities – due to incorrect/default settings of Web servers and/or
Web applications – can be accomplished by using a search engine (“Google hacking”)
see also Google Hack Honeypot project (2007) – ghh.sourceforge.net
other resources of interest at www.honeynet.org
advanced
Examples of actions:
detecting versions of programs having known bugs: "Apache/2.0.52 server at"
access to .bak files: inurl:index.php.bak
detecting admin pages: "admin login"
default installations: intitle:"welcome to" intitle:internet IIS
locating database systems' interfaces: inurl:main.php phpMyAdmin
searching for applications or log files: inurl:error.log +filetype:log –cvs
getting error messages generated by applications or database servers: "ASP.NET_SessionId" "data source="
advanced
alternative: searching for potentially vulnerable programs in publicly available source code repositories
GitHub case: code execution detection – e.g., exec($_GET
advanced
prevention
Use case: securing Apache HTTP server
remove non-essential modules: mod_autoindex, mod_dav, mod_info, mod_includes, mod_status,…
restrict default permissions for various directories: /, /var/www/html (Website root directory),
(public_)html/ user directories
run the server as a user having minimal permissions, limiting its access to system resources
advanced
Use case: securing Apache HTTP server
“immunize” important configuration files (e.g., mark them immutable with chattr +i on Linux)
run Apache in a chroot jail – see also github.com/ZenProjects/Apache-mod-chroot
prohibit the creation of the server “signature” for automatically generated pages: ServerSignature Off and ServerTokens Prod
use the mod_ssl module to enable HTTPS connections
advanced
Use case: securing Apache HTTP server
check/adjust the permissions of public files
limit/disable file uploads (and never allow uploaded files to be executed)
limit the use of .htaccess files by regular users (AllowOverride None)
the application's database account must not have access to the MySQL users table (mysql.user)
configure the application servers not to send error messages to the browser – in PHP: display_errors = Off (log them instead)
advanced
Use case: securing Apache HTTP server
run scripts in “safe” mode: Perl in taint mode; PHP: safe_mode on (removed in PHP 5.4 – use open_basedir and disable_functions instead), allow_url_fopen off and allow_url_include off
sign code as being “safe” – Java (signed JARs), .NET (Authenticode / strong names)
update the sites only with secured methods: ssh, scp, sftp
for guidelines and good practices, consult http://httpd.apache.org/docs/2.4/misc/security_tips.html
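The Apache settings from the four slides above collected into one configuration fragment, as an added example (not from the lecture or from the Apache documentation): the permissive defaults first, then the hardened form. Paths such as /var/www/html and the uploads directory are hypothetical; adapt the Options line to what the site actually needs (mod_rewrite, for instance, requires FollowSymLinks or SymLinksIfOwnerMatch).

```apache
# --- weak: permissive settings still found in many installations ---
# The banner reveals Apache, PHP and OpenSSL versions; the signature repeats it
# on error pages; every directory can list its contents, run CGI and server-side
# includes; any user's .htaccess can change the configuration.
ServerTokens Full
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks Includes ExecCGI
    AllowOverride All
</Directory>

# --- hardened ---
# Banner reduced to "Apache"; no signature; no HTTP TRACE.
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Deny everything from the filesystem root, then open only what is served.
<Directory />
    Options None
    AllowOverride None
    Require all denied
</Directory>

# Website root (hypothetical path): no directory listings, no SSI, no CGI,
# and .htaccess cannot re-enable them.
<Directory /var/www/html>
    Options -Indexes -Includes -ExecCGI +SymLinksIfOwnerMatch
    AllowOverride None
    Require all granted
</Directory>

# Uploaded files are data, never code: refuse to serve script files from there.
<Directory /var/www/html/uploads>
    <FilesMatch "\.(php|phtml|php[0-9]|pl|py|cgi|sh)$">
        Require all denied
    </FilesMatch>
</Directory>

# Never serve .htaccess / .htpasswd themselves.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Cap request bodies (uploads) at 10 MB.
LimitRequestBody 10485760
```

Check the result with apachectl configtest before reloading, and verify the banner from outside with a HEAD request: the Server header should read just "Apache".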
advanced
On Web application servers/platforms
various examples:
ASP.NET – https://github.com/aspnet/Security
Node.js – nodesecurity.io
PHP – http://phpsecurity.readthedocs.org/
Python – www.pythonsecurity.org
Ruby on Rails – http://tinyurl.com/pbmzgm8
advanced
survival
The system must carry out its mission even if some components/parts of the system
are affected or out of service
fulfilling the most important functionalities (mission-critical) – identifying essential services
example: providing a read-only copy of the content
Important system properties:
resisting to attacks
recognizing the attacks and their effects
adapting to attacks
Resisting to attacks
strategies to reject the attack:
mandatory data validation
user authentication
granting minimum privileges
key-only access to Web services or APIs
…
advanced
Recognizing attacks and their effects (and recovering from them)
strategies for restoring data, limiting the effects, maintaining/restoring compromised services
Web farms – possibly in the cloud; RAID (Redundant Array of Independent Disks)
SAN (Storage Area Network); backups: full or incremental (and tested restores – a backup that has never been restored is not a recovery strategy)
…
advanced
Adapting to attacks
strategies to improve the survival chance (rate)
analysis (audit), learning from mistakes
using the expertise of specialized companies, …
advanced
response to incidents
Aggressive responses – e.g., hack back – are prohibited
advanced
commonly, the SANS (SysAdmin, Audit, Network, Security) Institute methodology is adopted
stages: preparation, identification, containment, eradication, recovery, follow-up (lessons learned)
www.sans.org/security-resources/
advanced
Forensics
the process of identifying and “catching” the attacker
investigation of digital evidence for use in criminal or civil courts of law
http://forensicswiki.org/
advanced
usually performed after a security incident
involves the analysis of hardware (disks, RAM), “trash” (information detritus), logs, configuration files, and others
(volatile data such as RAM contents must be captured before the machine is powered off; disks are examined through verified copies, never the originals)
various software tools: www.cert.org/digital-intelligence/tools/
resources.infosecinstitute.com/computer-forensics-tools/
advanced
the action of “erasing” traces = anti-forensics
several details at http://forensicswiki.org/wiki/Anti-forensic_techniques
advanced
monitoring & testing
Tests to verify…
the capacity of serving clients
robustness
behaviour in extreme situations
To be taken into consideration:
Web browser characteristics (+ default settings)
platform(s): hardware, operating system, …
user interface: screen resolution, color depth, …
caching policy (+ proxy security)
support for rendering various document types (plugin security)
programming language(s) used (including application server(s), libraries, etc.)
Specific tests regarding programming:
buffer overflow
example: the length of the URIs sent by the client
real case: Apple iTunes for Windows (version < 8.2) allowed arbitrary code execution via a crafted itms: URL – http://www.securitytracker.com/id/1022313
advanced
parsing issues
processing of URIs, data received from Web forms, cookies, (X)HTML entities, XML data, HTTP, XML-RPC, and SOAP requests, SQL statements, JSON data, etc.
advanced
N. Seriot, Parsing JSON is a Minefield (2016) – http://seriot.ch/parsing_json.php
problems of data conversion
for example, ASCII ↔ Unicode
best practices: RFC 5137 (ASCII Escaping of Unicode Characters) – https://tools.ietf.org/html/rfc5137
advanced
problems of data rendering (output encoding)
example: displaying the lastname firstname pair when
lastname="<script>document.location="
firstname="'aURI'</script>"
concatenated without escaping, the two values form the script <script>document.location='aURI'</script>, which redirects every visitor who views the profile (stored XSS)
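The rendering problem above, as an added example in Node.js (not code from the lecture): the raw concatenation beside a version that encodes each value for its context. The profile record, including the extra homepage field, is constructed; the escapeHtml/safeUrl helpers are this example's own, not a library API.

```javascript
// Added example (not from the lecture): rendering the lastname/firstname pair
// with and without output encoding. The profile values are constructed.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Escape for an HTML text node or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// A value placed in href/src needs more than entity escaping: the scheme must
// be allowed, otherwise javascript: still executes after the browser decodes it.
function safeUrl(value) {
  try {
    const u = new URL(String(value));
    return ['http:', 'https:'].includes(u.protocol) ? u.href : '#';
  } catch {
    return '#';
  }
}

// Attacker-controlled profile, as on the slide (homepage added for the URL context).
const profile = {
  lastname: '<script>document.location=',
  firstname: "'aURI'</script>",
  homepage: 'javascript:alert(document.cookie)',
};

// The flawed rendering: raw concatenation of stored data into markup.
function renderUnsafe(p) {
  return `<p><a href="${p.homepage}">${p.lastname} ${p.firstname}</a></p>`;
}

// The corrected rendering: every dynamic value encoded for the context it lands in.
function renderSafe(p) {
  return `<p><a href="${escapeHtml(safeUrl(p.homepage))}">${escapeHtml(p.lastname)} ${escapeHtml(p.firstname)}</a></p>`;
}

// Crude check used only to demonstrate the difference between the two outputs.
function containsScript(html) {
  return /<script\b/i.test(html) || /href="javascript:/i.test(html);
}

console.log(renderUnsafe(profile));
console.log(renderSafe(profile));
```

Note that HTML entity escaping is only correct for text and quoted-attribute contexts; a value inserted into a `<script>` block, a CSS property or an unquoted attribute needs its own encoder, and the same data may need several encodings along one page.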
advanced
problems of escaping
example: percent-encoding of the cs/b string – encoded once, encoded twice, and encoded twice with every character of the inner encoding also percent-encoded (a filter that decodes only once sees three different strings, the file system sees one)
cs%2Fb
cs%252Fb
cs%25%32%46b
advanced
problems of escaping
direct data “injection” via the URI, the Web interface, a file (illegal upload), or a program (e.g., remote application administration), …
verify the escaping with dedicated tools – an example: www.htmlescape.net
advanced
Solutions and strategies:
defensive programming
enforcing coding standards
unit testing
include a system for error prevention, detection, and reporting + a bug-tracking system
use a version control system
revisit the lecture about Web engineering
Specific tests concerning privacy:
user data must be treated as sensitive and confidential
What data will be available in the client cache?
Can cookie/LocalStorage data contain sensitive data, potentially exploited by malicious people?
How is the cache invalidated?
advanced
Tests regarding component integration:
the security of an application depends on the security of its most vulnerable component
not verifying the user identity (and the price, quantity, etc.) on the server, assuming this verification was already performed in the browser – real case: www.ifc0nfig.com/dominos-pizza-and-payments/
Tests regarding data obfuscation:
data should not be stored in predictable locations
the content itself can lead to security issues – information disclosure
e.g., Webcam access – context: IoT (Internet of Things) – www.ifc0nfig.com/a-close-look-at-the-philips-in-sight-ip-camera-range/
advanced
Breaches regarding information disclosure:
accessing hidden fields of Web forms and/or
comments in the HTML, CSS, JavaScript source code
advanced
inspecting the robots.txt file, scanning configuration files or temporary directories – e.g., traffic reports
User-agent: *
Disallow: /plenum/data/5510903.doc
Disallow: organization/193959.pdf
Disallow: /en/community/thread/12819
…
(each Disallow line tells a human attacker exactly which resources the owner wants hidden; robots.txt is advisory for crawlers and is never an access control)
details at http://thiébaud.fr/robots.txt.html
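Reading robots.txt the way an attacker does, as an added example (not code from the lecture): a parser that respects the User-agent grouping, followed by a heuristic pass that flags Disallow entries revealing specific resources. The sample file is constructed after the fragment on the slide, and the word and extension lists are this example's own heuristics.

```javascript
// Added example (not from the lecture): parse robots.txt and flag Disallow
// entries that disclose specific resources. The sample file is constructed.

// Consecutive User-agent lines form a group; the Allow/Disallow lines that
// follow apply to all agents in that group.
function parseRobots(text) {
  const rules = [];
  let agents = [];
  let inRules = false;
  for (const raw of text.split('\n')) {
    const line = raw.replace(/#.*/, '').trim();
    const m = line.match(/^([A-Za-z-]+)\s*:\s*(.*)$/);
    if (!m) continue;
    const directive = m[1].toLowerCase();
    const value = m[2].trim();
    if (directive === 'user-agent') {
      if (inRules) { agents = []; inRules = false; }
      agents.push(value);
    } else if (directive === 'disallow' || directive === 'allow') {
      inRules = true;
      rules.push({ agents: agents.slice(), directive, path: value });
    }
  }
  return rules;
}

// Heuristics (this example's own): file types worth a look, and path words that
// usually mean "not meant for the public".
const DOCUMENT_EXT = /\.(docx?|xlsx?|pptx?|pdf|sql|bak|old|zip|tar|gz|log|conf|ini|env)$/i;
const SENSITIVE_WORDS = /(admin|backup|config|private|internal|secret|tmp|temp|data|report|stat)/i;

function findLeaks(rules) {
  const leaks = [];
  for (const r of rules) {
    if (r.directive !== 'disallow' || r.path === '') continue; // bare "Disallow:" allows everything
    const reasons = [];
    if (!r.path.startsWith('/')) reasons.push('relative path: crawlers may ignore it, humans will not');
    if (DOCUMENT_EXT.test(r.path)) reasons.push('points at a document/backup file');
    if (SENSITIVE_WORDS.test(r.path)) reasons.push('path name suggests sensitive content');
    if (!r.path.endsWith('/') && !r.path.endsWith('*') && !DOCUMENT_EXT.test(r.path))
      reasons.push('names a single resource rather than a directory prefix');
    if (reasons.length) leaks.push({ path: r.path, reasons });
  }
  return leaks;
}

// Constructed sample, modelled on the slide's fragment plus two more entries.
const SAMPLE_ROBOTS = `
User-agent: *
Disallow: /plenum/data/5510903.doc
Disallow: organization/193959.pdf
Disallow: /en/community/thread/12819
Disallow: /tmp/traffic-reports/
Disallow: /css/
`;

function auditSample() {
  return findLeaks(parseRobots(SAMPLE_ROBOTS));
}

console.log(JSON.stringify(auditSample(), null, 2));
```

The fix on the server side is not a cleverer robots.txt: resources that must not be public need authentication or should not be reachable under the document root at all, and robots.txt should only list directory prefixes that are harmless to know.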
advanced
error messages emitted by Web applications
files having incorrect extensions: access to the source code of scripts available on the server
viewing the content of server directories (directory listing)
scanning network traffic (URIs, asynchronously transmitted XML/JSON data, …)
advanced
(screenshot) unwanted access to the details of the occurred errors + the source code of a Web application (in this case, Node.js using the Express framework)
advanced
Specific tests regarding the deployment:
a suitable preparation for application deployment
detecting flow problems: proper handling of the 4xx and 5xx HTTP status codes, of access to authenticated resources (e.g., getting data without user authentication), of abnormal script execution, etc.
advanced
testing the interaction with the Web application: programs simulating virtual visitors
experiment: Selenium – www.seleniumhq.org
performing load testing: scenarios and result interpretation
advanced
Stress-testing tools could reveal information about…
performance
e.g., response time, content generation time, etc.
details in “Client-Side Web Application Development” – https://profs.info.uaic.ro/~busaco/teach/courses/cliw/
advanced
scalability
memory usage, disk usage, number of connections to other services, behaviour under load, etc.
advanced
correctness
reports on the (flawed) operation of some components, e.g., by examining the log files
advanced
security issues
advanced
tools (examples)
vulnerability scanners: AppScan, skipfish, w3af, WebInspect
Web testing suites: Burp, Paros, WebScarab
native developer tools provided by Web browsers + specific extensions
also, consult http://sectools.org/tag/web-scanners/
advanced
to remember
Web application security:
must take into consideration the whole architecture, functionality, source code, and content
does not target the vulnerabilities of the operating system or of auxiliary programs
The vulnerabilities of a Web application are not necessarily “famous” and can often be independent of the security of the system on which the site is deployed
a list of publicly known vulnerabilities (CVE), including the Web ones: www.cve.mitre.org/data/downloads/
OWASP Top 10 Most Critical Web Application Security Risks (2017 – Release Candidate, April 2017)
www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
advanced
(figure) risk factors associated with the most important vulnerabilities
OWASP Top 10 Mobile Risks – 2016
Improper Platform Usage
Insecure Data Storage
Insecure Communication
Insecure Authentication
Insufficient Cryptography
Insecure Authorization
Client Code Quality
Code Tampering
Reverse Engineering
Extraneous Functionality
www.owasp.org/index.php/Mobile_Top_10_2016-Top_10
advanced
Web application security principles
service separation
different systems for Web server, application server, storage (database) server, etc.
limit privileges
regarding file systems and databases: minimal permissions for the users under which specific applications run – e.g., Apache, Tomcat, …
hide secrets – e.g., passwords, session IDs (SIDs), …
use standard libraries
maintain + study the log files
perform tests and adjustments (Web tuning)
keep everything updated!
to remember
Rules/good practices (Sverre Huseby, 2004):
Do not underestimate the power of the dark side
Use POST requests when actions have side effects
In a server-side context, there is no such thing as client-side security
Always generate a new session ID once the user logs in
Never pass detailed error messages to the client
Identify every possible meta-character to a subsystem
When possible, pass data separate from control information
Do not blindly trust the API documentation
Identify all sources of input to the application
When filtering data, use white-listing rather than black-listing
advanced
Create application-level logs
Never use client-side scripts for security
Pass as little internal state information as possible to the client
Don’t assume that requests will come in a certain order
Filter all data before including them in a Web page, no matter what the origin
Stick to existing cryptographic algorithms, do not create your own
Never store clear-text passwords
Assume that server-side code is available to attackers
Security is not a product; it is a process
advanced
Security risks are not a concern only for the owner of the Web site/application, but also for the end-user
typical actions: spying on the user (user tracking)
inserting unwanted messages (ad-injection malware)
events + resources: www.ieee-security.org, www.w3.org/Security/
http://googleonlinesecurity.blogspot.com/
advanced
Discomforts caused by an insecure Web site/app:
financial – loss of money/information
performance – e.g., blocking/slowing down actions
psychological – dissatisfaction, influence on UX
social – e.g., inability to work, lack of communication, …
time – cumbersome browsing, redirections, etc.
“conclusion”
Web application security
☣ context, attacks, vulnerabilities, prevention, rules of good practice, case studies