Web Application Security
Computer Science and Engineering
Reading
• Required: Stuttard and Pinto: Chapter 3
• Recommended: Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431. http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf
Key Problem Factors
• Underdeveloped security awareness
• Custom development
• Deceptive simplicity
• Resource and time constraints
• Overextended technologies
• Increased demands on functionality
New Security Perimeter
• Before web applications:
  • Network perimeter protection (DMZ)
  • Firewall
• With web applications:
  • The firewall must allow access to the application server
  • The server may connect to back-end systems
  • The back-end system sits behind several layers of defensive technologies
  • A web application vulnerability may allow the attacker to reach the back-end system
Demilitarized Zone (DMZ)
• Perimeter service:
  • Operates at the application layer
  • Works in conjunction with existing firewall technologies
  • Hides internal application details
• External customer: interacts with the perimeter service's external contracts
• Internal application: its response is relayed to the customer by the perimeter service
How to Handle Vulnerable Applications?
• Honest users may use compromised applications
• Compromised applications allow a malicious attacker to access the victim's back-end system
• The malicious user gains the privileges of the victimized user
• Client-side attacks
• Weakness of authentication via email notifications (e.g., forgotten password)
Web Application Security
Layered security:
• Software-level (single service) security
• Business-level (service composition) security
• Network-level security
Application Development
• Inherent security of applications
• Security granularity
• Security software vs. software security
Secure Software Development
• Develop software that is free of flaws
  • Software engineering: functional requirements
  • Security, reliability, QoS: non-functional requirements
• Protect against malicious code
• Reading:
  • G. McGraw, Software Security, http://www.cigital.com/papers/download/bsi1-swsec.pdf
  • US National Security Agency: System Security Engineering CMM (SSE-CMM), http://www.sse-cmm.org/index.html
Web Services Composition
• Create complex applications on the fly from individual services
• BPEL4WS, WS-BPEL
• How to express security and reliability needs?
• How to verify that these needs are satisfied?
• How to resolve conflicts between business needs and security requirements?
Web Services Transactions
• Traditional database transaction management vs. SOA application needs
• How can we evaluate correct execution? ACID properties? Serializability?
• WS transaction framework:
  • Atomic (short-term) transactions
  • Business activity (long-term) transactions
• What are the security implications of WS transactions?
Service-Level Dependencies
• Old threats reappearing in a new context: deadlocks, denial of service, network flooding, etc.
• How to detect and prevent the occurrence of these threats?
• In a composition, independently developed services depend on each other
• No information about the internal processing of the workflow components
New Approaches to Improve Security and Reliability
• Develop criteria to evaluate the correctness of composite application execution
  • E.g., WS transactions: compensation-based transactions
• Increase reliability using redundant services
• Offer security as a service
• Develop defense models using distributed and collaborative components
  • E.g., detect malicious behavior based on collaborating nodes, verify execution correctness by comparing the outcomes of different services, deploy intelligent software decoys, etc.
Web Application Development Technologies
• SOA
• HTTP
• Web functionality
• Encoding schemes
SOA Types
• Service architecture
• Service composition architecture
• Service inventory architecture
• Service-oriented enterprise architecture
SOA Characteristics
• Business driven
• Vendor neutral
• Enterprise centric
• Composition centric
Service Architecture
• Where to implement the security?
• Revealing error messages?
• Access to protected resources?
Service Composition Architecture
• Complex composition?
• Changes and re-composition?
• Security design?
• Conflict between security and business goals?
• Proprietary vs. standardized development?
SOA Orientation Principles
• Standardized service contract
• Service loose coupling
• Service abstraction
• Service reusability
• Service autonomy
• Service statelessness
• Service discoverability
• Service composability
Service Inventory Architecture
• Common security measures?
• Range of potential consumers?
• Shared security policies vs. inference?
• Cross-domain service composition?
• Performance degradation?
Industry Standards
• XML
• XML Encryption
• XML Signature
• Canonical XML
• Decryption Transform for XML Signature
• WS-Security
• Security Assertion Markup Language (SAML)
SOA Service Communication
• Simple Object Access Protocol (SOAP)-based
• REST-based (no additional messaging layer)
• Communication over HTTP
The HTTP Protocol
• Hypertext Transfer Protocol
• Application layer
• Layered on top of TCP
• Client-server model
• Request-response communication
• Originally developed to retrieve static text-based resources
HTTP Request
• Request line:
  • HTTP method
  • Requested URL
  • HTTP version
  • E.g., GET /search?q=Web+Technologies HTTP/1.1
• Header lines:
  • Host, Referer, Cookie, User-Agent, Connection, etc.
• Request body
HTTP Response
• Status line:
  • HTTP version
  • Numeric status code indicating the result of the request
  • Text reason phrase describing the status of the response
• Header lines:
  • Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length
• Response body
Status Codes
• 1xx: informational
• 2xx: the request was successful
• 3xx: the client is redirected to a different resource
• 4xx: the request contains an error of some kind
• 5xx: the server encountered an error fulfilling the request
HTTP Methods
• GET: retrieves a resource
  • Sends parameters to the requested resource in the URL query string
  • Be aware! URLs are stored and displayed (logs, history, Referer); do not include sensitive data in the query string
• POST: performs an action
  • Request parameters are sent in the URL query string or in the message body
  • Be aware! Browsers warn when the Back button would resubmit a POST
• Other methods: HEAD, TRACE, PUT, etc.
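An added example (not from the slides) that parses a raw HTTP/1.1 request into request line, headers and body, then applies the GET warning above by flagging sensitive-looking parameter names that travel in the query string. The sample requests and the list of sensitive parameter names are constructed for this example.

```python
"""Parse a raw HTTP request and flag sensitive data carried in a GET query string.
Added example; the request samples and SENSITIVE names are constructed."""
from urllib.parse import parse_qs, urlsplit

# Parameter names treated as sensitive (assumed list for the example).
SENSITIVE = {"password", "passwd", "pwd", "token", "ssn", "creditcard", "session"}


def parse_request(raw: str) -> dict:
    """Split a raw request into method, target, version, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")      # blank line ends the headers
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)  # request line
    headers = {}
    for line in lines[1:]:                           # "Name: value" header lines
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def sensitive_query_params(req: dict) -> list:
    """Names of query-string parameters that look sensitive on a GET request.
    GET URLs end up in server logs, browser history and Referer headers."""
    if req["method"] != "GET":
        return []
    query = urlsplit(req["target"]).query
    return sorted(p for p in parse_qs(query, keep_blank_values=True)
                  if p.lower() in SENSITIVE)


# Constructed samples: the slides' search example, a risky login over GET,
# and the same login sent in a POST body (Content-Length 26 = len of body).
GOOD = ("GET /search?q=Web+Technologies HTTP/1.1\r\n"
        "Host: www.example.com\r\nUser-Agent: demo\r\nConnection: close\r\n\r\n")
RISKY = ("GET /login?user=alice&password=s3cret HTTP/1.1\r\n"
         "Host: www.example.com\r\nCookie: sid=abc123\r\n\r\n")
POSTED = ("POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
          "Content-Type: application/x-www-form-urlencoded\r\n"
          "Content-Length: 26\r\n\r\nuser=alice&password=s3cret")

if __name__ == "__main__":
    for raw in (GOOD, RISKY, POSTED):
        req = parse_request(raw)
        print(req["method"], req["target"], "->",
              sensitive_query_params(req) or "no sensitive query params")
```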
REST
• Representational State Transfer
• Request and response messages contain a representation of the current state of the system's resources
• HTTP conforms to the REST architecture
• REST-based web services are based on HTTP, not on SOAP
HTTPS
• HTTP tunneled through SSL
HTTP Proxies
• Using HTTP: the proxy is a man-in-the-middle
• Using HTTPS: the proxy is a pure TCP-level relay
HTTP Authentication
• Basic: sends user credentials as a Base64-encoded string in a request header
• NTLM: challenge-response using the Windows NTLM protocol
• Digest: challenge-response using an MD5 checksum of a nonce combined with the user's credentials
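An added example (not from the slides) contrasting the first and third schemes: Basic credentials are only Base64-encoded, so anyone who sees the header recovers them, while Digest sends an MD5 hash over a server nonce so the password itself never crosses the wire. The Digest computation follows the RFC 2617 form without the qop extension; the user name, realm, password and nonce are constructed values.

```python
"""Decode HTTP Basic credentials and compute/verify an HTTP Digest response.
Added example; all credential and nonce values are constructed."""
import base64
import hashlib
import hmac


def decode_basic(header: str) -> tuple:
    """Recover (user, password) from 'Basic <base64(user:password)>'.
    Base64 is an encoding, not encryption: this is why Basic needs HTTPS."""
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def _md5(text: str) -> str:
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, realm, password, method, uri, nonce) -> str:
    """Client side (RFC 2617, no qop): response = MD5(HA1:nonce:HA2) where
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_digest(stored_password, user, realm, method, uri, nonce, response) -> bool:
    """Server side: recompute from the stored secret and compare in constant time.
    A real server must also check that it issued this nonce and it is unexpired."""
    expected = digest_response(user, realm, stored_password, method, uri, nonce)
    return hmac.compare_digest(expected, response)


# Constructed sample values.
BASIC_HEADER = "Basic YWxpY2U6c2VjcmV0"   # base64("alice:secret")
NONCE = "n0nce-example-0001"              # constructed server nonce

if __name__ == "__main__":
    print(decode_basic(BASIC_HEADER))
    resp = digest_response("alice", "demo", "secret", "GET", "/dir/index.html", NONCE)
    print(resp, verify_digest("secret", "alice", "demo", "GET", "/dir/index.html", NONCE, resp))
```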
State and Session
• Client and server exchange and process data
• The application needs to maintain the state of each user's interactions
• Server side: a session structure
• Client side: state sent by the server, which must be protected from tampering
• HTTP is stateless: a token identifies the user's session
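An added example (not from the slides) of the client-side variant: the server hands the client a token carrying session state and an HMAC over it, so a token whose content was altered, signed under another key, or expired is rejected when it comes back. The key, user names and timestamps are constructed values.

```python
"""Tamper-protected session token for stateless HTTP. Added example; the key
and sample values are constructed for the demonstration."""
import base64
import hashlib
import hmac
import json

SERVER_KEY = b"constructed-demo-key-not-for-production"  # real key: secrets store


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, ttl: int, now: int, key: bytes = SERVER_KEY) -> str:
    """Server side: encode session state and sign it as '<payload>.<mac>'."""
    state = {"user": user, "exp": now + ttl}
    payload = _b64(json.dumps(state, separators=(",", ":")).encode())
    mac = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(mac)}"


def read_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Server side: return the session state, or None if the token is
    malformed, altered, signed with another key, or expired."""
    payload, _, mac = token.partition(".")
    if not mac:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, _unb64(mac)):  # constant time
            return None
        state = json.loads(_unb64(payload))
    except (ValueError, TypeError):
        return None
    return state if state.get("exp", 0) > now else None


def forged_token_rejected(now: int) -> bool:
    """Keep a genuine MAC but rewrite the payload to claim 'admin'; the MAC
    no longer matches, so the server refuses it."""
    genuine = issue_token("alice", 3600, now)
    forged_payload = _b64(json.dumps({"user": "admin", "exp": now + 3600}).encode())
    return read_token(forged_payload + "." + genuine.split(".")[1], now) is None


if __name__ == "__main__":
    tok = issue_token("alice", 3600, 1000)
    print(tok, read_token(tok, 1000), forged_token_rejected(1000))
```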
Functionality
• Server-side technologies:
  • Scripting languages
  • Web application platforms
  • Web server software
  • Databases
  • Back-end components
• Client-side technologies:
  • Browser extension technologies
WS Security Standards
• OASIS Web Services Security (WSS)
  • Integrity and authentication: sign SOAP messages
  • Confidentiality: encrypt SOAP messages
  • Attach security tokens
• Security tokens:
  • Security Assertion Markup Language (SAML) assertions
  • Kerberos tickets
  • User credentials
  • X.509 certificates
  • Custom-defined tokens
Next Class
• Mapping applications