1 / 34

Web Application Security

Web Application Security. Reading. Required: Stuttard and Pinto: Chapter 3 Recommended: Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431. http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf. Key Problem Factors.

leopoldoa
Télécharger la présentation

Web Application Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web Application Security Computer Science and Engineering

  2. Reading • Required: • Stuttard and Pinto: Chapter 3 • Recommended: Csilla Farkas, Michael N. Huhns: Securing Enterprise Applications: Service-Oriented Security (SOS). CEC/EEE 2008: 428-431. http://www.cse.sc.edu/~farkas/publications/SOS-cec.pdf Computer Science and Engineering

  3. Key Problem Factors • Underdeveloped security awareness • Custom development • Deceptive simplicity • Resource and time constraints • Overextended technologies • Increased demands on functionality Computer Science and Engineering

  4. New Security Perimeter • Before web applications: • Network perimeter protection (DMZ) • Firewall • With web applications: • Firewall must allow access to the application server • Server may connect to back-end systems • Back-end system is behind several layers of defensive technologies • Web application vulnerability may allow the attacker to access back-end system Computer Science and Engineering

  5. Demilitarized Zone (DMZ) • Perimeter Service: • Operates at application layer • Work in conjunction with existing firewall technologies • Hide internal application details • External customer: corresponds with the perimeter service’s external contracts • Internal application: response is relayed to the customer by the perimeter service

  6. How to handle Vulnerable Applications? • Honest users may use compromised applications • Compromised applications allow malicious attacker to access the victim’s back-end system • Malicious user gains privileges of the victimized user • Client-side attacks • Weakness of authentication via email notifications (e.g., forgotten password) Computer Science and Engineering

  7. Web Application Security Layered security: • Software-level (single service) security • Business-level (service composition) security • Network-level security Computer Science and Engineering

  8. Application Development • Inherent Security of Applications • Security granularity Security Software  Software Security Computer Science and Engineering

  9. Secure Software Development • Develop software that is free of flaws • Software engineering – functional requirements • Security, reliability, QoS – non-functional requirements • Protect against malicious code • Reading: • G. McGraw, Software Security , http://www.cigital.com/papers/download/bsi1-swsec.pdf • US National Security Agency: System Security Engineering CMM (SSE CMM), http://www.sse-cmm.org/index.html Computer Science and Engineering Computer Science and Engineering 9

  10. Web Services Composition • Create complex applications on the fly from individual services • BPEL4WS, WSBPEL • How to express security and reliability needs? • How to verify that these needs are satisfied? • How to resolve conflict between business needs and security requirements? Computer Science and Engineering

  11. Web Services Transactions • Traditional database transaction managements vs. SOA application needs • How can we evaluate correct execution? ACID properties? Serializability? • WS transaction framework: • Atomic (short-term) transactions • Business activity (long-term) transactions • What are the security implications of WS transactions? Computer Science and Engineering

  12. Service-Level Dependencies • Old threats reappearing in new context: deadlocks, denial-of-service, network flooding, etc. • How to detect and prevent the occurrence of these threats? • In composition, independently developed services are dependent on each other • No information about internal processing of the workflow components Computer Science and Engineering

  13. New Approaches to Improve Security and Reliability • Develop criteria to evaluate correctness of composite application execution • E.g., WS transactions: compensation-based transactions • Increase reliability using redundant services • Offer security as service • Develop defense models using distributed and collaborative components • E.g., detect malicious behavior based on collaborative nodes, verify execution correctness by comparing outcome of different services, deploy intelligent software decoy, etc. Computer Science and Engineering

  14. Web Application Development Technologies • SOA • HTTP • Web Functionality • Encoding Schemes Computer Science and Engineering

  15. SOA Types • Service Architecture • Service Composition Architecture • Service Inventory Architecture • Service-Oriented Enterprise Architecture Computer Science and Engineering

  16. SOA Characteristics • Business driven • Vendor neutral • Enterprise centric • Composition centric Computer Science and Engineering

  17. Service Architecture • Where to implement the security? • Revealing error messages? • Access to protected resources? Computer Science and Engineering

  18. Service Composition Architecture • Complex composition? • Changes and re-composition? • Security design? • Conflict between security and business goals? • Proprietary vs. standardized development? Computer Science and Engineering

  19. SOA Orientation Principles • Standardized service contract • Service lose coupling • Service abstraction • Service reusability • Service autonomy • Service statelessness • Service discoverability • Service composability Computer Science and Engineering

  20. Service Inventory Architecture • Common security measures? • Range of potential consumers? • Shared security policies vs. inference? • Cross-domain service composition? • Performance degradation? Computer Science and Engineering

  21. Industry standards • XML • XML encryption • XML Signature • Canonical XML • Decryption Transformation for XML Signature • WS-Security • Security Assertion Markup Language (SAML) Computer Science and Engineering

  22. SOA Service Communication • Simple Object Access Protocol (SOAP)-based • REST based (no additional messaging layer) • Communication over HHTP Computer Science and Engineering

  23. The HTTP Protocol • Hyper Text Transfer Protocol • Application layer • Layered on top of TCP • Client Server Model • Request-response communication • Originally developed to retrieve static text-based resources Computer Science and Engineering

  24. HTTP Request • Request line • HTTP method • Requested URL • HTTP version E.g., GET /search?q= Web+Technologies HTTP/1.1 • Header lines • Host, Referer, Cookie, User-Agent, Connection, etc. • Request body Computer Science and Engineering

  25. HTTP Response • Status line • HTTP version • Numeric status call indicating the result of the request • Txt reason phrase describing the status of the response • Header lines • Server (web server software), Pragma (for the browser), Expires (content), Content-Type, Content-Length • Response body Computer Science and Engineering

  26. Status Codes • 1xx – Informational • 2xx – the request was successful • 3xx – the client is redirected to a different resource • 4xx – the request contains an error of some kinds • 5xx – the server encountered an error fulfilling the request Computer Science and Engineering

  27. HTTP Methods • GET – retrieves a resources • Send parameters to the requested resource • Be Aware! URLs are stored and displayed -> do not include sensitive data in the query string • POST – performs an action • Request parameters sent in the URL query string or in message body • Be Aware! Back button use  warning • Other methods: Head, Trace, Put, etc. Computer Science and Engineering

  28. REST • Representational State Transfer • Request and response messages contain representation of the current state of the system’s resources • HTTP conforms to the REST architecture • REST-based web services • Based on HTTP not on SOAP Computer Science and Engineering

  29. HTTPS • HTTP tunneled through SSL • HTTP Proxies • Using HTTP • Using HTTPS • Proxy is a man-in-the-middle • Pure TCP level relay Computer Science and Engineering

  30. HTTP Authentication • Basic: sends user credentials as a Base64-encoded string in a request header • NTLM: Challenge-response using Windows NTLM protocol • Digest: challenge-response using MD5 and checksum of a nonce with the user’s credentials Computer Science and Engineering

  31. State and Session • Client and server exchange and process data • Application needs to maintain the state of each user interactions • Server side structure: session • Client side: sent by the server and protected from tampering • Stateless HTTP  token to identify user sessions Computer Science and Engineering

  32. Functionality • Server side technologies: • Scripting languages • Web application platform • Web server software • Databases • Back-end components • Client-side technologies: • Browser Extension technologies Computer Science and Engineering

  33. WS Security Standards • OASISWeb Services Security (WSS) • Integrity and authentication: sign SOAP msgs. • Confidentiality: encrypt SOAP msgs. • Attach security tokens • Security tokens • Security Assertion Markup Language (SAML) assertions • Kerberos tickets • User credentials • X.509 certificate • Custom defined tokens Computer Science and Engineering

  34. Next Class • Mapping Applications Computer Science and Engineering

More Related