850 likes | 1.01k Vues
Web Programming and Security. Lecture 1 Tamara Rezk. Web Applications. Distributed applications that run in a browser and distant servers. Network. Servers. Web Browsers. Web Applications = Multi-tiers applications. WEB SERVER. Server code. Client code. BROWSER. Database.
E N D
Web Programming and Security Lecture 1 Tamara Rezk
Web Applications Distributed applications that run in a browser and distant servers Network Servers Web Browsers
Web Applications = Multi-tiers applications WEB SERVER Server code Client code BROWSER Database DB MANAGEMENT SYSTEM
Complexity in Web 2.0 Apps Generate Generate Different programming languages; Multi-tier nature; Dynamic code generation XHR API Data query code Server code Client code DOM API How would my application behave? Thanks Zhengqin Luo for this slide
Importance of Protecting Web Apps Web applications everywhere in your life!!! • Important Information • Identity • Financial situation • Social lives • Security Requirements • Confidentiality • Integrity • Availability
Security problems • Availability violation • Confidentiality violation • Integrity violation
Availability security problems A service or resource is made unvailable
Integrity security problems Unauthorized modification of data (authenticity of data), and unauthorized execution of programs
Confidentiality problems Unauthorized disclosure of data
Web 1.0 Applications 1990: The static Web, Web 1.0 Info.cern.ch First Browser called WorldWideWeb
Web 1.0 Applications 1990: The static Web, Web 1.0 Apache HTTP Server
Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server
Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server
Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server
Web 1.0 Applications 1990: The static Web, Web 1.0 http://www.a.com Apache HTTP Server Technologies: Web Server (first: CERN httpd) Web Browser (first: WorldWideWeb browser) Protocol : HTTP Language:
HTTP: HyperText Transfer Protocol • Methods: GET, POST, PUT, DELETE … • GET: length limited, usually for requests, no side effects(not in practice) • POST: allows multiple requests, state-change, no cache • PUT: multiple idem requests as one request • DELETE: multiple idem requests as one request • HTTP No State: request/response - each request is independent • http_URL = "http:" "//" host [ ":" port ] [ abs_path [ "?" query ]] You can see headers with Firebug
HTTP: PRIVATE BROWSING? • Method: GET, you can see the parameters in the URL. A possible solution:
Phishing attacks www.paypal.com www.payoak.szm.sk • Be aware of URLs that are shown in the browser • or links that are clicked!
A phishing attack to MySpace In 2006, a worm altered links to direct MySpace users to evil websites
Phishing Solutions • Use https (created in 1994 by Netscape) • Verify carefully the URL • Browsers may have “black”lists
Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v
Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v parameters
Web 1.0 Applications 1993: The Web becomes less static http://www.a.com/foo?var=v Technologies: Web Browser, Web Server, HTTP , HTML CGI: Common Gateway Interface 1994: World Wide Web Consortium (W3C) http://validator.w3.org/
HTTP: Session Example http://www.buy.com see catalog http://www.buy.com/shopping.cfm?pID=269 select item http://www.buy.com/shopping.cfm?pID=269&item=40002 buy item http://www.buy.com/checkout.cfm?pID=269&item=40002 Since HTTP is stateless all session information is saved in the URL BAD PRACTICE!! It is better to use cookies Thanks Ricardo Corin for this slide
Integrity violation: Dansie Shopping Cart (2006) Why not to store sensitive information on the client side? <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps<BR>Price: $20.00<BR> <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> </FORM> Let’s see the form in action
Integrity violation: Dansie Shopping Cart (2006) Why not to store sensitive information on the client side? <FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl"> Black Leather purse with leather straps<BR>Price: $20.00<BR> <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse"> <INPUT TYPE=HIDDEN NAME=price VALUE="20.00"> <INPUT TYPE=HIDDEN NAME=sh VALUE="1"> <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg"> <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps"> <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart"> </FORM> it can be modified by the client at will! Security by obscurity is bad in general. HIDDEN FIELDS IS A BAD PRACTICE!! It is better to use cookies
HTTP : COOKIES A cookie resides in the disk and is created by the web browser
HTTP : COOKIES A cookie resides in the disk and is created by the web browser POST login.cgi (usr+pwd) HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read the cookie) ; expires = (when) ; … GET securepage.html Cookie: NAME=VALUE
HTTP : COOKIES • HTPP does not have state, cookies add state • Cookies are useful for: • Authenticacion • to know if a user has authenticate in the past • Personalization • recognize the user since last visit • Tracking • analyze the behaviour of the user
HTTP : COOKIES Only the site that creates the cookie can read it
HTTP : COOKIES set-cookie(“amount”,$amount); Content-type:text/html Cookie: Amount = 20$ To make it secure it is necessary to add a “MAC” (message-authenticatedcode) to the amount: Cookie: Amount = 20$; HMAC(ServerKey, 20)
Cross site request forgery (CSRF or XSRF) Transmits unauthorized commands from a user who has rightfully logged in to a website to the website.
Some Attack Methods • HTML MethodsIMG SRC <img src="http://host/?command">SCRIPT SRC <script src="http://host/?command">IFRAME SRC <iframe src="http://host/?command"> • JavaScript Methods'Image' Object <script> var foo = new Image(); foo.src = "http://host/?command"; </script>
Attack to GMail : January 2007 Google Docs didn’t check what page requests your contact list. If you are logged in on window 1, window 2 (an evil site) can make the function call and get the contact list as an object. Since you are logged in somewhere, your cookie is valid and the request goes through. Let’s have a cookie together!
Prevention • Server side: • add a secret that the attacker cannot guess • re-authenticate for critical operations • User side: • logging off one site before using others
Web 1.0 Applications 1995: Php, and Javascript is born http://www.a.com/foo?var=v Contains Javascript programs Technologies: Web Browser, Web Server, HTTP , HTML CGI: Common Gateway Interface Javascript
Web 1.0 Applications Php example <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <?php $name = “Hello World!"; ?> <html xmlns = "http://www.w3.org/1999/xhtml"><head> <title>A simple PHP document</title> </head> <body style = "font-size: 2em"> <p> <strong> First PHP program, <?php print( "$name" ); ?>! </strong> </p> </body></html> let’s see how the generated page looks like
Javascript • Execute code on the client side • Intepreted language, dymamically typed • ECMAScript standard
Syntax of Javascript is not weird,but its semantics sometimes is function fac(x) { if (x <= 1) { return 1; } return x*fac(x-1); } Let’s see it in Chrome
Embedding Javascript External Javascript File <body> ... <script type="text/javascript" src=“myCode.js" /> <script type="text/javascript"> //<![CDATA[ alert("Page is loading"); //]]> </script> <p onclick="alert('I told you not to click on me!');"> Please do not click on this text.</p> ... </body> Inline Code Event Handler All scripts will share the memory (see Example .js)
Method Example var o = new Object(); o.count = 0; o.increment=function(inc) { if (inc == undefined) { inc = 1; } this.count += inc; return this.count; } Let’s inspect the object in Google Chrome