Introduction to Web Security
kamil-lelonek
Transcript of Introduction to Web Security
Web Security
• What is security in web app context?
• Authentication vs Authorization
• „Standard” way - Stateful
• „Modern” way - Stateless
• Cookies and Tokens
• Double and 2-step verification
• Useful libraries
• Summary
What is Security?
• practice of defending information from unauthorized access
• keeping all valuable information away from unprivileged users
• protecting data from leaking outside the company
• storing confidential information only for provisioned roles
Authorization vs Authentication
Unauthorized
Forbidden
Session
• Storing data on the server side
• Client passes back only an id
• Server knows which user it is talking to
• Lasts from the user's first visit on the page and is kept for some time after his last activity (request)
• It is almost impossible to know that the user left the page
• In most servers, sessions expire after a particular period
RESTful
• The whole state needs to be held by the client, not the server
• State is transferred in every request to relieve the server from remembering it
• An ideal RESTful service allows clients to perform any needed task in one request
Stateless?
Actually, there is a state!
When it comes to authentication, some information has to stay on the server side for security reasons
And what about cookies?
• If cookies are used to maintain state at the client side, for the client, of the client and by the client, then they are RESTful.
• For clients other than browsers, managing cookies is a pretty big inconvenience compared to query params
• However, in a browser, using cookies can make lots of things much simpler
• The API should first look in the Authorization header for the authentication data (the place for non-browser clients) and, if the authentication data is missing, may also check for a session cookie
• When we are the only developers creating apps that access our web service, we can depend on cookies and implement cookie mechanisms in our applications
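The lookup order from the slide (Authorization header first, session cookie as fallback) together with a stateless signed token, as an added example that is not part of the original talk. The `headers`/`cookies` hashes, the `session_token` cookie name, the `Bearer` scheme and the HMAC-based token format are assumptions made for this example; the HMAC secret is the one piece of state that stays on the server, which is the point made on the "Stateless?" slide.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Server-side secret: constructed sample value for this example only.
SERVER_SECRET = 'example-secret-do-not-use-in-production'

# Issue a stateless token: base64url(JSON payload) + "." + HMAC-SHA256 tag.
# The client holds the whole state; the server only needs the secret to check it.
def issue_token(user_id, ttl_seconds, secret: SERVER_SECRET, now: Time.now.to_i)
  payload = Base64.urlsafe_encode64(JSON.generate(uid: user_id, exp: now + ttl_seconds), padding: false)
  tag = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  "#{payload}.#{tag}"
end

# Constant-time string comparison so a tag check does not leak via timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a token; returns the user id, or nil if the tag is wrong or the token expired.
def verify_token(token, secret: SERVER_SECRET, now: Time.now.to_i)
  payload, tag = token.to_s.split('.', 2)
  return nil if payload.nil? || tag.nil?
  expected = OpenSSL::HMAC.hexdigest('SHA256', secret, payload)
  return nil unless secure_equal?(tag, expected)
  data = JSON.parse(Base64.urlsafe_decode64(payload))
  return nil if data['exp'].to_i <= now
  data['uid']
rescue ArgumentError, JSON::ParserError
  nil
end

# Authorization header first (non-browser clients), then the session cookie (browsers).
def extract_token(headers, cookies)
  auth = headers['Authorization'].to_s
  return auth.sub(/\ABearer /, '') if auth.start_with?('Bearer ')
  cookies['session_token']
end

# Returns the authenticated user id or nil; both transports end in the same verification.
def authenticate(headers, cookies, now: Time.now.to_i)
  token = extract_token(headers, cookies)
  token && verify_token(token, now: now)
end
```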
Diagram (token-based flow): Login, Token, Request, Response, Data, DB
Use the new TLS!
• Asymmetric cryptography
• Secure data between connection endpoints
• Client encrypts data, Server decrypts it
• Protects from MITM
Multi-factor authentication
Token +
• IP
• User Agent
• SMS
• Biometric
• Face
• Electronic signature
• Codes from card
Cross-Site Scripting
https://xss-game.appspot.com/
https://github.com/gbirke/Sanitize.js
2-step verification
Useful GEMs for Rails
• the_role | https://github.com/the-teacher/the_role
Defines which resources are available for which role (group of users)
Roles and permissions are declared with JSON and stored in the DB
Access can be managed from an administrative panel within our web app
• declarative_authorization | https://github.com/stffn/declarative_authorization
The developer needs to specify which roles are allowed to access a specific controller action or a part of a view
Authorization at controller, model or view level
DSL for specifying authorization rules
• devise | https://github.com/plataformatec/devise
Complete MVC solution based on the modularity concept
Offers a complete session model for authentication
Provides generators for scaffolding the authorization skeleton
https://oauth.io/home
https://auth0.com/