Web Application Security - SEIDENBERG SCHOOL...
Web Application Security
Li-Chiou Chen
Seidenberg School of Computer Science and
Information Systems
Pace University
March 1st, 2013
What device do you use to surf the web?
© Li-Chiou Chen, Pace University 2
What software do you use to surf the web?
What are things you do on the web?
Which network protocol do you use to surf the web?
HTTP (Hypertext Transfer Protocol)
[Diagram: a browser (IE, Firefox, or others) exchanging messages with the server www.example.com]
Client: Hello! Please send me the file specified in the URL
Server: OK. Here is your file
HTTP is an application layer protocol for browsers and servers to communicate with each other
HTML (Hypertext Markup Language)
HTML is the language used to display web contents; it is carried as the data in the HTTP communications
A browser interprets HTML and displays the contents specified by HTML
Web Application Architecture
[Diagram: Web Browser/App <-HTTP-> Web Server <-HTTP-> Application Server (ASP/Servlet/JSP) <-> DBMS, carried over TCP/IP across the Internet]
Sources: Dr. Lixin Tao/Web security lectures
Common Threats to Web Applications
Malware or Spyware
Phishing
Weak Authentication
SQL injection, cross site scripting, cross site request forgery, etc.
How to determine if a web site is legitimate?
How to determine if a web site is legitimate
Make sure that the web address is correct
Google it or type it yourself
Do not click on links in emails
Use browser security features
Firefox has more default security settings than IE
Use HTTPS encryption for sensitive information
Verify the site using the security padlock
Pay attention to browser warnings
Make sure that the web address is correct
Google it or type it yourself
Do not click on links in emails
Uniform Resource Locator (URL)
An address for uniquely identifying a web resource, such as a web page or a Java object, on the Internet
An example: http://www.pace.edu/pace/
http is the application layer protocol for communications
www.pace.edu is the web server domain name
pace is the directory name
This URL points to a default.html under the pace directory
Which one of the following is a fake URL?
http://www.citicards.com.chilli.net
http://129.20.1.2/www.citicards.com/
http://paybill.center.net/citicards/
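The URL checks the quiz above asks the reader to do by eye (where does the brand name sit, is the host a bare IP address, is the connection encrypted), as an added Python example that is not part of the original deck. The candidate list is constructed from the slide, and the expected domain citi.com is taken from the deck's later HTTPS slide; the registrable-domain helper assumes a plain name.tld suffix.

```python
from urllib.parse import urlsplit
import ipaddress

# Constructed input: the three candidate URLs from the quiz slide plus the
# genuine site name the deck shows later (www.citicards.citi.com).
CANDIDATES = [
    "http://www.citicards.com.chilli.net",
    "http://129.20.1.2/www.citicards.com/",
    "http://paybill.center.net/citicards/",
    "https://www.citicards.citi.com/",
]

def registrable_domain(host):
    """Owner-controlled part of the name: the last two labels.
    Assumption: a plain 'name.tld' suffix; production code would consult
    the Public Suffix List so that e.g. 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def analyze(url, expected_domain, brand):
    """Report why a URL does or does not belong to expected_domain."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    findings = []
    if is_ip_literal(host):
        domain = host
        findings.append("host is a bare IP address, not the site's domain name")
    else:
        domain = registrable_domain(host)
        if domain != expected_domain:
            findings.append(f"registrable domain is {domain}, not {expected_domain}")
            if any(brand in lbl for lbl in host.lower().split(".")[:-2]):
                findings.append(f"'{brand}' appears only as a subdomain of {domain}")
    if domain != expected_domain and brand in parts.path.lower():
        findings.append(f"'{brand}' appears only in the path, which anyone can name")
    if parts.scheme != "https":
        findings.append("not https: the connection is not encrypted")
    return {"host": host, "domain": domain, "findings": findings, "ok": not findings}

def classify_all(urls=CANDIDATES, expected_domain="citi.com", brand="citi"):
    return {u: analyze(u, expected_domain, brand) for u in urls}

if __name__ == "__main__":
    for url, r in classify_all().items():
        print(("OK      " if r["ok"] else "SUSPECT ") + url)
        for f in r["findings"]:
            print("         -", f)
```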
Use Browser Security Settings
Activity I: Examine Browser Security Settings
Open Firefox
Tools / Options / Security for the blacklist
Tools / Options / Privacy for cookie control
Use HTTPS encryption for sensitive information
“https” indicates that the content is encrypted
www.citicards.citi.com is the domain name (or site name)
Verify the site using the security padlock
The security padlock: click it to see the web certificate
You need to double click the padlock to verify it
This verifies that www.citicards.citi.com is owned by Citigroup Inc.
VeriSign, Inc. verifies this information
This indicates that the content is encrypted
The content of the web certificate
Activity II: Examine Web Certificate
Go to a site that uses encryption such as www.google.com
Click on the security padlock (the lock preceding https)
Click on More Information to see the web certificate
Click on View Certificate to see the certificate
Click on View Cookie to see the cookies used by the site
Pay attention to browser warnings
I Understand the Risks? Add Exception?
Confirm Security Exception? View Certificate?
Is this really Google’s Certificate ?
Come on! I just want to go on with my life
Confirm Security Exception!
Your secure web transactions are not secure now!
Man in the Middle
[Diagram: the man in the middle intercepts the server's certificate and presents a fake certificate to the browser]
![Page 29: Web Application Security - SEIDENBERG SCHOOL …csis.pace.edu/~lchen/pcap13/WebApplicationSecurity_PCAP.pdfWeb Application Architecture Internet TCP/IP DBMS Web Browser/App HTTP HTTP](https://reader035.fdocuments.in/reader035/viewer/2022063015/5fd2ab71496b096fa00777dd/html5/thumbnails/29.jpg)
Real vs Fake Certificate
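What the padlock dialog from slides 19 and 21 actually checks, and why the fake certificate of the man-in-the-middle slides (and an intercepting proxy on an HTTPS site) triggers the browser warning, as an added Python example that is not part of the original deck. It works on dictionaries in the shape Python's ssl getpeercert() returns; both sample certificates and the trusted-issuer set are constructed stand-ins, with the owner and verifier names taken from the deck's screenshot.

```python
import socket
import ssl
import time
# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; the
# values imitate the deck's padlock dialog and are not a real certificate.
GENUINE_CERT = {
    "subject": ((("organizationName", "Citigroup Inc."),),
                (("commonName", "www.citicards.citi.com"),)),
    "issuer": ((("organizationName", "VeriSign, Inc."),),),
    "subjectAltName": (("DNS", "www.citicards.citi.com"), ("DNS", "*.citi.com")),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
# Constructed: what an intercepting proxy (the deck's man in the middle)
# presents for www.google.com, signed by its own CA rather than a trusted one.
PROXY_CERT = {
    "subject": ((("commonName", "www.google.com"),),),
    "issuer": ((("organizationName", "local proxy CA (constructed)"),),),
    "subjectAltName": (("DNS", "www.google.com"),),
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}
TRUSTED_ISSUERS = {"VeriSign, Inc."}  # stand-in for the browser's root store

def _rdn(cert, field, attr):
    """Pull one attribute (e.g. organizationName) out of a subject/issuer."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None

def name_matches(pattern, host):
    """Hostname match where a leading '*' may stand in for the leftmost label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    return len(p) == len(h) and all(
        a == b or (i == 0 and a == "*") for i, (a, b) in enumerate(zip(p, h)))

def check_cert(cert, host, now=None, trusted=TRUSTED_ISSUERS):
    """Reproduce what the padlock dialog reports: owner, verifier, problems."""
    now = time.time() if now is None else now
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names.append(_rdn(cert, "subject", "commonName"))
    issuer = _rdn(cert, "issuer", "organizationName")
    problems = []
    if not any(n and name_matches(n, host) for n in names):
        problems.append(f"certificate was not issued for {host}")
    if issuer not in trusted:
        problems.append(f"issuer '{issuer}' is not trusted: possible interception")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    return {"owner": _rdn(cert, "subject", "organizationName"),
            "verified_by": issuer, "problems": problems, "trusted": not problems}

def fetch_cert(host, port=443):
    """Live variant: fetch the real dictionary for check_cert (needs network)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

A browser does the same three checks against its own root store before showing the padlock; clicking "Confirm Security Exception" tells it to skip the issuer check, which is exactly what lets the proxy's fake certificate through.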
Activity III: Intercept/View Web Transactions
We will use a web proxy program, Burp Suite, to cache and view your web transactions
Download the software from http://www.portswigger.net/burp/downloadfree.html
Save it on your computer desktop (it is a Java program)
Double click on the program to run it.
Setting up Proxy
Click on Proxy / Options
Uncheck "intercept requests based on the following rules"
Click on the History tab to wait for web traffic
Setup Browser Proxy Configuration
Open Firefox
Tools / Options / Advanced / Network / Settings
Check "Manual Proxy Configuration"
HTTP Proxy: 127.0.0.1 Port: 8080
Check "Use this proxy server for all protocols"
Intercept and view web transactions
In Firefox, browse www.pace.edu
On your proxy History tab, you should be able to see the transactions that are cached
Click on one of them to see the contents
Try an HTTPS site
Browse www.google.com
What happened?
Clean Up
Click Exit to close Burp Suite when you are done.
Open Firefox
Tools / Options / Advanced / Network / Settings
Check "No Proxy"
Click OK
Activity IV: Watch Phishing Video
DoD DISA video on Phishing
http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm
Questions / Comments