Web security

Introduction to Computer Security

Book Title: Computer Security: Art and Science, 2nd edition
Authors: Matt Bishop, Elisabeth Sullivan, and Michelle Ruppel
Institution: Montclair State University

The Evolution of Web Applications

  • Early days of the Internet:

    • The World Wide Web consisted only of static documents.

    • One-way flow of information from server to browser.

    • User authentication was often unnecessary.

Current State of Web Applications

  • Today's websites:

    • Majority are complex applications with two-way flow of information between server and browser.

    • Functions include registration, login, financial transactions, user-generated content, and handling sensitive information.

Security Threats in Web Applications

  • Each application tends to have its own unique vulnerabilities.

  • Many developers lack a full understanding of security challenges.

  • Applications connect to internal systems holding sensitive data.

Common Web Application Functions

  • Notable functions:

    • Shopping (e.g., Amazon)

    • Social Networking (e.g., Facebook)

    • Banking (e.g., Citibank)

    • Web Search (e.g., Google)

    • Online Auctions (e.g., eBay)

    • Gambling (e.g., Betfair)

    • Blogging (e.g., Blogger)

    • Webmail (e.g., Gmail)

    • Interactive Information (e.g., Wikipedia)

Adoption of Web Applications in Organizations

  • Utilized for HR applications, infrastructure management, collaboration tools, business applications, and services like email.

Benefits of Web Applications

  • The HTTP protocol is lightweight and every user already has a browser, which makes web applications easy to access and engage with.

  • Modern browsers support rich UIs and functionalities; core development technologies are user-friendly.

Web Application Security Evolution

  • The kinds of defects found have shifted over time; new attacks keep emerging after applications are built, typically aimed at exposing sensitive data or gaining access to backend systems.

"This Site Is Secure"

  • Despite SSL technology and PCI scans, many web applications remain insecure.

Common Security Vulnerabilities

  • Major vulnerabilities include:

    • Broken Authentication (62%): Weak passwords, brute-force attacks, and login bypass.

    • Broken Access Controls (71%): Unauthorized access to data or functions because of insufficient protection.

    • SQL Injection (32%): Crafted input alters the application's interaction with its database.

    • Cross-Site Scripting (XSS) (94%): Attacks that target the application's other users through the application itself.

    • Information Leakage (78%): The application reveals sensitive data that assists an attacker.

    • Cross-Site Request Forgery (CSRF) (92%): Users are induced to perform unintended actions within the application.

SSL and Security Limitations

  • SSL provides data confidentiality, integrity, and server identity authentication but cannot prevent attacks targeting server or client components.

Core Security Problem: Input Submission

  • Applications must treat all user input as potentially malicious, since anything submitted by the client can be manipulated before it arrives.

Majority of Attacks

  • Most attacks rely on crafted input: altering transaction data, modifying session tokens, removing parameters, and injecting queries.
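An added example (not from the slides) of the server-side stance these two sections call for: a checkout handler that treats every submitted parameter as untrusted, so a tampered price, a removed parameter, a forged session token or an out-of-range quantity is rejected rather than honoured. The catalogue, session store and parameter names are constructed for the example.

```python
"""Server-side handling of a checkout form (added example; data is constructed)."""
from urllib.parse import parse_qs

# The server, not the client, is the authority on prices and on who is logged in.
CATALOGUE = {"sku-100": 1999, "sku-200": 4999}  # constructed prices, in cents
SESSIONS = {"tok-constructed-1": "alice"}        # constructed server-side session store
MAX_QTY = 10
EXPECTED = {"sku", "qty", "session"}             # allow-list of accepted parameters


class InvalidRequest(ValueError):
    """Raised for any submission that does not match what the server expects."""


def parse_form(body: str) -> dict:
    # parse_qs returns a list per key; a repeated key is ambiguous, so reject it.
    fields = parse_qs(body, keep_blank_values=True)
    repeated = sorted(k for k, v in fields.items() if len(v) != 1)
    if repeated:
        raise InvalidRequest(f"repeated parameter(s): {repeated}")
    return {k: v[0] for k, v in fields.items()}


def checkout(body: str) -> dict:
    form = parse_form(body)
    # Exact allow-list: a dropped parameter cannot skip a check, and an extra
    # one (a client-supplied 'price', say) is never silently honoured.
    if set(form) != EXPECTED:
        raise InvalidRequest(f"expected {sorted(EXPECTED)}, got {sorted(form)}")
    user = SESSIONS.get(form["session"])
    if user is None:
        raise InvalidRequest("unknown session token")
    sku = form["sku"]
    if sku not in CATALOGUE:
        raise InvalidRequest("unknown sku")
    qty_text = form["qty"]
    if not qty_text.isdigit() or not 1 <= int(qty_text) <= MAX_QTY:
        raise InvalidRequest(f"qty must be an integer from 1 to {MAX_QTY}")
    qty = int(qty_text)
    # The total is recomputed from the catalogue, never taken from the request.
    return {"user": user, "sku": sku, "qty": qty, "total_cents": CATALOGUE[sku] * qty}
```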

Key Problem Factors in Security

  • Underdeveloped security awareness and lack of focus during custom development.

Deceptive Simplicity & Other Problematic Factors

  • Functional code may compromise security; resource constraints hinder security investments; legacy technologies complicate security measures.

HTTP Protocol Overview

  • Core communication protocol of the web: a message-based request-response model in which each request and its response form a separate transaction, so the protocol itself is connectionless.

Understanding HTTP Requests & Response Structure

  • HTTP requests contain method, URL, and version; responses include status code and reason phrase.
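The request and response structure described above, parsed by an added example (not code from the slides): a small parser that splits a raw HTTP/1.x message into its start line, headers and body, and classifies a status code by its first digit. The sample messages are constructed.

```python
"""Parse raw HTTP/1.x requests and responses (added example, not from the slides)."""


def _split_message(raw: bytes):
    # Head and body are separated by a blank line; header lines are ISO-8859-1.
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete message: no blank line after the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        # Header names are case-insensitive, so normalise them for lookup.
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body


def parse_request(raw: bytes) -> dict:
    start, headers, body = _split_message(raw)
    parts = start.split(" ")  # request line: method, URL, version
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"malformed request line: {start!r}")
    return {"method": parts[0], "url": parts[1], "version": parts[2],
            "headers": headers, "body": body}


def parse_response(raw: bytes) -> dict:
    start, headers, body = _split_message(raw)
    parts = start.split(" ", 2)  # the reason phrase may contain spaces or be empty
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {start!r}")
    return {"version": parts[0], "status": int(parts[1]),
            "reason": parts[2] if len(parts) == 3 else "",
            "headers": headers, "body": body}


def status_class(code: int) -> str:
    # The first digit gives the category: 1xx informational ... 5xx server error.
    names = {1: "informational", 2: "success", 3: "redirection",
             4: "client error", 5: "server error"}
    return names.get(code // 100, "unknown")


# Constructed sample messages, as they would appear on the wire.
SAMPLE_REQUEST = (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n"
                  b"Content-Length: 27\r\n\r\nusername=alice&password=pw1")
SAMPLE_RESPONSE = (b"HTTP/1.1 302 Found\r\nLocation: /home\r\n"
                   b"Set-Cookie: session=abc123; HttpOnly\r\n\r\n")
```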

Important HTTP Methods

  • GET for retrieving resources; POST for performing actions and for submitting sensitive data, which should not be carried in the URL.

  • Other methods include HEAD, OPTIONS, PUT, and TRACE.

URL Structure & RESTful Architecture

  • The structure of URLs, including REST-style URLs that carry parameters in the path, influences how an application is attacked.

Cookies & Attributes

  • Cookies let the server store data on the client; each cookie carries attributes such as its expiry and security-related flags.
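An added example (not from the slides) of checking the cookie attributes just mentioned: a Set-Cookie parser and an audit function for cookies that carry a session token, flagging a missing Secure or HttpOnly flag, a weak or absent SameSite setting, and an expiry longer than an assumed 30-day policy. The sample headers and the policy limit are constructed for the example.

```python
"""Audit the attributes on a Set-Cookie header (added example, not from the slides)."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_SESSION_LIFETIME = 30 * 24 * 3600  # assumed policy: session tokens live at most 30 days


def parse_set_cookie(header: str) -> dict:
    # The first pair is name=value; the rest are attributes with case-insensitive names.
    first, *attrs = [p.strip() for p in header.split(";")]
    name, eq, value = first.partition("=")
    if not eq or not name.strip():
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    attributes = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        attributes[key.strip().lower()] = val.strip() if val else True  # bare flags -> True
    return {"name": name.strip(), "value": value, "attributes": attributes}


def audit_session_cookie(header: str, now: datetime = None) -> list:
    """Return findings for a cookie that carries a session token; [] means it passes."""
    now = now or datetime.now(timezone.utc)
    attrs = parse_set_cookie(header)["attributes"]
    findings = []
    if "secure" not in attrs:
        findings.append("missing Secure: the cookie is also sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append("missing HttpOnly: the cookie is readable by script in the page")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True or samesite.lower() == "none":
        findings.append("SameSite absent or None: the cookie is sent on cross-site requests")
    # Expiration: Max-Age takes precedence over Expires when both are present.
    lifetime = None
    if isinstance(attrs.get("max-age"), str) and attrs["max-age"].lstrip("-").isdigit():
        lifetime = int(attrs["max-age"])
    elif isinstance(attrs.get("expires"), str):
        try:
            lifetime = (parsedate_to_datetime(attrs["expires"]) - now).total_seconds()
        except (TypeError, ValueError):
            findings.append("Expires is not a valid HTTP date")
    if lifetime is not None and lifetime > MAX_SESSION_LIFETIME:
        findings.append("lifetime exceeds policy: a stolen token stays valid for too long")
    return findings


# Constructed sample headers: a weak setting beside the corrected one.
WEAK = "session=abc123; Path=/; Expires=Fri, 01 Jan 2100 00:00:00 GMT"
HARDENED = "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax; Max-Age=3600"
```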

Status Code Categories & Examples

  • Status codes indicate request outcomes, with categories ranging from informational (1xx) to server error (5xx).

Transition to HTTPS

  • HTTPS runs HTTP over SSL/TLS so that data in transit, which plain HTTP over TCP sends unencrypted, is protected from being read or modified on the network path.

Client-Side Functionality & Technologies

  • Involves various technologies (e.g., JavaScript, HTML) for interactivity and data processing.

Summary

This document covers various aspects of web application security, including the historical evolution of web applications, current vulnerabilities, and security challenges. A range of functions associated with web applications, their adoption in organizations, and the benefits they provide is also discussed. Common security vulnerabilities are highlighted, along with the limitations of SSL/TLS. HTTP protocols are explained, detailing request and response structures alongside various HTTP methods and status codes. The document emphasizes the importance of treating user input as potentially harmful and outlines the necessity for robust security practices. Overall, the key focus is on understanding how to secure web applications amidst evolving threats and technology changes.