Web Security: Web Application Defense Mechanism (I)
The document discusses core defense mechanisms for web applications:
1) It outlines handling user access to prevent unauthorized access through proper authentication, session management, and access control.
2) It covers handling user input to prevent malformed input from causing issues, including approaches like rejecting known bad inputs, accepting known good inputs, sanitization, and safe data handling.
3) It mentions validating user input at boundaries within each component of the server-side application rather than just the client-side or server-side overall.
Web Security
Lecture: Web Application Defense Mechanism (I) – Core Defense Mechanisms

Know who your enemy is

The following are defense mechanisms employed by web applications:
– Handling user access to the application's data and functionality, to prevent users from gaining unauthorized access
– Handling user input to the application's functions, to prevent malformed input from causing undesirable behavior
– Handling attackers, to ensure that the application behaves appropriately when being directly targeted, taking suitable defensive and offensive measures to frustrate the attacker
– Managing the application itself, by enabling administrators to monitor its activities and configure its functionality

Handling User Access

There are often many different types of users of a web site:
– Anonymous users
– Ordinary authenticated users
– Administrative users
The access each type of user has is based on three components:
– Authentication
– Session management
– Access control
A defect in any one of the above components may enable an attacker to gain unrestricted access to the application's functionality and data.

User Access Security Components

Authentication
– Establishing that a user is in fact who he claims to be.
– Most applications use a username and password.
– Attackers can identify other users' usernames, guess their passwords, or bypass the login function altogether by exploiting defects in its logic.

Session Management
– The web application issues an authenticated user a token that identifies the session, because the data in the session is stored on the server.
– Attackers attempt to compromise the tokens issued to other users, either by guessing those tokens or by capturing them.

Access Control
– Authenticated users may only be able to access specific areas of a site, such as only being able to read their own email after logging in successfully.
– Attackers can gain unauthorized access to data and functionality by exploiting flawed assumptions that programmers have made about how users will interact with the application.

Handling User Input

Approaches to Input Handling
– Reject Known Bad: match literal strings that are known to be used in attacks.
– Accept Known Good: match literal strings that are known to be only benign input.
– Sanitization: remove characters that could potentially be malicious, but accept everything else.
– Safe Data Handling: instead of only validating the input, ensure that the processing performed on it is inherently safe, such as by parameterizing queries for database access (which prevents SQL injection).
– Semantic Checks: the data submitted is not malformed, but simply malicious, such as a user changing the bank account number in a hidden form field to try to access another user's account.

Boundary Validation

Instead of only validating input on the client side or on the server side, validate input within each individual component or functional unit of the server-side application.

Boundary Validation
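An added example (not part of the lecture) that applies the four input-handling approaches and the semantic check to one field: a bank account number submitted from a form. The sqlite3 table, the account numbers and the user names are constructed for the example and are assumptions, not data from the lecture.

```python
import re
import sqlite3

# Constructed in-memory store standing in for the application's database (assumption).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE accounts (number TEXT PRIMARY KEY, owner TEXT, balance INTEGER);
INSERT INTO accounts VALUES ('1001', 'alice', 500), ('2002', 'bob', 900);
""")

# Accept known good: an account number is exactly four digits; nothing else passes.
ACCOUNT_RE = re.compile(r"[0-9]{4}")

def accept_known_good(value: str) -> bool:
    return ACCOUNT_RE.fullmatch(value) is not None

# Reject known bad: a blocklist of SQL metacharacters, shown for contrast.
# It only catches inputs containing these literal strings, so it is the weakest approach.
BAD_SUBSTRINGS = ("'", "--", ";", "/*")

def reject_known_bad(value: str) -> bool:
    return not any(bad in value for bad in BAD_SUBSTRINGS)

# Sanitization: strip every non-digit character and accept whatever remains.
def sanitize(value: str) -> str:
    return re.sub(r"[^0-9]", "", value)

# Safe data handling: the submitted value never becomes part of the SQL text;
# the driver binds it as a parameter, so it can only ever be compared as data.
def fetch_account(account_number: str):
    return conn.execute(
        "SELECT owner, balance FROM accounts WHERE number = ?", (account_number,)
    ).fetchone()

# Semantic check: a well-formed account number may still be malicious (a swapped
# hidden-field value), so the result is authorised against the logged-in user,
# not against the value the client submitted.
def get_balance_for_user(session_user: str, submitted_account: str):
    if not accept_known_good(submitted_account):
        return "rejected: malformed"
    row = fetch_account(submitted_account)
    if row is None or row[0] != session_user:
        return "rejected: not your account"
    return row[1]
```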