Lecture 7 Authorization 2
Lecture 7 Authorization 2
Must take into consideration the characteristics of a web application and their resources
The requirements for authentication and authorization may well have been determined
in conjunction with local, regional, or national law. Example: HIPAA. You need to spend
some time during
early phases to
gather info about
Determining Resource laws that can govern
Subject Access (Object)
your web app.
3
Web Application Security
4
Authorization Fundamentals
Read
Write
6
Authorization Elements
1.Subjects
The thing requesting access to protected resources
KSU
Student LMS
DB 7
Authorization Elements
2.Resources (Objects)
The protected objects: data or functionality
File
Database
Programs
How a web application knows what the resource in question is for any given access request?
3. Encoded or identified by data stored within the session state à adds little security
8
Session State
9
Authorization Elements
3. Determining Access
Once the web application has determined the subject and what the subject wants to
do, it can determine whether the action is permitted
Through rules: many names permissions, access control, policies..
We have heterogeneous techniques to define and enforce these rules. Among these
techniques, we can highlight two:
Permission-based authorization
defines permissions to each system’s user
Role-based authorization
specifies permissions to a set of roles of a system, roles assigned to each user.
10
Authorization Elements
3.Determining Access
1. Policies: ACL are permissions that are applied to a specific resource
ACL combines particular subjects, operations, and target resources into discrete
bundles
to resources?
11
Authorization Elements
3.Determining Access
2. Role-based authorization labels resources with groups of subjects (roles)
Requires two-stage decision:
Assessing what roles can perform the requested action
of these roles
Data
Functions
Both can have permissions, and there are three type of permissions:
13
Read & Write permission Execute permission
(بداية التسجيل )كنت غايبه في اللي قبل
AuthZ (A2) should happen at many points and many times within a web app.
14
When and How to Authorized
15
Authorization Layers (Reading assignment)
Traditional
computer
security concerns
with vertical
interaction
User to application (horizontally) Horizontally: it takes
place between
systems on the path
from user to app.
Interacting components
Vertically: it takes
(vertically)
place between
interacting
components within an
individual system.
16
Web browser layer Web server layer Application server layer Database server layer
Controls by layer (Horizontally)
Talk about potential authorization checkpoints in each layer.
IP Addressing whitelisting
Ø internal private network (intranets)
URL Authorization (most java web server allows limit access to URL through setting or configuration files)
Ø specify which users and groups can access what URLs.
OS Authorization (web application| server must run in some context within the OS)
Ø Use OS native security framework of file and directory permissions, security group, ACL, ….
17
Ø Reduce damages when web applications are compromised
Controls by layer (Horizontally)
Application server layer
Can use the same basic techniques as the previous ones (IP black or white listing…). In addition to:
Application Compartmentalization
Servlet and App Server Restrictions
Ø Java implemented applications
Ø Use resource management configuration features
Ø Complex
18
Code Access Security (CAS): performing authorization on pieces of code to determine whether the code is allowed
to run with the capabilities it wishes to use. >> executable permission
Controls by layer (Horizontally)
Database Server Layer
Databases have their own implementations of concepts like users, roles, permissions, and so forth
Take advantage of these features to implement part of the application’s authorization scheme
Ø Stored procedures à revoke direct access permissions from all the tables in the DB
AuthZ logic: the code that enforces those permission policy decisions
- Complicates deployment and maintenance: web admin and DB admin are different people
2. Database layer
Stored procedures can contain authorization logic
Before running that query, the stored procedure can first figure out whether the user making
the request is allowed to do so
or both
Which one is better? There is no right or wrong here. Just make sure you make the
decision for security reasons rather than convenience.
20
Custom authorization mechanisms
Not recommended (security code can be hard and tricky to get right)
Any authorization framework should be designed around a 3-by-3 matrix of factors (also
referred to as a lattice).
It ensures you will consider all the critical authorization points in your application
Alternative: designers brainstorm a list of every place in the application that needs to consider
21
authorization. They can forget an important area that leaves your application open to attack.
The 3X3 model of authorization
2 axis:
1- What (3 categories of item of participant)
2- When (3 places)
23
The 3X3 model of authorization
When: it considers the times when permission checks need to happen and approvals
granted or denied
24
The 3X3 model of authorization
Before loading the interface
Web applications are not loaded at onceè distributed among a collection of HTML pages. It does not
need to make a one-time all-or-nothing decision.
They will perform authorization checks before ever sending that part of the interface to the user’s web
browser
Ø It is not sufficient:
§ Vulnerable to forceful browsing
§ It should be done with each URL request
Ø Gives an HTTP response 401 unauthorized, 403 forbidden or 404 not found. Some are lies but never say truth!
26
The 3X3 model of authorization
Before (HTTP|HTTPS) requests are submitted
Interactive web pages (run JavaScript) creates the possibility of using client-side code to
implement additional authorization checking
Warning: it is only for performance, it offers zero protection against determined attackers
Ø Save server time from dealing with request that will only be denied
Client-side code can deter casual attackers driven by curiosity more than actual malice. They
are trivial to bypass (Example: yellow warning tape around freshly poured section of sidewalk)
It can also filter the links. Its there but you can’t see it you can’t click it (using CSS or DOM).
Attackers can use reverse engineering to extract hidden links
It can also defend against a user interacting with UI elements at the wrong time.
Disable submit button when field has improper value
27
The 3X3 model of authorization
Client-side attacks Client-side checks are helpful for keeping
most users honest and for improving overall
CSS and JavaScript can be used to display the
places color code that show which is available system performance by keeping most bad
and which is reserved. requests from reaching the server side
https://www.smartertravel.com/
seat they want even it it’s shown to be not 28
available.
The 3X3 model of authorization
Before granting final access
The most important time to perform authorization checks, and the most important
place to perform them, is on the server immediately before granting final access to
anything
The server can be the web application server, the database server or both.
The strongest guarantees of security come from server-side authorization
The server is the last line of defense for those resources
The best time to make server-side authorization checks is as close as possible to the
time when an action is to be taken, to avoid the “time of check to time of use
(TOCTOU)” problem.
29
Ø Race condition vulnerability
The 3X3 model of authorization
Time of check to time of use (TOCTOU)
The idea is to minimize the interval between these two times, because an overly lengthy
interval can create the potential for abuse
Different person using an authenticated and authorized user’s account without permission
Ø Do an action on behalf of you.
Web application servers should specify upper limit on the TOCTOU interval.
This limit represents a time beyond which the server isn’t even willing to trust its own prior
authorization checks 30
TOCTOU exploits
Married couple example
Go to the
Sign-in to bank and
bank Go to take a
website meeting check
A session that has simply been in existence for too long can be expired
A session can be forcibly expired if the timestamp on the permission records for the user is
newer than the creation timestamp of the session ID, thus indicating permission changes.
32
Web authorization best practices
(Reading assignment)
Failing closed Minimizing custom authorization
Fails securely
code
Operating with least privilege
Protecting static resources
Separating duties
users and admin Avoiding insecure client-side
XSS maybe used in a completely unrelated website to obtain user’s browsing history à make a site map
Any data stores in URL parameters, cookies, or form fields is subject to tampering.
35
Attacks against authorization
Cross-site request forgery (CSRF) ﺗزوﯾر
Occurs when an attacker tricks a victim’s browser into making an HTTP request against a
target web application
Example: attacker stole Joe’s web browsing history through XSS à online banking history
(purchases)
Ø à chat forum for vintage cars à crafts a post
37
Session Management
The key challenge is that HTTP is stateless
Example: two students logged on edugate
Sessions represent a user’s authentication and authorization for the duration of a user’s
interaction with your web application
Session management is the means by a client and server keep track of who a user is
It is also related to what that user is allowed to do, and what the user is actually doing
Is how the web server knows you are you, after you have been authenticated
Allow\deny access
What’s a session?
Tracking a single user’s interactions with the web application 38
Session management fundamentals
A secure (encrypted) session ID will therefore look like random data
The harder you make it for an attacker to guess the value (Predictable session token),
the harder it is for them to impersonate an active session with the web application
39
Session management fundamentals
When to issue sessions IDs?
Many web applications issue a session ID at the time an unknown user performs the
application’s authentication procedure, but some do so before authentication
Example: filling the shopping cart before signing-in
Before completing the purchase, the user must sign-in à issue new session ID
Never reuse a session ID à let the web client dictate to you the session ID value
open you up to session fixation attack
If the applications doesn’t need to track user behavior prior to authentication à it’s safer
not to do it
40
What is session state
Session IDs help enormously by at least allowing a web application to tell different users apart
Ø Cons: insecure, unless encrypted; and limited to 4KB of data, performance issue
Server-side storage:
Ø Modern web application server implementations provide facilities for session state management
42
How to manage session state?
43
Attacks against sessions
Tampering
Also referred to as: cookie poisoning
Theft
Stealing the session ID value to impersonate the victim
Mitigations are generic (see Session Management Best Practices )
Ø XSS: trick the victim in running a script to transmit the cookies on their browser
Attacker can then generate the next 100 or 1000 session IDs and wait for a user to be assigned one of them
Session fixation
When an attacker is able to prepopulate a victim’s web browser with session ID value
Mitigation:
Ø Not issue before authentication
Session hijacking
Use a stolen or fixated session ID to impersonate a legitimate user è prevent the user from using it
45
Attacks against sessions
Cross-site request forgery
Cause the victim’s browser to take a single desired action within the application
It exploits the trust between the application and the client based on the session ID
Works by tricking the web browser into making a request for a URL à hidden elements
Attacker cannot predict when the victim might take the bait (if ever)
Ø Succeed attack: hijacking a still used session, or been idle for a long period of time
46
Attacks against session state
Sessions and session state go hand in hand
Hijacking: when an attacker is able to steal the contents of the session state
47
Session Management Best Practices
(Reading Assignment-Page 141)
Enforcing absolute session timeouts
Limiting session concurrency (active session single user can have - sessions per user)
Logging out
48
Regenerating session IDs on Authentication
References
Web Application Security: A Beginner’s Guide
Chapter 4
49