Web Applications: Authorization and Content Delivery

Questions and Answers

Which layer of a web application is primarily responsible for delivering static content to the user?

  • Web server layer (correct)
  • Application server layer
  • Database server layer
  • Web browser layer

What is a key feature of permission-based authorization in a web application?

  • Users are assigned roles that dictate their access
  • Database content is accessible to all authenticated users
  • Static content is delivered based on user roles
  • Access is granted based on user-specific privileges (correct)

In terms of authorization layers, where should authorization checks ideally occur in a web application?

  • Only at the web server layer
  • Exclusively at the database server layer
  • Primarily within the web browser layer
  • At multiple points across different layers (correct)

Which type of authorization relies on the roles assigned to a user to control access?

Answer: Role-based authorization (C)

Which layer is primarily responsible for handling dynamic content in a web application?

Answer: Application server layer (D)

Which authorization technique involves granting access based on user roles?

Answer: Role-based authorization (C)

What is the primary function of session state management in web applications?

Answer: To maintain user data across multiple requests (D)

In web applications, which layer is primarily responsible for handling database access permissions?

Answer: Database server layer (B)

What is a key characteristic of permission-based authorization?

Answer: It restricts access based on specific permissions assigned to users (D)

Which of the following best describes URL encoding techniques?

Answer: They ensure proper transmission of data within URLs. (D)

What is the purpose of Code Access Security in web applications?

Answer: To implement authorization for pieces of code based on their permissions (B)

Which method is NOT mentioned for implementing authorization in web applications?

Answer: Utilizing URL encoding techniques for security (D)

What does developing a custom authorization framework entail?

Answer: Significant responsibility with tailored features (B)

Which of the following best describes role-based authorization in web applications?

Answer: Assigning permissions based on the user's role within the application (B)

How can application compartmentalization enhance security in web applications?

Answer: By isolating different application sections to prevent unauthorized access (C)

Flashcards

Web Browser Layer

The layer where users interact with the web application through their web browsers.

Web Server Layer (Static Content)

Handles requests for static files (images, CSS, JavaScript) and serves them directly to the browser.

Application Server Layer

Processes dynamic content requests, often involving database interactions, and constructs the responses.

Database Server Layer

Stores and manages the data needed by web applications.

AuthZ (Authorization)

The process of determining if a user has the necessary permissions to perform an action.

Multiple points of AuthZ

Authorization checks should happen many times throughout the application, ensuring security.

Web Browser Layer Authorization

Authorization checks performed by the web browser, often in the form of cookies or local storage verification, or using client-side JavaScript, to validate user credentials.

Web Server Layer Authorization

Authorization checks performed by the web server, such as validating HTTP headers, session tokens, or basic authentication. This usually occurs after the initial user request.

Application Server Layer Authorization

Authorization checks in the application server, using the application's logic to control access to specific functionalities or resources.

Database Server Layer Authorization

Database-level authorization that restricts data access based on user permissions, often defined in the database system.

Application Compartmentalization

Separating different parts of an application for better organization and security.

Servlet and App Server Restrictions

Rules limiting what servlets (Java) and application servers can do to prevent security breaches.

Java Implementations

Using Java programming language for web application development, often within specific frameworks.

Resource Management Configuration

Setting up features that control how an application uses resources (memory, etc.).

Application Server Code

The code residing within an application server, often implementing security like authorization.

Authorization Implementation (Methods)

Three main approaches to implementing authorization within web applications: using built-in frameworks, third-party authorization modules, or custom framework development.

Code Access Security

Checking if a piece of code is allowed to perform operations with the requested permissions.

Study Notes

Authorization

  • Authorization is the process of determining if a subject has permission to perform an operation against a target resource.
  • Authorization is a complex subject.
  • It requires consideration of web application characteristics and resources.
  • Authorization requirements may be defined by local, regional or national law (e.g., HIPAA).

Recording Lectures

  • Recording lectures without permission is a violation.
  • Recording and sharing recordings is considered a crime.
  • The penalty can include imprisonment or fines.

Authorization (Authz) Fundamentals

  • Authorization determines if a subject has enough permission.
  • Authorization is a complex subject.
  • Web application and resource characteristics are crucial factors.
  • Authorization and authentication requirements are often specified by local, regional, or national laws (e.g. HIPAA).

Web Application Security

  • Ensuring protection of external web applications from cyber threats is the goal.
  • Requirements for cybersecurity must be identified, documented, and approved.
  • Implement cybersecurity requirements for protection.
  • Standards should cover Web Application Firewall (WAF), multi-tier architecture, secure protocols like HTTPS, and secure user policies.
  • Regularly review web application security requirements.

Authorization Fundamentals

  • Authenticated subject requests an operation.
  • Authorization checks the permission associated with the resource using an Access Control List (ACL).
  • If authorized, the operation is performed, and data is readable.
  • If not authorized, the request is denied.

Authorization Goals

  • Users can only perform actions within their privilege level.
  • Access to protected resources is controlled based on user roles/privileges.
  • Mitigate privilege escalation attacks (e.g., a non-admin user, or even an anonymous guest, gaining access to admin functions).

Authorization Elements: Subjects

  • Subjects are anything requesting access to protected resources.
  • Examples include humans, web applications, web services, back-end databases, computer systems.

Authorization Elements: Resources

  • Protected objects include data and functionality.
  • Types are files, databases, and programs.
  • Web applications use encoded parameters and data in the session state to identify resources.

Session State

  • Most browsers limit cookie sizes to 4096 bytes.
  • Session state information, including authentication, is crucial for web applications based on HTTP's stateless nature.
  • Sessions are tracked between client and server.
  • The state is critical to know who the user is, and what the user is allowed to do on the application.

Authorization Elements: Determining Access

  • Access is determined through permissions, access controls, and policies.
  • Techniques include permission-based authorization to define user permissions, and role-based authorization to assign roles and their associated permissions.
  • Policies such as ACLs apply to specific resources and combine subjects, operations, and resources into discrete bundles.
  • Exception handling allows new roles.

Types of Permissions

  • Read access: viewing an item.
  • Write access: modifying an item.
  • Execute access: running a piece of code.
  • There are two types of resources: data (read/write permissions), and functions (execute access).

Authorization Layers

  • Authorization is not a one-time process.
  • It involves multiple layers within web applications, including the web browser, web server, application server, and database server layers.

Controls by Layer (Horizontally)

  • Checkpoints are in each layer for authorization.
  • The web server layer uses IP addressing (blacklisting/whitelisting) and URL Authorization to control access.
  • Application layer controls implement authorization logic in the application server code, using built-in frameworks (e.g., .NET and ASP.NET) or custom frameworks.
  • Authorization can also be implemented at the database layer.

Where to Put Authorization Logic

  • The web application is the usual place for authorization logic, although this can increase deployment complexity.
  • Using stored procedures in the database layer is an option.
  • Security should be prioritized over convenience when choosing the method.

Custom Authorization Mechanisms

  • Custom authorization mechanisms should be designed using a 3x3 matrix.
  • Consider every place in the application that might need authorization.

The 3x3 Model of Authorization

  • The 3x3 model defines items that participate in authorization.
  • Users/subjects, operations and resources categorize interactions in the matrix.
  • The model helps design an authorization framework.

The 3x3 Model of Authorization (When)

  • Authorization checks can occur before the interface loads, before submitting requests, and before granting access.
  • Web applications are not loaded as a single unit; instead they are distributed across a collection of HTML pages.

The 3x3 Model of Authorization (Client-side Attacks)

  • Client-side checks can help to keep most users honest.
  • They are not substitutes for server-side checks, since attackers can manipulate client-side code to behave differently and bypass those authorizations.

The 3x3 Model of Authorization (Before Final Access)

  • Best practice is to perform authorization checks immediately before allowing access, for requests from any source including the client side.
  • Server-side authorization guarantees the best security outcomes.

Time of Check to Time of Use (TOCTOU)

  • This occurs when there is an unnecessarily long interval between an authorization check and the use of its result.
  • An attacker can take advantage of this long interval.
  • Web application servers should set an upper limit on the TOCTOU interval to limit the window for abuse.

TOCTOU Exploits

  • A scenario with a married couple needing to complete a transaction.

TOCTOU Exploits: Session Management

  • Session management helps handle issues caused by the TOCTOU scenario.
  • Use various criteria for automatically invalidating a session.

Web Authorization Best Practices

  • Employ the principle of least privilege to limit user access and responsibilities.
  • Separate duties and user/administrative functions.
  • Define strong policies that restrict resource sharing.
  • Prevent unauthorized access through account uniqueness.

Attacks Against Authorization

  • Forceful Browsing: Designers assume correct authentication.
  • Cross-Site Scripting (XSS): Guessing input areas to discover hidden elements of a site's behavior or map out a site.
  • Input Authorization/Parameter Tampering: Malicious alteration of parameters in requests.
  • HTTP Header Manipulation: Trusting metadata.
  • Cross-Site Request Forgery (CSRF): Tricks the user's browser into making requests.

Attacks Against Session State

  • Tampering: Changing session data to bypass checks.
  • Theft: Stealing session ID to impersonate a user.
  • Predictability: Session IDs should not be predictable by attackers.
  • Hijacking: Stealing or taking over another user's session IDs.

Attack Against Sessions: Cross-Site Request Forgery

  • Exploits the trust relationship between the application and the client that session IDs establish.
  • Attacker cannot know when the victim might take the "bait."
  • Mitigation involves session expiration.

Attacks Against Session State: Tampering and Hijacking

  • Tampering with or hijacking session state means changing or stealing session-critical elements (e.g., session identity).

Session Management Best Practices

  • Enforce absolute session timeouts.
  • Limit session concurrency to one active session per user.
  • Mandate the Secure cookie flag so session cookies are only sent over HTTPS.
  • Use the HttpOnly flag, limiting client-side script access to the cookies.
  • Use cryptographically random session IDs.
  • Destroy invalidated session IDs and cookies.
  • Implement logging during sessions.
  • Regenerate session IDs on authentication.

Browser Development Tool

  • Use browser developer tools for network debugging, to inspect and identify HTTP requests.
  • This helps to better understand interactions between web application and resources.

Session ID

  • There is no standard name for the cookie that carries the session ID.

Related Documents

Lecture 7 Authorization PDF
