Web Applications: Authorization and Content Delivery

Questions and Answers

Which layer of a web application is primarily responsible for delivering static content to the user?

Web server layer (correct)

Application server layer

Database server layer

Web browser layer

What is a key feature of permission-based authorization in a web application?

Users are assigned roles that dictate their access

Database content is accessible to all authenticated users

Static content is delivered based on user roles

Access is granted based on user-specific privileges (correct)

In terms of authorization layers, where should authorization checks ideally occur in a web application?

Only at the web server layer

Exclusively at the database server layer

Primarily within the web browser layer

At multiple points across different layers (correct)

Which type of authorization relies on the roles assigned to a user to control access?

Role-based authorization

Which layer is primarily responsible for handling dynamic content in a web application?

Application server layer

Which authorization technique involves granting access based on user roles?

Role-based authorization

What is the primary function of session state management in web applications?

To maintain user data across multiple requests

In web applications, which layer is primarily responsible for handling database access permissions?

Database server layer

What is a key characteristic of permission-based authorization?

It restricts access based on specific permissions assigned to users

Which of the following best describes URL encoding techniques?

They ensure proper transmitting of data within URLs.

What is the purpose of Code Access Security in web applications?

To implement authorization for pieces of code based on their permissions

Which method is NOT mentioned for implementing authorization in web applications?

Utilizing URL encoding techniques for security

What does developing a custom authorization framework entail?

Significant responsibility with tailored features

Which of the following best describes role-based authorization in web applications?

Assigning permissions based on the user's role within the application

How can application compartmentalization enhance security in web applications?

By isolating different application sections to prevent unauthorized access

Study Notes

Authorization

• Authorization is the process of determining if a subject has permission to perform an operation against a target resource.
• Authorization is a complex subject.
• It requires consideration of web application characteristics and resources.
• Authorization requirements may be defined by local, regional or national law (e.g., HIPAA).

Recording Lectures

• Recording lectures without permission is a violation.
• Recording and sharing recordings is considered a crime.
• The penalty can include imprisonment or fines.

Authorization (Authz) Fundamentals

• Authorization determines if a subject has enough permission.
• Authorization is a complex subject.
• Web application and resource characteristics are crucial factors.
• Authorization and authentication requirements are often specified by local, regional, or national laws (e.g. HIPAA).

Web Application Security

• Ensuring protection of external web applications from cyber threats is the goal.
• Requirements for cybersecurity must be identified, documented, and approved.
• Implement cybersecurity requirements for protection.
• Standards should cover Web Application Firewall (WAF), multi-tier architecture, secure protocols like HTTPS, and secure user policies.
• Regularly review web application security requirements.

Authorization Fundamentals

• Authenticated subject requests an operation.
• Authorization checks the permission associated with the resource using an Access Control List (ACL).
• If authorized, the operation is performed, and data is readable.
• If not authorized, the request is denied.

Authorization Goals

• Users can only perform actions within their privilege level.
• Access to protected resources is controlled based on user roles/privileges.
• Mitigate privilege escalation attacks(e.g., enabling a non-admin user to access admin functions even as an anonymous guest user).

Authorization Elements: Subjects

• Subjects are anything requesting access to protected resources.
• Examples include humans, web applications, web services, back-end databases, computer systems.

Authorization Elements: Resources

• Protected objects include data and functionality.
• Types are files, databases, and programs.
• Web applications use encoded parameters and data in the session state to identify resources.

Session State

• Most browsers limit cookie sizes to 4096 bytes.
• Session state information, including authentication, is crucial for web applications based on HTTP's stateless nature.
• Sessions are tracked between client and server.
• The state is critical to know who the user is, and what the user is allowed to do on the application.

Authorization Elements: Determining Access

• Access is determined through permissions, access controls, and policies.
• Techniques include permission-based authorization to define user permissions, and role-based authorization to assign roles and their associated permissions.
• Policies such as ACLs apply to specific resources and combine subjects, operations, and resources into discrete bundles.
• Exception handling allows new roles.

Types of Permissions

• Read access: viewing an item.
• Write access: modifying an item.
• Execute access: running a piece of code.
• There are two types of resources: data (read/write permissions), and functions (execute access).

Authorization Layers

• Authorization is not a one-time process.
• It involves multiple layers within web applications, including the web browser, web server, application server, and database server layers.

Controls by Layer (Horizontally)

• Checkpoints are in each layer for authorization.
• The web server layer uses IP addressing (blacklisting/whitelisting) and URL Authorization to control access.
• Application layer controls implement authorization logic in the application server code, using built-in frameworks (e.g., .NET and ASP.NET) or custom frameworks.
• Database layer implementation of authorization.

Where to Put Authorization Logic

• Web application is the usual place for authorization logic, although this can increase deployment complexity.
• Using stored procedures in the database layer is an option
• Security should be prioritized over convenience in choosing the method.

Custom Authorization Mechanisms

• Custom authorization mechanisms should be designed using a 3x3 matrix .
• Consider every place in the application that might need authorization.

The 3x3 Model of Authorization

• The 3x3 model defines items that participate in authorization.
• Users/subjects, operations and resources categorize interactions in the matrix.
• The model helps design an authorization framework.

The 3x3 Model of Authorization (When)

• Authorization checks can occur before the interface loads, before submitting requests, and before granting access.
• Web applications are not loaded together; instead they are distributed among a collection of HTML.

The 3x3 Model of Authorization (Client-side Attacks)

• Checks in the client side can help to keep most users honest.
• They are not substitutes for server side checks, where attackers can manipulate the client-side to behave differently to bypass authorizations.

The 3x3 Model of Authorization (Before Final Access)

• Best practice is to perform auth checks immediately before allowing access from any source including client side.
• Server-side authorization guarantees the best security outcomes.

Time of Check to Time of Use (TOCTOU)

• This occurs when there is an unnecessarily long interval between authorization checks.
• The attacker can benefit from this long interval.
• Web application servers should specify an upper limit for the TOCTOU interval preventing exploit abuses.

TOCTOU Exploits

• A scenario with a married couple needing to complete a transaction.

TOCTOU Exploits: Session Management

• Session management helps handle issues caused by the TOCTOU scenario.
• Use various criteria for automatically invalidating a session.

Web Authorization Best Practices

• Employ the principle of least privilege to limit user access and responsibilities.
• Separate duties and user/administrative functions
• Define strong policies, restricting resource sharing.
• Prevent unauthorized access through account uniqueness.

Attacks Against Authorization

• Forceful Browsing: Designers assume correct authentication.
• Cross-Site Scripting (XSS): Guessing input areas to discover hidden elements of a site's behavior or map out a site.
• Input Authorization/Parameter Tampering: Malicious alteration of parameters in requests.
• HTTP Header Manipulation: Trusting metadata.
• Cross-Site Request Forgery(CSRF): Tricks user's browser into making requests.

Attacks Against Session State

• Tampering: Changing session data to bypass checks.
• Theft: Stealing session ID to impersonate a user.
• Predictability: Session IDs should not be predictable by attackers.
• Hijacking: Stealing or taking over another user's session IDs

Attack Against Sessions: Cross-Site Request Forgery

• Exploiting relationship between application and client using session IDs.
• Attacker cannot know when the victim might take the "bait."
• Mitigation involves session expiration.

Attacks Against Session State: Tampering and Hijacking

• Tampering with or hijacking session state means changing or stealing session-critical elements (e.g., session identity).

Session Management Best Practices

• Enforce absolute session timeouts.
• Limit session concurrency to one active session per user.
• Mandate secure cookies, using methods like HTTPS.
• Use the HttpOnly flag, limiting client-side access to the cookies.
• Use cryptographically random session IDs
• Destroy invalidated session IDs and cookies
• Implement logging during sessions
• Regenerate session IDs on authentication.

Browser Development Tool

• Use browser developer tools for network debugging, checking and identifying HTTP requests.
• This helps to better understand interactions between web application and resources.

Session ID

• There is no standard name for Session ID session cookies.

Description

Test your knowledge on the layers of web applications, focusing on the delivery of static content, authorization techniques, and session management. This quiz covers key concepts necessary for understanding web application security and performance.