Only Web Security.pptx

Full Transcript

Lecture 6
Web Security
EIE4432 WEB SYSTEMS AND TECHNOLOGIES

Dr. Pauli Lai
1

Importance of Web Security
1. Protection of sensitive data
 Encryption techniques like SSL protect data transmission
between users and websites.
 Secure storage mechanisms, such as hashing and
encryption, safeguard sensitive information from
unauthorized access.
 Compliance with data protection regulations (e.g.,
GDPR) helps ensure user data is handled securely.
 Implementing access controls and user authentication
mechanisms restrict unauthorized data access.

2

SSL

https://www.wpbeginner.com/beginners-guide/howto-get-a-free-ssl-certificate-for-your-wordpress-web
site/
3

GDPR

Key elements of the GDPR
The GDPR requires organisations handling
personal data to do so according to its six data
processing principles:
a) it is processed fairly, lawfully and transparently
b) it is collected and processed for specific
reasons and stored for specific periods of time,
and that it is not used for reasons beyond its
original purpose
c) only the data necessary for the purpose it is
intended is collected, and not more

https://theconversation.com/what-does-gdpr-mean- d) it is accurate and that reasonable steps are
taken to ensure it remains accurate
for-me-an-explainer-96630
e) it is kept in a form that allows individuals to be
identified only as long as is necessary
f) it is kept securely and protected from unlawful
4
access, accidental loss or damage

Importance of Web Security
2. Safeguarding user privacy and maintaining
trust
 Web security measures like anonymization and
pseudonymization protect user identities and personal
information.
 Secure login systems, such as two-factor authentication
(2FA), enhance user privacy and account security.
 Clear privacy policies and transparent data handling
practices build user trust in the organization.
 Regular security audits and vulnerability assessments
demonstrate commitment to user privacy.
5

2FA

Source:
https://doubleoctopus.com/security-wiki/authentication/what-is2fa/

6

Importance of Web Security
3. Preventing unauthorized access
and data breaches
 Implementing strong user authentication
mechanisms (e.g., passwords, biometrics)
mitigates the risk of unauthorized access.
 Regular security updates and patches
address vulnerabilities that could be exploited
by attackers.
 Implementing secure coding practices
helps prevent common attack vectors like
injection attacks.

https://fully-verified.com/use
-authentication-methods/

7

Common Threats &
Vulnerabilities
1. Cross-Site Scripting (XSS) attacks
2. SQL injection attacks
3. Cross-Site Request Forgery (CSRF)
4. Phishing and social engineering attacks
5. Malware and viruses
6. Brute-force attacks and password cracking
7. Denial of Service (DoS) attacks

8

Common Threats &
Vulnerabilities
1.Cross-Site Scripting (XSS) attacks
 Exploiting vulnerabilities in web applications to inject
malicious scripts into web pages viewed by users.
 Can lead to session hijacking, cookie theft, and
unauthorized access to user data.
 Prevention measures:
 Input validation
 Output encoding
 Using security frameworks that mitigate XSS attacks

 Regular security testing and code reviews help identify
and address XSS vulnerabilities.
9

Cross-Site Scripting (XSS)
Explained

https://youtu.be/EoaDgUgS6QA?si=EE_gOwFhsyS8
Oyzt&t=186
10

What is cross-site scripting?

Source:
https://www.cloudflare.com/learning/security/threats/cross-site-scrip
ting/

11

Full story on session hijacking, cookie theft,
and unauthorized access to user data (7 min)

https://youtu.be/cbmBDiR6WaY?si=0rQOuHZq0my
ojV3E
12

XSS

https://youtu.be/DqK_OYat-3M?si=L81leTSN6Edsvje
6

13

Common Threats &
Vulnerabilities
2. SQL injection attacks
 Exploiting poorly sanitized user input to execute
unauthorized SQL queries on a database.
 Can lead to unauthorized data disclosure,
modification, or deletion.
 Prevention measures:
 Using prepared statements or parameterized queries
 Input validation
 Enforcing least privilege access controls

 Regular security assessments and code reviews can help
identify and mitigate SQL injection vulnerabilities.
14

Source:
https://www.cloudflare.com/learning/security/threats/sql-inject
ion/

15

Source:
https://www.cloudflare.com/learning/security/threats/sql-inject
ion/

16

Common Threats &
Vulnerabilities
4. Phishing and social engineering attacks
 Social engineering is a security attack that relies on human
interaction to trick users into breaking standard security
procedures.
 Deceptive techniques to trick users into revealing sensitive
information or performing malicious actions.
 Can include fake emails, websites, or phone calls
impersonating legitimate entities.
 Prevention measures:
 User education and awareness
 Spam filters
 Multi-factor authentication
17

What is Social Engineering?

Source:
https://www.skysnag.com/blog/what-is-social-engineering-definition-types-mo
re/

18

What is Social
Engineering?

https://youtu.be/9U-JgdUkaTQ?si=nKPYYGMlsSdNMJ
ff
19

Common Threats &
Vulnerabilities
7.Denial of Service (DoS) attacks
 Overwhelming a web server or network with a flood of
requests, rendering it inaccessible to legitimate users.
 Can exploit vulnerabilities in network infrastructure or
consume server resources to cause service disruptions.

20

What is a DDoS attack?

Source:
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-atta
ck/

21

DDoS Attack Explained

https://youtu.be/ilhGh9CEIwM?si=tVN9L0cS_bCjl4u
z
22

Real-life examples of DDoS
What was the largest DDoS attack of all time?
The biggest DDoS attack to date took place in September of 2017. The attack targeted
Google services and reached a size of 2.54 Tbps. Google Cloud disclosed the attack in
October 2020.
The attackers sent spoofed packets to 180,000 web servers, which in turn sent
responses to Google. The attack was not an isolated incident: the attackers had
directed multiple DDoS attacks at Google's infrastructure over the previous six months.
What are some other famous DDoS attacks?
 The February 2020 attack reported by AWS
 The February 2018 GitHub DDoS attack
 And more …

Source:
https://www.cloudflare.com/learning/ddos/famous-ddos-attack
s/

Preventive measures for DDoS
attacks
1.DDoS Protection Services
2.Network Traffic Monitoring
3.Load Balancing and Scalability
4.Firewalls and Intrusion Prevention Systems (IPS)
5.Rate Limiting and Traffic Shaping
6.Web Application Firewall (WAF)
7.Incident Response Plan
8.Regular Updates and Patching
9.Employee Awareness and Training
10.Redundancy and Backup

24

Cryptographic Hash Functions
 Hashing
 Data transformation into fixed-size output for integrity verification and unique
identification.
 Deterministic and irreversible process with properties like speed, uniqueness, and
data integrity.
 Not the same as encryption; focuses on data integrity and non-reversible
transformation.
 Key tool in password storage, digital signatures, data integrity verification, and
certificate fingerprinting.
 There are 3 common types of hashing function:
 MD5
 SHA-1
 SHA-256

25

Cryptographic Hash Functions
 MD5:
 Widely used hash function, but considered weak due to vulnerabilities and collision
attacks.
 Produces a 128-bit hash value, commonly represented as a 32-character hexadecimal string.
 Fast and efficient, but not recommended for security-critical applications.

 SHA-1:
 Commonly used, but considered weak and vulnerable to collision attacks.
 Produces a 160-bit hash value, commonly represented as a 40-character hexadecimal string.
 Deprecated for security purposes and replaced by more secure hash functions.

 SHA-256:
 Part of the SHA-2 family, widely adopted and considered secure for most applications.
 Produces a 256-bit hash value, commonly represented as a 64-character hexadecimal string.
 Provides a higher level of security compared to MD5 and SHA-1.

26

Cryptographic Hash Functions
Hash Function

Output Size

Security Level

Common Usage

MD5

128 bits

Weak

Non-critical
applications,
checksums

SHA-1

160 bits

Weak

Digital signatures, nonsensitive data

Strong

Password hashing,
digital certificates,
sensitive data

SHA-256

256 bits

27

Salting in SHA-256
 Adding a unique random value to input data before hashing.
 Each salted hash becomes unique, preventing precomputed attacks like
rainbow tables.
 Increases complexity, making it harder for attackers to crack passwords.

28

Cryptographic Hash Functions
 Application of Hash Function in Web App:
Password Hashing
 Protect user passwords by converting them into
irreversible, hashed representations that are
more secure against unauthorized access.

 Online Tool to try:
https://emn178.github.io/online-tools/sha256.
html
 Imagine you are inputting a password.
 The tool will convert your password string into
another uncrackable string for storing your
hashed-password in database.the

29

Cryptographic Hash Functions
JavaScript can be used to implement the password hashing function as well

30

Password Hashing, Salts, Peppers | Explained!

https://youtu.be/--tnZMuoK3E?si=eX65Jhe0b730cw
8Z
31

Secure Communication: HTTPS
 HTTPS is the secure version of HTTP,
employing SSL/TLS encryption for secure web
communication.
 SSL/TLS ensures confidentiality, integrity,
and authentication of data transmitted
between clients and servers.
 Visual indicators like padlock icon and
"https://" signify a secure HTTPS connection.
 HTTPS protects sensitive information from
eavesdropping and tampering, enhancing
overall security on the web.

32

Secure Communication: HTTPS
Digital certificates and public key
infrastructure (PKI):
 Digital certificates bind public keys to
entities' identities, establishing trust in
secure communication.
 Certificate Authorities (CAs) issue and verify
certificates, acting as trusted third-party
organizations.
 Certificate chains and trust hierarchy
ensure the authenticity and integrity of
certificates in the PKI.
 Certificate validation involves:
 Checking expiration
 Revocation status
 Verifying digital signatures to ensure trustworthiness

https://www.thesecuritybuddy.com/blockchain/publi
c-key-infrastructure-and-blockchain/

33

Secure Communication: HTTPS
Benefits of HTTPS in securing web
communications:
 Data encryption ensures confidentiality,
preventing unauthorized access to sensitive
information.
 HTTPS protects against tampering and ensures data
integrity during transmission.
 Authentication verifies the identity of the server,
protecting against impersonation and man-in-themiddle attacks.
 HTTPS improves user trust, search engine
rankings, and overall website credibility.
34

What is PKI? How does PKI work?

https://youtu.be/7U0MgZmx-Lw
35