Web Application Security Fundamentals PDF
Summary
This document provides an overview of web application security fundamentals. It covers the evolution of web applications, introduces the client-server model, and distinguishes between static and dynamic applications. The document also explores the core security problem of web applications and the OWASP Foundation.
Full Transcript
Topic 1: Web Application Security Fundamentals

Objectives
- Know the evolution of web applications
- Know the common web application functions
- Identify the common web application vulnerabilities

The Internet and WWW
The internet is a system of interconnected networks that connects a vast array of private, public, commercial, academic, and governmental networks to enable global communication and access to data resources. The Internet is managed by organizations that create global protocols, such as the Internet Assigned Numbers Authority (IANA). The World Wide Web (WWW) is a collection of information that can be accessed via the Internet. The WWW is a service built on top of the Internet's infrastructure.
Discussion: What other services are provided by the Internet? Is there an alternative to the WWW?

Client-Server Model
The client-server model is a distributed application structure that partitions tasks or workloads between the providers of a resource or service, called servers, and service requesters, called clients. Every machine on the internet is either a server or a client. The machines that provide services to other machines are servers, and the machines that are used to utilize these services are clients.
[Diagram: client sends a request, server returns a response]

The WWW
The WWW is a distributed system made up of both client and server software. Your Web browser is a client program that requests a service from the Web server. The client process always initiates a request to the server, while the server process always waits for requests from any client and responds to them accordingly.
[Diagram: Web browser and Web server communicating over HTTP]

Web Application?
"A Web application (Web app) is an application program that is stored on a remote server and delivered over the Internet through a browser interface." – Wikipedia.org
- The client is provided services through a Web server.
- Runs in the browser (client) and does not need to be installed.
- Programmed using a client–server structure.
- Written using a server-side programming language.
- Receives requests from the client and sends back responses.
Discussion: Why do you need a Web application? Compare a website with a Web application.

Client-side vs Server-side
Client-side: the processing takes place on the user's computer. Web browsers execute client-side scripts. Used to create static pages. It can access the file system residing on the user's computer.
Server-side: the processing takes place on a web server. Web servers execute server-side scripts. Used to create dynamic pages. It can access the file system residing on the web server.

Client-side vs Server-side scripts
Client-side scripts: the source code is transferred from the web server to the user's computer over the internet and runs directly in the browser. HTML, CSS, and JavaScript are used.
Server-side scripts: the source code is interpreted on the Web server, and the result is transferred to the user's computer over the internet and rendered by the browser. PHP, Python, Java, and Ruby are used.

Static vs Dynamic Applications
Static web apps display constant information and do not change unless modified by the developer. A static web application is a collection of HTML, CSS, and JavaScript. They can work without a web server; they need only the Web browser to render the page.
Dynamic web apps display live data or change their contents based on user requests and interaction. A dynamic web application is written in PHP, ASP.net or Python. They must use a Web server to interpret the source code.

How Web Apps Work
Source: https://alb.host.cs.st-andrews.ac.uk/webdatabases/howwebapp.htm

Class Discussion
Identify different types of web applications!
The Evolution of Web Applications
- http://www.evolutionoftheweb.com
- https://www.webdesignmuseum.org/web-design-history
- https://thehistoryoftheweb.com/timeline
Activity: Write a short review on any of the available web technologies.

World's First Website
Tim Berners-Lee, August 6, 1991

Class Activity
Objective: To observe how websites/web applications have evolved over time.
Steps:
1. Visit https://web.archive.org/
2. Search for your college website
3. Explore how the website has evolved over the years

The Evolution of Web Applications (important)
The Web in the early days:
- Static pages, no interaction
- Client-side (front-end) only
- Publicly accessible to all visitors
- Passively viewing content
- One-way communication
- No encryption was required
- No authentication was required
- Minimum resources, less complex
The Web now:
- Dynamic pages, interaction with the end user
- Server- and client-side (front-end and back-end)
- Private and public pages
- Users are able to modify the content
- Two-way communication
- Encryption is a must
- Authentication is essential
- More resources, higher complexity

What makes Web Apps so popular?
- The protocol (HTTP) is lightweight and connectionless.
- Every user already has a browser installed on their computer and mobile device.
- Browsers are highly functional, enabling rich and satisfying user interfaces.
- The core technologies and languages used to develop web applications are relatively simple.

Enterprise Web Applications
Enterprise web applications are large-scale software solutions designed to meet the complex needs of organizations and businesses. These applications are typically accessed through web browsers and provide a range of functionalities to support various business processes. Examples of enterprise web applications include Customer Relationship Management (CRM) systems, Enterprise Resource Planning (ERP) systems, Human Resources Management Systems (HRMS), and project management tools designed for large organizations.
Characteristics of Enterprise Web Apps (important)
- Scalability: Enterprise web applications must be able to handle a large number of users and a large volume of data. Scalability is essential to accommodate the growth of users and data volume without sacrificing performance.
- Security: Security is a top priority for enterprise applications. They often deal with sensitive business data, and robust security measures are implemented to protect against unauthorized access, data breaches, and other potential threats.
- Integration: Enterprise web applications need to integrate seamlessly with other existing systems within the organization, such as databases, legacy applications, third-party services, and external APIs. Integration ensures data consistency and enhances overall efficiency.
- Customization: Enterprises have diverse needs, and the ability to customize the application to align with specific business processes is crucial. Customization options allow organizations to tailor the application to their unique requirements.
- User Access Control: Role-based access control (RBAC) is often implemented to manage user permissions. This ensures that different users have appropriate levels of access based on their roles within the organization.
- Collaboration Features: Many enterprise web applications include collaboration features such as document sharing, version control, and real-time collaboration tools to facilitate teamwork among employees.
- Workflow Automation: Automation of business processes is a common feature in enterprise applications. Workflow automation helps streamline repetitive tasks, reduce errors, and improve overall efficiency.
- Reporting and Analytics: Comprehensive reporting and analytics tools enable organizations to gain insights into their operations, monitor key performance indicators (KPIs), and make informed decisions.
- Responsive Design: With users accessing applications from various devices, including desktops, laptops, tablets, and smartphones, responsive design is crucial. The application should provide a consistent and user-friendly experience across different screen sizes.
- Compliance: Enterprise web applications often need to comply with industry-specific regulations and standards. Ensuring compliance is important for legal and regulatory reasons.
- Continuous Maintenance and Support: Enterprise applications require ongoing maintenance, updates, and support to address bugs, security vulnerabilities, and evolving business needs.

Case Study
"A Case Study on Web Application Security Testing with Tools and Manual Testing"
Read the first two pages of the article and answer the following questions:
- Discuss the following sentence: "Web applications today are highly functional and rely upon a two-way flow of information between the server and browser."
- What is OWASP?
- What are the common web application vulnerabilities mentioned in the paper?
- Differentiate between penetration testing and static code analysis.
- How was the Tunestore web application tested?
- Do you think using the web security testing tools was enough to identify all the vulnerabilities?
- Discuss how SQL injection works. What are the consequences of SQLi?
- Explain how an application can be vulnerable to cross-site scripting (XSS). What can be achieved with XSS?
- What is the main cause of broken authentication?
- Describe web spiders.
- Describe web fuzzers, fuzz testing or fuzzing.
- What does it mean when a tool description mentions that the tool supports a payload feature?
- What is SOAP?
- What is Ajax?

Group Discussion
What are the web application security requirements?
- Protect the confidentiality of the application's data, source code and users' data
- Protect the integrity of the application's data and users' data
- Protect the availability of the application's functions and users' data

Web Application Security
"Web application security is a branch of information security that deals specifically with the security of websites, web applications and web services." -- Wikipedia
Popular tools: Burp Suite, OWASP ZAP Proxy, SQLMap, BeEF, John the Ripper, Hydra, Skipfish, W3af, Wfuzz, Watcher.
[Diagram: assessment cycle of Information Gathering, Research and Exploitation, Reporting and Recommendations, and Remediation and Ongoing Support]

Web Application Security Posture
- Web applications introduce new security vulnerabilities.
- Emerging technologies create opportunities for exploitation.
- Serious attacks aim to expose sensitive data or gain unrestricted access to back-end systems.
- Attacks causing system downtime are critical events for many organizations.

Key Web Apps Security Elements
There are several key web application security requirements that organizations should consider to ensure the security of their web applications:
- Input validation: Validate all user input to prevent processing of malicious input (e.g., SQL injection, cross-site scripting).
- Authentication and authorization: Implement robust mechanisms, including password policies, two-factor authentication, and secure encryption, to control access.
- Session management: Securely manage user sessions by using secure tokens, invalidating sessions after inactivity, and encrypting session data with HTTPS.
- Data Protection: Securely store and transmit sensitive data, employing encryption for data at rest and in transit, and using secure protocols like SSL/TLS.
- Access Control: Implement mechanisms to control access, ensuring only authorized users can access sensitive data and application functions. This may involve role-based access control and access control lists.
- Logging and Monitoring: Maintain detailed logs of user activity and system events, enabling the detection and investigation of security incidents. Regularly monitor logs for suspicious activity and deploy intrusion detection systems for threat response.
- Regular Software Updates: Keep software and third-party components up to date to patch vulnerabilities and maintain the overall security of the application.

Web Applications Attack Landscape
Malicious Bots: Bot attacks employ automated online requests to manipulate, scam, or disrupt a website, application, API, or users. Bot attacks have grown from spamming operations into international criminal businesses with their own economies and infrastructures.
Malware: Malware can target web applications and the servers they run on. It can perform a variety of malicious operations, including stealing, encrypting or deleting sensitive data, altering or hijacking core computing functions, and monitoring users' computer activity without their permission.
Denial of Service (DoS): A DoS attack is a malicious attempt to disrupt the normal operation of a web application for legitimate users. In a DoS attack, attackers flood targets with packets or requests.
Application Vulnerabilities: Application vulnerabilities are flaws in code or application design that create a possible point of compromise and potentially allow entry for attackers. Common examples of web application vulnerabilities include injection vulnerabilities, cross-site scripting (XSS), broken authentication and session management, and security misconfiguration.

Web Application Vulnerabilities
Broken authentication: this category of vulnerability encompasses various defects within the application's login mechanism, which may enable an attacker to:
- Guess weak passwords,
- Launch a brute-force attack, or
- Bypass the login.
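The session-management element listed above (secure tokens, invalidation after inactivity) and the login defects just described, as an added example that is not from the original slides or the referenced books: a minimal server-side session store in Python. `SessionStore`, `FakeClock` and `IDLE_TIMEOUT` are assumed names; the store is in-memory for illustration only.

```python
import secrets
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60  # seconds of inactivity after which a session is dead


@dataclass
class Session:
    user: str
    last_seen: float


class SessionStore:
    """In-memory session store; `clock` is a callable returning the current
    time in seconds, injected so that expiry can be exercised in a test."""

    def __init__(self, clock):
        self._clock = clock
        self._sessions = {}

    def login(self, user, presented_sid=None):
        # Mint a fresh unguessable id at every login and drop whatever id the
        # client presented beforehand, so an id chosen before authentication
        # never becomes an authenticated session (session fixation).
        if presented_sid is not None:
            self._sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user=user, last_seen=self._clock())
        return sid

    def user_for(self, sid):
        # Return the user bound to a live session, or None. A session idle
        # past the timeout is deleted, not silently revived; a valid access
        # refreshes the idle timer.
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if now - s.last_seen > IDLE_TIMEOUT:
            del self._sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        # Invalidate server-side: clearing the browser cookie alone would
        # leave the session usable by anyone who captured the id.
        self._sessions.pop(sid, None)


class FakeClock:
    """Constructed time source for the demo and tests (not real time)."""
    def __init__(self, start=0.0):
        self.now = start
    def __call__(self):
        return self.now
```

The session id must still reach the browser only over HTTPS, which the slides list as the transport requirement for session data.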
Broken access controls: this involves cases where the application fails to properly protect access to its data and functionality, potentially enabling an attacker to view other users' sensitive data held on the server or carry out privileged actions.

SQL injection: this vulnerability enables an attacker to submit crafted input to interfere with the application's interaction with back-end databases. An attacker may be able to retrieve arbitrary data from the application, interfere with its logic, or execute commands on the database server itself.

Cross-site scripting: this vulnerability enables an attacker to target other users of the application, potentially gaining access to their data, performing unauthorized actions on their behalf, or carrying out other attacks against them.
[Diagram: (1) script-injected link; (2) the victim's browser loads the legitimate site; (3) the browser executes the malicious script; (4) the malicious script sends the victim's private data to the attacker]

Information leakage: this involves cases where an application divulges sensitive information that is of use to an attacker in developing an attack against the application, through defective error handling or other behaviour.

Cross-site request forgery: this flaw means that application users can be induced to perform unintended actions on the application within their user context and privilege level. The vulnerability allows a malicious web site visited by the victim user to interact with the application to perform actions that the user did not intend.
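The SQL injection and cross-site scripting descriptions above, as an added example that is not from the slides or the referenced books: a user-lookup handler in Python, once with the defects and once hardened, showing that a bound query parameter and HTML escaping keep crafted input as data on the way into the database and on the way out to the page. The table, sample rows, inputs and function names are constructed for the example.

```python
import html
import sqlite3

# Constructed sample data for the example (not from the original slides).
ROWS = [("alice", "alice@example.test"), ("bob", "bob@example.test")]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn

def lookup_vulnerable(conn, name):
    # Defect: the user-supplied value is spliced into the SQL text, so the
    # database cannot distinguish the data from the query structure.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Fix: the value is bound as a parameter; the query structure is fixed
    # and the input is only ever compared against the name column.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def render_vulnerable(term, rows):
    # Defect: the search term and row values are echoed into the page
    # unescaped, so markup inside them is interpreted by the browser as code.
    items = "".join(f"<li>{n}: {e}</li>" for n, e in rows)
    return f"<p>Results for {term}</p><ul>{items}</ul>"

def render_safe(term, rows):
    # Fix: every untrusted value is HTML-escaped before it reaches the page.
    esc = html.escape
    items = "".join(f"<li>{esc(n)}: {esc(e)}</li>" for n, e in rows)
    return f"<p>Results for {esc(term)}</p><ul>{items}</ul>"

def demo():
    # Constructed inputs: one that changes the query's logic, one that is
    # markup rather than a name. Returns what each handler version does.
    conn = make_db()
    tautology = "x' OR 'a'='a"
    markup = "<script>alert(1)</script>"
    return {
        "vuln_rows": len(lookup_vulnerable(conn, tautology)),
        "safe_rows": len(lookup_safe(conn, tautology)),
        "vuln_html": render_vulnerable(markup, []),
        "safe_html": render_safe(markup, []),
    }
```

The vulnerable lookup returns every row for a name that matches nothing, while the bound parameter returns none; the same input string is harmless once the application stops treating it as code.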
[Diagram: (1) the user logs in to their account; (2) an access token is issued; (3) script-injected link; (4) unintended action]

The Core Security Problem
Because the client is outside of the application's control, users can submit arbitrary input to the server-side application. The application must assume that all input is potentially malicious.
- Users can interfere with any piece of data transmitted between the client and the server.
- Users can send requests in any sequence and can submit parameters at a different stage than the application expects.
- Users are not restricted to using only a web browser to access the application.

The OWASP Foundation
The Open Web Application Security Project (OWASP) provides free and open resources*. It is led by a non-profit called The OWASP Foundation. The OWASP Top 10 - 2017 is the published result of recent research based on comprehensive data compiled from over 40 partner organizations. From this data, approximately 2.3 million vulnerabilities were discovered across over 50,000 applications.
* https://www.owasp.org/

OWASP Top 10
According to the OWASP Top 10 - 2017, the ten most critical web application security risks include*:
1. SQL injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Insecure Direct Object References
6. Security Misconfiguration
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging and Monitoring

Summary
- A Web application (Web app) is an application program that is stored on a remote server and delivered over the Internet through a browser interface.
- Nowadays web applications are mostly dynamic pages and provide two-way communication to interact with users.
- Encryption and authentication are essential in web applications.
- The protocol (HTTP) is lightweight and connectionless; HTTPS is more secure because it uses SSL (encryption).
- Web applications are widely adopted inside organizations to support key business functions.
- Broken authentication, broken access control, SQL injection, cross-site scripting and cross-site request forgery are examples of web vulnerabilities.

References
Stuttard, Dafydd, and Marcus Pinto. The Web Application Hacker's Handbook. Indianapolis, Ind.: Wiley.
Shema, Mike, and Jorge Blanco Alcover. Hacking Web Apps: Detecting and Preventing Web Application Security Problems. Waltham, MA: Syngress, 2012.