Web Application Security Presented by Ben Lake

Page 1: Web Application Security Presented by Ben Lake. How the Web Works Hypertext Transfer Protocol (HTTP)  Application-level  Stateless Example  Web Browser

Web Application Security

Presented by

Ben Lake

Page 2:

How the Web Works

• Hypertext Transfer Protocol (HTTP)
  • Application-level
  • Stateless

• Example

  Web Browser Request:

  GET / HTTP/1.1
  Host: www.google.com
  [Content]

  Web Server Response:

  HTTP/1.1 200 OK
  [Content]

Page 3:

Web Applications

• Pseudo Definition: A series of HTTP requests to complete a task in an environment in which state is maintained.

• The difference between a web site and a web application is the ability to maintain state.

• Examples: Online shopping, banking, class enrollment, bulletin board, etc.

Page 4:

Maintaining State

• State: A condition of mode or being. A light has two obvious states: ON or OFF.

• HTTP is a stateless protocol: every request is individual and maintains no correlation to past requests.

• Maintaining state over HTTP is an illusion. This illusion is created by having a key piece of information propagate between requests.

Page 5:

Cookies!

• Definition: An extension of HTTP that allows state to be maintained by providing a token piece of information between HTTP requests.

• Put simply, cookies are datagrams stored by a web browser at the request of a web server.

• How they work
  • Client sends request
  • Server sends response with its own request to set a cookie:

    Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure

  • Client decides to accept or reject cookie
  • Subsequent requests may or may not contain the cookie
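The accept/send decision above in code, as an added example that is not part of the presentation: a parser for the Set-Cookie format shown on the slide, and the check a browser makes before attaching the stored cookie to a later request (domain, path, expiry, and never sending a `secure` cookie over plain http). The sample Set-Cookie value and host names are constructed; the expires date is parsed with Python's email.utils, which accepts the Netscape date format.

```python
import time
from email.utils import parsedate_to_datetime
from urllib.parse import urlsplit

# Constructed sample: the slide's Set-Cookie template with concrete values.
SAMPLE_SET_COOKIE = ("SESSIONID=a1b2c3; expires=Wed, 09-Jun-2031 10:18:14 GMT; "
                     "path=/account; domain=.example.com; secure")


def parse_set_cookie(header, origin_host):
    """Parse NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure.
    A missing domain or path defaults to the responding host and '/'."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": origin_host,
              "path": "/", "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            cookie["secure"] = True          # flag attribute, no value
        elif key == "expires":
            # Netscape format "Wdy, DD-Mon-YYYY HH:MM:SS GMT" -> epoch seconds
            cookie["expires"] = parsedate_to_datetime(val).timestamp()
        elif key in ("path", "domain"):
            cookie[key] = val.strip()
    return cookie


def should_send(cookie, url, now=None):
    """The client-side decision from the slide: a subsequent request carries
    the cookie only if the host and path match, the cookie has not expired,
    and a 'secure' cookie is only ever sent over https."""
    now = time.time() if now is None else now
    u = urlsplit(url)
    host = u.hostname or ""
    domain = cookie["domain"].lstrip(".")    # ".example.com" -> "example.com"
    if not (host == domain or host.endswith("." + domain)):
        return False
    if not (u.path or "/").startswith(cookie["path"]):   # prefix match
        return False
    if cookie["expires"] is not None and now > cookie["expires"]:
        return False
    if cookie["secure"] and u.scheme != "https":
        return False
    return True
```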

Page 6:

Cookies! and State

• Cookies provide a mechanism to maintain state.

• The data stored in a cookie can be used to identify a user based on previous requests.

• Examples
  • Storing the ID numbers of the items you have selected for purchase.
  • Storing a unique ID number that identifies you as the person taking an online test.

Page 7:

Authentication

• Definition: The mechanism(s) that provide a means of identifying an individual in a public environment.

• When state can be maintained, authentication in a Web Application becomes feasible.

• Authentication allows a system to meet the needs of the individual using it. This includes Web Applications.

• Examples
  • Banking - whose account should be accessed?
  • Course Enrollment - what courses have you taken?
  • Shopping - what's on your wish list?

Page 8:

Authenticating and State

• Authentication allows more robust and customized functionality from Web Applications.

• There are many ways to authenticate a client.

Scenario 1: Require user to authenticate for every request.
  • Problems: Cumbersome for user.
  • Solutions: Auto-populating browser.

Scenario 2: Store authentication information in a cookie.
  • Problems: Probability of authentication information being intercepted greatly increased.
  • Solutions: Use a unique ID.

Scenario 3: Store a unique ID in a cookie assigned when authentication information is verified.
  • Problems: Unique ID can be intercepted and used by another user.
  • Solutions: Rolling ID and/or ID expiration.
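Scenario 3 with both of its fixes, as an added example rather than code from the presentation: a server-side session store that issues a random unique ID only after credentials are verified, expires the ID after a fixed lifetime, and rolls it on every request so that an intercepted ID is invalidated as soon as the legitimate client makes its next request. The `verify` callback, the `SESSIONID` cookie name, the in-memory dict and the injectable clock are assumptions made for the illustration.

```python
import secrets
import time
from email.utils import formatdate


class SessionStore:
    """Server side of scenario 3: verify credentials once, hand the client a
    random ID in a cookie, expire it, and replace it on every request.
    The dict is an in-memory stand-in for a real session store (assumption);
    the clock parameter exists only so the behaviour can be tested."""

    def __init__(self, lifetime=900, clock=time.time):
        self.lifetime = lifetime
        self.clock = clock
        self._sessions = {}  # session_id -> (user, expires_at)

    def login(self, user, password, verify):
        """verify(user, password) is the caller's credential check (assumed).
        Only a successful check produces a session ID."""
        if not verify(user, password):
            return None
        return self._issue(user)

    def _issue(self, user):
        # 32 bytes from the OS CSPRNG: unguessable, unlike a counter or
        # anything derived from the username.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = (user, self.clock() + self.lifetime)
        return sid

    def resume(self, sid):
        """Validate the ID presented in the Cookie header.
        Returns (user, new_sid) or None. The presented ID is removed whether
        or not it was valid; the fresh ID is what makes the scheme 'rolling'."""
        entry = self._sessions.pop(sid, None)
        if entry is None:
            return None
        user, expires_at = entry
        if self.clock() > expires_at:      # ID expiration
            return None
        return user, self._issue(user)     # rolling ID

    def set_cookie_header(self, sid):
        """Set-Cookie line in the format shown on the Cookies slide."""
        _, expires_at = self._sessions[sid]
        expires = formatdate(expires_at, usegmt=True)
        return f"Set-Cookie: SESSIONID={sid}; expires={expires}; path=/; secure"
```

The server must send the new ID back in a fresh Set-Cookie on every response, otherwise the client's next request will carry an ID that `resume` has already discarded.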

Page 9:

Secure Socket Layer (SSL)

• Definition: A protocol layered on top of TCP to provide a secure (encrypted) transport layer for the communication between two applications.

• Attributes
  • Private - The data stream is symmetrically encrypted.
  • Reliable - Each packet of information is verified via a hash.
  • Authentic - The server's identity is authenticated using asymmetric encryption.

• How SSL Works
  • There is a handshake between the client and server to decide on a protocol version, encryption suite, and encryption method.
  • The peers verify one another's identity, if applicable, using public key encryption methods.
  • A secure connection is established and data is transported transparently by the secure layer.

Page 10:

Conclusion

• Security is evolving with every newly adopted standard. Be aware of the technologies you're utilizing, so that you can make an educated assessment of the security risks you face in any given environment.

Page 11:

References

• HTTP - ftp://ftp.isi.edu/in-notes/rfc2616.txt

• Cookies - http://www.netscape.com/newsref/std/cookie_spec.html

• SSL - http://wp.netscape.com/eng/ssl3/draft302.txt