Web Application Security
Presented by
Ben Lake
How the Web Works
• Hypertext Transfer Protocol (HTTP)
  Application-level
  Stateless
• Example
  Web Browser Request:
  GET / HTTP/1.1
  Host: www.google.com
  [Content]
  Web Server Response:
  HTTP/1.1 200 OK
  [Content]
Web Applications
• Pseudo-definition: A series of HTTP requests that complete a task in an
environment in which state is maintained.
• The difference between a web site and a web application is the ability to maintain state.
• Examples: Online shopping, banking, class enrollment, bulletin
board, etc.
Maintaining State
• State: A condition or mode of being. A light has two obvious states: ON or OFF.
• HTTP is a stateless protocol: Every request is individual and maintains no correlation
with past requests.
• Maintaining state over HTTP is an illusion. This illusion is created by having a key piece of
information propagate between requests.
Cookies!
• Definition: An extension of HTTP that allows state to be maintained by
providing a token piece of information between HTTP requests.
• Put simply, cookies are datagrams stored by a web browser at the request of a web server.
• How they work:
  Client sends request
  Server sends response with its own request to set a cookie
  Client decides to accept or reject the cookie
  Subsequent requests may or may not contain the cookie
  Set-Cookie: NAME=VALUE; expires=DATE; path=PATH; domain=DOMAIN_NAME; secure
Cookies! and State
• Cookies provide a mechanism to maintain state.
• The data stored in a cookie can be used to identify a user based on previous requests.
• Examples:
  Storing the ID numbers of the items you have selected for purchase.
  Storing a unique ID number that identifies you as the person taking an online test.
Authentication
• Definition: The mechanism(s) that provide a means of identifying an individual in a
public environment.
• When state can be maintained, authentication in a Web Application becomes feasible.
• Authentication allows a system to meet the needs of the individual using it. This includes Web Applications.
• Examples:
  Banking - whose account should be accessed?
  Course Enrollment - what courses have you taken?
  Shopping - what’s on your wish list?
Authenticating and State
• Authentication allows more robust and customized functionality from Web Applications.
• There are many ways to authenticate a client.
Scenario 1: Require the user to authenticate for every request.
• Problems: Cumbersome for the user.
• Solutions: Auto-populating browser.
Scenario 2: Store authentication information in a cookie.
• Problems: Probability of authentication information being intercepted
greatly increased.
• Solutions: Use a unique ID.
Scenario 3: Store a unique ID in a cookie, assigned when authentication information is verified.
• Problems: Unique ID can be intercepted and used by another user.
• Solutions: Rolling ID and/or ID expiration.
Secure Socket Layer (SSL)
• Definition: A protocol layered on top of TCP to provide a secure (encrypted) transport layer
for the communication between two applications.
• Attributes:
  Private - The data stream is symmetrically encrypted.
  Reliable - Each record is verified via a keyed hash (MAC).
  Authentic - The server's identity is authenticated using asymmetric encryption.
• How SSL Works:
  There is a handshake between the client and server to agree on a protocol version, cipher suite, and encryption method.
  The peers verify one another's identity, if applicable, using public-key methods.
  A secure connection is established and data is transported transparently by the secure layer.
Conclusion
• Security is evolving with every newly adopted standard. Be aware of the technologies you’re utilizing, so that you can make an educated assessment of the security risks you face in any given environment.
References
• HTTP - ftp://ftp.isi.edu/in-notes/rfc2616.txt
• Cookies - http://www.netscape.com/newsref/std/cookie_spec.html
• SSL - http://wp.netscape.com/eng/ssl3/draft302.txt