Lecture notes: Web technologies and e-Services - Lecture 12: Web Security - Trường Đại học Bách khoa Hà Nội (Hanoi University of Science and Technology)

IT4409: Web Technologies and e-Services
Web Security
Outline  
1. What is web security?  
2. HTTPS  
3. Session Management  
4. Authentication  
5. Common Web Attacks  
What is web security?  
• Website security is the act/practice of protecting websites from unauthorized access, use, modification, destruction, or disruption. (Mozilla)
• Effective website security requires design effort across the whole of the website:
  - Web application
  - Configuration of the web server
  - Policies for creating and renewing passwords
  - Client-side code.
Facts and Stats
• 95% of breached records came from only three industries in 2016
• There is a hacker attack every 39 seconds
• 43% of cyber attacks target small business
• The average cost of a data breach in 2020 will exceed $150 million
• In 2018 hackers stole half a billion personal records
• Over 75% of the healthcare industry was infected with malware during 2018
• Large-scale DDoS attacks increase in size by 500%
• Approximately $6 trillion is expected to be spent globally on cybersecurity by 2021
• By 2020 there will be roughly 200 billion connected devices
• Unfilled cybersecurity jobs worldwide will reach 3.5 million by 2021
• 95% of cybersecurity breaches are due to human error
• More than 77% of organizations do not have a Cyber Security Incident Response plan
• Most companies take nearly 6 months to detect a data breach, even major ones
• Share prices fall 7.27% on average after a breach
• The total cost of cybercrime committed globally added up to over $1 trillion in 2018
HTTPS  
• Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website.
  - HTTPS is encrypted in order to increase the security of data transfer.
  - This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.
• HTTPS uses an encryption protocol to encrypt communications.
• The protocol is called Transport Layer Security (TLS), although formerly it was known as Secure Sockets Layer (SSL).
  - The private key: this key is controlled by the owner of a website and it's kept, as the reader may have speculated, private. This key lives on a web server and is used to decrypt information encrypted by the public key.
  - The public key: this key is available to everyone who wants to interact with the server in a way that's secure. Information that's encrypted by the public key can only be decrypted by the private key.
Session Management
• A web session is a sequence of HTTP request and response transactions associated with the same user.
• Modern and complex web applications require retaining information or status about each user for the duration of multiple requests.
• Therefore, sessions provide the ability to establish variables, such as access rights and localization settings, which will apply to each and every interaction a user has with the web application for the duration of the session.
• Web applications can create sessions to keep track of anonymous users after the very first user request.
• The disclosure, capture, prediction, brute force, or fixation of the session ID will lead to session hijacking (or sidejacking) attacks.
• An attacker is then able to fully impersonate the victim user in the web application.
• Attackers can perform two types of session hijacking attacks, targeted or generic.
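An added example, not from the lecture, of the defensive side of the session slide above: an unpredictable session ID drawn from the OS random source (defeats prediction and brute force), a server-side store with expiry, ID rotation at login so an ID planted before login is useless (defeats fixation), and the cookie attributes that make capture harder. The `SessionStore` class, the `login` helper and `session_cookie_header` are this example's own names, not a framework API.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_ID_BYTES = 32  # 256 bits from the OS CSPRNG: not guessable or brute-forceable


class SessionStore:
    """Server-side session store. The browser holds only an opaque ID;
    all state (user, roles, locale) stays on the server."""

    def __init__(self, ttl_seconds=1800):
        self._sessions = {}  # sid -> {"data": {...}, "expires": float}
        self._ttl = ttl_seconds

    def create(self, data=None, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(SESSION_ID_BYTES)
        self._sessions[sid] = {"data": dict(data or {}), "expires": now + self._ttl}
        return sid

    def get(self, sid, now=None):
        now = time.time() if now is None else now
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        if now >= entry["expires"]:   # idle sessions are dropped, which limits
            del self._sessions[sid]   # how long a captured ID stays useful
            return None
        return entry["data"]

    def rotate(self, old_sid, now=None):
        """Move the session to a fresh ID and invalidate the old one. Called at
        login (and on privilege changes), so a fixated pre-login ID is useless."""
        data = self.get(old_sid, now)
        if data is None:
            return None
        del self._sessions[old_sid]
        return self.create(data, now)

    def destroy(self, sid):
        """Logout: the ID must stop working server-side, not just vanish from the browser."""
        self._sessions.pop(sid, None)


def login(store, presented_sid, username):
    """Bind the (already authenticated) user to a *new* session ID."""
    new_sid = store.rotate(presented_sid) or store.create()
    store.get(new_sid)["user"] = username
    return new_sid


def session_cookie_header(sid, max_age=1800):
    """Set-Cookie line: HttpOnly blocks script access, Secure keeps it off plain
    HTTP, SameSite=Lax stops most cross-site sending of the cookie."""
    cookie = SimpleCookie()
    cookie["sessionid"] = sid
    cookie["sessionid"]["httponly"] = True
    cookie["sessionid"]["secure"] = True
    cookie["sessionid"]["samesite"] = "Lax"
    cookie["sessionid"]["path"] = "/"
    cookie["sessionid"]["max-age"] = max_age
    return cookie.output(header="Set-Cookie:")


if __name__ == "__main__":
    store = SessionStore()
    anonymous = store.create({"locale": "vi"})
    authenticated = login(store, anonymous, "alice")
    print(session_cookie_header(authenticated))
    print("old id still valid?", store.get(anonymous) is not None)
```

Rotation is the part most often skipped: if the same ID is kept across login, anyone who managed to plant or observe it beforehand inherits the authenticated session.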
Major security issues  
• Prevent unauthorized users from accessing sensitive data
  - Authentication: identifying users to determine if they are one of the authorized ones
  - Access control: identifying which resources need protection and who should have access to them
• Prevent attackers from stealing data from the network during transmission
  - Encryption (usually by Secure Sockets Layer)
Authentication  
• Collect user ID information from end users ("logging in")
  - usually by means of a browser dialog / interface
  - user ID information normally refers to username and password
• Transport the collected user ID information to the web server
  - insecurely (HTTP) or securely (HTTPS = HTTP over SSL)
• Verify the ID and password with the backend realm ("security database")
  - The realm maintains usernames, passwords, roles, etc., and can be organized by means of LDAP (Lightweight Directory Access Protocol), an RDBMS, flat files, etc.
  - Validation: the web server checks whether the collected user ID and password match those in the realm.
• Keep track of previously authenticated users for further HTTP operations
WWW-Authenticate  
• The authentication request received by the browser will look something like:
  - WWW-Authenticate: Basic realm="defaultRealm"
      - Basic indicates that HTTP Basic authentication is requested
      - realm indicates the context of the login
      - realms hold all of the parts of the security puzzle: users, groups, and ACLs (Access Control Lists)
• Basic Authentication
  - userid and password are sent base64-encoded (might as well be plain text)
  - an attacker doesn't even need to decode it; all they have to do is "replay" the blob of information they captured over and over (this is called a "replay attack")
WWW-Authenticate  
• Digest Authentication
  - attempts to overcome the shortcomings of Basic Authentication
  - WWW-Authenticate: Digest realm="defaultRealm", nonce="Server SpecificString"
  - see RFC 2069 for a description of the nonce; each nonce is different
  - the nonce is used in the browser in a one-way function (MD5, SHA-1, ...) to hash the userid and password for the server; because the nonce changes, this function essentially makes the password good for only one time
• Common browsers don't use Digest Authentication, but an applet could, as an applet has access to all of the Java encryption classes needed to create a digest.
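An added example, not from the lecture, covering the three preceding slides together: decoding a Basic header (showing that base64 hides nothing), verifying the result against a realm that stores salted PBKDF2 hashes rather than passwords, and the Digest exchange using the RFC 2069 formula MD5(HA1 ":" nonce ":" HA2) with the server consuming each nonce once so a replayed response is rejected. The `Realm` and `DigestServer` classes, the realm name "defaultRealm" (from the slide) and the user "alice"/"s3cret" are this example's own constructed values; single-use nonces are a policy chosen here, not something RFC 2069 requires.

```python
import base64
import hashlib
import hmac
import secrets


# ---- Basic: the credentials travel base64-encoded, i.e. effectively in the clear ----

def make_basic_header(username, password):
    blob = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {blob}"


def parse_basic(header):
    """Recover the credentials from a Basic header. base64 is an encoding, not
    encryption: anyone who observes the header has the password."""
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic header")
    username, _, password = base64.b64decode(blob).decode("utf-8").partition(":")
    return username, password


class Realm:
    """The 'security database': stores salted PBKDF2 hashes, never plaintext."""

    def __init__(self, name):
        self.name = name
        self._users = {}  # username -> (salt, derived key)

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
        self._users[username] = (salt, digest)

    def check_password(self, username, password):
        entry = self._users.get(username)
        if entry is None:
            return False
        salt, digest = entry
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
        return hmac.compare_digest(candidate, digest)  # constant-time compare


def verify_basic(realm, header):
    try:
        username, password = parse_basic(header)
    except (ValueError, UnicodeDecodeError):  # malformed base64 raises a ValueError subclass
        return False
    return realm.check_password(username, password)


# ---- Digest (RFC 2069 form): the password never leaves the client ----

def md5hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, realm, password, nonce, method, uri):
    """Client side: response = MD5(HA1 ":" nonce ":" HA2) with
    HA1 = MD5(user:realm:password) and HA2 = MD5(method:uri)."""
    ha1 = md5hex(f"{username}:{realm}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{ha2}")


class DigestServer:
    def __init__(self, realm, users):
        self.realm = realm
        # Only HA1 is kept server side; it is enough to verify responses.
        self._ha1 = {u: md5hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self._unused_nonces = set()

    def challenge(self):
        """Build the WWW-Authenticate value; every challenge carries a fresh nonce."""
        nonce = secrets.token_hex(16)
        self._unused_nonces.add(nonce)
        return f'Digest realm="{self.realm}", nonce="{nonce}"', nonce

    def verify(self, username, nonce, method, uri, response):
        if nonce not in self._unused_nonces:
            return False  # never issued, or already consumed: a replayed response
        self._unused_nonces.discard(nonce)  # one-time use (policy of this example)
        ha1 = self._ha1.get(username)
        if ha1 is None:
            return False
        expected = md5hex(f"{ha1}:{nonce}:{md5hex(f'{method}:{uri}')}")
        return hmac.compare_digest(expected, response)
```

Two things the code makes visible: a captured Basic header is immediately usable by anyone who reads it, whereas a captured Digest response is bound to one nonce and stops working as soon as the server issues a new one.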
Common Web Attacks  
Client side:
  - XSS
  - CSRF
Server side:
  - SQLi
  - Brute-force
  - File upload
  - Command injection
Cross-Site Scripting - XSS  
• Cross-site scripting (XSS) is a security exploit which allows an attacker to inject malicious client-side code into a website.
• This code is executed in the victims' browsers and lets the attacker bypass access controls and impersonate users.
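An added example, not from the lecture, of where the injection described above happens and how it is prevented on the server side: the vulnerable pattern concatenates user input into HTML, the safe version escapes it for the HTML text context, and a link renderer shows that an attribute context additionally needs a scheme allow-list. The `<script>alert(1)</script>` string is the standard constructed test input for this class of bug; the function names are this example's own.

```python
import html
from urllib.parse import urlsplit


def render_greeting_vulnerable(name):
    """The pattern that causes XSS: untrusted input concatenated into HTML,
    so any markup in `name` is parsed and run by the victim's browser."""
    return f"<p>Hello, {name}!</p>"


def render_greeting_safe(name):
    """HTML text context: escape <, >, &, and both quote characters so the
    input is displayed as text rather than parsed as markup."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_link_safe(url, label):
    """Attribute context needs escaping *and* a scheme allow-list: escaping alone
    would still let a javascript: URL through as a clickable link."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        url = "#"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(label, quote=True)}</a>'


if __name__ == "__main__":
    sample = "<script>alert(1)</script>"  # constructed test input
    print("vulnerable:", render_greeting_vulnerable(sample))
    print("safe:      ", render_greeting_safe(sample))
    print("link:      ", render_link_safe("javascript:alert(1)", "click me"))
```

Escaping must match the output context (text, attribute, URL, JavaScript); `html.escape` is correct for the first two only, which is why the link helper also checks the scheme.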
PDF, 40 pages, Thùy Anh, 27/04/2022 (this extract covers 20 sample pages)