Web Application Security
Li-Chiou Chen
Seidenberg School of Computer Science and Information Systems
Pace University
March 1st, 2013
What device do you use to surf the web?
© Li-Chiou Chen, Pace University 2
What software do you use to surf the web
What are things you do on the web?
Which network protocol do you use to surf the web?
HTTP (Hypertext Transfer Protocol)
[Figure: a browser (IE, Firefox, or others) talks to the server www.example.com. Client: "Hello! Please send me the file specified in the URL." Server: "OK. Here is your file."]
HTTP is the application layer protocol that browsers and servers use to communicate with each other
HTML (Hypertext Markup Language)
HTML is the language used to describe web content; it is carried as the data (the message body) in HTTP communications
A browser interprets the HTML and displays the content it specifies
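The request/response exchange on the HTTP slide, and the HTML "carried as the data" on this one, as an added example that is not part of the original slides: a small HTTP/1.1 message parser run on a constructed request and a constructed response. The host www.example.com, the cookie value and the HTML body are made up for illustration.

```javascript
// Added example (not from the slides): parse HTTP/1.1 messages and see where
// the HTML sits. The request, response, host and cookie are constructed.
'use strict';

// Split a raw HTTP message into start line, headers and body. The body is
// everything after the first blank line; Content-Length is honoured if present.
function parseHttpMessage(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  const head = sep === -1 ? raw : raw.slice(0, sep);
  let body = sep === -1 ? '' : raw.slice(sep + 4);
  const [startLine, ...headerLines] = head.split('\r\n');
  const headers = {};
  for (const line of headerLines) {
    const i = line.indexOf(':');
    if (i === -1) continue;                 // tolerate a malformed header line
    headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  if (headers['content-length'] !== undefined) {
    body = body.slice(0, Number(headers['content-length']));
  }
  return { startLine, headers, body };
}

// Numeric status code of a parsed response ("HTTP/1.1 200 OK" -> 200).
function statusOf(message) {
  return Number(message.startLine.split(' ')[1]);
}

// "Client: please send me the file specified in the URL" as the bytes a
// browser actually puts on the wire.
function buildRequest(method, url) {
  const u = new URL(url);
  return [
    `${method} ${u.pathname}${u.search} HTTP/1.1`,
    `Host: ${u.host}`,
    'User-Agent: example-browser/1.0',
    'Connection: close',
    '', '',                                   // blank line ends the headers
  ].join('\r\n');
}

// "Server: OK, here is your file": a constructed response whose data is HTML.
const sampleResponse =
  'HTTP/1.1 200 OK\r\n' +
  'Content-Type: text/html; charset=utf-8\r\n' +
  'Set-Cookie: session=abc123; HttpOnly\r\n' +
  'Content-Length: 57\r\n' +
  '\r\n' +
  '<html><body><h1>Hello from example.com</h1></body></html>';

const request = parseHttpMessage(buildRequest('GET', 'http://www.example.com/index.html?x=1'));
const response = parseHttpMessage(sampleResponse);
console.log(request.startLine, '->', statusOf(response), response.headers['content-type']);
console.log('HTML body:', response.body);
```

Note that the Set-Cookie header travels in the same message as the HTML; a proxy that can read this response (see Activity III) reads the session cookie too.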
Web Application Architecture
[Figure: web browsers/apps send HTTP over TCP/IP across the Internet to a web server; the web server passes requests over HTTP to an application server (ASP/Servlet/JSP), which queries a DBMS.]
Source: Dr. Lixin Tao, Web security lectures
Common Threats to Web Applications
Malware or spyware
Phishing
Weak authentication
SQL injection, cross-site scripting, cross-site request forgery, etc.
How to determine if a web site is legitimate?
How to determine if a web site is legitimate
Make sure that the web address is correct
Google it or type it yourself
Do not click on links in emails
Use browser security features
Firefox has more default security settings than IE
Use HTTPS encryption for sensitive information
Verify the site using the security padlock
Pay attention to browser warnings
Make sure that the web address is correct
Google it or type it yourself
Do not click on links in emails
Uniform Resource Locator (URL)
An address that uniquely identifies a web resource, such as a web page or a Java object, on the Internet
An example: http://www.pace.edu/pace/
http is the application layer protocol used for the communication
www.pace.edu is the domain name of the web server
pace is the directory (path) on that server
Because the path ends with a slash, the server returns the default document of the pace directory (for example default.html or index.html, depending on how the server is configured)
Which one of the following is a fake URL?
http://www.citicards.com.chilli.net
http://129.20.1.2/www.citicards.com/
http://paybill.center.net/citicards/
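The check behind the question above, as an added example that is not part of the original slides: parse each candidate the way a browser does and ask which host the browser will actually connect to. The expected domain citi.com is taken from the slides that follow (the real site is www.citicards.citi.com); the three candidates are the ones listed above, and none of them has citi.com as its domain. The extra cases at the bottom (a URL with a user-info prefix and a raw IPv6 host) go beyond the slide and are constructed.

```javascript
// Added example (not from the slides): decide whether a URL's host really
// belongs to the expected domain. The candidate URLs are the slide's; the
// expected domain citi.com comes from the later slides; "evil.example" is made up.
'use strict';

// True only if the host is exactly expectedDomain or a subdomain of it.
// Look-alike prefixes (www.citicards.com.chilli.net), raw IP addresses, and the
// brand name appearing only in the path are all rejected.
function hostBelongsTo(urlString, expectedDomain) {
  let u;
  try {
    u = new URL(urlString);                // same parser the browser uses
  } catch (e) {
    return false;                          // not even a valid absolute URL
  }
  const host = u.hostname.toLowerCase().replace(/\.$/, '');
  const domain = expectedDomain.toLowerCase();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[')) {
    return false;                          // IPv4 or IPv6 literal, never a brand domain
  }
  return host === domain || host.endsWith('.' + domain);
}

// Which part of the URL does the browser connect to? Everything before the
// "@" (user info) and everything after the host (path) is ignored for that.
function whereDoesItGo(urlString) {
  const u = new URL(urlString);
  return { protocol: u.protocol, host: u.hostname, path: u.pathname };
}

const candidates = [
  'http://www.citicards.com.chilli.net',   // host ends in chilli.net
  'http://129.20.1.2/www.citicards.com/',  // host is an IP; brand is in the path
  'http://paybill.center.net/citicards/',  // host is center.net; brand is in the path
  'https://www.citicards.citi.com/',       // the real site from the slides
  'http://www.citi.com@evil.example/',     // constructed: "www.citi.com" is user info
  'http://[::1]/citi.com/',                // constructed: IPv6 literal
];

// Returns [url, verdict, host the browser would contact] for each candidate.
function classify(urls, expectedDomain) {
  return urls.map((c) => [c, hostBelongsTo(c, expectedDomain), whereDoesItGo(c).host]);
}

for (const [url, ok, host] of classify(candidates, 'citi.com')) {
  console.log(ok ? 'genuine' : 'FAKE   ', host.padEnd(30), url);
}
```

This only answers "is the host under the brand's domain"; a typo-squat such as a different registered domain that merely looks similar is also rejected, which is the point: only the registered domain you already know is accepted.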
Use Browser Security Settings
Activity I: Examine Browser Security Settings
Open Firefox
Tools / Options / Security: the block list of reported attack sites and web forgeries
Tools / Options / Privacy: cookie control
Use HTTPS encryption for sensitive information
"https" means the connection is encrypted (HTTP carried over SSL/TLS)
www.citicards.citi.com is the domain name (or site name)
Verify the site using the security padlock
Click the security padlock to see the web certificate
You need to click the padlock to verify the site
The certificate shows that www.citicards.citi.com is owned by Citigroup Inc.
VeriSign, Inc. (the certificate authority) verifies this information
The padlock also indicates that the connection is encrypted
The content of the web certificate
Activity II: Examine Web Certificate
Go to a site that uses encryption, such as www.google.com
Click on the security padlock (the lock icon in front of "https" in the address bar)
Click on More Information to see the web certificate
Click on View Certificate to see the certificate
Click on View Cookies to see the cookies used by the site
Pay attention to browser warnings
I Understand the Risks? Add Exception?
Confirm Security Exception? View Certificate?
Is this really Google's certificate?
Come on! I just want to go on with my life
Confirm Security Exception!
Your secure web transactions are not secure now!
Man in the Middle
[Figure: the attacker sits between browser and server, intercepts the server's real certificate, and presents a fake certificate to the browser.]
Real vs Fake Certificate
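What the browser checks before showing the padlock, and what "Confirm Security Exception" switches off, as an added example that is not part of the original slides. It is a simplified model: real browsers verify signatures up a chain to a trust anchor and check revocation; here trust is reduced to "the issuer's name is in the trust store" so the logic stays readable. The real certificate's fields (www.citicards.citi.com, Citigroup Inc., VeriSign, Inc.) are the ones named on the slides; the fake certificate, its issuer name "Intercepting Proxy CA", the fingerprints and the validity dates are constructed.

```javascript
// Added example (not from the slides): a simplified model of browser
// certificate validation, with a user-added exception. Trust is modelled as
// "issuer name is in the trust store"; fingerprints and dates are made up.
'use strict';

// RFC 6125-style name matching: exact match, or one leading wildcard label.
// "*.google.com" matches www.google.com but not a.b.google.com or google.com.
function hostMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (!p.startsWith('*.')) return p === h;
  const suffix = p.slice(1);                                    // ".google.com"
  if (!h.endsWith(suffix)) return false;
  const prefix = h.slice(0, h.length - suffix.length);
  return prefix.length > 0 && !prefix.includes('.');           // exactly one label
}

// Returns the problems a browser would warn about, and whether the page is
// shown anyway. An exception (host + fingerprint) silences every warning,
// which is exactly what "Confirm Security Exception" does.
function checkCertificate(cert, host, trustStore, now, exceptions = new Set()) {
  const problems = [];
  const names = cert.subjectAltNames.length ? cert.subjectAltNames : [cert.subjectCN];
  if (!names.some((n) => hostMatches(n, host))) problems.push('hostname mismatch');
  if (!trustStore.has(cert.issuer)) problems.push('issuer not trusted');
  if (now < cert.notBefore || now > cert.notAfter) problems.push('not valid at this time');
  const excepted = exceptions.has(host + '|' + cert.fingerprint);
  return {
    problems,
    accepted: problems.length === 0 || excepted,   // page shown without warning
    viaException: problems.length > 0 && excepted, // ...but only because the user said so
  };
}

// Trust store with the CA named on the slides, and "today" = the lecture date.
const trustStore = new Set(['VeriSign, Inc.']);
const now = new Date('2013-03-01T00:00:00Z');

// The real certificate as described on the slides (dates/fingerprint constructed).
const realCert = {
  subjectCN: 'www.citicards.citi.com',
  subjectAltNames: ['www.citicards.citi.com', '*.citi.com'],
  organization: 'Citigroup Inc.',
  issuer: 'VeriSign, Inc.',
  notBefore: new Date('2012-01-01T00:00:00Z'),
  notAfter: new Date('2014-01-01T00:00:00Z'),
  fingerprint: 'real-01',
};

// The certificate a man-in-the-middle proxy makes up for www.google.com:
// the name matches, but nobody in the trust store vouches for the issuer.
const fakeCert = {
  subjectCN: 'www.google.com',
  subjectAltNames: ['*.google.com'],
  organization: 'Google Inc.',
  issuer: 'Intercepting Proxy CA',
  notBefore: new Date('2013-02-01T00:00:00Z'),
  notAfter: new Date('2014-02-01T00:00:00Z'),
  fingerprint: 'fake-01',
};

console.log('real :', checkCertificate(realCert, 'www.citicards.citi.com', trustStore, now));
console.log('fake :', checkCertificate(fakeCert, 'www.google.com', trustStore, now));
console.log('fake, after "Confirm Security Exception":',
  checkCertificate(fakeCert, 'www.google.com', trustStore, now, new Set(['www.google.com|fake-01'])));
```

The last line is the situation on the slide "Your secure web transactions are not secure now": the connection is still encrypted, but to whoever holds the private key of the fake certificate, and the browser has been told never to mention it again for that host.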
Activity III: Intercept/View Web Transactions
We will use web proxy software, Burp Suite, to record and view your web transactions
Download the software from http://www.portswigger.net/burp/downloadfree.html
Save it on your computer desktop (it is a Java program)
Double click on the program to run it
Setting up the Proxy
Click on Proxy / Options
Uncheck "intercept requests based on the following rules"
Click on the History tab and wait for web traffic
Setup Browser Proxy Configuration
Open Firefox
Tools / Options / Advanced / Network / Settings
Check "Manual Proxy Configuration"
HTTP Proxy: 127.0.0.1, Port: 8080
Check "Use this proxy server for all protocols"
Intercept and view web transactions
In Firefox, browse www.pace.edu
On the proxy's History tab you should see the transactions that were recorded
Click on one of them to see the contents
Try a HTTPS site
Browse www.google.com
What happened?
Clean Up
Click exit to close Burp Suite when you are done.
Open Firefox
Tools/ Options / Advanced / Network /Settings
Check
No Proxy
Click OK
Recap: How to determine if a web site is legitimate
Make sure that the web address is correct
Google it or type it yourself
Do not click on links in emails
Use browser security features
Firefox has more default security settings than IE
Use HTTPS encryption for sensitive information
Verify the site using the security padlock
Pay attention to browser warnings
Activity IV: Watch Phishing Video
DoD DISA video on Phishing
http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm
Questions / Comments