Dr. Drew Hwang, CIS, Cal Poly Pomona
Home
101
WDD
ECOMM
SWA
SP
Secure Web Development
Home
Basics
Offense
Defense
SDLC
Code
Access
Parameter
Perimeter
Browser
Industry
Resource
Defense
Defensive Mechanism
Input Validation
CAPTCHA
Cryptography
Cryptography
ASPNET Cryptography
Error Handling
Alert & Audit
Database Security
Access Control
Regex Library
Common Regex
Regex Reference (.NET)
Regex Reference (PHP)
Regex Analyzer
Encode/Decode
HTML Encoder
HTML Decoder
URL Encoder
URL Decoder
Print
Defensive Mechanism
Philosophy of Defense
The Web Detective's Law:
All users are suspicious; all user input is untrusted.
Sun Tzu's Law:
If you know the enemy and know yourself, your victory will not stand in doubt.*
Humans are infinitely a threat to security.
Trust is not an absolute value or a binary concept.
Core Defensive Mechanisms**
The defense mechanisms employed by web applications comprise the following core elements:
Attack surface
: The scope of web application functionality needs to be tightly scrutinized not to introduce unnecessary attack surface.
Access
: Handling access to the application's data and functionality to prevent unauthorized access.
Input
: Handling input to the application's functions to prevent malformed input from causing undesirable behavior.
Attackers
: Handling attackers to ensure that the application behaves appropriately when being directly targeted, taking suitable defensive and offensive measures to frustrate the attacker.
Application
: Managing the application itself, by enabling administrators to monitor its activities and configure its functionality.
Reduce Attack Surface
The attack surface of a software environment is the scope of functionality that is available to unauthenticated users.
The first approach to improving information security is to reduce the attack surface, making a piece of software harder to attack.
The overall security provided by the mechanisms is only as strong as the weakest link in the chain.
Handling Access
Web applications need to handle three categories of users:
anonymous users
ordinary authenticated users
administrative users
Access control
: Access control consists of identification, authentication, and authorization.
Identification
: Web applications should identify its externals (e.g., human actors and external applications) before interacting with them. Identification requirements are typically necessary prerequisites for authentication requirements.
Authentication
: Authenticating a user involves establishing that the user is in fact who he claims to be (identification and authentication). Authentication control are typically insufficient by themselves without authorization control.
Authorization
: When the authentication functions correctly, the web application knows the identity of the user. The next logical step is to decide whether an user or a page/module/program is authorized to perform a certain action or access certain data (i.e.
user roles or
user
privileges)
.
Session Management:
After the access control, session management is needed to keep the access thereafter secure.
A web application usually receives many
concurrent requests
from different users, some of whom are authenticated and some of whom are anonymous. In order to enforce effective access control, the application creates a
session
for each user and issues the user a
token
that identifies the user.
The
token
is a unique string that the application maps to the session. HTTP
cookies
are the standard method for transmitting sessions and tokens.
Handling Input
A huge variety of different attacks against web applications involve submitting unexpected input, and
input validation
is often considered as the most essential defense against these attacks.
Input validation can be implemented on both client-side and server-side. However, client-side validation is ineffective.
Common input validation approaches include:
Sanitizing
- make potentially malicious data safe
Whitelisting
- accept known good
Blacklisting
- reject known bad
Boundary validating
- validate input coming in from an untreated source into a trusted source
Handling Attackers
Another key function of the application's security is to identify the attackers, handle the attackers, and provide appropriate notification and evidence to the application's owners of what has taken place. There are three main counter-attack mechanisms:
Error handling:
Errors inevitably occur, but they need to be handled properly not to give attackers any clue about the application being exploited.
Maintaining audit logs
: In any applications for which security is important, key events should be logged as a matter of course.
Alerting administrators
: A well-designed alerting mechanism can use a combination of factors to diagnose how a determined attack is underway and can aggregate related events into a single alert where possible. Anomalous events monitored by alerting mechanisms often include:
Usage anomalies
, such as large numbers of requests being received from a single IP address or user, indicating a scripted attack.
Business anomalies
, such as an unusual number of funds transfers being made to or from a single bank account.
Malicious requests,
such as those containing known attack strings.
Hidden data
, such as that is hidden from ordinary users but has been modified by the attackers.
Reacting to attacks:
Many security-critical applications contain built-in mechanisms to react defensively to users who are identified as potentially malicious.
Application
Administrative functions
: Web application should allow administrators to do the followings:
Manage user accounts and roles
Access monitoring and audit functions
Perform diagnostic tasks
Configure aspects of the application's functionality
These administrative functions are commonly implemented through the same web interface, thus making the administrative mechanism a critical part of the application's attack surface.
Administrative access
: Weaknesses in the authentication mechanism may enable an attacker to gain administrative access.
References
"The Art of War Plus The Ancient Chinese Revealed", translated by G. Gagliardi, Clearbridge Publishing, 2003.
"The Web Application Hacker's Handbook: Discovering and Exploiting Security Flaws", D. Stuttard and M. Pinto, 2008, Wiley Publishing.