Is the Web at Risk?
0 likes3,558 views
The document discusses the risks associated with web applications and emphasizes the importance of security in the online environment. It highlights common vulnerabilities such as injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF). The author urges users to be cautious with the applications they trust and to remain vigilant against potential threats.
![[quick] conclusions
Extra-care with the web applications you
trust your data
Extra-care on the way you handle your
email
Always act suspicious upon something
“strange” on the web
WebApp developers take care on what you
do – your code is part of the security
perimeter](https://image.slidesharecdn.com/wip2-100706043923-phpapp02/85/Is-the-Web-at-Risk-30-320.jpg)
Is the Web at Risk?
- 1. is the web @ risk ? World Internet Project Meeting 2010 ISCTE-IUL/SoTA/ADETTI-IUL Carlos Serrão Instituto Superior de Ciências do Trabalho e da Empresa carlos.serrao@iscte.pt Instituto Universitário de Lisboa carlos.j.serrao@gmail.com School of Technology and Architecture ADETTI-IUL http://www.carlosserrao.net http://blog.carlosserrao.net http://www.linkedin.com/in/carlosserrao
- 2. Is the Web … … at risk? … a risk? … putting YOU at risk? WHY? HOW? WHEN?
- 3. The Internet… … and the WWW, in the beg inning .
- 4. in the beginning... Vinton Gray Cerf Robert Elliot Kahn … a.k.a. the “Internet fathers”
- 5. The Internet was created… … as an ubiquitous … decentralized … standardized … global … interconnected … digital … communications channel.
- 6. in the beginning... (Sir) Tim Berners Lee … a.k.a. the “WWW father”
- 7. The WWW was created! A system of interlinked hypertext documents accessed via the Internet. Infinite worldwide knowledge access.
- 8. growth
- 9. evolving, growing network Small data part on Large amounts of Data on the Cloud a specific web-site data on a large (or limited number number of sites Applications on the of web-sites) Applications on the Web and Cloud desktop and Web Applications on the (more and more) Data almost desktop Part of the data inexistent on the Most data is on the still on desktop desktop (still on desktop (but also mobile) mobile) Data processing on Data processing on Data processing the desktop the desktop, but almost inexistent also on the web user
- 10. evolving, growing network Small data part on Large amounts of Data on the Cloud a specific web-site data on a large (or limited number number of sites Applications on the of web-sites) Applications on the Web and Cloud desktop and Web Applications on the (more and more) Data almost desktop Part of the data inexistent on the Most data is on the still on desktop desktop (still on desktop (but also mobile) mobile) Data processing on Data processing on Data processing the desktop the desktop, but almost inexistent also on the web user
- 11. evolving, growing network Small data part on Large amounts of Data on the Cloud a specific web-site data on a large (or limited number number of sites Applications on the of web-sites) Applications on the Web and Cloud desktop and Web Applications on the (more and more) Data almost desktop Part of the data inexistent on the Most data is on the still on desktop desktop (still on desktop (but also mobile) mobile) Data processing on Data processing on Data processing the desktop the desktop, but almost inexistent also on the web user
- 12. security++ what do we have today? anti-virus anti-malware anti-spyware firewalls intrusion detection systems … are they enough?
- 13. security++ YES, but… dothey protect the user from the web applications? cana Web application be compromised to hurt legitimate users? sure it can.
- 14. security++ How? Do you trust your favorite web-applications? Google Gmail Doyou trust your favorite social-web applications? Facebook Twitter Do you trust your homebanking? Do you trust your government web-sites?
- 15. security++ The security perimeter has huge security holes in the application Application Layer layer Legacy Systems Human Resrcs Web Services Directories Custom Developed Databases Application Code Billing APPLICATION ATTACK App Server Web Server Network Layer Hardened OS Firewall Firewall
- 16. implications…
- 17. security trends problem types typical problems on web apps
- 18. the security risks http://www.owasp.org/index.php/Top_10
- 19. security risks considering the three most important A1: Injection A2: Cross Site Scripting (XSS) A5: Cross Site Request Forgery (CSRF)
- 20. A1: Injection what if?
- 21. A1: Injection what if? SELECT * FROM users usr WHERE usr.username = ‘admin’;--’ AND usr.password=’bb21158c733229347bd4e681891e213d94c685be’
- 22. A1: Injection what if?
- 23. any input from the web app user can be an attack vector
- 24. A2: Cross Site Scripting (XSS) injecting malicious payload on the web app from the end-user side to be redirected to other users (victims)
- 25. A2: Cross Site Scripting (XSS) 1 Attacker sets the trap – update my profile Application with stored XSS Attacker enters a vulnerability malicious script into a web page that stores the data on the server Knowledge Mgmt Communication Administration Bus. Functions E-Commerce Transactions 2 Victim views page – sees attacker profile Accounts Finance Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie
- 26. A5: Cross Site Request Forgery (CSRF) an attacker can build its own malicious website and initiate request on the user’s browser
- 27. A5: Cross Site Request Forgery (CSRF) Attacker sets the trap on some website on the internet 1 (or simply via an e-mail) Application with CSRF Hidden <img> tag vulnerability contains attack against vulnerable site Knowledge Mgmt Communication Administration Bus. Functions Transactions E-Commerce Accounts Finance While logged into vulnerable site, 2 victim views attacker site Custom Code 3 Vulnerable site sees <img> tag loaded by legitimate request browser – sends GET from victim and request (including performs the action credentials) to requested vulnerable site
- 28. A5: Cross Site Request Forgery (CSRF) Alice transfer 100€ to Bob Bob through bank.com POST http://bank.com/transfer.do HTTP/1.1 ... ... ... Content-Length: 19; acct=BOB&amount=100 realizes that the same bank.com web application can execute Pirate the transfer using a URL with parameters GET http://bank.com/transfer.do?acct=BOB&amount=100 HTTP/1.1 will try to use Alice to transfer 100.000€ to its own account http://bank.com/transfer.do?acct=MARIA&amount=100000 sends an HTML email to Alice with an URL to click <a href="http://bank.com/transfer.do?acct=MARIA&amount=100000">View my Pictures!</a> or, sends an HTML email to Alice with a image to hide the attack <img src="http://bank.com/transfer.do?acct=MARIA&amount=100000" width="1" height="1" border="0"> Alice if Alice is authenticated at bank.com with an active session the transfer is performed
- 29. consequences This is serious!!! And we are just looking at the tip of the iceberg!
- 30. [quick] conclusions Extra-care with the web applications you trust your data Extra-care on the way you handle your email Always act suspicious upon something “strange” on the web WebApp developers take care on what you do – your code is part of the security perimeter