Web Security Architecture 102
Presenter: Hu Xiaoyu, Software Engineer @ VMware
Web Security 102
Presentation Outline
SSL: Secure Sockets Layer
Provides transport-layer encryption (and server authentication via certificates) to prevent sniffing and man-in-the-middle (MITM) attacks. SSL itself is deprecated; its successor TLS is what is deployed today.
Basic HTTP Authentication
Basic HTTP Authentication carries the credentials in the HTTP `Authorization` header; it is universally supported and easy to use.
Typical workflow:
It requires every request to carry the credentials effectively in plaintext (base64 is an encoding, not encryption), so HTTPS is mandatory to protect them from sniffing or MITM attacks.
Form Based Authentication
Typical Workflow:
Form Based Authentication
Cookie:
OAuth
OAuth
Example workflow:
OAuth
Demo:
https://synapse-trial.uc.r.appspot.com/
Bearer Token
A token sent in the HTTP `Authorization` header to authenticate to an application or resource server.
It is opaque to the client (typically signed or encrypted by the issuer): the client does not interpret it, only presents it. Because possession alone grants access, it must be kept confidential and sent only over HTTPS.
Password Storage
What is password salting:
https://websitesecuritystore.com/blog/what-is-password-salting/
If passwords are stored in plaintext they are exposed directly; if they are stored as plain, unsalted hashes, a precomputed "rainbow table" can map the stored hashes back to the original passwords.
Password Storage
Add a "salt": a random string of fixed length generated per password for extra entropy, so that the stored value is never the bare hash of the password and two users with the same password get different hashes.
Use existing, purpose-built libraries (e.g. bcrypt); do not roll your own.
Password Storage
For example, with input password `abc123xyz`, cost 12, and a random salt, the output of bcrypt is the string

```
$2a$12$R9h/cIPz0gi.URNNX3kh2OPST9/PgBkqquzi.Ss7KIUgO2t0jWMUW
\__/\/ \____________________/\_____________________________/
Alg Cost Salt                 Hash
```
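As an added example (not from the slides), the Python below first splits the bcrypt string shown above into the four fields of the diagram, then demonstrates the salting argument itself: an unsalted SHA-256 of `abc123xyz` is identical every time (and therefore precomputable), whereas a salted hash of the same password differs on every call and can still be verified. The salted scheme uses PBKDF2-HMAC-SHA256 from the standard library purely because bcrypt is a third-party package; the iteration count is an assumed value for the demo.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for the demo; production values should follow current guidance.
ITERATIONS = 200_000


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt modular-crypt string into alg / cost / salt / hash."""
    # Layout: $<alg>$<cost>$<22-char salt><31-char hash>, both in bcrypt's base64 alphabet.
    parts = hash_str.split("$")
    if (len(parts) != 4 or parts[0] != ""
            or parts[1] not in ("2a", "2b", "2y") or len(parts[3]) != 53):
        raise ValueError("not a bcrypt hash string")
    return {
        "alg": parts[1],
        "cost": int(parts[2]),
        "salt": parts[3][:22],
        "hash": parts[3][22:],
    }


def unsalted_sha256(password: str) -> str:
    """The weak scheme: deterministic, so a rainbow table maps it straight back."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted scheme: a fresh random salt per password, stored beside the hash."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Self-describing record, in the same spirit as bcrypt's "$alg$cost$salt+hash".
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, compare in constant time."""
    _alg, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)
```

Because the salt is stored in the clear next to the hash, it adds no secrecy; its job is to make every stored hash unique so precomputed tables and cross-user hash matching stop working.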
Password Storage
Circa 2012:
Password Storage
Circa 2013:
Password Storage
Circa 2013:
Authorization
Authentication (Authn): Decides who you are.
Authorization (Authz): Decides what you can do.
Injection
User input for the comment field: `Hi My name is Kevin, people also call me '; DROP TABLE users; --`

Statement the server ends up executing when that input is concatenated into the SQL string:

```sql
INSERT INTO comments (comment) VALUES ('Hi My name is Kevin, people also call me '; DROP TABLE users; --');
```

The single quote in the input closes the string literal, the `;` ends the statement, and `--` comments out the rest of the original query.
Injection
Command Injection
User input for filename: `videoname.mp4 && rm -rf /videos/`

Server-side execution, with the input pasted into a shell command line:

```sh
bash -c 'video_converter videoname.mp4 && rm -rf /videos/'
```

The shell treats `&&` as a command separator, so the second command runs with the service's privileges.
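As an added example (not from the slides), the Python below shows the defensive side of the command-injection case: validate the filename against an allowlist pattern, and invoke the converter as an argv list with no shell, so `&&` and `;` arrive as ordinary characters in a single argument. Because `video_converter` is hypothetical, a tiny Python one-liner that prints its first argument stands in for it.

```python
import re
import subprocess
import sys

# The input from the slide (constructed sample, as in the original).
ATTACK_INPUT = "videoname.mp4 && rm -rf /videos/"

# Allowlist: plain names ending in .mp4, no path separators or shell metacharacters.
SAFE_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+\.mp4")

# Stand-in for the hypothetical video_converter: prints argv[1] exactly as received.
STAND_IN_CONVERTER = [sys.executable, "-c", "import sys; print(sys.argv[1])"]


def unsafe_command_line(filename: str) -> str:
    """The vulnerable pattern: the filename becomes part of a string handed to a shell."""
    return f"video_converter {filename}"


def validate_filename(filename: str) -> str:
    """Reject anything outside the allowlist, including hidden files and traversal."""
    if not SAFE_NAME_RE.fullmatch(filename) or filename.startswith("."):
        raise ValueError(f"rejected filename: {filename!r}")
    return filename


def safe_argv(filename: str) -> list:
    """argv list for the converter; no shell is involved, so no operators are parsed."""
    return ["video_converter", validate_filename(filename)]


def echo_argument(arg: str) -> str:
    """Show that without a shell, metacharacters in an argv element are inert text."""
    out = subprocess.run(STAND_IN_CONVERTER + [arg], capture_output=True, text=True, check=True)
    return out.stdout.rstrip("\n")


def run_converter(filename: str) -> str:
    """Validated filename, argv list, no shell: both defenses together."""
    out = subprocess.run(
        STAND_IN_CONVERTER + [validate_filename(filename)],
        capture_output=True, text=True, check=True,
    )
    return out.stdout.rstrip("\n")
```

The two defenses are independent: the argv list alone already stops the shell from interpreting the input, and the allowlist additionally stops the converter itself from being pointed at unexpected paths or option-like names.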
Injection
Path Traversal
The client supplies a path that resolves to files outside the web service's root directory, for example:
http://some_site.com.br/get-files?file=../../../../etc/passwd
http://some_site.com.br/../../../../etc/shadow
**Mitigation**:
- Chroot jails.
- Run the service with the least privilege it needs. (It is almost always wrong to run it as root.)
- Normalize user input (decode, resolve `..` and symlinks) before checking it.
- Whitelist the paths the service may serve, and validate user input against that list.
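As an added example (not from the slides), the Python below implements the "normalize, then validate" mitigation for the requests shown above: URL-decode the parameter, resolve it against the service root with `os.path.realpath` (which collapses `..` and follows symlinks), and serve it only if the result is still inside the root. `WEB_ROOT` is a constructed path.

```python
import os
from urllib.parse import unquote

# Constructed service root for the demo.
WEB_ROOT = "/srv/www/files"


def resolve_under_root(root: str, user_path: str):
    """Return the absolute file path if it stays inside root, otherwise None."""
    root_abs = os.path.realpath(root)
    # Normalize first: decode percent-encoding so "..%2F" cannot slip past a textual check.
    decoded = unquote(user_path)
    # An absolute user path would replace root in os.path.join; realpath then exposes it.
    candidate = os.path.realpath(os.path.join(root_abs, decoded))
    # Compare with the separator appended so "/srv/www/files2" is not accepted as inside root.
    if candidate == root_abs or candidate.startswith(root_abs + os.sep):
        return candidate
    return None


def is_allowed(root: str, user_path: str) -> bool:
    return resolve_under_root(root, user_path) is not None
```

The check is done on the resolved path, not on the string the client sent, which is what defeats `../` sequences, encoded variants, and symlinks inside the root that point elsewhere. Combining it with a chroot or a non-root service account limits what a bypass could reach.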
Thank you!