Web Application Security

About This Presentation

Title:

Description:

Number of Views:29

Avg rating:3.0/5.0

Slides: 12

Provided by: benl89

Category:

Tags: application | security | symmetrically | web

Transcript and Presenter's Notes

Title: Web Application Security

1
Web Application Security

2
How the Web Works

GET / HTTP/1.1 Host www.google.com Content
HTTP/1.1 200 OK Content
3
Web Applications

Pseudo Definition
A series of HTTP requests to complete a task in
an environment in which state is maintained.
The difference between a web site and a web
application is the ability to maintain state.
Examples
Online shopping, banking, class enrollment,
bulletin board, etc.

4
Maintaining State

State
A condition of mode or being.
A light has two obvious states ON or OFF
HTTP is a stateless protocol
Every request is individual and maintains no
correlation between past requests.
Maintaining state over HTTP is an illusion.
This illusion is created by having a key piece of
information propagate between requests.

5
Cookies!

Definition
An extension of HTTP that allows state to be
maintained by providing a token piece of
information between HTTP requests.
Put simply, cookies are datagrams stored by a web
browser at the request of a web server.
How they work
Client sends request
Server sends response with its own request to set
a cookie
Client decides to accept or reject cookie
Subsequent requests may or may not contain the
cookie

Set-Cookie NAMEVALUE expiresDATE pathPATH
domainDOMAIN_NAME secure
6
Cookies! and State

Cookies provide a mechanism to maintain state.
The data stored in a cookie can be used to
identify a user based on previous requests.
Examples
Storing the ID numbers of the items you have
selected for purchase.
Storing a unique ID number that identifies you as
the person taking an online test.

7
Authentication

Definition
The mechanism(s) that provide a means of
identifying an individual in a public
environment.
When state can be maintained, authentication in a
Web Application becomes feasible.
Authentication allows a system to meet the needs
of the individual using it. This includes Web
Applications.
Examples
Banking - whose account should be accessed?
Course Enrollment - what courses have you taken?
Shopping - whats on your wish list?

8
Authenticating and State

Authentication allows more robust and customized
functionality from Web Applications.
There are many ways to authenticate a client.
Scenario 1 Require user to authenticate for
every request.
Problems Cumbersome for user.
Solutions Auto populating browser.
Scenario 2 Store authentication information in a
cookie.
Problems Probability of authentication
information being intercepted greatly increased.
Solutions Use a unique ID.
Scenario 3 Store a unique ID in a cookie
assigned when authentication information is
verified.
Problems Unique ID can be intercepted and used
by another user.
Solutions Rolling ID and/or ID expiration.

9
Secure Socket Layer (SSL)

Definition
A protocol layered on top of TCP to provide a
secure (encrypted) transport layer for the
communication between two applications.
Attributes
Private - The data stream is symmetrically
encrypted.
Reliable - Each packet of information is verified
via a hash.
Authentic - The servers identity is authenticated
using asymmetric encryption.
How SSL Works
There is a handshake between the client and
server to decide on a protocol version,
encryption suite, and encryption method.
The peers verify one another's identity if
applicable using public key encryption methods.
A secure connection is established and data is
transported transparently by the secure layer.

10
Conclusion

Security is evolving with the every newly adopted
standard. Be aware of the technologies youre
utilizing, so that you can make an educated
assessment of the security risks you face in any
given environment.