Web Security and Auth, Shan-Hung Wu, CS, NTHU (PowerPoint PPT Presentation)



SLIDE 1

Web Security and Auth

Shan-Hung Wu, CS, NTHU

SLIDE 2

Outline

  • Security risks of web applications
    – Injection, broken authentication, XSS, CSRF, etc.
    – Checklist of 23 Node.js security best practices
  • Auth: Authentication, authorization, and session management
    – HTTP Basic auth
    – HTTP Digest auth
    – Cookies for stateful sessions
    – Bearer tokens for stateless sessions
  • Single Sign On (SSO)

SLIDE 4

Authentication vs. Authorization

  • Authentication: the process to verify that you are who you say you are
  • Authorization: the process to decide whether you have permission to access a resource

SLIDE 5

Session Management

  • The process of securely handling multiple requests to a server from a single client (user)

SLIDE 6

Where to Store Session States?

  • Server
    – Stateful sessions
    – Server processes requests based on the stored states
  • Client
    – Stateless sessions
    – Server processes requests based on their content

SLIDE 8

Which one should I choose?

SLIDE 9

Evaluation Criteria

  • Complexity
  • Reliance on HTTPS
  • Reliance on CSRF protection
  • Replay and integrity protection
  • Session management
  • Use cases & tips

SLIDE 11

How It Works

  • A client attaches the clear-text password to each request:

    // Request from client
    Authorization: Basic base64(username:password)

  • Seriously?

SLIDE 12

Evaluation

  • Complexity: Dead simple; tons of libraries
  • Reliance on HTTPS: Yes
  • Reliance on CSRF protection: Yes
  • Replay and integrity protection: Relies on TLS
  • Session management: Poor
    – Logout is complicated
  • Tips: always use Basic Auth with HTTPS

SLIDE 14

HTTP Digest Auth

  • Goal: not to rely on HTTPS/TLS anymore
  • Idea: server challenges client
    – No password in every request
  • Not widely adopted due to complexity!

SLIDE 16

How It Works

  • Cookies are managed by the browser
    – Sent to the server in every subsequent request

    // Login response from server
    Set-Cookie: sessionId=...; Domain=.app.com; Secure; SameSite; HttpOnly
    // Subsequent requests from client
    Cookie: sessionId=...

SLIDE 17

Stateful Sessions

[Diagram label: User ID]

SLIDE 18

Evaluation

  • Complexity: simple; tons of libraries
  • Reliance on HTTPS: Yes
    – Set the Secure flag
  • Reliance on CSRF protection: Yes
    – Set the SameSite flag
  • Replay and integrity protection: Relies on TLS
  • Session management: Good
  • Tips: Set the HttpOnly flag to prevent XSS attacks from stealing it

SLIDE 20

How It Works

  • A JWT token is self-describing and immutable
    – Includes user ID, expiration date, etc.

    // Login response from server
    { token: e2ZahC5b }  // JWT token
    // Subsequent request from client
    Authorization: Bearer e2ZahC5b  // added by JS

[Diagram label: (uid, expdate, sha256(uid, expdate, secret))]

SLIDE 21

Stateless Sessions

[Diagram labels: User ID, User ID]

SLIDE 22

Evaluation

  • Complexity: simple with aid from libraries
  • Reliance on HTTPS: Yes
  • Reliance on CSRF protection: No
  • Replay and integrity protection: Relies on TLS
  • Session management: Limited
  • Tips:
    – Use access and refresh tokens
    – Do not save tokens in local or session storage

SLIDE 23

Tips

  • Secure → No token stealing
  • HttpOnly → No XSS
  • SameSite → No CSRF

[Diagram: app.com and auth.app.com]
Set-Cookie: access=...; Domain=.app.com; Secure; SameSite; HttpOnly
Set-Cookie: refresh=...; Domain=auth.app.com; Secure; SameSite; HttpOnly

SLIDE 24

Stateful or Stateless?

  • Stateless: more scalable, but simpler lifecycle
    – Good for single-page sites, APIs, or mobile apps

SLIDE 25

More Authentication Schemes

  • For server-to-server communications
    – Based on symmetric/asymmetric key cryptography
  • Signature Schemes
    – Idea: digitally sign every request to prevent request tampering
    – Used by AWS
  • TLS Client Certificates
    – Idea: use TLS certificates to authenticate each other

SLIDE 27

Single Sign-On (SSO)

SLIDE 28

OpenID Connect (OIDC) vs. OAuth

  • Authentication
  • Authorization

SLIDE 29

OIDC Flow

[Sequence diagram: participants Client, app.com, fb.com. Messages: Login; 302; Credentials (name, password); 302 w/ ID token; Login w/ ID token; Verification; Session]

SLIDE 30

OAuth 2 Flow

[Sequence diagram: participants Client, app.com, fb.com, auth.fb.com, api.fb.com. Messages: Login; 302; Credentials (name, password); 302 w/ ID token, grant code; Login w/ ID token; Grant code; Access token; Session w/ access token; Verification; Session]