web security and auth
play

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security - PowerPoint PPT Presentation

Jul 15, 2023 •36 likes •336 views

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

  1. Web Security and Auth Shan-Hung Wu CS, NTHU

  2. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 2

  3. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 3

  4. Authentication vs. Authorization • Authentication : the process to verify you are who you said • Authorization : the process to decide if you have permission to access a resource 4

  5. Session Management • The process of securely handling multiple requests to a server from a single client (user) 5

  6. Were to Store Session States? • Server – Stateful sessions – Server processes requests based on the states • Client – Stateless sessions – Server processes requests based on their content 6

  7. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 7

  8. Which one should I choose? 8

  9. Evaluation Criteria • Complexity • Reliance on HTTPS • Reliance on CSRF protection • Replay and integrity protection • Session management • User cases & tips 9

  10. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 10

  11. How It Works • A client attaches clear text password to each request: // Request from client Authorization: Basic base64(username:password) • Seriously? 11

  12. Evaluation • Complexity: Dead simple; tons of libraries • Reliance on HTTPS: Yes • Reliance on CSRF protection: Yes • Replay and integrity protection: Relies on TLS • Session management: Poor – Logout is complicated • Tips: always use Basic Auth with HTTPS 12

  13. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 13

  14. HTTP Digest Auth • Goal: not to rely on HTTPS/TLS anymore • Idea: server challenges client – No password in every request • Not widely adopted due to complexity! 14

  15. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 15

  16. How It Works // Login response from server Set-Cookie: sessionId=...; Domain=.app.com; Secure; SameSite; HttpOnly // Subsequent requests from client Cookie: sessionId=... • Cookies are managed by browser – Sent to server in every subsequent request 16

  17. Stateful Sessions User ID 17

  18. Evaluation • Complexity: simple; tons of libraries • Reliance on HTTPS: Yes – Set the Secure flag • Reliance on CSRF protection: Yes – Set the SameSite flag • Replay and integrity protection: Relies on TLS • Session management: Good • Tips: Set the HttpOnly flag to prevent XSS attacks from stealing it 18

  19. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 19

  20. How It Works // Login response from server { token: e2ZahC5b // JWT token } // Subsequent request from client Authorization: Bearer e2ZahC5b // added by JS • A JWT token is self-descriping and immutable – Includes user ID, expiration date, etc. (uid, expdate, sha256(uid, expdate, secret)) 20

  21. Sateless Sessions User ID User ID 21

  22. Evaluation • Complexity: simple with aid from libraries • Reliance on HTTPS: Yes • Reliance on CSRF protection: No • Replay and integrity protection: Relies on TLS • Session management: Limited • Tips: – Use access and refresh tokens – Do not save tokens in local or session storage 22

  23. Tips SetCookie: access=...; Domain=.app.com; Secure; SameSite; HttpOnly SetCookie: refresh=...; Domain=auth.app.com; Secure; SameSite; HttpOnly app.com auth. app .com • Secure à No token stealing • HttpOnly à No XSS • SameSite à No CSRF 23

  24. Statefull or Sateless? • Stateless: more scalable, but simpler lifecycle – Good for single-page sites, APIs, or mobile apps 24

  25. More Authentication Schemes • For server-to-server communications – Based on symmetric/asymmetric key cryptography • Signature Schemes – Idea: to digitally sign every request to prevent request tempering – Used by AWS • TLS Client Certificates – Idea: to use TLS certificate to authenticate each other 25

  26. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 26

  27. Signgle Sign-On (SSO) 27

  28. Open ID Connect (OIDC) vs. OAuth • Authentication • Authorization 28

  29. OIDC Flow Client app.com fb.com Login 302 Credentials (name, password) 302 w/ ID token Login w/ ID token Verification Session 29

  30. Client app.com fb.com auth.fb.com api.fb.com Login OAuth 2 Flow 302 Credentials (name, password) 302 w/ ID token, grant code Login w/ ID token Verification Session Grant code Access token Session w/ access token 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it

O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it

H! H! O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\>whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

724 views • 58 slides
MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh Department of European Educational Programmes 1 Moebius - AUTh, Greece Main challenges of mobility management 1. Large volume of bilateral agreements

483 views • 30 slides
W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018 Outline Who tried what Intel, Panasonic, Smart Things, Siemens, EURECOM, others? HTTPS (direct and via proxy), Auth

109 views • 10 slides
Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange

Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange

Infiltrating Corporate Intranet Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange Tsai Principal security researcher at DEVCORE Captain of HITCON CTF team 0day researcher, focusing on

1.98k views • 121 slides
Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2 learning management systems in AUTh centra eClass blackboard moodle 3 timeline of transition September 2014 March 2014 eLearning on

526 views • 16 slides
General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

login attempt auth failed login attempt guest login login attempt authorized Texada auth failed login attempt G( x XF y ) login attempt G( guest login XF authorized ) guest login authorized auth failed login attempt Authorized

1.11k views • 59 slides
Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI RIENC NCE!!! JUST ST 2 25 MINU INUTES f fro rom DO DOWNTOWN SA SAN ANTONI NIO Guests Choose fro rom one of our r thre ree Uniq ique

187 views • 16 slides
Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

HMC2016 4th Historic Mortars Conference Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni Ioanna Professor AUTH Stefanidou Maria Associate Professor AUTH Palyvou Clairy Emeritus Professor AUTH Pachta

95 views • 5 slides
Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co Co-found under er - Inspi pired ed Esca capes pes Founder der - The e Philanth lanthropy y Club b London on In every rything thing I do I

326 views • 16 slides
Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications and Systems Group Dept. of Mechanical E ngineering Aristotle University of Thessaloniki kkara@ eng.auth.gr , http:/ / isag.meng.auth.gr

1.56k views • 107 slides
Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

chiPSet Training School, September 2017, Novi Sad, Serbia Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.) (papadopo@csd.auth.gr, http://datalab.csd.auth.gr/~apostol) Data Science & Engineering Lab Department of

934 views • 81 slides
Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems Group Dept. of Mechanical E ngineering A ristotle University of Thessalonik i k k ara@ eng.auth.gr , http:/ / isag.meng.auth.gr Contents Part A:

983 views • 76 slides
An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth thors: Presentatio ion: Dasu, T., Krishnan, S., Vincent Chu Venkatasubramanian, S., 22 November 2017 & Yi, K. (2006). Content Introduction

512 views • 48 slides
An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data Engineering Lab Department of Informatics Aristotle University of Thessaloniki Thessaloniki Greece 1 Outline What is Spark? Basic features

951 views • 64 slides
CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris ised? CMR Regulated Seeking out persons who may have a claim Referring details of a claim or potential claim or potential claimant to another

96 views • 7 slides
R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis",

R configuration for packages install.packages(c("devtools", "usethis", "testthat", "reprex", "pkgdown")) git_sitrep() > library(usethis) > git_sitrep() Git user * Name: 'Amelia McNamara'

308 views • 9 slides
Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a

Apache Airavata Security Manager Authentication & Authorization Im Implementation for a Multi- Tenant e-Science Framework Supun Nakandala, Hasini Gunasinghe, Suresh Marru and Marlon Pierce Science Gateways Research Center Indiana

695 views • 33 slides
Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010

Hadoop Security Design? Just Add Kerberos? Really? Andrew Becherer Black Hat USA 2010 https://www.isecpartners.com Agenda Conclusion What is Hadoop Old School Hadoop Risks The New Approach to Security Concerns

300 views • 29 slides
Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity -

Testing Kotlin at Scale: Spek Artem Zinnatullin @artem_zin - Productivity - Productivity - Reviewability - Productivity - Reviewability - Maintainability - Patterns - Principles - OOP/FP - Common Sense But We focus on production code

1.47k views • 113 slides
OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days

OAuth 2.0 Ein Standard wird erwachsen Uwe Friedrichsen (codecentric AG) Berlin Expert Days 2013 4. April 2013 Uwe Friedrichsen @ufried <session> <no-code> <motivation /> <history /> <solution />

1.03k views • 44 slides
Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material

Secure System Development Mechanisms CS460 Cyber Security Lab Spring 2010 Reading Material Web sites Microsoft links from last lecture Linux Capabilities - man 7 capabilities or http://www.linuxjournal.com/article/5737

1.17k views • 29 slides
Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE

Sergey Beryozkin, T alend Sergey Beryozkin, T alend Apache CXF Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF Practical JOSE with Apache CXF What Is Apache CXF Production

465 views • 25 slides
Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A.

Interledger Smart Contracts for Decentralized Authorization to Constrained Things Vasilios A. Siris joint work with D. Dimopoulos, N. Fotiou, S. Voulgaris, G.C. Polyzos Mobile Multimedia Laboratory Athens University of Economics and Business,

289 views • 28 slides

More recommend