
Security Issues in Web Programming

Robert M. Dondero, Ph.D.
Princeton University

Objectives

You will learn about:
- Authentication and authorization
- Secure storage of usernames and passwords
- Secure data transmission

In:
- Python CGI Web programming
- Java CGI Web programming
- PHP Web programming

Part 1: Authentication and Authorization

A&A Definitions

Authentication: Is the user authentic? Is the user who he/she says he/she is?

Authorization: Does the user have proper authority? Does the user have permission to use the application in the manner he/she has requested?

Authorization Approaches

Approaches to authorization are application specific. Typically:
- Use database table(s)
- Map user login ids to permission to use each facet of the application

(We will not discuss further)

Authentication Approaches

Three approaches to authentication:
(1) "Do it yourself" authentication
(2) Basic access authentication
(3) Central Authentication Service (CAS)

Let's consider one at a time...

(1) "Do It Yourself" Authentication

- Demo PennypackPythonAuth app
- Demo PennypackJavaAuth app
- Demo PennypackPhpAuth app

"Do It Yourself" Authentication: first request

Browser: the user follows <a href="searchform.cgi"> (or searchform.php).

Web server (CGI program): calls authenticate(). Valid username/password in form or cookies? No! So it sends back the login page instead of the search form.

"Do It Yourself" Authentication: login

Browser: shows the login page:

<form action="searchform.cgi">
  <input type="text" name="username">
  <input type="password" name="password">
  ...

The browser submits the username/password in the form.

Web server (CGI program): calls authenticate(). Valid username/password in form or cookies? Yes! In form. Sets username/password cookies and sends the search form page.

"Do It Yourself" Authentication: later requests

Browser: shows the search form page (<form action="searchresults.cgi">...) and retains the cookies, so every later request carries the username/password in cookies.

Web server (CGI program): calls authenticate(). Valid username/password in form or cookies? Yes! In cookies. Continues as usual.

PennypackPythonAuth App

See PennypackPythonAuth application:
- book.py, database.py, common.py
- index.html
- searchform.cgi, searchform.py
- searchresults.cgi, searchresults.py
- auth.py

PennypackJavaAuth App

See PennypackJavaAuth application:
- Book.java, Database.java, Common.java
- index.html
- searchform.cgi, SearchForm.java
- searchresults.cgi, SearchResults.java
- Cgi.java
- Auth.java

PennypackPhpAuth App

See PennypackPhpAuth application:
- book.php, database.php, header.php, footer.php
- index.html
- searchform.php
- searchresults.php
- auth.php
- login.php

"Do It Yourself" Auth: Logout

The app can provide a "logout" link or form that commands the browser to:
- Destroy the username/password cookies, or
- Set the username/password cookies to incorrect values
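The login/cookie flow of the three preceding slides and the logout just described, as an added Python example (not code from the Pennypack apps): authenticate_deck_style follows the deck's scheme literally (credentials taken from the form, else from cookies, with the password written into a cookie after a form login), while login/authenticate/logout show the usual replacement, a random session id carried in a cookie marked Secure and HttpOnly. The USERS table and the in-memory SESSIONS store are constructed stand-ins for the apps' database.

```python
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed credential store standing in for the deck's database table.
# (A real app stores password hashes, as Part 2 of the deck explains.)
USERS = {"rdondero": "xxx"}


def check_password(username, password):
    """Credential check shared by both schemes; constant-time comparison."""
    expected = USERS.get(username)
    return expected is not None and hmac.compare_digest(
        expected.encode("utf-8"), password.encode("utf-8"))


def parse_cookies(http_cookie):
    """Turn the CGI HTTP_COOKIE env var ('a=1; b=2') into a plain dict."""
    jar = SimpleCookie()
    jar.load(http_cookie or "")
    return {name: morsel.value for name, morsel in jar.items()}


def authenticate_deck_style(form, cookies):
    """The deck's scheme: accept username/password from the form, else from cookies.

    Returns (username, headers_to_emit). After a form login the password
    itself goes into a cookie, so every later request resends it in clear.
    """
    for source in (form, cookies):
        user, pw = source.get("username"), source.get("password")
        if user is not None and pw is not None and check_password(user, pw):
            headers = []
            if source is form:
                headers = [f"Set-Cookie: username={user}",
                           f"Set-Cookie: password={pw}"]
            return user, headers
    return None, []


# Hardened variant: the browser gets an unguessable session id; the server
# keeps the id -> user mapping and the password never leaves the login request.
SESSIONS = {}   # session id -> username (per-process demo store; a real app uses a DB)
COOKIE_ATTRS = "; Path=/; Secure; HttpOnly; SameSite=Lax"


def login(form):
    """Validate the login form; on success mint a session id and its cookie."""
    user, pw = form.get("username"), form.get("password")
    if user is None or pw is None or not check_password(user, pw):
        return None, []
    sid = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    SESSIONS[sid] = user
    return user, [f"Set-Cookie: session={sid}{COOKIE_ATTRS}"]


def authenticate(cookies):
    """Later requests: look the session id up; unknown or missing id -> None."""
    return SESSIONS.get(cookies.get("session", ""))


def logout(cookies):
    """Forget the session server-side and tell the browser to drop the cookie."""
    SESSIONS.pop(cookies.get("session", ""), None)
    return ["Set-Cookie: session=; Max-Age=0" + COOKIE_ATTRS]
```

The Secure attribute keeps the browser from sending the cookie over plain HTTP (the hijacking problem raised at the end of the deck), and HttpOnly keeps page scripts from reading it; neither helps the deck-style cookies, whose contents are the password itself.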

"Do It Yourself" Auth Assessment

Pros:
- Simple
- Works with any browser and web server
- Can implement logout

Cons:
- Must write yourself!
- As shown, the cookies hold the password itself, so it is resent on every request and readable by anything that can read the cookie; a random session identifier that the server maps to the user is the usual substitute

Widely used

(2) Basic Access Authentication

Wikipedia: "The basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials – in the form of a user name and password – when making a request."

- Demo PennypackPythonAuthBasic app
- Demo PennypackJavaAuthBasic app
- Demo PennypackPhpAuthBasic app

CGI Basic Access Authentication: searchform.cgi, first request

Browser: the user follows <a href="searchform.cgi">, sending:

GET /~rdondero/cos333/PennypackPythonAuthBasic/searchform.cgi HTTP/1.1
Host: www.cs.princeton.edu
<Blank line>

Web server (CGI program): calls authenticate(). Valid username/password in HTTP_AUTHORIZATION env var? No! So it responds with a challenge:

Status: 401 Unauthorized
WWW-Authenticate: Basic realm="Log into Pennypack.com."
Content-Type: text/plain

CGI Basic Access Authentication: searchform.cgi, with credentials

Browser: displays a dialog box, collects username (rdondero) and password (xxx), retains rdondero:xxx, and resends the request with an Authorization header:

GET /~rdondero/cos333/PennypackPythonAuthBasic/searchform.cgi HTTP/1.1
Host: www.cs.princeton.edu
Authorization: Basic cmRvbmRlcm86eHh4
<Blank line>

(cmRvbmRlcm86eHh4 is "rdondero:xxx" Base64 encoded)

Web server: sets HTTP_AUTHORIZATION="Basic cmRvbmRlcm86eHh4" in the CGI program's environment.

CGI program: calls authenticate(), gets the HTTP_AUTHORIZATION env var and decodes it. Is "rdondero:xxx" valid? Yes!

CGI Basic Access Authentication: searchresults.cgi

Browser: shows the search form page (<form action="searchresults.cgi">...) and still retains rdondero:xxx, so the next request carries the same header:

GET /~rdondero/cos333/PennypackPythonAuthBasic/searchresults.cgi HTTP/1.1
Host: www.cs.princeton.edu
Authorization: Basic cmRvbmRlcm86eHh4
<Blank line>

(cmRvbmRlcm86eHh4 is "rdondero:xxx" Base64 encoded)

Web server: sets HTTP_AUTHORIZATION="Basic cmRvbmRlcm86eHh4" in the CGI program's environment.

CGI program: calls authenticate(), gets the HTTP_AUTHORIZATION env var. Is "rdondero:xxx" valid? Yes! Continues as usual.

PennypackPythonAuthBasic App

See PennypackPythonAuthBasic application:
- book.py, database.py, common.py
- index.html
- searchform.cgi, searchform.py
- searchresults.cgi, searchresults.py
- auth.py

PennypackJavaAuthBasic App

See PennypackJavaAuthBasic application:
- Book.java, Database.java, Common.java
- index.html
- searchform.cgi, SearchForm.java
- searchresults.cgi, SearchResults.java
- Cgi.java
- Auth.java

Apache and CGI Basic Web Auth

CGI apps must create an .htaccess file containing:

RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]

- Specific to the Apache web server
- Contains a "rewrite rule"
- Commands the web server to pass the HTTP_AUTHORIZATION env var to the CGI program (by default Apache withholds the Authorization header from CGI programs, so without this rule authenticate() never sees it)

PHP Basic Access Authentication: first request

Browser: the user follows <a href="searchform.php">, sending:

GET /~rdondero/cos333/PennypackPhpAuthBasic/searchform.php HTTP/1.1
Host: www.cs.princeton.edu
<Blank line>

Web server (PHP script): the require_once'd authenticate() checks $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]. Valid? No! So it responds with a challenge:

WWW-Authenticate: Basic realm="Log into Pennypack.com."
Status: 401 Unauthorized
Content-Type: text/plain

PHP Basic Access Authentication: with credentials

Browser: displays a dialog box, collects username (rdondero) and password (xxx), retains rdondero:xxx, and resends the request with an Authorization header:

GET /~rdondero/cos333/PennypackPhpAuthBasic/searchform.php HTTP/1.1
Host: www.cs.princeton.edu
Authorization: Basic cmRvbmRlcm86eHh4
<Blank line>

(cmRvbmRlcm86eHh4 is "rdondero:xxx" Base64 encoded)

Web server (PHP script): the require_once'd authenticate() checks $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"], which PHP fills in from the decoded header. Valid? Yes!

PHP Basic Access Authentication: searchresults.php

Browser: shows the search form page (<form action="searchresults.php">...) and still retains rdondero:xxx, so the next request carries the same header:

GET /~rdondero/cos333/PennypackPhpAuthBasic/searchresults.php HTTP/1.1
Host: www.cs.princeton.edu
Authorization: Basic cmRvbmRlcm86eHh4
<Blank line>

(cmRvbmRlcm86eHh4 is "rdondero:xxx" Base64 encoded)

Web server (PHP script): the require_once'd authenticate() checks $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"]. Valid? Yes! Continues as usual.

PennypackPhpAuthBasic App

See PennypackPhpAuthBasic application:
- book.php, database.php, header.php, footer.php
- index.html
- searchform.php
- searchresults.php
- auth.php

Aside: Base64 Encoding

Question: How to represent an arbitrary bit sequence using only 64 characters?
- A-Z (26)
- a-z (26)
- 0-9 (10)
- + (1)
- / (1)

Answer: Base64 encoding (each group of 3 bytes, 24 bits, becomes 4 six-bit characters; "=" pads an incomplete final group). Email uses it to represent images, etc.

Aside: Base64 Encoding

[Two figures from Wikipedia illustrating Base64 encoding: the input bytes, which could be any arbitrary bit pattern, regrouped into 6-bit units and mapped to the 64-character alphabet]
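The exchange of the CGI basic-authentication slides and the Base64 aside, as an added Python example (not the Pennypack auth.py): encode_basic builds the header value the browser sends, parse_basic is what a CGI authenticate() does with the HTTP_AUTHORIZATION environment variable, and challenge is the 401 response that makes the browser ask for credentials. The USERS table and the environ dicts are constructed; a real app would check hashed passwords, as Part 2 explains.

```python
import base64
import hmac

REALM = "Log into Pennypack.com."

# Constructed user table (the deck's auth.py consults a database). Plaintext
# passwords only to keep the example short; see Part 2 for hashing.
USERS = {"rdondero": "xxx"}


def encode_basic(username, password):
    """What the browser does: 'user:pass' -> Base64 -> 'Basic ...' header value."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic(header_value):
    """Inverse of encode_basic. Returns (username, password) or None on any defect."""
    if not header_value:
        return None
    scheme, _, payload = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):   # malformed Base64 or not UTF-8
        return None
    # A username cannot contain ':', a password may, so split on the first one only.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def valid(username, password):
    """Constant-time comparison against the stored password, if the user exists."""
    expected = USERS.get(username, "")
    ok = hmac.compare_digest(expected.encode("utf-8"), password.encode("utf-8"))
    return ok and username in USERS


def authenticate(environ):
    """The CGI program's authenticate(): the username, or None if the request lacks valid credentials."""
    creds = parse_basic(environ.get("HTTP_AUTHORIZATION"))
    if creds is None or not valid(*creds):
        return None
    return creds[0]


def challenge():
    """CGI response that makes the browser display its login dialog."""
    return ("Status: 401 Unauthorized\r\n"
            f'WWW-Authenticate: Basic realm="{REALM}"\r\n'
            "Content-Type: text/plain\r\n"
            "\r\n"
            "Login required\n")


def handle(environ):
    """searchform.cgi in miniature: challenge, or serve the page to the authenticated user."""
    user = authenticate(environ)
    if user is None:
        return challenge()
    return f"Content-Type: text/plain\r\n\r\nSearch form for {user}\n"
```

Note that parse_basic rejects anything it cannot decode cleanly rather than guessing, and that Base64 is reversible by anyone who captures the header, which is why basic authentication belongs behind HTTPS.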

Basic Access Auth: Logout

Limitation of basic access authentication... The browser retains the authentication info until:
- The browser is closed
- The user clears the "active logins" history

There is no way for the Web server to command the browser to discard the authentication info, so no way for the app to implement "logout"

Basic Access Auth: Assessment

Pros:
- Less code
- Less work for the application programmer
- Works with any browser/Web server

Cons:
- Less control
- No logout
- The credentials travel with every request, and Base64 is an encoding, not encryption, so it is only safe over HTTPS

Frequently used by small private websites; rarely used by large public websites

Basic Access Auth: Alternative

Incidentally... you can let the Web server and browser do all the work...

Basic Access Auth: Alternative

.htaccess file:

RewriteEngine on
RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization},last]
AuthUserFile /u/rdondero/public_html/cos333/PennypackPythonAuthApache/.htpasswd
AuthType Basic
AuthName "Please login to Pennypack"
Require valid-user

Informs the web server to:
● Use basic access authentication
● Find usernames and passwords in the file .htpasswd

Basic Access Auth: Alternative

.htpasswd file:

rdondero:RYO7cZqCz5WvA
cos217:nCjw.2c0vbz8.

Contains usernames and hashed passwords (not reversibly encrypted ones): these are traditional crypt(3) hashes, a 2-character salt followed by 11 characters of hash. Modern htpasswd can store bcrypt hashes instead (option -B), which are far harder to brute-force.

Created automatically by the commands:

htpasswd -c .htpasswd rdondero
htpasswd .htpasswd cos217

The htpasswd command is available on penguins

Basic Access Auth: Alternative

Pros:
- Simple
- No work for the application programmer

Cons:
- Specific to the Apache web server
- How to manage usernames and passwords? Apache has plug-in modules that allow usernames and passwords to reside in a DB

(3) CAS Authentication

Wikipedia: "The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password."

CAS Authentication

- Demo PennypackPythonAuthCas app
- Demo PennypackJavaAuthCas app
- Demo PennypackPhpAuthCas app

Question: How does it work? Answer: Beyond the scope of the course. See http://www.jasig.org/cas/protocol if interested

Question: How do I use it in my apps? Answer: ...

PennypackPythonAuthCas App

See PennypackPythonAuthCas application:
- book.py, database.py, common.py
- index.html
- searchform.cgi, searchform.py
- searchresults.cgi, searchresults.py
- CASClient.py

CASClient.py was written by Brian Kernighan, translated from the PHP version written by Scott Karlin and Alex Halderman

PennypackJavaAuthCas App

See PennypackJavaAuthCas application:
- Book.java, Database.java, Common.java
- index.html
- searchform.cgi, SearchForm.java
- searchresults.cgi, SearchResults.java
- Cgi.java
- CASClient.java

CASClient.java was written by Dondero, translated from CASClient.py

PennypackPhpAuthCas App

See PennypackPhpAuthCas application:
- book.php, database.php, header.php, footer.php
- index.html
- searchform.php
- searchresults.php
- CASClient.php

CASClient.php was written by Scott Karlin and Alex Halderman, with small edits by Dondero

CAS Authentication Assessment

Pros:
- Application need not manage usernames or passwords
- Application cannot access passwords! Suppose you want to make your application available to the Princeton community, and only that community: you can't ask people for their Princeton passwords!!!

Cons:
- Complex
- Adds overhead

Part 2: Secure Storage of Usernames and Passwords

Storing Usernames & Passwords

Problem: How to store usernames/passwords securely? I.e., how to store usernames/passwords (in a DB) such that attackers cannot steal them?

One-Way Functions

Insight: Maybe you don't need to store the usernames or passwords! Maybe it's sufficient to know whether a given username and password are correct!

Solution: a one-way function

storedUsername = oneWayFunction(username)
storedPassword = oneWayFunction(password)

Example One-Way Function

Example: the md5() hash function
- Given a string, generates an integer (128 bits)
- Given the integer, cannot generate the string
- Given the same string, generates the same integer
- May generate the same integer for two distinct strings, but improbable

Given username/password, can determine (to a high degree of probability) that they are valid

Attacker sees storedUsername/storedPassword => attacker doesn't know username/password

Caveat: md5 is a fast general-purpose hash, which lets an attacker try billions of guesses per second. For passwords, prefer a deliberately slow, salted password hash (bcrypt, scrypt, Argon2 or PBKDF2); the one-way reasoning is the same.

The Need for Salting

Problem: the one-way function approach is susceptible to a brute force attack... Given an md5 sum, the attacker could search a (malevolent) DB of known md5 sums, precomputed over common passwords, for the username/password

Salting

Solution: salting. "Salt" the username/password with some extra application-specific text

Example:

storedUsername = md5('!@#' + username + '$%^')
storedPassword = md5('&*(' + password + ')_+')

Salting

Note:
- Given username/password, can verify (to a high degree of certainty) that they are correct
- One-way function: attacker sees storedUsername/storedPassword => doesn't know username/password
- Salting: attacker finds md5 sum in malevolent DB => still doesn't know username/password
- Attacker must also see the salting code

Caveat: the fixed strings in the example are shared by every user, so two users with the same password still get the same stored value, and one table built for this application cracks all of them at once. Standard practice is a random salt generated per user and stored alongside the hash (it need not be secret). A fixed application-wide secret like the one above is then called a "pepper" and is an addition to the per-user salt, not a replacement for it.
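The contrast between the deck's fixed-string salting and a per-user random salt, as an added Python example (not the Pennypack code). It treats only the password, not the hashed username, and uses PBKDF2 from the standard library as the slow hash; the user names, passwords and wordlist are constructed.

```python
import hashlib
import hmac
import os


def deck_style(password):
    """The deck's scheme: md5 over a fixed, application-wide string plus the password."""
    return hashlib.md5(b"&*(" + password.encode("utf-8") + b")_+").hexdigest()


def hash_password(password, iterations=600_000, salt=None):
    """Per-user random salt plus PBKDF2-HMAC-SHA256 (bcrypt/scrypt/Argon2 are equally good)."""
    salt = os.urandom(16) if salt is None else salt     # a fresh salt for every user
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record: algorithm, cost, salt and hash are all needed to verify later.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and cost; constant-time compare."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def lookup_attack(db, candidates, hash_fn):
    """The precomputed-table attack: hash every candidate once, then look up each stored value."""
    table = {hash_fn(c): c for c in candidates}
    return {user: table[stored] for user, stored in db.items() if stored in table}


def demo(iterations=600_000):
    """Two users chose the same weak password; compare what the attacker learns."""
    users = {"alice": "letmein", "bob": "letmein"}              # constructed sample
    deck_db = {u: deck_style(p) for u, p in users.items()}
    new_db = {u: hash_password(p, iterations) for u, p in users.items()}
    wordlist = ["123456", "password", "letmein", "qwerty"]      # constructed sample
    cracked_deck = lookup_attack(deck_db, wordlist, deck_style)
    # Against per-user salts one table is useless: every salt needs its own run of
    # the wordlist, and each guess costs `iterations` PBKDF2 rounds.
    cracked_new = lookup_attack(new_db, wordlist, lambda p: hash_password(p, iterations))
    return {
        "deck_same_hash": deck_db["alice"] == deck_db["bob"],
        "new_same_hash": new_db["alice"] == new_db["bob"],
        "deck_cracked": len(cracked_deck),
        "new_cracked": len(cracked_new),
    }
```

demo() returns deck_same_hash True and deck_cracked 2 (one table entry recovers both accounts), against new_same_hash False and new_cracked 0. The iteration count is a tunable cost: raise it as hardware gets faster, and store it with the hash so old records can be re-hashed at next login.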

Part 3: Secure Data Transmission

The Problem

Problem: Bob wants to send a message to Alice. Bob wants the message to be secure: unintelligible to eavesdroppers

Solution...

Secret Key Encryption

Bob:   msg --encode(key)--> msgEncodedUsingKey
Alice: msgEncodedUsingKey --decode(key)--> msg

(1) Alice sends key to Bob
(2) Bob encodes msg using key
(3) Alice decodes msg using key

Problem

Eavesdropping attack:
- When Alice sends the key to Bob, Hacker eavesdrops, so Hacker knows the key
- When Bob sends the encoded msg to Alice, Hacker eavesdrops and decodes the msg

Solution...

Public Key Encryption

Bob:   msg --encode(AlicesPublicKey)--> msgEncodedUsingAlicesPublicKey
Alice: msgEncodedUsingAlicesPublicKey --decode(AlicesPrivateKey)--> msg

(1) Alice sends her public key to Bob
(2) Bob encodes msg using Alice's public key
(3) Alice decodes msg using her private key

Can't decode without Alice's private key -- see Computers Ltd. by David Harel

Problem

Authentication: How can Alice know that msg really is from Bob?

Previously: user authentication. How can an app authenticate a user? How does amazon.com know that I'm who I say I am? Solution: usernames and passwords

Now: process authentication. How can client & server processes authenticate themselves to each other? How do I know that I'm really communicating with amazon.com?

Solution...

Public Key Encryption with Auth

Bob:   msg --decode(BobsPrivateKey)--> msgDecodedUsingBobsPrivateKey --encode(AlicesPublicKey)--> msgDecodedUsingBobsPrivateKeyAndEncodedUsingAlicesPublicKey

Alice: msgDecodedUsingBobsPrivateKeyAndEncodedUsingAlicesPublicKey --decode(AlicesPrivateKey)--> msgDecodedUsingBobsPrivateKey --encode(BobsPublicKey)--> msg

(1) Alice sends her public key to Bob
(2) Bob sends his public key to Alice
(3) Bob decodes (with his private key) and encodes (with Alice's public key)
(4) Alice decodes (with her private key) and encodes (with Bob's public key)

Applying Bob's private key first is what a digital signature does: only Bob could have produced something that Bob's public key turns back into a sensible msg, so step (4) succeeding tells Alice the message is from Bob.

Problem

Man-in-the-middle attack:
- When Bob sends his public key to Alice, Hacker intercepts
- Hacker replaces Bob's public key with Hacker's public key
- Alice stores Hacker's public key, believing it is Bob's
- Later, Hacker sends Alice a message prepared with Hacker's private key; Alice checks it with the stored key and thinks the message is from Bob

Solution...

Certificates

Bob & Alice have their public keys certified by a certification authority (e.g. Verisign; costs money!!!): the authority signs a "certificate" binding each name to its public key.

Bob relies on the certification authority's signature to obtain Alice's public key (not on Alice's bare word); Alice obtains Bob's the same way. Whoever checks a certificate verifies the authority's signature with the authority's own public key, which browsers ship preinstalled.

Still not perfect, but harder for Hacker to "get between" Bob & Alice: Hacker can swap a key in transit but cannot produce the authority's signature over the swapped key.
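The flows of the preceding slides (public-key encryption, authentication by applying the sender's private key, the key-swap man-in-the-middle, and the certificate that defeats it) as an added Python example with textbook RSA on tiny fixed primes. This is not code from the deck; the primes, names and messages are assumptions for the demo, and nothing here is usable as real cryptography (no padding, 12-bit moduli, one byte at a time).

```python
import hashlib

# Textbook RSA on small fixed primes: a teaching toy for the message flows in
# the slides (no padding, byte-at-a-time, 12-bit moduli). Not real cryptography.


def keygen(p, q, e=17):
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)              # modular inverse (Python 3.8+)
    return (n, e), (n, d)            # (public key, private key)


def apply_key(key, values):
    n, exp = key
    return [pow(v, exp, n) for v in values]


def encrypt(pub, msg):               # encode(key) in the slides
    return apply_key(pub, list(msg))


def decrypt(priv, cts):              # decode(key) in the slides
    return bytes(apply_key(priv, cts))


def sign(priv, data):                # "decode" with the sender's private key
    return apply_key(priv, list(hashlib.sha256(data).digest()))


def verify(pub, data, sig):          # "encode" with the sender's public key and compare
    return apply_key(pub, sig) == list(hashlib.sha256(data).digest())


def cert_bytes(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()


def issue_cert(ca_priv, name, pub):  # the authority signs the (name, public key) binding
    return {"name": name, "pub": pub, "sig": sign(ca_priv, cert_bytes(name, pub))}


def check_cert(ca_pub, cert):        # relying party checks the authority's signature
    return verify(ca_pub, cert_bytes(cert["name"], cert["pub"]), cert["sig"])


# Constructed keys: the primes are assumptions for the demo, chosen so n > 255.
alice_pub, alice_priv = keygen(61, 53)
bob_pub, bob_priv = keygen(67, 71)
ca_pub, ca_priv = keygen(73, 79)
hacker_pub, hacker_priv = keygen(83, 89)


def send_signed(sender_priv, receiver_pub, text):
    """Sign with the sender's private key, then encrypt for the receiver."""
    body = text.encode()
    return encrypt(receiver_pub, body), sign(sender_priv, body)


def alice_reads(cts, sig, key_alice_has_for_bob):
    """Alice decrypts with her private key and verifies with the key she believes is Bob's."""
    body = decrypt(alice_priv, cts)
    return body.decode() if verify(key_alice_has_for_bob, body, sig) else None


def mitm_without_certs():
    """Hacker swapped Bob's key in transit, so Alice stored Hacker's key as Bob's."""
    cts, sig = send_signed(hacker_priv, alice_pub, "Please wire the money")
    return alice_reads(cts, sig, hacker_pub)      # accepted as Bob's: the attack succeeds


def mitm_with_certs():
    """Alice trusts only keys inside a certificate signed by the authority."""
    genuine = issue_cert(ca_priv, "Bob", bob_pub)
    forged = dict(genuine, pub=hacker_pub)        # key swapped, but Hacker cannot re-sign
    return check_cert(ca_pub, genuine), check_cert(ca_pub, forged)
```

mitm_without_certs() returns the hacker's text, accepted as if from Bob; mitm_with_certs() returns (True, False): the genuine certificate verifies and the forged one fails, because producing the authority's signature over the swapped key needs ca_priv, which Hacker does not have.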

Certificates

In practice:
- Certificates are often used by the client (browser) to authenticate the server (web server)
- Certificates are rarely used by the server (web server) to authenticate the client (browser): that would require the browser user to create a certificate and store it with a certification authority. Costs money!

TLS

TLS (Transport Layer Security)
- Based upon the earlier SSL (Secure Sockets Layer)
- Operates on top of TCP
- Provides public key authentication with certificates and encryption to HTTP (the public key operations authenticate the server and establish a shared secret key; the traffic itself is then encrypted with that secret key)

HTTPS

HTTPS (Hypertext Transfer Protocol Secure)
- HTTP + TLS
- Provides public key encryption & authentication with certificates to Web applications

Using HTTPS

Assumptions:
- Administrators have configured the Web server for HTTPS: generated a key pair, paid money to have the public key certified by a certification authority, etc.
- Using the Apache Web server

Using HTTPS

HTTPS is between the browser and the web server; your app need not be concerned

To tell the web server to use HTTPS for your app: create an .htaccess file in the app directory and add this line:

SSLRequireSSL

To tell the browser to use HTTPS: https://host:443/file (443 is the default port, so it may be omitted)

PennypackJavaSecure App

All files identical to PennypackJava3. Add the .htaccess file to the app directory. Try accessing as:
- https://www.cs.princeton.edu/~rdondero/cos333/PennypackJavaSecure/index.html (yes)
- https://www.cs.princeton.edu:443/~rdondero/cos333/PennypackJavaSecure/index.html (yes)
- https://www.cs.princeton.edu:80/~rdondero/cos333/PennypackJavaSecure/index.html (no)
- http://www.cs.princeton.edu/~rdondero/cos333/PennypackJavaSecure/index.html (no!!!)

Problem

Session hijacking:
- Some websites use HTTPS for the initial login, and not thereafter
- Hacker can eavesdrop on the transmission of session id cookies
- Hacker can "hijack" a user's session!!!

Solution:
- Websites should use HTTPS throughout … and tolerate slightly worse performance
- Mark session cookies Secure, so the browser never sends them over plain HTTP even if a page is reached by mistake

Firesheep

Firesheep makes the problem extremely visible, even to non-tech Web users
- Firefox browser plug-in
- For Windows and Mac; not yet Linux
- See demo at: http://www.youtube.com/watch?v=ZtZPR-TAEZw

Summary

We have covered:
- Authentication and authorization
- Secure storage of usernames and passwords
- Secure data transmission

In:
- Python CGI Web programming
- Java CGI Web programming
- PHP Web programming