Web Application Security - SEIDENBERG SCHOOL …csis.pace.edu/~lchen/pcap13/WebApplicationSecurity_PCAP.pdfWeb Application Architecture Internet TCP/IP DBMS Web Browser/App HTTP HTTP

Web Application Security

Li-Chiou Chen

Seidenberg School of Computer Science and

Information Systems

Pace University

March 1st, 2013

What device do you use to surf the web?

© Li-Chiou Chen, Pace University 2

What software do you use to surf the web


What are things you do on the web?


Which network protocol do you use to surf

the web?


HTTP (Hypertext Transfer Protocol)

© Li-Chiou Chen, CSIS, Pace 6

Browser Server

Client: Hello! Please

send me the file

specified in URL

Server: OK. Here

is your file

IE,

Firefox,

or others www.example.com

HTTP is an application layer protocol for browsers and servers to

communicate with each other

HTML (Hypertext Makeup Language)


HTML is the language used to display web contents; it is carried as the

data in the HTTP communications

A browser interprets HTML and displays the contents specified by HTML


Web Application Architecture

Internet

TCP/IP DBMS

Web Browser/App

HTTP

HTTP

HTTP

Web Browser/App

ASP/Servlet/

JSP

Application

Server

Web Server

Sources: Dr. Lixin Tao/Web security lectures

Common Threats to Web Applications

Malware or Spyware

Phishing

Weak Authentication

SQL injection, cross site scripting, cross site

request forgery, etc

9 © Li-Chiou Chen, Pace University

How to determine if a web site is

legitimate?


How to determine if a web site is legitimate

Make sure that the web address is correct

Google it or type it yourself

Do not click on links in emails

Use browser security features

Firefox has more default security settings than IE

Use HTTPS encryption for sensitive information

Verify the site using the security padlock

Pay attention to browser warnings






Uniform Resource Locator (URL) An address for uniquely identifying a web

resource, such as a web page or a Java object, on

the Internet

An example

http://www.pace.edu/pace/

http is the application layer protocol for

communications

www.pace.edu is the web server domain name

pace is the directory name

This URL points to a default.html under pace directory


http://www.pace.edu/pace/

http://www.pace.edu/

Which one of the following is a fake URL

http://www.citicards.com.chilli.net

http://129.20.1.2/www.citicards.com/

http://paybill.center.net/citicards/


http://www.citicards.com.chilli.net/

http://129.20.1.2/www.citicards.com/

http://paybill.center.net/citicards/

Use Browser Security Settings


Activity I: Examine Browser Security Settings

Open Firefox

Tools / Options / Security

For Blacklist

Tools /Options / Privacy

For Cookie control



17

“https” refers to the content is encrypted

www.citicards.citi.com is the domain name (or site name)

© Li-Chiou Chen, Pace University

http://www.citicards.citi.com/


18

the security Padlock, click it to

see the web certificate


You need to double click the padlock to verify it

19

This verifies that www.citicards.citi.c

om is owned by

Citigroup Inc.

VeriSign, Inc.

verifies this

information

This

indicates that

the content is

encrypted


The content of the web certificate


Activity II: Examine Web Certificate

Go to a site that uses encryption such as

www.google.com

Click on the security padlock (the lock proceed

https)

Click on More Information to see the web

certificate

Click on View Certificate to see the certificate

Click on View Cookie to see the cookies used by

the site


http://www.google.com/



I Understand the Risks? Add Exception?


Confirm Security Exception? View Certificate?


Is this really Google’s Certificate ?


Come on! I just want to go on with my life

Confirm Security Exception!


Your secure web transactions are not secure now !


Man in the Middle


Fake

Google

Certificate

Intercept

Google

Certificate

Real vs Fake Certificate


Activity III: Intercept/View Web Transactions

We will use a web proxy software, Burp Suite, to

cache and view your web transactions

Download the software from

http://www.portswigger.net/burp/downloadfree.html

Save it on your computer desktop (it is a Java

program)

Double click on the program to run it.


http://www.portswigger.net/burp/downloadfree.html

Setting up Proxy

Click on Proxy / Options

Uncheck

intercept requests based on the following rules.

Click on History tab to wait for web traffic


Setup Browser Proxy Configuration

Open Firefox

Tools/ Options / Advanced / Network /Settings

Check

Manual Proxy Configuration

HTTP Proxy: 127.0.0.1 Port:8080

Check

Use this proxy server for all protocols


Intercept and view web transactions

In Firefox, browse www.pace.edu

On your proxy history tab, you should be able to

see the transactions that are cached

Click on one of them to see the contents


http://www.pace.edu/

Try a HTTPS site

Browse www.google.com

What happened?


http://www.google.com/

Clean Up

Click exit to close Burp Suite when you are done.

Open Firefox

Tools/ Options / Advanced / Network /Settings

Check

No Proxy

Click OK


How to determine if a web site is legitimate




Use browser security features

Firefox has more default security settings than IE





Activity IV: Watch Phishing Video

DoD DISA video on Phishing

http://iase.disa.mil/eta/phishing/Phishing/launchP

age.htm


http://iase.disa.mil/eta/phishing/Phishing/launchPage.htm




Questions / Comments


Documents

Web Application Security - SEIDENBERG SCHOOL …csis.pace.edu/~lchen/pcap13/WebApplicationSecurity_PCAP.pdfWeb Application Architecture Internet TCP/IP DBMS Web Browser/App HTTP HTTP