web security and auth
play

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security - PowerPoint PPT Presentation

Jul 15, 2023 •36 likes •336 views

Web Security and Auth Shan-Hung Wu CS, NTHU Outline Security risks of web applications Injection, broken authentication , XSS, CSRF, etc. Checklist of 23 Node.js security best practices Auth: Authentication, authorization, and

  1. Web Security and Auth Shan-Hung Wu CS, NTHU

  2. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 2

  3. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 3

  4. Authentication vs. Authorization • Authentication : the process to verify you are who you said • Authorization : the process to decide if you have permission to access a resource 4

  5. Session Management • The process of securely handling multiple requests to a server from a single client (user) 5

  6. Were to Store Session States? • Server – Stateful sessions – Server processes requests based on the states • Client – Stateless sessions – Server processes requests based on their content 6

  7. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 7

  8. Which one should I choose? 8

  9. Evaluation Criteria • Complexity • Reliance on HTTPS • Reliance on CSRF protection • Replay and integrity protection • Session management • User cases & tips 9

  10. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 10

  11. How It Works • A client attaches clear text password to each request: // Request from client Authorization: Basic base64(username:password) • Seriously? 11

  12. Evaluation • Complexity: Dead simple; tons of libraries • Reliance on HTTPS: Yes • Reliance on CSRF protection: Yes • Replay and integrity protection: Relies on TLS • Session management: Poor – Logout is complicated • Tips: always use Basic Auth with HTTPS 12

  13. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 13

  14. HTTP Digest Auth • Goal: not to rely on HTTPS/TLS anymore • Idea: server challenges client – No password in every request • Not widely adopted due to complexity! 14

  15. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 15

  16. How It Works // Login response from server Set-Cookie: sessionId=...; Domain=.app.com; Secure; SameSite; HttpOnly // Subsequent requests from client Cookie: sessionId=... • Cookies are managed by browser – Sent to server in every subsequent request 16

  17. Stateful Sessions User ID 17

  18. Evaluation • Complexity: simple; tons of libraries • Reliance on HTTPS: Yes – Set the Secure flag • Reliance on CSRF protection: Yes – Set the SameSite flag • Replay and integrity protection: Relies on TLS • Session management: Good • Tips: Set the HttpOnly flag to prevent XSS attacks from stealing it 18

  19. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 19

  20. How It Works // Login response from server { token: e2ZahC5b // JWT token } // Subsequent request from client Authorization: Bearer e2ZahC5b // added by JS • A JWT token is self-descriping and immutable – Includes user ID, expiration date, etc. (uid, expdate, sha256(uid, expdate, secret)) 20

  21. Sateless Sessions User ID User ID 21

  22. Evaluation • Complexity: simple with aid from libraries • Reliance on HTTPS: Yes • Reliance on CSRF protection: No • Replay and integrity protection: Relies on TLS • Session management: Limited • Tips: – Use access and refresh tokens – Do not save tokens in local or session storage 22

  23. Tips SetCookie: access=...; Domain=.app.com; Secure; SameSite; HttpOnly SetCookie: refresh=...; Domain=auth.app.com; Secure; SameSite; HttpOnly app.com auth. app .com • Secure à No token stealing • HttpOnly à No XSS • SameSite à No CSRF 23

  24. Statefull or Sateless? • Stateless: more scalable, but simpler lifecycle – Good for single-page sites, APIs, or mobile apps 24

  25. More Authentication Schemes • For server-to-server communications – Based on symmetric/asymmetric key cryptography • Signature Schemes – Idea: to digitally sign every request to prevent request tempering – Used by AWS • TLS Client Certificates – Idea: to use TLS certificate to authenticate each other 25

  26. Outline • Security risks of web applications – Injection, broken authentication , XSS, CSRF, etc. – Checklist of 23 Node.js security best practices • Auth: Authentication, authorization, and session management – HTTP Basic auth – HTTP Digest auth – Cookies for stateful sessions – Bearer tokens for stateless sessions • Single Sign On (SSO) 26

  27. Signgle Sign-On (SSO) 27

  28. Open ID Connect (OIDC) vs. OAuth • Authentication • Authorization 28

  29. OIDC Flow Client app.com fb.com Login 302 Credentials (name, password) 302 w/ ID token Login w/ ID token Verification Session 29

  30. Client app.com fb.com auth.fb.com api.fb.com Login OAuth 2 Flow 302 Credentials (name, password) 302 w/ ID token, grant code Login w/ ID token Verification Session Grant code Access token Session w/ access token 30

Recommend

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and

CSS441 Introduction Functions Auth. with Encryption Message Authentication Codes Auth. with MAC Security Algorithms CSS441: Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by

673 views • 21 slides
O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it

O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it

H! H! O H! H! Auth th Implementation pitfalls & the auth providers who have fell in it @samitanwer1 samit.anwer@gmail.com C: C:\>whoami Samit Anwer Product Security Team @Citrix Web/Mobile App Security Enthusiast

724 views • 58 slides
MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh

MOEBIUS Mobility Management Application Niavi Stefania AUTh IT Center Liolios Nikos AUTh Department of European Educational Programmes 1 Moebius - AUTh, Greece Main challenges of mobility management 1. Large volume of bilateral agreements

483 views • 30 slides
W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF

W3C Web of Things Plugfest Security Review Michael McCool W3C WoT WG Security and Privacy TF Bundang, July 2018 Outline Who tried what Intel, Panasonic, Smart Things, Siemens, EURECOM, others? HTTPS (direct and via proxy), Auth

109 views • 10 slides
Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange

Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange

Infiltrating Corporate Intranet Like NSA Pre-auth RCE on Leading SSL VPNs Orange Tsai (@orange_8361) Meh Chang (@mehqq_) Orange Tsai Principal security researcher at DEVCORE Captain of HITCON CTF team 0day researcher, focusing on

1.98k views • 121 slides
Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2

Turning AUTh into e-University Pinelopi Giovanitsa, Academic Support IT Center introduction 2 learning management systems in AUTh centra eClass blackboard moodle 3 timeline of transition September 2014 March 2014 eLearning on

526 views • 16 slides
General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

General LTL Specification Mining Caroline Lemieux , Dennis Park and Ivan Beschastnikh University

login attempt auth failed login attempt guest login login attempt authorized Texada auth failed login attempt G( x XF y ) login attempt G( guest login XF authorized ) guest login authorized auth failed login attempt Authorized

1.11k views • 59 slides
Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI

Let us l s lea ead d you ou t to a an AUTH THENT NTIC TE TEXAS RA RANC NCH E EXPERI RIENC NCE!!! JUST ST 2 25 MINU INUTES f fro rom DO DOWNTOWN SA SAN ANTONI NIO Guests Choose fro rom one of our r thre ree Uniq ique

187 views • 16 slides
Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni

HMC2016 4th Historic Mortars Conference Scientific Program HMC2016 4th Historic Mortars Conference Organizing Committee Papayianni Ioanna Professor AUTH Stefanidou Maria Associate Professor AUTH Palyvou Clairy Emeritus Professor AUTH Pachta

95 views • 5 slides
Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co

Afzaal zaal Mau auth thoor oor Mad Scientist. Travel Entrepreneur. Philanthropist Co Co-found under er - Inspi pired ed Esca capes pes Founder der - The e Philanth lanthropy y Club b London on In every rything thing I do I

326 views • 16 slides
Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications

Environmental Informatics ICT for the Environment Kostas Karatzas Informatics Applications and Systems Group Dept. of Mechanical E ngineering Aristotle University of Thessaloniki kkara@ eng.auth.gr , http:/ / isag.meng.auth.gr

1.56k views • 107 slides
Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.)

chiPSet Training School, September 2017, Novi Sad, Serbia Big Data Analytics with Apache Apostolos N. Papadopoulos (Associate Prof.) (papadopo@csd.auth.gr, http://datalab.csd.auth.gr/~apostol) Data Science & Engineering Lab Department of

934 views • 81 slides
Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems

Introduction to the urban environment Kostas Karatzas Informatics A pplications and Systems Group Dept. of Mechanical E ngineering A ristotle University of Thessalonik i k k ara@ eng.auth.gr , http:/ / isag.meng.auth.gr Contents Part A:

983 views • 76 slides
An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth

An Information-Theoretic Approach to Detecting Changes in Multi-Dimensional Data Streams Auth thors: Presentatio ion: Dasu, T., Krishnan, S., Vincent Chu Venkatasubramanian, S., 22 November 2017 & Yi, K. (2006). Content Introduction

512 views • 48 slides
An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data

An Introduction to Apostolos N. Papadopoulos (papadopo@csd.auth.gr) Assistant Professor Data Engineering Lab Department of Informatics Aristotle University of Thessaloniki Thessaloniki Greece 1 Outline What is Spark? Basic features

951 views • 64 slides
CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris

CMC's & The FCA Jeremy Smith Director B-Compliant Ltd Do I I need to be auth thoris ised? CMR Regulated Seeking out persons who may have a claim Referring details of a claim or potential claim or potential claimant to another

96 views • 7 slides
Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor

Collaborative restoration Workshop april, 2016 Usi Using Stew tewar ardsh ship Au Auth thor ority y to Advan to Advance ce Restor Restorati tion on Rebecca B cca Barn rnar ard National Forestry Programs Manager

669 views • 21 slides
Faecal Sludge Treatment and Utilization by Hydrothermal Carbonization Process Auth thor ors s

Faecal Sludge Treatment and Utilization by Hydrothermal Carbonization Process Auth thor ors s

Faecal Sludge Treatment and Utilization by Hydrothermal Carbonization Process Auth thor ors s : Krail ilak Fakkaew Thammara mmarat Koo oott ttatep Ch Chon ongrak rak Pol olpras asert 1 IN INTR TRODUCT ODUCTION ION 2 INTR IN

614 views • 18 slides
45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A.

45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A.

45nm High-k + Metal Gate Strain-Enhanced Transistors C. Auth, A. Cappellani, J.-S. Chun, A. Dalis, A. Davis, T. Ghani, G. Glass, T. Glassman, M. Harper, M. Hattendorf, P. Hentges, S. Jaloviar, S. Joshi, J. Klaus, K. Kuhn, D. Lavric, M. Lu, H.

1.17k views • 42 slides
HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA

HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA

HOW TO AUTH: SECURE A GRAPHQL API WITH CONFIDENCE MANDI WISE | GRAPHQL SUMMIT 2020 AGENDA Authentication Authorization Federation GRAPHQL SUMMIT 2020 AUTH AUTHENTICATION AUTHORIZATION YOU ARE WHO YOU SAY YOU ARE YOU CAN DO WHAT YOU WANT

347 views • 23 slides
Au Auth thor orin ing g KNAR NARTs Andrew M. Simms, PhD Clinical Informatics Scientist

Au Auth thor orin ing g KNAR NARTs Andrew M. Simms, PhD Clinical Informatics Scientist

Au Auth thor orin ing g KNAR NARTs Andrew M. Simms, PhD Clinical Informatics Scientist Cognitive Medical Systems Background KN owledge ART ifact A computable representation of clinical knowledge Documentation Templates

498 views • 8 slides
Kern ern Grou roundwater Auth thor orit ity GSP Framework W k Worksh shop Apri ril 4 4,

Kern ern Grou roundwater Auth thor orit ity GSP Framework W k Worksh shop Apri ril 4 4,

Kern ern Grou roundwater Auth thor orit ity GSP Framework W k Worksh shop Apri ril 4 4, , 2017 Groundwater Sustainability Plan Outlines Overview Analysis Approach GSP Sections Overview Umbrella/Chapter GSP Outline

895 views • 32 slides
Th The P Pas assenger Ferry y Gr Gran ant P Program am Sta tatu tuto tory ry Au Auth

Th The P Pas assenger Ferry y Gr Gran ant P Program am Sta tatu tuto tory ry Au Auth

Th The P Pas assenger Ferry y Gr Gran ant P Program am Sta tatu tuto tory ry Au Auth thori rity ty Section 5307(h) Passenger Ferry Grant Program Authorizes FTA to award on a competitive basis for passenger ferry projects that

585 views • 10 slides
Philippine S e Stati tatisti tics Auth uthor ority ty Provin incia ial St Statis istic

Philippine S e Stati tatisti tics Auth uthor ority ty Provin incia ial St Statis istic

Philippine S e Stati tatisti tics Auth uthor ority ty Provin incia ial St Statis istic ics Of Offic ice On On-goi oing S Stati tatisti tical al A Acti tiviti ties Ev Evelyn O O. Apell llid ido S upervis isin ing S

324 views • 17 slides

More recommend