이원자 탄소 2022. 3. 3. 16:30

Cyber security

  • Application security
    • Assets at the software level
    • Database, document
  • Network security
    • Infrastructure at the network level
    • Connection, hardware

Important terms

  • Validation
    • To check that something is valid or exists
  • Verification
    • To check that something is real
  • Authentication
    • To verify, using credentials, that a user is the person they claim to be
  • Authorization
    • To determine the permissions on what a user can access.


Top 10 of OWASP (Open Web Application Security Project)

  • Top 10 Web Application Security Risks (2021)
  • See more: https://owasp.org/Top10/

1. Broken access control
2. Cryptographic failures
3. Injection
4. Insecure design
5. Security misconfiguration
6. Vulnerable and outdated components
7. Identification and authentication failures
8. Software and data integrity failures
9. Security logging and monitoring failures
10. Server-side request forgery


Common Access Control Vulnerabilities

  • Access granted to more capabilities, roles, or users than necessary
  • Bypassing access control checks by modifying the URL
  • Permitting access to someone else's account by changing its unique identifier
  • Metadata manipulation, such as tampering with cookies or security tokens
  • CORS misconfiguration allowing access from unauthorized origins


Bad implementation

  • Carelessness or ignorance of threats, for example:
    • Including sensitive data in the URL
    • Passwords not encrypted in storage or in transit
    • Storing credentials in public code repositories
    • Permitting brute-force attacks
    • Running the application in development debug mode in production
    • Session timeout not handled
    • Missing access control on functions
    • Using components with known vulnerabilities
  • Using established security frameworks instead might help avoid such misconfiguration!
    • Test the application thoroughly and rigorously


Mitigation of attacks (how to mitigate)

  • Plan carefully for authentication and authorization
  • Combine multiple layers of security measures
  • Sanitize all untrusted data
    • All user input should be considered untrusted (do not trust any user!), and should go through:
      • Validation: is the string in the expected format?
      • Escaping: special characters (<, >) can inject HTML code; change them to &lt; or &gt;
      • Sanitization: if needed, only allow certain markup from a whitelist.
  • Enforce same-site requirements
    • Allow cross-site access only if needed, and with the minimum possible permissions
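As an added example (not part of the original notes), the three input-handling steps above in Python: a validation check against an expected username format, HTML escaping of the characters the notes mention, and a whitelist-based sanitizer that keeps only attribute-free formatting tags. The username format, the tag allowlist and the sample inputs are assumptions chosen for this example.

```python
import re

# Validation: the format we expect for a username (assumption chosen for this example).
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{3,16}")

# Sanitization: attribute-free tags allowed to survive (assumption chosen for this example).
ALLOWED_TAGS = {"b", "i", "em", "strong"}

# Tokenizer: a plain tag "<name>" / "</name>", a run of non-'<' text, or a lone '<'.
TOKEN_RE = re.compile(r"</?([A-Za-z][A-Za-z0-9]*)\s*/?>|[^<]+|<")


def validate_username(value: str) -> bool:
    """Validation: accept only input that matches the expected format outright."""
    return USERNAME_RE.fullmatch(value) is not None


def escape_html(value: str) -> str:
    """Escaping: turn characters with HTML meaning into entities so browsers show them as text.
    '&' is replaced first; otherwise the '&' inside a freshly produced '&lt;' would be escaped again."""
    return (
        value.replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#x27;")
    )


def sanitize_html(value: str) -> str:
    """Sanitization: keep only attribute-free tags from the allowlist; escape everything else.
    A tag carrying attributes (e.g. an onclick handler) never matches the tag pattern, so its
    '<' is escaped and the remainder is treated as plain text."""
    out = []
    for match in TOKEN_RE.finditer(value):
        token, name = match.group(0), match.group(1)
        if name is not None and name.lower() in ALLOWED_TAGS:
            out.append(token)
        else:
            out.append(escape_html(token))
    return "".join(out)


if __name__ == "__main__":
    # Constructed sample inputs: one benign, three carrying script or handler injection attempts.
    print(validate_username("alice_01"), validate_username("alice<script>"))
    print(escape_html('<script>alert("x")</script>'))
    print(sanitize_html("<b>hi</b><script>alert(1)</script>"))
    print(sanitize_html("<b onclick=x>hi</b>"))
```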


HTTPS (web security)

  • By design, HTTP transfers everything in plain text
  • HTTP Secure is an extension of HTTP that adds:
    • Authentication: the server's identity is verified through its certificate
    • Encryption: data in transit is protected from eavesdropping and tampering
  • Transport Layer Security (TLS)
    • Private connection using symmetric cryptography
      • The same key is used to encrypt the plaintext and decrypt the ciphertext
      • A unique session key is generated at the beginning of each connection during the handshake

Certificates

  • To verify identity; signed by a certificate authority (CA)
  • Server certificates
    • Domain Verification: only proves that the domain is owned by a certain person (you can look this up on who.is)
    • Organization Verification: company name and public address
    • Extended Verification: existence and location of a legal entity
  • Browsers and OSes maintain a trusted list of CAs
    • If a cert is issued by one of these CAs, the cert is trusted

DDoS

  • Distributed denial-of-service attack
    • Exhausting the resources of the target, e.g. consuming all the available bandwidth or computation power
    • Distributed: not a single source of attack; usually carried out using botnets
  • Layer 7 DDoS
    • Flooding with application-layer requests (e.g. HTTP)
    • Paralyzes a specific web application by attacking it alone rather than the whole network

Cloud solutions for DDoS

  • Distributed and intelligent systems to mitigate attacks (e.g. "are you human?" challenges)
