CSC309: Web Programming
Greg Wilson

This may be the most important lecture in the course
- Assuming you care about your data, your bank account, your reputation...
- ...and those of others
- Security is a collective responsibility
  - A system is only as strong as its weakest component
  - If you are creating CGI scripts, or sending data over the web, you are putting others at risk as well as yourself!
- Impossible to cover anything more than the basics in this lecture
  - Please read Schneier's Secrets and Lies and Beyond Fear
  - And treat everything you see in the papers with deep suspicion
  - Example: 30,000 Internet police in China?
    - No: 30,000 copies of a program called "Internet Police" installed in China
    - But identity theft is a multi-billion dollar business

Security systems try to achieve many (often contradictory) goals
- Let everyone who should be able to do something do it easily...
- ...while blocking people who shouldn't be able to...
- ...and gathering information about their attempts
- All three parts are important

Most people are trustworthy most of the time
- Preventing legitimate users from doing things annoys them
- If people are sufficiently annoyed, they'll turn security off, or find ways around it
- Example: best way to ensure villains can't access data is to erase it...
- ...which encourages people to write it down on scraps of paper
Have to design the system for the villainous minority
- Any system that relies on trust will eventually be abused
  - Be honest: do you always put a quarter in the jar when you get a cup of coffee in the staff room?
- Keeping track of how villains are trying to break in is (almost) as important as preventing them
  - A good way to find holes in your system
  - Build an audit trail in order to take legal action

Most successful attacks use social engineering, not technology
- Call up your bank, and see if you can get your credit card balance without your PIN
  - Helps if you sound like a grandmother who is close to tears because her poodle has just been hit by a car

Second most successful way to attack a system is to get a job with the company running it
- Burn an extra copy of credit card data while backing up the server
- Take notes of all the "fix later" points from the web site security audit
- Many companies choose not to press charges, rather than deal with bad publicity after a security failure

Exploiting carelessness is the third
- Many people don't bother to change the default password on their wireless router
- Many more choose easily-guessed passwords
  - "Easy" if you have the right tools, that is
  - But once one villain builds a tool, they can all use it

In fact, technology often makes systems less secure
- Example: facial recognition software that works correctly 99% of the time
  - So one innocent traveller in a hundred is mistakenly flagged as a potential terrorist
  - 300,000 passengers a day in a busy airport means 3,000 false alarms a day
  - That's one false alarm every 30 seconds, around the clock
  - How much attention do you think the guards will pay to the system after a week on the job?

Security systems are responsible for:
- Authentication: who are you?
- Authorization: who is allowed to do what?
- Access control: how are the rules enforced?
- Every exploit attacks one or more of these
  - Convince the system you are someone else
  - Convince it that you're allowed to do something you're not
  - Circumvent its enforcement of the rules

When analyzing security, look for ways to compromise the three A's
- Use defense in depth
  - If your first security mechanism fails, is there another one behind it just in case?
- First step is always risk assessment
  - What is most important to you?
- Always remember: the real purpose of a bicycle lock is to convince thieves to steal something else

Anyone who knows a URL can send it data
- Therefore there is no guarantee that the HTTP request you receive was generated from your form
  - Input provided for a selection list may not be one of the values you offered
  - Input for a text field may be longer than the maximum you specified
  - QUERY_STRING parameters may be missing or fabricated
  - Data may not even be formatted legally...

Validate input before using it
- Check that all the parameters you expect, and only those, are present
- Check that values meet constraints
  - Has someone changed price=399.99 to price=3.99?
- Make sure special characters have been escaped
  - But watch out for double-escaping
- Don't re-invent the wheel: every language has libraries for this
- If you can't validate it, reject it

Always check filenames supplied by the user
- Special case of the preceding rule, but important
- Example: controlling access to documents
  - All your documents live below /web/docs
  - Check URLs with url[:9] == '/web/docs' to prevent people from accessing /home/prof/grades.xsl
  - Then get /web/docs/../../home/prof/grades.xsl
  - Analysis?
  - Solution: normalize paths before using them

Example: temporary files
- CGI creates temporary file /tmp/1728397.cgidata (where 1728397 is a pseudo-random number)
- A villain with an account on the system writes a script that repeatedly looks for /tmp/*.cgidata
  - Copies contents, or overwrites
- Analysis?
- Solution?

Suppose you want to build a search engine
- Can't be bothered writing it yourself, so use
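Added example for the "Validate input before using it" slide (Python; this is not code from the lecture). The catalogue, the field limits, the parameter names and the sample query strings below are all constructed for illustration. It applies each rule on the slide to a raw QUERY_STRING: only the expected parameters, each once; selection-list values checked against what the form actually offered; numbers parsed only after they are shown to be well-formed; lengths enforced server-side; the price recomputed from server-side data so the price=3.99 trick never reaches the code that uses it; and special characters escaped exactly once.

```python
import html
import re
from urllib.parse import parse_qs

# Assumed server-side data. Prices live here, in cents, so the form never carries one.
CATALOGUE = {"laptop": 39999, "mouse": 1999}
SHIPPING_OPTIONS = {"ground", "air"}
EXPECTED_FIELDS = {"item", "qty", "ship", "name"}
MAX_NAME_LEN = 40


def validate_order(query_string):
    """Apply the slide's rules to a raw QUERY_STRING.

    Returns (True, cleaned_order) or (False, reason). Any failure rejects the
    whole request: if you can't validate it, reject it."""
    params = parse_qs(query_string, keep_blank_values=True)

    # All the parameters we expect, and only those, must be present.
    # A smuggled price=3.99 fails here, before anyone looks at its value.
    if set(params) != EXPECTED_FIELDS:
        return False, "unexpected or missing parameters"
    # Each exactly once: item=laptop&item=mouse is not a choice we offered.
    if any(len(values) != 1 for values in params.values()):
        return False, "repeated parameter"

    item, qty, ship, name = (params[k][0] for k in ("item", "qty", "ship", "name"))

    # Selection lists: the value must be one we actually put in the form.
    if item not in CATALOGUE:
        return False, "unknown item"
    if ship not in SHIPPING_OPTIONS:
        return False, "unknown shipping option"
    # Numeric field: well-formed (ASCII digits only) before int() sees it, then in range.
    if not re.fullmatch(r"[0-9]{1,2}", qty) or not 1 <= int(qty) <= 99:
        return False, "quantity out of range"
    # Text field: the maxlength attribute on the form is advice to browsers, not enforcement.
    if not name or len(name) > MAX_NAME_LEN:
        return False, "name missing or too long"

    # The total is recomputed from the server-side price, never taken from the client.
    total_cents = CATALOGUE[item] * int(qty)
    # Escape special characters exactly once, here. A template that prints
    # cleaned["name"] must not escape it again, or "<" comes out as "&amp;lt;".
    return True, {"item": item, "qty": int(qty), "ship": ship,
                  "name": html.escape(name), "total_cents": total_cents}


# Constructed sample requests: one from our form, three that never came from it.
GOOD_QUERY = "item=laptop&qty=2&ship=air&name=Ada+Lovelace"
TAMPERED_PRICE_QUERY = GOOD_QUERY + "&price=3.99"
UNLISTED_ITEM_QUERY = "item=server&qty=1&ship=ground&name=Ada"
LONG_NAME_QUERY = "item=mouse&qty=1&ship=ground&name=" + "A" * (MAX_NAME_LEN + 1)

if __name__ == "__main__":
    for q in (GOOD_QUERY, TAMPERED_PRICE_QUERY, UNLISTED_ITEM_QUERY, LONG_NAME_QUERY):
        print(q, "->", validate_order(q))
```

The order of the checks matters: structural checks (which parameters, how many of each) run before any value is interpreted, so a fabricated parameter is rejected without ever being parsed, and the numeric regex runs before int() so a value like "2x" or a non-ASCII digit never reaches the conversion.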
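Added example for the two filename slides (Python; not code from the lecture). The document root /web/docs, the url[:9] check and the two requested paths are the slide's; the function names, the private-tempfile approach offered as one answer to the "Solution?" on the temporary-file slide, and the 022 umask used for the weak case are assumptions. It keeps the slide's prefix check as the "before", shows that it also lets through a sibling directory such as /web/docsecret (a second hole the slide does not mention), and puts the normalized check beside it; the temp-file half creates the scratch file with mode 0600 and O_EXCL so the villain's /tmp/*.cgidata script can neither read it nor plant a file under the name first. POSIX paths and permissions are assumed throughout.

```python
import os
import stat
import tempfile

DOC_ROOT = "/web/docs"   # from the slide


def naive_is_allowed(url):
    """The check from the slide: a bare string prefix test (the 'before')."""
    return url[:9] == "/web/docs"


def safe_document_path(url, root=DOC_ROOT):
    """Normalize first, then decide. Returns the cleaned path, or None to reject.

    os.path.normpath folds '.' and '..' lexically and never touches the disk, so
    a symlink inside the document tree still needs os.path.realpath on the
    existing file before it is opened."""
    if not url.startswith("/"):
        return None                      # relative requests are not documents
    candidate = os.path.normpath(url)
    # commonpath compares whole path components, so '/web/docsecret' is not
    # under '/web/docs' even though the string starts with it.
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def create_private_tempfile(suffix=".cgidata", dir=None):
    """Create the CGI scratch file so the slide's villain gets nothing.

    mkstemp opens with O_CREAT|O_EXCL and mode 0600 regardless of umask, with a
    random name, so the file can neither be pre-planted nor read by another
    account. The caller owns the returned descriptor and must close it."""
    return tempfile.mkstemp(suffix=suffix, dir=dir)


def weak_tempfile(path):
    """The pattern the slide describes: a predictable name opened with ordinary
    create flags. With the usual 022 umask (set here so the result is
    deterministic) the file ends up 0644, readable by every account on the box."""
    old = os.umask(0o022)
    try:
        return os.open(path, os.O_WRONLY | os.O_CREAT, 0o666)
    finally:
        os.umask(old)


def file_mode(path):
    """Permission bits of path as an integer, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def compare_tempfiles():
    """Create one file each way in a throwaway directory and return both modes."""
    with tempfile.TemporaryDirectory() as d:
        fd, private = create_private_tempfile(dir=d)
        os.close(fd)
        weak = os.path.join(d, "1728397.cgidata")   # the slide's predictable name
        os.close(weak_tempfile(weak))
        return file_mode(private), file_mode(weak)


if __name__ == "__main__":
    for url in ("/web/docs/syllabus.html",
                "/web/docs/../../home/prof/grades.xsl",
                "/web/docsecret/keys"):
        print(url, "naive:", naive_is_allowed(url), "safe:", safe_document_path(url))
    print("private mode %o, weak mode %o" % compare_tempfiles())
```

Even with mode 0600 the name is still visible to anyone listing /tmp; if that matters, create the file inside a directory from tempfile.mkdtemp (mode 0700), which hides the names as well as the contents.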