UHCL CSCI 5931 - Servlet Security

Servlet Security
CSCI 5931.01 Research Topics in Computer Science -- Web Security
Instructor: Dr. Yang
Students: Shiyou Li, Gang Zheng
3/26/2003

Slide outline:
- Server-side Security Issues
- Server-side Security Issues (cont.)
- Session State Maintenance
- Cookies
- URL Rewriting
- Hidden Form Fields
- Interception of Session State Information
- Interception of Session State Information (cont.)
- Forgery of Session State Information
- Session Timeout
- Buffer Overflow
- Data Validation
- Page Sequencing
- Browser Residue
- User Authentication
- Logging of Sensitive Information
- Servlet Authentication
- HTTP Basic Authentication
- HTTP Digest Authentication
- Form Based Authentication
- HTTPS Client Authentication (SSL)
- Access Control
- Declarative Security
- Programmatic Security
- Data Integrity
- Confidentiality
- References
- Thank You

Slide 2: Table of Contents
- Server-side security issues
- Java Servlet security
  - User authentication
  - Access control
  - Data integrity
  - Confidentiality

Slide 3: Server-side Security Issues
- Interception of session state information
- Forgery of session state information
- Session timeout
- Buffer overflow
- Data validation

Slide 4: Server-side Security Issues (cont.)
- Page sequencing
- Information reporting
- Browser residue
- User authentication
- Logging of sensitive information

Slide 5: Session State Maintenance
- HTTP is a stateless protocol: every browser request and server response is independent of the others.
- Mechanisms for session maintenance:
  - Cookies
  - URL rewriting
  - Hidden form fields

Slide 6: Cookies
- Enable information to be stored in the user's browser.
- Consist of information sent by server-side scripts as name-value pairs, as the result of processing a particular URL request.
- Whenever a cookie-enabled browser requests a URL from a web server, it first checks its cookies. If there are cookies associated with that URL, it sends the cookie information to the server as part of the URL request. This may include session ID information.

Slide 7: URL Rewriting
- Rewrite the URLs of the links on a web page to carry extra information, in the form of a query string or extra path information.
- Example: a user named John Doe logs in with session ID 1234 and enters page1.cgi; page1.cgi contains a link to page2.cgi. When the user clicks the link to page2.cgi, the URL is:
  http://sample.com/page2.cgi?fname=John&lname=Doe&sessionid=1234

Slide 8: Hidden Form Fields
  <input type="HIDDEN" name="id" value="1234">
- Typically contained in forms placed in a common frame of a frameset.
- Accessed using client-side JavaScript.
- When JavaScript executes in one page of an application, it stores values (such as the session ID) in hidden form fields.

Slide 9: Interception of Session State Information
- Cookie vulnerabilities:
  - Sent back and forth with every request and response.
  - Can be read from the cookie file.
  - A significant vulnerability in an Internet cafe environment.
- URL rewriting vulnerabilities:
  - The requested and rewritten URLs are passed back and forth.
  - If intercepted, they can be used to take over a user's session.

Slide 10: Interception of Session State Information (cont.)
- Hidden form field vulnerability:
  - Sent between browser and server.
  - Since they are used with client-side scripts, there is less communication than with cookies or URL rewriting.
- Countermeasure: SSL encryption between client and server.

Slide 11: Forgery of Session State Information
- In some cases an attacker may be able to take over a user's session without intercepting the communication between browser and server.
- Example: a user logs into the server with session ID 123456; a forged cookie or rewritten URL uses session ID 123455.
- Countermeasures:
  - Use a large random number as the session ID.
  - Encrypt session information on the server.

Slide 12: Session Timeout
- Two mechanisms to terminate a session:
  - Explicitly clicking a link (e.g. logout).
  - Setting a timeout for the session.
- Implementation: track the last time the user made a request to the server.
- Setting the duration of a session timeout involves a tough trade-off. Typically 10-45 minutes, with 20 minutes being a common value.

Slide 13: Buffer Overflow
- Occurs when the amount of input data is larger than the input buffer.
- When a buffer overflows, the overflow data may overwrite program data, or even instructions or stack information.
- Can lead to takeover of the web server by an attacker.
- Countermeasure: validate the data received from the browser.

Slide 14: Data Validation
- Input a script tag (<>) and a script in an input field to execute the script on the server.
- Rewrite URLs or modify hidden form fields to contain unexpected values (remember /../..?).
- Enter numeric values that result in numeric overflow.
- Cause a null-value operation on the server.
- Countermeasure: careful server-side validation.

Slide 15: Page Sequencing
- Erroneous assumption: the user will proceed through the pages of the application in the designed sequence.
- Example: the first page of a web application is the user login, but will the user really enter the first page? What happens to the application if the user skips the first page and types in the URL of the next page directly?
- Countermeasure: code logic to verify that the user really went through the login page.

Slide 16: Browser Residue
- Information related to the user's interaction with a web application is stored in the browser's cache:
  - URLs visited recently
  - The web application's cookies
  - Other private user data
- What if someone else also has access to the same computer?
- Possible countermeasure: clear the Internet temporary files, history files and cookies periodically.

Slide 17: User Authentication
- One of the weakest yet most widely used forms of authentication is the reusable password:
  - Susceptible to interception
  - Susceptible to guessing
- Countermeasure: account lock-out when a user fails to log in after a specified number of attempts.
- Problem: susceptible to denial-of-service attack.

Slide 18: Logging of Sensitive Information
- Web servers typically provide the capability to log all URLs requested by browsers.
- Log data is sensitive because sensitive user information can be encoded in URLs.
- Online access to log data should be prohibited.
- Log data should

