Slide titles (deck outline):
- Server-side Security Issues
- Server-side Security Issues (cont')
- Session State Maintenance
- Cookies
- URL Rewriting
- Hidden Form Fields
- Intercept of Session State Information
- Intercept of Session State Information (cont')
- Forgery of Session State Information
- Session Timeout
- Buffer Overflow
- Data Validation
- Page Sequencing
- Browser Residue
- User Authentication
- Logging of Sensitive Information
- Servlet Authentication
- HTTP Basic Authentication
- HTTP Digest Authentication
- Form Based Authentication
- HTTPS Client Authentication (SSL)
- Access Control
- Declarative Security
- Programmatic Security
- Data Integrity
- Confidentiality
- References
- Thank You

3/26/2003 Servlet Security 1

Slide 1: Servlet Security
CSCI 5931.01 Research Topics in Computer Science -- Web Security
Instructor: Dr. Yang
Students: Shiyou Li, Gang Zheng

Slide 2: Table of Contents
- Server-side security issues
- Java Servlet security
- User authentication
- Access control
- Data integrity
- Confidentiality

Slide 3: Server-side Security Issues
- Interception of session state information
- Forgery of session state information
- Session timeout
- Buffer overflow
- Data validation

Slide 4: Server-side Security Issues (cont')
- Page sequencing
- Information reporting
- Browser residue
- User authentication
- Logging of sensitive information

Slide 5: Session State Maintenance
HTTP is a stateless protocol: every browser request and server response is independent of the others.
Mechanisms for session maintenance:
- Cookies
- URL rewriting
- Hidden form fields

Slide 6: Cookies
- Enable information to be stored in the user's browser
- Consist of information sent by server-side scripts as name-value pairs, as the result of processing a particular URL request
- Whenever a cookie-enabled browser requests a URL from a web server, it first checks its cookies.
- If there are cookies associated with that URL, it sends the cookie information to the server as part of the URL request.
- It might include session ID information.

Slide 7: URL Rewriting
- Rewrite the URLs of the links on a web page to contain extra information, in the form of a query string or extra path information.
- Example: a user named John Doe logs in with session ID 1234 and enters page1.cgi; page1.cgi contains a link to page2.cgi.
- When the user clicks the link to page2.cgi, the URL is: http://sample.com/page2.cgi?fname=John&lname=Doe&sessionid=1234

Slide 8: Hidden Form Fields
<input type="HIDDEN" name="id" value="1234">
- Typically contained in forms that are placed in a common frame of a frameset
- Accessed using client-side JavaScript
- When JavaScript executes in one page of an application, it stores values (such as the session ID) in hidden form fields.

Slide 9: Intercept of Session State Information
Cookie vulnerability:
- Sent back and forth with every request and response
- Can be read from the cookie file
- A significant vulnerability in an Internet café environment
URL rewriting vulnerability:
- The URLs requested and rewritten are passed back and forth
- If intercepted, they can be used to take over a user's session

Slide 10: Intercept of Session State Information (cont')
Hidden form field vulnerability:
- Sent between browser and server
- Since they are used with client-side scripts, there is less communication than with cookies or URL rewriting
Countermeasure: SSL encryption between client and server

Slide 11: Forgery of Session State Information
- In some cases, an attacker may be able to take over a user's session without intercepting the communication between browser and server.
- Example: a user logs into the server with session ID 123456; an attacker forges a cookie or rewritten URL using session ID 123455.
Countermeasures:
- Use a large, random number as the session ID
- Keep session information encrypted on the server

Slide 12: Session Timeout
Two mechanisms to terminate a session:
- Explicit: clicking a link (e.g.
logout)
- Set a timeout for the session
- Implementation: track the last time a user made a request to the server
- Setting the duration of a session timeout involves a tough trade-off
- Typically 10-45 min, with 20 min being a common value

Slide 13: Buffer Overflow
- Occurs when the amount of input data is larger than the input buffer
- When a buffer overflows, the overflow data may overwrite program data, or even instructions or stack information
- Can lead to takeover of the web server by an attacker
- Countermeasure: validate the data received from the browser

Slide 14: Data Validation
- Input a script tag (<>) and a script in an input field, so that the script executes on the server
- Rewrite URLs or modify hidden form fields to contain unexpected values (remember /../..?)
- Enter numeric values that result in numeric overflow
- Cause a null-value operation on the server
- Countermeasure: careful server-side validation

Slide 15: Page Sequencing
- Erroneous assumption: the user will proceed through the pages of the application in the designed sequence.
- Example: the first page of a web application is the user login, but will the user really enter at the first page?
- What happens to the application if the user skips the first page and types in the URL of the next page directly?
- Countermeasure: code logic to verify that the user really went through the login page

Slide 16: Browser Residue
- Information related to the user's interaction with a web application is stored in the browser's cache:
  - URLs visited recently
  - The web application's cookies
  - Other private user data
- What if someone else also has access to the same computer?
- Possible countermeasure: clear the Internet temporary files and history files, as well as cookies, periodically

Slide 17: User Authentication
- One of the weakest yet most widely used forms of authentication is reusable passwords
  - Susceptible to interception
  - Susceptible to guessing
- Countermeasure: account lock-out when a user fails to log in after a specified number of attempts
- Problem: susceptible
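As an added example (not code from the slides or from the course), here is a hypothetical login servlet that applies the countermeasures discussed under interception and forgery of session state: a session ID drawn from a cryptographic random generator instead of a small sequential number, a cookie that the browser only sends over SSL, and a server-side lookup in which an ID that was never issued resolves to nothing, however close it is to a real one. The class and cookie names, the in-memory session table and the demo credential store are the example's own assumptions; the cookie's HttpOnly flag needs a Servlet 3.0 or later container.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical login servlet (added example, not the slides' code). It keeps its
 * own session table instead of the container's HttpSession so that the slides'
 * countermeasures are visible in one place: a large random session ID, a cookie
 * that is only transmitted over SSL, and a lookup that fails for any ID that
 * was not issued by this servlet.
 */
public class SessionIssuingServlet extends HttpServlet {
    static final String COOKIE_NAME = "sessionid";
    private static final SecureRandom RNG = new SecureRandom();
    /** Issued session ID -> user name. In-memory for illustration only. */
    static final Map<String, String> SESSIONS = new ConcurrentHashMap<>();

    /** Constructed demo credential store: user name -> SHA-256 of the password.
     *  A real deployment uses a salted, iterated password hash; this only keeps
     *  the example self-contained. */
    static final Map<String, byte[]> USERS = new ConcurrentHashMap<>();
    static { USERS.put("john", sha256("correct horse")); }

    /** 128 bits from a cryptographic generator, URL-safe Base64 (22 characters):
     *  an attacker holding one valid ID learns nothing about any other. */
    static String newSessionId() {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /** Take the ID from the cookie only; a sessionid query parameter is ignored,
     *  so a rewritten URL that leaks into a log or a referrer grants nothing. */
    static String sessionIdFrom(HttpServletRequest req) {
        Cookie[] cookies = req.getCookies();
        if (cookies == null) return null;
        for (Cookie c : cookies) {
            if (COOKIE_NAME.equals(c.getName())) return c.getValue();
        }
        return null;
    }

    /** The user owning this session, or null. A guessed neighbouring ID such as
     *  123455 for 123456 is simply absent from the table. */
    static String userFor(String sessionId) {
        return sessionId == null ? null : SESSIONS.get(sessionId);
    }

    /** Called by the application's protected servlets to identify the caller. */
    static String currentUser(HttpServletRequest req) {
        return userFor(sessionIdFrom(req));
    }

    static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);   // SHA-256 is mandatory in every JRE
        }
    }

    static boolean credentialsValid(String user, String password) {
        if (user == null || password == null) return false;
        byte[] expected = USERS.get(user);
        // MessageDigest.isEqual compares in constant time, so timing does not leak the match length
        return expected != null && MessageDigest.isEqual(expected, sha256(password));
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String user = req.getParameter("user");
        if (!credentialsValid(user, req.getParameter("password"))) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        String id = newSessionId();
        SESSIONS.put(id, user);

        Cookie cookie = new Cookie(COOKIE_NAME, id);
        cookie.setSecure(true);    // sent only over SSL: the slides' countermeasure to interception
        cookie.setHttpOnly(true);  // Servlet 3.0+: not readable by client-side script
        cookie.setPath("/");
        resp.addCookie(cookie);
        resp.sendRedirect(req.getContextPath() + "/app/home");
    }
}
```

Mapping the servlet to /login in web.xml is assumed. The table never shrinks here; expiry by last request time, as the session timeout slide describes, would be tracked alongside the user name in the same table.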
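As an added example (not the slides' code), here is a hypothetical servlet filter that implements the countermeasures for session timeout and page sequencing, together with a helper class for server-side validation of the inputs listed under data validation. It assumes a login servlet that, on success, puts the user name in the "user" attribute of the container's HttpSession, and that the filter is mapped in web.xml to the application's protected pages; all names are the example's own.

```java
import java.io.IOException;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (added example, not from the slides) mapped to the
 * application's protected pages. On every request it enforces page sequencing
 * (the login page cannot be skipped) and an inactivity timeout based on the
 * last request time. It assumes the login servlet stores the user name in the
 * "user" session attribute.
 */
public class ProtectedPageFilter implements Filter {
    static final long TIMEOUT_MS = 20L * 60 * 1000;   // 20 minutes, the slides' common value
    static final String USER_ATTR = "user";
    static final String LAST_REQUEST_ATTR = "lastRequest";

    /** Decision logic kept free of I/O so it can be exercised without a container. */
    static boolean sessionIsLive(HttpSession session, long now) {
        if (session == null || session.getAttribute(USER_ATTR) == null) {
            return false;                       // the login page was skipped
        }
        Long last = (Long) session.getAttribute(LAST_REQUEST_ATTR);
        if (last != null && now - last > TIMEOUT_MS) {
            return false;                       // idle longer than the timeout
        }
        session.setAttribute(LAST_REQUEST_ATTR, now);   // record this request
        return true;
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        HttpSession session = req.getSession(false);    // never create one for an unknown caller
        if (!sessionIsLive(session, System.currentTimeMillis())) {
            if (session != null) session.invalidate();
            resp.sendRedirect(req.getContextPath() + "/login");
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}

/** Server-side checks for the malicious inputs listed on the data validation slide (constructed helper). */
final class InputChecks {
    private InputChecks() { }

    /** Numeric overflow and null values: parse as long, then range-check before narrowing to int. */
    static int boundedInt(String raw, int min, int max) {
        if (raw == null) throw new IllegalArgumentException("missing value");
        long v;
        try {
            v = Long.parseLong(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalArgumentException("not a number");
        }
        if (v < min || v > max) throw new IllegalArgumentException("out of range");
        return (int) v;
    }

    /** Path values: accept one plain file name, so "../../etc/passwd" is refused outright. */
    private static final Pattern FILE_NAME =
            Pattern.compile("[A-Za-z0-9_-]{1,64}(\\.[A-Za-z0-9]{1,8})?");

    static String fileName(String raw) {
        if (raw == null || !FILE_NAME.matcher(raw).matches()) {
            throw new IllegalArgumentException("bad file name");
        }
        return raw;
    }

    /** Free text: bound the length and refuse tag delimiters; output must still be escaped. */
    static String plainText(String raw, int maxLen) {
        if (raw == null || raw.length() > maxLen
                || raw.indexOf('<') >= 0 || raw.indexOf('>') >= 0) {
            throw new IllegalArgumentException("unexpected characters");
        }
        return raw;
    }
}
```

Servlets behind the filter call the InputChecks methods on every parameter they use and treat an IllegalArgumentException as a bad request; the allow-list style (a regular expression for what is accepted) is what makes the traversal and script cases fall out without enumerating attack strings.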
to a denial of service attack

Slide 18: Logging of Sensitive Information
- Web servers typically provide the capability to log all URLs requested by browsers
- Log data is sensitive because sensitive user information can be encoded in URLs
- Online access to log data should be prohibited.
- Log data should
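As an added example (not from the slides), here is a hypothetical request-logging filter that redacts session IDs and user data from the URL before writing it to the container log, using the rewritten URL from the URL rewriting slide as its sample input. The parameter names it treats as sensitive are an assumption of the example; the ;jsessionid= path segment is the form of URL rewriting that servlet containers themselves produce.

```java
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical logging filter (added example, not from the slides). It writes one
 * line per request to the container log, but only after redacting the parts of
 * the URL where URL rewriting carries session IDs and user data.
 */
public class RedactingLogFilter implements Filter {
    /** Query parameter names treated as sensitive; the list is an assumption of the example. */
    static final Set<String> SENSITIVE =
            new HashSet<>(Arrays.asList("sessionid", "jsessionid", "password", "fname", "lname"));
    private ServletContext context;

    /** Redact sensitive query values and the ;jsessionid=... path segment. */
    static String sanitizeUrl(String url) {
        int semi = url.indexOf(";jsessionid=");
        if (semi >= 0) {
            int end = url.indexOf('?', semi);
            url = url.substring(0, semi) + ";jsessionid=[redacted]"
                    + (end < 0 ? "" : url.substring(end));
        }
        int q = url.indexOf('?');
        if (q < 0) return url;
        StringBuilder out = new StringBuilder(url.substring(0, q + 1));
        String[] pairs = url.substring(q + 1).split("&");
        for (int i = 0; i < pairs.length; i++) {
            int eq = pairs[i].indexOf('=');
            String name = eq < 0 ? pairs[i] : pairs[i].substring(0, eq);
            if (i > 0) out.append('&');
            if (SENSITIVE.contains(name.toLowerCase())) {
                out.append(name).append("=[redacted]");   // keep the name, drop the value
            } else {
                out.append(pairs[i]);
            }
        }
        return out.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        String full = req.getRequestURL().toString();
        if (req.getQueryString() != null) full += "?" + req.getQueryString();
        context.log(req.getMethod() + " " + sanitizeUrl(full));   // redacted before it reaches disk
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { context = cfg.getServletContext(); }
    @Override public void destroy() { }

    /** Stand-alone check on the rewritten URL from the URL rewriting slide (constructed input). */
    public static void main(String[] args) {
        System.out.println(sanitizeUrl(
                "http://sample.com/page2.cgi?fname=John&lname=Doe&sessionid=1234"));
    }
}
```

The redaction has to happen before the string reaches the log: once a URL carrying sessionid=1234 is on disk, access control on the log file is the only remaining defence, which is why the slide prohibits online access to log data.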