The document discusses various topics related to web application security including authenticating users, SSL protocol, padlock icons, user interface attacks, and Pretty Good Privacy (PGP). It provides details on cookie-based and token-based authentication, how SSL works to establish encrypted links, different padlock icons and what they indicate, types of user interface attacks like clickjacking and cursorjacking, and how PGP provides authentication, confidentiality, compression and compatibility for securing emails.
4. Authenticating Users
• Authenticating a user is the process of checking that the user is genuine
• User authentication can be done in the following ways:
1. Cookie Based Authentication
2. Token Based Authentication
5. Cookie Based Authentication
• Cookie-based authentication is considered a stateful authentication
method (server-based authentication).
• Authentication records must be stored on both the client side and the
server side.
• The server keeps and maintains active session details in its data
storage, and a front-end cookie is created to hold the session identifier.
• The main disadvantage of this authentication method is that the server
has to store the session data for each and every user, which increases
the overhead on the server.
6. Flow of Cookie Based Authentication
1. Enter login credentials
2. Server verifies the given credentials, creates a session and stores it
in the database.
3. Cookie + Session ID are kept on the client side (user's browser)
4. For subsequent requests, the session ID is verified against the
database.
5. The session is destroyed on both the client and the server side once
the user logs out.
7. Token Based Authentication
• This is the most used authentication method, suitable for
single-page applications, web APIs and IoT development
• Token-based authentication is stateless: the server does not
keep records about the logged-in user. Instead, the token is generated
using the credentials provided.
• The main advantage of token-based authentication is that the client side
and server side are decoupled for the authentication mechanism, which can
provide an uninterrupted workflow.
• Because no session information is stored, your application can
scale and add more machines as necessary without worrying about
where the user logged in
8. Flow of Token Based Authentication
1. User provides credentials
2. Server verifies credentials and returns a signed token.
3. Token is stored on the client side
4. Subsequent requests to the server are sent with the token in an
authentication header (HTTP header).
5. Server verifies the token (JSON Web Token) and returns the required data.
6. Token is destroyed on the client once the user logs out.
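The two flows side by side, as an added example that is not part of the original slides. It assumes an HS256-signed token in JWT layout and an in-memory dictionary standing in for the session database; all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

SECRET = secrets.token_bytes(32)   # server-side signing key, generated for this demo
SESSIONS = {}                      # stateful store: session ID -> user record

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login_cookie(user: str) -> str:
    """Cookie flow: the server stores the session, the client holds a random ID."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"sub": user}
    return sid

def check_cookie(sid: str):
    return SESSIONS.get(sid)       # one lookup per request

def logout_cookie(sid: str) -> None:
    SESSIONS.pop(sid, None)        # revocation takes effect immediately

def issue_token(user: str, now: int, ttl: int = 900) -> str:
    """Token flow: the server signs the claims and stores nothing."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps({"sub": user, "exp": now + ttl}).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64e(sig)}"

def verify_token(token: str, now: int):
    """Return the claims, or None if signature, algorithm or expiry fails."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):
            return None
        if json.loads(b64d(header)).get("alg") != "HS256":
            return None            # never let the token choose its own algorithm
        claims = json.loads(b64d(body))
        return claims if claims.get("exp", 0) > now else None
    except (ValueError, TypeError, AttributeError):
        return None
```

Because the server keeps no record, a token deleted on the client at logout still verifies until its `exp` time, whereas the cookie session is gone as soon as the server drops it.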
10. What is SSL?
• SSL (Secure Sockets Layer) is a standard security protocol for
establishing encrypted links between a web server and a browser in an
online communication.
• The usage of SSL technology ensures that all data transmitted between
the web server and browser remains encrypted.
11. What is SSL Certificate?
• SSL or TLS (Transport Layer Security) certificates are data files that
bind a cryptographic key to the details of an organization.
• When SSL/TLS certificate is installed on a web server, it enables a
secure connection between the web server and the browser that
connects to it.
• The website's URL is prefixed with "https" instead of "http" and a
padlock is shown on the address bar. If the website uses an extended
validation (EV) certificate, then the browser may also show a green
address bar.
12. What is SSL used for?
• The SSL protocol is used by millions of online businesses to protect
their customers, ensuring their online transactions remain confidential.
• A web page should use encryption when it expects users to submit
confidential data, including personal information, passwords, or credit
card details.
• All web browsers have the ability to interact with secured sites so long
as the site's certificate is issued by a trusted CA.
13. How SSL Works?
1. An end-user asks their browser to make a secure connection to a
website
2. The browser obtains the IP address of the site from a DNS server
then requests a secure connection to the website.
3. To initiate this secure connection, the browser requests that the
server identifies itself by sending a copy of its SSL certificate to the
browser.
14. How SSL Works?
4. The browser checks the certificate to ensure:
1. That it is signed by a trusted CA
2. That it is valid - that it has not expired or been revoked
3. That it conforms to required security standards on key lengths and other
items.
4. That the domain listed on the certificate matches the domain that was
requested by the user.
5. When the browser confirms that the website can be trusted, it creates
a symmetric session key which it encrypts with the public key in the
website's certificate. The session key is then sent to the web server.
15. How SSL Works?
6. The web server uses its private key to decrypt the symmetric session
key.
7. The server sends back an acknowledgement that is encrypted with
the session key.
8. From now on, all data transmitted between the server and the
browser is encrypted and secure.
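The checks from step 4, as an added example that is not part of the original slides. It uses Python's standard `ssl` module and a constructed certificate dictionary shaped like the output of `SSLSocket.getpeercert()`; the function names and sample values are hypothetical, and chain, revocation and key-strength checks are left to the TLS library.

```python
import ssl

def context_weaknesses(ctx: ssl.SSLContext) -> list:
    """Flag client settings that switch off the checks a browser performs."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("chain not verified against trusted CAs")
    if not ctx.check_hostname:
        issues.append("certificate name not matched to requested domain")
    return issues

def name_matches(pattern: str, host: str) -> bool:
    """DNS name match; '*' is honoured only as the whole left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def cert_problems(cert: dict, host: str, now: float) -> list:
    """Check the validity window and the requested domain."""
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not any(name_matches(n, host) for n in names):
        problems.append("domain mismatch")
    return problems

# Constructed sample certificate (not taken from a real site).
SAMPLE_CERT = {
    "notBefore": "Jan 10 00:00:00 2024 GMT",
    "notAfter": "Jan 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}
STRICT = ssl.create_default_context()   # verifies chain and hostname by default
LAX = ssl.create_default_context()
LAX.check_hostname = False              # must be cleared before verify_mode
LAX.verify_mode = ssl.CERT_NONE         # weak: accepts any certificate
```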
17. Padlock Icon in browsers
• As part of their security features, web browsers use a special set of
symbols that alert users to a website's validity.
• Shown in the left corner of the address bar, these icons provide vital
information about a site's certificates and connections.
18. Decoding the Padlock Icons on Google
Chrome
• The different padlocks and icons shown next to the URL bar on
Google Chrome let you know whether a site uses TLS or SSL
certificates.
• These certificates allow you to distinguish between a valid site and an
invalid one.
• Padlock types include Green Lock Icon, Yellow exclamation Point,
Blank Page Icon, Lock icon with Yellow Triangle and Red Padlock
Icon
19. Padlock Icons
Green Padlock Icon
• The green padlock indicates that a webpage connection is
secure. This means that a website's identity has been
verified by a trusted third-party authority and that it has a
valid certificate for the URL that you're trying to reach.
• Site certificates are produced by any website that requires
some sort of authentication (such as a username and
password) to access a page's full services. An easy way to
tell if a site is secure is to check its URL — encrypted sites
(those that use SSL) will usually begin with https, while
non-encrypted sites use an http URL.
20. Padlock Icons
Yellow Exclamation Point
• A yellow exclamation mark indicates that the website has not
provided the browser with a certificate. This is normal for regular
HTTP sites, as certificates are only usually provided if the site uses
SSL.
Blank Page Icon
• Any "normal" http websites, will be shown with a blank page icon
displayed before it. These pages can be accessed without prior
authentication.
21. Padlock Icons
Lock Icon with Yellow Triangle
• A lock icon with a yellow triangle indicates that Chrome can see a site's
certificate but that the site has weak security. In this case, we recommend
that you proceed with caution, as your connection may not be private.
Red Padlock Icon
• If you see a red padlock with an x next to a URL, this is an indication of
problems with a site's certificate. Exercise extreme caution when
proceeding onto the site — refrain from entering any personal data or
sensitive information. It is likely that somebody is trying to impersonate the
requested website in order to capture your information.
22. Certificate of a Web Page
• If a web site has a valid certificate, it means that a
certificate authority has taken steps to verify that
the web address actually belongs to that
organization. When you type a URL or follow a
link to a secure web site, your browser will check
the certificate for the following characteristics:
1. the web site address matches the address on the
certificate
2. the certificate is signed by a certificate authority
that the browser recognizes as a "trusted"
authority
23. How to check a Certificate
• A secure way to find information about the certificate is to look for the certificate
feature in the menu options. This information may be under the file properties or
the security option within the page information.
1. who issued the certificate - You should make sure that the issuer is a legitimate,
trusted certificate authority (you may see names like VeriSign, thawte, or
Entrust).
2. who the certificate is issued to - The certificate should be issued to the
organization who owns the web site. Do not trust the certificate if the name on
the certificate does not match the name of the organization or person you
expect.
3. expiration date - Most certificates are issued for one or two years. One
exception is the certificate for the certificate authority itself, which, because of
the amount of involvement necessary to distribute the information to all of the
organizations who hold its certificates, may be ten years.
25. User Interface Attacks
• In systems where multiple applications or websites share the same
display, the user can be tricked to interact with false UI elements.
• For example, a malicious website may be able to draw an overlay over
a button that causes the user to click the button unintentionally.
• Such attacks are called clickjacking or UI redressing.
26. How Clickjacking Works
• Clickjacking is possible because seemingly harmless features of
HTML web pages can be employed to perform unexpected actions.
• A clickjacked page tricks a user into performing undesired actions by
clicking on a concealed link.
• On a clickjacked page, the attackers load another page over it in a
transparent layer.
27. How Clickjacking Works
• The users think that they are clicking visible buttons, while they are
actually performing actions on the invisible page.
• The hidden page may be an authentic page.
• Therefore, the attackers can trick users into performing actions which
the users never intended.
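The slides describe the attack; the server-side control is to restrict who may frame a page. The following added example (not part of the original slides) classifies a response's framing policy from its `X-Frame-Options` and `Content-Security-Policy: frame-ancestors` headers; the paths and header values are constructed and the function names are hypothetical.

```python
def framing_policy(headers: dict) -> str:
    """Classify who may embed a response: deny, same-origin, allowlist, unprotected."""
    h = {k.lower(): v for k, v in headers.items()}
    # Where both are present, frame-ancestors is enforced instead of X-Frame-Options.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in parts[1:]]
            if not sources or sources == ["'none'"]:
                return "deny"
            if sources == ["'self'"]:
                return "same-origin"
            if any(s in ("*", "http:", "https:") for s in sources):
                return "unprotected"      # any origin may frame the page
            return "allowlist"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny"
    if xfo == "SAMEORIGIN":
        return "same-origin"
    return "unprotected"                  # missing, invalid, or obsolete ALLOW-FROM

def unprotected_paths(responses: dict) -> list:
    """Paths whose responses any site could load in a transparent layer."""
    return sorted(p for p, hdrs in responses.items()
                  if framing_policy(hdrs) == "unprotected")

# Constructed sample: response headers per path for a hypothetical application.
SAMPLE_RESPONSES = {
    "/login": {"X-Frame-Options": "DENY"},
    "/account/delete": {"Content-Type": "text/html"},
    "/widget": {"Content-Security-Policy":
                "default-src 'self'; frame-ancestors https://partner.example"},
    "/transfer": {"X-Frame-Options": "ALLOW-FROM https://partner.example"},
    "/settings": {"Content-Security-Policy": "frame-ancestors 'self'",
                  "X-Frame-Options": "DENY"},
}
```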
28. Cursorjacking
• Cursorjacking is a variant of Clickjacking Attack.
• Cursorjacking is a UI redressing technique to change the cursor from the location the user
perceives, discovered in 2010 by Eddy Bordi, a researcher at Vulnerability.fr
• Marcus Niemietz demonstrated this with a custom cursor icon, and in 2012 Mario
Heiderich by hiding the cursor.
• Jordi Chancel, a researcher at Alternativ-Testing.fr, discovered a cursorjacking
vulnerability using Flash, HTML and JavaScript code in Mozilla Firefox (fixed in Firefox
30.0) which can lead to arbitrary code execution and webcam spying.
• A second cursorjacking vulnerability was discovered by Jordi Chancel in Mozilla
Firefox on Mac OS X systems (fixed in Firefox 37.0), again using Flash, HTML and
JavaScript code, which can also lead to webcam spying and to the execution of a
malicious add-on that allows malware to run on the trapped user's computer.
29. Password Manager Attack
• A 2014 paper from a researcher at Carnegie Mellon University discovered this attack.
• He found that while browsers refuse to autofill if the protocol on the current login page is
different from the protocol at the time the password was saved, some password managers
would insecurely fill in passwords for the http version of https-saved passwords.
• Most managers did not protect against iFrame- and redirection-based attacks and exposed
additional passwords where password synchronization had been used between multiple
devices.
31. Pretty Good Privacy (PGP)
• PGP is an open source, freely available software package for E-mail
security
• PGP has grown very quickly and is now widely used. Reasons for its
growth are:
1. It is freely available worldwide in versions that run on a variety of
platforms. In addition, commercial versions provide vendor support.
2. The package includes RSA, DSS, and Diffie-Hellman for public-
key encryption, CAST-128, IDEA, and 3DES for symmetric
encryption, and SHA-1 for hash coding.
33. Authentication
• This is achieved through Digital Signature Service provided by PGP
1. The sender creates a message
2. SHA-1 is used to generate a 160-bit hash code of the message
3. The hash code is encrypted with RSA using the sender’s private key, and
the result is prepended to the message.
4. The receiver uses RSA with the sender’s public key to decrypt and
recover the hash code.
5. The receiver generates a new hash code for the message and compares it
with the decrypted hash code. If the two match, the message is accepted
as authentic.
34. Confidentiality
• Another PGP service is confidentiality, which is encrypting messages
for transmission or for storing files locally.
• In both cases, the symmetric encryption algorithm CAST-128 may be
used. Alternatively, IDEA or 3DES may be used. The 64-bit cipher
feedback (CFB) mode is used.
• In PGP, each symmetric key is used only once. The session key is
bound to the message. To protect the key, it is encrypted with the
receiver’s public key.
35. Confidentiality
1. The sender generates a message and a random 128-bit number to be
used as a session key for this message only.
2. The message is encrypted using CAST-128 (or IDEA or 3DES) with
the session key.
3. The session key is encrypted with RSA using the recipient’s public
key and is prepended to the message.
4. The receiver uses RSA with its private key to decrypt and recover
the session key.
5. The session key is used to decrypt the message.
36. Compression
• PGP compresses the message after applying the signature but before
encryption. This has the benefit of saving space both for e-mail
transmission and for file storage.
• The signature is generated before compression for two reasons:
1. It is preferable to sign an uncompressed message so that one can
store only the uncompressed message together with the signature for
future verification.
2. If the signature were generated after compression, the message would
need to be recompressed for verification, and PGP's compression
algorithm presents a difficulty here.
37. Compression
• Message encryption is applied after compression to strengthen
cryptographic security. Therefore cryptanalysis is more difficult.
• The compression algorithm used here is ZIP Algorithm
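The authentication steps and the sign-before-compress order, as an added example that is not part of the original slides. It assumes a toy unpadded RSA key built from two known Mersenne primes and uses `zlib` (DEFLATE) as a stand-in for PGP's ZIP step; the function names are hypothetical.

```python
import hashlib, zlib

# Toy RSA key: large enough to hold a 160-bit SHA-1 value, far too small
# (and unpadded) for real use. Illustrates the order of operations only.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent
SIG_LEN = (N.bit_length() + 7) // 8        # 27 bytes

def sha1_int(message: bytes) -> int:
    # SHA-1 is what the slides describe; current OpenPGP software prefers SHA-2.
    return int.from_bytes(hashlib.sha1(message).digest(), "big")

def sign_then_compress(message: bytes) -> bytes:
    """Sender: hash, encrypt the hash with the private key, prepend, compress."""
    signature = pow(sha1_int(message), D, N)
    signed = signature.to_bytes(SIG_LEN, "big") + message
    return zlib.compress(signed)

def split_signed(signed: bytes):
    return int.from_bytes(signed[:SIG_LEN], "big"), signed[SIG_LEN:]

def verify_signed(signed: bytes) -> bool:
    """Receiver: recover the hash with the public key and compare."""
    signature, message = split_signed(signed)
    return pow(signature, E, N) == sha1_int(message)

def decompress_and_verify(blob: bytes):
    signed = zlib.decompress(blob)
    return split_signed(signed)[1], verify_signed(signed)

def tamper(blob: bytes) -> bytes:
    """Simulate modification of the message body in transit."""
    signed = bytearray(zlib.decompress(blob))
    signed[-1] ^= 0x01
    return zlib.compress(bytes(signed))
```

Because the signature covers the uncompressed bytes, the decompressed signature-plus-message can be archived and re-verified later with `verify_signed` without running the compressor again.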
38. E-Mail Compatibility
• The resulting message block consists of a stream of arbitrary 8-bit
octets.
• However, many electronic mail systems only permit the use of blocks
consisting of ASCII text.
• To accommodate this restriction, PGP provides the service of
converting the raw 8-bit binary stream to a stream of printable ASCII
characters
• The scheme used for this purpose is radix-64 conversion. Each group
of three octets of binary data is mapped into four ASCII characters.
This format also appends a CRC to detect transmission errors.
39. E-Mail Compatibility
• The use of radix 64 expands a message by 33%. Fortunately, the
session key and signature portions of the message are relatively
compact, and the plaintext message has been compressed.
• In fact, the compression should be more than enough to compensate
for the radix-64 expansion
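The radix-64 conversion with its CRC, as an added example that is not part of the original slides. The CRC-24 constants are those specified for OpenPGP ASCII armor in RFC 4880; the armor header lines are omitted, the 64-character line length is a choice made here, and the function names are hypothetical.

```python
import base64, zlib

def crc24(data: bytes) -> int:
    """CRC-24 as specified for OpenPGP ASCII armor (RFC 4880)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def armor(data: bytes) -> str:
    """Radix-64 body in 64-character lines, then '=' plus the encoded CRC."""
    body = base64.b64encode(data).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    checksum = base64.b64encode(crc24(data).to_bytes(3, "big")).decode()
    return "\n".join(lines + ["=" + checksum])

def dearmor(text: str) -> bytes:
    """Decode; raise ValueError if the CRC shows a transmission error."""
    *lines, checksum = text.split("\n")
    data = base64.b64decode("".join(lines))
    if not checksum.startswith("="):
        raise ValueError("missing CRC-24 line")
    if base64.b64decode(checksum[1:]) != crc24(data).to_bytes(3, "big"):
        raise ValueError("CRC-24 mismatch: data was altered in transit")
    return data

def expansion(data: bytes) -> float:
    """Size of the radix-64 body relative to the raw octets."""
    return len(base64.b64encode(data)) / len(data)

def wire_size(message: bytes) -> int:
    """Characters sent when the message is compressed and then armored."""
    return len(armor(zlib.compress(message)))
```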
40. Segmentation and Reassembly
• E-mail facilities are often restricted to a maximum length. To
accommodate this, PGP automatically subdivides a message that is
too large into segments that are small enough to send via e-mail.
• The segmentation is done after all of the other processing, including
the radix-64 conversion.
41. Summary of PGP Services
| Function | Algorithm Used | Description |
| --- | --- | --- |
| Digital Signature | DSS/SHA or RSA/SHA | A hash code of the message is created using SHA-1. This message digest is encrypted using DSS or SHA using the sender's private key and is included with the message. |
| Message Encryption | CAST or IDEA or Three Key Triple DES with Diffie-Hellman or RSA | A message is encrypted using CAST-128 or IDEA or 3DES with a one-time session key generated by the sender. The session key is encrypted using Diffie-Hellman or RSA with the recipient's public key and included with the message. |
| Compression | ZIP | A message may be compressed for storage or transmission using ZIP. |
| E-Mail Compatibility | Radix-64 Conversion | To provide transparency for e-mail applications, an encrypted message may be converted to an ASCII string using radix-64 conversion. |