DauHoang WebSecurity Chapter 3 Web Security Measures PDF

This document summarizes lecture notes on web security measures from Chapter 3. It discusses various topics related to securing web applications, including access control, user authentication, securing web sessions and servers, databases, file systems, and browsers. Specific techniques covered include basic and digest HTTP authentication, single sign-on authentication, and developing custom authentication systems. The document provides details on how authentication works in web applications and potential issues with approaches like basic authentication.

Uploaded by Lâm Nguyễn

UNIVERSITY OF SCIENCE AND TECHNOLOGY OF HANOI

WEB SECURITY LECTURE NOTES

CHAPTER 3 – WEB SECURITY MEASURES

Lecturer: Assoc. Prof. Dr. Hoang Xuan Dau


E-mail: [email protected]
Office: Faculty of Information Security, PTIT, Hanoi
WEB SECURITY LECTURE NOTES
CHAPTER 3 – WEB SECURITY MEASURES

TOPICS

1. Access control for web applications
2. Securing web sessions
3. Securing web servers
4. Securing web databases
5. Securing file systems
6. Securing web browsers


Access control for web applications

❖ Overview of access control
❖ Overview of user authentication
❖ Authentication in web applications
❖ Securing password-based authentication
❖ Mechanisms to secure authentication for web applications.


Overview of access control

❖ Access control is the process in which a user is identified and then authorised to access information, systems and resources.
❖ An access control system can be built from 3 major services:
▪ Authentication:
• The process of verifying the identification information presented by the user.
▪ Authorization:
• Determining which resources a user is allowed to access after the user has been authenticated.
▪ Administration:
• Providing the functionality for adding, removing and modifying user account information as well as the access permissions of users.


Overview of access control

❖ The main purpose of access control is to ensure the Confidentiality, Integrity and Availability of information, systems and resources:
▪ Confidentiality: to ensure that only authorised users can access data and systems.
▪ Integrity: to ensure that data is not modified by unauthorised parties.
▪ Availability: to ensure the readiness (quick response / service quality) of the service to legitimate users.


Overview of access control

❖ A simple model of access control:


Overview of access control


General view of the
authentication process


Overview of user authentication

❖ Authentication is the process of verifying the user’s identification information;
▪ It can only verify the identification information provided by the user;
▪ It can’t verify whether the user is the true owner of that information / account.
❖ A user’s identification information falls into 3 groups:
▪ Who you are (identity card, driving licence, fingerprints, etc.)
▪ What you know (username, email, password, PIN, etc.)
▪ What you have (ATM card, credit card, etc.)


Overview of user authentication

❖ User authentication is based on 1 or more factor groups:
▪ 1-factor authentication: 1 factor from 1 factor group is used;
• Example: authentication based on a password.
▪ 2-factor authentication: factors from 2 factor groups are used;
• Example: authentication based on an ATM card and a PIN.
▪ 3-factor authentication: factors from 3 factor groups are used;
• Example: authentication based on an ATM card, a fingerprint and a PIN.


Overview of user authentication

❖ Rule: the more factor groups are used, the higher the level of security of the user authentication.
❖ Question: how many factor groups are there in user authentication using email + password + OTP (One Time Password sent by SMS)?


Authentication in web applications

❖ Authentication based on username and password is the practical standard for web applications, especially Internet-based web applications.
▪ Reasons:
• Easy to implement and use.
• Cheap: only a web browser is needed on the client side and no additional facilities are required.
• Provides a basic level of security.


Authentication in web applications

❖ In some special web applications, a hardware- or software-based token may be used as a 2nd factor to enhance security.
❖ Biometrics-based authentication is rarely used for web applications.
▪ Why?


Authentication in web applications

❖ Password-based authentication methods for web applications:
▪ Built-in HTTP Authentication
▪ Single Sign On (SSO)
▪ Self-developed authentication systems.


Built-in HTTP Authentication

❖ The HTTP protocol provides 2 authentication methods:
▪ Basic access authentication
▪ Digest access authentication
❖ Example of an HTTP authentication dialogue box:


Basic access authentication

❖ Authentication process:
1. The client browser requests a protected resource (a file or a folder) on the web server;
2. On receiving the access request, the web server sends a response requiring authentication (status code 401):


Basic access authentication

❖ Authentication process:
3. When the browser receives the response requiring authentication from the server, it displays an authentication dialogue box asking the user to provide the username and password;
4. Having obtained the username and password from the user, the browser:
a. creates the reply message by combining username and password in the form username:password;
b. encodes the reply message using base64;
c. puts the message into the authentication header and sends it to the web server.


Basic access authentication

❖ Authentication process:
5. On receiving the authentication information from the browser, the web server verifies the provided username and password:
a. If the username and password are valid, it allows the browser to access the requested resource;
b. If the username and password are NOT valid, it returns an error or sends the response requiring authentication again.
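The five steps above, worked through on the server side as an added example (this is not code from the lecture notes): the 401 challenge, the browser's `username:password` base64 encoding, the server's decoding and constant-time check. The `USERS` dictionary and the realm name are constructed for the example; a real server stores password hashes, not plaintext, as the "Securing password-based authentication" section says.

```python
"""Basic access authentication exchange, server side (added example)."""
import base64
import binascii
import hmac
from typing import Dict, Optional, Tuple

# Constructed credential store for the example: username -> password.
# A real server keeps password hashes here, never plaintext.
USERS: Dict[str, str] = {"alice": "correct horse battery staple"}


def challenge(realm: str = "Protected Area") -> Tuple[int, Dict[str, str]]:
    """Step 2: the 401 response that asks the browser to authenticate."""
    return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}


def parse_basic_header(value: str) -> Optional[Tuple[str, str]]:
    """Steps 4a-4c reversed: recover username:password from the Authorization header.

    Returns None when the header is malformed or not of the Basic scheme.
    Note how little work this takes: base64 is an encoding, not encryption.
    """
    scheme, _, encoded = value.partition(" ")
    if scheme.lower() != "basic" or not encoded:
        return None
    try:
        raw = base64.b64decode(encoded.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # The password may itself contain ':', so split on the first one only.
    username, sep, password = raw.partition(":")
    if not sep:
        return None
    return username, password


def handle_request(headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Step 5: verify the credentials or re-issue the challenge (step 5b)."""
    auth = headers.get("Authorization")
    creds = parse_basic_header(auth) if auth else None
    if creds is None:
        return challenge()
    username, password = creds
    expected = USERS.get(username, "")
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of the password were correct.
    if expected and hmac.compare_digest(password.encode(), expected.encode()):
        return 200, {}
    return challenge()


def encode_basic(username: str, password: str) -> str:
    """What the browser does in steps 4a-4c, included so the exchange is complete."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_request({}))  # steps 1-2: no credentials -> 401 challenge
    hdr = encode_basic("alice", "correct horse battery staple")
    print(hdr, "->", parse_basic_header(hdr))  # the header is trivially reversible
    print(handle_request({"Authorization": hdr}))  # step 5a -> 200
```

Because the browser repeats the header on every request and the server keeps no session, the same plaintext credentials cross the network again and again, which is the reason the notes insist on HTTPS for this method.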


Basic access authentication

❖ Pros:
▪ Simple and easy to implement.
❖ Cons:
▪ Insecure password transmission: base64 does not provide confidentiality and the encoded password can be decoded trivially.
▪ The password is sent from browser to server frequently, which may lead to the password leaking or being stolen;
• This is because the server does not keep a session, so the browser stores the username and password and sends them to the server with each request.
▪ Insecure storage of passwords:
• Username and password are stored by the browser and sent to the server automatically on each request;
• No session exists, therefore the user can’t sign out.


Digest access authentication

❖ Digest access authentication is very similar to Basic access authentication in its authentication process;
❖ The only difference is that the password is hashed with the MD5 hash function before being put into the authentication message sent to the server;
▪ This reduces the possibility of the password leaking or being stolen, since only the MD5 digest is used in the communication.
❖ Suggestions:
▪ Both Basic access authentication and Digest access authentication are weak authentication methods and should NOT be used;
▪ If they are used, HTTPS should be used with them to improve security.


Single Sign On - SSO

❖ SSO authentication is a mechanism that allows users to log on once, through a single authentication interface, to access multiple associated systems and services;
❖ For web applications, users log on once and are then able to access multiple SSO-supported websites and web-based services;


Single Sign On - SSO

❖ Some practical SSO systems:
▪ Google Account is a typical SSO. After logging on, users can access many Google services, such as GMail, Youtube, Google Talk, Google Adwords, …
▪ Microsoft Account is also a typical SSO. After logging on, users can access many Microsoft services, such as Windows PC, Skype, Xbox Live, Outlook.com, OneDrive, …


SSO - Google Account


SSO - Microsoft Account


Self-development authentication systems

❖ Many web applications have their own authentication and authorisation systems:
▪ The authentication and authorisation system is customized to fit the specific requirements of the web application.
❖ Common components of an authentication and authorisation system:
▪ A database to store:
• Users’ identity information, including username and password;
• Access permissions of users and groups of users;
▪ Pages for logging on and logging out/off;
▪ Components for validating log-on status and access permissions;
▪ Components for validating and managing working sessions.


Securing password-based authentication

❖ Set a minimum length for passwords:
▪ Minimum password length for normal applications: 8 chars
▪ Minimum password length for critical applications: 10 chars.
❖ Ensure the complexity of passwords:
▪ Passwords should draw on 4 character sets: lower case, upper case, digits and special chars.
❖ Do not store passwords in plaintext:
▪ Store passwords in hashed form (SHA1 for example).
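An added example (not from the lecture notes) that enforces the length and complexity rules above and stores passwords in hashed form. The notes name SHA1 as an example hash; a plain, unsalted, fast hash lets whoever steals the table test billions of guesses per second, so this example uses a random per-user salt and the deliberately slow `hashlib.scrypt` from the standard library instead. The `scrypt$<salt>$<hash>` record format and the cost parameters are assumptions of the example.

```python
"""Password policy check and salted, slow password hashing (added example)."""
import hashlib
import hmac
import os
import string
from typing import List, Optional

SPECIAL = set(string.punctuation)


def policy_violations(password: str, username: str, critical: bool = False) -> List[str]:
    """Return the rules the password breaks; an empty list means it is acceptable.

    Minimum lengths follow the notes: 8 chars for normal, 10 for critical apps.
    """
    problems = []
    minimum = 10 if critical else 8
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    if password.lower() == username.lower():
        problems.append("same as username")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store as 'scrypt$<hex salt>$<hex digest>' (record format assumed here).

    A fresh 16-byte salt per user means two users with the same password get
    different records and precomputed tables are useless.
    """
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    algo, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=2**14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print(policy_violations("password", "bob"))      # several violations
    print(policy_violations("Tr0ub4dor&3", "bob"))   # []
    record = hash_password("Tr0ub4dor&3")
    print(record)
    print(verify_password("Tr0ub4dor&3", record), verify_password("guess", record))
```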


Securing password-based authentication

❖ Change passwords periodically:
▪ Depends on the security policies;
▪ Passwords may be required to change every 3-6 months.
❖ Restrict the re-use of old passwords;
❖ Do not use passwords that are the same as usernames;
❖ Allow user accounts to be disabled.


Mechanisms to secure authentication for web applications

❖ Ensure secure communication: use SSL/TLS (HTTPS) for authentication traffic to avoid the theft of sensitive information;
❖ Provide a lockout mechanism:
▪ Define a mechanism for system or account lockout after a number of unsuccessful log-on attempts.


Mechanisms to secure authentication for web applications

❖ Use CAPTCHA on authentication forms to prevent automated log-on / registration;
❖ Disable unused accounts;
❖ Do not use default accounts, such as administrator, root, ...
❖ Do not store account information in program code;
❖ Avoid using functions such as Remember Me / Stay Signed In;
❖ Do not enable Autocomplete for the log-on form.


Securing web sessions

❖ Introduction to web sessions
❖ Weaknesses in session management
❖ Measures for securing web sessions


Introduction to web sessions

❖ A session is a technique implemented by web applications that allows them to link together the access requests of each individual user;
❖ Note:
▪ The HTTP protocol works on the Request / Response model; it does not support sessions;
▪ Requests from a user are processed separately and there is no connection among them.


Introduction to web sessions

❖ Working flow of a web session:
▪ When the web server receives a request from a browser, it creates an identity string, called a Session ID or Token, to form and manage a web session;
▪ The server sends the Token to the browser in the form of a cookie using the Set-Cookie header:

▪ On receiving the Token, the browser stores it as a cookie in its cookie database;

▪ The browser attaches the Token to all subsequent requests it sends to the server:

▪ The server gets the Token back from the browser and so can distinguish the requests of each individual user.


Introduction to web sessions

❖ Session begins: a session can be created with or without a required log-on from the user:
▪ A required log-on is usually used for accessing protected areas, such as member areas, email applications, ...
▪ No log-on is usually required for accessing public areas, such as online stores, where clients can search for products, create shopping carts and place orders without logging on.
❖ Session ends:
▪ Actively, by the user: a user can request ‘Sign Out’ to end a session;
▪ Passively, by the server: the server can abandon a session that has been inactive for a specific period of time.


Introduction to web sessions

❖ How does the web server identify a web user?
▪ The server uses a combination of the client IP address and browser information (operating system information included).
❖ How does the web server distinguish 2 web users who share a public IP address (in the same LAN behind NAT)?
❖ Can a user with one computer create more than 1 session on a website?


Weaknesses in session management

❖ Weaknesses in the generation of session tokens:
▪ Meaningful session tokens
▪ Easy-to-guess session tokens.
❖ Weaknesses in the use of session tokens:
▪ Token leakage on networks
▪ Token leakage in web logs
▪ Vulnerabilities in the mapping from token to session
▪ Vulnerabilities in the ending of sessions
▪ Token stealing on the client side
▪ No restriction on cookie scope.


Meaningful session tokens

❖ Some web applications generate session tokens from meaningful elements, such as username, email, date, etc.;
▪ Meaningful session tokens are created from the username or email using encoding or mixing techniques. Example of a token:

is represented in hexadecimal form. After converting into ASCII form, it becomes:

❖ Token generation rules can be inferred easily from session tokens containing meaningful data:
▪ Attackers can use the token generation rules to generate new tokens and try to hijack other users’ sessions.


Easy-to-guess session tokens

❖ Tokens based on sequential numbers or hidden sequences
❖ Tokens based on time
❖ Tokens based on weak random number generators


Tokens based on sequential numbers or hidden sequences

❖ These tokens are generated using sequential numbers or hidden sequences. Example: a series of tokens

Tokens (1) | ASCII string (2) | Hexa string (3) | Subtraction of 2 adjacent numbers (4)


Tokens based on sequential numbers or hidden sequences

❖ Example: a series of tokens
▪ (1) are the tokens in Base64 encoding
▪ (2) are the results of decoding (1) into ASCII
▪ (3) are the results of transforming (2) into hexadecimal
▪ (4) are the results of subtracting each pair of adjacent tokens

==> Generation rule:
▪ Generate a seed
▪ Add 0x97C4EB6A to the seed
▪ Take the 32 leftmost bits and encode them using Base64.


Tokens based on time

❖ These tokens are generated using the time or an element of the time (time-dependent tokens). Example: time-dependent tokens


Tokens based on weak random number generators

❖ These tokens are generated using weak random number generators.
❖ Example: a rule to generate tokens using java.util.Random:
▪ Generate a seed
▪ Compute seed * constant1 + constant2
▪ Extract the 48 leftmost bits
▪ Extract as many of those bits as the output requires.

▪ Since attackers know the token generation algorithm, they can generate many candidate tokens and submit them to the server to hijack users’ sessions.


Weaknesses in session management

❖ Weaknesses in the use of session tokens:
▪ Token leakage on networks
▪ Token leakage in web logs
▪ Vulnerabilities in the mapping from token to session
▪ Vulnerabilities in the ending of sessions
▪ Token stealing on the client side
▪ No restriction on cookie scope.


Token leakage on networks

❖ As session tokens are transferred from servers to browsers and vice versa, they can be sniffed on the communication network if the traffic is not encrypted.


Token leakage on networks

❖ Some websites use HTTPS to encrypt their traffic, yet still have embedded elements linked to HTTP-only URLs:
▪ Attackers can still intercept and capture session tokens by monitoring the requests for those embedded HTTP elements.
▪ It is recommended that all elements of a page / website be served over HTTPS.


Token leakage in web logs

❖ Some web applications record access logs that include session tokens when the tokens are carried in the URL;
❖ Access logs can be recorded on browsers, web servers and proxy servers.
❖ Example:


Vulnerability in mapping from token to session

❖ Some web applications allow users to create multiple sessions with 1 user account:
▪ A user may switch to working on another machine without cancelling the old session.
▪ This allows attackers to steal / misuse session tokens undetected, because the user’s own session is valid and the session created by the attacker runs at the same time.
▪ The risk is higher for static, sequential or predictable tokens.

Suggestion: 1 user account <--> 1 session at a time only.


Vulnerabilities in ending of session

❖ Some web applications do not provide a Log Out, Sign Out or Sign Off function;
❖ The log-out function does not always cancel the token and all other resources of the session;
❖ Some web applications do not set an inactivity period for user sessions;

==> If a session is not cancelled properly it remains active, and attackers may misuse the user’s session.


Token stealing on the client side

❖ Session tokens can be stolen on the client side using XSS attacks;
▪ Attackers can embed malicious scripts that steal cookies, which contain the session tokens, from client browsers;
▪ They can then use the stolen tokens to hijack users’ sessions.


No restriction to cookie scope

❖ Session cookies must be restricted to an appropriate scope of use; if not, they may be misused;
❖ Example: a token generated and sent to the client:

❖ The token is then sent to all sub-domains by the client browser:


Measures for securing web sessions

❖ Generation of ‘strong’ session tokens
❖ Protection of session tokens throughout their life cycle
❖ Logging, monitoring and reporting.


Generation of ‘strong’ session tokens

❖ Tokens should be generated with sufficiently large values;
❖ Tokens should be randomly generated and unpredictable;
❖ Long, randomized tokens are difficult to predict or brute-force in a short period of time;
❖ Tokens should not be meaningful;
❖ Tokens should not be time dependent.
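An added example (not code from the lecture notes) covering both this slide and the earlier "Tokens based on sequential numbers or hidden sequences" analysis: a generator that meets the five rules above using the operating system's CSPRNG, and the check a tester runs on a captured series of tokens to see whether successive values differ by a constant, which is what exposed the `0x97C4EB6A` step in the notes' example. The `weak_counter_tokens` generator is constructed here only to feed that check; its seed and byte width are assumptions.

```python
"""Strong session-token generation and a constant-step predictability check
(added example)."""
import base64
import secrets
from typing import List, Optional

TOKEN_BYTES = 32  # 256 bits from the OS CSPRNG: long, random, meaningless, not time-based


def generate_token() -> str:
    """A session token satisfying the rules on this slide."""
    return secrets.token_urlsafe(TOKEN_BYTES)


def token_to_bytes(token: str) -> bytes:
    """Decode a standard or URL-safe base64 token, tolerating missing padding."""
    padded = token + "=" * (-len(token) % 4)
    return base64.urlsafe_b64decode(padded.replace("+", "-").replace("/", "_"))


def constant_step(tokens: List[str]) -> Optional[int]:
    """Return the step if successive tokens differ by a constant, else None.

    Differences are taken modulo 2^(8*width) so a 32-bit counter that wraps
    around is still recognised. A constant step means the generator is a
    counter (possibly offset by a fixed value) and must be replaced.
    """
    if len(tokens) < 3:
        return None
    raws = [token_to_bytes(t) for t in tokens]
    modulus = 1 << (8 * max(len(r) for r in raws))
    values = [int.from_bytes(r, "big") for r in raws]
    steps = {(b - a) % modulus for a, b in zip(values, values[1:])}
    return steps.pop() if len(steps) == 1 else None


def weak_counter_tokens(seed: int, count: int) -> List[str]:
    """Constructed weak generator modelled on the rule inferred in the notes:
    seed + k * 0x97C4EB6A, kept to 32 bits, base64-encoded. Do not use."""
    out = []
    for k in range(count):
        value = (seed + k * 0x97C4EB6A) & 0xFFFFFFFF
        out.append(base64.b64encode(value.to_bytes(4, "big")).decode())
    return out


if __name__ == "__main__":
    weak = weak_counter_tokens(0x12345678, 5)
    print(weak, "-> step", hex(constant_step(weak)))  # 0x97c4eb6a recovered
    strong = [generate_token() for _ in range(5)]
    print(strong[0], "-> step", constant_step(strong))  # None
```

Running the check on a few hundred live tokens, rather than five, is the realistic use; a generator that passes it can still be weak in other ways (time-seeded `java.util.Random`, for instance), so the check rules generators out, never in.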


Protection of session tokens throughout their life cycle

❖ Tokens should be exchanged securely using the HTTPS protocol.
▪ Using HTTPS only for authentication and then switching to HTTP does not guarantee security, because the token exchanged between the browser and the web server is no longer encrypted.
❖ The session token should not be included in the URL as a parameter, because there it can be easily retrieved / changed.
▪ Tokens should be carried in hidden fields submitted with the POST method.
❖ It is necessary to implement the Log Out feature: cancel all session parameters and the token.


Protection of session tokens throughout their life cycle

❖ Session expiration needs to be configured after a period of user inactivity. If the user submits a request after the session has expired, the user is redirected to the login page.
❖ Only 1 session per user is allowed at a time.
▪ When a user logs in to a new session, the old session and its resources need to be destroyed.
▪ Many web applications allow 1 user to be logged in to multiple sessions, making it difficult to track down anomalies and attacks.
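A server-side session store implementing the three rules from the last two slides, as an added example (not the notes' code): a random token per session, one live session per account with the previous one destroyed on a new login, expiry after a period of inactivity, and a logout that cancels the token and everything stored with it. The 15-minute default timeout and the injectable clock are assumptions of the example.

```python
"""Session store: one session per account, inactivity expiry, full logout
(added example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Session:
    user: str
    created: float
    last_seen: float
    data: dict = field(default_factory=dict)  # shopping cart, CSRF state, ...


class SessionStore:
    def __init__(self, idle_timeout: float = 15 * 60,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock  # injectable so tests can advance time deterministically
        self._by_token: Dict[str, Session] = {}
        self._by_user: Dict[str, str] = {}  # user -> the one live token

    def login(self, user: str) -> str:
        """Create a new session; any previous session of this user is destroyed."""
        old = self._by_user.get(user)
        if old is not None:
            self.logout(old)
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._by_token[token] = Session(user, now, now)
        self._by_user[user] = token
        return token  # sent to the browser as a Secure, HttpOnly cookie

    def resolve(self, token: Optional[str]) -> Optional[Session]:
        """Map a presented token to its session, or None if unknown or expired.

        An expired session is destroyed on the spot so its token can never be
        revived later; the caller redirects the user to the login page.
        """
        if token is None:
            return None
        session = self._by_token.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            self.logout(token)
            return None
        session.last_seen = now  # activity extends the session
        return session

    def logout(self, token: str) -> None:
        """Cancel the token and release every resource held for the session."""
        session = self._by_token.pop(token, None)
        if session is not None and self._by_user.get(session.user) == token:
            del self._by_user[session.user]


if __name__ == "__main__":
    store = SessionStore(idle_timeout=60)
    t1 = store.login("alice")
    t2 = store.login("alice")  # second login: t1 is now dead
    print(store.resolve(t1), store.resolve(t2).user)
```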


Protection of session tokens throughout their life cycle

❖ It is necessary to set a strict scope for cookies, in both the domain and its paths.
❖ Filters and security mechanisms are needed to prevent script-based attacks such as XSS and CSRF.
❖ A second authentication step on important transactions (such as payments, transfers) can effectively prevent CSRF attacks.
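An added example (not from the lecture notes) for the cookie-scope rule above and the earlier "No restriction to cookie scope" slide: a builder for the `Set-Cookie` header that carries the session token, a parser for it, and an audit that flags the settings which let the token leak to sub-domains, to plain-HTTP requests, to injected script or to cross-site requests. The cookie name, the sample values and the `app_path` parameter are constructed for the example.

```python
"""Set-Cookie header for a session token: build, parse, audit (added example)."""
from typing import Dict, List, Optional


def set_cookie_header(name: str, value: str, domain: Optional[str] = None,
                      path: str = "/", secure: bool = True, http_only: bool = True,
                      same_site: str = "Lax", max_age: Optional[int] = None) -> str:
    """Hardened defaults: host-only (no Domain), Secure, HttpOnly, SameSite=Lax."""
    parts = [f"{name}={value}"]
    if domain:
        parts.append(f"Domain={domain}")
    parts.append(f"Path={path}")
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    if same_site:
        parts.append(f"SameSite={same_site}")
    return "; ".join(parts)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into name/value plus lower-cased attributes."""
    pieces = [p.strip() for p in header.split(";")]
    name, _, value = pieces[0].partition("=")
    attrs = {"name": name, "value": value}
    for piece in pieces[1:]:
        key, _, val = piece.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else "true"
    return attrs


def cookie_problems(header: str, app_path: str = "/") -> List[str]:
    """Audit a session cookie; an empty list means the scope is tight enough."""
    a = parse_set_cookie(header)
    problems = []
    if "secure" not in a:
        problems.append("missing Secure: token would also travel over plain HTTP")
    if "httponly" not in a:
        problems.append("missing HttpOnly: token readable by injected script (XSS)")
    if a.get("samesite", "").lower() not in {"lax", "strict"}:
        problems.append("SameSite not Lax/Strict: cookie sent on cross-site requests (CSRF)")
    if "domain" in a:
        # Per RFC 6265 a Domain attribute makes the cookie apply to every
        # sub-domain of that domain; omitting it yields a host-only cookie.
        problems.append(f"Domain={a['domain']} set: token shared with all its sub-domains")
    if app_path != "/" and not a.get("path", "/").startswith(app_path):
        problems.append(f"Path={a.get('path', '/')} is wider than the application path {app_path}")
    return problems


if __name__ == "__main__":
    weak = "SESSIONID=abc123; Domain=example.com; Path=/"  # constructed weak header
    for p in cookie_problems(weak, app_path="/app"):
        print("weak:", p)
    print("hardened:", set_cookie_header("SESSIONID", "abc123", path="/app", same_site="Strict"))
```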


Protection of session tokens throughout their life cycle

❖ Use tokens to validate each page: for each page, the server can generate a random token, embed it in a hidden field and re-check it when the user submits the request.
▪ If the token is valid => the request is executed;
▪ If the token is invalid => the request is refused.
❖ Advantages:
▪ Effectively prevents attacks on tokens and sessions.
❖ Cons:
▪ Slows down the system;
▪ Disables the browser’s Forward and Back features.
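The per-page token scheme above, as an added example (not code from the notes): a fresh random token is issued when a page is rendered, bound to the session it was issued to, and accepted exactly once on submit. The single-use rule is what makes a Back/Forward resubmission fail, as the slide's "Cons" note. The cap on outstanding tokens per session is an assumption of the example.

```python
"""Per-page tokens issued at render time and checked once on submit
(added example)."""
import hmac
import secrets
from typing import Dict, Set


class PageTokens:
    def __init__(self, max_outstanding: int = 20):
        self.max_outstanding = max_outstanding  # bounds memory held per session
        self._issued: Dict[str, Set[str]] = {}  # session id -> live page tokens

    def issue(self, session_id: str) -> str:
        """Called while rendering a page; the value goes into
        <input type="hidden" name="page_token" value="...">."""
        token = secrets.token_urlsafe(32)
        live = self._issued.setdefault(session_id, set())
        if len(live) >= self.max_outstanding:
            live.pop()  # drop an arbitrary older token rather than grow without limit
        live.add(token)
        return token

    def validate(self, session_id: str, submitted: str) -> bool:
        """True exactly once per issued token; False for missing, foreign or reused tokens.

        Tokens are looked up under the submitting session only, so a token
        lifted from one user's page is useless with another user's session.
        """
        if not submitted or not submitted.isascii():
            return False
        live = self._issued.get(session_id, set())
        for token in live:
            if hmac.compare_digest(token, submitted):  # constant-time comparison
                live.remove(token)  # consumed: a replay of the same form fails
                return True
        return False


if __name__ == "__main__":
    pages = PageTokens()
    tok = pages.issue("session-A")
    print(pages.validate("session-A", tok))   # True  (first submit)
    print(pages.validate("session-A", tok))   # False (resubmit via Back button)
    print(pages.validate("session-B", tok))   # False (other session)
```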


Use token to validate a page


Logging, monitoring and reporting

❖ The management and use of tokens and other sensitive session information should be monitored and logged so that unusual behaviour can be alerted on;
❖ Measures:
▪ Monitor requests that contain invalid tokens: attackers usually have to try many tokens, resulting in a large number of invalid requests, which is one kind of session attack.
▪ It is difficult to prevent these token-guessing session attacks; however:
• It is possible to temporarily block the IP address from which the attack originated;
• If multiple users share the same NAT IP address or sit behind the same firewall, blocking that IP may also lock out normal users.
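The monitoring measure above as an added example (not from the lecture notes): a sliding-window counter of invalid-token requests per source address, run over a few constructed log lines. It raises an alert when a source exceeds the threshold and, to match the NAT caveat, downgrades the response for addresses known to be shared gateways from "block" to "alert-only". The log format, the addresses and the threshold are all constructed for the example.

```python
"""Alert on bursts of invalid-token requests per source IP (added example)."""
import re
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Set, Tuple

# Constructed log lines in a made-up format: "<epoch seconds> <client ip> <status> <reason>"
SAMPLE_LOG = """\
1700000000 198.51.100.7 200 ok
1700000001 203.0.113.9 401 invalid_token
1700000002 203.0.113.9 401 invalid_token
1700000003 203.0.113.9 401 invalid_token
1700000004 203.0.113.9 401 invalid_token
1700000005 203.0.113.9 401 invalid_token
1700000006 198.51.100.7 401 invalid_token
1700000100 203.0.113.9 401 invalid_token
"""

LINE = re.compile(r"^(\d+) (\S+) (\d{3}) (\S+)$")

# (ip, count, window end, action)
Alert = Tuple[str, int, int, str]


class InvalidTokenMonitor:
    def __init__(self, threshold: int = 5, window: int = 60,
                 shared_ips: Iterable[str] = ()):
        self.threshold = threshold
        self.window = window
        self.shared_ips: Set[str] = set(shared_ips)  # known NAT gateways / proxies
        self._events: Dict[str, Deque[int]] = defaultdict(deque)
        self.alerts: List[Alert] = []

    def observe(self, ts: int, ip: str, reason: str) -> None:
        if reason != "invalid_token":
            return
        q = self._events[ip]
        q.append(ts)
        while q and ts - q[0] > self.window:  # slide the window forward
            q.popleft()
        if len(q) >= self.threshold:
            action = "alert-only" if ip in self.shared_ips else "block"
            self.alerts.append((ip, len(q), ts, action))
            q.clear()  # one alert per burst; counting restarts afterwards

    def feed(self, log_text: str) -> List[Alert]:
        for line in log_text.splitlines():
            m = LINE.match(line)
            if m:
                self.observe(int(m.group(1)), m.group(2), m.group(4))
        return self.alerts


if __name__ == "__main__":
    for alert in InvalidTokenMonitor().feed(SAMPLE_LOG):
        print(alert)  # ('203.0.113.9', 5, 1700000005, 'block')
```

The "alert-only" path is where the notes' warning about shared addresses lands in practice: the security team still sees the burst, but no automatic block is applied to an address that represents many users.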


Logging, monitoring and reporting

❖ Measures:
▪ Warn the user about unusual activity on their account / session;
▪ Reactive session termination should be used for applications that require a high level of security, such as banking applications: the session is terminated immediately when:
• an unusual request is received;
• there are signs of a code-injection attack;
▪ Requiring authentication for each query can help slow down all types of attack, at some cost in convenience.


Securing web servers

❖ Vulnerabilities in the configuration of web servers
❖ Configuration guidelines for securing web servers
❖ Vulnerabilities in web server software
❖ Securing web server software


Vulnerabilities in configuration of web servers

❖ The configuration of a web server consists of the settings that control its operation;
❖ Weaknesses and vulnerabilities in the configuration of web servers:
▪ Default administrative accounts;
▪ Default contents;
▪ Directory browsing;
▪ Dangerous HTTP methods.


Default administrative accounts

❖ Most web servers come with default administrative accounts that use weak passwords, or even no password at all.


Default contents

❖ Much web server software comes with default contents that may serve as a “lever” for attackers against web servers, websites and web applications;
❖ Some default contents that may put systems at risk:
▪ Debugging and testing functionality for administrators;
▪ Sample features designed for common tasks;
▪ Special features designed for internal use but inadvertently accessible to outsiders;
▪ Web server administration or usage manuals, which can be a powerful tool for attackers.


Default contents - Debugging and testing functionality

❖ The PHP engine’s phpinfo.php is used by administrators to read the web server configuration.


Default contents - Sample features

❖ Microsoft IIS web servers (old versions):
▪ The CodeBrsw.asp page is designed to work only within the sample code directory /IISSAMPLES; it accepts a filename and displays the source code of that ASP page.
• However, by entering the path of another page in the form /IISSAMPLES/../NEW_FOLDER/page.asp, one can view the code of pages outside the sample directory.
▪ Many sample scripts that ship with IIS servers let attackers query the database or read MS Windows account information.
▪ Newer IIS versions (6 and newer) have removed these sample scripts.


Default contents - Sample features

❖ Apache Tomcat web servers provide a tool to read and modify session parameters. Attackers can exploit this tool to interfere with user sessions.


Default contents - Special features

❖ Some web servers offer powerful administrative features, but with weak or faulty access control, which can be exploited by attackers.
❖ Example: one typical error occurs in the PL/SQL gateway feature of Oracle Application Server:
▪ Requests from the website are passed to and executed directly by a procedure in the database, in the form:

▪ Another form of exploitation is that it can be used to execute arbitrary queries:


Directory browsing


Directory browsing

❖ When a web server receives a browser request for a directory, the following may happen:
▪ If a default page, such as index.html, default.htm, ..., exists in the directory, the default page is fetched and sent to the browser;
▪ If no default page is found, the web server can:
• Return the 403 (Forbidden) error if directory browsing is not enabled;
• Return the list of files in the directory if directory browsing is enabled.
❖ Since some files / directories may be configured with inappropriate permissions, allowing directory contents to be browsed can help attackers find useful information to aid their attacks.


Dangerous HTTP methods

❖ Apart from the standard HTTP methods GET and POST, web servers also support “dangerous” HTTP methods, such as:
▪ PUT allows files to be uploaded to the server
▪ DELETE allows a file or folder on the server to be removed
▪ COPY allows a file or folder on the server to be copied
▪ MOVE allows a file or folder on the server to be moved
▪ SEARCH allows files and folders on the server to be searched.


Configuration guidelines for securing web servers

❖ It is not difficult to configure a secure web server, but errors are common because:
▪ The administrator is negligent or over-confident;
▪ The administrator lacks awareness.
❖ Configuration approaches for securing web servers:
▪ Read the administration manual to gain a good understanding of how the web server operates and of its configuration settings;
▪ Set the configuration parameters according to the guidance for enhancing the security of the web server and web applications.


Configuration guidelines for securing web servers

❖ Rename default admin accounts and change their passwords. Delete or disable default admin accounts that are not in use;
❖ Block access from public networks to the administrative interfaces. Restrict access to administrative interfaces to the local network or to specific IP addresses using ACLs or firewalls.


Configuration guidelines for securing web servers

❖ For default contents:
▪ Remove the default content if it is not in use.
▪ Apply appropriate security measures to any default content / features that are required.
❖ Check all directories and forbid directory browsing.
▪ Make sure folders have default pages.
▪ Only allow directory browsing for specific, justified cases.


Configuration guidelines for securing web servers

❖ Lock / disable all HTTP methods that are not in use;
❖ Set appropriate access permissions for files / folders on the web server:
▪ Only grant READ permission on static web pages;
▪ Only grant READ, LIST and EXECUTE permissions on dynamic web pages;
▪ Only grant READ, LIST and WRITE permissions on folders that store uploaded files (NO EXECUTE).
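An added example (not code from the lecture notes) that ties together this slide, the "Directory browsing" decision tree and the "Dangerous HTTP methods" list: a request handler for a static document root that refuses every method outside a small allow-list, serves a directory's default page when one exists, returns 403 rather than a listing unless browsing was explicitly enabled for that request, and refuses paths that resolve outside the root. The document root is built in a temporary directory constructed inside the example; `ALLOWED_METHODS` and the default-page names are assumptions.

```python
"""Static document root dispatch: method allow-list, default pages, directory
browsing off by default, path containment (added example)."""
import tempfile
from pathlib import Path
from typing import Tuple

ALLOWED_METHODS = {"GET", "HEAD"}           # PUT, DELETE, COPY, MOVE, SEARCH refused
DEFAULT_PAGES = ("index.html", "default.htm")


def serve(root: Path, method: str, url_path: str,
          directory_browsing: bool = False) -> Tuple[int, str]:
    """Return (status, body) following the decision tree in the notes."""
    if method not in ALLOWED_METHODS:
        return 405, "Method Not Allowed"
    root = root.resolve()
    target = (root / url_path.lstrip("/")).resolve()
    # Containment check: anything that resolves outside the root is refused,
    # which is the server-side defence against path traversal.
    if target != root and root not in target.parents:
        return 403, "Forbidden"
    if not target.exists():
        return 404, "Not Found"
    if target.is_dir():
        for name in DEFAULT_PAGES:
            page = target / name
            if page.is_file():
                return 200, page.read_text()
        if not directory_browsing:
            return 403, "Forbidden"  # no default page and browsing disabled
        return 200, "\n".join(sorted(p.name for p in target.iterdir()))
    return 200, target.read_text(errors="replace")


def build_demo_root() -> Path:
    """Constructed document root: /public has index.html, /uploads has none."""
    root = Path(tempfile.mkdtemp())
    (root / "public").mkdir()
    (root / "public" / "index.html").write_text("<h1>home</h1>")
    (root / "uploads").mkdir()
    (root / "uploads" / "report.pdf").write_bytes(b"%PDF-stub")
    (root / "uploads" / "notes.txt").write_text("draft")
    return root


if __name__ == "__main__":
    demo = build_demo_root()
    print(serve(demo, "GET", "/public/"))               # (200, '<h1>home</h1>')
    print(serve(demo, "GET", "/uploads/"))              # (403, 'Forbidden')
    print(serve(demo, "GET", "/uploads/", True))        # listing, only when enabled
    print(serve(demo, "PUT", "/uploads/new.txt"))       # (405, 'Method Not Allowed')
    print(serve(demo, "GET", "/../../etc/passwd"))      # (403, 'Forbidden')
```

Filesystem permissions are the second layer the slide asks for: even with this dispatcher, the upload folder should be mounted or configured so that nothing in it can execute, so a file that slips through is still inert.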


Vulnerabilities in web server software

❖ Buffer overflow vulnerabilities
❖ Path traversal vulnerabilities
❖ Encoding and canonicalization vulnerabilities


Buffer overflow vulnerabilities

❖ Buffer overflow vulnerabilities:
▪ Are typical vulnerabilities of high severity;
▪ Allow attackers to inject and execute remote code, which in turn lets them take control of the victim systems.
❖ Some well-known buffer overflow vulnerabilities:
▪ Buffer overflow in Microsoft IIS ISAPI Extensions
▪ Buffer overflow in Apache Chunked Encoding
▪ Buffer overflow in Microsoft IIS WebDav
▪ Buffer overflow in iPlanet Search


Buffer overflow in Microsoft IIS ISAPI Extensions

❖ Details of the vulnerability:
▪ Microsoft IIS 4 and 5 web servers come with some ISAPI processors by default. ISAPI processors allow the execution of various types of code on the server.
▪ Some ISAPI processors contain buffer overflows that attackers can exploit, for example to spread worms.
▪ Notably, the Nimda and Code Red worms exploited the buffer overflows in the Internet Printing Protocol extension and the Index Server extension in 2001.
❖ Detailed description of the vulnerability can be found at:


Buffer overflow in Apache Chunked Encoding

❖ Details of the vulnerability:
▪ A buffer overflow in the server’s processing of signed integers was discovered in 2002 on the Apache web server.
▪ The faulty code is used in many parts of the Apache web server.
❖ Detailed description of the vulnerability can be found at:
http://www.securityfocus.com/bid/5033/discuss


Buffer overflow in Microsoft IIS WebDav

❖ Details of the vulnerability:
▪ The buffer overflow in a core component of MS Windows was discovered in 2003.
▪ Many attack methods that exploit this bug have been developed.
▪ The bug existed in Microsoft IIS WebDAV (Web Distributed Authoring and Versioning), the most exploited component, affecting many users.
❖ Detailed description of the vulnerability can be found at:
www.microsoft.com/technet/security/bulletin/MS03-007.mspx


Buffer overflow in iPlanet Search

❖ Details of the vulnerability:
▪ A stack buffer overflow in the search engine of the iPlanet web server was discovered in 2002.
▪ By sending a request with a large parameter, the hacker overflows the stack and can execute malicious code that runs with the access permissions of the server’s local user account.
❖ Detailed description of the vulnerability can be found at:
www.ngssoftware.com/advisories/sun-iws.txt


Path traversal vulnerabilities

❖ This type of vulnerability usually occurs when web applications perform read or write operations on the file system based on user-supplied parameters.
❖ If read/write operations on the local file system are not strictly validated, hackers can take advantage of them.
❖ The vulnerability can help hackers steal passwords, logs or sensitive data, or overwrite important data.
▪ In the worst case, hackers can gain control of both the web application and the system.


Path traversal vulnerabilities

❖ Example of path traversal vulnerabilities:
▪ A web application has a page that allows users to retrieve photos using the URL as follows:

▪ The page’s processing flow:
• Extract the filename of the photo from the request parameter;
• Concatenate the filename with the path C:\wahh-app\images\ to get the full path of the photo;
• Open the file using the full path;
• Retrieve the content of the file and return it to the client.


Path traversal vulnerabilities

❖ Example of path traversal vulnerabilities:
▪ The photo page of the web application is vulnerable when an attacker uses a path traversal sequence as part of the photo filename in the URL:

https://wahh-app.com/scripts/GetImage.aspx?file=..\..\windows\repair\sam

▪ The full path of the photo file will be:

C:\wahh-app\images\..\..\windows\repair\sam
→ C:\windows\repair\sam
→ this allows the attacker to retrieve the content of the ‘sam’ file, the MS Windows system file that stores usernames and passwords.


Path traversal vulnerabilities

❖ Example of path traversal vulnerabilities:
▪ Paths of some sensitive files on the systems:

..\..\..\..\windows\system32\config\sam
../../../../etc/passwd
../../../../etc/shadow


Path traversal vulnerabilities

❖ Example of path traversal vulnerabilities:


Path traversal vulnerabilities

❖ Defensive measures:
▪ Restrict / minimize the read/write operations to the local file system
based on input parameters from users;
▪ If the operations are necessary:
• Carefully validate input data to filter out all path traversal strings, such as
..\..\ or ../../ from the filename;
• Limit access to specific folders;
• Use standard or library filters that have been tested carefully.


Encoding and standardization vulnerabilities

❖ Web servers usually use encoding techniques to encode data;
▪ Base64 is one of the commonly used encoding techniques.
❖ Errors in encoding and standardization (canonicalization) techniques can assist attackers in attacking web systems;
❖ Some typical vulnerabilities:
▪ Encoding error in Allaire JRun web application server
▪ Encoding error in Microsoft IIS.


Encoding error in Allaire JRun web application server

❖ Encoding error that allows directory browsing in the Allaire JRun web application server:
▪ With the input URL:

▪ where %3f is the encoding of the ‘?’ character that begins the URL query string;
▪ The initial interpreter doesn’t perform URL decoding, but considers ‘%3f.jsp’ a script file and sends the filename to the JSP interpreter;
▪ The JSP interpreter converts %3f to ‘?’ and considers it an invalid request, causing a processing error that returns the list of files in the current folder.


Encoding error in Microsoft IIS

▪ IIS is equipped with a filter for path traversal strings in both plain and encoded form (..\..\ and ../../ strings).
▪ If the request contains a path traversal string, the string is removed.
▪ If the request does not contain a path traversal string, it is forwarded for processing in the next step.
▪ If the hacker applies some extra transformation, he might get past the path traversal filter.
▪ Example: hackers may use an invalid Unicode-encoded string, ‘..%c0%af’, to represent the path traversal string. When the system decodes it, it ignores the encoding error and converts ‘..%c0%af’ to ‘..\’.
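The GetImage.aspx flow from the path traversal slides, and the ordering lesson from the JRun and IIS encoding slides (decode the parameter once, then canonicalise, then check), can be shown together in a few lines. The code below is an added example and not code from the lecture notes or from any real application: it first implements the flow as the slide describes it (concatenate and open), then a hardened version that decodes once, refuses malformed encodings instead of ignoring the error, canonicalises the full path, and only opens the file if the result still lies inside the images folder. The directory layout, file names and request values are constructed for the demo; the allow-list regular expression for image names is an added second layer of defence.

```python
"""
Added example (not from the lecture notes): the slide's GetImage flow,
vulnerable and hardened. Layout mirrors the slide:
  <root>/wahh-app/images/photo1.jpg      (the intended resource)
  <root>/windows/repair/sam              (two levels up, stands in for the SAM file)
"""
import os
import re
import tempfile
from urllib.parse import unquote


def build_demo_tree():
    """Constructed sample tree; returns the images folder path."""
    root = tempfile.mkdtemp(prefix="traversal-demo-")
    images = os.path.join(root, "wahh-app", "images")
    secret_dir = os.path.join(root, "windows", "repair")
    os.makedirs(images)
    os.makedirs(secret_dir)
    with open(os.path.join(images, "photo1.jpg"), "wb") as fh:
        fh.write(b"JPEGDATA")
    with open(os.path.join(secret_dir, "sam"), "wb") as fh:
        fh.write(b"SECRET")
    return images


def get_image_vulnerable(images_dir, filename):
    """The slide's flow: concatenate the parameter with the images path and open it.
    Backslashes are mapped to the local separator so the Windows-style example
    behaves the same on POSIX. Returns the bytes, or None if the file is missing."""
    full_path = os.path.join(images_dir, filename.replace("\\", os.sep))
    try:
        with open(full_path, "rb") as fh:
            return fh.read()
    except OSError:
        return None


IMAGE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+\.(jpg|jpeg|png|gif)$")   # assumed allow-list


def resolve_inside(images_dir, raw_param):
    """Decode once, canonicalise, and return the absolute path only if it is still
    inside images_dir; otherwise return None. Decoding happens BEFORE the check."""
    try:
        decoded = unquote(raw_param, errors="strict")   # reject malformed encodings
    except UnicodeDecodeError:                            # e.g. the %c0%af sequence
        return None
    decoded = decoded.replace("\\", "/")                  # treat both separators alike
    base = os.path.realpath(images_dir)
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:     # escaped the folder
        return None
    return candidate


def get_image_safe(images_dir, raw_param):
    """Hardened handler: containment check first, then an allow-list on the name."""
    target = resolve_inside(images_dir, raw_param)
    if target is None or not IMAGE_NAME_RE.match(os.path.basename(target)):
        raise PermissionError(f"request rejected: {raw_param!r}")
    with open(target, "rb") as fh:
        return fh.read()


if __name__ == "__main__":
    images = build_demo_tree()
    print("vulnerable, traversal input:", get_image_vulnerable(images, "..\\..\\windows\\repair\\sam"))
    for param in ("photo1.jpg", "..\\..\\windows\\repair\\sam", "..%c0%af..%c0%afwindows/repair/sam"):
        try:
            print("hardened ", repr(param), "->", get_image_safe(images, param))
        except PermissionError as err:
            print("hardened ", err)
```

The containment check uses `os.path.commonpath` so it works on any Python 3 version; on 3.9 or later `pathlib.Path.is_relative_to` expresses the same test. Because the check runs on the canonical path rather than on the raw string, it does not matter which traversal spelling (`..\`, `../`, `%2e%2e/`, `..%5c`) the request used.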


Securing web server software

❖ Select high-quality web server software:
▪ High-quality and validated web server software developed by major software firms;
▪ High-ranking software firms can provide good support for troubleshooting problems.
❖ Update/upgrade web server software periodically;
❖ Implement security strengthening measures:
▪ Turn off or remove unnecessary or unused features and components.
▪ Rename the necessary default features or resources to avoid abuse.
▪ Run web applications with limited access privileges.


Securing web server software

❖ Get updated information about newly discovered web vulnerabilities from trusted sources:
▪ Bugtraq
▪ Full Disclosure
❖ Apply a ‘defense in depth’ strategy to protect web systems:
▪ Network protection (using firewalls)
▪ Operating system protection (using access control)
▪ Database protection
▪ Securing web applications via appropriate configuration settings
▪ Using SSL/TLS.


3.4 Securing web databases

❖ SQLi and defending against SQLi
❖ Database privilege settings
❖ Securing database stored procedures.


3.4 Securing web databases

❖ A database is one of the critical components of a web application:
▪ Stores web content
▪ Stores sensitive information, such as customer information.


SQLi and defending against SQLi

❖ 2 causes of SQLi attacks:
▪ Web applications use dynamic SQL queries that are created based on user input data;
▪ Insufficient validation and filtering of input data.


SQLi and defending against SQLi

❖ SQLi attacks may allow attackers to:
▪ Bypass user authentication of the web applications
▪ Insert, modify or delete data records from database tables
▪ Remove tables and databases completely
▪ Steal/extract data from databases
▪ Take control of the victim servers.


SQLi examples


SQLi with XSS


SQLi with XSS


SQLi to execute OS commands


Blind SQLi
❖ Blind SQLi to get information about system and database


Defending against SQLi

❖ Carefully validate input data from users
▪ Use data filters
▪ Use regular expressions for data validation
❖ Use stored procedures
❖ Minimize the use of dynamic SQL queries.
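The two causes of SQLi named on the earlier slide (dynamic queries built from user input, and insufficient validation) and the defences listed here can be put side by side in a small login check. This is an added example, not code from the lecture notes: an in-memory SQLite table with one constructed account, a login function that assembles its query by string concatenation, and the same check with an allow-list regular expression on the username plus a parameterised query. Passwords are stored in clear only to keep the demo short; a real system stores a salted hash. Stored procedures are not shown because SQLite does not have them.

```python
"""
Added example (not from the lecture notes): vulnerable vs. parameterised login.
"""
import re
import sqlite3


def make_db():
    """Constructed sample users table with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_dynamic_sql(conn, username, password):
    """Cause 1 on the slides: the query text is assembled from user input, so the
    input can change the structure of the query. Kept only to contrast with the fix."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Allow-list for usernames (slide: "use regular expressions for data validation").
# The character set and length are assumptions for this demo.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def login_parameterised(conn, username, password):
    """Defence: validate the username against an allow-list, then bind both values
    as query parameters so the driver never lets them be parsed as SQL."""
    if not USERNAME_RE.match(username):
        return False
    row = conn.execute(
        "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] > 0


if __name__ == "__main__":
    db = make_db()
    # constructed input: closes the string literal and appends an always-true clause
    crafted = "' OR '1'='1"
    print("dynamic SQL, crafted password  :", login_dynamic_sql(db, "alice", crafted))
    print("parameterised, crafted password:", login_parameterised(db, "alice", crafted))
```

With the crafted password the concatenated query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the vulnerable function accepts the login; the parameterised version compares the whole crafted string against the stored password and rejects it. The regular expression is a second, independent layer: it does not make the query safe by itself, but it stops inputs that have no business reaching the database at all.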


Database privilege settings

❖ Using 1 database account for all purposes:
▪ for accessing data from the web application
▪ for database administration
==> bad solution for database security management.
❖ Recommended solution: create different database accounts for different usage purposes:
▪ Read-only access users
▪ Update access users
▪ Database administration users
▪ System administration users.


Database privilege settings – Different DB users


Securing database stored procedures

❖ Advantages of using database stored procedures over dynamic SQL queries:
▪ Significantly increase performance because the procedures have been compiled and stored in the database.
▪ Efficiently prevent SQLi attacks due to the separation of user data from the SQL code.
❖ Minimize direct user access to data tables:
▪ Only grant permission to execute procedures.
▪ All data manipulation is done through procedures.
▪ Do not allow SQL statements to be executed directly on tables.


Securing database stored procedures

❖ Do not use dynamic SQL queries in stored procedures, because SQLi attacks are then still possible:


3.5 Securing file systems

❖ Set appropriate access privileges
❖ Keep source code secret
❖ Use information obscurity techniques
❖ Directory browsing and path traversal.


Set appropriate access privileges

❖ Use the operating system’s administrative tools to set appropriate access permissions on the local file system for groups of users:
▪ Public pages: allow access to all users
▪ Internal pages: require username + password authentication, or manage access based on sessions.
▪ Administration pages: additionally restrict the hosts / networks that are allowed to access them, by IP address.
▪ Pages containing sensitive data of the operating system and/or web servers: restricted access.


Keep source code secret

❖ Source code of web pages (excluding HTML/CSS files) should be kept secret, avoiding access by malicious users/hackers.


Keep source code secret

❖ Types of web server scripts:
▪ Interpreted scripts:
• PHP
• ASP
• Perl
• Python
▪ Compiled scripts:
• C++ (EXE or DLL forms)
• JSP/Java
• ASP.NET (VB.NET or C#)


Keep source code secret

❖ Script leakage in the backup process:
▪ Many editors automatically save the old contents of a file to a backup file before saving the updated content to the file. The backup file’s extension can be:
• .bak
• .backup
• .first
• .2
▪ When deploying the code files to the production server, if the administrator doesn’t delete the backup files, they can be exploited by hackers to view the source code.
▪ The web server doesn’t treat the backup files as script files, so it doesn’t execute them but returns the source code directly to the browser.
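A deployment check for exactly this leak is short enough to run from a release script. The code below is an added example, not from the lecture notes: it walks a web root and reports files that look like backup copies of server-side scripts, which the server would hand out as plain text. The suffix list starts from the slide (.bak, .backup, .first, .2) and, going a little beyond it, adds common editor leftovers (a trailing `~`, `.swp`, `.orig`, `.old`); the set of script extensions and the sample tree are constructed for the demo. Backups of HTML or CSS files are deliberately not reported, matching the "excluding HTML/CSS files" rule on the earlier slide.

```python
"""
Added example (not from the lecture notes): find backup copies of scripts in a web root.
"""
import os
import tempfile

# Slide's suffixes first, then editor leftovers added for this example.
BACKUP_SUFFIXES = (".bak", ".backup", ".first", ".2", "~", ".swp", ".orig", ".old")
SCRIPT_EXT = {".php", ".asp", ".aspx", ".pl", ".py", ".jsp", ".cgi"}   # assumption


def is_leaked_backup(name):
    """True if name looks like a backup of a script, e.g. login.php.bak, login.php~
    or the vim swap file .login.php.swp. Backups of non-script files are ignored."""
    lower = name.lower()
    for suffix in BACKUP_SUFFIXES:
        if lower.endswith(suffix):
            stem = lower[: -len(suffix)]                 # strip the backup suffix
            if os.path.splitext(stem)[1] in SCRIPT_EXT:  # what remains must be a script
                return True
    return False


def find_leaked_backups(webroot):
    """Relative paths of every suspicious file under webroot, sorted."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if is_leaked_backup(name):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def build_demo_root():
    """Constructed sample deployment with a few forgotten backup files."""
    root = tempfile.mkdtemp(prefix="deploy-")
    os.makedirs(os.path.join(root, "inc"))
    sample_files = (
        "index.php",                          # live script: fine
        "index.php.bak",                      # editor backup: leaks source
        ".login.php.swp",                     # vim swap file: leaks source
        os.path.join("inc", "config.php.2"),  # numbered backup: leaks source
        "style.css.bak",                      # CSS backup: not secret, ignored
        "readme.txt",                         # plain file: fine
    )
    for rel in sample_files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php /* constructed sample */ ?>\n")
    return root


if __name__ == "__main__":
    for hit in find_leaked_backups(build_demo_root()):
        print("leaked backup:", hit)
```

The same suffix-and-stem rule can be turned around on the server side: a web server rule that refuses to serve any file whose name ends in one of these suffixes is a useful second line of defence when a cleanup step is forgotten.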


Keep source code secret

❖ Information leakage from comments in source code:


Use information obscurity techniques

❖ Obscurity techniques can be used to hide the access information of a resource:
▪ They should NOT be used as the only security measure, but as a security-enhancing method;
▪ They should be used together with other security measures.
❖ Examples:
▪ Use of non-standard ports for internal, administrative sites (8080,...)
▪ Use a private, unusual URL for internal, administrative sites:

https://admin4963.mysite.com
https://mysite.com/admin4963/


Directory browsing and path traversal issues

❖ Enable or disable directory browsing:
▪ Use default pages in each web folder
▪ Disable directory browsing and use customized error pages.
❖ Path traversal issues:
▪ Use filters or regular expressions to filter out path traversal strings
▪ Restrict read/write operations on the local file system that use direct input from users.
❖ Periodically scan web logs for access and execution errors and apply appropriate fixes:
▪ Page not found error (404)
▪ Access forbidden (403)
▪ Execution error (500).
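The periodic log review recommended here is easy to automate. The scanner below is an added example, not code from the lecture notes: it parses lines in the Apache "combined" log format (also nginx's default), counts the 404, 403 and 500 responses the slide lists, tallies those errors per client address, and flags requests whose path carries a path traversal pattern in any of the spellings seen on the earlier slides (`..\`, `../`, `..%5c`, `%2e%2e`, `..%c0%af`). The log lines and IP addresses are constructed sample data from documentation address ranges.

```python
"""
Added example (not from the lecture notes): scan web logs for error responses
and path traversal attempts.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Apache/nginx "combined" format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
WATCHED_STATUS = {"403", "404", "500"}                         # the three classes on the slide
RAW_TRAVERSAL_RE = re.compile(r"%2e%2e|%c0%af", re.IGNORECASE)  # encoded forms, checked undecoded
DECODED_TRAVERSAL_RE = re.compile(r"\.\.[/\\]")                 # ../ or ..\ after one decode

# Constructed sample log (addresses from the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /scripts/GetImage.aspx?file=photo1.jpg HTTP/1.1" 200 8810
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /scripts/GetImage.aspx?file=..%5c..%5cwindows%5crepair%5csam HTTP/1.1" 403 199
198.51.100.4 - - [10/Oct/2023:13:56:02 +0000] "GET /scripts/..%c0%af..%c0%afwindows/repair/sam HTTP/1.1" 404 210
198.51.100.4 - - [10/Oct/2023:13:56:03 +0000] "GET /admin/ HTTP/1.1" 403 150
203.0.113.9 - - [10/Oct/2023:13:57:10 +0000] "POST /login.php HTTP/1.1" 500 -
"""


def is_traversal(path):
    """Check the raw path (catches malformed encodings a decoder would mangle) and
    the once-decoded path (catches ..%5c, %2e%2e%2f and plain ../ or ..\\)."""
    if RAW_TRAVERSAL_RE.search(path):
        return True
    return bool(DECODED_TRAVERSAL_RE.search(unquote(path)))


def analyse(log_text):
    """Summarise a log: error counts by status, errors per client IP, traversal hits."""
    status = Counter()
    errors_by_ip = Counter()
    traversal = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # skip lines that do not parse
        if m["status"] in WATCHED_STATUS:
            status[m["status"]] += 1
            errors_by_ip[m["ip"]] += 1
        if is_traversal(m["path"]):
            traversal.append((m["ip"], m["status"], m["path"]))
    return {"status": status, "errors_by_ip": errors_by_ip, "traversal": traversal}


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG)
    print("errors by status :", dict(report["status"]))
    print("errors by client :", dict(report["errors_by_ip"]))
    for ip, code, path in report["traversal"]:
        print(f"traversal attempt from {ip} ({code}): {path}")
```

A 403 or 404 on a traversal-looking path means the server or the application refused it, which is the desired outcome; the same pattern answered with a 200 is the case that needs immediate attention, and a burst of 500s from one client on one script is worth reading as a probe rather than a bug report.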


Securing web browsers

❖ Architecture of the web browsers
❖ Browser security issues
❖ Measures for securing web browsers
❖ Evaluate the security of some popular browsers


Architecture of the web browsers


Architecture of the web browsers

❖ User Interface:
▪ Is the interface between user and browser
▪ User Interface consists of:
• Menu
• Address bar
• Tool bar (Home, Back, Forward, Refresh, Stop,…)
• Bookmarks or Favourites
• Tabs


Architecture of the web browsers

❖ Browser Engine
▪ Is the intermediate component to process and transfer inputs from
User Interface to Rendering Engine.
❖ Rendering Engine:
▪ Responsible for displaying requested content to screen
▪ Processing flow:
• Parsing HTML tags;
• Use styles to build the presentation tree;
• Build presentation arrangements.


Architecture of the web browsers

❖ Networking
▪ Responsible for making network service calls, such as sending HTTP
requests to web server and receiving responses from the web server.
❖ JavaScript Interpreter
▪ Responsible for interpreting and executing JavaScript code in web
page.
❖ UI Backend
▪ Responsible for drawing objects in the browser such as windows,
combo boxes, lists, ...
❖ Data Storage
▪ A local database on a browser is responsible for storing data for the
browser to operate: Cache, Cookies, History,...


Browser security issues

❖ Web browsers can be attacked in the following ways:
▪ The operating system can be hacked and malicious code can read / modify the browser’s memory space in privileged mode;
▪ The browser itself is hacked;
▪ The browser components are hacked;
▪ Browser plug-ins / add-ons are hacked;
▪ The browser’s network communication might be intercepted from outside the machine.


Purposes of attacks on web browsers

❖ Display ads (pop-ups)
❖ Collecting / stealing personal information
❖ Marketing on the Internet
❖ Track / analyze user web usage
❖ Install adware, viruses, spyware and trojans, ...
❖ Install and use tools for:
▪ Clickjacking
▪ Likejacking,...


Browsers’ features and risks

❖ ActiveX support
▪ ActiveX is supported by Microsoft Internet Explorer on Microsoft Windows
▪ Many ActiveX components contain security flaws, helping hackers to attack the browser and the system.
❖ Java support
▪ Allows Java programs to run through the JVM as applets in a sandbox
▪ If the JVM installation has security errors, the Java code in the applet can help hackers attack the browser and the system.


Browsers’ features and risks

❖ Plug-ins / add-ons / extensions support:
▪ Browser plug-ins, add-ons, or extensions:
• External modules that are added to the browser
• Provide new features / utilities for users.
▪ Some common plug-ins: Adobe Flash Player, Adobe (Acrobat) Reader, Java plugin, ActiveX, ...
▪ Plug-ins and extensions also pose many security risks to the browser:
• They add attack surface;
• Some malicious code is written in the form of plug-ins.


Browsers’ features and risks

❖ Cookies
▪ May contain personal data and other information
▪ Cookies can be stolen through XSS attacks, etc.
❖ JavaScript
▪ Helps websites increase interactivity
▪ Facilitates XSS code execution.
❖ VBScript
▪ This feature is similar to JavaScript, but is only supported by Microsoft Internet Explorer.


Measures for securing web browsers

❖ Security and privacy settings
❖ Keep your browser up to date
❖ Sign up for alert extensions
❖ Be careful when installing plug-ins
❖ The system needs a virus scan program
❖ Install security plug-ins


Measures for securing web browsers

❖ Security and privacy settings
▪ Block third-party cookies
▪ Consider allowing or prohibiting ActiveX, Java, certain plug-ins, cookies, and JavaScript.
❖ Keep your browser up to date
▪ Regular updates will minimize the risk of being attacked through a known vulnerability
▪ Automatic updates should be used.
❖ Sign up for alert extensions
▪ Alert tools like Google Alerts are very helpful.


Measures for securing web browsers

❖ Be careful when installing plug-ins
▪ Know the plug-in’s features and origin
▪ Avoid installing strange, unknown plug-ins.
❖ The system needs a virus scan program
▪ An AV program operating in real-time protection mode will help limit the risk of malicious code infecting and attacking the system.


Measures for securing web browsers

❖ Install security plug-ins
▪ HTTPS Everywhere: allows you to always open the page in HTTPS (secure) mode if supported by the website.
▪ Web of Trust: a tool to evaluate the safety of a website
• Green icon: safe
• Yellow icon: be careful
• Red icon: should not be opened
▪ LongURL.org: displays the full URL hidden behind short links.


Web of Trust


LongURL.org


Evaluate the security of some popular browsers

❖ Evaluation criteria:
▪ Update frequency
▪ Number of vulnerabilities discovered / exploited
▪ Sandbox feature
▪ Ability to block malicious code using social engineering


Evaluate the security of some popular browsers


Evaluate the security of some popular browsers


Top 20 known vulnerabilities of common software


Browsers’ sandbox feature


Ability to block malicious code using social engineering


Evaluate the security of some popular browsers
