Browser Security – Issues and Best Practices
Outline
Intro to Browser Security
Need for Browser Security
Browser Security Fundamentals
Browser Security Issues
OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
OWASP Top 10 – A3:2017 – Sensitive Data Exposure
Attacks against Browser Security Mechanisms
Browser Security Best Practices
Intro to Browser Security
Intro to Browser Security
How does a web application work?
Client
Server
Involves browsers
Intro to Browser Security (contd.)
Browser
A browser is “an application that finds and displays web pages”.
It coordinates communication between your computer and the
web server where a particular website “lives” by:
Accepting a website address as a URL
Submitting a request to the server to retrieve the content for the
page
Processing the code (HTML, CSS, JavaScript, etc.) from the
server
Loading active content (Flash, ActiveX, etc.) needed by the
page
Displaying the complete, formatted web page
Repeating the process for every single user interaction with the
page
Source: Understanding Your Computer: Web Browsers – U.S.
CERT –
https://www.cisa.gov/uscert/ncas/tips/st04-022
Intro to Browser Security (contd.)
Examples:
Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari,
Opera, etc.
Browser Market Share as of February 2022:
Source: Global Web Stats – W3Counter–
https://www.w3counter.com/globalstats.php
Intro to Browser Security (contd.)
Browser security refers to “how differences in design and
implementation of various security technologies in modern web
browsers might affect their security” (X41 Browser Security
White Paper, 2017, pg. 8)
Browser security involves the following:
Protection against common client-side attacks
Protection against phishing
Management of browser extensions
Use of adequate cryptography protocols
Source: X41 Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-
White-Paper.pdf
Intro to Browser Security (contd.)
Browser security also involves the following:
Protection against active content
Active content refers to scripts that execute programs within the
browser
e.g.: scripts used to create splash pages or options like drop-
down menus
JavaScript is widely used to create active content
ActiveX controls reside on your computer and can be used as
spyware
Protecting cookies
Cookies store information such as IP address, domain names,
browser info, browsing habits, etc.
Both session cookies and persistent cookies must be protected
from security attacks by adjusting the browser’s security
settings to block or limit access to cookie information
Source: U.S. CERT – Browsing Safely: Understanding Active
Content and Cookies –
https://www.cisa.gov/uscert/ncas/tips/ST04-012
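The slide above says session and persistent cookies must be protected. The browser settings it refers to are one side of that; the other is the server sending session cookies with the attributes that keep browsers from exposing them. The following is an added example, not code from the slides or from U.S. CERT: a small audit of Set-Cookie headers (the header values are constructed for the demonstration) that reports which protective attributes are missing.

```python
"""Audit Set-Cookie headers for the attributes that protect session cookies.

Added example (not from the slides or from U.S. CERT). Secure keeps the cookie
off plain HTTP, HttpOnly keeps page scripts from reading it, and SameSite=Lax
or Strict keeps it off cross-site requests. The headers below are constructed.
"""
from __future__ import annotations

# Constructed sample headers, as a server might send them.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "sessionid=abc123; Path=/",
    "sessionid=abc; Secure; HttpOnly; SameSite=None; Max-Age=31536000",
]


def parse_set_cookie(header: str) -> dict[str, str | None]:
    """Split a Set-Cookie value into its name/value pair and its attributes.

    Attribute names are returned lower-cased; attributes that carry no value
    (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie: dict[str, str | None] = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip() or None
    return cookie


def audit_cookie(header: str) -> list[str]:
    """Return the list of problems found in one Set-Cookie header (empty = fine)."""
    cookie = parse_set_cookie(header)
    problems = []
    if "secure" not in cookie:
        problems.append("missing Secure: cookie can be sent over plain HTTP")
    if "httponly" not in cookie:
        problems.append("missing HttpOnly: readable by page scripts (XSS theft)")
    same_site = (cookie.get("samesite") or "").lower()
    if same_site not in ("lax", "strict"):
        problems.append("SameSite not Lax/Strict: sent on cross-site requests (CSRF)")
    if "expires" in cookie or "max-age" in cookie:
        problems.append("persistent: survives browser close; a session cookie should not")
    return problems


def audit_all(headers: list[str]) -> dict[str, list[str]]:
    """Audit several headers at once; keys are the raw header strings."""
    return {h: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for header, problems in audit_all(SAMPLE_HEADERS).items():
        print(header)
        for problem in problems or ["ok"]:
            print("   ", problem)
```

The first sample header passes; the second is missing all three attributes; the third is marked because SameSite=None still allows cross-site sending and Max-Age makes it persistent.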
Intro to Browser Security (contd.)
Browser-specific security features:
Google Chrome security features
Apple Safari security features
Internet Explorer security features
Microsoft Edge security features
Mozilla Firefox security features
Opera security features
Intro to Browser Security (contd.)
Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s
Security Features –
https://www.youtube.com/watch?v=2ZZQlgV2Gus
Need for Browser Security
Need for Browser Security
As per U.S. CERT (2015):
Browsers such as Firefox, Chrome, Edge, and Safari are
installed on almost all computers
Default browsers that come with operating systems are not set up
using secure default configurations
Insecure browsers can lead to spyware being installed on your
computers, allowing intruders to take control
There is an increasing threat from attacks that take advantage of
vulnerable web browsers
Hackers are using compromised or malicious websites to exploit
vulnerabilities in browsers
Need for Browser Security (contd.)
As per U.S. CERT (2015), the problem is made worse by a
number of factors including the following:
Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
19% of all vulnerabilities were associated with Layer 7 web
applications
However, the risk density is much higher for web application
vulnerabilities compared to network vulnerabilities
Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the
most common browser-related vulnerabilities are:
Cross-Site Scripting – 14.69%
Other Injection – 8.18%
DOM-based Vulnerability – 1.82%
Cross-Site Request Forgery – 1.75%
Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches
(Privacy Rights Clearinghouse, 2020)
Browser Security Fundamentals
Browser Security Fundamentals
How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function –
https://www.youtube.com/watch?v=z0HN-fG6oT4
Browser Security Fundamentals (contd.)
As per Open Canvas (2016), web browsers use the following
architectural components:
User interface
Rendering engine
Browser engine
Networking
JavaScript interpreter
Data storage – cookies, local storage, etc.
Browser Security Fundamentals (contd.)
Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser
101
(Chrome University) –
https://www.youtube.com/watch?v=PzzNuCk-e0Y
Browser Security Fundamentals (contd.)
Google Chrome Architecture:
Browser Process
Includes the User Interface (UI), networking, and storage
GPU Process
Handles rich web page content built using features like WebGL
Is a separate process to ensure stability and security
Utility Process
Runs untrusted code on behalf of the browser in a sandbox
e.g.: installing an extension, processing JSON
Is a short-lived process
Source: Google Chrome Developers – Anatomy of the Browser
101
(Chrome University) –
https://www.youtube.com/watch?v=PzzNuCk-e0Y
Browser Security Fundamentals (contd.)
Google Chrome Architecture (continued):
Extension Process
Ensures extensions have limited access to the browser, the page,
and the system
Stops poorly written extension code from adversely affecting
pages
Pepper Plugins
Handles plugin code not controlled by Google (Flash, PDF, etc.)
Uses new plugin API that is sandboxed
Renderer – Blink rendering engine
JavaScript Interpreter – v8 JavaScript engine
Source: Google Chrome Developers – Anatomy of the Browser
101
(Chrome University) –
https://www.youtube.com/watch?v=PzzNuCk-e0Y
Browser Security Fundamentals (contd.)
Google Chrome Security:
Sandboxing
Limits the impact of many browser vulnerabilities by isolating
different components of an application from the rest of the
system
Components run with their access privileges to system
resources and/or other components limited to the bare essentials
needed to perform their functions
Thus, the privileges an attacker can gain by exploiting a
security issue in one of these components are fairly limited
Process and Origin Isolation
Chrome uses Site Isolation to isolate websites with different
origins
Source: X41 – Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-
White-Paper.pdf
Browser Security Fundamentals (contd.)
Google Chrome Security:
Hardening and Exploit Mitigation
Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP,
etc.
Web Security
Same Origin Policy Enforcement
Restricts interaction between websites of different origins
Port Banning Enforcement
Denies connections to non-standard TCP ports
Content Security Policy Enforcement
Limits what sources of scripts are acceptable
HTML5 Features Support
Supports Service Workers, WebRTC, History API, WebGL,
Web Notifications, etc.
Source: X41 – Browser Security White Paper –
https://browser-security.x41-dsec.de/X41-Browser-Security-
White-Paper.pdf
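Two of the web-security mechanisms on the slide, Same Origin Policy enforcement and Content Security Policy enforcement, are rule sets that can be written out and tested. The following is an added example, not code from the slides, from the X41 paper or from Chrome: a Python model of the origin comparison (scheme, host, port) and of a simplified script-src decision. The CSP support is deliberately partial ('self', 'none', exact origins, and a bare *.host wildcard; no nonces or hashes), and the URLs and policies are constructed for the demonstration.

```python
"""Same-origin comparison and a minimal CSP script-src check.

Added example (not from the slides, X41 or Chrome). It models two browser
web-security rules in plain Python: an origin is the (scheme, host, port)
triple, and a script may load only from a source the page's CSP allows.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Default ports per scheme, so "https://a.example" and "https://a.example:443"
# normalise to the same origin, as browsers treat them.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url: str) -> tuple[str, str, int]:
    """Return the (scheme, host, port) triple compared under the Same Origin Policy."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme, -1)
    return (scheme, host, port)


def same_origin(url_a: str, url_b: str) -> bool:
    """True only when scheme, host and port all match; path and query are ignored."""
    return origin_of(url_a) == origin_of(url_b)


def parse_csp(header: str) -> dict[str, list[str]]:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_allowed(header: str, page_url: str, script_url: str) -> bool:
    """Decide whether a script source may load under the page's CSP.

    Simplified model of script-src: supports 'self', 'none', exact origins and
    a leading '*.' host wildcard, and falls back to default-src. Real browsers
    also handle nonces, hashes and scheme-only sources, which are omitted here.
    """
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'none'" in sources:
        return False
    _, host, _ = origin_of(script_url)
    for src in sources:
        if src == "'self'":
            if same_origin(page_url, script_url):
                return True
        elif src.startswith("*."):
            if host.endswith(src[1:]):
                return True
        elif same_origin(src, script_url):
            return True
    return False


if __name__ == "__main__":
    policy = "default-src 'self'; script-src 'self' https://cdn.example"
    page = "https://shop.example/cart"
    for script in ("https://shop.example/app.js", "https://cdn.example/lib.js",
                   "https://evil.example/x.js", "http://shop.example/app.js"):
        print(script, "->", "allowed" if script_allowed(policy, page, script) else "blocked")
```

Note that http://shop.example is blocked even though the host matches: under both rules the scheme is part of the origin, which is why a page served over HTTPS cannot be fed a script over plain HTTP from the "same" site.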
Browser Security Issues
Browser Security Issues
Specific browser security issues include the following:
Client-side JavaScript code for checking user input is not
enough
Information sent from the browser can be modified before it
reaches the server
Plenty of HTTP/HTTPS proxy tools are available to hackers for
this very purpose
Protocols such as SSL that browsers rely on have their own
issues
Likewise, attackers can use browser mechanisms such as cache,
cookies, session IDs, etc. to steal sensitive information
Java applets are susceptible to Man-in-the-Middle (MITM)
attacks
Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ –
https://owasp.org/www-
community/OWASP_Application_Security_FAQ
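The first three points on the slide belong together: whatever a page's JavaScript checks, the request can be rewritten in a proxy before it reaches the server, so the server must validate every field again and must not take security-relevant values (such as a price) from the client. The following is an added example, not code from the slides or from OWASP, showing that server-side re-validation in Python. The catalogue, field rules and submitted forms are constructed for the demonstration.

```python
"""Server-side re-validation of a form the browser already "checked".

Added example (not from the slides or OWASP). Client-side validation only
improves the user experience; here every field is validated again on the
server and the unit price comes from server data, never from the request.
The catalogue and the forms are constructed for the demonstration.
"""
from __future__ import annotations
import re

# Constructed server-side catalogue: the only trusted source of prices.
CATALOGUE = {"SKU-100": 25.00, "SKU-200": 9.99}

# Deliberately simple e-mail shape check; the length cap guards the regex.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")


class ValidationError(ValueError):
    """Raised for any field that fails server-side validation."""


def validate_order(form: dict[str, str]) -> dict:
    """Validate an order submitted by the browser and compute its total.

    The client form may also carry a 'price' field (shown to the user by
    the page's JavaScript); it is ignored on purpose, because anything in
    the request is under the sender's control.
    """
    sku = form.get("sku", "")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")
    try:
        quantity = int(form.get("quantity", ""))
    except ValueError:
        raise ValidationError("quantity is not an integer") from None
    if not 1 <= quantity <= 100:
        raise ValidationError("quantity out of range")
    email = form.get("email", "")
    if len(email) > 254 or not EMAIL_RE.match(email):
        raise ValidationError("invalid email")
    unit_price = CATALOGUE[sku]  # server-side price, not form["price"]
    return {"sku": sku, "quantity": quantity, "email": email,
            "total": round(unit_price * quantity, 2)}


def safe_validate(form: dict[str, str]) -> tuple[bool, object]:
    """Wrapper that reports (True, order) or (False, reason) instead of raising."""
    try:
        return True, validate_order(form)
    except ValidationError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed requests: the first is what the page's JavaScript would send,
    # the others are what a proxy tool could turn it into.
    for form in (
        {"sku": "SKU-100", "quantity": "2", "email": "a@b.example", "price": "25.00"},
        {"sku": "SKU-100", "quantity": "2", "email": "a@b.example", "price": "0.01"},
        {"sku": "SKU-100", "quantity": "-5", "email": "a@b.example"},
        {"sku": "SKU-999", "quantity": "1", "email": "a@b.example"},
    ):
        print(form, "->", safe_validate(form))
```

The second form is the instructive one: the tampered price is simply not consulted, so the total stays 50.00; the negative quantity and the unknown SKU, which a client-side check would also have caught, are rejected again here because the server cannot know whether that check ran.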
Browser Security Issues (contd.)
Specific browser security issues include the following:
Browsers pose a unique risk to the enterprise infrastructure
because of their frequent exposure to untrusted dynamic content
Configuring browser security settings is challenging due to
uncertainty of both attack mitigation effectiveness and impact
on end users
Administrator-driven manual patching often incurs significant
lag time before patches are deployed
Administrators are often hesitant to enable automatic updating
out of fear that patches will break existing functionality
88% of publicly disclosed vulnerabilities are exploited within a
day of release
Browser plugins accounted for 34.5% of browser-related
vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing –
https://www.nsa.gov/Portals/70/documents/what-we-
do/cybersecurity/professional-resources/csi-steps-to-secure-
web-browsing.pdf
Browser Security Issues (contd.)
OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-
Site_Scripting_(XSS)
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-
Site_Scripting_(XSS)
Browser Security Issues (contd.)
Cross-Site Scripting – XSS – Professor Messer
Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-
501 – 1.2 –
https://www.youtube.com/watch?v=AjsYOMatAcg
Browser Security Issues (contd.)
OWASP Top 10 – A3:2017 – Sensitive Data Exposure
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
https://owasp.org/www-project-top-ten/2017/A3_2017-
Sensitive_Data_Exposure
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –
https://owasp.org/www-project-top-ten/2017/A3_2017-
Sensitive_Data_Exposure
Browser Security Attacks
Browser Security Attacks
Most common browser security attacks:
Source: OWASP – Attacks –
https://owasp.org/www-community/attacks/
Attack Type – Description
Cache Poisoning – A maliciously constructed response is cached by the browser
Clickjacking – The attacker hijacks clicks meant for their own page and routes them to another page
Cross-Site Request Forgery (CSRF) – An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Cross-Site Scripting (XSS) – A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
Browser Security Attacks (contd.)
Most common browser security attacks (continued):
Attack Type – Description
Man-in-the-Browser – A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction
Session Hijacking – An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server
Spyware – A program that captures statistical information from a user’s computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser’s history.
Source: OWASP – Attacks –
https://owasp.org/www-community/attacks/
Browser Security
Best Practices
Browser Security Best Practices
Best practices for web browser security include:
Setting up browsers to Auto Update
Disabling malicious browser plugins such as Adware
Connecting to websites only using HTTPS
Clearing the browser history including cookies
Disabling the browser’s auto-complete of forms (including
stored passwords) functionality
Blocking browser pop-ups using extensions such as AdBlock
Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser
Security –
https://resources.infosecinstitute.com/best-practices-web-
browser-security/
Browser Security Best Practices (contd.)
Best practices for web browser security include:
Enabling automatic updates
Mitigates 91% of publicly known vulnerabilities
Enabling reputation services such as Google Safe Browsing or
Microsoft SmartScreen
Prevents 87.7% of socially engineered malware and phishing
attempts
Disabling unsafe plugins and extensions
Using advanced mitigation techniques/tools
Browser isolation, Cloud Browsers, O/S level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing –
https://www.nsa.gov/Portals/70/documents/what-we-
do/cybersecurity/professional-resources/csi-steps-to-secure-
web-browsing.pdf
Browser Security Best Practices (contd.)
Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –
https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-
Site_Scripting_(XSS).html
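The XSS slides (OWASP A7:2017 and this best-practices slide) reduce to one rule: untrusted data is encoded for the exact HTML context it is written into, rather than relying on input filtering alone. The following is an added example, not code from the slides or from OWASP, showing the vulnerable concatenation beside context-aware encoding in Python. The page fragments and inputs are constructed for the demonstration; the encoding functions are the standard library's html.escape and urllib.parse.quote.

```python
"""Output encoding against cross-site scripting (XSS).

Added example (not from the slides or OWASP). Each render_* function
handles one HTML context: text body, quoted attribute, and URL. The
"unsafe" version is kept only to show what the others prevent.
"""
from __future__ import annotations
import html
from urllib.parse import quote


def render_unsafe(name: str) -> str:
    """The vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<p>Hello, {name}</p>"


def render_safe(name: str) -> str:
    """HTML body context: escape <, >, & and both quote characters."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_attribute(value: str) -> str:
    """HTML attribute context: always quote the attribute and escape its value."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_link(path: str) -> str:
    """URL context: percent-encode the untrusted part and refuse absolute URLs.

    Only a relative path is accepted, so scheme-bearing values (javascript:,
    data:, or a link to another site) fall back to the site root.
    """
    if ":" in path:
        path = "/"
    return f'<a href="{html.escape(quote(path, safe="/"))}">profile</a>'


if __name__ == "__main__":
    # Constructed inputs a user-controlled field might carry.
    sample = "<script>alert(1)</script>"
    print("unsafe:   ", render_unsafe(sample))
    print("safe:     ", render_safe(sample))
    print("attribute:", render_attribute('" onmouseover="x'))
    print("link:     ", render_link("users/bob smith"))
    print("link:     ", render_link("javascript:alert(1)"))
```

The escaped body text still displays the user's input literally; it just no longer parses as a tag. The attribute case shows why the quoting and the escaping go together: with the quotes escaped, the value cannot close the attribute early, so no new attribute can be introduced.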
Recap
Browser security issues continue to be among the OWASP Top
10 list of web application security risks
This is due to weaknesses in browser mechanisms such as
browser processes, renderers, plugins, extensions, etc.
Hackers are able to exploit the weaknesses using attacks such as
cache poisoning, clickjacking, CSRF, XSS, MITM, session
hijacking, spyware, etc.
Best practices to protect browsers include using auto update,
HTTPS, pop-up blockers, VPNs or proxy servers, reputation
services, sandboxing, isolation, hardening, same origin policy,
port banning, content security policy, cloud browsers, etc.
Thank you!!!
Server Security – Issues and Best Practices
Outline
Intro to Server Security
Need for Server Security
Server Security Fundamentals
Server Security Issues
OWASP Top 10 – A6:2017 – Security Misconfiguration
OWASP Top 10 – A10:2017 – Insufficient Logging and
Monitoring
Attacks against Server Security Mechanisms
Server Security Best Practices
Intro to Server Security
Intro to Server Security
How does a web application work?
Client
Server
Involves servers
Intro to Server Security (contd.)
Server
A server serves as the host for web applications
It refers to the “server” portion of the client-server architecture
It receives the HyperText Transfer Protocol (HTTP) request
message from the client machine’s browser
It authenticates the client based on the user-supplied credentials
It authorizes the client’s access to the requested web application
after authentication
Intro to Server Security (contd.)
Server (continued)
It sends an HTTP response header back to the client machine
with the response code 200 for successful requests or the
response code 404 for page not found (maybe due to a broken
link)
It uses ports to make services available to clients
Common port numbers: 80 for HTTP traffic, 443 for HTTPS
traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet
traffic, etc.
Examples:
Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM
WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.
Intro to Server Security (contd.)
Server Market Share:
Source: Web and Application Servers Market Share Report –
Datanyze –
https://www.datanyze.com/market-share/web-and-application-
servers--425
Intro to Server Security (contd.)
What is a Server? – PowerCert Animated Videos
Source: PowerCert Animated Videos – What is a Server? –
https://www.youtube.com/watch?v=UjCDWCeHCzY
Intro to Server Security (contd.)
Server security refers to “the fundamental activities performed
as part of securing and maintaining the security of servers that
provide services over network communications as a main
function” (NIST SP 800-123, pg. 10)
Server security involves the following (NIST SP 800-44, pg.18):
Installing, configuring, and securing the server Operating
System (OS)
Installing, configuring, and securing the server software
Employing appropriate network protection mechanisms
Firewalls, packet filtering routers, proxies, etc.
Ensuring that the hosted web applications are securely coded
Employing secure administration and maintenance processes
Patching and upgrading, testing, monitoring of logs, backing up
data and OS
Protecting information and data in a careful/systemic manner
Conducting initial/periodic vulnerability scans of
server/network infrastructure
Intro to Server Security (contd.)
Server security (by technology):
Apache HTTP Server security settings
NGINX security settings
Internet Information Services (IIS) security settings
LiteSpeed Web Server security settings
OpenResty security settings
Server security (by Operating System)
Ubuntu Linux Server guide
Windows Server security guide
macOS Server Guide
Need for Server Security
Need for Server Security
As per NIST SP 800-123:
Servers are frequently targeted by attackers because of the value
of their data and services
Servers might contain personally identifiable information that
could be used to perform identity theft
Most organizations install servers with standard directory
names, directory locations, and filenames making it easy for
attackers to target those servers
The failure of organizations to fully recognize the amount of
expense and skills required to field a secure server often results
in overworked employees and insecure systems
Need for Server Security (contd.)
As per NIST SP 800-123 (continued):
Default hardware and software configurations are typically set
by manufacturers to emphasize features, functions, and ease of
use, at the expense of security
The default configuration of the OS often includes guest
accounts (with and without passwords), administrator or root
level accounts, and accounts associated with local and network
services
Because manufacturers are unaware of each organization’s
security needs, server administrators need to configure new
servers to reflect their organizations’ security requirements and
reconfigure them as needed
Need for Server Security (contd.)
As per NIST SP 800-44:
Compromised web sites can serve as an entry point for
intrusions into many organizations’ internal networks
Organizations can face monetary losses, damage to reputation,
or legal action if an intruder successfully violates the
confidentiality of their data
Hackers could compromise web server security by:
defacing organizations’ web site or otherwise affecting integrity
executing unauthorized commands on the host OS
launching attacks on external sites from the web server
using the server to deliver attacks against vulnerable clients
using the server to distribute illegally copied software
Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the
most common infrastructure vulnerabilities include the
following server-related issues:
44.70% – SSL / TLS Version & Configuration Issues
29.53% – SMB Security Issues
8.61% – OpenSSH Vulnerabilities & Configuration Issues
6.25% – Windows Remote Desktop Protocol Server MITM
4.15% – Unencrypted Telnet Services
1.69% – Unsupported & Unpatched Server Detection
Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
33.33% of all high and critical risk vulnerabilities discovered in
2018 were in relation to unsupported Windows Server 2003
systems (no patching, support, end-of-life systems)
7.53% of all high and critical risk vulnerabilities discovered in
2018 related to exposure to NotPetya CVEs (CVE-2017-0144,
CVE-2017-0145) – Windows Server Message Block (SMB)
Remote Code Execution Vulnerability
Systems using Apache and PHP also contributed to the Top 10
due to weak component security and traditional patch
management of exposed systems
Need for Server Security (contd.)
Hackers are increasingly using servers to cause data breaches
(Privacy Rights Clearinghouse, 2020)
Server Security Fundamentals
Server Security Fundamentals
What is the Apache HTTP Server? – CBT Nuggets
Source: CBT Nuggets – What is the Apache HTTP Server? –
https://www.youtube.com/watch?v=fRLJ3bnbHmE
Server Security Fundamentals (contd.)
A basic Apache web server architecture includes the following
components (Kew, 2007):
Modules
Multi-Processing Modules (MPM)
Apache Portable Runtime (APR) Libraries
Server Security Fundamentals (contd.)
Apache web server architecture:
Modules
Functionality that can be used to do things such as
authentication, dynamic content generation, encryption, virus
scanning, file compression, email services, file transfer
services, etc.
Multi Processing Modules (MPM)
Special module which allows Apache to be configured as a pure
process-based server, a pure threaded server, or both
Apache Portable Runtime (APR) Libraries
Provides for platform-specific tuning and optimization
Source: Apache – Apache HTTP Server Version 2.4
Documentation –
https://httpd.apache.org/docs/2.4/
Server Security Fundamentals (contd.)
Apache web server security:
Modular architecture
Allows modules to be enabled or disabled to add and remove
web server functionality
Only MPM modules can interact directly with the Operating
System
Authentication
Modules can authenticate against plain text files and database
files including Oracle, MySQL, PostgreSQL, etc.
E.g. mod_auth_basic, mod_auth_digest, mod_auth_form,
mod_authn_dbd, etc.
Source: Apache – Apache HTTP Server Version 2.4
Documentation –
https://httpd.apache.org/docs/2.4/
Server Security Fundamentals (contd.)
Apache web server security (continued):
Access Control
The mod_access_compat module can restrict access to resources
based on IP address or hostname of the client
SSL / TLS
The mod_ssl module provides strong encryption to protect data
transmitted between the web server and the client
Proxy
Apache supports both a traditional HTTP proxy and a reverse
proxy
Reverse proxy can be used for load balancing
Virtual Hosting Support and XML Security
Source: TLDP.org – Apache Overview HOWTO –
https://www.tldp.org/HOWTO/pdf/Apache-Overview-
HOWTO.pdf
Server Security Fundamentals (contd.)
Apache web server security (continued):
Configuration Settings
Modules come with several directives related to timeouts,
resource consumption, request processing, concurrent
connections, etc.
Common Gateway Interface (CGI) & Server Side Includes (SSI)
The suEXEC feature can reduce considerably the security risks
involved with allowing users to develop and run private CGI or
SSI programs
Logs
The mod_log_config, mod_log_forensic modules can be used to
log everything that happens on the server
Source: Apache.org – Apache HTTP Server Documentation
Version 2.4 –
https://archive.apache.org/dist/httpd/docs/httpd-docs-
2.4.33.en.pdf
Server Security Issues
Server Security Issues
As per NIST SP 800-123 (pg. 7), server security issues include:
Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-123.pdf
Server Security Issues (contd.)
As per NIST SP 800-44 (pg. 17-18), other server security issues
include the following:
Misconfiguration or other improper operation of the Web
server, which may result, for example, in the disclosure or
alteration of proprietary or sensitive information. This
information can include items such as:
Assets of the organization
Configuration of the server or network that could be exploited
for subsequent attacks
Credentials of the users or administrator(s) of the Web server
Inadequate or unavailable defense mechanisms for the Web
server to prevent certain classes of attacks, such as DoS attacks,
which disrupt the availability of the Web server and prevent
authorized users from accessing the Web site when required
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Issues (contd.)
Other server security issues include the following (continued):
Vulnerabilities within the Web server that might allow, for
example, attackers to compromise the security of the server and
other hosts on the organization’s network by taking actions such
as the following:
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Issues (contd.)
OWASP Top 10 – A6:2017 – Security Misconfiguration
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-
Security_Misconfiguration.html
Server Security Issues (contd.)
Common server security vulnerabilities:
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-
Security_Misconfiguration.html
Server Security Issues (contd.)
OWASP Top 10 – A10:2017 – Insufficient Logging & Monitoring
Source: OWASP Top 10 2017 A10 – Insufficient Logging &
Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-
Insufficient_Logging%2526Monitoring
Server Security Issues (contd.)
Common server security vulnerabilities:
Source: OWASP Top 10 2017 A10 – Insufficient Logging &
Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-
Insufficient_Logging%2526Monitoring
Server Security Attacks
Server Security Attacks
Most common server security attacks:
Attack Type – Description
Denial of Service (DoS) – Attacks may be directed to the server or its supporting network infrastructure, denying or hindering valid users from making use of its services.
Attacks may take advantage of the server’s account lockout policy.
Attacks may involve uploading many large files.
Attacks take advantage of simultaneous network connections.
Malware – Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server
Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-123.pdf
Server Security Attacks (contd.)
Most common server security attacks (continued):
Attack Type – Description
Man-in-the-Middle (MITM) – Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user
SYN Flood – If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)
Source: NIST SP 800-123 – Guide to General Server Security –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-123.pdf
Server Security Attacks (contd.)
Most common server security attacks (continued):
Attack Type – Description
Brute Force – Attackers try every possible password to attempt to gain access to a user’s account
Command Injection – Compromise of sensitive information on backend databases that are used to support a web application
Directory Traversal – Unauthorized access including gaining access to files or folders and being able to execute commands and/or install software on the web server
Replay Attack – An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63b)
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Attacks (contd.)
Replay Attacks – Professor Messer
Source: Replay Attacks – CompTIA Security+ Sy0-401: 3.2 –
https://www.youtube.com/watch?v=Ar97HbWLijU
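The Replay Attack entry above (and the Session Hijacking entry in the browser deck, where a stolen token is reused) succeeds only if the verifier accepts a code it has already accepted once. The following is an added example, not code from the slides or from NIST: an RFC 4226 HOTP generator, used here to produce the test values, and a server-side verifier that tracks the last accepted counter per user and refuses anything at or below it. The user store, secret and look-ahead window are constructed for the demonstration; the secret is the RFC 4226 test key, so the codes can be checked against the RFC's published vectors.

```python
"""HOTP verification that rejects replayed one-time passwords.

Added example (not from the slides or NIST). The verifier remembers the last
counter it accepted for each user and only tries counters above it, with a
small look-ahead for codes the user generated but never submitted. A captured
code therefore cannot be accepted a second time.
"""
from __future__ import annotations
import hashlib
import hmac
import struct

# RFC 4226 test key, used as the constructed demo secret.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


class OtpVerifier:
    """Server-side verifier keeping one moving counter per user."""

    def __init__(self, secrets: dict[str, bytes], look_ahead: int = 5):
        self._secrets = secrets
        self._look_ahead = look_ahead
        # Last counter accepted for each user; -1 means nothing accepted yet.
        self._last_counter = {user: -1 for user in secrets}

    def verify(self, user: str, code: str) -> bool:
        secret = self._secrets.get(user)
        if secret is None:
            return False
        last = self._last_counter[user]
        # Only counters strictly above the last accepted one are tried, so a
        # replayed code (same or older counter) is rejected. compare_digest
        # avoids leaking which digits matched through timing.
        for counter in range(last + 1, last + 1 + self._look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                self._last_counter[user] = counter
                return True
        return False


def demo_sequence() -> list[bool]:
    """Scripted exchange on a fresh verifier: fresh code, replay, next code,
    skipped-ahead code inside the window, then an old code from before it."""
    verifier = OtpVerifier({"alice": DEMO_SECRET})
    return [
        verifier.verify("alice", hotp(DEMO_SECRET, 0)),  # first use: accepted
        verifier.verify("alice", hotp(DEMO_SECRET, 0)),  # replay: rejected
        verifier.verify("alice", hotp(DEMO_SECRET, 1)),  # next counter: accepted
        verifier.verify("alice", hotp(DEMO_SECRET, 4)),  # within look-ahead: accepted
        verifier.verify("alice", hotp(DEMO_SECRET, 2)),  # now behind the counter: rejected
    ]


if __name__ == "__main__":
    print("HOTP(counter=0) =", hotp(DEMO_SECRET, 0))
    print("sequence:", demo_sequence())
```

The last step is the subtle one: once counter 4 has been accepted, counter 2 is "old" even though it was never submitted, which is exactly the property that defeats a replay of any earlier capture. TOTP verifiers need the same bookkeeping (remember the last accepted time step) for the same reason.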
Server Security
Best Practices
Server Security Best Practices
Best practices for web server security include:
Planning and managing web servers (pg. 33)
Plan the configuration and deployment of the web server
Choose an appropriate Operating System (OS) for the web
server
Choose an appropriate platform for the web server
General purpose OS, Trusted OS, web server appliance,
virtualized platform, etc.
Securing the web server OS (pg. 41)
Patch and upgrade the OS
Remove or disable unnecessary services and applications
Configure OS user authentication
Configure resource controls appropriately
Install and configure additional security controls
Test the security of the OS
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Securing the web server (pg. 51)
Securely install the web server
Configure OS and web server access controls
Configure a secure web content directory
Securing web content (pg. 70)
Ensure that sensitive information is not available on the web
server
Establish an organizational-wide documented formal policy and
process for approving public web content
Maintain Web user privacy
Mitigate indirect attacks on content
Consider client-side active content security
Maintain server-side active content security
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Using authentication and encryption technologies (pg. 86)
Configure web authentication and encryption technologies
Configure SSL / TLS
Protect against brute force attacks
Implementing a secure network infrastructure (pg. 99)
Identify a network location
Assess firewall configuration
Evaluate intrusion detection and prevention systems
Assess network switches
Evaluate load balancers
Evaluate reverse proxies
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Administering the web server (pg. 113)
Perform logging
Perform web server backups
Recover from a compromise
Test security
Conduct remote administration and content updates
Source: NIST SP 800-44 – Guidelines on Securing Public Web
Servers –
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublicati
on800-44ver2.pdf
Server Security Best Practices (contd.)
Use the following server security best practices to protect
against security misconfiguration:
43
Source: OWASP Top 10 2017 A6 – Security Misconfiguration –
https://owasp.org/www-project-top-ten/2017/A6_2017-
Security_Misconfiguration
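The slide above lists OWASP A6 as its source but the checklist itself was an image that did not survive extraction. As an added example (not from the deck, NIST or OWASP), the following Python script audits a server's HTTP response headers for the misconfigurations a browser-facing service most often ships with: missing HSTS, MIME sniffing allowed, no Content-Security-Policy, no clickjacking protection, version disclosure in the Server header, and session cookies without Secure/HttpOnly. The two header sets and the thresholds (one-year HSTS max-age) are constructed assumptions for illustration; a real audit would feed in headers captured from the deployed server.

```python
"""Audit HTTP response headers for common server security misconfigurations.

Added example, not part of the original slide deck. The WEAK_HEADERS and
HARDENED_HEADERS samples below are constructed for illustration.
"""
import re

# Constructed sample: a default-looking response that discloses the server
# version, sets no hardening headers and issues an unprotected session cookie.
WEAK_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Content-Type": "text/html",
    "Set-Cookie": ["sessionid=abc123; Path=/"],
}

# Constructed sample: the same response after hardening.
HARDENED_HEADERS = {
    "Server": "Apache",
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": ["sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}

# Assumption: HSTS max-age of at least one year is treated as adequate.
MIN_HSTS_MAX_AGE = 31536000


def _normalize(headers):
    """Lower-case header names and allow repeated headers (e.g. Set-Cookie) as lists."""
    out = {}
    for name, value in headers.items():
        values = value if isinstance(value, list) else [value]
        out.setdefault(name.lower(), []).extend(values)
    return out


def audit_headers(headers):
    """Return a list of finding strings; an empty list means these checks found nothing."""
    h = _normalize(headers)
    findings = []

    # 1. HSTS: present and with a sufficiently long max-age.
    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if not m:
        findings.append("HSTS missing: Strict-Transport-Security header not set")
    elif int(m.group(1)) < MIN_HSTS_MAX_AGE:
        findings.append("HSTS weak: max-age below one year")

    # 2. MIME sniffing: browsers may execute mis-typed content without nosniff.
    if "nosniff" not in h.get("x-content-type-options", [""])[0].lower():
        findings.append("MIME sniffing allowed: X-Content-Type-Options: nosniff missing")

    # 3. CSP: present and not neutered by unsafe-inline / unsafe-eval.
    csp = h.get("content-security-policy", [""])[0]
    if not csp:
        findings.append("CSP missing: Content-Security-Policy header not set")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("CSP weak: policy allows 'unsafe-inline' or 'unsafe-eval'")

    # 4. Clickjacking: either legacy X-Frame-Options or CSP frame-ancestors.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("Clickjacking: no X-Frame-Options or CSP frame-ancestors")

    # 5. Version disclosure: "Product/1.2.3" style Server header.
    server = h.get("server", [""])[0]
    if re.search(r"/\d", server):
        findings.append(f"Version disclosure: Server header reveals '{server}'")

    # 6. Cookies: every Set-Cookie must carry Secure and HttpOnly attributes.
    for cookie in h.get("set-cookie", []):
        parts = cookie.split(";")
        name = parts[0].split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in parts[1:]}
        missing = [a for a in ("secure", "httponly") if a not in attrs]
        if missing:
            findings.append(f"Cookie '{name}' missing attribute(s): {', '.join(missing)}")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

The checks are deliberately string-based so the same function can run over headers pulled from a live response, a stored HAR file or a configuration review, and the findings list is stable enough to diff between deployments as a regression check.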
Server Security Best Practices (contd.)
Use the following server security best practices to protect
against insufficient logging and monitoring:
44
Source: OWASP Top 10 2017 A10 – Insufficient Logging &
Monitoring –
https://owasp.org/www-project-top-ten/2017/A10_2017-
Insufficient_Logging%2526Monitoring
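Three of the practices on the preceding slides meet in one piece of tooling: "Protect against brute force attacks" (slide 41), "Perform logging" (slide 42) and the OWASP A10 point that failures must be logged and monitored, not just recorded. As an added example (not from the deck, NIST or OWASP), the following Python detector reads web server access-log lines in the Apache/nginx "combined" format and flags any client that produces a burst of failed POSTs to the login endpoint within a sliding time window, noting whether a successful login followed the burst, which is the case an analyst most wants to see first. The log lines, the client addresses (documentation ranges), the login path and the threshold/window values are constructed assumptions for illustration.

```python
"""Brute-force login detection over web server access-log lines.

Added example, not part of the original slide deck. SAMPLE_LOG, the login
path and the threshold/window defaults are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" log prefix: client, identd, user, [timestamp],
# "METHOD path protocol", status, size (trailing referrer/UA fields are ignored).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: six failed POSTs to /login from one client in under 30 s,
# followed by a redirect (successful login), plus an unrelated client's traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2022:12:00:05 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Mar/2022:12:00:06 +0000] "GET /index.html HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2022:12:00:09 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2022:12:00:14 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.4 - - [10/Mar/2022:12:00:15 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2022:12:00:20 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2022:12:00:28 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.7 - - [10/Mar/2022:12:00:31 +0000] "POST /login HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2022:12:05:00 +0000] "POST /login HTTP/1.1" 200 1024
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line)
    if not m:
        return None  # skip rather than crash: log files often contain junk lines
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect_bruteforce(log_text, login_path="/login", threshold=5,
                      window=timedelta(seconds=60)):
    """Return {ip: alert} for each client with >= threshold login failures inside window.

    Each alert records the densest failure window seen for that client and
    whether a successful login (200/302) from the same client followed it.
    """
    failures = defaultdict(list)
    successes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        if rec["status"] in (401, 403):
            failures[rec["ip"]].append(rec["ts"])
        elif rec["status"] in (200, 302):
            successes[rec["ip"]].append(rec["ts"])

    alerts = {}
    for ip, times in failures.items():
        times.sort()
        best = None  # (count, first_ts, last_ts) of the densest qualifying window
        start = 0
        for end, t_end in enumerate(times):
            # Slide the window start forward until it fits within `window`.
            while t_end - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, times[start], t_end)
        if best:
            count, first, last = best
            alerts[ip] = {
                "failures": count,
                "first": first,
                "last": last,
                "success_after": any(s >= last for s in successes.get(ip, [])),
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        tag = "possible compromise" if alert["success_after"] else "blocked/ongoing"
        print(f"{ip}: {alert['failures']} failures "
              f"{alert['first']:%H:%M:%S}-{alert['last']:%H:%M:%S} ({tag})")
```

In production the same function would be fed by tailing the access log or by a SIEM query; the point of the sliding window is that a slow, spread-out credential attack stays below the threshold, so the window and threshold should be tuned per endpoint and paired with rate limiting or lockout on the server side rather than relied on alone.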
Recap
Server security issues continue to be among the OWASP Top 10
list of web application security risks
This is due to weaknesses in server technologies such as
authentication, access controls, configuration, connections,
encryption, active content, logs, etc.
Hackers are able to exploit the weaknesses using attacks such as
DoS, malware, MITM, SYN flood, brute force, command
injection, directory traversal, replay attacks, etc.
Best practices to protect servers include planning and managing
web servers, securing the web server OS, securing the web
server, securing web content, using authentication and
encryption technologies, implementing a secure network
infrastructure, administering the web server, etc.
45
Thank you!!!
46
Ad

More Related Content

Similar to Browser Security – Issues and Best Practices1Outli (20)

Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
Wail Hassan
 
Essential Security Practices for Modern Web Developers.pdf
Essential Security Practices for Modern Web Developers.pdfEssential Security Practices for Modern Web Developers.pdf
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
WebSec_MSR.ppt
WebSec_MSR.pptWebSec_MSR.ppt
WebSec_MSR.ppt
LucaMartins7
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
Tobias Koprowski
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
9781423903055 ppt ch10
9781423903055 ppt ch109781423903055 ppt ch10
9781423903055 ppt ch10
临枫 盖
 
C01461422
C01461422C01461422
C01461422
IOSR Journals
 
Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)Seguridad Corporativa Con Internet Explorer 8(1)
Seguridad Corporativa Con Internet Explorer 8(1)
Microsoft Argentina y Uruguay [Official Space]
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
Cisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magicCisco WebEx vulnerability: it’s a kind of magic
Cisco WebEx vulnerability: it’s a kind of magic
ITrust - Cybersecurity as a Service
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
Sheri Elliott
 
منصة شليلة
منصة شليلةمنصة شليلة
منصة شليلة
ssuser81f53f
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
Editor IJCATR
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application Security
Dr. Ramchandra Mangrulkar
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
HTS Hosting
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 
Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)Module 12 (web application vulnerabilities)
Module 12 (web application vulnerabilities)
Wail Hassan
 
Essential Security Practices for Modern Web Developers.pdf
Essential Security Practices for Modern Web Developers.pdfEssential Security Practices for Modern Web Developers.pdf
Essential Security Practices for Modern Web Developers.pdf
Zinavo Pvt Ltd
 
Web Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging ThreatsWeb Application Testing for Today’s Biggest and Emerging Threats
Web Application Testing for Today’s Biggest and Emerging Threats
Alan Kan
 
The Evil Friend in Your Browser
The Evil Friend in Your BrowserThe Evil Friend in Your Browser
The Evil Friend in Your Browser
Achim D. Brucker
 
Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)Welcome to International Journal of Engineering Research and Development (IJERD)
Welcome to International Journal of Engineering Research and Development (IJERD)
IJERD Editor
 
DataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPSDataMindsConnect2018_SECDEVOPS
DataMindsConnect2018_SECDEVOPS
Tobias Koprowski
 
Security in the cloud protecting your cloud apps
Security in the cloud   protecting your cloud appsSecurity in the cloud   protecting your cloud apps
Security in the cloud protecting your cloud apps
Cenzic
 
9781423903055 ppt ch10
9781423903055 ppt ch109781423903055 ppt ch10
9781423903055 ppt ch10
临枫 盖
 
Ceh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilitiesCeh v5 module 12 web application vulnerabilities
Ceh v5 module 12 web application vulnerabilities
Vi Tính Hoàng Nam
 
Sql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application EnvironmentSql Injection Attacks And A Web Application Environment
Sql Injection Attacks And A Web Application Environment
Sheri Elliott
 
منصة شليلة
منصة شليلةمنصة شليلة
منصة شليلة
ssuser81f53f
 
CMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer SystemCMS Website Security Threat Protection Oriented Analyzer System
CMS Website Security Threat Protection Oriented Analyzer System
Editor IJCATR
 
Lecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application SecurityLecture #18 - #20: Web Browser and Web Application Security
Lecture #18 - #20: Web Browser and Web Application Security
Dr. Ramchandra Mangrulkar
 
The Nitty Gritty of Website Security
The Nitty Gritty of Website SecurityThe Nitty Gritty of Website Security
The Nitty Gritty of Website Security
HTS Hosting
 
Get Ready for Web Application Security Testing
Get Ready for Web Application Security TestingGet Ready for Web Application Security Testing
Get Ready for Web Application Security Testing
Alan Kan
 
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
21CSB02T UNIT 1 NOTES. FOR WEB APPLICATION SECURITY VERTICAL COURSES
Rajkumars275092
 

More from VannaSchrader3 (20)

Topic that identifies characteristics of Native American Culture and.docx
Topic that identifies characteristics of Native American Culture and.docxTopic that identifies characteristics of Native American Culture and.docx
Topic that identifies characteristics of Native American Culture and.docx
VannaSchrader3
 
Topic Stem Cell ResearchAPA Format I need these topics. don.docx
Topic Stem Cell ResearchAPA Format I need these topics. don.docxTopic Stem Cell ResearchAPA Format I need these topics. don.docx
Topic Stem Cell ResearchAPA Format I need these topics. don.docx
VannaSchrader3
 
Topic Styles of PolicingYou are a patrol officer in a middle- to .docx
Topic Styles of PolicingYou are a patrol officer in a middle- to .docxTopic Styles of PolicingYou are a patrol officer in a middle- to .docx
Topic Styles of PolicingYou are a patrol officer in a middle- to .docx
VannaSchrader3
 
Topic the legalization of same sex adoptionThese same sex adopti.docx
Topic the legalization of same sex adoptionThese same sex adopti.docxTopic the legalization of same sex adoptionThese same sex adopti.docx
Topic the legalization of same sex adoptionThese same sex adopti.docx
VannaSchrader3
 
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docxTOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
VannaSchrader3
 
Topic Media Example (article)1) as usual, do an analysis of the.docx
Topic Media Example (article)1) as usual, do an analysis of the.docxTopic Media Example (article)1) as usual, do an analysis of the.docx
Topic Media Example (article)1) as usual, do an analysis of the.docx
VannaSchrader3
 
Topic Servant LeadershipThread In our reading we explored th.docx
Topic Servant LeadershipThread In our reading we explored th.docxTopic Servant LeadershipThread In our reading we explored th.docx
Topic Servant LeadershipThread In our reading we explored th.docx
VannaSchrader3
 
Topic Organization of Law Enforcement AgenciesDo you agree or d.docx
Topic Organization of Law Enforcement AgenciesDo you agree or d.docxTopic Organization of Law Enforcement AgenciesDo you agree or d.docx
Topic Organization of Law Enforcement AgenciesDo you agree or d.docx
VannaSchrader3
 
Topic Parents Should have a license to have childrenaprox. 500 wo.docx
Topic Parents Should have a license to have childrenaprox. 500 wo.docxTopic Parents Should have a license to have childrenaprox. 500 wo.docx
Topic Parents Should have a license to have childrenaprox. 500 wo.docx
VannaSchrader3
 
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docxTopic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
VannaSchrader3
 
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docxTopic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
VannaSchrader3
 
Topic Fingerprints.Study fingerprinting in the textbook and res.docx
Topic Fingerprints.Study fingerprinting in the textbook and res.docxTopic Fingerprints.Study fingerprinting in the textbook and res.docx
Topic Fingerprints.Study fingerprinting in the textbook and res.docx
VannaSchrader3
 
Topic is Domestic Violence, Both men and women being the abus.docx
Topic is Domestic Violence, Both men and women being the abus.docxTopic is Domestic Violence, Both men and women being the abus.docx
Topic is Domestic Violence, Both men and women being the abus.docx
VannaSchrader3
 
Topic is regional integration .First You need to find article and re.docx
Topic is regional integration .First You need to find article and re.docxTopic is regional integration .First You need to find article and re.docx
Topic is regional integration .First You need to find article and re.docx
VannaSchrader3
 
Topic Human Trafficking in relation to US Border and Coastal securi.docx
Topic Human Trafficking in relation to US Border and Coastal securi.docxTopic Human Trafficking in relation to US Border and Coastal securi.docx
Topic Human Trafficking in relation to US Border and Coastal securi.docx
VannaSchrader3
 
Topic is AutonomyShort papers should use double spacing, 12-point .docx
Topic is AutonomyShort papers should use double spacing, 12-point .docxTopic is AutonomyShort papers should use double spacing, 12-point .docx
Topic is AutonomyShort papers should use double spacing, 12-point .docx
VannaSchrader3
 
Topic Genetic connection of hypertension to cardiovascular disease .docx
Topic Genetic connection of hypertension to cardiovascular disease .docxTopic Genetic connection of hypertension to cardiovascular disease .docx
Topic Genetic connection of hypertension to cardiovascular disease .docx
VannaSchrader3
 
topic Errors (medication or patient injury)in particular stra.docx
topic Errors (medication or patient injury)in particular stra.docxtopic Errors (medication or patient injury)in particular stra.docx
topic Errors (medication or patient injury)in particular stra.docx
VannaSchrader3
 
Topic differences between folk guitar and classic guitar.Minimu.docx
Topic differences between folk guitar and classic guitar.Minimu.docxTopic differences between folk guitar and classic guitar.Minimu.docx
Topic differences between folk guitar and classic guitar.Minimu.docx
VannaSchrader3
 
Topic Death Investigations. Review homicide investigation as de.docx
Topic Death Investigations. Review homicide investigation as de.docxTopic Death Investigations. Review homicide investigation as de.docx
Topic Death Investigations. Review homicide investigation as de.docx
VannaSchrader3
 
Topic that identifies characteristics of Native American Culture and.docx
Topic that identifies characteristics of Native American Culture and.docxTopic that identifies characteristics of Native American Culture and.docx
Topic that identifies characteristics of Native American Culture and.docx
VannaSchrader3
 
Topic Stem Cell ResearchAPA Format I need these topics. don.docx
Topic Stem Cell ResearchAPA Format I need these topics. don.docxTopic Stem Cell ResearchAPA Format I need these topics. don.docx
Topic Stem Cell ResearchAPA Format I need these topics. don.docx
VannaSchrader3
 
Topic Styles of PolicingYou are a patrol officer in a middle- to .docx
Topic Styles of PolicingYou are a patrol officer in a middle- to .docxTopic Styles of PolicingYou are a patrol officer in a middle- to .docx
Topic Styles of PolicingYou are a patrol officer in a middle- to .docx
VannaSchrader3
 
Topic the legalization of same sex adoptionThese same sex adopti.docx
Topic the legalization of same sex adoptionThese same sex adopti.docxTopic the legalization of same sex adoptionThese same sex adopti.docx
Topic the legalization of same sex adoptionThese same sex adopti.docx
VannaSchrader3
 
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docxTOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
TOPIC The Truth About Caffeine3 pages,give some statistics of neg.docx
VannaSchrader3
 
Topic Media Example (article)1) as usual, do an analysis of the.docx
Topic Media Example (article)1) as usual, do an analysis of the.docxTopic Media Example (article)1) as usual, do an analysis of the.docx
Topic Media Example (article)1) as usual, do an analysis of the.docx
VannaSchrader3
 
Topic Servant LeadershipThread In our reading we explored th.docx
Topic Servant LeadershipThread In our reading we explored th.docxTopic Servant LeadershipThread In our reading we explored th.docx
Topic Servant LeadershipThread In our reading we explored th.docx
VannaSchrader3
 
Topic Organization of Law Enforcement AgenciesDo you agree or d.docx
Topic Organization of Law Enforcement AgenciesDo you agree or d.docxTopic Organization of Law Enforcement AgenciesDo you agree or d.docx
Topic Organization of Law Enforcement AgenciesDo you agree or d.docx
VannaSchrader3
 
Topic Parents Should have a license to have childrenaprox. 500 wo.docx
Topic Parents Should have a license to have childrenaprox. 500 wo.docxTopic Parents Should have a license to have childrenaprox. 500 wo.docx
Topic Parents Should have a license to have childrenaprox. 500 wo.docx
VannaSchrader3
 
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docxTopic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
Topic PATIENT DATA PRIVACYPerformance Improvement plan Proper an.docx
VannaSchrader3
 
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docxTopic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
Topic Kelly’s Personal ConstructsQuestionPrompt  Analyze th.docx
VannaSchrader3
 
Topic Fingerprints.Study fingerprinting in the textbook and res.docx
Topic Fingerprints.Study fingerprinting in the textbook and res.docxTopic Fingerprints.Study fingerprinting in the textbook and res.docx
Topic Fingerprints.Study fingerprinting in the textbook and res.docx
VannaSchrader3
 
Topic is Domestic Violence, Both men and women being the abus.docx
Topic is Domestic Violence, Both men and women being the abus.docxTopic is Domestic Violence, Both men and women being the abus.docx
Topic is Domestic Violence, Both men and women being the abus.docx
VannaSchrader3
 
Topic is regional integration .First You need to find article and re.docx
Topic is regional integration .First You need to find article and re.docxTopic is regional integration .First You need to find article and re.docx
Topic is regional integration .First You need to find article and re.docx
VannaSchrader3
 
Topic Human Trafficking in relation to US Border and Coastal securi.docx
Topic Human Trafficking in relation to US Border and Coastal securi.docxTopic Human Trafficking in relation to US Border and Coastal securi.docx
Topic Human Trafficking in relation to US Border and Coastal securi.docx
VannaSchrader3
 
Topic is AutonomyShort papers should use double spacing, 12-point .docx
Topic is AutonomyShort papers should use double spacing, 12-point .docxTopic is AutonomyShort papers should use double spacing, 12-point .docx
Topic is AutonomyShort papers should use double spacing, 12-point .docx
VannaSchrader3
 
Topic Genetic connection of hypertension to cardiovascular disease .docx
Topic Genetic connection of hypertension to cardiovascular disease .docxTopic Genetic connection of hypertension to cardiovascular disease .docx
Topic Genetic connection of hypertension to cardiovascular disease .docx
VannaSchrader3
 
topic Errors (medication or patient injury)in particular stra.docx
topic Errors (medication or patient injury)in particular stra.docxtopic Errors (medication or patient injury)in particular stra.docx
topic Errors (medication or patient injury)in particular stra.docx
VannaSchrader3
 
Topic differences between folk guitar and classic guitar.Minimu.docx
Topic differences between folk guitar and classic guitar.Minimu.docxTopic differences between folk guitar and classic guitar.Minimu.docx
Topic differences between folk guitar and classic guitar.Minimu.docx
VannaSchrader3
 
Topic Death Investigations. Review homicide investigation as de.docx
Topic Death Investigations. Review homicide investigation as de.docxTopic Death Investigations. Review homicide investigation as de.docx
Topic Death Investigations. Review homicide investigation as de.docx
VannaSchrader3
 
Ad

Recently uploaded (20)

How to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of saleHow to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of sale
Celine George
 
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Celine George
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx
contactwilliamm2546
 
One Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learningOne Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learning
momer9505
 
Anti-Depressants pharmacology 1slide.pptx
Anti-Depressants pharmacology 1slide.pptxAnti-Depressants pharmacology 1slide.pptx
Anti-Depressants pharmacology 1slide.pptx
Mayuri Chavan
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Library Association of Ireland
 
Political History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptxPolitical History of Pala dynasty Pala Rulers NEP.pptx
Political History of Pala dynasty Pala Rulers NEP.pptx
Arya Mahila P. G. College, Banaras Hindu University, Varanasi, India.
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
Metamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative JourneyMetamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative Journey
Arshad Shaikh
 
How to Subscribe Newsletter From Odoo 18 Website
How to Subscribe Newsletter From Odoo 18 WebsiteHow to Subscribe Newsletter From Odoo 18 Website
How to Subscribe Newsletter From Odoo 18 Website
Celine George
 
Handling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptxHandling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptx
AuthorAIDNationalRes
 
Ultimate VMware 2V0-11.25 Exam Dumps for Exam Success
Ultimate VMware 2V0-11.25 Exam Dumps for Exam SuccessUltimate VMware 2V0-11.25 Exam Dumps for Exam Success
Ultimate VMware 2V0-11.25 Exam Dumps for Exam Success
Mark Soia
 
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
How to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odooHow to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odoo
Celine George
 
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 AccountingHow to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
Celine George
 
YSPH VMOC Special Report - Measles Outbreak Southwest US 4-30-2025.pptx
YSPH VMOC Special Report - Measles Outbreak  Southwest US 4-30-2025.pptxYSPH VMOC Special Report - Measles Outbreak  Southwest US 4-30-2025.pptx
YSPH VMOC Special Report - Measles Outbreak Southwest US 4-30-2025.pptx
Yale School of Public Health - The Virtual Medical Operations Center (VMOC)
 
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
P-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 finalP-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 final
bs22n2s
 
How to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of saleHow to manage Multiple Warehouses for multiple floors in odoo point of sale
How to manage Multiple Warehouses for multiple floors in odoo point of sale
Celine George
 
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...Multi-currency in odoo accounting and Update exchange rates automatically in ...
Multi-currency in odoo accounting and Update exchange rates automatically in ...
Celine George
 
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Phoenix – A Collaborative Renewal of Children’s and Young People’s Services C...
Library Association of Ireland
 
2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx2541William_McCollough_DigitalDetox.docx
2541William_McCollough_DigitalDetox.docx
contactwilliamm2546
 
One Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learningOne Hot encoding a revolution in Machine learning
One Hot encoding a revolution in Machine learning
momer9505
 
Anti-Depressants pharmacology 1slide.pptx
Anti-Depressants pharmacology 1slide.pptxAnti-Depressants pharmacology 1slide.pptx
Anti-Depressants pharmacology 1slide.pptx
Mayuri Chavan
 
How to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POSHow to Manage Opening & Closing Controls in Odoo 17 POS
How to Manage Opening & Closing Controls in Odoo 17 POS
Celine George
 
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Marie Boran Special Collections Librarian Hardiman Library, University of Gal...
Library Association of Ireland
 
Understanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s GuideUnderstanding P–N Junction Semiconductors: A Beginner’s Guide
Understanding P–N Junction Semiconductors: A Beginner’s Guide
GS Virdi
 
Metamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative JourneyMetamorphosis: Life's Transformative Journey
Metamorphosis: Life's Transformative Journey
Arshad Shaikh
 
How to Subscribe Newsletter From Odoo 18 Website
How to Subscribe Newsletter From Odoo 18 WebsiteHow to Subscribe Newsletter From Odoo 18 Website
How to Subscribe Newsletter From Odoo 18 Website
Celine George
 
Handling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptxHandling Multiple Choice Responses: Fortune Effiong.pptx
Handling Multiple Choice Responses: Fortune Effiong.pptx
AuthorAIDNationalRes
 
Ultimate VMware 2V0-11.25 Exam Dumps for Exam Success
Ultimate VMware 2V0-11.25 Exam Dumps for Exam SuccessUltimate VMware 2V0-11.25 Exam Dumps for Exam Success
Ultimate VMware 2V0-11.25 Exam Dumps for Exam Success
Mark Soia
 
LDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini UpdatesLDMMIA Reiki Master Spring 2025 Mini Updates
LDMMIA Reiki Master Spring 2025 Mini Updates
LDM Mia eStudios
 
How to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odooHow to Set warnings for invoicing specific customers in odoo
How to Set warnings for invoicing specific customers in odoo
Celine George
 
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 AccountingHow to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
How to Customize Your Financial Reports & Tax Reports With Odoo 17 Accounting
Celine George
 
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public SchoolsK12 Tableau Tuesday  - Algebra Equity and Access in Atlanta Public Schools
K12 Tableau Tuesday - Algebra Equity and Access in Atlanta Public Schools
dogden2
 
P-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 finalP-glycoprotein pamphlet: iteration 4 of 4 final
P-glycoprotein pamphlet: iteration 4 of 4 final
bs22n2s
 
Ad

Browser Security – Issues and Best Practices1Outli

  • 1. Browser Security – Issues and Best Practices 1 Outline Intro to Browser Security Need for Browser Security Browser Security Fundamentals Browser Security Issues OWASP Top 10 – A7:2017– Cross-Site Scripting XSS OWASP Top 10 – A3:2017– Sensitive Data Exposure Attacks against Browser Security Mechanisms Browser Security Best Practices 2 Intro to Browser Security 3 Intro to Browser Security How does a web application work? 4 Client Server Involves browsers
  • 2. Intro to Browser Security (contd.) Browser A browser is “an application that finds and displays web pages”. It coordinates communication between your computer and the web server where a particular website “lives” by: Accepting a website address as a URL Submitting a request to the server to retrieve the content for the page Processing the code (HTML, CSS, JavaScript, etc.) from the server Loading active content (Flash, ActiveX, etc.) needed by the page Displaying the complete, formatted web page Repeating the process for every single user interaction with the page 5 Source: Understanding Your Computer: Web Browsers – U.S. CERT – https://www.cisa.gov/uscert/ncas/tips/st04-022 Intro to Browser Security (contd.) Examples: Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc. Browser Market Share as of February 2022: 6 Source: Global Web Stats – W3Counter– https://www.w3counter.com/globalstats.php Intro to Browser Security (contd.)
  • 3. Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8) Browser security involves the following: Protection against common client-side attacks Protection against phishing Management of browser extensions Use of adequate cryptography protocols 7 Source: X41 Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security- White-Paper.pdf Intro to Browser Security (contd.) Browser security also involves the following: Protection against active content Active content refers to scripts that execute programs within the browser e.g.: scripts used to create splash pages or options like drop- down menus JavaScript is widely used to create active content ActiveX controls reside on your computer and can be used as spyware Protecting cookies Cookies store information such as IP address, domain names, browser info, browsing habits, etc. Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information 8 Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies – https://www.cisa.gov/uscert/ncas/tips/ST04-012
Intro to Browser Security (contd.)
Browser-specific security features:
Google Chrome security features
Apple Safari security features
Internet Explorer security features
Microsoft Edge security features
Mozilla Firefox security features
Opera security features
9
Intro to Browser Security (contd.)
Your Browser’s Security Features – GCFLearnFree.org
Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features – https://www.youtube.com/watch?v=2ZZQlgV2Gus
10
Need for Browser Security
11
Need for Browser Security
As per U.S. CERT (2015):
Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers
Default browsers that come with the operating system are not set up using secure default configurations
Insecure browsers can lead to spyware being installed on your computers, allowing intruders to take control
There is an increasing threat from attacks that take advantage of vulnerable web browsers
Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers
12
Need for Browser Security (contd.)
As per U.S. CERT (2015), the problem is made worse by a number of factors, including the following:
13
Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
19% of all vulnerabilities were associated with Layer 7 web applications
However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities
14
Need for Browser Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the most common browser-related vulnerabilities are:
Cross-Site Scripting – 14.69%
Other Injection – 8.18%
DOM-based Vulnerability – 1.82%
Cross-Site Request Forgery – 1.75%
15
Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)
16
Need for Browser Security (contd.)
Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)
17
Browser Security Fundamentals
18
Browser Security Fundamentals
How Web Browsers Function – Open Canvas
Source: OpenCanvas – How Web Browsers Function – https://www.youtube.com/watch?v=z0HN-fG6oT4
19
Browser Security Fundamentals (contd.)
As per Open Canvas (2016), web browsers use the following architectural components:
User interface
Rendering engine
Browser engine
Networking
JavaScript interpreter
Data storage – cookies, local storage, etc.
20
Browser Security Fundamentals (contd.)
Google Chrome Architecture
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
21
Browser Security Fundamentals (contd.)
Google Chrome Architecture:
Browser Process
  Includes the User Interface (UI), networking, and storage
GPU Process
  Handles rich web page content built using features like WebGL
  Is a separate process to ensure stability and security
Utility Process
  Runs untrusted code on behalf of the browser in a sandbox, e.g. installing an extension, processing JSON
  Is a short-lived process
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
22
Browser Security Fundamentals (contd.)
Google Chrome Architecture (continued):
Extension Process
  Ensures extensions have limited access to the browser, page, and system
  Stops poorly written extension code from adversely affecting pages
Pepper Plugins
  Handles plugin code not controlled by Google (Flash, PDF, etc.)
  Uses a new plugin API that is sandboxed
Renderer – Blink rendering engine
JavaScript Interpreter – V8 JavaScript engine
Source: Google Chrome Developers – Anatomy of the Browser 101 (Chrome University) – https://www.youtube.com/watch?v=PzzNuCk-e0Y
23
Browser Security Fundamentals (contd.)
Google Chrome Security:
Sandboxing
  Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system
  Components run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform their function
  Thus, the privileges an attacker can gain by exploiting a security issue in one of these components are fairly limited
Process and Origin Isolation
  Chrome uses Site Isolation to isolate websites with different origins
Source: X41 – Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
24
Browser Security Fundamentals (contd.)
Google Chrome Security:
Hardening and Exploit Mitigation
  Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.
Web Security
  Same Origin Policy Enforcement – restricts interaction between websites of different origins
  Port Banning Enforcement – denies connections to non-standard TCP ports
  Content Security Policy Enforcement – limits what sources of scripts are acceptable
HTML5 Features Support
  Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.
Source: X41 – Browser Security White Paper – https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf
25
Browser Security Issues
26
Browser Security Issues
Specific browser security issues include the following:
Client-side JavaScript code for checking user input is not enough
  Information sent from the browser can be modified before it reaches the server
  Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose
Protocols such as SSL that browsers rely on have their own issues
Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information
Java applets are susceptible to Man-in-the-Middle (MITM) attacks
Java servlets may be vulnerable to SQL injection
Source: OWASP – Application Security FAQ – https://owasp.org/www-community/OWASP_Application_Security_FAQ
27
Browser Security Issues (contd.)
Specific browser security issues include the following:
Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content
Configuring browser security settings is challenging due to uncertainty about both attack mitigation effectiveness and impact on end users
Administrator-driven manual patching often incurs significant lag time before patches are deployed
Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality
88% of publicly disclosed vulnerabilities were exploited within a day of release
Browser plugins accounted for 34.5% of browser-related vulnerabilities
Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf
28
Browser Security Issues (contd.)
OWASP Top 10 – A7:2017 – Cross-Site Scripting (XSS)
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
29
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)
30
Browser Security Issues (contd.)
Cross-Site Scripting – XSS – Professor Messer
Source: Cross-Site Scripting – XSS – CompTIA Security+ SY0-501 – 1.2 – https://www.youtube.com/watch?v=AjsYOMatAcg
31
Browser Security Issues (contd.)
OWASP Top 10 – A3:2017 – Sensitive Data Exposure
Source: OWASP Top 10 2017 A3 – Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
32
Browser Security Issues (contd.)
Common browser security vulnerabilities:
Source: OWASP Top 10 2017 A3 – Sensitive Data Exposure – https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure
33
Browser Security Attacks
34
Browser Security Attacks
Most common browser security attacks (Attack Type: Description):
Cache Poisoning: A maliciously constructed response is cached by the browser
Clickjacking: The attacker hijacks clicks meant for their own page and routes them to another page
Cross-Site Request Forgery (CSRF): An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated
Cross-Site Scripting (XSS): A type of injection in which malicious scripts are injected into otherwise benign and trusted websites
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
35
Browser Security Attacks (contd.)
Most common browser security attacks (continued; Attack Type: Description):
Man-in-the-Browser: A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction
Session Hijacking: An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the web server
Spyware: A program that captures statistical information from a user’s computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser’s history.
Source: OWASP – Attacks – https://owasp.org/www-community/attacks/
36
Browser Security Best Practices
37
Browser Security Best Practices
Best practices for web browser security include:
Setting up browsers to auto update
Disabling malicious browser plugins such as adware
Connecting to websites only using HTTPS
Clearing the browser history including cookies
Disabling the browser’s auto-complete of forms (including stored passwords) functionality
Blocking browser pop-ups using extensions such as AdBlock
Using VPN or proxy servers
Source: InfoSec Institute – Best Practices for Web Browser Security – https://resources.infosecinstitute.com/best-practices-web-browser-security/
38
Browser Security Best Practices (contd.)
Best practices for web browser security include:
Enabling automatic updates
  Mitigates 91% of publicly known vulnerabilities
Enabling reputation services such as Google Safe Browsing or Microsoft SmartScreen
  Prevents 87.7% of socially engineered malware and phishing attempts
Disabling unsafe plugins and extensions
Using advanced mitigation techniques/tools
  Browser isolation, cloud browsers, OS-level mitigations, etc.
Source: NSA.gov – Steps to Secure Web Browsing – https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf
39
Browser Security Best Practices (contd.)
Use the following best practices to protect against XSS:
Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS – https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html
40
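An added example (not from the slides) tying slide 27's point that client-side JavaScript input checks are not enough to the XSS defenses this slide refers to: a server-side allowlist check plus HTML output encoding in Python, with a deliberately vulnerable renderer beside the hardened one. The handler, the username policy and the constructed inputs are hypothetical.

```python
"""Added example (not from the slides): why client-side input checks
are not enough, and what server-side output encoding does about XSS.

Every name here is hypothetical; the "submitted" values are constructed
to look like form data that arrived after an intercepting proxy changed
them, so whatever the page's JavaScript validated never happened."""
import html
import re

# Server-side allowlist for a display name: letters, digits, '.', '_'
# and '-', 3 to 32 characters (a constructed policy, not OWASP's).
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{3,32}$")


def validate_username(value: str) -> bool:
    """Server-side allowlist check. The browser may have run the same
    regex in JavaScript, but the server cannot trust that it did."""
    return bool(USERNAME_RE.fullmatch(value))


def render_greeting_unsafe(username: str) -> str:
    """Vulnerable: reflects the value into HTML verbatim, so any markup
    in it is handed to the browser's parser (reflected XSS)."""
    return f"<p>Welcome back, {username}!</p>"


def render_greeting(username: str) -> str:
    """Hardened: entity-encode for the HTML text context. quote=True
    also encodes quotes, so the same call is safe inside a double-quoted
    attribute value."""
    return f"<p>Welcome back, {html.escape(username, quote=True)}!</p>"


def contains_markup(rendered: str, allowed_tags=("p",)) -> bool:
    """Crude oracle for the tests: does the document contain any tag
    other than the template's own <p>...</p>?"""
    for tag in re.findall(r"<\s*/?\s*([A-Za-z][A-Za-z0-9]*)", rendered):
        if tag.lower() not in allowed_tags:
            return True
    return False


def handle_request(username: str) -> tuple:
    """Defensive handler: validate first, encode on output.
    Returns (status, body). Input the allowlist rejects gets a 400, and
    the rejected value is also encoded in the error page, because an
    error page is an HTML context too."""
    if not validate_username(username):
        return 400, f"<p>Invalid name: {html.escape(username, quote=True)}</p>"
    return 200, render_greeting(username)


# Constructed inputs: one honest, one carrying markup that a client-side
# check would have blocked but an intercepting proxy let through.
HONEST = "alice_01"
TAMPERED = "<script>alert(1)</script>"

if __name__ == "__main__":
    print(render_greeting_unsafe(TAMPERED))  # markup reaches the browser
    print(render_greeting(TAMPERED))         # entities only; shown as text
    print(handle_request(TAMPERED))          # rejected, and still encoded
```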
Recap
Browser security issues continue to be among the OWASP Top 10 list of web application security risks
This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.
Hackers are able to exploit these weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.
Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.
41
Thank you!!!
42
Server Security – Issues and Best Practices
1
Outline
Intro to Server Security
Need for Server Security
Server Security Fundamentals
Server Security Issues
OWASP Top 10 – A6:2017 – Security Misconfiguration
OWASP Top 10 – A10:2017 – Insufficient Logging and Monitoring
Attacks against Server Security Mechanisms
Server Security Best Practices
2
Intro to Server Security
3
Intro to Server Security
How does a web application work?
4
Client
Server
Involves servers
Intro to Server Security (contd.)
Server
A server serves as the host for web applications
It refers to the “server” portion of the client-server architecture
It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser
It authenticates the client based on the user-supplied credentials
It authorizes the client’s access to the requested web application after authentication
5
Intro to Server Security (contd.)
Server (continued)
It sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (perhaps due to a broken link)
It uses ports to make services available to clients
  Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.
Examples: Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.
6
Intro to Server Security (contd.)
Server Market Share:
7
Source: Web and Application Servers Market Share Report – Datanyze – https://www.datanyze.com/market-share/web-and-application-servers--425
Intro to Server Security (contd.)
What is a Server? – PowerCert Animated Videos
8
Source: PowerCert Animated Videos – What is a Server? – https://www.youtube.com/watch?v=UjCDWCeHCzY
Intro to Server Security (contd.)
Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” (NIST SP 800-123, pg. 10)
Server security involves the following (NIST SP 800-44, pg. 18):
Installing, configuring, and securing the server operating system (OS)
Installing, configuring, and securing the server software
Employing appropriate network protection mechanisms
  Firewalls, packet filtering routers, proxies, etc.
Ensuring that the hosted web applications are securely coded
Employing secure administration and maintenance processes
  Patching and upgrading, testing, monitoring of logs, backing up data and OS
Protecting information and data in a careful/systemic manner
Conducting initial/periodic vulnerability scans of server/network infrastructure
9
Intro to Server Security (contd.)
Server security (by technology):
Apache HTTP Server security settings
NGINX security settings
Internet Information Services (IIS) security settings
LiteSpeed Web Server security settings
OpenResty security settings
Server security (by operating system):
Ubuntu Linux Server guide
Windows Server security guide
macOS Server guide
10
Need for Server Security
11
Need for Server Security
As per NIST SP 800-123:
Servers are frequently targeted by attackers because of the value of their data and services
Servers might contain personally identifiable information that could be used to perform identity theft
Most organizations install servers with standard directory names, directory locations, and filenames, making it easy for attackers to target those servers
The failure of organizations to fully recognize the amount of expense and skills required to field a secure server often results in overworked employees and insecure systems
12
Need for Server Security (contd.)
As per NIST SP 800-123 (continued):
Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security
The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services
Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed
13
Need for Server Security (contd.)
As per NIST SP 800-44:
Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks
Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data
Hackers could compromise web server security by:
  defacing organizations’ web sites or otherwise affecting integrity
  executing unauthorized commands on the host OS
  launching attacks on external sites from the web server
  using the server to deliver attacks against vulnerable clients
  using the server to distribute illegally copied software
14
Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:
44.70% – SSL / TLS Version & Configuration Issues
29.53% – SMB Security Issues
8.61% – OpenSSH Vulnerabilities & Configuration Issues
6.25% – Windows Remote Desktop Protocol Server MITM
4.15% – Unencrypted Telnet Services
1.69% – Unsupported & Unpatched Server Detection
15
Need for Server Security (contd.)
As per the EdgeScan (2019) Vulnerability Statistics Report:
33.33% of all high and critical risk vulnerabilities discovered in 2018 related to unsupported Windows Server 2003 systems (no patching, no support, end-of-life systems)
7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to the NotPetya CVEs (CVE-2017-0144, CVE-2017-0145) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability
Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems
16
Need for Server Security (contd.)
Hackers are increasingly using servers to cause data breaches (Privacy Rights Clearinghouse, 2020)
17
Server Security Fundamentals
18
Server Security Fundamentals
What is the Apache HTTP Server? – CBT Nuggets
19
Source: CBT Nuggets – What is the Apache HTTP Server? – https://www.youtube.com/watch?v=fRLJ3bnbHmE
Server Security Fundamentals (contd.)
A basic Apache web server architecture includes the following components (Kew, 2007):
Modules
Multi-Processing Modules (MPM)
Apache Portable Runtime (APR) Libraries
20
Server Security Fundamentals (contd.)
Apache web server architecture:
Modules
  Functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.
Multi-Processing Modules (MPM)
  Special modules which allow Apache to be configured as a pure process-based server, a pure threaded server, or both
Apache Portable Runtime (APR) Libraries
  Provide for platform-specific tuning and optimization
21
Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/
Server Security Fundamentals (contd.)
Apache web server security:
Modular architecture
  Allows modules to be enabled or disabled to add and remove web server functionality
  Only MPM modules can interact directly with the operating system
Authentication
  Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.
  E.g. mod_auth_basic, mod_auth_digest, mod_auth_form, mod_authn_dbd, etc.
22
Source: Apache – Apache HTTP Server Version 2.4 Documentation – https://httpd.apache.org/docs/2.4/
Server Security Fundamentals (contd.)
Apache web server security (continued):
Access Control
  The mod_access_compat module can restrict access to resources based on the IP address or hostname of the client
SSL / TLS
  The mod_ssl module provides strong encryption to protect data transmitted between the web server and the client
Proxy
  Apache supports both a traditional HTTP proxy and a reverse proxy
  A reverse proxy can be used for load balancing
Virtual Hosting Support and XML Security
23
Source: TLDP.org – Apache Overview HOWTO – https://www.tldp.org/HOWTO/pdf/Apache-Overview-HOWTO.pdf
Server Security Fundamentals (contd.)
Apache web server security (continued):
Configuration Settings
  Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.
Common Gateway Interface (CGI) & Server Side Includes (SSI)
  The suEXEC feature can considerably reduce the security risks involved with allowing users to develop and run private CGI or SSI programs
Logs
  The mod_log_config and mod_log_forensic modules can be used to log everything that happens on the server
24
Source: Apache.org – Apache HTTP Server Documentation Version 2.4 – https://archive.apache.org/dist/httpd/docs/httpd-docs-2.4.33.en.pdf
Server Security Issues
25
Server Security Issues
As per NIST SP 800-123 (pg. 7), server security issues include:
26
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Server Security Issues (contd.)
As per NIST SP 800-44 (pg. 17-18), other server security issues include the following:
Misconfiguration or other improper operation of the web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:
  Assets of the organization
  Configuration of the server or network that could be exploited for subsequent attacks
  Credentials of the users or administrator(s) of the web server
Inadequate or unavailable defense mechanisms for the web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the web server and prevent authorized users from accessing the web site when required
27
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Issues (contd.)
Other server security issues include the following (continued):
Vulnerabilities within the web server that might allow, for example, attackers to compromise the security of the server and other hosts on the organization’s network by taking actions such as the following:
28
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Issues (contd.)
OWASP Top 10 – A6:2017 – Security Misconfiguration
29
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Server Security Issues (contd.)
Common server security vulnerabilities:
30
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration.html
Server Security Issues (contd.)
OWASP Top 10 – A10:2017 – Insufficient Logging & Monitoring
31
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Server Security Issues (contd.)
Common server security vulnerabilities:
32
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Server Security Attacks
33
Server Security Attacks
Most common server security attacks (Attack Type: Description):
34
Denial of Service (DoS): Attacks may be directed at the server or its supporting network infrastructure, denying or hindering valid users from making use of its services. Attacks may take advantage of the server’s account lockout policy. Attacks may involve uploading many large files. Attacks take advantage of simultaneous network connections.
Malware: Malicious entities may gain unauthorized access to resources elsewhere in the organization’s network via a successful attack on the server
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Server Security Attacks (contd.)
Most common server security attacks (continued; Attack Type: Description):
35
Man-in-the-Middle (MITM): Password information can be intercepted using network sniffers and used by an attacker to masquerade as an authorized user
SYN Flood: If the maximum number of open connections (or connections that are half-open—that is, the first part of the TCP handshake was successful) is set to a low number, an attacker can easily consume the available connections with illegitimate requests (often called a SYN flood)
Source: NIST SP 800-123 – Guide to General Server Security – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
Server Security Attacks (contd.)
Most common server security attacks (continued; Attack Type: Description):
36
Brute Force: Attackers try every possible password to attempt to gain access to a user’s account
Command Injection: Compromise of sensitive information on backend databases that are used to support a web application
Directory Traversal: Unauthorized access, including gaining access to files or folders and being able to execute commands and/or install software on the web server
Replay Attack: An impostor verifier replays the OTP authenticator output to the verifier and successfully authenticates to the web server (NIST SP 800-63B)
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
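An added example (not from the slides) joining slide 24's logging modules to the attack table above and to OWASP A10: a Python detector that parses Apache combined-format access log lines (the format mod_log_config writes) and flags brute-force login attempts and directory-traversal probes. The log lines are constructed for the example, and the login path, thresholds and window are assumptions.

```python
"""Added example (not from the slides): the monitoring half of "perform
logging". Parses Apache combined-format access log lines and flags two
patterns from the server attack table: brute force and directory
traversal. Sample lines are constructed; thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Apache "combined" LogFormat:
# %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "[^"]*"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 10.0.0.5 hammers /login and then gets in;
# 10.0.0.9 probes for a file outside the web root; 203.0.113.7 is a
# normal user who mistyped a password once.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2022:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Mar/2022:12:00:02 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.81"
10.0.0.5 - - [10/Mar/2022:12:00:03 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.81"
10.0.0.5 - - [10/Mar/2022:12:00:04 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.81"
10.0.0.5 - - [10/Mar/2022:12:00:05 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.81"
10.0.0.5 - - [10/Mar/2022:12:00:06 +0000] "POST /login HTTP/1.1" 401 210 "-" "curl/7.81"
10.0.0.5 - - [10/Mar/2022:12:00:07 +0000] "POST /login HTTP/1.1" 200 980 "-" "curl/7.81"
10.0.0.9 - - [10/Mar/2022:12:01:00 +0000] "GET /static/..%2f..%2f..%2fetc/passwd HTTP/1.1" 404 312 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:02:00 +0000] "POST /login HTTP/1.1" 401 210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2022:12:02:30 +0000] "POST /login HTTP/1.1" 200 980 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not
    match (malformed lines are skipped rather than crashing the monitor)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["status"] = int(rec["status"])
    return rec


def is_traversal(path):
    """Decode percent-encoding twice (so %252e%252e is caught as well as
    %2e%2e) and look for a parent-directory segment."""
    decoded = unquote(unquote(path))
    return "../" in decoded or "..\\" in decoded or decoded.endswith("..")


def detect_brute_force(records, threshold=5, window=timedelta(minutes=1),
                       login_path="/login"):
    """Per source IP, count 401s on the login path inside a sliding time
    window; report the IP once the count reaches the threshold and note
    whether a 200 on the same path followed (a possible successful guess)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["path"] == login_path:
            by_ip[r["ip"]].append(r)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])
        fails = [r["time"] for r in recs if r["status"] == 401]
        start = 0
        for end in range(len(fails)):
            while fails[end] - fails[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success = any(r["status"] == 200 and r["time"] >= fails[end]
                              for r in recs)
                findings[ip] = {"failures": end - start + 1,
                                "followed_by_success": success}
                break
    return findings


def detect_traversal(records):
    """(ip, raw path) for every request whose path walks upward."""
    return [(r["ip"], r["path"]) for r in records if is_traversal(r["path"])]


def analyse(log_text):
    """Run both detectors over a block of log text."""
    records = [rec for rec in (parse_line(l) for l in log_text.splitlines()) if rec]
    return {"brute_force": detect_brute_force(records),
            "traversal": detect_traversal(records)}


if __name__ == "__main__":
    for kind, hits in analyse(SAMPLE_LOG).items():
        print(kind, hits)
```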
Server Security Attacks (contd.)
Replay Attacks – Professor Messer
37
Source: Replay Attacks – CompTIA Security+ SY0-401: 3.2 – https://www.youtube.com/watch?v=Ar97HbWLijU
Server Security Best Practices
38
Server Security Best Practices
Best practices for web server security include:
Planning and managing web servers (pg. 33)
  Plan the configuration and deployment of the web server
  Choose an appropriate operating system (OS) for the web server
  Choose an appropriate platform for the web server
    General purpose OS, trusted OS, web server appliance, virtualized platform, etc.
Securing the web server OS (pg. 41)
  Patch and upgrade the OS
  Remove or disable unnecessary services and applications
  Configure OS user authentication
  Configure resource controls appropriately
  Install and configure additional security controls
  Test the security of the OS
39
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Securing the web server (pg. 51)
  Securely install the web server
  Configure OS and web server access controls
  Configure a secure web content directory
Securing web content (pg. 70)
  Ensure that sensitive information is not available on the web server
  Establish an organization-wide documented formal policy and process for approving public web content
  Maintain web user privacy
  Mitigate indirect attacks on content
  Consider client-side active content security
  Maintain server-side active content security
40
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Using authentication and encryption technologies (pg. 86)
  Configure web authentication and encryption technologies
  Configure SSL / TLS
  Protect against brute force attacks
Implementing a secure network infrastructure (pg. 99)
  Identify a network location
  Assess firewall configuration
  Evaluate intrusion detection and prevention systems
  Assess network switches
  Evaluate load balancers
  Evaluate reverse proxies
41
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
Best practices for web server security include:
Administering the web server (pg. 113)
  Perform logging
  Perform web server backups
  Recover from a compromise
  Test security
  Conduct remote administration and content updates
42
Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers – https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf
Server Security Best Practices (contd.)
Use the following server security best practices to protect against security misconfiguration:
43
Source: OWASP Top 10 2017 A6 – Security Misconfiguration – https://owasp.org/www-project-top-ten/2017/A6_2017-Security_Misconfiguration
Server Security Best Practices (contd.)
Use the following server security best practices to protect against insufficient logging and monitoring:
44
Source: OWASP Top 10 2017 A10 – Insufficient Logging & Monitoring – https://owasp.org/www-project-top-ten/2017/A10_2017-Insufficient_Logging%2526Monitoring
Recap
Server security issues continue to be among the OWASP Top 10 list of web application security risks
This is due to weaknesses in server technologies such as authentication, access controls, configuration, connections, encryption, active content, logs, etc.
Hackers are able to exploit these weaknesses using attacks such as DoS, malware, MITM, SYN flood, brute force, command injection, directory traversal, replay attacks, etc.
Best practices to protect servers include planning and managing web servers, securing the web server OS, securing the web server, securing web content, using authentication and encryption technologies, implementing a secure network infrastructure, administering the web server, etc.
45
Thank you!!!
46