Week 3: Web Security

By Mike Hicks

January 1, 2015

Now we move away from low-level security and turn our attention to security on the World Wide Web (WWW).

The web utilizes a variety of technologies, from HTTP (hypertext transfer protocol) and HTML (hypertext markup language) to SQL (standard query language) and the JavaScript programming language. Unfortunately, these technologies can be used in ways that constitute significant vulnerabilities. We will examine several important kinds of vulnerabilities, see how they can be exploited, and explore how to defend against them.

Learning Objectives

After the completion of this week’s material, you will be able to:

  • Understand how SQL injection attacks affect web application back ends
  • Understand how the web implements session state, using cookies and hidden form fields, and how improper implementations are subject to session hijacking and Cross-site Request Forgery (CSRF) attacks
  • Understand how popular, browser-executed JavaScript programs can be used incorrectly by web sites, leading to Cross-site Scripting (XSS) vulnerabilities
  • Avoid flaws and bugs that introduce these vulnerabilities, with a focus on employing input validation and sanitization

Video Lectures

Break out: Interview with Kevin Haley

In March 2015, Mike had the pleasure of interviewing Kevin Haley. Kevin was a Director of Symantec Security Response. In this interview we discussed the state of cybersecurity at that time: the trends, the hacks, and the situations that define the state of play in which technology developers and users find themselves. The interview is optional from an assessment perspective – there will be no quiz questions on it. We hope you find it interesting!

Mike Hicks interviews Kevin Haley (21:13). Highlights, indexed by time:

  • start-2:11 Kevin’s background and early activities in security
  • 2:11 Symantec’s vantage point
  • 4:14 Scope of the security threat
  • 5:38 Commoditization of vulnerability exploitation
  • 7:31 Vulnerabilities trending upward
  • 8:16 Role and approach of anti-virus and related technologies
  • 11:38 Advice on building secure systems, and education
  • 16:14 The expanding security landscape
  • 19:44-end Learning more

Readings

No readings are required for this week, but you may find the following references helpful.

Quiz

The quiz for this week covers all of the material for this week. You must submit the quiz no later than the start of week 5.

Project

The second project tests your ability to exploit vulnerabilities in a web application called BadStore. It is due in three weeks, at the start of week 6. You will complete the work for the project on your own computer, and then take the on-line assessment to show that you’ve done so.
