@@ -0,0 +1,103 @@
+# Computer Security - lesson 13
+#### Stefano Zanero
+###### 15 May 2016
+## Web Security pt.3
+The debug messages of dbms when left enabled are very useful to an attacker
+Because this *information disclosure* brings a lot of useful data.
+
+### URL Parameter Tampering
+Consist in changing the parameter encoded in the URL,
+but that is not the problem itself, the problem is that whether
+i change that value, the site should not allow me to see other pages.
+Example: changing patient id and seeing the page of another patient.
+
+If the user is already logged in, it doesn't make sense to specify its id on the URL.
+Also if the parameter is used for a SQL query, i can make a SQL injection.
+
+Another example would be appending
+```
+%2f..%2f..%2f..%2fetc/passwd
+```
+If the webserver has a vulnerability I could be able to read an arbitrary file on disk.
+
+### Password management
+It is really important not to store the passwords in clear on the server,
+but even if someone stole a list with hashes of the password.
+The attacker could compare the list to a precomputed list of hashes,
+and do a sort of *bruteforce* attack but with the work done offline and before time.
+
+A common trick to avoid this is __salting__, and consists as a hashing the password
+together with a number used only once (called nonce in crypto)
+
+Another good measure is using *slower* hashing function, so that bruteforcing
+becomes harder.
+
+In summary normal people:
+- use always the same password
+- or use a different one every time and use the reset password procedure
+
+The __reset password procedure__ is itself an alternative autenthication measure.
+this procedure use a reset link which can be used only once, and this way it is
+*tamper evident*, so i know if it has been compromised.
+
+Another way is to send an email to the register address whenever an important information
+is changed in the account, so at least we know.
+
+The __weak point__ of this procedure is the email account,
+if someone breaks through the email account you use for registering,
+it can reset the passwords of your social networks and other.
+
+If the compromised account is the one of a trade journalist,
+and a fake tweet is made about a great trade operation.
+
+This can cause great consequences, because people will trade
+according to the news, sometmes even if it's not confirmed
+And so it becomes a __self realizing prophecy__
+
+Or for example a video shared by an important sport athlete would
+be spread very fast.
+
+Why do sites use __security questions__?
+they are not meant to authenticate the user but to prevent
+An unlimited number of reset requests, making a denial of service.
+
+Regarding __account locking__
+it can be target of *reverse bruteforcing* such as trying the most used passwords on
+all the different accounts of the website.
+
+Locking the accounts turns the problem of bruteforcing into a possibility
+of denial of service, because if someone runs a bruteforse everytime the
+lock expires, i would not be able to access the account anymore.
+
+A good way to avoid this is to use non enumerable user names.
+Blocking IP address is a good approach but it can block entire
+group of users that use the same IP behind NAT.
+
+Adding an exponentially increasing delay for a specific IP address is another good measure.
+
+We can also use a captcha to avoid widespread use of scripting.
+
+### Cookies
+
+Were meant initially for user customization of websites, a lot of years ago.
+They are a code that allows the site to recognize you whenever you connect again.
+
+The nasty side of this is when they are used by advertisement and tracking websites.
+They are a code that allows the site to recognize you whenever you connect again.
+
+The nasty side of this is when they are used by advertisement and tracking websites.
+And if a cookie is stolen, it is as valuable as username and password.
+
+### Multiple sessions
+To create __multiple sessions__ *unique identifiers* are used.
+Often the websites are using a session from which you can never log out
+and every time you visit the website, you are presented the last page you were the last time.
+This is done to gather the greatest data possible, because that's their business.
+
+Facebook sells data so the app is the most streamlined possible, and creation
+of events or so is easy, because all these things brings money to facebook.
+
+## Recap on web security
+The essence of the problem is that using web technology
+we need to mix code(e.g. HTML) and data (e.g. the blog comment)
+
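Review bot: the Cookies section repeats two lines verbatim, which reads as a copy-paste slip: "They are a code that allows the site to recognize you whenever you connect again." and "The nasty side of this is when they are used by advertisement and tracking websites." each appear twice within four lines, and one copy of each should be dropped so the paragraph flows from "Were meant initially..." straight to "And if a cookie is stolen...". Two smaller points in the same hunk: under Password management the salt is described as "a number used only once (called nonce in crypto)", but a salt is a random per-password value stored next to the hash and reused on every verification of that password, so equating it with a nonce will confuse readers who later meet real nonces in protocols; and the fenced block holding the `%2f..%2f..%2f..%2fetc/passwd` example carries no language tag, so consider tagging it `text` to keep renderers from guessing a highlighter. Spelling to fix while here: "autenthication", "sometmes", "bruteforse", "everytime", and "self realizing prophecy" should read "self-fulfilling prophecy".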