stateless HTTP
http request and response pairs is independent and has no memory. Does not know if user is already logged in
sessions
- data structure to store data only during time user is interacting with website
- used to manage states
- session data stored in server
- session id stored on client using cookies
- session id is passed to server to retrieve stored data
- when closed, lose session
session hijacking
- session starts when user logs in and return session id to user
- attacker steals the session id that will remain unchanged after authentication
- attacker is then able to hijack the session using the session id
GET vs POST
get is less secure as data can be found in URL
post is more secure as data is in body
OWASP top web security risks
- sql injection
- broken authentication
- sensitive data exposure
- broken access control
- security misconfiguration
- cross site scripting
- insecure direct object reference
sql injection
tricks server into executing wrong command
fred’ OR ‘1’=’1’
‘OR 1=1 –
problem
- allowing characters with special meaning
defense
- prepared statements
- stored procedures
broken authentication
error in implementation
- what if user forget to logout
- what if password is not hashed and salted
- is the session id encrypted
cross site scripting
- reflected
- non persistent
- script passed using URL
- trick the user to clicking - stored
- store script on server eg. forum
- next user becomes the victim - DOM based
- crafts malicious code
- trick victim to click the link and sends code to server
- server wraps it with search template
- server returns and execute real script
- malicious code gets rendered
defense
- escape before inserting untrusted data
insecure direct object reference
unauthorised change in parameter value to refer to another user account
eg https://www.blablabla.com/customerID=1234 ->1233
security misconfiguration
can be misconfigured at many levels
- not keeping software up to date
- not patching vulnerabilities
- using default user credentials
defence
- principle of least privilege
sensitive data exposure
- database not protected adequately
- data in database not encrypted
- SQLI, sniffing, rainbow tables
defence
- encrypt data
- store password that is salted and hashed
- apply access control
- employee training and awareness
missing function level access control
function fulfilled without checking o user privileges
defence
- don’t show function that user not allowed to use
- principle of least privilege
cross site request forgery
trick user to execute undesired action when they are already authenticated
- depends on the privilege of the user
- requires social engineering
defence
- use challenge tokens
- for sensitive operations, include challenge token in request. Server checks token to ensure request is valid
using components with known vulnerabilities
defence
- keep components up to date
- evaluate vulnerabilities before using
- keep track of attack surface(3rd party software that you are not sure about)
unvalidated redirect
defence
- avoid links
- have user confirm redirect
- white list of redirects
