
Please go through the 2 slides below

1.  Browser Security – Issues and Best Practices.

2.  Server Security – Issues and Best Practices 

and summarize the content of each slide in one paragraph each.

Use an APA format to conduct separate research that is related to the topics in the two slides in another paragraph (now 3 paragraphs). Everything should be between 1 and 2 pages.

Browser Security – Issues and Best Practices

ITC 766-899

WEB APPLICATION SECURITY

Spring 2022

1

Outline

Intro to Browser Security

Need for Browser Security

Browser Security Fundamentals

Browser Security Issues

OWASP Top 10 – A7:2017– Cross-Site Scripting XSS

OWASP Top 10 – A3:2017– Sensitive Data Exposure

Attacks against Browser Security Mechanisms

Browser Security Best Practices

2

Intro to Browser Security

3

Intro to Browser Security

How does a web application work?

Client

Server

Involves browsers

4

Browser

A browser is “an application that finds and displays web pages”.

It coordinates communication between your computer and the web server where a particular website “lives” by:

Accepting a website address as a URL

Submitting a request to the server to retrieve the content for the page

Processing the code (HTML, CSS, JavaScript, etc.) from the server

Loading active content (Flash, ActiveX, etc.) needed by the page

Displaying the complete, formatted web page

Repeating the process for every single user interaction with the page

Source: Understanding Your Computer: Web Browsers – U.S. CERT –

https://www.cisa.gov/uscert/ncas/tips/st04-022

Intro to Browser Security (contd.)

5

Examples:

Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, Opera, etc.

Browser Market Share as of February 2022:

Intro to Browser Security (contd.)

Source: Global Web Stats – W3Counter–

https://www.w3counter.com/globalstats.php

6

Browser security refers to “how differences in design and implementation of various security technologies in modern web browsers might affect their security” (X41 Browser Security White Paper, 2017, pg. 8)

Browser security involves the following:

Protection against common client-side attacks

Protection against phishing

Management of browser extensions

Use of adequate cryptography protocols

Intro to Browser Security (contd.)

Source: X41 Browser Security White Paper –

https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

7

Browser security also involves the following:

Protection against active content

Active content refers to scripts that execute programs within the browser

e.g.: scripts used to create splash pages or options like drop-down menus

JavaScript is widely used to create active content

ActiveX controls reside on your computer and can be used as spyware

Protecting cookies

Cookies store information such as IP address, domain names, browser info, browsing habits, etc.

Both session cookies and persistent cookies must be protected from security attacks by adjusting the browser’s security settings to block or limit access to cookie information

Intro to Browser Security (contd.)

Source: U.S. CERT – Browsing Safely: Understanding Active Content and Cookies –

https://www.cisa.gov/uscert/ncas/tips/ST04-012

8

Browser-specific security features:

Google Chrome security features

Apple Safari security features

Internet Explorer security features

Microsoft Edge security features

Mozilla Firefox security features

Opera security features

Intro to Browser Security (contd.)

9

Your Browser’s Security Features – GCFLearnFree.org

Intro to Browser Security (contd.)

Source: GCFLearnFree.org – Internet Safety: Your Browser’s Security Features –

https://www.youtube.com/watch?v=2ZZQlgV2Gus

10

Need for Browser Security

11

As per U.S. CERT (2015):

Browsers such as Firefox, Chrome, Edge, and Safari are installed on almost all computers

Default browsers that come with the Operating Systems are not set up using secure default configurations

Insecure browsers can lead to spyware being installed on your computers, allowing intruders to take control

There is an increasing threat from attacks that take advantage of vulnerable web browsers

Hackers are using compromised or malicious websites to exploit vulnerabilities in browsers

Need for Browser Security

12

As per U.S. CERT (2015), the problem is made worse by a number of factors including the following:

Need for Browser Security (contd.)

13

As per the EdgeScan (2019) Vulnerability Statistics Report:

Need for Browser Security (contd.)

19% of all vulnerabilities were associated with Layer 7 web applications

However, the risk density is much higher for web application vulnerabilities compared to network vulnerabilities

14

As per the EdgeScan (2019) Vulnerability Statistics Report, the most common browser-related vulnerabilities are:

Cross-Site Scripting – 14.69%

Other Injection – 8.18%

DOM-based Vulnerability – 1.82%

Cross-Site Request Forgery – 1.75%

Need for Browser Security (contd.)

15

Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)

Need for Browser Security (contd.)

16

Hackers are increasingly using browsers to cause data breaches (Privacy Rights Clearinghouse, 2020)

Need for Browser Security (contd.)

17

Browser Security Fundamentals

18

How Web Browsers Function – Open Canvas

Browser Security Fundamentals

Source: OpenCanvas – How Web Browsers Function –

https://www.youtube.com/watch?v=z0HN-fG6oT4

19

As per Open Canvas (2016), web browsers use the following architectural components:

User interface

Rendering engine

Browser engine

Networking

JavaScript interpreter

Data storage – cookies, local storage, etc.

Browser Security Fundamentals (contd.)

20

Google Chrome Architecture

Browser Security Fundamentals (contd.)

Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

https://www.youtube.com/watch?v=PzzNuCk-e0Y

21

Google Chrome Architecture:

Browser Process

Includes the User Interface (UI), networking, and storage

GPU Process

Handles rich web page content built using features like WebGL

Is a separate process to ensure stability and security

Utility Process

Runs untrusted code on behalf of the browser in a sandbox

e.g.: installing an extension, processing JSON

Is a short-lived process

Browser Security Fundamentals (contd.)

Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

https://www.youtube.com/watch?v=PzzNuCk-e0Y

22

Google Chrome Architecture (continued):

Extension Process

Ensures extensions have limited access to browser, page, & system

Stops poorly written extension code from adversely affecting pages

Pepper Plugins

Handles plugin code not controlled by Google (Flash, PDF, etc.)

Uses new plugin API that is sandboxed

Renderer – Blink rendering engine

JavaScript Interpreter – v8 JavaScript engine

Browser Security Fundamentals (contd.)

Source: Google Chrome Developers – Anatomy of the Browser 101
(Chrome University) –

https://www.youtube.com/watch?v=PzzNuCk-e0Y

23

Google Chrome Security:

Sandboxing

Limits the impact of many browser vulnerabilities by isolating different components of an application from the rest of the system

Components are run with their access privileges to system resources and/or other components limited to the bare essentials needed to perform their function

Thus, the privileges an attacker can gain by exploiting a security issue in these components are fairly limited

Process and Origin Isolation

Chrome uses Site Isolation to isolate websites with different origins

Browser Security Fundamentals (contd.)

Source: X41 – Browser Security White Paper –

https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

24

Google Chrome Security:

Hardening and Exploit Mitigation

Supports /GS, ASLR, DEP, no direct win32k syscalls, SEHOP, etc.

Web Security

Same Origin Policy Enforcement

Restricts interaction between websites of different origins

Port Banning Enforcement

Denies connections to non-standard TCP ports

Content Security Policy Enforcement

Limits what sources of scripts are acceptable

HTML5 Features Support

Supports Service Workers, WebRTC, History API, WebGL, Web Notifications, etc.

Browser Security Fundamentals (contd.)

Source: X41 – Browser Security White Paper –

https://browser-security.x41-dsec.de/X41-Browser-Security-White-Paper.pdf

25

Browser Security Issues

26

Specific browser security issues include the following:

Client-side JavaScript code for checking user input is not enough

Information sent from the browser can be modified before it reaches the server

Plenty of HTTP/HTTPS proxy tools are available to hackers for this very purpose

Protocols such as SSL that browsers rely on have their own issues

Likewise, attackers can use browser mechanisms such as cache, cookies, session IDs, etc. to steal sensitive information

Java applets are susceptible to Man-in-the-Middle (MITM) attacks

Java servlets may be vulnerable to SQL injection

Browser Security Issues

Source: OWASP – Application Security FAQ –

https://owasp.org/www-community/OWASP_Application_Security_FAQ

27

Specific browser security issues include the following:

Browsers pose a unique risk to the enterprise infrastructure because of their frequent exposure to untrusted dynamic content

Configuring browser security settings is challenging due to uncertainty of both attack mitigation effectiveness and impact on end users

Administrator-driven manual patching often incurs significant lag time before patches are deployed

Administrators are often hesitant to enable automatic updating out of fear that patches will break existing functionality

88% of publicly disclosed vulnerabilities are exploited within a day of release

Browser plugins accounted for 34.5% of browser-related vulnerabilities

Browser Security Issues (contd.)

Source: NSA.gov – Steps to Secure Web Browsing –

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf

28

OWASP Top 10 – A7:2017 – Cross-Site Scripting XSS

Browser Security Issues (contd.)

Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

29

Common browser security vulnerabilities:

Browser Security Issues (contd.)

Source: OWASP Top 10 2017 A7 – Cross Site Scripting XSS –

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS)

30

Cross-Site Scripting – XSS – Professor Messer

Browser Security Issues (contd.)

Source: Cross-Site Scripting – XSS – CompTIA Security+ Sy0-501 – 1.2 –

https://www.youtube.com/watch?v=AjsYOMatAcg

31

OWASP Top 10 – A3:2017–Sensitive Data Exposure

Browser Security Issues (contd.)

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –

https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

32

Common browser security vulnerabilities:

Browser Security Issues (contd.)

Source: OWASP Top 10 2017 A3-Sensitive Data Exposure –

https://owasp.org/www-project-top-ten/2017/A3_2017-Sensitive_Data_Exposure

33

Browser Security Attacks

34

Most common browser security attacks:

Browser Security Attacks

Source: OWASP – Attacks –

https://owasp.org/www-community/attacks/

Attack Type – Description

Cache Poisoning – A maliciously constructed response is cached by the browser

Clickjacking – The attacker hijacks clicks meant for their own page and routes them to another page

Cross-Site Request Forgery (CSRF) – An attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated

Cross-Site Scripting (XSS) – A type of injection in which malicious scripts are injected into otherwise benign and trusted websites

35

Most common browser security attacks (continued):

Browser Security Attacks (contd.)

Attack Type – Description

Man-in-the-Browser – A previously installed Trojan horse is used to act between the browser and the browser’s security mechanism, sniffing or modifying transactions as they are formed on the browser, but still displaying back the user’s intended transaction

Session Hijacking – An attack that compromises the session token by stealing or predicting a valid session token to gain unauthorized access to the Web Server

Spyware – A program that captures statistical information from a user’s computer and sends it over the internet without user acceptance. This information is usually obtained from cookies and the web browser’s history.

Source: OWASP – Attacks –

https://owasp.org/www-community/attacks/

36

Browser Security
Best Practices

37

Browser Security Best Practices

Best practices for web browser security include:

Setting up browsers to Auto Update

Disabling malicious browser plugins such as Adware

Connecting to websites only using HTTPS

Clearing the browser history including cookies

Disabling the browser’s auto-complete of forms (including stored passwords) functionality

Blocking browser pop-ups using extensions such as AdBlock

Using VPN or proxy servers

Source: InfoSec Institute – Best Practices for Web Browser Security –

https://resources.infosecinstitute.com/best-practices-web-browser-security/

38

Browser Security Best Practices (contd.)

Best practices for web browser security include:

Enabling automatic updates

Mitigates 91% of publicly known vulnerabilities

Enabling reputation services such as Google Safe Browsing or Microsoft SmartScreen

Prevents 87.7% of socially engineered malware and phishing attempts

Disabling unsafe plugins and extensions

Using advanced mitigation techniques/tools

Browser isolation, Cloud Browsers, O/S level mitigations, etc.

Source: NSA.gov – Steps to Secure Web Browsing –

https://www.nsa.gov/Portals/70/documents/what-we-do/cybersecurity/professional-resources/csi-steps-to-secure-web-browsing.pdf

39

Use the following best practices to protect against XSS:

Browser Security Best Practices (contd.)

Source: OWASP Top 10 2017 A7-Cross Site Scripting XSS –

https://owasp.org/www-project-top-ten/2017/A7_2017-Cross-Site_Scripting_(XSS).html

40

Browser security issues continue to be among the OWASP Top 10 list of web application security risks

This is due to weaknesses in browser mechanisms such as browser processes, renderers, plugins, extensions, etc.

Hackers are able to exploit the weaknesses using attacks such as cache poisoning, clickjacking, CSRF, XSS, MITM, session hijacking, spyware, etc.

Best practices to protect browsers include using auto update, HTTPS, pop-up blockers, VPNs or proxy servers, reputation services, sandboxing, isolation, hardening, same origin policy, port banning, content security policy, cloud browsers, etc.

Recap

41

Thank you!!!

42

Server Security – Issues and Best Practices

ITC 766-899

WEB APPLICATION SECURITY

Spring 2022

1

Outline

Intro to Server Security

Need for Server Security

Server Security Fundamentals

Server Security Issues

OWASP Top 10 – A6:2017– Security Misconfiguration

OWASP Top 10 – A10:2017– Insufficient Logging and Monitoring

Attacks against Server Security Mechanisms

Server Security Best Practices

2

Intro to Server Security

3

Intro to Server Security

How does a web application work?

Client

Server

Involves servers

4

Server

A server serves as the host for web applications

It refers to the “server” portion of the client-server architecture

It receives the HyperText Transfer Protocol (HTTP) request message from the client machine’s browser

It authenticates the client based on the user-supplied credentials

It authorizes the client’s access to the requested web application after authentication

Intro to Server Security (contd.)

5

Server (continued)

It sends an HTTP response header back to the client machine with the response code 200 for successful requests or the response code 404 for page not found (perhaps due to a broken link)

It uses ports to make services available to clients

Common port numbers: 80 for HTTP traffic, 443 for HTTPS traffic, 25 for SMTP traffic, 21 for FTP traffic, 23 for telnet traffic, etc.

Examples:

Apache HTTP Server, Apache Tomcat, Microsoft IIS, IBM WebSphere, Oracle WebLogic, Red Hat JBoss EAP, etc.

Intro to Server Security (contd.)

6

Server Market Share:

Intro to Server Security (contd.)

Source: Web and Application Servers Market Share Report – Datanyze –

https://www.datanyze.com/market-share/web-and-application-servers–425

7

What is a Server? – PowerCert Animated Videos

Intro to Server Security (contd.)

Source: PowerCert Animated Videos – What is a Server? –

https://www.youtube.com/watch?v=UjCDWCeHCzY

8

Server security refers to “the fundamental activities performed as part of securing and maintaining the security of servers that provide services over network communications as a main function” (NIST SP 800-123, pg.10)

Server security involves the following (NIST SP 800-44, pg.18):

Installing, configuring, and securing the server Operating System (OS)

Installing, configuring, and securing the server software

Employing appropriate network protection mechanisms

Firewalls, packet filtering routers, proxies, etc.

Ensuring that the hosted web applications are securely coded

Employing secure administration and maintenance processes

Patching and upgrading, testing, monitoring of logs, backing up data and OS

Protecting information and data in a careful/systemic manner

Conducting initial/periodic vulnerability scans of server/network infrastructure

Intro to Server Security (contd.)

9

Server security (by technology):

Apache HTTP Server security settings

NGINX security settings

Internet Information Services (IIS) security settings

LiteSpeed Web Server security settings

OpenResty security settings

Server security (by Operating System)

Ubuntu Linux Server guide

Windows Server security guide

macOS Server Guide

Intro to Server Security (contd.)

10

Need for Server Security

11

As per NIST SP 800-123:

Servers are frequently targeted by attackers because of the value of their data and services

Servers might contain personally identifiable information that could be used to perform identity theft

Most organizations install servers with standard directory names, directory locations, and filenames, making it easy for attackers to target those servers

The failure of organizations to fully recognize the amount of expense and skills required to field a secure server often results in overworked employees and insecure systems

Need for Server Security

12

As per NIST SP 800-123 (continued):

Default hardware and software configurations are typically set by manufacturers to emphasize features, functions, and ease of use, at the expense of security

The default configuration of the OS often includes guest accounts (with and without passwords), administrator or root level accounts, and accounts associated with local and network services

Because manufacturers are unaware of each organization’s security needs, server administrators need to configure new servers to reflect their organizations’ security requirements and reconfigure them as needed

Need for Server Security (contd.)

13

As per NIST SP 800-44:

Compromised web sites can serve as an entry point for intrusions into many organizations’ internal networks

Organizations can face monetary losses, damage to reputation, or legal action if an intruder successfully violates the confidentiality of their data

Hackers could compromise web server security by:

defacing organizations’ web site or otherwise affecting integrity

executing unauthorized commands on the host OS

launching attacks on external sites from the web server

using the server to deliver attacks against vulnerable clients

using the server to distribute illegally copied software

Need for Server Security (contd.)

14

As per the EdgeScan (2019) Vulnerability Statistics Report, the most common infrastructure vulnerabilities include the following server-related issues:

44.70% – SSL / TLS Version & Configuration Issues

29.53% – SMB Security Issues

8.61% – OpenSSH Vulnerabilities & Configuration Issues

6.25% – Windows Remote Desktop Protocol Server MITM

4.15% – Unencrypted Telnet Services

1.69% – Unsupported & Unpatched Server Detection

Need for Server Security (contd.)

15

As per the EdgeScan (2019) Vulnerability Statistics Report:

33.33% of all high and critical risk vulnerabilities discovered in 2018 were in relation to unsupported Windows Server 2003 systems (no patching, support, end-of-life systems)

7.53% of all high and critical risk vulnerabilities discovered in 2018 related to exposure to NotPetya CVEs (CVE-2017-0144, CVE-2017-0145) – Windows Server Message Block (SMB) Remote Code Execution Vulnerability

Systems using Apache and PHP also contributed to the Top 10 due to weak component security and traditional patch management of exposed systems

Need for Server Security (contd.)

16

Hackers are increasingly using servers to cause data breaches (Privacy Rights Clearinghouse, 2020)

Need for Server Security (contd.)

17

Server Security Fundamentals

18

What is the Apache HTTP Server? – CBT Nuggets

Server Security Fundamentals

Source: CBT Nuggets – What is the Apache HTTP Server? –

https://www.youtube.com/watch?v=fRLJ3bnbHmE

19

A basic Apache web server architecture includes the following components (Kew, 2007):

Modules

Multi-Processing Modules (MPM)

Apache Portable Runtime (APR) Libraries

Server Security Fundamentals (contd.)

20

Apache web server architecture:

Modules

Functionality that can be used to do things such as authentication, dynamic content generation, encryption, virus scanning, file compression, email services, file transfer services, etc.

Multi Processing Modules (MPM)

Special module which allows Apache to be configured as a pure process-based server, a pure threaded server, or both

Apache Portable Runtime (APR) Libraries

Provides for platform-specific tuning and optimization

Server Security Fundamentals (contd.)

Source: Apache – Apache HTTP Server Version 2.4 Documentation –

https://httpd.apache.org/docs/2.4/

21

Apache web server security:

Modular architecture

Allows modules to be enabled or disabled to add and remove web server functionality

Only MPM modules can interact directly with the Operating System

Authentication

Modules can authenticate against plain text files and database files including Oracle, MySQL, PostgreSQL, etc.

E.g. mod_auth_basic, mod_auth_digest, mod_auth_form, mod_authn_dbd, etc.

Server Security Fundamentals (contd.)

Source: Apache – Apache HTTP Server Version 2.4 Documentation –

https://httpd.apache.org/docs/2.4/

22

Apache web server security (continued):

Access Control

The mod_access_compat module can restrict access to resources based on IP address or hostname of the client

SSL / TLS

The mod_ssl module provides strong encryption to protect data transmitted between the web server and the client

Proxy

Apache supports both a traditional HTTP proxy and a reverse proxy

Reverse proxy can be used for load balancing

Virtual Hosting Support and XML Security

Server Security Fundamentals (contd.)

Source: TLDP.org – Apache Overview HOWTO –

https://www.tldp.org/HOWTO/pdf/Apache-Overview-HOWTO.pdf

23

Apache web server security (continued):

Configuration Settings

Modules come with several directives related to timeouts, resource consumption, request processing, concurrent connections, etc.

Common Gateway Interface (CGI) & Server Side Includes (SSI)

The suEXEC feature can considerably reduce the security risks involved with allowing users to develop and run private CGI or SSI programs

Logs

The mod_log_config and mod_log_forensic modules can be used to log everything that happens on the server

Server Security Fundamentals (contd.)

Source: Apache.org – Apache HTTP Server Documentation Version 2.4 –

https://archive.apache.org/dist/httpd/docs/httpd-docs-2.4.33.en.pdf
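As an added example (not taken from the slides or from the Apache project's own documentation), the following Apache httpd 2.4 configuration fragment ties together the mechanisms listed across the Apache slides above: default-deny access control (mod_authz_core and mod_authz_host, the 2.4 replacement for the mod_access_compat Order/Allow/Deny syntax), file-based authentication, mod_ssl settings, mod_log_config logging, and resource-consumption directives. It also emits the Content-Security-Policy and HTTPS-only headers that drive the browser-side enforcement described in the first deck; all paths, hostnames, and network ranges are placeholders, and the Header directives assume mod_headers is loaded.

```apache
# Added example: hardened fragment for Apache httpd 2.4 (placeholders throughout)

# Reduce information disclosure in headers and error pages
ServerTokens Prod
ServerSignature Off
TraceEnable Off

# Deny everything by default (mod_authz_core); open only the document root
<Directory />
    AllowOverride None
    Require all denied
</Directory>
<Directory "/var/www/html">
    Options -Indexes -Includes -ExecCGI
    AllowOverride None
    Require all granted
</Directory>

# Host-based access control (mod_authz_host): admin path only from an
# internal range; this replaces the older mod_access_compat Allow/Deny syntax
<Location "/admin">
    Require ip 10.0.0.0/8
</Location>

# Basic authentication against a password file (mod_auth_basic + mod_authn_file)
<Directory "/var/www/html/private">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/etc/httpd/.htpasswd"
    Require valid-user
</Directory>

# TLS (mod_ssl): allow only TLS 1.2/1.3 and drop weak cipher suites;
# browser-facing headers enforce HTTPS, CSP and framing restrictions
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES
    SSLHonorCipherOrder on
    SSLCertificateFile "/etc/pki/tls/certs/example.crt"
    SSLCertificateKeyFile "/etc/pki/tls/private/example.key"
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'"
    Header always set X-Frame-Options "DENY"
</VirtualHost>

# Logging (mod_log_config): the standard combined format for every request
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog "/var/log/httpd/access_log" combined
ErrorLog "/var/log/httpd/error_log"
LogLevel warn

# Resource-consumption directives that bound the impact of slow or oversized requests
Timeout 60
KeepAliveTimeout 5
LimitRequestBody 10485760
LimitRequestFields 100
```

Validate the result with `apachectl configtest` before reloading; a missing module (for example mod_headers or mod_ssl) surfaces there rather than at runtime.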

24

Server Security Issues

25

As per NIST SP 800-123 (pg. 7), server security issues include:

Server Security Issues

Source: NIST SP 800-123 – Guide to General Server Security –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf

26

As per NIST SP 800-44 (pg. 17-18), other server security issues include the following:

Misconfiguration or other improper operation of the Web server, which may result, for example, in the disclosure or alteration of proprietary or sensitive information. This information can include items such as:

Assets of the organization

Configuration of the server or network that could be exploited for subsequent attacks

Credentials of the users or administrator(s) of the Web server

Inadequate or unavailable defense mechanisms for the Web server to prevent certain classes of attacks, such as DoS attacks, which disrupt the availability of the Web server and prevent authorized users from accessing the Web site when required

Server Security Issues (contd.)

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

27

Other server security issues include the following (continued):

Vulnerabilities within the Web server that might allow, for example, attackers to compromise the security of the server and other hosts on the organization’s network by taking actions such as the following:

Server Security Issues (contd.)

Source: NIST SP 800-44 – Guidelines on Securing Public Web Servers –

https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-44ver2.pdf

28

OWASP Top 10–A6:2017 – Security Misconfiguration

Server Security Issues (contd.)