Security Issues in Web Programming Robert M. Dondero, Ph.D. Princeton University 1
Objectives You will learn about: Authentication and authorization Secure storage of usernames and passwords Secure data transmission In: Python CGI Web programming Java CGI Web programming PHP Web programming 2
Part 1: Authentication and Authorization 3
A&A Definitions Authentication Is the user authentic? Is the user who he/she says he/she is? Authorization Does the user have proper authority? Does the user have permission to use the application in the manner he/she has requested? 4
Authorization Approaches Approaches to authorization: application specific. Typically: use database table(s) mapping each user login id to its permission to use each facet of the application (We will not discuss further) 5
Authentication Approaches Three approaches to authentication: (1) "Do it yourself" authentication (2) Basic access authentication (3) Central Authentication System (CAS) Let's consider one at a time... 6
(1) "Do It Yourself" Authentication Demo PennypackPythonAuth app Demo PennypackJavaAuth app Demo PennypackPhpAuth app 7
"Do It Yourself" Authentication Browser: <a href="searchform.cgi/php"> -> Web Server (and CGI program): calls authenticate(); valid username/password in form or cookies? No! 8
"Do It Yourself" Authentication Browser: Login page <form action="searchform.cgi"> <input type="text" name="username"> <input type="password" name="password"> ... -> username/password in form -> Web Server (and CGI program): calls authenticate(); valid username/password in form or cookies? Yes! In form. Set username/password cookies 9
"Do It Yourself" Authentication Browser: Search form page <form action="searchresults.cgi"> ... (browser retains cookies) -> username/password in cookies -> Web Server (and CGI program): calls authenticate(); valid username/password in form or cookies? Yes! In cookies. Continue as usual 10
PennypackPythonAuth App See PennypackPythonAuth application book.py, database.py, common.py index.html searchform.cgi, searchform.py searchresults.cgi, searchresults.py auth.py 11
PennypackJavaAuth App See PennypackJavaAuth application Book.java, Database.java, Common.java index.html searchform.cgi, SearchForm.java searchresults.cgi, SearchResults.java Cgi.java Auth.java 12
PennypackPhpAuth App See PennypackPhpAuth application book.php, database.php, header.php, footer.php index.html searchform.php searchresults.php auth.php login.php 13
"Do It Yourself" Auth: Logout App can provide "logout" link or form Commands browser to: Destroy the username/password cookie Set username/password to incorrect values 14
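The authenticate() decision from the flow above, together with the logout step, as an added Python example; it is not code from the PennypackPythonAuth app. It departs from the slides in one respect: the cookie carries an HMAC-signed token rather than the username and password themselves, so the browser never retains the password. USERS, SECRET and the cookie name "auth" are assumed values.

```python
"""
Added example: a CGI-style authenticate() that accepts a username/password
from the submitted form or, on later requests, an authentication cookie,
plus the logout step. USERS, SECRET and the cookie name are assumptions.
"""
import hashlib
import hmac
from http.cookies import SimpleCookie

# Constructed user table: username -> SHA-256 of the password (hex).
# A real app would keep this in the database (see Part 2 for salting).
USERS = {
    "rdondero": hashlib.sha256(b"xxx").hexdigest(),
}

# Server-side secret used to sign the cookie so that it carries a verifiable
# token rather than the password itself (assumed value).
SECRET = b"constructed-server-secret-change-me"

COOKIE_NAME = "auth"


def _mac(username):
    """HMAC-SHA256 tag binding the username to this server's SECRET."""
    return hmac.new(SECRET, username.encode(), hashlib.sha256).hexdigest()


def make_token(username):
    """Cookie value: <username>:<hmac>."""
    return username + ":" + _mac(username)


def username_from_token(token):
    """Return the username if the token's tag verifies, else None."""
    username, sep, tag = token.rpartition(":")
    if not sep or not username:
        return None
    if not hmac.compare_digest(tag, _mac(username)):
        return None          # forged or tampered cookie
    return username


def password_ok(username, password):
    """Constant-time comparison of the submitted password's hash."""
    stored = USERS.get(username)
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def authenticate(form, cookie_header):
    """
    The slide's decision: valid username/password in the form or cookies?
    form          -- dict of submitted fields (what cgi.FieldStorage yields)
    cookie_header -- value of the HTTP_COOKIE env var ("" if absent)
    Returns (username or None, list of extra response header lines).
    """
    # Case 1: credentials arrive in the login form -> set the cookie.
    if "username" in form and "password" in form:
        if password_ok(form["username"], form["password"]):
            token = make_token(form["username"])
            cookie = "%s=%s; Path=/; HttpOnly" % (COOKIE_NAME, token)
            return form["username"], ["Set-Cookie: " + cookie]
        return None, []
    # Case 2: credentials arrive in the cookie from an earlier login.
    jar = SimpleCookie()
    jar.load(cookie_header)
    if COOKIE_NAME in jar:
        user = username_from_token(jar[COOKIE_NAME].value)
        if user is not None:
            return user, []
    # Case 3: neither -> the caller shows the login page.
    return None, []


def logout_headers():
    """Command the browser to discard the cookie by expiring it in the past."""
    return ["Set-Cookie: %s=; Path=/; HttpOnly; "
            "Expires=Thu, 01 Jan 1970 00:00:00 GMT" % COOKIE_NAME]
```

The CGI program prints the returned header lines before its own Content-type line; a request that yields (None, []) gets the login page instead of the search form.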
"Do It Yourself" Auth Assessment Pros: Simple; works with any browser and web server; can implement logout. Cons: Must write yourself! Note: widely used 15
(2) Basic Access Authentication Wikipedia: "The basic access authentication is a method designed to allow a web browser, or other client program, to provide credentials in the form of a user name and password when making a request." Demo PennypackPythonAuthBasic app Demo PennypackJavaAuthBasic app Demo PennypackPhpAuthBasic app 16
CGI Basic Access Authentication Browser: <a href="searchform.cgi"> -> GET /~rdondero/cos333/pennypackpythonauthbasic/searchform.cgi HTTP/1.1 / Host: www.cs.princeton.edu / <Blank line> -> Web Server -> searchform.cgi: calls authenticate(); valid username/password in HTTP_AUTHORIZATION env var? No! -> response (through the Web Server back to the Browser): WWW-Authenticate: Basic realm="log into Pennypack.com." / Status: 401 Unauthorized access / Content-type: Text/plain 17
CGI Basic Access Authentication Browser: displays dialog box, collects username (rdondero) and password (xxx); retains rdondero:xxx -> GET /~rdondero/cos333/pennypackpythonauthbasic/searchform.cgi HTTP/1.1 / Host: www.cs.princeton.edu / Authorization: Basic rdondero:xxx (Base64 encoded) / <Blank line> -> Web Server: sets HTTP_AUTHORIZATION="Basic rdondero:xxx" env var -> searchform.cgi: calls authenticate(); gets HTTP_AUTHORIZATION env var; is "rdondero:xxx" valid? Yes! 18
CGI Basic Access Authentication Browser: Search form page <form action="searchresults.cgi"> ... (browser retains rdondero:xxx, Base64 encoded) -> GET /~rdondero/cos333/pennypackpython1/searchresults.cgi HTTP/1.1 / Host: www.cs.princeton.edu / Authorization: Basic rdondero:xxx / <Blank line> -> Web Server: sets HTTP_AUTHORIZATION="Basic rdondero:xxx" env var -> searchresults.cgi: calls authenticate(); gets HTTP_AUTHORIZATION env var; is "rdondero:xxx" valid? Yes! Continue as usual 19
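The server side of the exchange above as an added Python example (not code from PennypackPythonAuthBasic): a CGI program reads the Authorization header from the HTTP_AUTHORIZATION environment variable, decodes it, and either accepts the user or sends the 401 challenge that makes the browser pop up its dialog. The PHP variant later in the deck reads the already-split $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] instead. USERS is a constructed table; the realm text is the slide's.

```python
"""
Added example: Basic access authentication in a CGI program.
USERS is constructed; in a real app it lives in the database.
"""
import base64
import binascii
import hashlib
import hmac
import os

USERS = {"rdondero": hashlib.sha256(b"xxx").hexdigest()}   # constructed
REALM = "log into Pennypack.com."


def encode_basic(user, password):
    """What the browser sends after the dialog: 'Basic ' + base64(user:pass)."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()


def parse_basic_authorization(header):
    """
    Decode 'Basic <base64(user:pass)>' into (user, pass).
    Returns None for a missing, non-Basic, or malformed header.
    """
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    user, sep, password = text.partition(":")   # the password itself may contain ':'
    if not sep:
        return None
    return user, password


def credentials_valid(user, password):
    """Constant-time comparison against the stored password hash."""
    stored = USERS.get(user)
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


def challenge_response():
    """The 401 response that tells the browser to collect credentials."""
    return ("Status: 401 Unauthorized\r\n"
            'WWW-Authenticate: Basic realm="%s"\r\n'
            "Content-type: text/plain\r\n\r\n"
            "Unauthorized\n" % REALM)


def authenticate(environ):
    """
    environ -- the CGI environment (os.environ in a real program).
    Returns (username, None) on success, or (None, response_text) when the
    program must send the 401 challenge instead of its normal page.
    """
    creds = parse_basic_authorization(environ.get("HTTP_AUTHORIZATION", ""))
    if creds is not None and credentials_valid(*creds):
        return creds[0], None
    return None, challenge_response()


if __name__ == "__main__":
    user, reply = authenticate(os.environ)
    if user is None:
        print(reply, end="")
    else:
        print("Content-type: text/plain\r\n\r\nHello, %s" % user)
```

Note that the header is only Base64, not encryption: anyone who can read the request can recover rdondero:xxx, which is why Part 3 puts the exchange under HTTPS.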
PennypackPythonAuthBasic App See PennypackPythonAuthBasic book.py, database.py, common.py index.html searchform.cgi, searchform.py searchresults.cgi, searchresults.py auth.py 20
PennypackJavaAuthBasic App See PennypackJavaAuthBasic book.php, database.php, header.php, footer.php index.html searchform.cgi, SearchForm.java searchresults.cgi, SearchResults.java Cgi.java Auth.java 21
Apache and CGI Basic Web Auth CGI apps must create a .htaccess file containing: RewriteEngine on / RewriteRule .* - [env=http_authorization:%{http:authorization},last] Specific to Apache web server. Contains a "rewrite rule" that commands the web server to pass the HTTP_AUTHORIZATION env var to the CGI pgm 22
PHP Basic Access Authentication Browser: <a href="searchform.php"> -> GET /~rdondero/cos333/pennypackphpauthbasic/searchform.php HTTP/1.1 / Host: www.cs.princeton.edu / <Blank line> -> Web Server: require_once authenticate(); $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] valid? No! -> WWW-Authenticate: Basic realm="log into Pennypack.com." / Status: 401 Unauthorized access / Content-type: Text/plain 23
PHP Basic Access Authentication Browser: displays dialog box, collects username (rdondero) and password (xxx); retains rdondero:xxx -> GET /~rdondero/cos333/pennypackphpauthbasic/searchform.cgi HTTP/1.1 / Host: www.cs.princeton.edu / Authorization: Basic rdondero:xxx (Base64 encoded) / <Blank line> -> Web Server: require_once authenticate(); $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] valid? Yes! 24
PHP Basic Access Authentication Browser: Search form page <form action="searchresults.php"> ... (retains rdondero:xxx) -> GET /~rdondero/cos333/pennypackphpauthbasic/searchresults.php HTTP/1.1 / Host: www.cs.princeton.edu / Authorization: Basic rdondero:xxx (Base64 encoded) / <Blank line> -> Web Server: require_once authenticate(); $_SERVER["PHP_AUTH_USER"] and $_SERVER["PHP_AUTH_PW"] valid? Yes! Continue as usual 25
PennypackPhpAuthBasic App See PennypackPhpAuthBasic application book.php, database.php, header.php, footer.php index.html searchform.php searchresults.php auth.php 26
Aside: Base64 Encoding Question: How to represent an arbitrary bit sequence using only 64 characters? A-Z (26) a-z (26) 0-9 (10) + (1) / (1) Answer: Base64 encoding. Email uses it to represent images, etc. 27
Aside: Base64 Encoding [Figure from Wikipedia, not reproduced: an arbitrary bit pattern regrouped into 6-bit units] 28
Aside: Base64 Encoding [Figure from Wikipedia, not reproduced] 29
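The regrouping the two Wikipedia figures illustrate, written out by hand as an added Python example (not from the slides): three 8-bit bytes become four 6-bit indexes into the 64-character alphabet, with "=" filling in when the input is not a multiple of three bytes. The hand-written encoder and decoder are checked against Python's base64 module.

```python
"""
Added example: Base64 encoding and decoding from first principles.
"""
import base64

ALPHABET = ("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "abcdefghijklmnopqrstuvwxyz"
            "0123456789+/")
_INDEX = {c: i for i, c in enumerate(ALPHABET)}


def b64encode_manual(data):
    """Every 3 bytes (24 bits) become 4 characters of 6 bits each."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 bytes into a 24-bit integer, zero-padding on the right.
        bits = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        for shift in (18, 12, 6, 0):
            out.append(ALPHABET[(bits >> shift) & 0x3F])
        # A short final chunk yields '=' for the groups that had no input.
        pad = 3 - len(chunk)
        if pad:
            out[-pad:] = "=" * pad
    return "".join(out)


def b64decode_manual(text):
    """Inverse of b64encode_manual; rejects bad length, padding or characters."""
    if len(text) % 4:
        raise ValueError("length not a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        if pad and (pad > 2 or not quad.endswith("=" * pad) or i + 4 != len(text)):
            raise ValueError("bad padding")
        bits = 0
        for c in quad:
            if c == "=":
                val = 0
            elif c in _INDEX:
                val = _INDEX[c]
            else:
                raise ValueError("illegal character %r" % c)
            bits = (bits << 6) | val
        out += bits.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(data):
    """True when both directions agree with Python's base64 module."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode()
            and b64decode_manual(encoded) == data)
```

Note the size cost the slides allude to: 3 input bytes become 4 output characters, so the Authorization header for rdondero:xxx (12 bytes) is 16 characters long.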
Basic Access Auth: Logout Limitation of basic access authentication... Browser retains authentication info until: Browser is closed User clears "active logins" history No way for Web server to command browser to discard authentication info No way for app to implement "logout" 30
Basic Access Auth: Assessment Pros Less code Less work for application programmer Works with any browser/web server Cons Less control No logout Frequently used by small private websites Rarely used by large public websites 31
Basic Access Auth: Alternative Incidentally... Can let the Web server and browser do all the work... 32
Basic Access Auth: Alternative .htaccess File: RewriteEngine on / RewriteRule .* - [env=http_authorization:%{http:authorization},last] / AuthUserFile /u/rdondero/public_html/cos333/pennypackpythonauthapache/.htpasswd / AuthType Basic / AuthName "Please login to Pennypack" / Require valid-user Informs web server to: use basic access authentication; find usernames and passwords in file .htpasswd 33
Basic Access Auth: Alternative .htpasswd File: rdondero:ryo7czqcz5wva / cos217:ncjw.2c0vbz8. Contains usernames and encrypted passwords. Created automatically by the commands: htpasswd -c .htpasswd rdondero / htpasswd .htpasswd cos217 The htpasswd command is available on penguins 34
Basic Access Auth: Alternative Pros: Simple No work for application programmer Cons: Specific to Apache web server How to manage usernames and passwords? Apache has plug-in modules to allow usernames and passwords to reside in DB 35
(3) CAS Authentication Wikipedia: "The Central Authentication Service (CAS) is a single sign-on protocol for the web. Its purpose is to permit a user to access multiple applications while providing their credentials (such as userid and password) only once. It also allows web applications to authenticate users without gaining access to a user's security credentials, such as a password." 36
CAS Authentication Demo PennypackPythonAuthCas app Demo PennypackJavaAuthCas app Demo PennypackPhpAuthCas app 37
CAS Authentication Question: How does it work? Answer: Beyond the scope of the course See http://www.jasig.org/cas/protocol if interested Question: How do I use it in my apps? Answer:...
PennypackPythonAuthCas App See PennypackPythonAuthCas application book.py, database.py, common.py index.html searchform.cgi, searchform.py searchresults.cgi, searchresults.py CASClient.py Written by Brian Kernighan, translated from PHP version written by Scott Karlin and Alex Halderman 39
PennypackJavaAuthCas App See PennypackJavaAuthCas application book.php, database.php, header.php, footer.php index.html searchform.cgi, SearchForm.java searchresults.cgi, SearchResults.java Cgi.java CASClient.java Written by Dondero, translated from CASClient.py 40
PennypackPhpAuthCas App See PennypackPhpAuthCas application book.php, database.php, header.php, footer.php index.html searchform.php searchresults.php CASClient.php Written by Scott Karlin and Alex Halderman, with small edits by Dondero 41
CAS Authentication Assessment Pros Application need not manage usernames or passwords Application cannot access passwords! Cons Suppose you want to make your application available to the Princeton community, and only that community Can't ask for passwords!!! Complex Adds overhead 42
Part 2: Secure Storage of Usernames and Passwords 43
Storing Usernames & Passwords Problem: How to store usernames/passwords securely? I.e., How to store usernames/passwords (in DB) such that attackers cannot steal them? 44
One-Way Functions Insight: Maybe you don't need to store the usernames or passwords! Maybe it's sufficient to know whether a given username and password are correct! Solution: One-way function storedusername = onewayfunction(username) storedpassword = onewayfunction(password) 45
Example One-Way Function Example: md5() hash function Given string, generates integer Given integer, cannot generate string Given same string, generates same integer May generate same integer for two distinct strings, but improbable Given username/password, can determine (to high degree of probability) that they are valid Attacker sees storedusername/storedpassword => attacker doesn't know username/password 46
The Need for Salting Problem: One-way function approach is susceptible to a brute force attack... Given md5 sum, attacker could search (malevolent) DB of known md5 sums for username/password 47
Salting Solution: salting "Salt" the username/password with some extra application-specific text Example: storedusername = md5('!@#' + username + '$%^') storedpassword = md5('&*(' + password + ')_+') 48
Salting Note: Given username/password, can verify (to a high degree of certainty) that they are correct. One-way function: attacker sees storedusername/storedpassword => doesn't know username/password. Salting: attacker finds md5 sum in malevolent DB => still doesn't know username/password; attacker would also have to see the salting code 49
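Storing and checking a salted password, as an added Python example (not from the slides). The first pair of functions follows the slides' scheme literally, a fixed application-specific salt around the value and then a hash; the second pair generalises it to what is used in practice today: a random per-user salt stored next to the hash and a deliberately slow key derivation function (PBKDF2-HMAC-SHA256 here), so that two users with the same password get different stored values and a precomputed table of hashes is of no use against the DB. The salt strings are the slide's; the iteration count and storage format are assumptions.

```python
"""
Added example: salted password storage, slide-style and generalised.
"""
import hashlib
import hmac
import os

# --- Scheme as on the slide: fixed application-specific salt + md5 --------
APP_SALT_BEFORE = "&*("      # salt strings from the slide's example
APP_SALT_AFTER = ")_+"


def store_slide_style(password):
    """storedpassword = md5('&*(' + password + ')_+'), as on the slide."""
    salted = APP_SALT_BEFORE + password + APP_SALT_AFTER
    return hashlib.md5(salted.encode()).hexdigest()


def check_slide_style(password, stored):
    return hmac.compare_digest(store_slide_style(password), stored)


# --- Generalisation: random per-user salt + slow hash ---------------------
ITERATIONS = 100_000      # assumed; tune so that one check costs ~100 ms


def store_password(password, salt=None):
    """
    Returns the string to keep in the DB: 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh 16-byte random salt is drawn for every stored password.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def check_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        iters = int(iters)
    except ValueError:
        return False          # malformed DB value
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iters)
    return hmac.compare_digest(digest.hex(), digest_hex)
```

Keeping the iteration count inside the stored string lets the application raise ITERATIONS later without invalidating existing rows: old rows keep verifying with their recorded count and can be re-stored at the next successful login.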
Part 3: Secure Data Transmission 50
The Problem Problem: Bob wants to send message to Alice. Bob wants message to be secure, i.e., unintelligible to eavesdroppers. Solution... 51
Secret Key Encryption Diagram: Bob: msg -> encode(key) -> msgencodedusingkey; Alice: msgencodedusingkey -> decode(key) -> msg. (1) Alice sends key to Bob (2) Bob encodes msg using key (3) Alice decodes msg using key 52
Problem Eavesdropping attack: When Alice sends key to Bob, Hacker eavesdrops; Hacker knows key. When Bob sends encoded msg to Alice, Hacker eavesdrops; Hacker decodes msg. Solution... 53
Public Key Encryption Diagram: Bob: msg -> encode(alicespublickey) -> msgencodedusingalicespublickey (can't decode w/o Alice's private key -- see Computers Limited by David Harel); Alice: msgencodedusingalicespublickey -> decode(alicesprivatekey) -> msg. (1) Alice sends her public key to Bob (2) Bob encodes msg using Alice's public key (3) Alice decodes msg using her private key 54
Problem Authentication: How can Alice know that msg really is from Bob? Previously: user authentication. How can app authenticate user? How does amazon.com know that I'm who I say? Solution: usernames and passwords. Now: process authentication. How can client & server processes authenticate themselves? How do I know that I'm really communicating with amazon.com? Solution... 55
Public Key Encryption with Auth Diagram: Bob: msg -> decode(bobsprivatekey) -> msgdecodedusingbobsprivatekey -> encode(alicespublickey) -> msgdecodedusingbobsprivatekeyandencodedusingalicespublickey; Alice: msgdecodedusingbobsprivatekeyandencodedusingalicespublickey -> decode(alicesprivatekey) -> msgdecodedusingbobsprivatekey -> encode(bobspublickey) -> msg. (1) Alice sends her public key to Bob (2) Bob sends his public key to Alice (3) Bob decodes and encodes (4) Alice decodes and encodes 56
Problem Man-in-the-middle attack: When Bob sends public key to Alice, Hacker intercepts. Hacker replaces Bob's public key with Hacker's public key. Alice stores Hacker's public key. Later, Hacker sends message to Alice using Hacker's public key; Alice thinks message is from Bob. Solution... 57
Certificates Bob & Alice store their public keys ("certificates") with a certification authority E.g. Verisign Costs money!!! Bob retrieves Alice's public key from certification authority (not from Alice) Alice retrieves Bob's public key from certification authority (not from Bob) Still not perfect, but harder for Hacker to "get between" Bob & Alice 58
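The three exchanges of this part carried out end to end, as an added Python example (not from the slides or any course app): (1) Bob encodes with Alice's public key and only her private key decodes; (2) Bob first "decodes" with his private key and encodes with Alice's public key, and Alice reverses both steps, as on the "Public Key Encryption with Auth" slide; (3) a certification authority signs (name, public key) pairs so that Alice uses Bob's key only after the certificate checks out, which is what defeats the substituted key on the man-in-the-middle slide. It uses textbook RSA on tiny constructed primes so every step is visible; the primes are far too small for real use, and the per-byte encoding is purely illustrative.

```python
"""
Added example: the slides' public-key exchanges with toy textbook RSA.
All primes and key values are constructed for illustration only.
"""
import hashlib


def make_key(p, q, e):
    """Textbook RSA key pair from two (tiny, constructed) primes: (public, private)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)                # modular inverse (Python 3.8+)
    return (n, e), (n, d)


# Constructed keys. Bob's modulus is smaller than Alice's so that a value
# "decoded" under Bob's key always fits under Alice's key afterwards.
BOB_PUB, BOB_PRIV = make_key(61, 53, 17)        # n = 3233
ALICE_PUB, ALICE_PRIV = make_key(89, 97, 17)    # n = 8633
CA_PUB, CA_PRIV = make_key(101, 107, 17)        # n = 10807


def apply_key(values, key):
    """Raise each value to the key's exponent modulo n ("encode" or "decode")."""
    n, exp = key
    return [pow(v, exp, n) for v in values]


# (1) Public key encryption: encode(alicespublickey), decode(alicesprivatekey)
def encrypt_for_alice(msg):
    return apply_key(list(msg), ALICE_PUB)


def alice_decrypt(cipher):
    return bytes(apply_key(cipher, ALICE_PRIV))


# (2) With authentication, as on the "Public Key Encryption with Auth" slide
def bob_send(msg):
    signed = apply_key(list(msg), BOB_PRIV)     # Bob decodes with his private key
    return apply_key(signed, ALICE_PUB)         # then encodes with Alice's public key


def alice_receive(cipher, bob_pub=BOB_PUB):
    signed = apply_key(cipher, ALICE_PRIV)      # Alice decodes with her private key
    plain = apply_key(signed, bob_pub)          # then encodes with Bob's public key
    if any(v > 255 for v in plain):
        return None        # toy check: does not decode to bytes under this key
    return bytes(plain)


# (3) Certificates: the CA signs hash(name, public key) with its private key
def cert_digest(name, pub):
    material = "%s|%d|%d" % (name, pub[0], pub[1])
    return list(hashlib.sha256(material.encode()).digest())


def ca_issue(name, pub):
    return {"name": name, "pub": pub, "sig": apply_key(cert_digest(name, pub), CA_PRIV)}


def cert_valid(cert):
    """Anyone holding the CA's public key can check the certificate."""
    return apply_key(cert["sig"], CA_PUB) == cert_digest(cert["name"], cert["pub"])


def alice_receive_from(cert, cipher):
    """Alice uses the public key in a certificate only after the CA's signature checks."""
    if not cert_valid(cert):
        return None        # substituted or tampered key: refuse to proceed
    return alice_receive(cipher, cert["pub"])
```

Real TLS does not encrypt message bytes one at a time with RSA; it signs a hash of the data and uses the public keys only to establish a symmetric session key. The control flow is the same, however: the peer's key is trusted only through a certificate that chains to a trusted authority.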
Certificates In practice: Certificates often used by client (browser) to authenticate server (web server) Certificates rarely used by server (web server) to authenticate client (browser) Would require browser user to create certificate and store it with certification authority Costs money! 59
TLS TLS (Transport Layer Security) Based upon earlier SSL (Secure Sockets Layer) Operates on top of TCP Provides public key encryption & authentication with certificates to HTTP 60
HTTPS HTTPS (Hypertext Transfer Protocol Secure) HTTP + TLS Provides public key encryption & authentication with certificates to Web applications 61
Using HTTPS Assumptions Administrators have configured Web server for HTTPS Generated public keys Paid money to store with certification authority Etc. Using Apache Web server 62
Using HTTPS HTTPS is between browser and web server; your app need not be concerned. To tell the web server to use HTTPS for your app: create a .htaccess file in the app directory and add this line: SSLRequireSSL To tell the browser to use HTTPS: https://host:443/file (443 is the default port) 63
PennypackJavaSecure App All files identical to PennypackJava3; add .htaccess file to app directory. Try accessing as: https://www.cs.princeton.edu/~rdondero/cos333/PennypackJavaSecure/index.html (yes) https://www.cs.princeton.edu:443/~rdondero/cos333/PennypackJavaSecure/index.html (yes) https://www.cs.princeton.edu:80/~rdondero/cos333/PennypackJavaSecure/index.html (no) http://www.cs.princeton.edu/~rdondero/cos333/pennypackjavasecure/index.html (no!!!) 64
Problem Session hijacking: Some websites use HTTPS for initial login, and not thereafter. Hacker can eavesdrop on transmission of session id cookies. Hacker can "hijack" a user's session!!! Solution: Websites should use HTTPS throughout and tolerate slightly worse performance 65
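The session-cookie side of the solution, as an added Python example (not from the slides or any course app): the weak Set-Cookie line beside the corrected one, which carries the Secure attribute so the browser sends the session id over HTTPS only, and a server-side check that refuses, and revokes, a session id that nevertheless arrived over plain HTTP, since such an id must be treated as already exposed. Under Apache the HTTPS environment variable is "on" for TLS requests, which is what the CGI program sees; the SESSIONS table and the cookie name are constructed.

```python
"""
Added example: session cookies that only travel over HTTPS.
SESSIONS and the cookie name are constructed.
"""
import secrets
from http.cookies import SimpleCookie

SESSIONS = {}               # constructed: session id -> username
COOKIE_NAME = "sessionid"


def weak_session_cookie(sid):
    """The pattern the slide warns about: the cookie is sent over http:// too."""
    return "Set-Cookie: %s=%s; Path=/" % (COOKIE_NAME, sid)


def secure_session_cookie(sid):
    """Secure: sent over HTTPS only. HttpOnly: not readable by page scripts."""
    return "Set-Cookie: %s=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % (COOKIE_NAME, sid)


def login(username):
    """After a successful login: issue a fresh, unguessable session id."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = username
    return sid, secure_session_cookie(sid)


def current_user(environ):
    """
    Resolve the request's session from the CGI environment.
    A session id presented over plain HTTP is treated as exposed:
    it is revoked and the request is handled as unauthenticated.
    """
    jar = SimpleCookie()
    jar.load(environ.get("HTTP_COOKIE", ""))
    if COOKIE_NAME not in jar:
        return None
    sid = jar[COOKIE_NAME].value
    if environ.get("HTTPS", "").lower() != "on":
        SESSIONS.pop(sid, None)   # possibly eavesdropped: invalidate it
        return None
    return SESSIONS.get(sid)
```

With SSLRequireSSL in .htaccess the plain-HTTP request never reaches the program at all; the check in current_user() covers deployments where that directive is missing for some path.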
Firesheep Firesheep makes the problem extremely visible, even to non-tech Web users. Firefox browser plug-in; for Windows and Mac, not yet Linux. See demo at: http://www.youtube.com/watch?v=ztzpr-taezw 66
Summary We have covered: Authentication and authorization Secure storage of usernames and passwords Secure data transmission In: Python CGI Web programming Java CGI Web programming PHP Web programming 67