Introduction to Web Security
TRANSCRIPT
![Page 1: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/1.jpg)
Web Security

• What is security in a web app context?
• Authentication vs Authorization
• “Standard” way - Stateful
• “Modern” way - Stateless
• Cookies and Tokens
• Double and 2-step verification
• Useful libraries
• Summary
![Page 2: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/2.jpg)
What is Security?

• the practice of defending information from unauthorized access
• keeping all valuable information away from unprivileged users
• protecting data from leaking outside the company
• storing confidential information only for provisioned roles
![Page 3: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/3.jpg)
Authorization vs Authentication
![Page 4: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/4.jpg)
Unauthorized
Forbidden
![Page 5: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/5.jpg)
Session

• Storing data on the server side
• The client passes back only an id
• The server knows which user it is talking to
• Lasts from the user's first visit to the page and is kept for some time after their last activity (request)
• It is almost impossible to know that the user has left the page
• In most servers a session expires after a particular period
![Page 6: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/6.jpg)
RESTful

• The whole state needs to be held by the client, not the server
• State is transferred in every request to relieve the server from remembering it
• An ideal RESTful service allows clients to perform any needed task in one request

Stateless?

Actually, there is a state!

When it comes to authentication, some information has to stay on the server side for security reasons
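The two slides above (the stateful session and the "stateless, but actually there is a state" token) side by side, as an added Ruby example that is not part of the original slides. The session store keeps everything server-side and hands the client only an opaque id with an idle timeout; the token variant pushes the claims to the client, and the only thing that must remain on the server is the HMAC signing key. Timeouts, the clock injection and the token layout (base64 payload, a dot, base64 HMAC-SHA256) are assumptions made for this demo.

```ruby
require "securerandom"
require "openssl"
require "json"
require "base64"

# "Standard" stateful approach: the server remembers everything, the client
# only passes back an opaque session id. Idle timeout and clock are assumed.
class SessionStore
  def initialize(idle_timeout: 30 * 60, clock: -> { Time.now })
    @sessions = {}
    @idle_timeout = idle_timeout
    @clock = clock
  end

  # Creates a session for an already-authenticated user; returns the id for the client.
  def create(user_id)
    id = SecureRandom.hex(32)   # 256 bits of entropy, not guessable or enumerable
    @sessions[id] = { user_id: user_id, last_seen: @clock.call }
    id
  end

  # Looks up the user behind a session id. Refreshes last_seen on success and
  # deletes the entry once the idle timeout has passed (the "expires after a
  # particular period" behaviour from the slide).
  def user_for(id)
    entry = @sessions[id]
    return nil unless entry
    if @clock.call - entry[:last_seen] > @idle_timeout
      @sessions.delete(id)
      return nil
    end
    entry[:last_seen] = @clock.call
    entry[:user_id]
  end
end

# "Modern" stateless approach: the client carries its own state in a signed
# token. The server keeps no per-user record, only the secret key, which is the
# piece of state that must never leave the server side.
class StatelessToken
  def initialize(secret, ttl: 15 * 60, clock: -> { Time.now })
    @secret = secret
    @ttl = ttl
    @clock = clock
  end

  # Token layout (constructed for this demo): base64url(payload).base64url(HMAC-SHA256).
  def issue(user_id)
    payload = JSON.generate({ sub: user_id, exp: (@clock.call + @ttl).to_i })
    body = Base64.urlsafe_encode64(payload, padding: false)
    "#{body}.#{sign(body)}"
  end

  # Returns the user id if signature and expiry check out, nil otherwise.
  def verify(token)
    body, sig = token.to_s.split(".", 2)
    return nil unless body && sig
    return nil unless secure_equal?(sign(body), sig)   # tampered or forged
    claims = JSON.parse(Base64.urlsafe_decode64(body))
    return nil if claims["exp"] <= @clock.call.to_i    # expired
    claims["sub"]
  rescue ArgumentError, JSON::ParserError
    nil   # malformed base64 or JSON is treated as an invalid token
  end

  private

  def sign(body)
    mac = OpenSSL::HMAC.digest("SHA256", @secret, body)
    Base64.urlsafe_encode64(mac, padding: false)
  end

  # Constant-time comparison so the MAC check does not leak timing information.
  def secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end
```

Note the trade-off the slide hints at: the server-side session can be revoked instantly by deleting the entry, while the signed token stays valid until `exp` unless you reintroduce server-side state (a revocation list or a rotated key).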
![Page 7: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/7.jpg)
And what about cookies?

• If cookies are used to maintain state at the client side, for the client, of the client and by the client, then they are RESTful.
• For clients other than browsers, managing cookies is a pretty big inconvenience compared to query params
• However, in a browser, using cookies can make lots of things much simpler
• The API should first look in the Authorization header for the authentication data (the place for non-browser clients) and, only if authentication data is missing there, may also check for a session cookie
• When we are the only developers creating apps that access our web service, we can depend on cookies and implement cookie mechanisms in our applications
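The lookup order from the slide (Authorization header first, session cookie only when the header is absent), as an added Ruby example that is not from the original slides. The request shape (a hash of headers and a hash of cookies), the `KNOWN_TOKENS` table that stands in for real token and session validation, and the cookie name `session_id` are all constructed for this demo.

```ruby
# Constructed lookup table standing in for real token / session validation.
KNOWN_TOKENS = { "api-token-abc" => "service-account", "sess-42" => "alice" }.freeze

# Extracts the credential from an "Authorization: Bearer <token>" header value.
# Any other scheme (Basic, Digest, ...) yields nil here.
def parse_bearer(header_value)
  return nil unless header_value
  scheme, credential = header_value.strip.split(/\s+/, 2)
  return nil unless scheme && credential && scheme.casecmp?("Bearer")
  credential
end

# Resolves the caller's identity. Returns { source:, user: } where user is nil
# when nothing valid was presented.
def authenticate(headers:, cookies:, lookup: KNOWN_TOKENS)
  if headers.key?("Authorization")
    # Header present: this is the non-browser client path. A present but invalid
    # header is an authentication failure; we deliberately do not fall through
    # to the cookie, so a bad API token cannot be "rescued" by a browser session.
    token = parse_bearer(headers["Authorization"])
    return { source: :header, user: token && lookup[token] }
  end
  # Header missing: browser path, check the session cookie.
  session_id = cookies["session_id"]
  return { source: :cookie, user: lookup[session_id] } if session_id
  { source: :none, user: nil }
end

# When the app sets the browser session cookie, the attributes matter:
# HttpOnly keeps it away from page scripts, Secure keeps it off plain HTTP,
# SameSite limits cross-site sending. Constructed value for the demo.
def session_cookie_header(session_id)
  "session_id=#{session_id}; Path=/; HttpOnly; Secure; SameSite=Lax"
end
```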
![Page 8: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/8.jpg)
(Slide diagram, labels only: Login, Token, Request, Response, Data, DB)

Use the new TLS!

• Asymmetric cryptography
• Secure data between connection endpoints
• Client encrypts data, Server decrypts it
• Protects from MITM
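The "protects from MITM" point holds only if the client actually verifies the server's certificate, so here is an added Ruby example (not from the slides) that runs a TLS server and client in one process over loopback. A self-signed certificate for `localhost` is constructed in memory; the first client trusts that certificate and gets the greeting, the second trusts an unrelated certificate (the situation a client is in when an interposed party presents its own certificate) and the handshake is refused before any application data is sent. Port, greeting text and certificate contents are all assumptions for this demo.

```ruby
require "openssl"
require "socket"

# Builds a self-signed certificate (constructed for the demo; a real deployment
# uses a certificate issued by a CA the client already trusts).
def make_self_signed_cert(cn = "localhost")
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = OpenSSL::BN.rand(64)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("subjectAltName", "DNS:#{cn}"))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [key, cert]
end

# Starts a TLS server on an ephemeral loopback port that greets `connections`
# clients and then stops. A handshake the client refuses is swallowed so the
# loop continues; note that nothing was sent in the clear in that case.
def start_tls_server(cert, key, connections)
  tcp = TCPServer.new("127.0.0.1", 0)
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  server = OpenSSL::SSL::SSLServer.new(tcp, ctx)
  thread = Thread.new do
    connections.times do
      begin
        conn = server.accept
        conn.puts "hello over TLS"
        conn.close
      rescue OpenSSL::SSL::SSLError, IOError, SystemCallError
        # client rejected our certificate
      end
    end
    tcp.close
  end
  [tcp.addr[1], thread]
end

# Client that verifies the server certificate against `trusted` and checks
# that the certificate is really for `hostname`. Returns the greeting, or
# :rejected when the presented certificate is not one we trust.
def tls_connect(port, trusted, hostname: "localhost")
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.verify_mode = OpenSSL::SSL::VERIFY_PEER   # VERIFY_NONE would silently accept anyone
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted)
  ctx.cert_store = store
  tcp = TCPSocket.new("127.0.0.1", port)
  ssl = OpenSSL::SSL::SSLSocket.new(tcp, ctx)
  ssl.sync_close = true
  ssl.hostname = hostname          # SNI
  ssl.connect                      # certificate chain is verified here
  ssl.post_connection_check(hostname)   # and the name in it must match
  greeting = ssl.gets.to_s.strip
  ssl.close
  greeting
rescue OpenSSL::SSL::SSLError
  tcp&.close
  :rejected
end

# Runs both scenarios against the same server.
def tls_demo
  server_key, server_cert = make_self_signed_cert("localhost")
  _other_key, unrelated_cert = make_self_signed_cert("other.example")
  port, thread = start_tls_server(server_cert, server_key, 2)
  result = {
    trusted: tls_connect(port, server_cert),      # client trusts the real server cert
    untrusted: tls_connect(port, unrelated_cert)  # server's cert does not chain to what we trust
  }
  thread.join
  result
end
```

The check a practitioner wants from this: `verify_mode` must be `VERIFY_PEER` and the hostname must be checked; the asymmetric part of TLS only establishes the session key, and without certificate verification that key could just as well be agreed with whoever sits in the middle.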
![Page 9: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/9.jpg)
Multi-factor authentication

Token +
• IP
• User Agent
• SMS
• Biometric
• Face
• Electronic signature
• Codes from card
![Page 10: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/10.jpg)
![Page 11: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/11.jpg)
Cross-Site Scripting

https://xss-game.appspot.com/
https://github.com/gbirke/Sanitize.js
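Since the slide names XSS and points at a sanitizer, here is an added Ruby example (not from the slides, and unrelated to Sanitize.js) of the server-side defence that always applies: escaping untrusted data at the point of output, in the context where it is used. The vulnerable render uses plain ERB, which does not escape `<%= %>`; the hardened versions escape for the HTML body, for an attribute, and for a value embedded in a script block. The template strings and the sample input are constructed for the demo.

```ruby
require "erb"
require "json"

# Constructed untrusted input: something a user could type into a profile field.
UNTRUSTED_NAME = "<script>alert(1)</script>"

# Vulnerable: plain ERB inserts the value as-is, so user input becomes markup.
def render_unsafe(name)
  ERB.new("<p>Hello, <%= name %></p>").result_with_hash(name: name)
end

# Hardened for HTML body context: &, <, >, " and ' are turned into entities.
def render_safe(name)
  ERB.new("<p>Hello, <%= ERB::Util.html_escape(name) %></p>").result_with_hash(name: name)
end

# Hardened for attribute context: the value is quoted AND escaped, so a quote
# in the input cannot terminate the attribute early.
def render_attr_safe(name)
  ERB.new('<input value="<%= ERB::Util.html_escape(name) %>">').result_with_hash(name: name)
end

# Hardened for a JSON value placed inside <script>: HTML escaping is the wrong
# tool there; the value is JSON-encoded and "</" is broken up so the input
# cannot close the script element.
def script_json(value)
  JSON.generate(value).gsub("</", "<\\/")
end
```

Input-side sanitizing (what Sanitize.js does for rich text you intend to render as HTML) and output escaping are complementary: sanitize when HTML input is a feature, escape everywhere else.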
![Page 12: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/12.jpg)
2-step verification
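For the multi-factor and 2-step verification slides, an added Ruby example (not from the slides) of the second factor most apps start with: time-based one-time codes (HOTP from RFC 4226, TOTP from RFC 6238, both using only `OpenSSL::HMAC`). The server-side verifier accepts one step of clock drift either way and remembers the last step it accepted per user so a code cannot be replayed within its window. The 30-second step and 6 digits are the RFC defaults; the shared secret in the test is the RFC test-vector secret, and the in-memory `@last_step` table is an assumption (a real app persists it).

```ruby
require "openssl"

# HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
# "dynamic truncation" picks 31 bits and reduces them to `digits` decimals.
def hotp(secret, counter, digits: 6)
  msg = [counter >> 32, counter & 0xffffffff].pack("NN")
  mac = OpenSSL::HMAC.digest("SHA1", secret, msg).bytes
  offset = mac[19] & 0x0f
  code = ((mac[offset] & 0x7f) << 24) | (mac[offset + 1] << 16) |
         (mac[offset + 2] << 8) | mac[offset + 3]
  format("%0#{digits}d", code % 10**digits)
end

# TOTP (RFC 6238): the counter is the number of `step`-second intervals since the epoch.
def totp(secret, at:, digits: 6, step: 30)
  hotp(secret, at.to_i / step, digits: digits)
end

# Constant-time comparison so a wrong code takes as long as a right one.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verifier with a drift window and replay protection.
class TotpVerifier
  def initialize(window: 1)
    @window = window
    @last_step = {}   # user => last accepted counter (assumed in-memory for the demo)
  end

  # Returns true once per (user, time step); the same code is refused afterwards.
  def verify(user, secret, code, at: Time.now, step: 30)
    current = at.to_i / step
    (-@window..@window).each do |delta|
      counter = current + delta
      next if @last_step[user] && counter <= @last_step[user]   # already used
      if constant_time_equal?(hotp(secret, counter), code.to_s)
        @last_step[user] = counter
        return true
      end
    end
    false
  end
end
```

Two operational caveats the code makes visible: the secret is shared, so it must be stored with the same care as a password hash would deserve (it cannot be hashed, since the server needs it), and the verifier needs rate limiting on top, because a 6-digit code within a 3-step window is guessable by brute force without it.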
![Page 13: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/13.jpg)
![Page 14: Introduction to Web Security](https://reader036.vdocuments.us/reader036/viewer/2022062313/55c35a05bb61eb4a1f8b4887/html5/thumbnails/14.jpg)
Useful GEMs for Rails

• the_role | https://github.com/the-teacher/the_role
  • Which resources are available for which role (group of users)
  • Roles and permissions are declared with JSON and stored in the DB
  • Access can be managed from an administrative panel within our web app
• declarative_authorization | https://github.com/stffn/declarative_authorization
  • The developer needs to specify which roles are allowed to access a specific controller action or a part of a view
  • Authorization at controller, model or view level
  • DSL for specifying authorization rules
• devise | https://github.com/plataformatec/devise
  • Complete MVC solution based on the modularity concept
  • Offers a complete session model for authentication
  • Provides generators for scaffolding the authorization skeleton
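To tie the gem list back to the "Unauthorized vs Forbidden" slide, here is an added plain-Ruby example (not code from the_role, declarative_authorization or devise) of a deny-by-default role policy declared as JSON, in the spirit of the_role's stored JSON permissions, and of the decision that yields the two HTTP answers: 401 when the caller is unknown, 403 when the caller is known but the role does not permit the action. The policy contents, controller names and the `{ roles: [...] }` user shape are constructed for the demo.

```ruby
require "json"

# Constructed policy: role => controller => allowed actions. Anything not
# listed is denied, which is the least-privilege default you want.
POLICY_JSON = <<~POLICY
  {
    "admin":  { "articles": ["index", "show", "create", "destroy"], "users": ["index", "destroy"] },
    "editor": { "articles": ["index", "show", "create"] },
    "reader": { "articles": ["index", "show"] }
  }
POLICY

class RolePolicy
  def initialize(json)
    @rules = JSON.parse(json)
  end

  # True if any of the caller's roles lists this controller action.
  def allowed?(roles, controller, action)
    Array(roles).any? { |role| @rules.dig(role, controller)&.include?(action) }
  end
end

# Authentication answers "who are you?", authorization answers "may you?":
#   nobody identified          -> 401 Unauthorized
#   identified, not permitted  -> 403 Forbidden
#   identified and permitted   -> 200 OK
def authorize(policy, user, controller, action)
  return [401, "Unauthorized"] if user.nil?
  return [403, "Forbidden"] unless policy.allowed?(user[:roles], controller, action)
  [200, "OK"]
end
```

Because the policy is data rather than code, it can be edited from an admin panel (the_role's model) and audited as a single document; the price is that a typo in the JSON silently removes a permission rather than raising, so tests like the ones below belong next to the policy.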