
    The most common information security problems in web development

    This bachelor's thesis presents the most common problems in web programming from the perspective of the JavaScript programming language and examines how using the AngularJS framework during development affects avoiding or solving those problems. The thesis introduces the JavaScript language and information security in general and then looks more closely at a few important weaknesses in the security of JavaScript. It presents the AngularJS framework and how its use can make web development easier. AngularJS contains many built-in protections against the most typical JavaScript problems, such as XSS attacks. These protections are not perfect, however, since programming errors and carelessness can make even a program built with AngularJS vulnerable. The use of such tools is nevertheless recommended in web development, because when used correctly they make web development faster, smoother and more secure.

    WPSE: Fortifying Web Protocols via Browser-Side Security Monitoring

    We present WPSE, a browser-side security monitor for web protocols designed to ensure compliance with the intended protocol flow, as well as confidentiality and integrity properties of messages. We formally prove that WPSE is expressive enough to protect web applications from a wide range of protocol implementation bugs and web attacks. We discuss concrete examples of attacks which can be prevented by WPSE on OAuth 2.0 and SAML 2.0, including a novel attack on the Google implementation of SAML 2.0 which we discovered by formalizing the protocol specification in WPSE. Moreover, we use WPSE to carry out an extensive experimental evaluation of OAuth 2.0 in the wild. Out of 90 tested websites, we identify security flaws in 55 websites (61.1%), including new critical vulnerabilities introduced by tracking libraries such as Facebook Pixel, all of which are fixable by WPSE. Finally, we show that WPSE works flawlessly on 83 websites (92.2%), with the 7 compatibility issues being caused by custom implementations deviating from the OAuth 2.0 specification, one of which introduces a critical vulnerability.

    Interactive spatial web-based system for eco-tourism in Royal Belum state park, Perak

    Royal Belum State Park (RBSP) is one of the main global destinations for nature-based tourism activities and one of the eco-tourism locations in the national eco-tourism plan. However, due to outdated promotion, a lack of visible infrastructure and the unavailability of an interactive web-based map for tourists, RBSP is yet to be recognized as one of the attractions for tourism activities. To address these problems, this research developed an interactive web-based eco-tourism system for RBSP. In this research, a geographic information system (GIS), an auxiliary tool in developing the eco-tourism system, was distributed across a computer network to integrate, disseminate, and communicate geographic information visually on the existing World Wide Web. Several phases were involved in this research, namely User Requirement Analysis (URA), database system design, data collection, web-based development and system validation. The URA was distributed online via a Google document to 46 respondents and manually to 4 staff of the Perak State Park Corporation (PSPC). Feedback from the respondents was included in the interactive web-based system. Next, a database system was created using ArcGIS 10 software to produce geospatial data and digital maps, while data on the attractive places in RBSP were collected for input into the web-based system. Following that, the web-based system was developed using HTML, CSS, PHP, MySQL Workbench and JavaScript. Complete information such as facilities, prices and activities, together with an interactive map with working tools such as the database system, network analysis and cross section, were included to help tourists pre-plan their vacations. Finally, the web-based system was validated by distributing another questionnaire to fifty respondents. The results revealed that 60% (n=30) of respondents stated that the web-based system was an excellent interactive system, followed by 38% (n=19) saying it was good and 2% (n=1) rating it moderate. In conclusion, this interactive tourism web-based system for RBSP provides users easy access to the characteristics of the earth's surface, the accessibility of the infrastructure and activity-based information.

    The Web SSO Standard OpenID Connect: In-Depth Formal Security Analysis and Security Guidelines

    Web-based single sign-on (SSO) services such as Google Sign-In and Log In with PayPal are based on the OpenID Connect protocol. This protocol enables so-called relying parties to delegate user authentication to so-called identity providers. OpenID Connect is one of the newest and most widely deployed single sign-on protocols on the web. Despite its importance, it has not received much attention from security researchers so far, and in particular, has not undergone any rigorous security analysis. In this paper, we carry out the first in-depth security analysis of OpenID Connect. To this end, we use a comprehensive generic model of the web to develop a detailed formal model of OpenID Connect. Based on this model, we then precisely formalize and prove central security properties for OpenID Connect, including authentication, authorization, and session integrity properties. In our modeling of OpenID Connect, we employ security measures in order to avoid attacks on OpenID Connect that have been discovered previously and new attack variants that we document for the first time in this paper. Based on these security measures, we propose security guidelines for implementors of OpenID Connect. Our formal analysis demonstrates that these guidelines are in fact effective and sufficient.
    Comment: An abridged version appears in CSF 2017. Parts of this work extend the web model presented in arXiv:1411.7210, arXiv:1403.1866, arXiv:1508.01719, and arXiv:1601.0122

    Are cookie banners indeed compliant with the law?: Deciphering EU legal requirements on consent and technical means to verify compliance of cookie banners

    In this paper, we describe how cookie banners, as a consent mechanism in web applications, should be designed and implemented to be compliant with the ePrivacy Directive and the GDPR, defining 22 legal requirements. While some are provided by legal sources, others result from the domain expertise of computer scientists. We perform a technical assessment of whether technical (with computer science tools), manual (with a human operator) or user-study verification is needed. We show that it is not possible to assess legal compliance for the majority of requirements because of the current architecture of the web. With this approach, we aim to support policy makers assessing compliance in cookie banners, especially under the current revision of the EU ePrivacy framework.

    Automated Security Analysis of Web Application Technologies

    The Web today is a complex universe of pages and applications teeming with interactive content that we use for commercial and social purposes. Accordingly, the security of Web applications has become a concern of utmost importance. Devising automated methods to help developers spot security flaws and thereby make the Web safer is a challenging but vital area of research. In this thesis, we leverage static analysis methods to automatically discover vulnerabilities in programs written in JavaScript or PHP. While JavaScript is the number one language fueling the client-side logic of virtually every Web application, PHP is the most widespread language on the server side. In the first part, we use a series of program transformations and information flow analysis to examine the JavaScript Helios voting client. Helios is a state-of-the-art voting system that has been exhaustively analyzed by the security community on a conceptual level and whose implementation is claimed to be highly secure. We expose two severe and so far undiscovered vulnerabilities. In the second part, we present a framework allowing developers to analyze PHP code for vulnerabilities that can be freely modeled. To do so, we build so-called code property graphs for PHP and import them into a graph database. Vulnerabilities can then be modeled as appropriate database queries. We show how to model common vulnerabilities and evaluate our framework in a large-scale study, spotting hundreds of vulnerabilities.
    The Web has developed into a complex network of highly interactive pages and applications that we use daily for commercial and social purposes. Accordingly, the security of web applications is of the highest relevance. The automated discovery of security vulnerabilities is a demanding but important field of research whose aim is to support developers and make the Web more secure. In this thesis, we use static analysis methods to automatically discover vulnerabilities in JavaScript and PHP programs. JavaScript is the most important client-side language of the Web, while PHP is the most widespread language on the server side. In the first part, we use a series of program transformations and information flow analysis to examine the JavaScript Helios voting client. Helios is a modern voting system that has been analyzed thoroughly at the conceptual level and whose implementation is considered very secure. We reveal two severe and previously undiscovered vulnerabilities. In the second part, we present a framework that allows developers to examine PHP code for freely modelable weaknesses. For this purpose, we construct so-called code property graphs and then import them into a graph database. Weaknesses can then be formulated as suitable database queries. We show how common weaknesses can be modeled and evaluate our framework in a large-scale study in which we identify hundreds of vulnerabilities.

    Information-flow security for JavaScript and its APIs

    JavaScript drives the evolution of the web into a powerful application platform. Increasingly, web applications combine services from different providers. The script inclusion mechanism routinely turns bare-bone web pages into full-fledged services built up from third-party code. Script inclusion poses the challenge of ensuring that the integrated third-party code respects security and privacy. This paper presents a dynamic mechanism for securing script executions by tracking information flow in JavaScript and its APIs. On the formal side, the paper identifies language constructs that constitute a core of JavaScript: dynamic objects, higher-order functions, exceptions, and dynamic code evaluation. It develops a dynamic type system that guarantees information-flow security for this language. Based on this formal model, the paper presents JSFlow, a practical security-enhanced interpreter for fine-grained tracking of information flow in full JavaScript and its APIs. Our experiments with JSFlow deployed as a browser extension provide an in-depth understanding of information manipulation by third-party scripts. We find that different sites intended to provide similar services effectuate rather different security policies for the user's sensitive information: some ensure it does not leave the browser, others share it with the originating server, while yet others freely propagate it to third parties.