Security Overview

Dr. Greg M. Bernstein

Updated October 19th 2021

Web Security Overview

Learning Objectives

  • Understand basic InfoSec concepts: Confidentiality, Integrity, Availability
  • Learn and understand the main website threats: OWASP Top 10
  • Learn the fundamentals of access control: Authentication, Authorization, and Accounting



No, not the U.S. Government Agency

  • Confidentiality
  • Integrity
  • Availability

Confidentiality 1


Confidentiality refers to protecting information from being accessed by unauthorized parties. In other words, only the people who are authorized to do so can gain access to sensitive data.

Imagine your bank records. You should be able to access them, of course, and employees at the bank who are helping you with a transaction should be able to access them, but no one else should. A failure to maintain confidentiality means that someone who shouldn’t have access has managed to get it, through intentional behavior or by accident.

Confidentiality 2


Such a failure of confidentiality, commonly known as a breach, typically cannot be remedied. Once the secret has been revealed, there’s no way to un-reveal it. If your bank records are posted on a public website, everyone can know your bank account number, balance, etc., and that information can’t be erased from their minds, papers, computers, and other places. Nearly all the major security incidents reported in the media today involve major losses of confidentiality.

Why we need HTTPS

  • All HTTP traffic is visible when on the network!

  • Login Password fields are not encrypted by the Browser!

  • Number of IP hops from your browser to site?

IP Hops to my site

$ pathping
Tracing route to []
over a maximum of 30 hops:
  0  DESKTOP-NOE6DKP.lan []
  1  OpenWrt.lan []
  4 []
  6 []
  7 []
  8 []
  9 []
 10 []
 11 []
 12 []

But Wait, its Worse

  • The previous traceroute only includes IP routers.

  • Lower layer switching devices do not show up in trace route including: layer 2 switches devices using Ethernet, MPLS, and Software Defined Networking (SDN) devices

    • See my SDN Fun page for simple example of setting up a packet intercept.

Integrity 1


Integrity refers to ensuring the authenticity of information—that information is not altered, and that the source of the information is genuine. Imagine that you have a website and you sell products on that site. Now imagine that an attacker can shop on your web site and maliciously alter the prices of your products, so that they can buy anything for whatever price they choose. That would be a failure of integrity, because your information—in this case, the price of a product—has been altered and you didn’t authorize this alteration.

Integrity 2


Another example of a failure of integrity is when you try to connect to a website and a malicious attacker between you and the website redirects your traffic to a different website. In this case, the site you are directed to is not genuine.


From Wikipedia

For any information system to serve its purpose, the information must be available when it is needed. This means the computing systems used to store and process the information, the security controls used to protect it, and the communication channels used to access it must be functioning correctly.

Ensuring availability also involves preventing denial-of-service attacks, such as a flood of incoming messages to the target system, essentially forcing it to shut down.

Access Control

The AAA Framework

How do we control who can see and modify data? The most common approach is based on the trio of:

  • Authentication
  • Authorization
  • Accounting


From Wikipedia

Authentication is the act of verifying a claim of identity.

Authentication: Analog Example

From Wikipedia

When John Doe goes into a bank to make a withdrawal, he tells the bank teller he is John Doe, a claim of identity. The bank teller asks to see a photo ID, so he hands the teller his driver’s license. The bank teller checks the license to make sure it has John Doe printed on it and compares the photograph on the license against the person claiming to be John Doe. If the photo and name match the person, then the teller has authenticated that John Doe is who he claimed to be.

Authentication Information

From Wikipedia

There are three different types of information that can be used for authentication:

  • Something you know: things such as a PIN, a password, etc…
  • Something you have: a driver’s license or a magnetic swipe card
  • Something you are: biometrics, including fingerprints, retina (eye) scans, etc…

Multi-Factor Authentication

For stronger authentication multiple pieces of authentication information can be use including those from multiple categories (know, have, are)


From Wikipedia

After a person, program or computer has successfully been identified and authenticated then it must be determined what informational resources they are permitted to access and what actions they will be allowed to perform (run, view, create, delete, or change). This is called authorization. Authorization to access information and other computing services begins with administrative policies and procedures.

Authorization Systems

  • Role Based Access Control (RBAC): Example BlackBoard (LMS) – admin, student, teacher, grader
  • File permissions: Example Linux user, group, and other permissions
  • Access Control Lists: Commonly used in firewalls and routers


We use logging and monitoring to determine:

  • Who is using the system(s)?
  • How are they using the systems?
  • Is that use appropriate?


What are threats?

Threats are any mechanism or technique that can intentionally or accidentally compromise the confidentiality, integrity or availability of a system.

Threat Classification

  • Threats can be broadly or narrowly classified
  • These stem from general approaches to specific attack vectors

OWASP Top Ten Threat Project

“A primary aim of the OWASP Top 10 is to educate developers, designers, architects, managers, and organizations about the consequences of the most common and most important web application security weaknesses. The Top 10 provides basic techniques to protect against these high risk problem areas, and provides guidance on where to go from here.”

OWASP Top Ten 1-4

  • A1: Injection
  • A2: Broken Authentication
  • A3: Sensitive Data Exposure
  • A4: XML External Entities Not applicable to us

OWASP Top Ten 5-7

  • A5: Broken Access Control
  • A6: Security Misconfiguration
  • A7: Cross-Site Scripting (XSS) A type of injection

OWASP Top Ten 8-10

  • A8: Insecure Deserialization
  • A9: Using Components with Known Vulnerabilities
  • A10: Insufficient Logging & Monitoring

Applicability of OWASP to CS351/CS651

Multi User Web Application Project

  • We need to support multiple-users
  • Users have both private and shared information
  • Users have different roles
  • Users create and modify information via the application


Almost any source of data can be an injection vector, environment variables, parameters, external and internal web services, and all types of users. Injection flaws occur when an attacker can send hostile data to an interpreter.

This is almost entirely a software development issue

Broken Authentication 1

From OWASP Broken Authentication

Attackers have access to hundreds of millions of valid username and password combinations for credential stuffing, default administrative account lists, automated brute force, and dictionary attack tools. Session management attacks are well understood, particularly in relation to unexpired session tokens.

Broken Authentication 2

From OWASP Broken Authentication

The prevalence of broken authentication is widespread due to the design and implementation of most identity and access controls. Session management is the bedrock of authentication and access controls, and is present in all stateful applications.

CS351/CS651 Implications

  • We must implement access control (authentication, authorization) for our multi-user web application.
  • We have to implement session management to enable the above!
// reveal.js plugins