Question Assignment:

Web Application Security Mechanisms: For the web application that you have identified in section b., what web application security mechanisms are used for authentication and why? What access control model(s) are used and why? What security controls do you plan to use to protect your organization's data (files, databases, etc.)? What security mechanisms are you planning to use to implement browser security and server security? (Minimum page limit: 4 pages; Maximum page limit: 5 pages). Please include reference sources.

SECTION B
Priceline has numerous web applications hosted within its website; although many of them are similar, all require different inputs and provide different outputs. Without the critical insight into the actual name of the chosen web application, we will refer to this application as "Trip Booking" as we explore the application in more detail. Trip Booking is hosted at the URL https://www.priceline.com/?tab=holidays, which resolves to 4 different IP addresses (151.101.194.186, 151.101.66.186, 151.101.130.186, 151.101.2.186).
Trip Booker is a web application that serves end users by giving them the ability to find travel arrangements for most of the needs they have for a trip in one convenient location. Flights, rental cars, and hotels can all be searched for a specified date range of a potential trip, and all of the results are presented to the end user. For added functionality the user can also specify multiple hotels to be used over different time spans of the total trip, as well as one-way flight accommodations for the trip.
The end user for this web application is a little hard to define in more than a broad generic group, as the public is the target user. Some of the users might be individuals looking to plan business trips, while others could be booking family vacations. The options are nearly limitless, and the users and destinations span the breadth of the world. Really, the application is aimed at everyone who might have any interest in travelling to any destination in the world.
For this web application to function properly, 5 inputs are required from the user. The first of these inputs is in the form of a radio button to select the needed components for the trip (hotel, flight, car, or combinations of these). Next is a departure location and then a destination location, each of which takes the user input and prompts for the nearest airport to the destination name provided. An interactive calendar provides selection of a departure date and a return date, and then a number-of-travelers option which is broken down to include adults, children, and the number of rooms needed. Optional inputs include an option to provide separate dates for hotels, which Priceline.com refers to as "I Only Need a Hotel For Part of My Stay."
Upon execution of the web application by the user, first a list of hotels available for the specified parameters is displayed in the browser. The outputs can at this point be filtered down based upon available criteria such as amenities or distance from a specified location. After selecting a hotel for further review, the output returned is a more detailed look at the room along with pictures, available rates, optional add-ons, and the total price for the duration specified, as well as the ability to select the room to be added to the booking. After booking the room, the output is a list of available flights for the user to select an appropriate flight, with prices and times for each displayed. Finally on the return is a list of available rental cars, displaying different brands and price points for the trip. After selecting the rental car, the application returns a trip overview displaying all of the details from the previous inputs and outputs and an option to proceed to the checkout application for the specified trip.
The architecture of the web application is closely protected, but due to an agreement between Priceline and HackerOne's bug bounty program, testing was able to be done to reveal some of the architecture. The web application servers use a CDN, or content delivery network, which is provided by Forter.com. "A CDN is a network of servers linked together with the goal of delivering content as quickly, cheaply, reliably, and securely as possible." (What is a CDN? | How do CDNs work? | Cloudflare, n.d.) The application sits behind a WAF, or web application firewall, but through reconnaissance we were unable to identify which type of WAF was in use. The servers themselves have an operating system that has eluded discovery, though targeted Nmap scans have shown them to likely be hosted on a Linux host. Behind the servers, likely on the other side of the DMZ (De-Militarized Zone), would be the databases; the type in use has also eluded discovery but is likely some form of SQL database, judging from a review of the GET and POST messages seen when a request is created from the application. Also of unknown origin is the authenticating server, which appears to provide authentication either through credentials stored locally (on the authenticating server) or through FIM, or Federated Identity Management. "Federated login allows users to use a single authentication ticket/token to obtain access across all the networks of the different IT systems." (Robinson, 2019) The FIM providers in use for Priceline are Apple, Google, and Facebook.
The architecture of the web application follows a very specific flow to ensure maximum availability of the service with a high degree of security for the features. When a user visits the URL of the web application, a request is sent to the Forter CDN, which will then either allow the request or prompt for a captcha challenge to reduce the impact of automated hacking tools. Once the CDN has granted access, the request is forwarded through the web application firewall to the web application server. Authentication mechanisms have been seen in several forms for the application. The first is through the use of cookies and session tokens, and the second is through identity management services allowing log-ins to a registered account, with persistence through the session tokens. The authenticating server receives the request and, upon successful authentication, the session is opened between the server and the user's browser. On the server side, when a properly authenticated request comes in, the server queries the database and forwards the structured response to the user's browser for parsing and display of the content.
The Priceline web applications require some very specific technologies to be able to run. Client browsers are required to be of a Safari or Chromium based build for the application to run properly. For security technology the web application requires TLS (Transport Layer Security) version 1.2 or 1.3 to be able to operate, and versions predating these will be rejected by the application. On the server side, Next.js is in use, which is built upon a Node.js infrastructure to provide universal rendering for the web application. "Rendering the same components on the server side as on the client side (universal rendering) means that development time is reduced as we can build our React components once and Next JS takes care of everything to do with re-rendering those components in the user's browser." (Duncan, n.d.) Also in use is Istio-Envoy to act as a proxy. "Envoy is a high-performance proxy developed in C++ to mediate all inbound and outbound traffic for all services in the service mesh." (Architecture, n.d.) To improve the speed of such a large application, Varnish 1.1 is used for caching the application to facilitate faster load times on the client side.
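The TLS version policy described above (accept 1.2 and 1.3, reject anything older), shown as an added example in Python's standard `ssl` module; this is illustrative code, not Priceline's configuration, and the certificate paths are hypothetical parameters.

```python
import ssl

# Added example: server-side and browser-side contexts that enforce the
# "TLS 1.2 or 1.3 only" policy described in the text. Not Priceline's code.

def make_server_context(certfile=None, keyfile=None):
    """Server side: a peer offering only TLS 1.0/1.1 fails the handshake."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION   # hardening: no TLS-level compression
    if certfile:                            # hypothetical paths, not from the page
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def make_client_context():
    """Browser-side equivalent: verify chain and hostname, never fall below 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def version_allowed(ctx, name):
    """True if a peer speaking protocol `name` (e.g. "TLSv1_1") can negotiate with ctx.
    MINIMUM_/MAXIMUM_SUPPORTED are sentinel enum members, so map them to real bounds."""
    version = ssl.TLSVersion[name]
    low, high = ctx.minimum_version, ctx.maximum_version
    if low == ssl.TLSVersion.MINIMUM_SUPPORTED:
        low = ssl.TLSVersion.SSLv3
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return low <= version <= high
```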
SECTION C
Priceline collects a lot of sensitive data from users due to the nature of its business operations. Proper authentication and security are crucial for online services operating worldwide like Priceline, since they are attractive targets for hackers. A successful breach would result in gaining valuable, sensitive information, which attracts hackers worldwide. Currently, Priceline keeps records of the following elements: legal name, address, contact information, age, date of birth, gender, IP address, credit or debit card information, device information, web logs, general device locations, specific device location (with consent), and more. Priceline may also retrieve this information from other sources such as third-party applications like Google and Facebook, third-party data providers, and others. The fact that this company operates online and keeps records of elements of such a sensitive nature puts high security, authentication, and data handling standards on this company and its business partners.
Priceline uses password authentication for users signing in to their personal accounts. A password for a personal account must be at least eight characters with a number or a special character. A user is given 5 attempts to enter the password correctly; if a user has exceeded all attempts, the account locks automatically and can then be unlocked by verifying one's identity with Priceline customer care. A user's password is linked to a personal email; therefore, the user can manually reset the password for the account via email. The website also supports single sign-on with Google, Facebook, and Apple accounts for users' convenience.
Priceline currently works with Okta to provide users with high-standard authentication and access controls. Okta implements centralized cloud solutions for managing Priceline and its partner applications, while giving users the ability to use SSO and admins the ability to manage user access across all sister applications. For authentication and access control, Okta uses the LDAP protocol. LDAP is a lightweight subset of the X.500 Directory Access Protocol and has been around since the early 1990s. LDAP single sign-on lets system admins set permissions to control access to the LDAP database. It can handle password expiration, password quality validation, and account lockout after a user has too many failed attempts. An LDAP agent can authenticate users in real time: it compares the information presented directly to what is stored in the LDAP database, so no sensitive user data needs to be stored in the cloud. Okta allows admins to manage their own users and enable access to a joint application without having to worry about Active Directory trusts, firewall rules, or proxies. For access control, LDAP implements the RBAC methodology, which simplifies administration by assigning roles to users and then assigning permissions to those roles.
Deploying Okta has contributed to a deeper understanding of employee app usage across Priceline. This helps IT make sure that the apps they are supporting are those that their users need and are happy with, and allows the business to keep better track of licenses. For Priceline, the switch to Okta reduced users' downtime drastically, allowed users to better self-manage sign-in issues, improved orphan account monitoring, enhanced security, and automated many processes. Moving forward, Priceline plans to incorporate Okta's ThreatInsight capabilities to gain deeper, actionable understanding at the device level around where its users and threats are coming from. Bolstered by the wins so far, Priceline continues to actively look for ways to further integrate Okta across the enterprise. For every upcoming project, Priceline engineers plan on integrating it with Okta if possible. (Priceline | Okta, n.d.)
For any financial transactions, Priceline requires the following user information: full legal name, credit or debit card information including the CVV code, physical address including city, country, and zip code, personal email address, and a phone number. A user can cancel an order made in his/her name via email within 24 hours after the order was created. After every submitted order, the user gets an automated confirmation email that includes a cancellation link, unless the booking is a non-refundable deal. For car rental reservations, the user's identity is confirmed by requesting the user's full legal name, date of birth, credit card information, and sometimes passport information for international drivers.
To receive online payments, Priceline or any other website must always be Payment Card Industry (PCI) compliant. PCI has 12 requirements, and requirement № 8 addresses authentication issues. Here are some examples of PCI requirements: standard 8.1.1 – every user must have a unique ID before being allowed to access system components or cardholder data; standard 8.1.4 – inactive user accounts must be disabled after 90 days; standard 8.2.5 – prohibit the use of the 4 last known passwords. Some of the requirements listed by PCI apply to users and their authentication, while others apply to the company and its employees who have access to that sensitive information. PCI requirements might differ depending on the exposure of an employee to sensitive data. (Bartels, 2017)
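The account rules described in the two passages above (the eight-character password rule with a digit or special character, lockout after 5 failed attempts with unlock by customer care, PCI 8.1.4's 90-day inactivity disable and 8.2.5's ban on reusing the last 4 passwords), implemented together as an added Python example. This is illustrative code, not Priceline's or Okta's; the PBKDF2 storage and the day-counter clock are assumptions, since the page does not say how passwords are stored.

```python
import hashlib
import hmac
import os

# Policy constants from the text: Priceline's stated password rule and lockout
# threshold, plus PCI DSS 8.1.4 (90-day inactivity) and 8.2.5 (last-4 reuse ban).
MIN_LENGTH = 8
MAX_ATTEMPTS = 5
HISTORY_DEPTH = 4
INACTIVITY_DAYS = 90
PBKDF2_ROUNDS = 100_000  # assumption: storage scheme is not described on the page

def password_meets_policy(pw):
    """At least eight characters and at least one digit or special character."""
    return len(pw) >= MIN_LENGTH and any(c.isdigit() or not c.isalnum() for c in pw)

def hash_password(pw, salt=None):
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def check_password(pw, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison

class Account:
    """One user's credential, lockout state and password history.
    Time is a plain day counter (constructed) so the example runs offline."""
    def __init__(self, user_id, password, today):
        self.user_id = user_id
        self.salt, self.digest = hash_password(password)
        self.history = [(self.salt, self.digest)]
        self.failed = 0
        self.locked = False
        self.disabled = False
        self.last_login = today

    def login(self, pw, today):
        if today - self.last_login > INACTIVITY_DAYS:
            self.disabled = True            # PCI 8.1.4: stale account is disabled
        if self.disabled:
            return "disabled"
        if self.locked:
            return "locked"
        if check_password(pw, self.salt, self.digest):
            self.failed = 0
            self.last_login = today
            return "ok"
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:     # fifth consecutive failure locks the account
            self.locked = True
            return "locked"
        return "denied"

    def unlock(self):
        """Called only after customer care has verified the user's identity."""
        self.locked = False
        self.failed = 0

    def change_password(self, new_pw):
        if not password_meets_policy(new_pw):
            return "weak"
        if any(check_password(new_pw, s, d) for s, d in self.history[-HISTORY_DEPTH:]):
            return "reused"                 # PCI 8.2.5: last four passwords are off limits
        self.salt, self.digest = hash_password(new_pw)
        self.history.append((self.salt, self.digest))
        return "ok"
```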
To provide security for credit card transactions while in transit, Priceline currently uses Secure Sockets Layer encryption. Secure Sockets Layer (SSL) is a standard technology for establishing an encrypted connection between a web server (host) and a web browser (client). This connection between the two makes sure that all the data passed between them remains private and integral. SSL is an industry standard and is used by millions of websites to protect their online transactions with their customers. Having an SSL certificate installed is one of the 12 major requirements set by the PCI.
Priceline currently supports HTTPS certificates for its web application, which means the website itself supports the SSL standard. According to SSL Checker, Priceline uses a Varnish accelerator, and the SSL certificate for the website was issued by GlobalSign and is valid from October 20, 2021, to October 20, 2024. The algorithm used by Priceline is SHA-256. The SHA-256 algorithm is one flavor of SHA-2 (Secure Hash Algorithm 2), which was created by the National Security Agency in 2001 as a successor to SHA-1. SHA-256 is a patented cryptographic hash function that outputs a value that is 256 bits long. SHA-256 is used in some of the most popular authentication and encryption protocols, including SSL, TLS, IPsec, SSH, and PGP. In Unix and Linux, SHA-256 is used for secure password hashing. Some cryptocurrencies, such as Bitcoin, use SHA-256 for verifying transactions. SHA-256 is one of the most secure hashing functions on the market. The US government requires its agencies to protect certain sensitive information using SHA-256. While the exact details of how SHA-256 works are classified, we know that it is built with a Merkle–Damgård structure derived from a one-way compression function itself created with the Davies–Meyer structure from a specialized block cipher. (N-able, 2019)
Priceline uses RSA encryption with the SHA-256 algorithm. Under RSA encryption, messages are encrypted with a code called a public key, which can be shared openly. Due to some distinct mathematical properties of the RSA algorithm, once a message has been encrypted with the public key, it can only be decrypted by another key, known as the private key. Public-key encryption schemes differ from symmetric-key encryption, where both the encryption and decryption processes use the same private key. These differences make public-key encryption like RSA useful for communicating in situations where there has been no opportunity to securely distribute keys beforehand. RSA encryption is often used in combination with other encryption schemes, or for digital signatures, which can prove the authenticity and integrity of a message. (Lake, 2021)
The recent global impact of COVID-19 made many companies shift to a remote operational model for employees and users. Since then, Priceline has had its sights on a coffee-shop model, in which users could come and go freely between offices without going through contortions to verify permissions and authorization to the corporate assets they needed to do their work. Dropkin and his team have been looking into secure remote-access technology to allow for easier least privilege enforcement and to simplify the process of granting access to consultants and other third-party users. Priceline is trying to keep up with the latest developments and provide employees and users with fast and efficient modern solutions. Some of the company's future priorities are automation and cloud implementation. For these purposes, the company is planning to work with industry-recognized secure solutions providers.
Priceline will comply with any future PCI requirements for encryption and anonymization, and with a standard like CCPA for customer data protection. GDPR, as one of the newest and most wide-ranging standards, will affect Priceline as well, since Priceline operates worldwide and has customers who are individual subjects of the EU's jurisdiction. Some of the GDPR requirements include having a data protection officer and using standard contractual clauses when sharing data with non-EU-based organizations. For browser and server security Priceline will comply with any potential U.S. regulations and follow best-practice guidelines.
