WEB SECURITY: WEB BACKGROUND

Transcription

1 WEB SECURITY: WEB BACKGROUND CMSC 414 FEB

2 A very basic web architecture Client Server Browser Web server (Private) Data Database DB is a separate entity, logically (and often physically)

3 A very basic web architecture Client Server Browser Web server (Private) Data Database (Much) user data is part of the browser DB is a separate entity, logically (and often physically)

4 Interacting with web servers Get and put resources which are identified by a URL

5 Interacting with web servers Get and put resources which are identified by a URL Protocol ftp https tor

6 Interacting with web servers Get and put resources which are identified by a URL

7 Interacting with web servers Get and put resources which are identified by a URL Hostname/server Translated to an IP address by DNS (more on this later)

8 Interacting with web servers Get and put resources which are identified by a URL

9 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server

10 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server

11 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Path to a resource Here, the file home.html is dynamic content i.e., the server generates the content on the fly

12 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Here, the file home.html is dynamic content i.e., the server generates the content on the fly

13 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Here, the file home.html is dynamic content i.e., the server generates the content on the fly

14 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Arguments Here, the file home.html is dynamic content i.e., the server generates the content on the fly

15 Basic structure of web traffic Client Server Browser Web server (Private) Data Database

16 Basic structure of web traffic Client Server Browser Web server

17 Basic structure of web traffic Client Server Browser HTTP Web server

18 Basic structure of web traffic Client Server Browser HTTP Web server HyperText Transfer Protocol (HTTP) An application-layer protocol for exchanging collections of data

19 Basic structure of web traffic Client Server Browser Web server

20 Basic structure of web traffic Client Server Browser Web server User clicks

21 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks

22 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks Requests contain: The URL of the resource the client wishes to obtain Headers describing what the browser can do Requests be GET or POST GET: all data is in the URL itself (supposed to have no side-effects) POST: includes the data as separate fields (can have side-effects)

23 HTTP GET requests

24 HTTP GET requests

25 HTTP GET requests User-Agent is typically a browser but it can be wget, JDK, etc.

26

27

28 Referrer URL: the site from which this request was issued.

29 HTTP POST requests Posting on Piazza

30 HTTP POST requests Posting on Piazza

31 HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL

32 HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL Explicitly includes data as a part of the request s content

33 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks

34 Basic structure of web traffic Client Server Browser Web server User clicks

35 Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks

36 Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks Responses contain: Status code Headers describing what the server provides Data Cookies State it would like the browser to store on the site s behalf

37 <html> </html> HTTP responses

38 HTTP version Status code Reason phrase HTTP responses Data Headers <html> </html>

39

40

41

42 HTTP is stateless The lifetime of an HTTP session is typically: Client connects to the server Client issues a request Server responds Client issues a request for something in the response. repeat. Client disconnects HTTP has no means of noting oh this is the same client from that previous session With this alone, you d have to log in at every page load

43 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

44 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

45 Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

46 Maintaining state across HTTP sessions Client Server Browser HTTP Response Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

47 Maintaining state across HTTP sessions Client Server Browser HTTP Response State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

48 Maintaining state across HTTP sessions Client Server Browser State HTTP Response Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

49 Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

50 Maintaining state across HTTP sessions Client Server Browser State HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

51 Maintaining state across HTTP sessions Client Server Browser HTTP Request State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

52 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

53 Online ordering socks.com Order Order $5.50

54 Online ordering socks.com Order socks.com Pay Order The total cost is $5.50. Confirm order? $5.50 Yes No Separate page

55 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

56 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

57 Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

58 Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

59 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

60 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 0.01 value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

61 Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

62 Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price name= sid value= > value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

63 Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

64 Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page(); We don t want to pass hidden fields around all the time

65 Statefulness with Cookies Client Server Browser HTTP Request Web server Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

66 Statefulness with Cookies Client Server Browser HTTP Request Web server State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

67 Statefulness with Cookies Client Server Browser HTTP Request Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

68 Statefulness with Cookies Client Server Browser Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

69 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

70 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

71 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

72 Statefulness with Cookies Client Server Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

73 Statefulness with Cookies Client Server Server Browser Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

74 Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

75 Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

76 Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>

77 Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>

78 Cookies Client Semantics Browser (Private) Data

79 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) (Private) Data

80 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 (Private) Data

81 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data

82 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of /

83 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>

84 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>

85 Requests with cookies Subsequent visit

86 Requests with cookies Response Subsequent visit

87 Requests with cookies Response Subsequent visit

88 Why use cookies? Personalization Let an anonymous user customize your site Store font choice, etc., in the cookie

89 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)?

90 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL

91 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Problem: IP addrs change

92 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Option 2: A maintains a DB indexed by a cookie Problem: IP addrs change - Third-party cookie - Commonly used by large ad networks (doubleclick)

93

94 Ad provided by an ad network

95 Snippet of reddit.com source

96 Snippet of reddit.com source Our first time accessing adzerk.net

97 I visit reddit.com

98 I visit reddit.com

99 I visit reddit.com

100 I visit reddit.com Later, I go to reddit.com/r/security

101 I visit reddit.com Later, I go to reddit.com/r/security

102 I visit reddit.com Later, I go to reddit.com/r/security

103 I visit reddit.com We are only sharing this cookie with *.adzerk.net; but we are telling them about where we just came from Later, I go to reddit.com/r/security

104 Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier.

105 Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier. Attacks?