WEB SECURITY: WEB BACKGROUND
|
|
- Martin Dawson
- 5 years ago
- Views:
Transcription
1 WEB SECURITY: WEB BACKGROUND CMSC 414 FEB
2 A very basic web architecture Client Server Browser Web server (Private) Data Database DB is a separate entity, logically (and often physically)
3 A very basic web architecture Client Server Browser Web server (Private) Data Database (Much) user data is part of the browser DB is a separate entity, logically (and often physically)
4 Interacting with web servers Get and put resources which are identified by a URL
5 Interacting with web servers Get and put resources which are identified by a URL Protocol ftp https tor
6 Interacting with web servers Get and put resources which are identified by a URL
7 Interacting with web servers Get and put resources which are identified by a URL Hostname/server Translated to an IP address by DNS (more on this later)
8 Interacting with web servers Get and put resources which are identified by a URL
9 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server
10 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server
11 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Path to a resource Here, the file home.html is dynamic content i.e., the server generates the content on the fly
12 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Here, the file home.html is dynamic content i.e., the server generates the content on the fly
13 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Here, the file home.html is dynamic content i.e., the server generates the content on the fly
14 Interacting with web servers Get and put resources which are identified by a URL Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server Arguments Here, the file home.html is dynamic content i.e., the server generates the content on the fly
15 Basic structure of web traffic Client Server Browser Web server (Private) Data Database
16 Basic structure of web traffic Client Server Browser Web server
17 Basic structure of web traffic Client Server Browser HTTP Web server
18 Basic structure of web traffic Client Server Browser HTTP Web server HyperText Transfer Protocol (HTTP) An application-layer protocol for exchanging collections of data
19 Basic structure of web traffic Client Server Browser Web server
20 Basic structure of web traffic Client Server Browser Web server User clicks
21 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks
22 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks Requests contain: The URL of the resource the client wishes to obtain Headers describing what the browser can do Requests be GET or POST GET: all data is in the URL itself (supposed to have no side-effects) POST: includes the data as separate fields (can have side-effects)
23 HTTP GET requests
24 HTTP GET requests
25 HTTP GET requests User-Agent is typically a browser but it can be wget, JDK, etc.
26
27
28 Referrer URL: the site from which this request was issued.
29 HTTP POST requests Posting on Piazza
30 HTTP POST requests Posting on Piazza
31 HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL
32 HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL Explicitly includes data as a part of the request s content
33 Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks
34 Basic structure of web traffic Client Server Browser Web server User clicks
35 Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks
36 Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks Responses contain: Status code Headers describing what the server provides Data Cookies State it would like the browser to store on the site s behalf
37 <html> </html> HTTP responses
38 HTTP version Status code Reason phrase HTTP responses Data Headers <html> </html>
39
40
41
42 HTTP is stateless The lifetime of an HTTP session is typically: Client connects to the server Client issues a request Server responds Client issues a request for something in the response. repeat. Client disconnects HTTP has no means of noting oh this is the same client from that previous session With this alone, you d have to log in at every page load
43 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
44 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
45 Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
46 Maintaining state across HTTP sessions Client Server Browser HTTP Response Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
47 Maintaining state across HTTP sessions Client Server Browser HTTP Response State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
48 Maintaining state across HTTP sessions Client Server Browser State HTTP Response Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
49 Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
50 Maintaining state across HTTP sessions Client Server Browser State HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
51 Maintaining state across HTTP sessions Client Server Browser HTTP Request State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
52 Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses
53 Online ordering socks.com Order Order $5.50
54 Online ordering socks.com Order socks.com Pay Order The total cost is $5.50. Confirm order? $5.50 Yes No Separate page
55 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
56 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
57 Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();
58 Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();
59 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
60 Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 0.01 value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
61 Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
62 Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price name= sid value= > value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user
63 Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();
64 Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page(); We don t want to pass hidden fields around all the time
65 Statefulness with Cookies Client Server Browser HTTP Request Web server Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
66 Statefulness with Cookies Client Server Browser HTTP Request Web server State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
67 Statefulness with Cookies Client Server Browser HTTP Request Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
68 Statefulness with Cookies Client Server Browser Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
69 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
70 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
71 Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
72 Statefulness with Cookies Client Server Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
73 Statefulness with Cookies Client Server Server Browser Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
74 Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
75 Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server
76 Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>
77 Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>
78 Cookies Client Semantics Browser (Private) Data
79 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) (Private) Data
80 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 (Private) Data
81 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data
82 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of /
83 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>
84 Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>
85 Requests with cookies Subsequent visit
86 Requests with cookies Response Subsequent visit
87 Requests with cookies Response Subsequent visit
88 Why use cookies? Personalization Let an anonymous user customize your site Store font choice, etc., in the cookie
89 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)?
90 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL
91 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Problem: IP addrs change
92 Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Option 2: A maintains a DB indexed by a cookie Problem: IP addrs change - Third-party cookie - Commonly used by large ad networks (doubleclick)
93
94 Ad provided by an ad network
95 Snippet of reddit.com source
96 Snippet of reddit.com source Our first time accessing adzerk.net
97 I visit reddit.com
98 I visit reddit.com
99 I visit reddit.com
100 I visit reddit.com Later, I go to reddit.com/r/security
101 I visit reddit.com Later, I go to reddit.com/r/security
102 I visit reddit.com Later, I go to reddit.com/r/security
103 I visit reddit.com We are only sharing this cookie with *.adzerk.net; but we are telling them about where we just came from Later, I go to reddit.com/r/security
104 Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier.
105 Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier. Attacks?
Security for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More informationI n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:
This time Continuing with Software Security Getting insane with I n p u t sanitization ); drop table slides New attacks and countermeasures: SQL injection Background on web architectures A very basic web
More informationSecurity for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationCMSC 332 Computer Networking Web and FTP
CMSC 332 Computer Networking Web and FTP Professor Szajda CMSC 332: Computer Networks Project The first project has been posted on the website. Check the web page for the link! Due 2/2! Enter strings into
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationWeb, HTTP and Web Caching
Web, HTTP and Web Caching 1 HTTP overview HTTP: hypertext transfer protocol Web s application layer protocol client/ model client: browser that requests, receives, displays Web objects : Web sends objects
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationComputer Networks. Wenzhong Li. Nanjing University
Computer Networks Wenzhong Li Nanjing University 1 Chapter 8. Internet Applications Internet Applications Overview Domain Name Service (DNS) Electronic Mail File Transfer Protocol (FTP) WWW and HTTP Content
More informationLecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications
Internet and Intranet Protocols and Applications Lecture 7b: HTTP Feb. 24, 2004 Arthur Goldberg Computer Science Department New York University artg@cs.nyu.edu WWW - HTTP/1.1 Web s application layer protocol
More informationCS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.
CS 355 Computer Networking Wei Lu, Ph.D., P.Eng. Chapter 2: Application Layer Overview: Principles of network applications? Introduction to Wireshark Web and HTTP FTP Electronic Mail SMTP, POP3, IMAP DNS
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationCaching. Caching Overview
Overview Responses to specific URLs cached in intermediate stores: Motivation: improve performance by reducing response time and network bandwidth. Ideally, subsequent request for the same URL should be
More informationRobust Defenses for Cross-Site Request Forgery
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationManipulating Web Application Interfaces a New Approach to Input Validation Testing. AppSec DC Nov 13, The OWASP Foundation
Manipulating Web Application Interfaces a New Approach to Input Validation Testing Felipe Moreno-Strauch AppSec DC Nov 13, 2009 felipe@wobot.org http://groundspeed.wobot.org The Foundation http://www.owasp.org
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationLecture 6 Application Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it
Lecture 6 Application Layer Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it Application-layer protocols Application: communicating, distributed processes running in network hosts
More informationUNIT I. A protocol is a precise set of rules defining how components communicate, the format of addresses, how data is split into packets
UNIT I Web Essentials: Clients, Servers, and Communication. The Internet- Basic Internet Protocols -The World Wide Web-HTTP request message-response message- Web Clients Web Servers-Case Study. Markup
More informationICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
More informationFeatures of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy
Que: -Proxy server Introduction: Proxy simply means acting on someone other s behalf. A Proxy acts on behalf of the client or user to provide access to a network service, and it shields each side from
More informationOptions. Real SQL Programming 1. Stored Procedures. Embedded SQL
Real 1 Options We have seen only how SQL is used at the generic query interface an environment where we sit at a terminal and ask queries of a database. Reality is almost always different: conventional
More informationLecture 9a: Sessions and Cookies
CS 655 / 441 Fall 2007 Lecture 9a: Sessions and Cookies 1 Review: Structure of a Web Application On every interchange between client and server, server must: Parse request. Look up session state and global
More informationReview of Previous Lecture
Review of Previous Lecture Network access and physical media Internet structure and ISPs Delay & loss in packet-switched networks Protocol layers, service models Some slides are in courtesy of J. Kurose
More informationWebshop Plus! v Pablo Software Solutions DB Technosystems
Webshop Plus! v.2.0 2009 Pablo Software Solutions http://www.wysiwygwebbuilder.com 2009 DB Technosystems http://www.dbtechnosystems.com Webshos Plus! V.2. is an evolution of the original webshop script
More informationComputer Networks. HTTP and more. Jianping Pan Spring /20/17 CSC361 1
Computer Networks HTTP and more Jianping Pan Spring 2017 1/20/17 CSC361 1 First things first W1 due next Monday (Jan 23) submit a single PDF file through connex Noah posted a docx for for questions on
More informationHypertext Transport Protocol
Hypertext Transport Protocol HTTP Hypertext Transport Protocol Language of the Web protocol used for communication between web browsers and web servers TCP port 80 HTTP - URLs URL Uniform Resource Locator
More informationBrowser behavior can be quite complex, using more HTTP features than the basic exchange, this trace will show us how much gets transferred.
Lab Exercise HTTP Objective HTTP (HyperText Transfer Protocol) is the main protocol underlying the Web. HTTP functions as a request response protocol in the client server computing model. A web browser,
More informationCOMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ
COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS Web Access: HTTP 16501018 Mehmet KORKMAZ World Wide Web What is WWW? WWW = World Wide Web = Web!= Internet Internet is a global system of interconnected computer
More informationHTTP Protocol and Server-Side Basics
HTTP Protocol and Server-Side Basics Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming HTTP Protocol and Server-Side Basics Slide 1/26 Outline The HTTP protocol Environment Variables
More informationSPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006
SPOOFING Information Security in Systems & Networks Public Development Program Sanjay Goel University at Albany, SUNY Fall 2006 1 Learning Objectives Students should be able to: Determine relevance of
More information1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10
EE 586 Communication and Switching Networks (Fall 2010) Lecture 10 September 17 2010 1-1 Announcement Send me your group and get group ID HW3 (short) out on Monday Personal leave for next two weeks No
More informationConfiguration examples for the D-Link NetDefend Firewall series DFL-260/860
Configuration examples for the D-Link NetDefend Firewall series DFL-260/860 Scenario: How to configure User Authentication for multiple groups Last update: 2008-04-29 Overview In this document, the notation
More informationHow Facebook knows exactly what turns you on
How Facebook knows exactly what turns you on We have developed our anti tracking system to combat a culture of user data collection which, we believe, has gone too far. These systems operate hidden from
More informationCN Assignment I. 1. With an example explain how cookies are used in e-commerce application to improve the performance.
CN Assignment I 1. With an example explain how cookies are used in e-commerce application to improve the performance. In an e-commerce application, when the user sends a login form to the server, the server
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Web Security: Vulnerabilities & Attacks Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack
More informationSEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security
SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the
More informationCS6120: Intelligent Media Systems. User Models. How is User Model Data Obtained? 11/01/2014
CS6120: Intelligent Media Systems Dr. Derek Bridge School of Computer Science & Information Technology UCC User Models For personalization, we need user models which contain some or all of: Identification
More informationApplication Layer. Applications and application-layer protocols. Goals:
Application Layer Goals: Conceptual aspects of network application protocols Client paradigm Service models Learn about protocols by examining popular application-level protocols HTTP DNS 1 Applications
More informationSC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers
SC/CSE 3213 Winter 2013 L8: TCP/IP Overview Sebastian Magierowski York University 1 Outline TCP/IP Reference Model A set of protocols for internetworking The basis of the modern IP Datagram Exchange Examples
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationAuthentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford
Authentication for Web Services Ray Miller Systems Development and Support Computing Services, University of Oxford Overview Password-based authentication Cookie-based authentication
More informationHyperText Transfer Protocol
Outline Introduce Socket Programming Domain Name Service (DNS) Standard Application-level Protocols email (SMTP) HTTP HyperText Transfer Protocol Defintitions A web page consists of a base HTML-file which
More informationHow A Website Works. - Shobha
How A Website Works - Shobha Synopsis 1. 2. 3. 4. 5. 6. 7. 8. 9. What is World Wide Web? What makes web work? HTTP and Internet Protocols. URL s Client-Server model. Domain Name System. Web Browser, Web
More informationNetworking. Layered Model. DoD Model. Application Layer. ISO/OSI Model
Networking Networking is concerned with the physical topology of two or more communicating entities and the logical topology of data transmission. Layered Model Systems communicate over a shared communication
More informationWireshark HTTP. Introduction. The Basic HTTP GET/response interaction
Wireshark HTTP Introduction Having gotten our feet wet with the Wireshark packet sniffer in the introductory lab, we re now ready to use Wireshark to investigate protocols in operation. In this lab, we
More informationCommunication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner
Communication Networks (0368-3030) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University Allon Wagner Several slides adapted from a presentation made by Dan Touitou on behalf of Cisco.
More informationReST 2000 Roy Fielding W3C
Outline What is ReST? Constraints in ReST REST Architecture Components Features of ReST applications Example of requests in REST & SOAP Complex REST request REST Server response Real REST examples REST
More informationBIG-IP DataSafe Configuration. Version 13.1
BIG-IP DataSafe Configuration Version 13.1 Table of Contents Table of Contents Adding BIG-IP DataSafe to the BIG-IP System...5 Overview: Adding BIG-IP DataSafe to the BIG-IP system... 5 Provisioning Fraud
More informationskm skm skm 85 dagonet.cs.purdue.edu bradley User Name: Job Name: Host Name: Printer Name: 05/04/ :44:24 AM
S skm User Name: Job Name: Host Name: Printer Name: Date: skm 85 dagonet.cs.purdue.edu bradley 05/04/2000 11:44:24 AM S skm User Profile Driven Web Security Sanjay Madria, Mukesh Mohania Bharat Bhargava
More informationSession 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes
Session 8 Deployment Descriptor 1 Reading Reading and Reference en.wikipedia.org/wiki/http Reference http headers en.wikipedia.org/wiki/list_of_http_headers http status codes en.wikipedia.org/wiki/_status_codes
More informationPrivacy. CS Computer Security Profs. Vern Paxson & David Wagner
Privacy CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ March 31,
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationChapter 8. User Authentication
Chapter 8. User Authentication This chapter describes how NetDefendOS implements user authentication. Overview, page 220 Authentication Setup, page 221 8.1. Overview In situations where individual users
More informationAssignment #2. Csci4211 Spring Due on March 6th, Notes: There are five questions in this assignment. Each question has 10 points.
Assignment #2 Csci4211 Spring 2017 Due on March 6th, 2017 Notes: There are five questions in this assignment. Each question has 10 points. 1. (10 pt.) Design and describe an application-level protocol
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationASP.NET State Management Techniques
ASP.NET State Management Techniques This article is for complete beginners who are new to ASP.NET and want to get some good knowledge about ASP.NET State Management. What is the need of State Management?
More informationCSC 4900 Computer Networks:
CSC 4900 Computer Networks: Email Professor Henry Carter Fall 2017 Villanova University Department of Computing Sciences Review Last week we talked about design principles, and the application protocols
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationCSCE 120: Learning To Code
CSCE 120: Learning To Code Module 11.0: Consuming Data I Introduction to Ajax This module is designed to familiarize you with web services and web APIs and how to connect to such services and consume and
More informationLecture 4. Wednesday, January 27, 2016
Lecture 4 Wednesday, January 27, 2016 PHP through Apache Last week, we talked about building command line scripts This week, we will transition to building scripts that will run through the web server,
More informationICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol
ICS 351: Today's plan HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol secure HTTP HTTP by itself is very insecure: any man-in-the-middle attacker can observe all
More informationCSCE 813 Internet Security Kerberos
CSCE 813 Internet Security Kerberos Professor Lisa Luo Fall 2017 What is Kerberos? An authentication server system from MIT; versions 4 and 5 Provide authentication for a user that works on a workstation
More informationInformation Network Systems The application layer. Stephan Sigg
Information Network Systems The application layer Stephan Sigg Tokyo, November 15, 2012 Introduction 04.10.2012 Introduction to the internet 11.10.2012 The link layer 18.10.2012 The network layer 25.10.2012
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationNetwork Applications Principles of Network Applications
Network Applications Principles of Network Applications A Network application is an application running on one host and provides communication to another application running on a different host. At the
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationLucidWorks: Searching with curl October 1, 2012
LucidWorks: Searching with curl October 1, 2012 1. Module name: LucidWorks: Searching with curl 2. Scope: Utilizing curl and the Query admin to search documents 3. Learning objectives Students will be
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 client-side scripts and security while client-side scripts do much to improve the appearance of pages,
More informationF5 Big-IP Application Security Manager v11
F5 F5 Big-IP Application Security Manager v11 Code: ACBE F5-ASM Days: 4 Course Description: This four-day course gives networking professionals a functional understanding of the BIG- IP LTM v11 system
More informationWeb Applica+on Security
Web Applica+on Security Raluca Ada Popa Feb 25, 2013 6.857: Computer and Network Security See last slide for credits Outline Web basics: HTTP Web security: Authen+ca+on: passwords, cookies Security amacks
More informationCSMC 412. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala Set 2. September 15 CMSC417 Set 2 1
CSMC 412 Computer Networks Prof. Ashok K Agrawala 2015 Ashok Agrawala Set 2 September 15 CMSC417 Set 2 1 Contents Client-server paradigm End systems Clients and servers Sockets Socket abstraction Socket
More informationLab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2
Lab 2 All datagrams related to favicon.ico had been ignored. Diagram 1 Diagram 2 1. Is your browser running HTTP version 1.0 or 1.1? What version of HTTP is the server running? According to the diagram
More information3. WWW and HTTP. Fig.3.1 Architecture of WWW
3. WWW and HTTP The World Wide Web (WWW) is a repository of information linked together from points all over the world. The WWW has a unique combination of flexibility, portability, and user-friendly features
More informationApplication Layer Security
Application Layer Security General overview Ma. Angel Marquez Andrade Benefits of web Applications: No need to distribute separate client software Changes to the interface take effect immediately Client-side
More informationApplication Design and Development: October 30
M149: Database Systems Winter 2018 Lecturer: Panagiotis Liakos Application Design and Development: October 30 1 Applications Programs and User Interfaces very few people use a query language to interact
More informationRobust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationSophos UTM Web Application Firewall For: Microsoft Exchange Services
How to configure: Sophos UTM Web Application Firewall For: Microsoft Exchange Services This guide explains how to configure your Sophos UTM 9.3+ to allow access to the relevant Microsoft Exchange services
More informationCS Paul Krzyzanowski
Computer Security 17. Tor & Anonymous Connectivity Anonymous Connectivity Paul Krzyzanowski Rutgers University Spring 2018 1 2 Anonymity on the Internet Often considered bad Only criminals need to hide
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationCNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls
CNIT 129S: Securing Web Applications Ch 8: Attacking Access Controls Access Control Authentication and session management Ensure that you know who is using the application Access Controls Limit what actions
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationReal Life Web Development. Joseph Paul Cohen
Real Life Web Development Joseph Paul Cohen joecohen@cs.umb.edu Index 201 - The code 404 - How to run it? 500 - Your code is broken? 200 - Someone broke into your server? 400 - How are people using your
More informationCS 43: Computer Networks. HTTP September 10, 2018
CS 43: Computer Networks HTTP September 10, 2018 Reading Quiz Lecture 4 - Slide 2 Five-layer protocol stack HTTP Request message Headers protocol delineators Last class Lecture 4 - Slide 3 HTTP GET vs.
More informationVarargs Training & Software Development Centre Private Limited, Module: HTML5, CSS3 & JavaScript
PHP Curriculum Module: HTML5, CSS3 & JavaScript Introduction to the Web o Explain the evolution of HTML o Explain the page structure used by HTML o List the drawbacks in HTML 4 and XHTML o List the new
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationLarge-Scale Web Applications
Large-Scale Web Applications Mendel Rosenblum Web Application Architecture Web Browser Web Server / Application server Storage System HTTP Internet CS142 Lecture Notes - Intro LAN 2 Large-Scale: Scale-Out
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationGoogle Analytics Health Check Checklist: Property Settings
Google Analytics Health Check Checklist: Property Settings One of the reasons Next Steps Digital exists is because we not only want to dispel common misconceptions about Google Analytics (and everything
More informationCSCE 463/612 Networks and Distributed Processing Spring 2018
CSCE 463/612 Networks and Distributed Processing Spring 2018 Application Layer II Dmitri Loguinov Texas A&M University February 6, 2018 Original slides copyright 1996-2004 J.F Kurose and K.W. Ross 1 Chapter
More informationCS4/MSc Computer Networking. Lecture 3: The Application Layer
CS4/MSc Computer Networking Lecture 3: The Application Layer Computer Networking, Copyright University of Edinburgh 2005 Network Applications Examine a popular network application: Web Client-server architecture
More informationPemrograman Jaringan Web Client Access PTIIK
Pemrograman Jaringan Web Client Access PTIIK - 2012 In This Chapter You'll learn how to : Download web pages Authenticate to a remote HTTP server Submit form data Handle errors Communicate with protocols
More informationWEB TECHNOLOGIES CHAPTER 1
WEB TECHNOLOGIES CHAPTER 1 WEB ESSENTIALS: CLIENTS, SERVERS, AND COMMUNICATION Modified by Ahmed Sallam Based on original slides by Jeffrey C. Jackson THE INTERNET Technical origin: ARPANET (late 1960
More informationApplications & Application-Layer Protocols: The Web & HTTP
CPSC 360 Network Programming Applications & Application-Layer Protocols: The Web & HTTP Michele Weigle Department of Computer Science Clemson University mweigle@cs.clemson.edu http://www.cs.clemson.edu/~mweigle/courses/cpsc360
More information