CS 5450 HTTP. Vitaly Shmatikov

Similar documents
s642 web security computer security adam everspaugh

0x1A Great Papers in Computer Security

Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

CIS 5373 Systems Security

Web Security [SSL/TLS and Browser Security Model]

LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Information Security CS 526 Topic 8

Web Security, Part 2

Web Security: XSS; Sessions

Computer and Network Security

Web Security. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

Information Security CS 526 Topic 11

Browser Security Model

Web Security. CS642: Computer Security. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

CSE392/ISE331. Web Security Goals & Workings of the Web. Nick Nikiforakis

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 24

Cookies and Passwords

Announcements. Schedule. Homework 1 was due on Monday... quesgons? Homework 2 will be assigned as soon as I can

CS526: Information security

Lecture 3. HTTP v1.0 application layer protocol. into details. HTTP 1.0: RFC 1945, T. Berners-Lee HTTP 1.1: RFC 2068, 2616

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web Applica+on Security

s642 web security computer security adam everspaugh

Browser Security Model

Browser Security Model

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

Content Delivery on the Web: HTTP and CDNs

HTTP Protocol and Server-Side Basics

Web basics: HTTP cookies

Applications & Application-Layer Protocols: The Web & HTTP

Web, HTTP and Web Caching

CSCI-1680 WWW Rodrigo Fonseca

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Introduc)on to Computer Networks

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Lecture 9a: Sessions and Cookies

CSCI-1680 WWW Rodrigo Fonseca

How to work with HTTP requests and responses

Produced by. Mobile Application Development. Higher Diploma in Science in Computer Science. Eamonn de Leastar

Computer Networks. Wenzhong Li. Nanjing University

INTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary

CS 43: Computer Networks. HTTP September 10, 2018

Web Security: Cross-Site Attacks

3. WWW and HTTP. Fig.3.1 Architecture of WWW

Unraveling the Mysteries of J2EE Web Application Communications

Outline of Lecture 3 Protocols

Common Websites Security Issues. Ziv Perry

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Review of Previous Lecture

Some Facts Web 2.0/Ajax Security

OSI Session / presentation / application Layer. Dr. Luca Allodi - Network Security - University of Trento, DISI (AA 2015/2016)

Web Security: Loose Ends

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

Internet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP

CMSC 332 Computer Networking Web and FTP

Web Technology. COMP476 Networked Computer Systems. Hypertext and Hypermedia. Document Representation. Client-Server Paradigm.

Announcements. The World Wide Web. Retrieving From the Server. Goals of Today s Lecture. The World Wide Web. POP3 Protocol

CS 43: Computer Networks. Layering & HTTP September 7, 2018

Notes beforehand... For more details: See the (online) presentation program.

The World Wide Web. EE 122: Intro to Communication Networks. Fall 2006 (MW 4-5:30 in Donner 155) Vern Paxson TAs: Dilip Antony Joseph and Sukun Kim

CS 161 Computer Security

CS 142 Winter Session Management. Dan Boneh

EE 122: HyperText Transfer Protocol (HTTP)

RKN 2015 Application Layer Short Summary

Lecture 6 Application Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

CS144: Sessions. Cookie : CS144: Web Applications

October 08: Introduction to Web Security

WEB APPLICATION ENGINEERING II

World-Wide Web Protocols CS 571 Fall Kenneth L. Calvert All rights reserved

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

COMPUTER NETWORK. Homework #1. Due Date: March 29, 2017 in class

WWW: the http protocol

HyperText Transfer Protocol

RESTful Services. Distributed Enabling Platform

WEB SECURITY: XSS & CSRF

8/19/2018. Web Development & Design Foundations with HTML5. Learning Objectives (1 of 2) Learning Objectives (2 of 2) What is JavaScript?

CMPE 151: Network Administration. Servers

Web Development & Design Foundations with HTML5, 8 th Edition Instructor Materials Chapter 14 Test Bank

HTTP Reading: Section and COS 461: Computer Networks Spring 2013

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Web Security: Web Application Security [continued]

P2_L12 Web Security Page 1

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Web Standards. Web Technologies. Web Standards. URI and URL

Electronic Mail. Three Components: SMTP SMTP. SMTP mail server. 1. User Agents. 2. Mail Servers. 3. SMTP protocol

Session 9. Deployment Descriptor Http. Reading and Reference. en.wikipedia.org/wiki/http. en.wikipedia.org/wiki/list_of_http_headers

Application Layer: The Web and HTTP Sec 2.2 Prof Lina Battestilli Fall 2017

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Networking. Layered Model. DoD Model. Application Layer. ISO/OSI Model

Announcements. The World Wide Web. Goals of Today s Lecture. The World Wide Web HTML. Web Components

7.2.4 on Media content; on XSS) sws2 1

WEB TECHNOLOGIES CHAPTER 1

The HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10

CS155. *Original slides were created by Prof. Dan Boneh

Transcription:

CS 5450 HTTP Vitaly Shmatikov

Browser and Network Browser OS Hardware request reply website Network slide 2

HTML A web page includes Base HTML file Referenced objects (e.g., images) HTML: Hypertext Markup Language Representation of hypertext documents in ASCII Web browsers interpret HTML when rendering a page Format text, reference images, embed hyperlinks (HREF) slide 3

HTTP: HyperText Transfer Protocol Used to request and return data Methods: GET, POST, HEAD, Stateless request/response protocol Each request is independent of previous requests Statelessness has a significant impact on design and implementation of applications Evolution HTTP 1.0: simple HTTP 1.1: more complex slide 4

Steps in an HTTP Request Client Server SYN (i) SYN(j) + ACK(i+1) HTTP GET HTTP Response Server processes the request Client parses the response FIN slide 5

HTTP Request Method File HTTP version Headers GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT Blank line Body none for GET slide 6

HTTP Methods GET Return current value of a resource, run program, etc. HEAD Return the metadata associated with a resource POST Update resource, provide input to a program slide 7

Generating a Response Return a file ( static content ) URL matches a file (e.g., /www/index.html) Server returns the file s contents as the response Server generates appropriate response header Generate a response dynamically URL triggers a program on the server Server executes the program and sends output to client in the HTTP response Return metadata with no body slide 8

HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 Data <HTML> Some data... blah, blah, blah </HTML> slide 9

HTTP Is Stateless Each request-response exchange is treated independently, server not required to retain state Good: improves scalability on the server side Don t have to retain info across client requests Can handle higher rate of client requests Order of client requests doesn t matter Bad: some apps need persistent state Uniquely identify user or store temporary info (e.g., shopping cart, user preferences/profiles, usage tracking, etc.) slide 10

Website Storing Info In Browser A cookie is a file created by a website to store information in the browser Browser POST login.cgi username and pwd Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (send only over HTTPS) If expires = NULL, this session only Browser GET restricted.html Cookie: NAME=VALUE Server HTTP is a stateless protocol; cookies add state slide 11

What Are Cookies Used For? Authentication The cookie proves to the website that the client previously authenticated correctly Personalization Helps the website recognize the user from a previous visit Tracking Follow the user from site to site; learn his/her browsing behavior, preferences, and so on slide 12

Web Authentication with Cookies Authentication system that works over HTTP and does not require servers to store session data except for logout status After client successfully authenticates, server computes an authenticator token and gives it to the browser as a cookie Client should not be able forge authenticator on his own Example: HMAC(server s secret key, session information) With each request, browser presents the cookie; server recomputes and verifies the authenticator Server does not need to remember the authenticator slide 13

Typical Session with Cookies client server POST /login.cgi Set-Cookie:authenticator GET /restricted.html Cookie:authenticator Restricted content Verify that this client is authorized Check validity of authenticator recompute hash(key, session) Authenticators must be unforgeable and tamper-proof (malicious client shouldn t be able to compute his own or modify an existing authenticator) slide 14

Goals of Browser Security Safe to visit an evil website Safe to visit two pages at the same time Safe delegation slide 15

Browser: Basic Execution Model Each browser window or frame: Loads content Renders Processes HTML and scripts to display the page May involve images, subframes, etc. Responds to events Events User actions: OnClick, OnMouseover Rendering: OnLoad, OnUnload slide 16

JavaScript The world s most misunderstood programming language Language executed by the browser Scripts are embedded in Web pages Can run before HTML is loaded, before page is viewed, while it is being viewed, or when leaving the page Used to implement active web pages AJAX, huge number of Web-based applications slide 17

JavaScript History Developed by Brendan Eich at Netscape Scripting language for Navigator 2 Later standardized for browser compatibility ECMAScript Edition 3 (aka JavaScript 1.5) Related to Java in name only Name was part of a marketing deal Java is to JavaScript as car is to carpet Various implementations available slide 18

JavaScript in Web Pages Embedded in HTML page as <script> element JavaScript written directly inside <script> element <script> alert("hello World!") </script> Linked file as src attribute of the <script> element <script type="text/javascript" src= functions.js"></script> Event handler attribute <a href="http://www.yahoo.com" onmouseover="alert('hi');"> Pseudo-URL referenced by a link <a href= JavaScript: alert( You clicked ); >Click me</a> Many other ways slide 19

Document Object Model (DOM) HTML page is structured data DOM is object-oriented representation of the hierarchical HTML structure Properties: document.alinkcolor, document.url, document.forms[ ], document.links[ ], Methods: document.write(document.referrer) These change the content of the page! Also Browser Object Model (BOM) Window, Document, Frames[], History, Location, Navigator (type and version of browser) slide 20

Browser Sandbox Goal: safely execute JavaScript code provided by a remote website No direct file access, limited access to OS, network, browser data, content that came from other websites Same origin policy (SOP) Can only read properties of documents and windows from the same protocol, domain, and port slide 21

SOP for Reading Cookies Browser GET //URL-domain/URL-path Cookie: NAME = VALUE Server Browser sends all cookies in URL scope: cookie-domain is domain-suffix of URL-domain cookie-path is prefix of URL-path protocol=https if cookie is secure slide 22

Examples of Cookie Reading SOP cookie 1 name = userid value = u1 domain = login.site.com path = / secure cookie 2 name = userid value = u2 domain =.site.com path = / non-secure both set by login.site.com http://checkout.site.com/ http://login.site.com/ https://login.site.com/ cookie: userid=u2 cookie: userid=u2 cookie: userid=u1; userid=u2 slide 23

SOP for JavaScript in Browser Same domain scoping rules as for sending cookies to the server document.cookie returns a string with all cookies available for the document Often used in JavaScript to customize page Javascript can set and delete cookies via DOM document.cookie = name=value; expires= ; document.cookie = name=; expires= Thu, 01-Jan-70 slide 24

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback