WEB SECURITY: WEB BACKGROUND

Similar documents
Security for the Web. Thanks to Dave Levin for some slides

I n p u t. This time. Security. Software. sanitization ); drop table slides. Continuing with. Getting insane with. New attacks and countermeasures:

Security for the Web. Thanks to Dave Levin for some slides

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

CMSC 332 Computer Networking Web and FTP

WEB SECURITY: XSS & CSRF

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Web, HTTP and Web Caching

Web Security II. Slides from M. Hicks, University of Maryland

Computer Networks. Wenzhong Li. Nanjing University

Lecture 7b: HTTP. Feb. 24, Internet and Intranet Protocols and Applications

CS 355. Computer Networking. Wei Lu, Ph.D., P.Eng.

P2_L12 Web Security Page 1

Caching. Caching Overview

Robust Defenses for Cross-Site Request Forgery

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Manipulating Web Application Interfaces a New Approach to Input Validation Testing. AppSec DC Nov 13, The OWASP Foundation

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

RKN 2015 Application Layer Short Summary

Lecture 6 Application Layer. Antonio Cianfrani DIET Department Networking Group netlab.uniroma1.it

UNIT I. A protocol is a precise set of rules defining how components communicate, the format of addresses, how data is split into packets

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Features of a proxy server: - Nowadays, by using TCP/IP within local area networks, the relaying role that the proxy

Options. Real SQL Programming 1. Stored Procedures. Embedded SQL

Lecture 9a: Sessions and Cookies

Review of Previous Lecture

Webshop Plus! v Pablo Software Solutions DB Technosystems

Computer Networks. HTTP and more. Jianping Pan Spring /20/17 CSC361 1

Hypertext Transport Protocol

Browser behavior can be quite complex, using more HTTP features than the basic exchange, this trace will show us how much gets transferred.

COMPUTER NETWORKS AND COMMUNICATION PROTOCOLS. Web Access: HTTP Mehmet KORKMAZ

HTTP Protocol and Server-Side Basics

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

1-1. Switching Networks (Fall 2010) EE 586 Communication and. September Lecture 10

Configuration examples for the D-Link NetDefend Firewall series DFL-260/860

How Facebook knows exactly what turns you on

CN Assignment I. 1. With an example explain how cookies are used in e-commerce application to improve the performance.

Web Security: Vulnerabilities & Attacks

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

CS6120: Intelligent Media Systems. User Models. How is User Model Data Obtained? 11/01/2014

Application Layer. Applications and application-layer protocols. Goals:

SC/CSE 3213 Winter Sebastian Magierowski York University CSE 3213, W13 L8: TCP/IP. Outline. Forwarding over network and data link layers

Application vulnerabilities and defences

Authentication for Web Services. Ray Miller Systems Development and Support Computing Services, University of Oxford

HyperText Transfer Protocol

How A Website Works. - Shobha

Networking. Layered Model. DoD Model. Application Layer. ISO/OSI Model

Wireshark HTTP. Introduction. The Basic HTTP GET/response interaction

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

ReST 2000 Roy Fielding W3C

BIG-IP DataSafe Configuration. Version 13.1

skm skm skm 85 dagonet.cs.purdue.edu bradley User Name: Job Name: Host Name: Printer Name: 05/04/ :44:24 AM

Session 8. Reading and Reference. en.wikipedia.org/wiki/list_of_http_headers. en.wikipedia.org/wiki/http_status_codes

Privacy. CS Computer Security Profs. Vern Paxson & David Wagner

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Chapter 8. User Authentication

Assignment #2. Csci4211 Spring Due on March 6th, Notes: There are five questions in this assignment. Each question has 10 points.

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

ASP.NET State Management Techniques

CSC 4900 Computer Networks:

Combating Common Web App Authentication Threats

CSCE 120: Learning To Code

Lecture 4. Wednesday, January 27, 2016

ICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol

CSCE 813 Internet Security Kerberos

Information Network Systems The application layer. Stephan Sigg

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

Network Applications Principles of Network Applications

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

LucidWorks: Searching with curl October 1, 2012

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

F5 Big-IP Application Security Manager v11

Web Applica+on Security

CSMC 412. Computer Networks Prof. Ashok K Agrawala Ashok Agrawala Set 2. September 15 CMSC417 Set 2 1

Lab 2. All datagrams related to favicon.ico had been ignored. Diagram 1. Diagram 2

3. WWW and HTTP. Fig.3.1 Architecture of WWW

Application Layer Security

Application Design and Development: October 30

Robust Defenses for Cross-Site Request Forgery

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

Sophos UTM Web Application Firewall For: Microsoft Exchange Services

CS Paul Krzyzanowski

Web basics: HTTP cookies

CNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web basics: HTTP cookies

Real Life Web Development. Joseph Paul Cohen

CS 43: Computer Networks. HTTP September 10, 2018

Varargs Training & Software Development Centre Private Limited, Module: HTML5, CSS3 & JavaScript

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Large-Scale Web Applications

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Google Analytics Health Check Checklist: Property Settings

CSCE 463/612 Networks and Distributed Processing Spring 2018

CS4/MSc Computer Networking. Lecture 3: The Application Layer

Pemrograman Jaringan Web Client Access PTIIK

WEB TECHNOLOGIES CHAPTER 1

Applications & Application-Layer Protocols: The Web & HTTP

Transcription:

WEB SECURITY: WEB BACKGROUND CMSC 414 FEB 20 2018

A very basic web architecture Client Server Browser Web server (Private) Data Database DB is a separate entity, logically (and often physically)

A very basic web architecture Client Server Browser Web server (Private) Data Database (Much) user data is part of the browser DB is a separate entity, logically (and often physically)

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Protocol ftp https tor

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Hostname/server Translated to an IP address by DNS (more on this later)

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server http://facebook.com/delete.php

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server http://facebook.com/delete.php Path to a resource Here, the file home.html is dynamic content i.e., the server generates the content on the fly

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server http://facebook.com/delete.php Here, the file home.html is dynamic content i.e., the server generates the content on the fly

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server http://facebook.com/delete.php?f=joe123&w=16 Here, the file home.html is dynamic content i.e., the server generates the content on the fly

Interacting with web servers Get and put resources which are identified by a URL http://www.cs.umd.edu/~dml/home.html Path to a resource Here, the file home.html is static content i.e., a fixed file returned by the server http://facebook.com/delete.php?f=joe123&w=16 Arguments Here, the file home.html is dynamic content i.e., the server generates the content on the fly

Basic structure of web traffic Client Server Browser Web server (Private) Data Database

Basic structure of web traffic Client Server Browser Web server

Basic structure of web traffic Client Server Browser HTTP Web server

Basic structure of web traffic Client Server Browser HTTP Web server HyperText Transfer Protocol (HTTP) An application-layer protocol for exchanging collections of data

Basic structure of web traffic Client Server Browser Web server

Basic structure of web traffic Client Server Browser Web server User clicks

Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks

Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks Requests contain: The URL of the resource the client wishes to obtain Headers describing what the browser can do Requests be GET or POST GET: all data is in the URL itself (supposed to have no side-effects) POST: includes the data as separate fields (can have side-effects)

HTTP GET requests http://www.reddit.com/r/security

HTTP GET requests http://www.reddit.com/r/security

HTTP GET requests http://www.reddit.com/r/security User-Agent is typically a browser but it can be wget, JDK, etc.

Referrer URL: the site from which this request was issued.

HTTP POST requests Posting on Piazza

HTTP POST requests Posting on Piazza

HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL

HTTP POST requests Posting on Piazza Implicitly includes data as a part of the URL Explicitly includes data as a part of the request s content

Basic structure of web traffic Client Server Browser HTTP Request Web server User clicks

Basic structure of web traffic Client Server Browser Web server User clicks

Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks

Basic structure of web traffic Client Server Browser HTTP Response Web server User clicks Responses contain: Status code Headers describing what the server provides Data Cookies State it would like the browser to store on the site s behalf

<html> </html> HTTP responses

HTTP version Status code Reason phrase HTTP responses Data Headers <html> </html>

HTTP is stateless The lifetime of an HTTP session is typically: Client connects to the server Client issues a request Server responds Client issues a request for something in the response. repeat. Client disconnects HTTP has no means of noting oh this is the same client from that previous session With this alone, you d have to log in at every page load

Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser HTTP Response Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser HTTP Response State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser State HTTP Response Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser State HTTP Request Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser HTTP Request State Web server Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Maintaining state across HTTP sessions Client Server Browser HTTP Request Web server State Server processing results in intermediate state Send the state to the client in hidden fields Client returns the state in subsequent responses

Online ordering socks.com Order Order $5.50

Online ordering socks.com Order socks.com Pay Order The total cost is $5.50. Confirm order? $5.50 Yes No Separate page

Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

Online ordering The corresponding backend processing if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Online ordering <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 0.01 value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Minimizing trust in the client <html> <head> <title>pay</title> </head> <body> <form action= submit_order method= GET > The total cost is $5.50. Confirm order? <input type= hidden name= price name= sid value= 781234 > value= 5.50 > <input type= submit name= pay value= yes > <input type= submit name= pay value= no > </body> </html> What s presented to the user

Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page();

Minimizing trust in the client The corresponding backend processing price = lookup(sid); if(pay == yes && price!= NULL) { bill_creditcard(price); deliver_socks(); } else display_transaction_cancelled_page(); We don t want to pass hidden fields around all the time

Statefulness with Cookies Client Server Browser HTTP Request Web server Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser HTTP Request Web server State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser HTTP Request Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Server Browser HTTP Response Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Server Browser Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Statefulness with Cookies Client Server Server Browser HTTP Request Web server Cookie Cookie Cookie State Server stores state, indexes it with a cookie Send this cookie to the client Client stores the cookie and returns it with subsequent queries to that same server

Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>

Cookies are key-value pairs Set-Cookie:key=value; options;. Data Headers <html> </html>

Cookies Client Semantics Browser (Private) Data

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) (Private) Data

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 (Private) Data

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of /

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>

Cookies Client Browser Semantics Store us under the key edition (think of it like one big hash table) This value is no good as of Wed Feb 18 This value should only be readable by any domain ending in.zdnet.com (Private) Data This should be available to any resource within a subdirectory of / Send the cookie to any future requests to <domain>/<path>

Requests with cookies Subsequent visit

Requests with cookies Response Subsequent visit

Requests with cookies Response Subsequent visit

Why use cookies? Personalization Let an anonymous user customize your site Store font choice, etc., in the cookie

Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)?

Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL

Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Problem: IP addrs change

Tracking users Why use cookies? Advertisers want to know your behavior Ideally build a profile across different websites - Read about ipad on CNN, then see ads on Amazon?! How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, indexed by your IP address Option 2: A maintains a DB indexed by a cookie Problem: IP addrs change - Third-party cookie - Commonly used by large ad networks (doubleclick)

Ad provided by an ad network

Snippet of reddit.com source

Snippet of reddit.com source Our first time accessing adzerk.net

I visit reddit.com

I visit reddit.com

I visit reddit.com

I visit reddit.com Later, I go to reddit.com/r/security

I visit reddit.com Later, I go to reddit.com/r/security

I visit reddit.com Later, I go to reddit.com/r/security

I visit reddit.com We are only sharing this cookie with *.adzerk.net; but we are telling them about where we just came from Later, I go to reddit.com/r/security

Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited http://website.com/login.html?user=alice&pass=secret with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: http://website.com/dostuff.html?sid=81asf98as8eak The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier.

Cookies and web authentication An extremely common use of cookies is to track users who have already authenticated If the user already visited http://website.com/login.html?user=alice&pass=secret with the correct password, then the server associates a session cookie with the logged-in user s info Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: http://website.com/dostuff.html?sid=81asf98as8eak The idea is for the server to be able to say I am talking to the same browser that authenticated Alice earlier. Attacks?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback