Ch07 Web Security
• Itemized lists: in which list items are set apart with bullets or numbers, such
as <ul> <li>first-item</li> <li>second-item</li> </ul>
• Scripting code: describes various actions for the web page, such
as in <script>Computer code</script>
• Here, www.example.com is the domain of the web server holding the web
site of interest, directory is the name of the folder that is storing the web
site of interest, and file.html is a file that describes the text and images for
a page on this web site
Connecting to a Web Server
• Given such a URL, the web browser first checks the local DNS cache on
its system for an entry corresponding to the domain of the web site being
requested.
• If no entry is found locally, the browser queries a DNS server to
resolve the IP address of the domain name.
• After the IP address of the web server is resolved, the client makes a TCP
connection to a specified port on the web server, which is, by default, port
80 for HTTP.
• Other protocols besides HTTP could also be used in a URL:
• Port 21: File Transfer Protocol (FTP)
• Port 80: Hypertext Transfer Protocol (HTTP)
• Port 443: Hypertext Transfer Protocol over TLS/SSL (HTTPS)
HTTP Request
• After establishing a TCP connection to the web server, the browser sends
requests, known as HTTP requests, to that web server, encapsulated in
the data portion of a TCP packet.
• HTTP requests typically begin with a request line, usually consisting of a
command such as GET or POST.
• Next is the headers section that identifies additional information.
• Finally, there may be more information provided in an optional message
body.
GET vs POST Request
More on GET and POST
GET:
• GET requests can be cached
• GET requests remain in the browser history
• GET requests can be bookmarked
• GET requests should never be used when dealing with sensitive data
• GET requests have length restrictions
• GET requests are only used to request data (not modify)
POST:
• POST requests are never cached
• POST requests do not remain in the browser history
• POST requests cannot be bookmarked
• POST requests have no restriction on data length
• POST requests are used to modify data
HTML Form
<form action="/product/update" method="post">
Product: <input type="text" name="product"/><br />
Deluxe: <input type="checkbox" name="delux" /><br />
<input type="submit" value="Submit"/>
</form>
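The request structure described above (request line, headers, optional body) and the GET/POST difference, as an added example that is not part of the lecture slides: a small parser for a raw HTTP request, run over two constructed submissions of the product form shown above.

```python
# Added example (not from the slides): parse the raw HTTP request a browser
# sends after the TCP connection is made, into the three parts named above:
# the request line, the header section and the optional message body. It also
# shows where form data travels for GET (query string in the URL) versus POST
# (in the body). Both requests below are constructed sample input.
from urllib.parse import parse_qs, urlsplit

def parse_http_request(raw: bytes) -> dict:
    """Parse one HTTP/1.x request; return method, path, headers, body and form fields."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("request is missing the blank line that ends the headers")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)   # the request line
    headers = {}
    for line in lines[1:]:                             # the headers section
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # Content-Length says how many body bytes belong to this request.
    length = int(headers.get("content-length", "0"))
    body = body[:length]
    url = urlsplit(target)
    form = {}
    if method == "GET":
        # GET parameters ride in the URL: visible in history, bookmarks and logs.
        form = parse_qs(url.query)
    elif method == "POST" and headers.get("content-type") == "application/x-www-form-urlencoded":
        # POST parameters ride in the message body instead.
        form = parse_qs(body.decode("iso-8859-1"))
    return {"method": method, "path": url.path, "version": version,
            "headers": headers, "body": body, "form": form}

# Constructed sample: the product form above submitted with method="post".
POST_REQUEST = (b"POST /product/update HTTP/1.1\r\n"
                b"Host: www.example.com\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 23\r\n"
                b"\r\n"
                b"product=Widget&delux=on")

# Constructed sample: the same fields sent with method="get" instead.
GET_REQUEST = (b"GET /product/update?product=Widget&delux=on HTTP/1.1\r\n"
               b"Host: www.example.com\r\n"
               b"\r\n")
```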
• Passive attacks:
• Eavesdrop on network traffic
• Active attacks:
• Inject network packets
• Modify packets
• Reorder, replay packets
• Block packets
Cryptography to the rescue
• Solution: use encryption to prevent eavesdropping and detect active attacks.
• Old idea: Scramble the information before transmitting it, unscramble when received
• Traditional encryption:
• Symmetric keys (same key on both ends)
• Key distribution problem: how can we exchange keys without meeting in person?
• HTTPS must be used in conjunction with sessions implemented with GET or POST
variables to protect the user from these attacks.
• A typical mechanism for issuing session IDs involves the use of a random number
generator or of a message authentication code (MAC).
Cookies
• Uses small packets of data, called cookies, which are sent to the client by the web server
and stored on the client’s machine
Browser → Server: POST …
Server → Browser, HTTP header:
Set-Cookie: NAME=VALUE;
domain=(who can read);
expires=(when expires); if expires=NULL: this session only
secure (only over SSL)
Browser → Server: POST …
Cookie: NAME=VALUE
Login flow using a cookie:
Browser → Server: POST login.cgi with username & pwd; server validates the user
Server → Browser: Set-Cookie: auth=val
Browser → Server: GET restricted.html with Cookie: auth=val; server checks val (YES/NO)
Server → Browser: if YES, restricted.html
Cookie Expiry
• If no expiration date is specified, the cookie defaults to being deleted
when the user exits the browser
if expires=NULL:
this session only
if expires=past date:
browser deletes cookie
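The Set-Cookie fields from the diagram and the expiry rules above, as an added example that is not part of the slides: a parser for a Set-Cookie header plus the decision a browser makes (session-only, expired, or persistent). Header strings and the reference time are constructed samples.

```python
# Added example (not from the slides): parse a Set-Cookie header into the
# fields shown above (NAME=VALUE, domain, expires, secure) and apply the
# expiry rules: no Expires means a session-only cookie dropped when the
# browser exits; an Expires in the past means the browser deletes it now.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def parse_set_cookie(header: str) -> dict:
    """Split 'NAME=VALUE; attr=val; flag' into a dict of cookie fields."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name, "value": value, "domain": None,
              "expires": None, "secure": False}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "domain":
            cookie["domain"] = val.strip()        # who can read the cookie
        elif key == "expires":
            cookie["expires"] = parsedate_to_datetime(val.strip())
        elif key == "secure":
            cookie["secure"] = True               # only sent over SSL/TLS
    return cookie

def cookie_status(cookie: dict, now: datetime) -> str:
    """Return 'session-only', 'expired' or 'persistent' per the rules above."""
    if cookie["expires"] is None:
        return "session-only"   # deleted when the user exits the browser
    if cookie["expires"] <= now:
        return "expired"        # browser deletes the cookie
    return "persistent"

# Constructed reference time and sample headers (not real cookies).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SESSION_COOKIE = "auth=val; Domain=www.example.com; Secure"
EXPIRED_COOKIE = "auth=val; Expires=Wed, 01 Jan 2020 00:00:00 GMT"
PERSISTENT_COOKIE = "auth=val; Expires=Wed, 01 Jan 2025 00:00:00 GMT"
```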
Cookie security
• Cookies have profound implications for the security of user sessions
• For instance, it is dangerous to store any sensitive information unencrypted in
the body of a cookie, since cookies can typically be accessed by users of the
system on which they are stored
• Even if sensitive information is encrypted, however, accessing a user’s cookies for
a web site may allow an attacker to assume that user’s session
• Because of this, there is a need for users to protect their cookies as they would
any login information
• The expiration date built into cookies is a good preventive measure, but it is still
recommended that users erase their cookies on a regular basis to prevent such
attacks
• In addition to these security concerns, cookies also raise several issues related to
user privacy discussed later
Client Side Attacks
Session hijacking
Phishing
URL obfuscation
www.bank.com/accounts/login.php?q=me.badguy.cn
<a onMouseUp=window.open("http://www.evilsite.com")
href="http://www.trustedsite.com/">Trust me!</a>
• It is also possible for malicious sites to use other JavaScript event handlers such
as onMouseOver
Click Fraud
• Click-jacking extends beyond the action of actually clicking on a page, since it is
possible for malicious sites to use other JavaScript event handlers such as
onMouseOver
• which triggers an action whenever a user simply moves their mouse over that element
• Another common scenario where click-jacking might be used is advertisement
fraud
• Most online advertisers pay the sites that host their advertisements based on the
number of click-throughs
• how many times the site actually convinced users to click on the advertisements
• Click-jacking can be used to force users to unwillingly click on advertisements,
raising the fraudulent site’s revenue, which is an attack known as click fraud
Cross Site Request Forgery (CSRF)
Cross-Site Requests
● When a page from a website sends an HTTP request back to the same website, it is
called a same-site request.
● If a request is sent to a different website, it is called a cross-site request, because
where the page comes from and where the request goes are different.
● Because of the above behaviour of browsers, the server cannot distinguish between
same-site and cross-site requests.
● It is possible for third-party websites to forge requests that are exactly the same as
the same-site requests.
● This is called Cross-Site Request Forgery (CSRF).
CSRF Attack : Prerequisites
• Victim must be logged in to the target website (a session must be active)
• Attacker must lure the victim into trusting the attacker’s website
• The target website does not have any defence against CSRF.
Basic CSRF
• For launching CSRF on HTTP GET services, we can simply use HTML tags
instead of JavaScript
• Would work even if JS is disabled for untrusted websites in the browser
CSRF: Countermeasures
• Very difficult to prevent, as to the websites, the request looks
legitimate
• Without a persistent cookie, use a session token and pass it with every
request
• The attacker needs to get hold of this session token to launch the attack
• However, different session tokens must be used for every session
• Also, don’t forget to log out after every session!
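The countermeasure above (a session token that travels with every request, different for every session, and gone after logout), together with the earlier point that session IDs come from a random number generator or a MAC, as an added example that is not part of the slides. The key, the session store and the handler names are constructed for this example.

```python
# Added example (not from the slides): a session ID issued from a
# cryptographic random number generator, and a per-session token derived from
# it with a MAC (HMAC-SHA256 under a server-side key). The token must be sent
# with every state-changing request; a cross-site request gets the cookie
# attached automatically by the browser but cannot supply the token.
import hashlib
import hmac
import secrets
from typing import Dict, Optional

SERVER_KEY = secrets.token_bytes(32)      # kept server-side; never sent to the browser
SESSIONS: Dict[str, dict] = {}            # constructed in-memory session store

def new_session(user: str) -> str:
    """Issue a fresh random session ID; every session gets its own token."""
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {"user": user}
    return session_id

def csrf_token(session_id: str) -> str:
    """Derive this session's token with a MAC; rendered into the site's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def handle_update(cookie_session: Optional[str], form: dict) -> str:
    """Server-side check on every POST: the session cookie alone is not enough."""
    if cookie_session not in SESSIONS:
        return "401 not logged in"
    token = form.get("csrf_token", "")
    # Constant-time comparison; a forged request has no way to learn the token.
    if not hmac.compare_digest(token, csrf_token(cookie_session)):
        return "403 missing or wrong token"
    return "200 updated for " + SESSIONS[cookie_session]["user"]

def logout(session_id: str) -> None:
    """Logging out ends the session, so the cookie and its token stop working."""
    SESSIONS.pop(session_id, None)
```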
Cross Site Scripting (XSS)
Cross Site Scripting (XSS) Attack
Example: Attack on HTTP POST Service
• In persistent XSS, the attacker’s script is stored in persistent storage by
the vulnerable website’s server
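Persistent XSS as described above, as an added example that is not part of the slides: a stored comment rendered by a vulnerable page and by a hardened one that escapes stored text at output time. The comment store and the sample comment are constructed.

```python
# Added example (not from the slides): the same stored comment rendered two
# ways. render_unsafe() has the persistent-XSS defect described above (stored
# text is placed into the page verbatim, so stored markup becomes part of the
# page); render_safe() escapes each comment for the HTML body context so the
# browser shows it as text rather than executing it.
import html
from typing import List

COMMENTS: List[str] = []   # stands in for the server's persistent storage

def store_comment(text: str) -> None:
    """Persist a comment exactly as submitted (storing raw text is fine; output is the issue)."""
    COMMENTS.append(text)

def render_unsafe() -> str:
    """Vulnerable: stored comments are concatenated straight into the page."""
    return "<ul>" + "".join(f"<li>{c}</li>" for c in COMMENTS) + "</ul>"

def render_safe() -> str:
    """Hardened: every stored comment is escaped at output time (&lt; &gt; &amp; quotes)."""
    return "<ul>" + "".join(f"<li>{html.escape(c, quote=True)}</li>" for c in COMMENTS) + "</ul>"

def page_contains_tag(page: str, tag: str) -> bool:
    """Check whether the rendered page contains a live HTML tag (case-insensitive)."""
    return ("<" + tag.lower()) in page.lower()
```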
• Following the general principle of least privilege, the web server application
should be run under an account with the lowest privileges possible.
• might only have read access to files within certain directories and have no
ability to write to files or even navigate outside of the web site’s root
directory.
• if an attacker compromised a web site with a server-side vulnerability, they
typically would only be able to operate with the permissions of the web
server, which would be rather limited.
DDoS Attacks To Web Servers
• A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator
seeks to make a machine or network resource unavailable to its intended users by
temporarily or indefinitely disrupting services of a host connected to a network.