Web Security and Attack Models
Questions and Answers

What is the name of the protocol that allows fetching resources like HTML files from a server?

HTTP

Which of the following are the main goals of web security? (Select all that apply)

  • Safely browse the web in the face of attackers. (correct)
  • Support secure high-performance web applications. (correct)
  • Protect users' personal information from malicious websites.
  • Ensure that all websites are accessible to users worldwide.
  • Visit websites without incurring harm. (correct)

Match the Web Attack Models with their descriptions.

  • Malicious Website = The attacker intends to compromise the user's device by sending malicious code directly to the user's computer.
  • Malicious External Resource = The attacker sends malicious code to the user's computer through a third-party resource like an image or a script.
  • Network Attacker = The attacker compromises the network itself and intercepts communication between the user and the website.
  • Malware Attacker = The attacker uses malware on the user's device to intercept and redirect communication or steal data.

What are the two messages involved in HTTP communication?

Request and response.

HTTP is a stateful protocol.

False

What is the purpose of HTTP cookies?

Cookies are small pieces of data that servers send to web browsers to store and retrieve information for various purposes, including session management, personalization, and tracking.

Which of the following is NOT a typical use case for HTTP cookies?

Password storage.

How do websites maintain statefulness despite HTTP being stateless?

Websites use cookies, small pieces of data sent to and stored by browsers, to maintain session information and keep track of user activity across multiple requests.

The browser can see the content of another tab in the same browser window.

False

What is the purpose of the Same Origin Policy (SOP) in web security?

The Same Origin Policy isolates content from different origins (websites) to prevent malicious scripts from one website from interfering with or accessing data from another website.

How is 'origin' defined in the Same Origin Policy?

Origin is defined as a combination of scheme, domain, and port. Sites with the same scheme, domain, and port are considered to be of the same origin.

Which of the following scenarios would trigger a CORS (Cross-Origin Resource Sharing) request?

A website submitting user data to a backend API on a different domain.

The Same Origin Policy restricts a website from making requests to different origins.

False

Explain the concept of 'document.domain' in web security.

The 'document.domain' property allows a website to relax the Same Origin Policy restrictions, enabling specific communication and data sharing between pages from different origins.

The 'document.domain' property can be used to make the origin of a website less specific.

True

What is the purpose of the Public Suffix List (PSL) in web security?

The Public Suffix List is a database maintained by Mozilla that lists domain suffixes, helping browsers identify the most significant part of a domain name, improving security and enhancing user experience.

The Public Suffix List is a static database that cannot be modified.

False

Which of the following is NOT a valid reason for using the Public Suffix List?

To prevent the loading of malicious scripts from untrusted websites.

What are 'HttpOnly' cookies, and how do they enhance web security?

HttpOnly cookies are special cookies that cannot be accessed by JavaScript, making it harder for malicious scripts to steal sensitive information like passwords or session tokens.

A secure cookie is only sent to the server over HTTPS.

True

Explain the concept of 'third-party cookies'.

Third-party cookies are set by a domain different from the website the user is visiting, typically used for tracking and advertising. They are often accessed by external scripts, such as analytics platforms or ad networks.

What is the primary function of a 'cookie jar' in a web browser?

Store cookies associated with specific websites.

Study Notes

Web Security Model

• Web security aims to let users browse the web safely, including malicious sites, without harm to the user's device or session.
• It involves protecting against data theft, malware installation, camera access, session hijacking, and eavesdropping on other sites.
• Supporting secure, high-performance web applications, such as Google Meet, is also a core aspect of the model.

Web Attack Models

• Malicious Website: A malicious website directly interacts with the user's device to deliver attacks.
• Malicious External Resource: A malicious external resource, often a file or server, is accessed by the user's device and can harm it.
• Network Attacker: An attacker targets the user's network and can harm the device, the network, and potentially other devices on the network.
• Malware Attacker: Malware installed on the user's device can cause damage.

HTTP Protocol

• HTTP is a protocol used to fetch resources from a server, primarily HTML files such as web pages.
• Communication takes the form of a request followed by a response.
• The interaction is stateless, meaning that each request is independent of previous ones.
• Every resource has a unique URL (Uniform Resource Locator).
• A URL has components including scheme, domain, port, path, query string, and fragment ID.
HTTP Request Anatomy

• Method: The action to be performed (e.g., GET, POST).
• Path: The resource being requested (e.g., /index.html).
• Version: The protocol version (e.g., HTTP/1.1).
• Headers: Metadata about the request (e.g., Accept, Accept-Language, Connection, User-Agent, Host, Referer).
• Body: The content sent with the request, used when the request carries data.

HTTP Response Anatomy

• Status Code: Indicates the outcome of the request (e.g., 200 OK, 404 Not Found).
• Headers: Metadata about the response (e.g., Date, Server, Content-Type, Last-Modified, Content-Length).
• Body: The content returned by the web server.

HTTP Methods

• GET: Retrieves a resource from a specified URL; does not include a request body.
• POST: Sends a payload to a specified URL to create a new resource or update an existing one.
• PUT: Replaces a target resource with a payload.
• PATCH: Updates part of a resource.
• DELETE: Removes the resource at the specified URL.

HTTP Methods - Security Considerations

• GET requests are generally safe and stateless; in practice, some servers may attach side effects to them.
• Older browsers don't support the PUT, PATCH, and DELETE methods.
JavaScript

• JavaScript is a scripting language that adds dynamic behaviour to web pages.
• Websites use JavaScript to deliver functionality such as manipulating pages, reading browser data, and accessing local hardware.
• It is used within HTML to control features.

DOM (Document Object Model)

• The DOM is a structured representation of the HTML content of web pages.
• JavaScript can read and modify content through the DOM by interacting with its elements.
• The browser parses the HTML content into a tree-like structure.

Frames

• Frames allow websites to load content from different sources.
• iFrames, an embedded frame type, float inline and can include content from other resources.

Basic Execution Model

• The browser loads the initial page content, parses the HTML, and executes embedded JavaScript.
• It fetches additional assets like images, CSS, and JavaScript, then acts on various event triggers.
• The browser iterates until the page is fully loaded.

HTTP/2

• HTTP/2 is a newer version of HTTP that improves performance.
• It allows pipelining multiple requests over a single TCP connection.
• Header compression reduces the size of headers.
• Server push allows servers to proactively send resources.
• The structure of applications is usually not affected.

Cookies + Sessions

• HTTP is stateless and requires a mechanism like cookies to maintain sessions.
• HTTP cookies are snippets of data exchanged between a server and a browser.

Third Party Access

• Code from another origin (a third party) can interact with your page's data if your site includes resources that contain that code.
• This can include JavaScript or any embedded resource.
Same Origin Policy (SOP)

• The SOP is a mechanism to prevent cross-site scripting (XSS) by isolating origin data, improving application security.
• SOP ensures that elements from one domain/origin cannot access resources (and data) from another domain/origin.
• This limits a malicious site's ability to access other sites' data, such as cookies.

Cross-Origin Resource Sharing (CORS)

• This is a mechanism that helps determine whether a server is willing to accept a specific request from a different origin.
• Different origins will have different configurations for accessing and exchanging data related to the current site.

HTTP vs. HTTPS

• HTTPS encrypts the communication, whereas HTTP does not.
• This crucial difference is key to protecting sensitive information transmitted over networks.

Scope of Cookies

• Cookies may be set for only a portion of a site.
• The cookie scope is confined to the requested origin, and is not extended to subdomains or subpaths.


Related Documents

Web Security Model PDF

Description

This quiz explores the fundamental concepts of web security, focusing on how to safely navigate the web and the various types of web attack models. It covers malicious websites, network attackers, and the importance of secure protocols like HTTP. Enhance your understanding of web security measures and threats.
