Web Security Overview and Attack Models
Questions and Answers

What is the primary purpose of a POST request in HTTP?

  • Delete a specified resource from the server
  • Retrieve data from the server without a payload
  • Update a resource without replacing it
  • Create a new resource at the specified URL (correct)

Which of the following HTTP methods should never cause changes to the server state?

  • GET (correct)
  • DELETE
  • POST
  • PATCH

What is the correct action when a browser loads a specific site's root HTML page?

  • The browser updates the server state
  • The browser sends a GET request to the server (correct)
  • The browser sends an image request to the server
  • The browser sends a POST request to the server

Which HTTP method is used to replace a target resource with a request payload?

PUT (A)

What is a common consequence of using GET requests to transfer sensitive information?

GET requests can potentially expose sensitive information in URLs (B)

In terms of security precautions, how are HTTP methods evaluated?

Different methods have varying levels of security precautions (B)

What does the HTTP method DELETE do?

Delete the specified resource from the server (A)

What is a limitation of older web browsers regarding HTTP methods?

They only support GET and POST methods (C)

What is the primary goal of web security?

To ensure that sites cannot steal data from your device (A)

Which of the following best describes a malicious website in the context of web attack models?

A site intended to compromise the user's security or privacy (B)

What does HTTPS stand for?

HyperText Protocol Secure (D)

Which part of the HTTP request specifies the activity to be performed?

Method (D)

In the context of an HTTP response, what does the status code '200 OK' indicate?

The request was successful and the server returned the requested resource (C)

What is NOT a part of the anatomy of an HTTP request?

Response Body (B)

Which of these options is a key characteristic of the HTTP protocol?

It is a stateless protocol outside of a single request and response (B)

What is a potential consequence of visiting a malicious external resource?

Possible exposure to malware or data theft (D)

Study Notes

Web Security Model Overview

• This model focuses on browsing the web safely, even while visiting malicious websites.
• Crucially, it aims to prevent websites from stealing data from the user's device, installing malware, accessing the camera or microphone, affecting sessions on other websites, or eavesdropping.
• The model must also support performant web applications such as Google Meet.

Web Attack Models

• Malicious Website: an attacker-controlled website that directly targets the victim who visits it.
• Malicious External Resource: an attack delivered through an external resource (for example a script, image or frame) that a website loads from an attacker-controlled host.
• Network Attacker: an attacker who attacks the target directly over the network, for example by observing or tampering with its traffic.
• Malware Attacker: an attacker who uses malicious software running on the victim's device.

HTTP Protocol

• The fundamental protocol of web communication, standardized in 1989.
• It uses a request-response message structure.
• Each data resource has a unique URL (Uniform Resource Locator).
• A URL has a defined structure that separates the scheme, domain, port, path, query string and, sometimes, a fragment identifier.
• HTTP is stateless: each request is independent, so additional mechanisms are needed to maintain sessions.

Anatomy of HTTP Request

• The request line contains the method, the path and the HTTP version.
• Headers follow, carrying information such as accepted content types, language preferences and connection parameters.
• The body is optional and carries data such as form submissions.

Anatomy of HTTP Response

• A response starts with a status code that represents the outcome of the request.
• Headers describing the data being sent back follow.
• The response body contains the data requested by the client.

HTTP Methods (GET, POST, PUT, PATCH, DELETE)

• GET: retrieves the resource at the specified URL; carries no data in the request body.
• POST: creates a new resource, or performs an action on an existing resource, using data in the request body.
• PUT: replaces an existing resource with the data in the request body.
• PATCH: modifies part of an existing resource using data in the request body.
• DELETE: deletes the resource.

HTTP Methods Considerations

• Not all methods are used equally, partly for security reasons.
• Many browsers do not support PUT, PATCH and DELETE.
• Most actions with side effects are performed with the POST method.

HTTP → Website

• When loading a web page, the browser first sends a GET request for the root HTML page.

Loading Resources

• The root HTML page can reference additional resources (images, videos, fonts).
• After parsing the HTML, the browser fetches these referenced resources to render the complete page.

External Resources

• Websites can load resources from other domains and hosts without restriction.

Client Doesn't Know Server Configuration

• The browser does not know what a request will do on the server; it only learns the outcome when the response and its data arrive.

Not only GETs

• Websites can submit forms to any URL using HTTP methods other than GET, such as POST.

JavaScript

• HTML content is generated by a server.
• Modern websites also include JavaScript code to add functionality and dynamic behaviour to pages.
• JavaScript can issue additional web requests, manipulate the page, and access browser data and hardware; it is what makes today's websites highly dynamic.

Document Object Model (DOM)

• The browser represents the displayed HTML as a structured data model, the DOM.
• JavaScript can read and modify the page's content through the DOM.

Frames (iFrames)

• Websites can embed other websites inside frames.
• This creates embedded windows (frames) within the main web page.
• Frames can load content from other domains.

Basic Execution Model

• Each browser window loads a root page, parses the HTML and executes the JavaScript on the page.
• Additional resources (e.g., images, CSS) are fetched, and the browser listens for events such as clicks and responds to them interactively.

HTTP/2

• A revision of the HTTP protocol focused on performance improvements.
• It multiplexes requests over a single TCP connection.
• It offers header compression and server push.

Cookies and Sessions

• Cookies are small pieces of data that a server sends to a user's browser; the browser stores them and sends them back to the server with subsequent requests.
• Sessions use cookies to track user logins, shopping-cart contents and other interactions.
• Maintaining and managing sessions is essential for web applications built on the stateless request-response scheme.

HTTP Cookies

• A key mechanism for website personalization and for tracking user activity, using data stored on the client side.
• Cookies track client sessions for website logins, shopping carts and so on.

Setting Cookies

• Servers set cookies, together with their attributes, using the Set-Cookie HTTP header.

Sending Cookies

• Browsers automatically attach cookies, in the request headers, to requests to the domain that set them.

Login Session

• The common steps of a user login: the browser first requests the login form, then posts the credentials, and finally receives the page confirming a successful login.
• The browser shares cookies across different tabs that access the same origin.

Cookies are always sent

• Cookies for a domain are sent with every request to that domain, regardless of the request type.

Cookies, for better or worse

• Websites can abuse cookies for potentially harmful actions; this is the source of the vulnerabilities introduced below.

Modern Website

• A modern website can fetch thousands of external resources from different domains and networks.
• Much of a modern web page's functionality and design depends on resources fetched from external domains.

Third party Access

• JavaScript from a website can read your third-party cookies if the corresponding browser setting is enabled. This allows your activity to be tracked across the different websites you use.

HttpOnly Cookies

• These cookies are designed so that JavaScript on the website cannot read or modify the cookie's value (the flag blocks access to the cookie from client-side scripts).
• This measure helps to prevent certain attacks.

Secure Cookies

• Secure cookies prevent eavesdropping by being sent back to the website's server only over encrypted connections (HTTPS), so the cookie cannot be read in transit.

Web Isolation

• Websites are isolated from one another so that a malicious site cannot affect or gain access to another website's contents.

UNIX Security Model

• This model classifies components into subjects (users and processes) and objects (files and directories), with operations such as read, write and execute.

Web Security Model (Subjects and Objects)

• Origins (scheme://domain:port) act as the subjects/owners that define access rules.
• Objects are the web pages, DOM trees, storage, JavaScript and hardware permissions.

Origins Examples

• An origin is defined by the protocol (http, https), the domain and the port (e.g., 80 or 443).
• These definitions distinguish different websites from each other and limit what each site can access.
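An added example, not part of the lesson notes, that compares two URLs on exactly the three components the notes name (scheme, domain, port) and reports which ones differ. The URLs are constructed and the helper names are mine; it relies only on the standard URL API available in browsers and Node.js.

```javascript
// Added example (not from the lesson notes): origin comparison as scheme://host:port.
// The URL API already drops a port equal to the scheme default, so
// https://example.com:443 and https://example.com compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple; path, query and fragment are ignored.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// List the origin components that differ; an empty list means same origin.
// Note that switching http -> https also changes the default port, so both
// "scheme" and "port" are reported in that case.
function originDiff(a, b) {
  const x = originOf(a), y = originOf(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed cases: the first two pairs are same-origin, the rest are not.
const CASES = [
  ["https://example.com/a", "https://example.com/b?x=1#top"],
  ["https://example.com", "https://example.com:443/"],
  ["http://example.com", "https://example.com"],
  ["https://example.com", "https://www.example.com"],
  ["https://example.com", "https://example.com:8443"],
];

for (const [a, b] of CASES) {
  console.log(a, "vs", b, "->", sameOrigin(a, b) ? "same origin" : "differs in " + originDiff(a, b).join(", "));
}
```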

Bounding Origins — Windows and Frames

• The browser prevents one website from gaining access to data belonging to another website in the same browser window.
• The same isolation rules apply across frames (iFrames) in the same browser.

SOP for HTTP Responses

• SOP does not prevent one website from requesting resources from another.
• It does not block the data transfer itself, but it keeps the associated cookies protected from external access.

SOP for Other HTTP Resources (images, CSS, Fonts, Frames)

• SOP applies different rules to different types of resources.
• For example, a website can load a font from another origin but cannot inspect the details of that font.

Script Execution

• Scripts can be loaded from any origin. A script runs with the permissions of the web page that included it and interacts with that page's origin in the browser window.
• If a malicious script is loaded from a third-party website (a malicious domain), it has access to your data and can affect the page that included it.

Frames — Domain Relaxation

• In some situations, frames from one domain can access the DOM or data of a completely different domain.
• This relaxation of the boundary is a security issue if it is not handled properly.

Domain Relaxation Attacks

• Attack scenarios that take advantage of the document.domain property to bypass SOP.

Mutual Agreement

• A crucial safeguard is that both sides must agree on a mutual origin before sharing data across different domains.

Inter-Frame Communication

• This mechanism allows messages to be exchanged between parent and child frames.

Same Origin Policy (JavaScript)

• SOP protects data access and prevents unwanted interactions between different origins in the browser.

JavaScript XMLHttpRequests

• Allows JavaScript to make requests to other origins; SOP can be violated for GET but not for POST.

Malicious XMLHttpRequests

• How malicious scripts might violate security to access restricted data in another domain.

XMLHttpRequests SOP

• GET requests from one site to another are limited.
• POST requests are not permitted unless explicitly authorized by the server's settings.

Cross-Origin Resource Sharing (CORS)

• CORS defines server settings that allow JavaScript from other origins to interact with your website.

CORS Success

• CORS implemented successfully, so that the origins that need to communicate can do so.

Wildcard Origins

• Wildcard origins allow access between the origin on the left side and any origin on the right side.

CORS Failure

• A situation where a web application (here, a front-end application) is not authorized to interact with a server (here, a back-end application).

Usually: Simple Requests

• Simple requests do not use preflight checks and carry only a limited set of headers.
• This simplified type of request is used for ordinary data exchange on the web that does not need elaborate checking by the client or server.

Simple CORS Success

• A simple request that succeeds in accessing data from the other origin.

Simple CORS Failure

• A request that fails to meet the requirements for a CORS simple request.

Many Attacks are Possible

• Various attacks are possible against different website functionalities.
• These attacks require sufficient permissions and domain access.

Same Origin Policy for Cookies

• Cookies have their own origin definition (domain, path).
• The SOP for cookies ensures that a cookie is scoped to one domain and is not used by another domain.
• The browser sends cookies according to their scope when making requests.
• Cookies are restricted to the web pages that fall within their specified domain.
• Scope is determined by matching domain suffixes and path prefixes.
• Similar to SOP, but with more specific rules for cookie scope to prevent data abuse across different parts of a site.

Scoping Example

• Examples of the scoping rules that determine whether a cookie can be sent or used across domains.
• How the Domain and Path attributes are set to limit a cookie to a domain or path.
• Setting a cookie's scope controls which web pages can access it.

No Domain Cookies

• Most websites do not set the Domain attribute of the Set-Cookie header, to avoid misuse across different web pages.
• Omitting it limits the cookie to the exact host that set it.
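An added example, not from the lesson notes, covering the three sections above (SOP for cookies, scoping, cookies without a Domain attribute) together with the HttpOnly and Secure attributes: it parses a Set-Cookie header and decides whether a browser would attach the cookie to a given request. The Set-Cookie values are constructed and the function names are mine; the domain and path matching follows the RFC 6265 rules rather than any particular browser's code.

```javascript
// Added example (not from the lesson notes): a model of the cookie scoping rules above.
// No Domain => host-only; Domain=example.com also covers subdomains; Path narrows by
// URL prefix; Secure restricts to https; HttpOnly hides the cookie from scripts.
// Parse one Set-Cookie header value (expiry is ignored) into a cookie object.
function parseSetCookie(header, settingHost) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: settingHost.toLowerCase(), // default: host-only cookie
    hostOnly: true,
    path: "/",
    secure: false,
    httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": cookie.domain = v.replace(/^\./, "").toLowerCase(); cookie.hostOnly = false; break;
      case "path": cookie.path = v.startsWith("/") ? v : "/"; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// RFC 6265 domain-match: exact host, or (when not host-only) a subdomain of the cookie domain.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// RFC 6265 path-match: request path equals the cookie path or extends it at a "/".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for `url`, whatever the method?
function cookieSentTo(cookie, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Can document.cookie on a page of the setting site read the cookie?
function scriptCanRead(cookie) { return !cookie.httpOnly; }
```

A session cookie set as `sid=abc123; Path=/; Secure; HttpOnly` by app.example.com is attached to https://app.example.com/account but not to the http:// version of the same URL nor to www.example.com, and is invisible to scripts.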

SOP Policy Collisions

• When two parts of a website have separate cookie scopes, their cookies may not be accessible to each other.

SOP Policy Collisions (Example)

• A specific example scenario in which SOP rules are violated when domain rules do not match, and how this can be used in attacks.

Third-Party Access

• A potential vulnerability: JavaScript from a third-party domain included on your site can access your website's data.

HttpOnly Cookies

• A cookie attribute that prevents JavaScript from accessing the cookie.

Secure Cookies

• A cookie attribute that ensures the cookie is only transmitted securely (over HTTPS, which encrypts the connection).
