Web Security: Sessions and Cookies

Questions and Answers

What is the primary purpose of the Content Security Policy (CSP)?

  • To specify approved origins of content for web browsers. (correct)
  • To eliminate all types of web security threats.
  • To enhance the performance of web applications.
  • To allow unrestricted access to all web resources.

What characteristic of URLs contributes to the risk of Cross-site Request Forgery (CSRF)?

  • URLs are often long and complex, making them hard to guess.
  • URLs cannot be sent as parameters in emails.
  • URLs must be encrypted to prevent attacks.
  • URLs are reproducible and guessable, especially with GET parameters. (correct)

In a CSRF attack, what role do cookies play?

  • Cookies prevent any requests from being sent.
  • Cookies are automatically sent with requests, which may execute unauthorized actions. (correct)
  • Cookies are not affected in CSRF attacks.
  • Cookies must be manually attached for requests to work.

How can a malicious user potentially execute a CSRF attack using a banking URL?

By tricking a user into clicking a crafted URL when logged into their bank account. (C)

What distinguishes CSRF attacks from XSS attacks?

CSRF attacks manipulate URLs while XSS relies on JavaScript code. (D)

What is a key characteristic of HTTP as mentioned in the content?

HTTP is stateless. (B)

What type of request is demonstrated in the POST example provided?

Adding an item to a cart. (A)

Why is maintaining state important in web applications?

To enable interactions that require knowledge of previous requests. (D)

Which method is mentioned as a defense against cross-site scripting (XSS)?

Tying cookies to the user's IP address. (C)

What does the method encodeURI() primarily do?

Escapes special characters in URLs. (C)

What does a session represent in web applications?

A series of interactions between communicating parties (D)

What does the HTTP response 'HTTP/1.1 200 OK' signify?

The request was successfully processed. (B)

How does a session improve user experience in web applications?

By tracking interactions and maintaining context (B)

How do servers typically handle the stateless nature of HTTP in web applications?

By using cookies to maintain state. (B)

What is NOT a characteristic of a session in the context of web security?

It is stored permanently on the client side (A)

Disabling scripts on a page can help mitigate which type of security threat?

Cross-site scripting. (C)

What is the primary purpose of a session in web applications?

To keep track of user interactions with the server (A)

What is the primary purpose of unique tokens in web applications?

To prevent cross-site request forgery (CSRF) (B)

What protocol is typically used for establishing sessions in web applications?

HTTP (A)

Which SameSite cookie attribute provides the strongest defense against CSRF attacks?

SameSite=Strict (B)

What are custom headers in Ajax requests primarily used for?

Providing additional security checks (B)

Which of the following statements about sessions is FALSE?

Sessions can be used to track user behavior across different websites. (C)

What role does a Certificate Authority (CA) play in Public Key Infrastructure?

To manage digital signatures and verify identities (B)

What type of information could a session store during its lifecycle?

Temporary data like user preferences and interactions (A)

Which TCP port is primarily used for HTTPS communication?

443 (D)

What happens when a session expires in a web application?

The user is automatically logged off. (D)

Why is it important to periodically renew SSL/TLS certificates?

To maintain authentication and trust (B)

How does HTTPS secure HTTP traffic?

By encrypting and authenticating all HTTP bytes (B)

What is the primary function of a public key certificate in the context of security?

To bind an identity to a public key (A)

What is a common method used by attackers to execute Cross-site Request Forgery (CSRF) attacks?

Utilizing social engineering techniques to manipulate victims (A)

What is one way that malicious URLs might be disguised in a CSRF attack?

Embedding them in images (D)

In the provided HTTP request, what occurs after a successful login at the bank site?

The session ID is set in a cookie for the user (D)

What is a key characteristic of browser behavior during a CSRF attack?

The browser automatically includes stored cookies in requests (D)

What method might a malicious server use to submit a transfer request in a CSRF attack?

Using a POST request with the user's session ID (B)

Which of the following is NOT a typical depiction of how CSRF operates?

The server validating user credentials with identical requests (D)

What would likely be a target in a CSRF attack, based on the provided content?

An online banking transaction (D)

What is the goal of a CSRF attack as illustrated in the content?

To make unauthorized transactions on behalf of the user (B)

Which type of request is primarily utilized to execute a CSRF attack?

POST request to send data securely (D)

What response might the user see after an unauthorized transaction due to a CSRF attack?

A redirect to a payment confirmation page (B)

Which of the following defenses could help prevent CSRF attacks?

Implementing anti-CSRF tokens in forms (C)

What visual indicator is typically associated with phishing emails involved in CSRF attacks?

Suspicious URLs disguised as legitimate links (A)

Which method could attackers use to hide their malicious activities during a CSRF attack?

Employing obscure subdomains similar to the target (B)

Which statement about cookies and CSRF attacks is accurate?

Cookies are automatically included with unauthorized requests (B)

Flashcards

HTTP Statelessness

The inability of a server to remember past interactions with a client. Each request is treated independently, without any knowledge of previous requests.

Session

A mechanism to keep track of user-specific information during a web session. It allows a server to maintain state even though HTTP is stateless.

Web Session

A sequence of requests and responses between a client and a server that represents a single interaction, often associated with a user being logged into a website.

Cross-Site Scripting (XSS)

A harmful technique that allows attackers to inject malicious scripts into a website, potentially stealing user data or causing other damage.

Input Validation

A technique used to mitigate the risk of Cross-Site Scripting attacks by filtering user inputs for potentially harmful characters or code.

Defense-in-Depth

A type of defense against Cross-Site Scripting attacks that aims to limit the impact of a successful attack by restricting the actions the attacker can perform.

What is a web session?

A session in web applications is a mechanism to keep track of the communication between a client (user's browser) and the server. It stores information about the user's activity and preferences during a single browsing session.

What is a session like?

A session is like a shared context. It keeps track of all the interactions between you (the client) and the server, allowing the server to remember things about you during your visit.

Why are sessions relevant to web applications?

A session is essential in web applications because it allows the server to maintain information about individual users' actions, preferences, or even authentication details.

When does a session get created?

A session is created when a user starts interacting with a web application. It allows the server to track various activities and preferences, creating a personalized browsing experience for each user.

What information does a session store?

A session is used to keep track of information about a user's actions on a website, such as items added to a shopping cart or authentication details.

How does a session store information?

Sessions can be a simple key-value store or an object model that stores information about a user's session, allowing the server to remember details about individual users.

How long do sessions last?

Sessions are temporary, meaning they are only valid for a certain period of time, typically until the user closes their browser or after a specified session timeout.

How are sessions implemented?

Sessions are generally implemented using server-side mechanisms like databases or in-memory data structures, allowing the server to manage session data efficiently and securely.

Content Security Policy (CSP)

A security mechanism that allows servers to control which sources of content a web browser can load, improving security by preventing malicious scripts from executing.

Cross-site Request Forgery (CSRF)

An attack where a malicious user tricks a user into clicking a link that executes a malicious action on the victim's behalf. This exploit doesn't require JavaScript like XSS. It uses predictable URLs to exploit cookie authentication. This is often used to trigger unauthorized bank transfers, for example.

CSRF attack scenario

A malicious user might craft a link mimicking a familiar website or service, hoping unsuspecting users will click it. This link can lead to unexpected consequences for the victim's online accounts or other sites they are logged into, as the user's cookies are automatically sent with the request.

Preventing CSRF

A web application should avoid using easily guessable URLs, especially for sensitive tasks. Instead, use more complex and unpredictable URLs or methods that don't rely on GET requests.

CSRF vulnerability

Websites using cookie-based authentication are particularly vulnerable to CSRF attacks because attackers can exploit cookies to execute requests with the victim's privileges. These attacks are often targeted towards sensitive actions like bank transfers, login attempts, or authorization changes.

CSRF Prevention: Tokens

A unique, server-generated token included in web forms. The server verifies the token on subsequent requests to prevent CSRF attacks.

CSRF Prevention: Same-Site Cookies

A cookie attribute, enforced by the web browser, that restricts when cookies are sent in order to prevent malicious cross-site requests.

CSRF Prevention: Custom Headers

A security mechanism that uses custom headers in AJAX requests, verified by the server, to protect against CSRF attacks.

Eavesdropper

Someone who listens secretly to network communications, potentially stealing confidential data.

Man-in-the-middle

Someone who intercepts communications and alters data passing between the user and the server, potentially stealing information.

Impersonation

An attack in which the attacker creates a fake website to trick users into providing authentication credentials, thereby gaining access to confidential information.

HTTPS (Secure HTTP)

A secure communication protocol that encrypts and authenticates all data transfer between a user and a server.

Malicious URL in CSRF

A malicious URL designed to exploit CSRF vulnerabilities. It's often disguised as a link within an image or social media post, luring users to click it unknowingly.

Attacker's Server in CSRF

The attacker's website or server that hosts the malicious request, redirecting unsuspecting users to the target website.

Target Website in CSRF

A trusted website, like an online bank, becomes the target of a CSRF attack. The attacker aims to exploit vulnerabilities on this website to hijack user accounts.

Sending Malicious Request in CSRF

The process of sending a malicious request to a web server, aiming to execute unauthorized actions within a user's session on the target website.

User Session in CSRF

The user's active session, containing their credentials and permissions on the target website. Attackers exploit this session to execute actions in their name without their awareness.

Target Website Receiving Malicious Request in CSRF

The process of receiving a malicious request from the attacker's server, potentially causing unauthorized actions within a user's session.

Exploiting Vulnerabilities in CSRF

The attacker exploits the target website's vulnerabilities to gain access to the user's session and execute commands in their name, without their knowledge.

Malicious Command in CSRF

The malicious command sent from the attacker's server to the target website, causing unauthorized actions within the user's session.

Victim Account Details in CSRF

The victim's account details, like their username and password, used by attackers to exploit CSRF vulnerabilities.

Unauthorized Actions in CSRF

Unauthorized actions performed on behalf of the user, like funds transfers, changing account settings, or sending messages. These actions are initiated by exploiting the CSRF vulnerability without the user's knowledge.

CSRF Defense

Implementing measures to prevent CSRF attacks, including using unique request tokens, verifying the origin of requests, and encoding user-sensitive data.

Validating Request Origin in CSRF Defense

Preventing CSRF attacks by ensuring that HTTP requests originate from a trusted domain or app, and allowing only requests from intended sources.

Using Request Tokens in CSRF Defense

Using unique tokens to validate user actions and prevent CSRF attacks. This is often achieved by including a random token in every form submission, which must match a token generated on the server side.

Encoding User-Sensitive Data in CSRF Defense

The process of encoding user-sensitive data in web forms, making it less vulnerable to manipulation by attackers. This helps prevent injection attacks and CSRF vulnerabilities.

Study Notes

Sessions, Cookies, and Web Security

  • Web sessions are a high-level concept: a shared context between communicating parties.
  • In the context of web applications, a session keeps track of communication between the server and the client.
  • HTTP is a stateless protocol, meaning one request-response pair carries no information about another request-response pair.
  • On its own, HTTP gives a server no way to maintain stateful information about a client, for instance how many times a client has viewed a page.
  • Interactions between two communicating parties (client and server) that involve multiple messages require "state" to be maintained.
  • A cookie is a piece of data that is passed back and forth between the server and the client in consecutive HTTP messages.
  • At a minimum, a cookie can store a session ID that relates multiple HTTP requests and responses to one another.
  • Commonly used for: session management, personalization, and tracking user behavior.
  • Stored in the browser and used by the web application to authenticate users, track user activity, and store user information such as site preferences and the contents of shopping carts.
  • Once a cookie is stored on a computer, only the site that created the cookie can read it.
  • A cookie's format is a name-value pair: each cookie contains a name (the name/type of information) and a value representing the information.
  • Attributes are included for further specificity.
    • Domain: The scope of the cookie
    • Path: Where a cookie is sent
    • Expires: When the cookie must expire
    • Secure: Enforces that the cookie is sent only over HTTPS
    • HttpOnly: Prevents JavaScript access to the cookie

Web Storage API

  • sessionStorage: Temporary storage, available when the page is open
  • localStorage: Persistent storage, lasting beyond page sessions
  • Standard key-value interface allows storing values with descriptive keys.
  • Limited space (~10MB)

Cross-Site Scripting (XSS)

  • Scripts embedded in web pages run in the browser, where they can access cookies, obtain private information, manipulate DOM objects, and more.
  • User-provided input that is used as part of a web page may contain scripts if it is not escaped or properly sanitized.
  • XSS can occur in any situation involving user input that isn't properly sanitized, and it can be used to perform various malicious actions.

Cross-Site Request Forgery (CSRF)

  • An attacker sends a user a spoofed URL so that the user's browser accesses it, for the attacker's personal gain or benefit.
  • Relies on reproducible and guessable URLs (typically with parameters in GET requests).
  • Cookies are sent automatically, allowing malicious actions to be performed on behalf of the client.
  • Does not require the server to accept/allow JavaScript code.

HTTP Security

  • Threats can occur during communication, such as eavesdropping, man-in-the-middle attacks, content modification, and impersonation.
  • Bogus websites exploit weaknesses in the authentication and confidentiality of legitimate websites.

HTTPS

  • Uses secure channels (SSL/TLS) to encrypt and authenticate HTTP communication.
  • Uses TCP port 443 for secure communication, in contrast to HTTP's use of port 80.
  • Provides encryption of all HTTP bytes.

Public Key Infrastructure (PKI)

  • PKI binds an identity, for example a domain name (e.g., example.com), to a public key through digital signatures that assure integrity.
  • It uses Certificate Authorities, such as GoDaddy, to verify identities and issue public key certificates.
  • Preconfigured certificates exist within web browsers for verification purposes.

Enabling HTTPS

  • Web Hosting Providers often include HTTPS security features.
  • SSL/TLS certificates can be requested from Certificate Authorities and then installed on a server.
  • These certificates might need periodic renewal.
