Cookies PDF
This document covers sessions, cookies, and web security, including explanations, diagrams, and examples.
Full Transcript
Sessions, Cookies, and Web Security
1. Session
2. Cookie
3. Web Security

Session: What is it?
(Slide example: "How many times did I visit this page?" / "This is your first time")
At a high level, a session is something that keeps track of the series of interactions between communicating parties
○ It is a shared "context"
In the context of web applications, a session keeps track of the communication between the server and the client

Session: Why is it relevant to Web Applications?
Browser at http://example.com/index.html → example.com:
  GET /index.html HTTP/1.1
  Host: example.com
example.com → browser:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Hello World

Browser → example.com:
  POST /cart/add/ HTTP/1.1
  Host: example.com
  { "item_id": "abc-123-def", "quantity": 5 }
The server records abc-123-def: 5 and replies:
  HTTP/1.1 200 OK
  Content-Type: application/json
  { "item_id": "abc-123-def", "quantity": 5 }

Browser → example.com:
  POST /cart/add/ HTTP/1.1
  Host: example.com
  { "item_id": "ghi-456-jkl", "quantity": 4 }
The server already holds a cart containing abc-123-def: 5. Which cart does this request belong to?
Session: Why is it relevant to Web Applications?
HTTP is stateless
○ One request-response pair has no information about another request-response pair
○ The server cannot tell if 2 requests came from the same browser → the server cannot maintain stateful information about the client (e.g., how many times a client viewed a page)
An interaction between 2 communicating parties (client & server) involving multiple messages requires some state to be maintained

Login
Browser at http://example.com/login.html → example.com:
  GET /login.html HTTP/1.1
  Host: example.com
example.com → browser:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Login
  Username
[transcript gap: the rest of the login, cookie and cross-site scripting slides is missing here; the text resumes mid-sentence]
… with > etc

Web Security: Cross-site Scripting Defense
Encode user data
○ Use context-specific encoding, especially for URLs
○ encodeURI() to escape special characters in a whole URL
○ Caveat: encodeURI() deliberately leaves URL-structural characters (/ ? & = #) and also ( ) ' , ! unescaped, so use encodeURIComponent() for an individual value placed in a query string, and HTML-encode (< > & " ') anything placed into markup; percent-encoding alone does not stop script injection in an HTML context

Lighter-weight but incomplete methods
○ Tying cookies to the IP address of the logged-in user (works only against XSS attacks that try to steal cookies, and breaks for users whose address changes, e.g. behind NAT or on mobile networks)
○ Disabling scripts on the page or in a specific section of the page (may prevent legitimate scripts from running)
○ Content Security Policy (CSP): lets servers specify the approved origins of content for web browsers; now supported by all major browsers
○ https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

Web Security: Cross-site Request Forgery
An attacker causes the victim's browser to send a request to a site where the victim is logged in, with the URL or form contents chosen to the attacker's benefit
Relies on the use of reproducible and guessable URLs (typically as parameters of GET requests) or predictable form fields
Cookies are automatically sent with every request to their site, so the forged request carries the victim's session and performs the action on the victim's behalf
○ Does not require injecting JavaScript into the target site (unlike XSS attacks)

Web Security: Cross-site Request Forgery Example
Assume that a banking website allows money transfers using the following URL format
  http://bank.com/transfer.do?to=me&amt=100
A malicious user can trick another user into clicking the URL (say through an email). If the victim is logged into the bank's website, the request executes with the privileges of the logged-in user.
○ Relies on social engineering to carry out the attack
○ The malicious URL can be hidden (e.g., as the src of an image, which the browser fetches automatically)

Web Security: Cross-site Request Forgery (sequence)
1. vicky logs in. Browser at http://bank.com/ → bank.com:
  POST /login HTTP/1.1
  Host: bank.com
  username=vicky.i&password=SecretPassword
2. bank.com → browser:
  HTTP/1.1 200 OK
  Content-Type: text/html
  Set-Cookie: sessionid=abcd1234
  Welcome
3. vicky makes a legitimate transfer from http://bank.com/transfer:
  POST /transfer HTTP/1.1
  Host: bank.com
  Cookie: sessionid=abcd1234
  recipient=fred&amount=500
  bank.com replies HTTP/1.1 200 OK
4. vicky receives a phishing email ("Sign-in to CRA") that links to bad-server.com and clicks it:
  GET / HTTP/1.1
  Host: bad-server.com
5. bad-server.com → browser:
  HTTP/1.1 200 OK
  Content-Type: text/html
  The page contains a hidden form posting to http://bank.com/transfer and a script that submits it as soon as the page loads:
  window.onload = () => document.forms[0].submit()
  (the slide writes document.forms.submit(); document.forms is a collection, so the call that actually submits the hidden form is document.forms[0].submit())
6. The browser submits the form to bank.com and, because the cookie belongs to bank.com, attaches it automatically:
  POST /transfer HTTP/1.1
  Host: bank.com
  Cookie: sessionid=abcd1234
  recipient=malcom&amount=5000
7. bank.com → browser: HTTP/1.1 200 OK. $5000 moves from vicky's account to malcom's, without vicky ever seeing the request.

Defense: Cross-site Request Forgery
In pairs, think of two ways you can defend against Cross-Site Request Forgery. Write them down!

Defense: Cross-site Request Forgery
Tokens: Unique, unguessable tokens are generated by the server, bound to the session, and included in the forms of the web application. The server then verifies the presence and correctness of the token on each state-changing request. A cross-site page cannot read the token out of bank.com's form, so its forged request fails the check.
Same-Site Cookies: The SameSite cookie attribute can prevent the browser from sending cookies along with cross-site requests. Setting cookies with SameSite=Lax or SameSite=Strict provides a level of defense against CSRF. Caveat: Lax still sends the cookie on top-level GET navigations (a link or redirect), so a state-changing GET endpoint such as transfer.do above stays exposed; Strict closes that but also drops the cookie when users arrive via links from other sites.
Using Custom Headers: add custom headers in Ajax requests and check them on the server. A cross-origin page cannot attach a custom header without triggering a CORS preflight that the server declines; this covers only endpoints that require the header, not plain form posts.

HTTP Security

HTTP Threat Model
○ Eavesdropper: listening on the conversation (confidentiality)
○ Man-in-the-middle: modifying content (integrity)
○ Impersonation: bogus website (authentication, confidentiality)

HTTPS: Securing HTTP
HTTP sits on top of a secure channel (SSL/TLS)
○ https:// vs. http://
○ TCP port 443 vs. 80
○ All (HTTP) bytes encrypted and authenticated
○ No change to HTTP itself!
Protocol stack:
  HTTP
  Secure Transport Layer (SSL/TLS)
  TCP
  IP
  Link layer
Where to get the key???

Public Key Infrastructure
Public key certificate
○ Binding between an identity and a public key
○ "Identity" is, for example, a domain name (example.com)
○ Digital signature to ensure integrity
Certificate authority
○ Issues public key certificates and verifies identities
○ Trusted parties (e.g., GoDaddy)
○ Preconfigured certificates in Web browsers

How to enable HTTPS for your server?
Your Web Hosting Provider may offer HTTPS, or you can request an SSL/TLS certificate from a Certificate Authority and install it yourself.
SSL/TLS certificates may need to be renewed periodically.