LECTURE 22: SECURE CODING BASICS CSE 442 – Software Engineering
Lessons Already Learned
¨ Hackers take advantage of any opening provided
¤ But most are also lazy (talk to a struggling 115/116 student)
¤ Any easy success in breaking code encourages them
¨ Copy-and-pasting is easy, but who would execute user input?
Stupidity Never Stops
Human Nature: 1 Humanity: 0 ¨ Also need to remember some people are just jerks
Security Key Concept
¨ Hackers always win when it becomes a game
¨ Prevention is key
Web Applications
¨ Increasingly common software, even in industry
¨ Requires a very different coding approach
¤ Should improve over time, but still new
¤ Distribution methods make security holes easier to find
¤ Over 70% of web apps had at least 1 security flaw
Javascript
¨ Javascript can be a force for good and evil
¨ Improves interactivity & enables good UI/UX
¨ Also means many security exploits are opened
¨ Very open language with many ways to integrate
¤ Foreshadowing alert: creates a big problem later
¨ Includes hooks to respond to lots of page events
Hypertext Transfer Protocol
¨ Primary application layer protocol for web apps
¨ HTTP is not encrypted; HTTPS is the more secure version (HTTP carried over TLS)
¤ Browser and web server encrypt/decrypt the traffic between them
¨ Both standards define a stateless protocol
¤ Each request & response is a full interaction for the protocol
¤ Connection info not retained by sender or receiver
¨ Stateless protocol is fine if only serving static pages
¤ But this became a problem once applications were served
¤ Drove storing session data in parallel with using the protocol
GET vs. POST
¨ Two ways to send data from page to server
¤ GET is the default approach; must specify method="POST" when POST wanted
¨ GET uses URI with data embedded after link
¤ Data included as name-value pairs after ?
¤ So it also ends up in browser history, bookmarks, Referer headers & server logs
¨ POST sends data in the body of the request
¤ Still readable on the wire without HTTPS; only harder to see since not in URI
Cookies
¨ Small pieces of data that provide interaction state
¤ Each cookie stored as text on user's computer
¤ Set & retrieved when requested by server (or Javascript)
¨ Set of information defined by each cookie
¤ Name : unique string to identify it
¤ Value : stored data set by server
¤ Attributes : more name-value pairs holding other information (optional)
Cookie Types
¨ Session cookie: short-term use; no expiry given, so deleted when browser closes
¨ Persistent cookie: long-term use; eventually expires; sent to creating site on each visit
¨ Secure cookie: security use; only sent over HTTPS
¨ Third-party cookie: tracking use; set by a domain other than the main site
¨ HTTPOnly cookie: limits damage from XSS; cannot be read by Javascript (document.cookie)
¨ SameSite cookie: limits CSRF; not sent with cross-site requests; ignored by browsers that don't support it, so not a sole defense
Cookie Scope
¨ Domain attribute sets which servers can use cookie
¤ Page on www-student.cse.buffalo.edu could specify
Domain=.buffalo.edu & then usable by all UB servers
Domain=.cse.buffalo.edu for departmental servers
Domain=www-student.cse.buffalo.edu (or no Domain attribute) for itself only
¤ The wider the Domain, the more hosts can read & overwrite the cookie, including any compromised one
¨ Path attribute adds restrictions to paths on server
¤ Path=/team01 limits to pages in folders: /team01 , /team01/fac , /team01/fac/hertz , etc.
¤ Path=/team01/fac not usable if page just in /team01
¤ Path is not a security boundary: same-origin policy ignores it, so script on another path of the same host can still read the cookie
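Added example (not from the lecture, and in Python rather than the slides' PHP): a small Set-Cookie parser plus the browser-side rules it feeds. audit() lists which of the attributes from the Cookie Types slide (Secure, HttpOnly, SameSite, Domain scope, persistence) a session cookie is missing, and cookies_sent() applies the RFC 6265 domain-match and path-match rules to decide which cookies a request to a given host and path would carry, using the lecture's hostnames and /team01 paths. The Set-Cookie values in SAMPLE are constructed for the example; Cookie, parse_set_cookie, audit and cookies_sent are this example's names, not PHP or browser APIs.

```python
"""Cookie attribute audit and scope matching (added example, not lecture code).
SAMPLE holds constructed Set-Cookie values, as if sent by ORIGIN."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    origin: str                   # host that set the cookie
    domain: Optional[str] = None  # Domain attribute, lowercase, leading dot stripped
    path: str = "/"
    secure: bool = False
    httponly: bool = False
    samesite: Optional[str] = None
    persistent: bool = False      # Expires or Max-Age present


def parse_set_cookie(header: str, origin: str) -> Cookie:
    """Parse one Set-Cookie header value sent by host `origin`."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    c = Cookie(name=name.strip(), value=value.strip(), origin=origin.lower())
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain" and val:
            c.domain = val.lstrip(".").lower()   # browsers ignore the leading dot
        elif key == "path" and val.startswith("/"):
            c.path = val
        elif key == "secure":
            c.secure = True
        elif key == "httponly":
            c.httponly = True
        elif key == "samesite" and val:
            c.samesite = val.lower()
        elif key in ("expires", "max-age"):
            c.persistent = True
    return c


def audit(c: Cookie) -> List[str]:
    """Attribute gaps that matter for a session/authentication cookie."""
    issues = []
    if not c.secure:
        issues.append("no Secure: also sent over plain HTTP")
    if not c.httponly:
        issues.append("no HttpOnly: readable from document.cookie after XSS")
    if c.samesite not in ("lax", "strict"):
        issues.append("no SameSite=Lax/Strict: attached to cross-site requests (CSRF)")
    if c.domain and c.domain != c.origin:
        issues.append(f"Domain={c.domain}: shared with every host under it")
    if c.persistent:
        issues.append("persistent: survives browser close, longer theft window")
    return issues


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: host is the cookie domain itself or a subdomain of it."""
    host = host.lower()
    return host == cookie_domain or host.endswith("." + cookie_domain)


def path_matches(request_path: str, cookie_path: str) -> bool:
    """RFC 6265 5.1.4: prefix match that stops on a path-segment boundary."""
    if request_path == cookie_path:
        return True
    if not request_path.startswith(cookie_path):
        return False
    return cookie_path.endswith("/") or request_path[len(cookie_path)] == "/"


def cookies_sent(cookies: List[Cookie], host: str, path: str, https: bool) -> List[str]:
    """Names of the cookies a browser would put in the request's Cookie header."""
    sent = []
    for c in cookies:
        if c.domain is None:
            in_scope = host.lower() == c.origin       # host-only cookie
        else:
            in_scope = domain_matches(host, c.domain)
        if in_scope and path_matches(path, c.path) and (https or not c.secure):
            sent.append(c.name)
    return sent


ORIGIN = "www-student.cse.buffalo.edu"
SAMPLE = [  # constructed Set-Cookie values, as if sent by ORIGIN
    "SSID=abc123; Domain=.cse.buffalo.edu; Path=/team01; Secure; HttpOnly; SameSite=Lax",
    "ub_wide=1; Domain=.buffalo.edu; Path=/; Max-Age=86400",
    "local=1; Path=/team01/fac",
]
JAR = [parse_set_cookie(h, ORIGIN) for h in SAMPLE]

if __name__ == "__main__":
    for c in JAR:
        print(c.name, audit(c))
    print(cookies_sent(JAR, ORIGIN, "/team01/fac/hertz", https=True))
    print(cookies_sent(JAR, "www.buffalo.edu", "/team01", https=True))
```

Running it shows the Domain=.buffalo.edu cookie reaching every UB host while the cookie with no Domain attribute is host-only, the /team01 cookie matching /team01/fac/hertz but not /team01x, and the Secure cookie vanishing from a plain-HTTP request.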
Viewing/Managing cookies
¨ Chrome: use URI chrome://settings/content/cookies
¨ Firefox: select menu item Tools / Web Developer / Storage Inspector
¨ MS Edge: select menu item Developer tools & then open Debugger tab
Benefits of Cookies
¨ Session management
¨ Authentication
¨ Personalization
¨ Tracking
Persistent Authentication
¨ PHP already includes support for browser cookies
¤ Stores client data that can be used to track a user
¤ Browser may refuse cookies; code should test that the cookie actually came back
¤ Cookies are not secure by themselves; many attack vectors possible (theft via XSS, replay, guessing the value)
¨ Cookies travel in HTTP[S] headers: Set-Cookie in the response, Cookie in each later request
¤ setcookie() directs creation of cookie by PHP code
¤ Can also check if cookie already exists using isset($_COOKIE[...])
¤ setcookie() also deletes a cookie, but requires a trick (expiry time in the past)
Persistent Cookie Example
    <?php
    // Placeholders kept from the slide: $username is assumed to come from the
    // login form; retrieve_ssid_from_db() returns the SSID stored for that user.
    if ( (!isset($_COOKIE["SSID"])) ||
         ($_COOKIE["SSID"] !== retrieve_ssid_from_db($username)) ) {
        header('Location: https://test.edu/login.php');
        exit;   // without exit the protected page below is still sent after the redirect header
    } else {
        // setcookie(name, value, expires, path, domain, secure[, httponly])
        setcookie("SSID", "Bob", time()+60, "/CSE442-542", ".cse.buffalo.edu", true);
        setcookie("shoeSize", "12");
        setcookie("deleted", "", time()-3600);
    }
    ?>
    <HTML>
¨ isset - Returns true if the browser sent a cookie with that name
¨ $_COOKIE[] - Site's cookies read via associative array; "SSID" specifies the name of the cookie to read
¨ retrieve_ssid_from_db - "Retrieves" the "correct" SSID for the user (placeholder for real DB code)
¨ header - Built-in function that issues the browser redirect
¤ 'Location: ' - Required text for this function
¤ https://test.edu/login.php - target URI to load; must be absolute (or start with /), a bare test.edu/login.php is resolved relative to the current page
¤ Must be followed by exit; otherwise PHP keeps running and sends the rest of the page
¨ setcookie - PHP's built-in function which creates, updates, & deletes a cookie
¤ Must appear BEFORE <HTML> tag (or any other output), since it writes a response header
¤ "SSID", "shoeSize", "deleted" - Name of cookie is first argument
¤ "Bob", "12", "" - Value of cookie is second argument; "" together with a past expiry deletes the cookie
¤ Third argument is the Unix time at which the cookie expires; if 0 (or skipped) it is a session cookie, deleted when the browser closes; browsers delete a cookie whose expiry is already in the past (time()-3600)
¤ "/CSE442-542" - Path attribute is the fourth argument (optional)
¤ ".cse.buffalo.edu" - Domain attribute is the fifth argument (optional); note path comes before domain
¤ true in the sixth argument (secure) limits the cookie to HTTPS requests; an optional seventh (httponly) hides it from Javascript
¨ Even with those flags "Bob" is a guessable value; a real SSID must be random and unpredictable
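Added example, written in Python rather than the slide's PHP and not part of the lecture: the same persistent-authentication flow with the weaknesses of setcookie("SSID", "Bob", ...) removed. The session ID is a random 256-bit token, the server stores only its SHA-256 digest (the SESSIONS dict stands in for retrieve_ssid_from_db), the lookup uses a constant-time comparison instead of !=, the cookie is issued with Secure, HttpOnly and SameSite, and logout deletes both the server record and the browser copy with Max-Age=0 (the slide's time()-3600 trick). The 60-second lifetime and the /CSE442-542 path follow the slide; the function names and everything else are this example's assumptions.

```python
"""Hardened session cookies: issue, validate, delete (added example, not lecture code).
SESSIONS replaces the database behind retrieve_ssid_from_db(); the 60 s lifetime
and the /CSE442-542 path are the slide's values."""
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional

SESSIONS: Dict[str, dict] = {}   # sha256(token) -> {"user": ..., "expires": ...}
LIFETIME = 60                    # seconds, the slide's time()+60
COOKIE_ATTRS = "Path=/CSE442-542; Secure; HttpOnly; SameSite=Lax"


def _digest(token: str) -> str:
    """Store a hash, so a leaked SESSIONS table does not hand out live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def issue_session(user: str, now: Optional[float] = None) -> str:
    """Log `user` in; return the Set-Cookie header value for the response."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)             # 256 random bits, unlike "Bob"
    SESSIONS[_digest(token)] = {"user": user, "expires": now + LIFETIME}
    return f"SSID={token}; Max-Age={LIFETIME}; {COOKIE_ATTRS}"


def cookie_from_header(cookie_header: str, name: str) -> Optional[str]:
    """Value of cookie `name` from a request's Cookie header, or None."""
    for pair in cookie_header.split(";"):
        key, _, value = pair.strip().partition("=")
        if key == name:
            return value
    return None


def current_user(cookie_header: str, now: Optional[float] = None) -> Optional[str]:
    """User bound to the SSID cookie, or None (caller redirects to login.php)."""
    now = time.time() if now is None else now
    token = cookie_from_header(cookie_header, "SSID")
    if not token:
        return None
    wanted = _digest(token)
    # Constant-time comparison instead of the slide's !=: an ordinary string
    # compare stops at the first differing byte and leaks timing information.
    match = next((h for h in SESSIONS if hmac.compare_digest(h, wanted)), None)
    if match is None:
        return None
    session = SESSIONS[match]
    if session["expires"] <= now:         # server-side expiry, not only Max-Age
        del SESSIONS[match]
        return None
    return session["user"]


def logout_header(cookie_header: str) -> str:
    """Drop the server record and return a Set-Cookie that deletes the browser copy."""
    token = cookie_from_header(cookie_header, "SSID")
    if token:
        SESSIONS.pop(_digest(token), None)
    # Same Path as when issued; otherwise the browser keeps the original cookie.
    return f"SSID=; Max-Age=0; {COOKIE_ATTRS}"


if __name__ == "__main__":
    set_cookie = issue_session("bob")
    token = set_cookie.split(";")[0].split("=", 1)[1]
    print("Set-Cookie:", set_cookie)
    print("user:", current_user(f"shoeSize=12; SSID={token}"))
    print("Set-Cookie:", logout_header(f"SSID={token}"))
    print("after logout:", current_user(f"SSID={token}"))
```

Because only the digest is stored, someone who reads the SESSIONS table (or a database dump) still cannot build a valid Cookie header, and because expiry is enforced on the server as well as through Max-Age, a browser that ignores the attribute gains nothing.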
Script Kiddie Hacking
Recommend
More recommend