this time
play

This time Continuing with Web Security Cookies XSS & CSRF - PowerPoint PPT Presentation

May 27, 2023 •285 likes •1.77k views

This time Continuing with Web Security Cookies XSS & CSRF Required reading for this lecture: Web Security: Are You Part Of The Problem? Cross Site Request Forgery: An Introduction HTTP GET requests Contain headers.

  1. Statefulness with Cookies Client Server HTTP Request Browser Web server State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  2. Statefulness with Cookies Client Server HTTP Request Cookie Browser Web server State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  3. Statefulness with Cookies Client Server Cookie Browser Web server State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  4. Statefulness with Cookies Client Server HTTP Response Cookie Browser Web server State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  5. Statefulness with Cookies Client Server HTTP Response Cookie Browser Web server Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  6. Statefulness with Cookies Client Server HTTP Response Cookie Browser Web server Cookie Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  7. Statefulness with Cookies Client Server HTTP Response Server Cookie Browser Web server Cookie Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  8. Statefulness with Cookies Client Server Server Cookie Browser Web server Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  9. Statefulness with Cookies Client Server HTTP Request Server Cookie Browser Web server Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  10. Statefulness with Cookies Client Server HTTP Request Server Cookie Browser Web server Cookie Cookie State • Server stores state, indexes it with a cookie • Send this cookie to the client • Client stores the cookie and returns it with subsequent queries to that same server

  11. Cookies are key-value pairs Set-Cookie:key=value; options; …. Headers Data <html> …… </html>

  12. Cookies are key-value pairs Set-Cookie:key=value; options; …. Headers Data <html> …… </html>

  13. Cookies Client Semantics Browser (Private) Data

  14. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser (Private) Data

  15. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser • This value is no good as of Wed Feb 18… (Private) Data

  16. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser • This value is no good as of Wed Feb 18… • This value should only be readable by any domain ending in .zdnet.com (Private) Data

  17. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser • This value is no good as of Wed Feb 18… • This value should only be readable by any domain ending in .zdnet.com • This should be available to any resource (Private) within a subdirectory of / Data

  18. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser • This value is no good as of Wed Feb 18… • This value should only be readable by any domain ending in .zdnet.com • This should be available to any resource (Private) within a subdirectory of / Data • Send the cookie to any future requests to <domain>/<path>

  19. Cookies Client Semantics • Store “us” under the key “edition” (think of it like one big hash table) Browser • This value is no good as of Wed Feb 18… • This value should only be readable by any domain ending in .zdnet.com • This should be available to any resource (Private) within a subdirectory of / Data • Send the cookie to any future requests to <domain>/<path>

  20. Requests with cookies Subsequent visit …

  21. Requests with cookies Response Subsequent visit …

  22. Requests with cookies Response Subsequent visit …

  23. Why use cookies? • Personalization • Let an anonymous user customize your site • Store font choice, etc., in the cookie

  24. Why use cookies? • Tracking users • Advertisers want to know your behavior • Ideally build a profile across different websites Read about iPad on CNN, then see ads on Amazon?! - • How can an advertiser (A) know what you did on another site (S)?

  25. Why use cookies? • Tracking users • Advertisers want to know your behavior • Ideally build a profile across different websites Read about iPad on CNN, then see ads on Amazon?! - • How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL

  26. Why use cookies? • Tracking users • Advertisers want to know your behavior • Ideally build a profile across different websites Read about iPad on CNN, then see ads on Amazon?! - • How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, Problem: IP addrs change indexed by your IP address

  27. Why use cookies? • Tracking users • Advertisers want to know your behavior • Ideally build a profile across different websites Read about iPad on CNN, then see ads on Amazon?! - • How can an advertiser (A) know what you did on another site (S)? S shows you an ad from A; A scrapes the referrer URL Option 1: A maintains a DB, Problem: IP addrs change indexed by your IP address - “Third-party cookie” Option 2: A maintains a DB 
 - Commonly used by large 
 indexed by a cookie ad networks (doubleclick)

  29. Ad provided by 
 an ad network

  30. Snippet of reddit.com source

  31. Snippet of reddit.com source Our first time accessing adzerk.net

  32. I visit reddit.com

  33. I visit reddit.com

  34. I visit reddit.com

  35. I visit reddit.com Later, I go to reddit.com/r/security

  36. I visit reddit.com Later, I go to reddit.com/r/security

  37. I visit reddit.com Later, I go to reddit.com/r/security

  38. I visit reddit.com We are only sharing this cookie with 
 *.adzerk.net; but we are telling them 
 about where we just came from Later, I go to reddit.com/r/security

  39. Cookies and web authentication • An extremely common use of cookies is to 
 track users who have already authenticated • If the user already visited 
 http://website.com/login.html?user=alice&pass=secret 
 with the correct password, then the server associates a “session cookie” with the logged-in user’s info • Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields : 
 http://website.com/doStuff.html?sid=81asf98as8eak • The idea is for the server to be able to say “I am talking to the same browser that authenticated Alice earlier.”

  40. Cookies and web authentication • An extremely common use of cookies is to 
 track users who have already authenticated • If the user already visited 
 http://website.com/login.html?user=alice&pass=secret 
 with the correct password, then the server associates a “session cookie” with the logged-in user’s info • Subsequent requests (GET and POST) include the cookie in the request headers and/or as one of the fields : 
 http://website.com/doStuff.html?sid=81asf98as8eak • The idea is for the server to be able to say “I am talking to the same browser that authenticated Alice earlier.” Attacks?

  41. Cross-Site Request Forgery (CSRF)

  42. URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker • GET requests should have no side-effects, but often do • What happens if the user is logged in with an active session cookie and visits this link? • How could you possibly get a user to visit this link?

  43. Exploiting URLs with side-effects Client attacker.com Browser

  44. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> Browser

  45. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> Browser Browser automatically visits the URL to obtain what it believes will be 
 an image.

  46. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> Browser bank.com Browser automatically visits the URL to obtain what it believes will be 
 an image.

  47. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> Browser transfer.cgi?amt=9999&to=attacker http://bank.com/ 
 bank.com Browser automatically visits the URL to obtain what it believes will be 
 an image.

  48. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> bank.com Browser Cookie transfer.cgi?amt=9999&to=attacker http://bank.com/ 
 bank.com Browser automatically visits the URL to obtain what it believes will be 
 an image.

  49. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> bank.com Browser Cookie transfer.cgi?amt=9999&to=attacker http://bank.com/ 
 bank.com Browser automatically C o o k i e visits the URL to obtain what it believes will be 
 an image.

  50. Exploiting URLs with side-effects Client attacker.com <img src=“http://bank.com/ transfer.cgi?amt=9999&to=attacker”> bank.com Browser $$$ Cookie transfer.cgi?amt=9999&to=attacker http://bank.com/ 
 bank.com Browser automatically C o o k i e visits the URL to obtain what it believes will be 
 an image.

  51. Cross-Site Request Forgery • Target: User who has some sort of account on a vulnerable server where requests from the user’s browser to the server have a predictable structure • Attack goal: make requests to the server via the user’s browser that look to the server like the user intended to make them • Attacker tools: ability to get the user to visit a web page under the attacker’s control • Key tricks: • Requests to the web server have predictable structure • Use of something like <img src=…> to force the victim to send it

  52. CSRF protections • Client-side: • Server-side:

  53. CSRF protections • Client-side: Disallow one site to link to another?? The loss of functionality would be too high • Server-side:

  54. CSRF protections • Client-side: Disallow one site to link to another?? The loss of functionality would be too high • Server-side: Referrer URL: Only allow certain actions if the 
 referrer URL is from this site, as well Make the request unpredictable; put the cookie 
 into the request, as well http://website.com/doStuff.html?sid=81asf98as8eak

  55. How can you steal a session cookie? Client Server Cookie Server Browser Web server Cookie Cookie Cookie State

  56. How can you steal a session cookie? Client Server Cookie Server Browser Web server Cookie Cookie Cookie State • Compromise the user’s machine / browser • Sniff the network • DNS cache poisoning • Trick the user into thinking you are Facebook • The user will send you the cookie

Recommend

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed

E N G A G E W I T H D R A W W I T H D R A W B A L A N C E E N G A G E There is an appointed time for everything. And there is a time for every event under heaven A time to give birth and a time to die; A time to plant and a time to

626 views • 16 slides
HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1

HSEye Full Full- Full Full - - -Time HSE eye Time HSE eye Time HSE eye Time HSE eye 1 Health, Safety, and Environment ( HSE ) is crucial for any Oil &amp; Gas and Construction business 2 Main Main accident kinds for the latest three

317 views • 13 slides
THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

THE SOFTWARE Custom camera control software allows extra cameras to be added as needed allowing

Time Slice systems - - also known as bullet time, stop time, or time freeze implement a camera array that ranges anywhere from 24 to 150+ cameras to create an effect of stopped time or extremely slowed time. Although the process was pioneered

197 views • 5 slides
W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

W HAT IS TIME SERIES D ATA ? W HAT IS TIME SERIES D ATA ? A value over time W HAT IS TIME

T IME S ERIES D ATA P APERS C OVERED Interactive Visualization of Serial Periodic Data John V. Carlis and Joseph A. Konstan Visualizing and Discovering Non-Trivial Patterns in Large Time Series Databases Jessica Lin, Eamonn Keogh,

764 views • 32 slides
? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really

? Same time Same time Same place Same time Same place 2 different painters Our story really begins here The Wise Man Grard Mari Professor of Art History at Sciences-Po The art guru who told fascinating stories Myself Coline Debayle

1.14k views • 57 slides
Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers

CPSC-313: Introduction to Computer Systems Time and Timers Time and Timers The time Epoch The Current Time Sleeping and Waiting Timers Reading: R&amp;R, Ch 9 Current Time UNIX Time Zero : 00.00 (midnight), January 1,

244 views • 7 slides
Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization.

Time of Arrival (ToA ToA) ) Time of Arrival ( Used in GPS. Need synchronization. If round-trip time is used, then accurate clocks are only needed at the anchors. 9/8/05 Jie Gao, CSE590-fall05 1 Time Difference of Arrival

830 views • 54 slides
International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research

International Time Use Community &amp; Policy-Relevant Time Use Research Time Use Research Kimberly Fisher Secretary International Association for Time Use Research Centre for Time Use Research Early Time Use Developments Earliest

661 views • 34 slides
Time and synchronization (Theres never enough time) Todays outline Time in

Time and synchronization (Theres never enough time) Todays outline Time in

Time and synchronization (Theres never enough time) Todays outline Time in distributed systems A baseball example Synchronizing real clocks Cristians algorithm The Berkeley Algorithm Network

484 views • 21 slides
As a PhD student we have to much to handle and not enough time to get it all done Time

As a PhD student we have to much to handle and not enough time to get it all done Time

As a PhD student we have to much to handle and not enough time to get it all done Time management (Getting more done) Showan Asyabi- Shain Roozkhosh Time Management Techniques Urgent Not Urgent Important Paper Deadlines Quality Time

565 views • 15 slides
Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time

Run-time Environments Chapter 7 1 Compiler Construction Run-time Environments Run-time Environment The static source code requires considerable support to be executed on a computer Data objects must be created and destroyed

590 views • 42 slides
Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female

Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female

Demography of First Time College Students Gender GENDER FIRST TIME % NOT FIRST TIME % Female 57.7% 63.7% Male 42.3% 36.3% ETHNICITY FIRST TIME % NOT FIRST TIME % Asian 15.8% 17.5% Black 13.9% 13.7% Hispanic 43.2% 42.5% White

456 views • 12 slides
Page 1 Time Stolen by Network Stolen Time Solutions Receive Processing Move CPU-intensive

Page 1 Time Stolen by Network Stolen Time Solutions Receive Processing Move CPU-intensive

Outline of Talk Background Augmented CPU Open real-time systems Reservations Rez and HLS Stolen time Rez-C and Rez-FB John Regehr John A. Stankovic Design University of Virginia Performance More stolen time

164 views • 3 slides
Time z ones W OR K IN G W ITH DATE S AN D TIME S IN R Charlo e Wickham Instr u ctor Time z

Time z ones W OR K IN G W ITH DATE S AN D TIME S IN R Charlo e Wickham Instr u ctor Time z

Time z ones W OR K IN G W ITH DATE S AN D TIME S IN R Charlo e Wickham Instr u ctor Time z ones Sys.timezone() &quot;America/Los_Angeles&quot; WORKING WITH DATES AND TIMES IN R IANA Time z ones OlsonNames() &quot;Africa/Abidjan&quot;

735 views • 18 slides
It's about TIME David Hoppe @hopasaurus hopasaurus@gmail.com It's time, so what! What is Time?

It's about TIME David Hoppe @hopasaurus hopasaurus@gmail.com It's time, so what! What is Time?

It's about TIME David Hoppe @hopasaurus hopasaurus@gmail.com It's time, so what! What is Time? What is a day? What is an hour? What is a minute? What is a second? Lets start at the beginning... What is a Day? How is time measured? By

928 views • 50 slides
A Brief History Of Time In Riak Time in Riak Logical Time Logical Clocks

A Brief History Of Time In Riak Time in Riak Logical Time Logical Clocks

A Brief History Of Time In Riak Time in Riak Logical Time Logical Clocks Implementation details Mind the Gap How a venerable, established, simple data structure/algorithm was botched multiple times. Order of Events Dynamo And

2.27k views • 168 slides
Module 6 Cr Craft your r Ti Time Craft1life.com Cr Cr Craft1life @C @Craft1life #C

Module 6 Cr Craft your r Ti Time Craft1life.com Cr Cr Craft1life @C @Craft1life #C

Module 6 Cr Craft your r Ti Time Craft1life.com Cr Cr Craft1life @C @Craft1life #C #Craf aft1life Craft your Cr r Ti Time Time evaluation Time Budget 9 Golden Time Dream time schedule Mantras Cr Craft1life @C @Craft1life #C

629 views • 14 slides
Time within Distributed Systems Time is important, however, it is problematic in distributed

Time within Distributed Systems Time is important, however, it is problematic in distributed

Time within Distributed Systems Time is important, however, it is problematic in distributed systems as we cannot synchronize time perfectly Introducing Time Time is a quantity that we often want to measure accurately Algorithms that

535 views • 29 slides
Bill OHanlon www.billohanlon.com NICABM December 2008 Time leveraging Time leveraging

Bill OHanlon www.billohanlon.com NICABM December 2008 Time leveraging Time leveraging

How to Get more Time in Your Personal and Professional Life: The Promise of the 20-hour Workweek Bill OHanlon www.billohanlon.com NICABM December 2008 Time leveraging Time leveraging Invest some time now for much more time later Time

737 views • 62 slides
Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting

R and Time Series Data Time Series Analysis and Mining with R Time Series Decomposi- tion Time Series Forecasting Yanchang Zhao Time Series Clustering Time Series RDataMining.com Classification http://www.rdatamining.com/ R Functions

1.91k views • 42 slides
Global Virtual Time Wallclock time T (GVT t ) during the execution of a Time Warp simulation is

Global Virtual Time Wallclock time T (GVT t ) during the execution of a Time Warp simulation is

Global Virtual Time Wallclock time T (GVT t ) during the execution of a Time Warp simulation is defined as the minimum time stamp among all unprocessed and partially Advanced Simulation processed messages and anti-messages in the system at

198 views • 5 slides
The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis

The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis

The need for efcient coding I OP TIMIZ IN G P YTH ON CODE W ITH PAN DAS Leonidas Souliotis PhD Researcher How do we measure time? time.time() : returns current time in seconds since 12:00am, January 1, 1970 import time # record time

346 views • 17 slides
This and upcoming lectures? What time is it? Well focus on concepts relating to time

This and upcoming lectures? What time is it? Well focus on concepts relating to time

This and upcoming lectures? What time is it? Well focus on concepts relating to time In distributed system we need practical ways to deal with time Time as it can be used in systems E.g. we may need to agree that

237 views • 8 slides
MORE TIME &amp; MANAGE YOUR DAYS with Kari Chapin Do you need more time in your day? Are you

MORE TIME &amp; MANAGE YOUR DAYS with Kari Chapin Do you need more time in your day? Are you

PRODUCTIVITY TIPS &amp; TRICKS TO HELP YOU FIND MORE TIME &amp; MANAGE YOUR DAYS with Kari Chapin Do you need more time in your day? Are you tired, overworked, and overwhelmed? What would you do if you had extra time, more energy, and a

338 views • 18 slides

More recommend