Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.

Slides:

Advertisements

Similar presentations

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

Advertisements

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

Web server security Dr Jim Briggs WEBP security1.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

Session Hijacking & ARP Poisoning Why web security depends on communications security and how TLS everywhere is the only solution.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

1 Chapter 2 & Chapter 4 §Browsers. 2 Terms §Software §Program §Application.

Reliability & Desirability of Data

Protecting Internet Communications: Encryption  Encryption: Process of transforming plain text or data into cipher text that cannot be read by anyone.

Lecture 15 Page 1 Advanced Network Security Perimeter Defense in Networks: Firewalls Configuration and Management Advanced Network Security Peter Reiher.

COMP3121 E-Commerce Technologies Richard Henson University of Worcester November 2011.

Feedback #2 (under assignments) Lecture Code:

School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.

Protecting Students on the School Computer Network Enfield High School.

CPT 123 Internet Skills Class Notes Internet Security Session A.

Lecture 15 Page 1 CS 136, Fall 2014 Web Security Computer Security Peter Reiher December 9, 2014.

Lecture 7 Page 1 CS 236, Spring 2008 Challenge/Response Authentication Authentication by what questions you can answer correctly –Again, by what you know.

Network Security, CS6262 Richard G. Personal Information Masquerading, Profiling, Snooping.

Lecture 19 Page 1 CS 236 Online Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security.

© 2010 Computer Science Faculty, Kabul University HTTP CONTINUED… 4 TH LECTURE 2, May, 2010 Baseer Ahmad Baheer.

Security, NATs and Firewalls Ingate Systems. Basics of SIP Security.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 20 Page 1 Advanced Network Security Basic Approaches to DDoS Defense Advanced Network Security Peter Reiher August, 2014.

Lecture 13 Page 1 CS 236 Online Principles for Secure Software Following these doesn’t guarantee security But they touch on the most commonly seen security.

Chapter 12: How Private are Web Interactions?. Why we care? How much of your personal info was released to the Internet each time you view a Web page?

Presenter: Le Quoc Thanh SPYWARE ANALYSIS AND DETECTION.

Lecture 5 Page 1 CS 236 Online Key Management Choosing long, random keys doesn’t do you any good if your clerk is selling them for $10 a pop at the back.

© Copyright 2009 SSLPost 01. © Copyright 2009 SSLPost 02 a recipient is sent an encrypted that contains data specific to that recipient the data.

Session Management Tyler Moore CS7403 University of Tulsa Slides adapted in part or whole from Dan Boneh, Stanford CS155 1.

Lecture 19 Page 1 CS 136, Spring 2009 Web Security and Privacy CS 136 Computer Security Peter Reiher June 4, 2009.

Lecture 15 Page 1 CS 236 Online Evaluating Running Systems Evaluating system security requires knowing what’s going on Many steps are necessary for a full.

8-Mar-16 More About Servlets Session Tracking. Persistent information A server site typically needs to maintain two kinds of persistent (remembered) information:

COOKIES AND SESSIONS.

WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas.

Lecture 10 Page 1 CS 236 Online SSL and TLS SSL – Secure Socket Layer TLS – Transport Layer Security The common standards for securing network applications.

Lecture 2 Page 1 CS 236 Online Security Policies Security policies describe how a secure system should behave Policy says what should happen, not how you.

Lecture 15 Page 1 CS 136, Spring 2016 Web Security Computer Security Peter Reiher May 24, 2016.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

1-way String Encryption Rainbows (a.k.a. Spectrums) Public Private Key Encryption HTTPS Encryption.

Lecture 9 Page 1 CS 236 Online Firewalls What is a firewall? A machine to protect a network from malicious external attacks Typically a machine that sits.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

Secure HTTP (HTTPS) Pat Morin COMP 2405.

Web Security CS 136 Computer Security Peter Reiher December 3, 2013

Password Management Limit login attempts Encrypt your passwords

Web Security Computer Security Peter Reiher March 2, 2017

Providing Network Services

Uses Of Encryption Algorithms

What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.

Web Security Lots of Internet traffic is related to the web

Web Systems Development (CSC-215)

Web Security Advanced Network Security Peter Reiher August, 2014

Groups for This Week Golita Benoodi, Zhen Huang, Ioannis Pefkianakis

Web Security CS 136 Computer Security Peter Reiher November 29, 2012

Web Security CS 136 Computer Security Peter Reiher March 11, 2010

Advanced Research Issues in Security: Web Security and Privacy CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

INTERNET SECURITY.

Presentation transcript:

Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks used to achieve statefulness –Usually requiring programmers to provide the state –Often trying to minimize work for the server

Lecture 16 Page 2 CS 236 Online A Simple Example Web sites are set up as graphs of links You start at some predefined point –A top level page, e.g. And you traverse links to get to other pages But HTTP doesn’t “keep track” of where you’ve been –Each request is simply the name of a link

Lecture 16 Page 3 CS 236 Online Why Is That a Problem? What if there are unlinked pages on the server? Should a user be able to reach those merely by naming them? Is that what the site designers intended?

Lecture 16 Page 4 CS 236 Online A Concrete Example The ApplyYourself system Used by colleges to handle student applications For example, by Harvard Business School in 2005 Once all admissions decisions made, results available to students

Lecture 16 Page 5 CS 236 Online What Went Wrong? Pages representing results were created as decisions were made Stored on the web server –But not linked to anything, since results not yet released Some appliers figured out how to craft URLs to access their pages –Finding out early if they were admitted

Lecture 16 Page 6 CS 236 Online The Core Problem No protocol memory of what came before So no protocol way to determine that response matches request Could be built into the application that handles requests But frequently isn’t –Or is wrong

Lecture 16 Page 7 CS 236 Online Solution Approaches Get better programmers –Or better programming tools Back end system that maintains and compares state Front end program that observes requests and responses –Producing state as a result Cookie-based –Store state in cookies (preferably encrypted)

Lecture 16 Page 8 CS 236 Online Data Transport Issues The web is inherently a network application Thus, all issues of network security are relevant And all typical network security solutions are applicable Where do we see problems?

Lecture 16 Page 9 CS 236 Online (Non-) Use of Data Encryption Much web traffic is not encrypted –Or signed As a result, it can be sniffed Allowing eavesdropping, MITM attacks, alteration of data in transit, etc. Why isn’t it encrypted?

Lecture 16 Page 10 CS 236 Online Why Web Sites Don’t Use Encryption Primarily for cost reasons Crypto costs cycles For high-volume sites, not encrypting messages lets them buy fewer servers They are making a cost/benefit analysis decision And maybe it’s right?

Lecture 16 Page 11 CS 236 Online Problems With Not Using Encryption Sensitive data can pass in the clear –Passwords, credit card numbers, SSNs, etc. Attackers can get information from messages to allow injection attacks Attackers can readily profile traffic –Especially on non-secured wireless networks

Lecture 16 Page 12 CS 236 Online Firesheep Many wireless networks aren’t encrypted Many web services don’t use end-to-end encryption for entire sessions Firesheep was a demo of the dangers of those in combination Simple Firefox plug-in to scan unprotected wireless nets for unencrypted cookies –Allowing session hijacking attacks When run in that environment, tended to be highly successful

Lecture 16 Page 13 CS 236 Online Why Does Session Hijacking Work? Web sites try to avoid computation costs of encryption So they only encrypt login Subsequent HTTP messages “authenticated” with a cookie Anyone who has the cookie can authenticate The cookie is sent in the clear... So attacker can “become” legit user

Lecture 16 Page 14 CS 236 Online Using Encryption on the Web Some web sites support use of HTTPS –Which permits encryption of data –Based on TLS/SSL Performs authentication and two-way encryption of traffic –Authentication is certificate-based HSTS (HTTP Strict Transport Security) requires browsers to use HTTPS

Lecture 16 Page 15 CS 236 Online Increased Use of Web Encryption These and other problems have led more major web sites to encrypt traffic E.g., Google announced in 2014 it would encrypt all search requests Facebook and Twitter adopted HSTS in 2014 Arguably, all web interactions should be encrypted

Lecture 16 Page 16 CS 236 Online Sometimes Encryption Isn’t Enough Especially powerful “attackers” can subvert this process –Man-in-the-middle attacks by ISPs –NSA compromised key management –NSA also spied on supposedly private links Usually impossible for typical criminal Hard or impossible for a user to know if this is going on

Lecture 16 Page 17 CS 236 Online Conclusion Web security problems not inherently different than general software security But generality, power, ubiquity of the web make them especially important Like many other security problems, constrained by legacy issues