16. Web security: web basics Flashcards
How does hidden field session tracking work?
The web server sends a hidden input field containing the session ID; when the form is submitted, that session ID is sent back to the web server
What's the disadvantage of hidden field session tracking?
- Every form must carry the session ID (tedious)
- Session ends when the page is closed
How does cookie session tracking work?
The browser stores cookies and includes them in all subsequent requests to the originating host
What is the disadvantage of cookies for session tracking?
Can be disabled by the user
What fields does a cookie contain?
- name
- value
- expires (when to delete)
- domain
- path
- Secure (only over SSL)
- HttpOnly (only sent over HTTP, not accessible to JS)
What domains is a cookie valid for?
The domain and all sub domains
Can mail.example.com access cookies set for example.com?
Yes
Can example.com access cookies set for mail.example.com?
No
Which domains can one.mail.example.com set cookies for?
Any of its subdomains, and only one level up (mail.example.com)
How does a network attacker differ from a web attacker?
A web attacker controls a website the victim visits. A network attacker controls the whole network and can intercept, craft and send messages.