web attacks -- part 1 Flashcards
what does http stand for
Hyper Text Transfer Protocol
what is http used for
protocol used for web browsing
Specifies messages exchanged
what are the messages in http
messages are text based
are http client based designs stateless?
yes and they quickly became a problem - hence cookies
describe http
HTTP = Hyper Text Transfer Protocol
▶ Protocol used for web browsing
▶ and many other things by now Question: Why?
▶ Specifies messages exchanged
▶ HTTP/1.1 specified in RFC 2616
▶ Request methods: GET, POST, PUT, DELETE
▶ Messages are text-based, in lines (Unix: CR+LF)
▶ Stateless client-side design
▶ Quickly became a problem, hence cookies
▶ NB: HTTP is entirely separate from HTML!
▶ HTTP headers are not HTML <HEAD>
▶ HTML is a text format for web content
describe http communication
HTTP is a client-server protocol.
▶ Client initiates TCP connection (usually port 80)
▶ Client sends HTTP request over connection
▶ Server responds
▶ May close connection (HTTP 1.0 default)
▶ Or keep it persistent for a short time
▶ Server never initiates a connection
▶ Except in newer HTML5 WebSockets
▶ WebSockets allow low-latency interactivity
▶ Upgrade: websocket handshake & switch to WS
▶ Expect to see rise in use and security issues…
why are inputs via GET requests bad?
SEO optimization: URL not canonical
Cache behavior (not relevant for login)
what is a GET request
input encoded into parameters in URL
What is GET
request for information:
– can be (transparently) resent by browsers
– may be cached, bookmarked, kept hidden
GET often changes state somewhere
▶ User searches for something, gets recorded
▶ User has navigated somewhere, gets recorded
what is POST
Is an update providing information
– gives impression that input hidden
– browsers may treat differently
can POST and GET provide confidentiality by themselves?
NO —> both need HTTPS to provide confidentiality
plaintext –> can be sniffed
When to use POST instead of GET
– for sensitive data
–> for confidentiality but not enough alone
– for large data
—> URLs should be short
—> Longer URLs can cause problems in some software
– for actions with major side effects
how to make sure application is not vulnerable
Credentials can be guessed or overwritten through weak account management functions:
▶ Default passwords
▶ Broken account creation/recovery
▶ Automated brute-force attacks possible (“credential stuffing”)
▶ Passwords or other credentials are sent over unencrypted connections.
▶ Credentials aren’t protected when stored (stolen entries vulnerable to offline attack)
▶ Multi-factor (or recovery factor) broken/missing
how to make sure password is secure
▶ Avoid passwords if possible
▶ Don’t require rotation unless compromise signs
▶ Recommend secure storage mechanisms
▶ Check for weak passwords, use (sane) password complexity rules
▶ Rate-limit logins to prevent automated attacks
▶ Use multi-factor authentication for recovery
why is some state desirable for cookies
Some state is highly desirable between requests:
▶ Remember user’s preferences, navigation point, …
▶ Web applications: user logged in
why is state sometimes less desirable for cookies
However, there is also the less desirable:
▶ Advertising network tracking IDs
▶ May be shared between websites
▶ Thus can profile user browsing behavior
▶ Hence compromise privacy
▶ Also risk of theft
▶ If browser/machine compromised, or
▶ If cookies passed in clear
describe cookies in HTTP headers
▶ Specified in RFC6265
▶ Just ASCII plain text
▶ Sent by server
▶ Stored in client (database, filesystem, …)
▶ Returned by client when visiting page again
▶ Cookies can be set by the server for a particular path/domain
▶ Then sent for any page matching
▶ Multiple cookies may be set and returned
▶ Cookies may have a limited lifetime
▶ Set by ‘Expires’ or ‘Max-Age’
what makes a cookie secure if it has the Secure attribute?
If a cookie has the “Secure” attribute, it will only be sent over secure connections, like HTTPS. The browser decides what counts as “secure” (usually things like TLS/SSL). This helps keep the cookie safe from being sent over unencrypted or unsafe connections.
Provided the browser obeys this
▶ Still, no harm in using (defense in depth)
how to remove a cookie
To delete a cookie, the server sends a Set-Cookie header back with an expiration date in the past. But for it to actually be deleted, the Path and Domain must be the same as when the cookie was first set.
what is session hijacking
it is when the attacker steals your session ID; this guarantees them a login!
what are methods of session hijacking
XSS
interception
sniffing
calculate
brute force
guess
session fixation
what is session fixation in session hijacking
the same session ID is kept from unauthenticated to logged in
attacker gets and sets the SID before the user visits the site
what are some session hijacking defences
Web apps (or frameworks) should implement defenses and discard SIDs if something suspicious happens.
▶ Link SID to IP address of client
▶ Problems if behind NAT, transparent proxies
▶ ISP proxy pools mean need to use subnet, not IP
▶ Subnet may be shared with attacker!
▶ Link SID to HTTP Headers, e.g. User-Agent
▶ Can be trivially faked… and usually guessed
▶ …or captured (trick victim to visit recording site)
what are ways that poor session id management can occur?
▶ Exposing SIDs in the URL (e.g., URL rewriting).
▶ SIDs are vulnerable to session fixation attacks.
▶ SIDs don’t timeout, or sessions/tokens aren’t invalidated in logout.
▶ SIDs are weak (small entropy, or predictable).
▶ Session IDs aren’t rotated after a new login.