Web Security - Basics, SOP, Sessions Flashcards
Define
Uniform Resource Identifier (URI)
Web Security
Identifies a resource (string)
Define
Scheme
Web Security
Protocol and framework
Components of Uniform Resource Identifier (URI)
Web Security
- Scheme
- Authority
- Path
- Query
Define
Authority
Web Security
Qualifying name (typically DNS host server or IP address)
Define
Path
Web Security
Pathname consisting of “/”-separated strings
Define
Query
Web Security
Application-specific information
Define
Uniform Resource Locator (URL)
Web Security
The identifier that contains information on how to locate an existing/available resource
Define
Uniform Resource Name (URN)
Web Security
Identifies an entity regardless of availability/existence
Define
Hypertext Markup Language (HTML)
Web Security
A language that uses tags and attributes to display a webpage
Define
Javascript
Web Security
Powerful scripting language that manipulates client-side data and provides object support
Why is Javascript suitable for HTML?
Javascript is weakly and dynamically typed
Define
HTML Frames
Web Security
The tag that allows for multiple separate views/pages associated with separate URLs on the same page
Directly visiting a page will lead to which frame?
Web Security
Main frame
What does the parent frame do?
Web Security
Specifies its own style and the placement of the child frame within itself
Define
Hypertext Transfer Protocol (HTTP)
Web Security
An application-layer protocol to transfer information between web client and server (typically port 80)
What does a client do during HTTP?
Web Security
Opens a connection and sends requests
What does a server do during HTTP?
Web Security
Accepts the client’s connection and sends replies in response to the requests
HTTP Request Headers specify
Web Security
- Method
- Resource
- Protocol version
HTTP Methods
Web Security
- GET()
- HEAD()
- POST()
- PUT()
Define
HTTP Method: GET()
Web Security
Reads data from the URL
Define
HTTP Method: HEAD()
Web Security
Fetches information about the data resource from the HTTP header
Define
HTTP Method: POST()
Web Security
Submits “data” and stores data as value in a variable
Define
HTTP Method: PUT()
Web Security
Uploads data to a stored variable under a specific resource
What specifies a resource?
Web Security
An absolute URI or relative path
How does an absolute URI request a resource?
Web Security
Through a proxy
How does a relative path request a resource?
Web Security
Through a server that owns the resource
Define
HTTP Response
Web Security
The answer or data read by the server
Define
Web Servers
Web Security
Something that loops forever to receive HTTP requests and send HTTP responses
Outline a TCP connection
Web Security
- Client requests to connect with a server
- Server accepts connection
- Client sends HTTP Request
- Server reads and processes HTTP Request
- Server writes back HTTP Response
- Connection closed
Define
Common Gateway Interface (CGI)
Web Security
Protocol for web servers to execute programs and generate pages dynamically
Define
HTML Forms
Web Security
Collects data using GET and POST methods
Where is data collected from when an HTML form uses GET()?
Web Security
Query
Where is data collected from if an HTML form uses POST()?
Web Security
Body
How is data sent back in an HTML form?
Web Security
Name-value pair
What happens if data from an HTML form is an empty string?
Web Security
Neither name nor value is present
Define
PHP: Hypertext Preprocessor (PHP)
Web Security
Executes the page on the server side
Define
Clientside Javascript
Web Security
APIs that control the web client in an object-oriented way
Define
User Agent
Web Security
Client-side software that retrieves and displays web data
Define
Document Object Model (DOM)
Web Security
Documentation that treats an HTML document like a tree structure
List the parts of a Document Object Model (DOM)
Web Security
- Node
- Browser Object Model (BOM)
Define
Node in a DOM
Web Security
Part of the document
Define
Browser Object Model (BOM) in a DOM
Web Security
The API to browser properties
Javascript security is much like
Web Security
A sandbox
What is part of Javascript security?
Web Security
- No access to files/network resources or browser history
- Windows must be bigger than 100x100 px
Describe
Frame Isolation
Web Security
Each site is isolated from one another (exception: if it’s the same site)
List the types of frame isolation relationships
Web Security
Frame-Frame and Frame-Principal
Describe
Frame-Frame
Web Security
- canScript(A, B) - can A execute scripts on B?
- canNav(A, B) - can A change B’s origin?
Describe
Frame-Principal
Web Security
readCookie(F, D) and writeCookie(F, D) - can frame F perform on domain D?
Describe
Same Origin Policy (SOP)
Web Security
Isolation of different pages such that a frame in one origin has no access to the resources of a different origin
What is an Origin determined by?
Web Security
Determined by string matching on the URL of a loaded frame’s location
What is the tuple for an origin?
Web Security
[Protocol, hostname, port]
Define
XMLHTTPRequests (XHR)
Web Security
Allows Javascript to send HTTP Requests to a server and receive data responses from the same origin
Define
HTTP Responses under SOP
Web Security
Can interact with other frames from different origins but can’t inspect the contents of scripts and resources
Ways to relax SOP
Web Security
- Set sites from different origins to be from the same domain
- Access-Control-Allow-Origin/Cross-Origin resource sharing
- Cross-document messaging
Define
HTTP Authentication
Web Security
Basic authentication to deny access until credentials are sent during verification procedures
Where can Access Control Policy be placed?
Web Security
Directory or global configuration file
How can a web application keep track of state if HTTP is stateless?
Web Security
- HTTP Cookies
- Server side sessions
- Embedding information in returned pages (i.e. hidden vars, modified URLs)
Define
Session
Web Security
Sequence of HTTP requests and responses associated with a user
Define
Basic Authentication
Web Security
Form to send credentials to the server side; an authenticator is returned for validation (i.e. cookie)
Define
HTTP Cookie
Web Security
Small data set from and set by a site, stored in the web browser to maintain state on the client side
Where can cookies from domain A send its requests to?
Web Security
To domain A
What defines the scope of a cookie?
Web Security
Domain and path
What if no domain is set for a cookie?
Web Security
Host-only cookie is set (handled by browser)
What happens if a path is specified for a cookie?
Web Security
Cookies are used when requesting a page within the path
What happens if no path is specified for a cookie?
Web Security
Cookies are used for the path of the requested resource
What controls the lifetime of a cookie?
Web Security
Expires and Max-Age
Define
Expires
Web Security
When the browser will delete the cookie
What happens if no expiration or max-age is set for a cookie?
Web Security
Cookie becomes a session cookie and will expire when the session is completed
Define
Secure Cookie
Web Security
Tells the browser to use the cookie only over secure/encrypted connections
Define
HTTP Only Cookie
Web Security
The cookie is not exposed except in HTTP requests
How can a client access a cookie?
Web Security
- Read cookies in scope
- Set a new cookie
- Delete a cookie
SOP: Cookies vs. DOM
abc.com/x ____ receive cookies for abc.com/y
Web Security
Does not receive
SOP: Cookies vs. DOM
abc.com/x ____ access the DOM of abc.com/y
Can access
SOP: Cookies vs. DOM
Using Javascript, why can abc.com/x see the cookies of abc.com/y?
Web Security
They share the same domain (abc.com)
Ways to indirectly bypass SOP
Web Security
- A related domain attacker controls cookies on another domain
- Filling the fixed storage limit of the cookie jar
- MITM attacks
What can a.abc.com do to b.abc.com?
Web Security
Influence and control b.abc.com’s cookies
Define
Session Fixation Attack
Web Security
Where a session ID is overwritten and the session is hijacked
How does a session fixation attack happen?
Web Security
Attacker gets the ID => victim visits under the wrong ID and authenticates => attacker impersonates the victim with the authentication information
Defenses against Session Fixations
Web Security
- Update session IDs periodically
- Initialize cross-site scripting
Define
Cross-Site Request Forgery (CSRF)
Web Security
Malicious Javascript/server code tricking users into performing actions on a different web application
Defenses against Cross-Site Request Forgery (CSRF)
Web Security
- Avoid using GET() when exporting functionality
- Referer Validation
- Secure Token Validation
Describe
Referer Validation
Web Security
Header field that indicates who initiated the request
Limitation to Referer Validation
Web Security
- Not always available
- May leak information
If the Referer is missing, what are the types of defaults?
Web Security
- Allow: less secure, more usable
- Deny: more secure, less usable
Define
Secure Token Validation
Web Security
A randomly generated invisible token on the server side for every user’s action
When is a Secure Token obtained?
Web Security
If the user explicitly visited the right page
What are the goals of web security?
Web Security
Protect CIA, privacy, availability, and computing resources