Request:
Reply:
URI syntax: <scheme>://<authority><path>?<query>
HTTP authentication:
Basic HTTP authentication
WWW-Authenticate: Basic realm="whatever"
HTTP/1.1 authentication:
Web Authentication API
Maintaining state
GET /login.php?user=foo&pwd=bar HTTP/1.1
<input type="hidden" name="user" value="foo" />
Set-Cookie: USER=foo; SHIPPING=fedex; path=/
Cookie header: <name>=<value>
expires: key for expiration date
domain: for more generic domain
secure: to only send via SSL connections
httponly: to make it inaccessible to client-side scripts
Sessions:
Way to invoke programs on server side, with input returning to client. Input passed via URL or body in POST.
CGI programs can be written in any language, and input piped to process’s stdin. Parameters are passed via environment variables.
Pages that contain mix of text, HTML tags, scripting directives, and server-side includes.
Directives are executed on server side before serving the page.
Servlets: Java programs executed on server (similar to CGI). Can run in existing JVM, without making a new process.
JSP are static HTML mixed with Java code, and are compiled into servlets.
Scripting language that can be embedded in HTML. PHP code executed on server side when the page containing the code is requested. Common way is to have a LAMP stack.
Support rapid development, might be based on existing web servers or might have their own. Often based on model-view-controller pattern, and provide automated translation of objects to/from database. Example is Ruby on Rails.
Compiled Java programs that are downloaded and executed in context of a web page.
Binary, OS-specific programs downloaded and executed in context of a web page. Code signed via Authenticode mechanism. Once executed, have complete access to client’s environment.
Scripting languages for dynamic behavior in web pages.
Subset of JS that allows for very fast code. Can use compiler passes to translate e.g. C code to asm.js
Low-level bytecode for client-side scripting, supports compilation from C/C++.
“Window”: top hierarchy of objects
DOM: document object model
BOM: browser object model
JS code downloaded as part of HTML page, executed on-the-fly. Security guaranteed by sandboxing:
Security policies:
Site isolation (Google Chrome): pages from different websites are different processes, each in a sandbox.
Lets JS modify web page based on result of request, without need for explicit user interaction.
XML HTTP request:
onreadystatechange: property of XML-HTTP object to run a callback
onreadystatechange callback is called on any state change, so you can check the current state
What’s the best way to authenticate?
‘Basic’ authentication:
If app includes authenticator in URL, browsers may leak info as part of “Referer” field.
Expiration info should be stored on server side, or included in cookie in cryptographically secure way.
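As an added example (not code from the original notes), the following Python checks a Set-Cookie header for the attributes listed under cookies above, and shows the second option of this point: an expiry that rides in the cookie but is bound to the user name by an HMAC, so the client can neither extend it nor change the user. The key and the cookie values are constructed for the example.

```python
import hashlib
import hmac
import time

# Constructed server-side key for this example; a real server loads it from config.
SECRET_KEY = b"example-key-replace-in-deployment"


def parse_set_cookie(header_value):
    """Split a Set-Cookie header value into (name, value, {attribute: value}).
    Attribute names are lower-cased; flags such as Secure map to ''."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header_value):
    """List the protections from the cookie attributes above that this header lacks."""
    _, _, attrs = parse_set_cookie(header_value)
    missing = []
    if "secure" not in attrs:
        missing.append("secure")      # would also travel over plain HTTP
    if "httponly" not in attrs:
        missing.append("httponly")    # readable by client-side scripts
    if "expires" not in attrs and "max-age" not in attrs:
        missing.append("expires")     # lifetime left to the browser session
    return missing


def sign_cookie_value(user, expires_at):
    """Bind user and expiry time together with an HMAC tag, so the client can
    read them but cannot change either without the server noticing."""
    payload = f"{user}|{int(expires_at)}"
    tag = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def verify_cookie_value(value, now=None):
    """Return the user name if the tag is valid and the cookie is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        user, exp, tag = value.rsplit("|", 2)
        exp = int(exp)
    except ValueError:
        return None
    expected = hmac.new(SECRET_KEY, f"{user}|{exp}".encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak how many tag bytes matched.
    if not hmac.compare_digest(tag, expected):
        return None
    if exp <= now:
        return None
    return user
```

The audit of the notes' own example, USER=foo; SHIPPING=fedex; path=/, reports all three attributes missing; a signed value that has been edited to a later expiry fails verification because the tag no longer matches.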
Attacking it:
Authorization: what can a user do?
Path/directory traversal: break out of document space by using relative paths
Forceful browsing: manually jump to any publicly available resource
Automatic directory listing: if no index.html in directory, browser returns listing of the files
Parameter manipulation: changing parameters of valid request
Parameter creation: add new parameters manually, such as &admin=1
Server misconfiguration: e.g. if data can be uploaded via FTP and executed via a web request
Command injection: incorrect validation of user input that leads to executing commands on the server
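As an added example for the path/directory traversal item above (not code from the original notes), this Python maps a request path onto a document root and refuses any path that normalises to a location outside it. The document root is a constructed value.

```python
import posixpath
from urllib.parse import unquote

# Constructed document root; a real server uses whatever it is configured with.
DOC_ROOT = "/var/www/html"


def resolve_under_root(request_path, root=DOC_ROOT):
    """Map an HTTP request path onto the filesystem, refusing anything that
    would leave the document root. Returns the absolute path, or None."""
    # Decode once, so %2e%2e/ is seen as ../ before the path is normalised.
    decoded = unquote(request_path)
    # A NUL would truncate the name in C-based file APIs; never pass it on.
    if "\x00" in decoded:
        return None
    # Request paths are relative to the root; drop the leading slash so that
    # posixpath.join does not treat an absolute path as the whole path.
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # After normalisation every ../ has been applied, so a single prefix check
    # tells us whether the path still lies inside the root.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate
```

The check is purely lexical: on a real filesystem, symbolic links inside the root can still point outside it, so the served path should additionally be resolved with os.path.realpath and checked the same way.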
Simple interpreted server-side scripting language.
You can introduce directives into web pages.
Syntax: <!-- #element attribute=value ... -->
These can also have things like #exec, which is a security problem.
If allow_url_fopen is set, you can use URLs in include() and require().
If user input is used to create the filename, then you can execute arbitrary code.
You can inject HTML tags to modify behavior of a web page, e.g. an iframe, or forms to collect user’s credentials.
Command injection is a sanitization problem, so don’t trust outside input. Always sanitize.
SQL queries are built using parameters provided by users. If a user provides special characters, they can modify queries, find out about stored procedures in database, and even run commands.
If you build a query like this:
var sql = "select * from user_accounts where username = '" + username + "' and password = '" + password + "'";
You can provide the input ' or 1=1 --
for username to get a string like this:
select * from user_accounts where username='' or 1=1--' and password=''
Since 1=1 is always true, you get all of the records in the table.
You can use this to run subqueries, and if the result is reflected back, you can extract info from other tables.
Identifying SQL injections:
''Foo instead of Foo
Number of columns in a query can be determined using progressively longer NULL columns until the query returns correctly (i.e. UNION SELECT NULL, UNION SELECT NULL, NULL, etc.)
If you want to figure out which column has a string: UNION SELECT 'foo', NULL, NULL, UNION SELECT NULL, 'foo', NULL, etc.
SQL code injected into application, but statement invoked at later point in time. Even if application escapes single quotes, second order SQL injection might be possible. E.g. if you save a ‘favorite search’ which contains an SQL injection, and then select it later, running the injection.
If you have no feedback, you can use AND 1=1 to check if input is sanitized.
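As an added example (not code from the original notes), the following Python reproduces the string-built login query from the SQL injection section above against an in-memory SQLite table with constructed rows, places the parameterized form beside it, and then shows the second-order case: a stored "favorite search" that is harmless when saved but injects when it is concatenated into a later query. Table and row contents are constructed for the example.

```python
import sqlite3


def make_db():
    """In-memory stand-in for the user_accounts table, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_accounts (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO user_accounts VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.execute("CREATE TABLE favorites (username TEXT, search TEXT)")
    return conn


def login_vulnerable(conn, username, password):
    """The string-built query from the notes: input becomes part of the SQL text."""
    sql = ("select * from user_accounts where username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password):
    """Parameterized query: the values travel separately from the SQL text, so a
    quote or comment marker in the input is just data."""
    sql = "select * from user_accounts where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchall()


def save_favorite(conn, username, search):
    """Store a 'favorite search'. The insert is parameterized, so nothing runs
    at save time; the quote inside the text is stored intact."""
    conn.execute("INSERT INTO favorites VALUES (?, ?)", (username, search))


def run_favorite_vulnerable(conn, username):
    """Second-order injection: the stored text is trusted later and concatenated."""
    (search,) = conn.execute("SELECT search FROM favorites WHERE username = ?",
                             (username,)).fetchone()
    sql = "SELECT username FROM user_accounts WHERE username LIKE '" + search + "'"
    return conn.execute(sql).fetchall()


def run_favorite_safe(conn, username):
    """Same lookup with the stored value bound as a parameter."""
    (search,) = conn.execute("SELECT search FROM favorites WHERE username = ?",
                             (username,)).fetchone()
    sql = "SELECT username FROM user_accounts WHERE username LIKE ?"
    return conn.execute(sql, (search,)).fetchall()


def run_demo():
    """Row counts for the four queries with the notes' ' or 1=1 -- input and a
    stored search of x' OR '1'='1."""
    conn = make_db()
    save_favorite(conn, "alice", "x' OR '1'='1")
    return {
        "vulnerable_login_rows": len(login_vulnerable(conn, "' or 1=1 --", "")),
        "safe_login_rows": len(login_safe(conn, "' or 1=1 --", "")),
        "second_order_rows": len(run_favorite_vulnerable(conn, "alice")),
        "second_order_safe_rows": len(run_favorite_safe(conn, "alice")),
    }
```

The lesson of the second-order half is that escaping at the input boundary is not enough: the stored value is legitimate data and must be bound as a parameter every time it is used in a query, not only when it is first received.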
XSS (Cross-site scripting): used to bypass JS’s same origin policy
Preventing XSS:
httponly on cookies to prevent access by scripts
Allows attacker to execute requests on behalf of victim.
“Confused deputy attack”: browser uses victim’s authority to do what the attacker wants
Preventing:
Suppose the server is asked to make a request to some back-end API like this:
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://stock...
If the attacker can change the URL, it can provide something like
POST /product/stock HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 118
stockApi=http://localhost/admin
This means that the server accesses its own admin URL, which is blocked from the outside but not access-checked when the request comes from localhost.
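As an added example (not code from the original notes), this Python is the check the stock-lookup server above should apply to the stockApi value before fetching it: only the expected scheme and back-end host are accepted, and localhost or any loopback, private or link-local address literal is refused even when hidden behind userinfo or IPv6 brackets. The allowlisted host name stock.example is a hypothetical stand-in for the real stock API.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the one back-end host the stock lookup is meant to reach.
# "stock.example" is a hypothetical name standing in for the real stock API.
ALLOWED_HOSTS = {"stock.example"}
ALLOWED_SCHEMES = {"http", "https"}


def is_internal_host(host):
    """True for localhost and for literal addresses in loopback, private,
    link-local, unspecified or reserved ranges."""
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name, not an address literal
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved)


def check_stock_api_url(url):
    """Decide whether the server may fetch url on the client's behalf.
    Returns (allowed, reason)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    # .hostname strips userinfo, the port and IPv6 brackets, so
    # http://stock.example@localhost/ is seen as localhost.
    host = (parts.hostname or "").lower()
    if not host:
        return False, "no host"
    if is_internal_host(host):
        return False, "internal address"
    if host not in ALLOWED_HOSTS:
        return False, "host not on allowlist"
    return True, "ok"
```

The allowlist does the real work; the address check is a second layer. A name on the allowlist can still resolve to an internal address, so a complete fix resolves the name, applies is_internal_host to the resulting address, connects to that address, and does not follow redirects from the back-end blindly.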
Another attack is clickjacking:
Exploits the fact that user-provided data is in header of reply.
For example, if setting language to english gives you a redirect like this:
HTTP/1.1 302 Moved Temporarily
Date: ...
Location: http://10.1.1.1/by_lang.jsp?lang=English
...
<html>Error</html>
You can provide URL-encoded headers inside of lang, which are decoded and interpreted as part of the response.
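As an added example (not code from the original notes), this Python builds the Location header of the redirect above in two ways: the vulnerable way, where the decoded lang value is pasted into the header, and a safe way that refuses line breaks, accepts only a known language, and percent-encodes the value. The language allowlist is constructed; the redirect URL is the one from the notes.

```python
from urllib.parse import quote, unquote

# Constructed allowlist of languages the page supports.
SUPPORTED_LANGS = {"English", "French", "German"}
REDIRECT_BASE = "http://10.1.1.1/by_lang.jsp?lang="


def location_vulnerable(lang_param):
    """Mirror the redirect from the notes: decode the parameter and paste it
    straight into the Location header value."""
    return "Location: " + REDIRECT_BASE + unquote(lang_param)


def header_lines(header_text):
    """Split header text the way an HTTP parser does, on CRLF."""
    return header_text.split("\r\n")


def location_safe(lang_param):
    """Validate the value before it reaches a header: reject line breaks, accept
    only known languages, and percent-encode the result. Returns None if refused."""
    lang = unquote(lang_param)
    if "\r" in lang or "\n" in lang:
        return None                      # a line break can never belong in a header
    if lang not in SUPPORTED_LANGS:
        return None                      # unknown value: refuse rather than reflect
    return "Location: " + REDIRECT_BASE + quote(lang, safe="")
```

With a lang value of English%0d%0aX-Injected:%201 the vulnerable header splits into two header lines once decoded, which is exactly the extra header the notes describe; the safe version returns None for it and only ever emits a single line.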
You can add a space after a header, without CRLF, and then an ‘inner’ HTTP request:
![Request smuggling example](http-request-smuggling.png)
PHP has loose (==) and strict (===) comparisons.
When comparing string to number, PHP tries to convert the string to the appropriate number. If both operands look like numbers, PHP converts both to numbers and does numeric comparison.
Serialization of Python datatypes.
Pickle allows arbitrary objects to be pickled by providing a __reduce__ method, which should return: