Web Security
1

Today
• Web architecture
– Basics of web security
2

What is the Web?
• A platform for deploying applications, portably and securely
3

Web security: two sides
• Web browser: (client side)
– Interacts with the user
– Fetches and renders pages from the server
– Worry about user’s own data, malware, keyloggers, …
• Web application code: (server side)
– Runs at web site: banks, e-merchants, blogs
– Written in PHP, ASP, JSP, Python, Ruby, Node.js, …
– Decides which page to serve to which users/requests (authorized users, dynamic content, etc)
– Worry about all users’ data, targeted attacks, …
4

A historical perspective
• The web is an example of “bolt-on security”
• Originally, the web was invented to allow
physicists to share their research papers
– Only textual web pages + links to other pages; no security model to speak of
• Then we added embedded images
– Crucial decision: a page can embed images loaded
from another web server
• Then, Javascript, dynamic HTML, AJAX, CSS, frames, audio, video, …
• Today, a web site is a distributed application
5

URLs
• Global identifiers of network-retrievable documents
• Example: http://ecen4133.org:80/tmp/test?foo=1337#top
host
Are URLs case-sensitive?
Fragment
Protocol
Path
Query
6

HTML
• Hypertext markup language (HTML)
– Describes the content and formatting of Web pages – Rendered within browser window
• HTML features
– Static document description language
– Supports linking to other pages and embedding images by reference
– User input sent to server via forms
• HTML extensions
– Additional media content (e.g., PDF, video) supported through plugins
– Embedding programs in supported languages (e.g., JavaScript, Java) provides dynamic content that interacts with the user, modifies the browser user interface, and can access the client computer environment
7

HTTP protocol
• HTTP is
– widely used – Simple
– Stateless
– Unencrypted
8

HTTP Protocol
Method File HTTP version
Headers
GET /index.html HTTP/1.1 Host: www.example.com
HTTP Request HTTP Reply
Browser
HTTP version
Web Server
Status code
Reason phrase

HTTP/1.1 200 OK
Date: Tue, 14 Feb 2012
Server: Apache/1.3.3.7
Last-Modified: Mon, 13 Feb 2012 Content-Length: 438
Set-Cookie: …
Content-Type: text/html; charset=UTF-8
Headers

Hello World!

Cookies
Data
9

HTTP GET request
• Used to fetch resources
• Shouldn’t change state on the server
GET /cat.jpg HTTP/1.1
Host: catpictures.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36
Accept: text/html,application/xhtml+xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
10

HTTP POST request
• Used to update state on the server • Clients can send/upload files/data
POST /register HTTP/1.1
Host: catpictures.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36
Accept: text/html,application/xhtml+xml;q=0.9,image/webp,*/*;q=0.8 Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Content-Length: 20
User=bob&Pass=abc123
11

HTML Basics
• HyperText Markup Language
– Nested “tag” structure

Look, a cat!

Click here for more cats!



12

HTML, CSS, Javascript
• HTML for structure
– What elements of a page are related? – What resources should be included?
• CSS (Cascading Style Sheet) for style
– What fonts/colors/sizes/positions should
elements be?
• Javascript for dynamic content – When a user clicks this, do that – Here be dragons!
13

Javascript
14

DOM Tree: Document Object Model
• “TheDocumentObject Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents.”
15

Javascript
• Functional, imperative, and object-oriented • Oh, and untyped. Good luck!
function factorial(x) {
var r = x;
for (var i=1; i

Click here, quick!



19

Click here, quick!


JQuery
20

AJAX (w/ JQuery)

Loading the weather…

// This function is called with the result of // loading the URL
$(‘#foo’).html(data);
21

http://gmail.com/ says:
Hi!
gmail.com
Web Review | HTTP
GET / HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …




GET /img.png HTTP/1.1 Host: gmail.com
HTTP/1.1 200 OK …
<89>PNG^M …

Web Review | Cookies
POST /login HTTP/1.1 Host: gmail.com
user=alice&pass=s3cre7
gmail.com
HTTP/1.1 200 OK
Server: gws
Set-Cookie: foo=“bar” Set-Cookie: token=“8kFmCe…”
…
GET / HTTP/1.1
Host: gmail.com
Cookie: foo=“bar”; token=“8k…”
Ah, it’s alice!

Cookies
• Cookies are a small bit of information stored on a computer associated with a specific server
– When you access a specific website, it might store information as a cookie
– Every time you revisit that server, the cookie is re-sent to the server
– Effectively used to hold state information over sessions
• Cookies can hold any type of information
– Can also hold sensitive information
• This includes passwords, credit card information, social security
number, etc.
• Session cookies, non-persistent cookies, persistent cookies
– Almost every large website uses cookies
24

More on Cookies
• Cookies are stored on your computer and can be controlled
– However, many sites require that you enable cookies in order to use the site
– Their storage on your computer naturally lends itself to exploits (Think about how ActiveX could exploit cookies…)
– You can (and probably should) clear your cookies on a regular basis
– Most browsers will also have ways to turn off cookies, exclude certain sites from adding cookies, and accept only certain sites’ cookies
• Cookies expire
– The expiration is set by the sites’ session by default, which
is chosen by the server
– This means that cookies will probably stick around for a while
25

“Evercookie”
• Cookies are just state servers store in your browser
• Where else can state be stored? – Local Storage (Javascript)
– Image/resource cache
– Flash local shared objects
– Java storage – Others?
26

Third-party cookies
27

Third-party cookies
• External (third-parties) serve ads/trackers on sites you visit
• The trackers can tell what page you are visiting, and correlate this with other page visits your browser makes
• Trackers then sell info to advertisers (often in real time!), who use it to show you ads relevant to you
28

Third-party cookies
• Most browsers let you disable third-party cookies – Only send cookies to first-party sites, never to
external/third-party sites
• Privacy extensions: AdBlock, Ghostery, PrivacyBadger, etc block trackers
29

Taking Care of Your Cookies
• Managing your cookies in Chrome:
– Remove Cookie
– Remove All Cookies
– Displays information of individual cookies
– Also tells names of cookies, which probably gives a good idea of what the cookie stores
• i.e. amazon.com: session-id
30

Security on the web
• Web sites should not be able to read or change files on my computer
• Web sites should not be able to learn what other websites I visit, or how I interact with them
• Web sites should not be able to cause me to interact with other unrelated websites
31

Security on the web
• Risk #1: we don’t want a malicious site to be able to trash my files/programs on my computer
– Browsing to awesomevids.com (or evil.com) should not infect my computer with malware, read or write files on my computer, etc.
• Defense: Javascript is sandboxed;
try to avoid security bugs in browser code; privilege separation; automatic updates; etc.
32

Security on the web
• Risk #2: we don’t want a malicious site to be able to spy on or tamper with my information or interactions with other websites
– Browsing to evil.com should not let evil.com spy on my emails in Gmail or buy stuff with my Amazon account, even if I am logged in
• Defense: the same-origin policy
– A security policy grafted on after-the-fact, and
enforced by web browsers
– Intuition: each web site is isolated from all others
33

Security on the web
• Risk #3: we want data stored on a web server to be protected from unauthorized access
– More on this in the web project!
– Next week: XSS, CSRF, SQL injection…
• Defense: server-side security
34

Same-origin policy
• Each site is isolated from all others
35

Same-origin policy
• Multiple pages from same site aren’t isolated
36

Same-origin policy
• Granularity of protection: the origin
• Origin = protocol + hostname (+ port)
• Javascript on one page can read, change, and interact freely with all other pages from the same origin
37

Same-origin policy
• The origin of a page (frame, image, …) is derived from the URL it was loaded from
• Special case: Javascript runs with the origin of the page that loaded it
38

Confining the Power of JavaScript Scripts
• Given all that power, browsers need to make sure JS scripts don’t abuse it
• For example, don’t want a script sent from hackerz.com web server to read cookies belonging to bank.com …
• … or alter layout of a bank.com web page
• … or read keystrokes typed by user while focus is on a bank.com page!
39

Same-origin policy
• Browsers provide isolation for JS scripts via the Same Origin Policy (SOP)
• Simple version:
– Browser associates web page elements (layout, cookies, events) with a given origin ≈ web server that provided the page/cookies in the first place
• Identity of web server is in terms of its hostname, e.g., bank.com
• SOP = only scripts received from a web page’s origin have access to page’s elements
• XSS: Subverting the Same Origin Policy
40