Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Technologies Computer Security Lecture 9 Tom Chothia.

Published byJoella Bradley Modified over 8 years ago

Similar presentations

Presentation on theme: "Web Technologies Computer Security Lecture 9 Tom Chothia."— Presentation transcript:

1 Web Technologies Computer Security Lecture 9 Tom Chothia

2 Transport Layer Security (TLS) The core protocol goes: 1.C  S : N C 2.S  C : N S, Cert S 3.C  S : E S (K_seed), Sign C (Hash1), {Hash2} K CS 4.S  C : {Hash3} K CS Hash 1 = #(N C,N S, E S (K_seed)) Hash 2 = #(N C,N S, E S (K_seed), Sign C (Hash1) ) Hash 3 = #(N C,N S, E S (K_seed), Sign C (Hash1), {Hash2} K CS )

3 Transport Layer Security (TLS) The core protocol goes: 1.C  S : N C 2.S  C : N S, Cert S 3.C  S : E S (K_seed), Sign C (Hash1), {Hash2} K CS 4.S  C : {Hash3} K CS Hash 1 = #(N C,N S, E S (K_seed)) Hash 2 = #(N C,N S, E S (K_seed), Sign C (Hash1) ) Hash 3 = #(N C,N S, E S (K_seed), Sign C (Hash1), {Hash2} K CS )

4 TLS with no Authentication Create a SSLServerSocketFactory using sockFact=SSLServerSocketFactory.getDefault(); Create a SSLServerSocket: secSock=sockFact.createServerSocket(portNo) Set the Ciphers: secSocket.setEnabledCipherSuites(ciphers); Listen on the socket for an encrypted connection: socket = (Socket) secSocket.accept();

5 Cipher Suites Cipher Suites with encryptions and authentication: SSL_RSA_WITH_3DES_EDE_CBC_SHA SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA TLS_DHE_DSS_WITH_AES_128_CBC_SHA TLS_DHE_DSS_WITH_AES_256_CBC_SHA TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5 TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA... Cipher Suites with just authentication : SSL_RSA_WITH_NULL_MD5 SSL_RSA_WITH_NULL_SHA Cipher Suites with just encryptions: SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA SSL_DH_anon_EXPORT_WITH_RC4_40_MD5 SSL_DH_anon_WITH_3DES_EDE_CBC_SHA SSL_DH_anon_WITH_DES_CBC_SHA SSL_DH_anon_WITH_RC4_128_MD5 TLS_DH_anon_WITH_AES_128_CBC_SHA TLS_DH_anon_WITH_AES_256_CBC_SHA

6 Encryption Demo

7 Public key infrastructure (PKI) X.509 certificates are an example of a PKI. Bad point: you need to pay a trusted third party. Another system is known as “web of trust” This lets you sign the public keys of any of your friends. Then anyone that trusts you learns all of your friend’s keys.

8

9 This Lecture Some basic building blocks of the web: HTTP: HyperText Transfer Protocol HTML: HyperText Markup Language JavaScript JSP: Java Server Pages SQL: Structured Query Language

10 Uniform Resource Locators Protocol Host FilePath Query String http://www.cs.bham.ac.uk/index.html? field1=valuea&field2=value2

11 HTTP HyperText Transfer Protocol Used to request and deliver webpages. Includes: Set of basic commands Header fields Status codes

12 GET and POST Key HTTP commands: GET: requests a resource, e.g. a webpage in HTTP POST: submits data to the server. e.g. from a form on a webpage.

13 Get demo on www.cs.bham.ac.uk

14 Example laptop:~ laptop$ telnet www.cs.bham.ac.uk 80 Trying 147.188.192.42... Connected to www.cs.bham.ac.uk. Escape character is '^]'. GET /index.php

15 The burp Proxy The burp Proxy lets you monitor and pause an Internet connection. http://portswigger.net/burp/proxy.html Use it to look at your clients HTTP messages: 1.Run proxy (it opens port 8080), 2.Tell web client to use the proxy 3.See the messages

16 Demo with proxy Note the header fields

17 Headers fields These provide extra information, e.g. Host: is compulsory for HTTP 1.1, GET /index.php HTTP/1.1 Host: www.cs.bham.ac.uk

18 Other Headers Fields Cookie: gives a “cookie” Accept: data types client can handle, e.g. Accept: text/plain Content-Length: length of message in bytes. Full list at: http://en.wikipedia.org/wiki/List_of_HTT P_headers

19 Cookies Cookies let you store a string on the client. This can be used to – Identify the user, – (cookie given out after login) – Store user name, preferences etc. – Track the user: time of last visit, etc. How many cookies are in your browser?

20 Headers and Bodies HTTP responses are made up of a header and a body: The header includes a reply code to tell the client what has happened. The body is the resource, e.g. the webpage

21 Status Codes 2--: Success 200 OK: the request worked 201 Created: request worked and server has created a new resource 204 No Context: request worked but there is nothing to return. …

22 Status Codes 3--: Redirection 301 Moved Permanently: Website has moved 4--: Client Error 400 Bad Request: syntax error 401 Unauthorized: needs a cookie? 403 Forbidden: No access allowed

23 Status Codes 5--: Server Error 500 Internal Server Error: general error message 501 Not Implemented: command not supported Full list of status codes at: http://en.wikipedia.org/wiki/List_of_HTTP_ status_codes

24 Example laptop:~ laptop$ telnet www.google.co.uk 80 Trying 173.194.37.104... Connected to www.l.google.com. Escape character is '^]'. GET / HTTP/1.1 Host:www.google.co.uk HTTP/1.1 200 OK Date: Wed, 03 Nov 2010 13:07:18 GMT Expires: -1 Cache-Control: private, max-age=0 Content-Type: text/html; charset=ISO-8859-1 Set-Cookie: PREF=ID=e5e59d5c56d4f722:FF=0:TM=1288789638:LM=1288789638:S=qb0 MGMEGVmqC7eu0; expires=Fri, 02-Nov-2012 13:07:18 GMT; path=/; domain=.google.co.uk

25 OTHER COMMANDS HEAD like GET but only gets header PUT uploads resource to server DELETE deletes resource from server TRACE echoes back message OPTION returns supported HTTP CONNECT used for tunnelling TCP PATCH partially modify resource

26 Hypertext Markup Language HTML Tags tell browser how to display text: hello bob = hello bob Links: link

27 Web Pages Server HTML file HTTP GET HTML HTTP file Client HTML Display

28 HTML Forms Email: http://site.com/index.jsp?email=x@y.com

29 JavaScript JavaScript is a language for web pages, that will run on the client. It can be added to any HTML file. When the client loads the HTML it executes the JavaScript. It’s not Java, but is kind of like it.

30 Why Use JavaScript? Shift computation onto the client. Personalise web pages to the reader. Form validation Keeping track of users: cookies. Pop-up, alerts, new windows....

31 Hello World in JavaScript: Put the JavaScript in a HTML web page. Put JavaScript between the HTML tags... The print command in JavaScript is: document.write( ); HTML between the... will be run if JavaScript is not enabled.

32 JavaScript examples

33 w3Schools

34 Client JavaScript Server HTML + J.S. file HTTP GET HTML&JS HTTP file Display JS interpreter

35 JavaServer Pages (JSP) JavaServer Pages lets you write dynamic webpages using Java. You can put the Java in a HTML file. The Java code will be run on the server every time a page is requested. To run JSP you need to use a compatible webserver, e.g. Tomcat, Glassfish.

36 JSP JSP files end with.jsp Info bar at top with imports etc. Place Java code inside All other code is normal HTML Only runs in a container (easy with Netbeans)

37 JSP Hello world

38 JSP Server HTTP GET HTML HTTP file Java code “Servlet” HTML + Java file Client HTML Display

39 JSP random number page in netbeans(WebApp3)

40 SQL To store data about users and content, most website will use a SQL database. This is a standard database format, which you should know. See e.g.: http://www.w3schools.com/ sql/default.asp

41 Some Key SQL Commands SELECT LastName FROM namesTable WHERE FirstName=‘Fred’ INSERT INTO namesTable VALUES (‘John’,‘Smith’) DROP TABLE namesTable

42 SQL with JSP Show exercise code e.g. contact.jsp

43 A typical web set up Server HTTP GET cookie HTML HTTP file Java code “Servlet” JSP Client HTML Display SQL

44 Typical Web Setup HTTP website: Email: http://site.com/index.jsp?email=x@y.com Users browser:

45 Typical Web Setup http://site.com/index.jsp?email=x@y.com JSP page reads and processes: … email=request.getParameter(”email"); stmt.execute(“INSERT INTO table VALUE(‘“+id+”’,‘“+email+”’); %> Your e-mail has been added

46 Other Popular Web Technologies PHP: plays a similar role to JSP CGI: like JSP but with Perl instead of Java ASP: Microsoft’s version of JSP AJAX: Asynchronous Javascript And XML

47 Next 2 lectures:

48 How this all goes wrong.

49 Next 2 lectures: How this all goes wrong. In particular: Stealing cookies, SQL injection, Cross site scripting attacks (XSS), Cross-site request forgery (CSRF).

Download ppt "Web Technologies Computer Security Lecture 9 Tom Chothia."

Similar presentations

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
HTTP – HyperText Transfer Protocol

HTTP – HyperText Transfer Protocol
HTTP By: Becky Fultz, Joe Flager, Katie Huston, Tom Packard, Allison Wilsey.

HTTP By: Becky Fultz, Joe Flager, Katie Huston, Tom Packard, Allison Wilsey.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.

16-Jun-15 HTTP Hypertext Transfer Protocol. 2 HTTP messages HTTP is the language that web clients and web servers use to talk to each other HTTP is largely.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.

The World Wide Web and the Internet Dr Jim Briggs 1WUCM1.
JavaScript ICW: Lecture 11 Tom Chothia. Last Lecture URLs Threads, to make a process run in parallel: Make it extend Thread Give it a run method Call.

JavaScript ICW: Lecture 11 Tom Chothia. Last Lecture URLs Threads, to make a process run in parallel: Make it extend Thread Give it a run method Call.
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Secure Sockets SSL/TLS ICW: Lecture 6 Tom Chothia.

Secure Sockets SSL/TLS ICW: Lecture 6 Tom Chothia.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.

 What is it ? What is it ?  URI,URN,URL URI,URN,URL  HTTP – methods HTTP – methods  HTTP Request Packets HTTP Request Packets  HTTP Request Headers.
2440: 141 Web Site Administration Web Server-Side Programming Professor: Enoch E. Damson.

2440: 141 Web Site Administration Web Server-Side Programming Professor: Enoch E. Damson.
Web technologies and programming cse4461 - hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.

Web technologies and programming cse hypermedia and multimedia technology Fanis Tsandilas April 3, 2007.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.

CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.

Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Similar presentations

Ads by Google