Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies.

Published byMarvin Allison Modified over 8 years ago

Similar presentations

Presentation on theme: "Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies."— Presentation transcript:

1 Cookies COEN 351 E-commerce Security

2 Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies

3 Client / Session Identification HTTP Header fields: “From” User’s email address, request. Could be used by all browsers, but are only used for web-bots gathering data. “User-Agent” User’s browser software, request. “Referer” (Sic) Page user came from by following link

4 Client / Session Identification HTTP Header fields: “Authorization” User name and password “Client-ip” “X-Forwarded-For” Client-ip “Cookie”

5 Client / Session Identification User-Agent Gives the server information about the browser.

6 Client / Session Identification Client IP Address Not part of the HTTP header Available from the package Easily spoofed Changed by NATs and Proxies

7 Client / Session Identification HTTP login based on WWW-Authenticate and Authorization headers. 1. Browser requests page with GET 2. Server anwsers with: 401 Login Required, WWW-authenticate: Basic realm=“joe” 3. Browser resends GET request, adds Authorization: Basic am98re45 4. Server fulfills request. 5. Browser now will resend stored user-name with every request.

8 Client / Session Identification Fat URL Maintain state information in the URL Server generates a session id. Server adds session id to all URLs requested from the hyperlink. Amazon.com uses this technique. http://www.amazon.com/exec/obidos/subst/home/home. html/103-6082309-4209430 http://www.amazon.com/exec/obidos/subst/home/home. html/103-6082309-4209430 http://www.amazon.com/exec/obidos/ASIN/0439784549 /ref=s9_ts_r/103-6082309-4209430 http://www.amazon.com/exec/obidos/ASIN/0439784549 /ref=s9_ts_r/103-6082309-4209430 http://www.amazon.com/gp/cart/view.html/ref=ord_cart _shr/103-6082309-4209430 http://www.amazon.com/gp/cart/view.html/ref=ord_cart _shr/103-6082309-4209430

9 Cookies Cookies: ASCI strings stored at the browser. Submitted with each request to a target website.

10 Cookies Cookies: Session cookies Stored only for the duration of a web-session. Persistent cookies Remain stored until they expire.

11 Cookies Cookie-Jar Client-side state storage Netscape / Firefox store cookies in a single text file called cookies.txt MS IE stores cookies in the cache.

12 Cookies Server specifies optional domain. Cookie gets sent with all requests to this domain. Server specifies optional expiration date Server can specify “secure” option: Cookie is only sent when using SSL.

13 Cookies Version 0 cookies (Netscape cookies) Set-Cookie: name=value [;expires=date] [;path=path] [;domain-name = value] [;secure] Set-Cookie: customer=Mary; expires Wednesday, 09- September-2006 24:00:01 GMT; domain=“scu.edu”; path=/soe; secure

14 Cookies Version 1 cookies (RFC 296) Less-used Provides a number of extensions

15 Cookies Privacy risk Can be controlled by web-browser. Used to track consumer behavior. Harder, but possible to track an individual user.

16 Cookies Security Risk Users can change cookies before continuing to browse. Counter-measure: strong encryption Users could swap / steal cookies. E.g. when used for authentication Session Hijacking

17 Cookies Session Hijacking Counter measure: Server needs to send a new cookie after every change in state and verify that a request comes with a valid cookie. For example, by appending a MAC of session state to the cookie after each change of state.

18 Cookies Poor practices: Poor encryption of cookies. Web-based email uses a cookie for authentication. Cookie contains the user name encrypted by XOR-ing with a secret string. Attacker can crack the cookie encryption by creating fake accounts. Attacker can now craft a cookie useful for authentication. Something similar happened to hotmail and yahoo early on.

19 Cookies Poor practices: Poor encryption of cookies. Shopping cart encoded in cookie. Cookie contained shopping cart details in plain text. Attacker changed prices of items. Relying on cookie for authentication Cookie is sniffed from the net. Cookie is stolen by impersonating a web-site.

20 Cookie Alternative: Web Bugs Used to track viewers of web-sites. HTML page contains a request to download a resource from a “counting” site. The resource is so small that the viewer does not notice the download. Counting site receives the request and adds IP address to its user database.

21 Cookie Alternative: Web Bugs Examples: Found by Privacy Foundation on Intuit’s home page for Quicken.com several years ago. <IMG WIDTH=1 HEIGHT=1 border=0 SRC=“http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_Ru nOfSite_Any&db_acfr=4B31-C2FB- 10E2&event=reghome&group=register&time=1999.10.27.20.5 6.37”>

22 Cookie Alternative: Web Bugs Can be embedded in any html code. User profiles written in html. Email messages. But only when read with a client that can display HTML messages and with a computer connected to the internet. Usenet messages.

Download ppt "Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP Headers Client IP Address HTTP User Login FAT URLs Cookies."

Similar presentations

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.

Copyright © 2012 Certification Partners, LLC -- All Rights Reserved Lesson 4: Web Browsing.
1 Client Identification and Cookies Herng-Yow Chen.

1 Client Identification and Cookies Herng-Yow Chen.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.

A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
6/10/2015Cookies1 What are Cookies? 6/10/2015Cookies2 How did they do that?

6/10/2015Cookies1 What are Cookies? 6/10/2015Cookies2 How did they do that?
XP Browser and E-mail Basics1. XP Browser and E-mail Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.

XP Browser and Basics1. XP Browser and Basics2 Learn about Web browser software and Web pages The Web is a collection of files that reside.
Online Security Tuesday April 8, 2003 Maxence Crossley.

Online Security Tuesday April 8, 2003 Maxence Crossley.
Servlets and a little bit of Web Services Russell Beale.

Servlets and a little bit of Web Services Russell Beale.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.

1 The World Wide Web. 2  Web Fundamentals  Pages are defined by the Hypertext Markup Language (HTML) and contain text, graphics, audio, video and software.
Browser and E-mail Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.

Browser and Basics Tutorial 1. Learn about Web browser software and Web pages The Web is a collection of files that reside on computers, called.
Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.

Client, Server, HTTP, IP Address, Domain Name. Client-Server Model Client Bob Yahoo Server yahoo.com/finance.html A text file named finance.html.
Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.

Cookies COEN 351 E-commerce Security. Client / Session Identification HTTP does not maintain state. State Information can be passed using: HTTP Headers.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Lecturer: Ghadah Aldehim

Lecturer: Ghadah Aldehim
Computer Concepts 2014 Chapter 7 The Web and E-mail.

Computer Concepts 2014 Chapter 7 The Web and .
ITIS 1210 Introduction to Web-Based Information Systems Chapter 48 How Internet Sites Can Invade Your Privacy.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 48 How Internet Sites Can Invade Your Privacy.
Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Open Source Server Side Scripting ECA 236 Open Source Server Side Scripting Cookies & Sessions.

Similar presentations

Ads by Google