Srinivas Balivada USC CSCE548 07/22/2016
• Cookies are generally set server-side using the 'Set-Cookie' HTTP header and sent to the client.
• In PHP the cookie arguments are set with: setcookie(name, value, expire, path, domain, secure, httponly);
• SSL/TLS can be used to prevent this by encrypting the network packets.
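As an added example (not code from the original slides), the following shows how the seven setcookie() arguments listed above map onto the Set-Cookie header the browser receives, with the default (weak) call next to the hardened one. The cookie name PHPSESSID is PHP's default session cookie name; the session ID value is a constructed placeholder.

```php
<?php
// Added example, not code from the original slides: how the arguments of
// PHP's setcookie() map onto the Set-Cookie header the browser receives.
// $sessionId is a constructed sample value, not a real session identifier.

// Hardened call, made before any output so the response headers can still
// be modified: session cookie (expire = 0), site-wide path, no explicit
// domain, Secure and HttpOnly both set.
$sessionId = 'a3f1c9e2b7d4';
setcookie('PHPSESSID', $sessionId, 0, '/', '', true, true);

// Builds a header line equivalent to what setcookie() emits for the same
// argument list (PHP itself also appends Max-Age when an expiry is given).
function build_set_cookie(string $name, string $value, int $expire = 0,
                          string $path = '', string $domain = '',
                          bool $secure = false, bool $httponly = false): string
{
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
    if ($expire > 0) {
        // The Expires attribute takes an RFC 1123 date in GMT.
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $expire) . ' GMT';
    }
    if ($path !== '')   { $header .= '; Path=' . $path; }
    if ($domain !== '') { $header .= '; Domain=' . $domain; }
    if ($secure)        { $header .= '; Secure'; }   // sent over HTTPS only
    if ($httponly)      { $header .= '; HttpOnly'; } // not visible to document.cookie
    return $header;
}

// Weak form: the optional arguments left at their defaults, so the cookie
// is also sent over plain HTTP and is readable by page scripts.
echo build_set_cookie('PHPSESSID', $sessionId), "\n";

// Hardened form: the header the setcookie() call above produces.
echo build_set_cookie('PHPSESSID', $sessionId, 0, '/', '', true, true), "\n";
```

Run with `php cookie_demo.php`: the first line carries only the name=value pair, the second adds `Path=/; Secure; HttpOnly`. The Secure flag is what ties the cookie to the SSL/TLS protection mentioned on the slide; without it the same cookie is sent in the clear on any http:// request to the site.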

• How to predict a session ID value?

• A malicious user connects to the server and provides his valid credentials. He gets an identifier value, 7625, back from the server. This value might be in the form of a URL or a cookie. He then closes the browser and tries again with the same valid username and password. This time he gets the value 7627 back. It looks like this is an incrementing value, and someone else possibly logged on between the first user's two logons.
• CVE is a practical example of the sin.
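The scenario above is the kind of thing a code review or test pass should catch before an attacker does. As an added example (not from the original slides), the check below takes the identifiers a server handed out to successive logins and reports whether they behave like a counter, together with an upper bound on how much entropy an identifier of that shape could carry. The sample identifiers are constructed: the slide's two values, and two hex strings of the kind a CSPRNG-backed generator would produce.

```php
<?php
// Added example, not code from the original slides: a review-time check
// for counter-like session identifiers. All sample IDs are constructed.

// True when every ID is a decimal number and each one is a small positive
// step above the previous one, i.e. the server is handing out a counter.
function looks_sequential(array $ids, int $maxGap = 100): bool
{
    if (count($ids) < 2) {
        return false;
    }
    for ($i = 1; $i < count($ids); $i++) {
        $prev = (string) $ids[$i - 1];
        $cur  = (string) $ids[$i];
        if (!ctype_digit($prev) || !ctype_digit($cur)) {
            return false;   // not a plain integer, so not a simple counter
        }
        $gap = (int) $cur - (int) $prev;
        if ($gap <= 0 || $gap > $maxGap) {
            return false;
        }
    }
    return true;
}

// Upper bound on the entropy an ID of this alphabet and length can carry.
// A real generator may supply far less; this only exposes IDs that are
// too short to be safe no matter how they were produced.
function max_entropy_bits(string $id): float
{
    if ($id === '') {
        return 0.0;
    }
    if (ctype_digit($id)) {
        $alphabet = 10;
    } elseif (ctype_xdigit($id)) {
        $alphabet = 16;
    } elseif (ctype_alnum($id)) {
        $alphabet = 62;
    } else {
        $alphabet = 94;   // printable ASCII
    }
    return strlen($id) * log($alphabet, 2);
}

// Constructed samples: the two logins from the slide, then two 128-bit
// hex identifiers of the form bin2hex(random_bytes(16)) returns.
$counterIds = ['7625', '7627'];
$randomIds  = ['9f3c0a7e41b2d6c85e1f7a903b4c2d11', '02e7b6d4f19a8c3e5d7b2f4a6c8e0b13'];

foreach (['counter' => $counterIds, 'random' => $randomIds] as $label => $ids) {
    printf("%-8s sequential=%-3s max entropy=%.1f bits\n",
           $label,
           looks_sequential($ids) ? 'yes' : 'no',
           max_entropy_bits($ids[0]));
}
```

The counter sample is flagged as sequential and, at four decimal digits, can carry at most about 13 bits; the hex sample is not sequential and has a 128-bit upper bound. A sequential result is a finding in its own right regardless of the entropy figure, because the next identifier can be guessed from the current one.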

• Code review
  ◦ Code review is the best way to detect the attack.
  ◦ Tools such as TamperIE and Fiddler are used to detect the attack.

• Use SSL, TLS, IPSec or any other encryption technology.
• Hash the concatenated string to mitigate this attack.

• Attacker modifies data:
  ◦ Message authentication code (MAC)

• Attacker predicts the data:
  ◦ A connection identifier built from cryptographically random numbers solves this problem.
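The two mitigations just listed (a MAC against modification, a cryptographically random identifier against prediction), together with the keyed hash over a concatenated string from the earlier slide, are shown in code below. This is an added example and not code from the original slides; the server key is a constructed placeholder, and in a real deployment it would come from configuration, never from the request.

```php
<?php
// Added example, not code from the original slides: an unpredictable
// session identifier plus a MAC over the cookie contents, so that a value
// an attacker edits or guesses is rejected. SERVER_KEY is a constructed
// placeholder; load a real key from configuration.

const SERVER_KEY = 'constructed-placeholder-key';

// 128 bits from the CSPRNG: knowing earlier IDs says nothing about the next.
function new_session_id(): string
{
    return bin2hex(random_bytes(16));
}

// Concatenate the fields and append an HMAC over them. Changing any field
// without the key produces a MAC mismatch.
function seal(string $sessionId, string $userId): string
{
    $payload = $sessionId . ':' . $userId;
    return $payload . ':' . hash_hmac('sha256', $payload, SERVER_KEY);
}

// Returns [sessionId, userId], or null when the value fails verification.
function unseal(string $cookie): ?array
{
    $parts = explode(':', $cookie);
    if (count($parts) !== 3) {
        return null;
    }
    [$sessionId, $userId, $mac] = $parts;
    $expected = hash_hmac('sha256', $sessionId . ':' . $userId, SERVER_KEY);
    // hash_equals() compares in constant time so the check does not leak
    // how many leading bytes of the MAC were right.
    if (!hash_equals($expected, $mac)) {
        return null;
    }
    return [$sessionId, $userId];
}

// Issue a cookie for user 42 and verify it as received.
$cookie = seal(new_session_id(), '42');
var_dump(unseal($cookie) !== null);

// A client that rewrites the user field without the key fails verification.
$tampered = preg_replace('/:42:/', ':1:', $cookie, 1);
var_dump(unseal($tampered));
```

The first var_dump reports true and the second NULL. Note that the MAC only guarantees integrity: the fields are still readable by whoever holds the cookie, which is why the slides separately warn against embedding confidential data in any HTTP construct.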

• Do test all web input, including forms and cookies, with malicious input.
• Do not embed confidential data in any HTTP or HTML construct.
• Do not trust any data, confidential or not, in a web form, because malicious.

[1] M. Howard, D. LeBlanc, and J. Viega, 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill.