Presentation is loading. Please wait.

Presentation is loading. Please wait.

CIT 485: Advanced Cybersecurity

Published byΊησους Μπλέτσας Modified over 6 years ago

Similar presentations

Presentation on theme: "CIT 485: Advanced Cybersecurity"— Presentation transcript:

1 CIT 485: Advanced Cybersecurity
HTTP and TLS

2 Topics How HTTP works HTTP methods, headers, and responses
URIs, URLs, and URNs Statelessness Cookies More HTTP methods and headers Proxying and Caching HTTP Vulnerabilities Transport Layer Security (TLS)

3 HTTP: HyperText Transfer Protocol
Request for Resource Response Web Client Web Server

4 Pages Require Many Requests

5 HTTP GET Request Method URL Protocol Version Headers
GET HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/ Firefox/35.0 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Cookie: rememberme=true; PREF=ID=21039ab4bbc49153:FF=4 Blank Line No Data for GET method

6 HTTP POST Request Method URL Protocol Version Headers
POST HTTP/1.1 Host: User-Agent: Mozilla/5.0 (Windows NT 6.2) Gecko/ Firefox/35.0 Accept: text/html, image/png, */* Accept-Language: en-us,en;q=0.5 Blank Line name=Jane+Doe&sex=female&color=green&over6feet=true&over200pounds=false&athleticability=NA POST data

7 HTTP Response Protocol Version HTTP Response Code HTTP/1.1 200 OK
Cache-Control: private Content-Type: text/html Server: GWS/2.1 Date: Fri, 13 Oct :16:30 GMT <HTML> ... (page data) ... </HTML> Headers Blank Line Web Page Data

8 Common HTTP Methods Method Description GET
Retrieve resource located at specified URI. HEAD Retrieve metadata about resource located at specified URI. Useful for caches to determine if they need to retrieve an updated resource. PUT Create or replace resource located at specified URI with resource provided by client. DELETE Delete resource located at specified URI. OPTIONS Return list of HTTP methods that can be used with specified URI. POST Create a new resource under the specified URI, e.g. adding a new message in a web forum, adding a comment to a blog post, annotating a photo, etc. In summary, POST is a way for a client to create a new resource without knowing its URI; the client just knows the URI of a “parent” or “factory” resource.

9 Idempotence and Safety
An operation is safe if making the request will not change any state on the server. GET, HEAD, and OPTIONS are safe. An operation is idempotent if making one request has the same effect as making a series of identical requests. PUT and DELETE are idempotent. POST is neither safe nor idempotent. It is possible for servers to misuse requests like GET. Example: GET If misused, testing tools, spiders, caches can destroy data.

10 Common HTTP Response Codes
Meaning 200 OK Resource is available in the body of the response. No errors. 400 BAD REQUEST Client sent a request with an error. If there is a response body, it contains an error message. 500 INTERNAL SERVER ERROR Server error. If there is a response body, it contains an error message. 301 MOVED PERMANENTLY Client triggered action that caused URI to change or attempted to access old URI. 404 NOT FOUND No resource is available at the specified URI. 410 GONE Resource is no longer available at the specified URI. 409 CONFLICT Client requested action that would put resources in an inconsistent state.

11 Common Request Headers
Description Accept: Content-types (Internet media types) acceptable for response. Authorization: Authentication credentials for HTTP authorization. Cookie: Sends state previously set by server back to server. Content-Length: Length of data in body (important for POST requests.) Host: Name of server (and port if not default). Mandatory in HTTP/1.1. If-Modified-Since: Server should only return a response if the data was modified since date specified in this header. Referer: URL of web page from which a link was followed to produce this request. Some URLs contain sensitive information, so some sites use intermediate services to anonymize this header. User-Agent: String that identifies browser, typically containing a product name and version (Firefox/36.0), layout name and version (Gecko/2010), operating system (Linux x86_64), and compatibility (Mozilla/5.0).

12 Common Response Headers
Description Content-Length: Specifies length of response body sent to browser except in the case of chunked data, where chunk lengths are sent in body. Content-Type: Internet media type of data being sent to browser. Location: Used in redirection responses. Server: Server identification string, e.g. Apache/ Set-Cookie: Creation or overwriting of an HTTP cookie. Transfer-Encoding: Specifies encoding (compression type or chunked) for page data sent to browser. WWW-Authenticate: Specifies type of HTTP authentication that should be used.

13 HTTP Header Parsing Handling of duplicate headers.
~50% of browsers/servers will use first header. ~50% of browsers/servers will use last header. Mixing of protocol versions Difficult to predict effect of mixing of 1.0 and 1.1 headers, especially when headers have the same purpose. Ex: Expires(1.0) and Cache-Control(1.1) headers. Semicolon-delimited header values Quoted string format values not handled well by IE. Content-Disposition: attach; filename=“evil.exe;.txt”

14 Internet Media Types Standards Format Handling in HTTP
MIME (Multipurpose Internet Mail Extensions) IANA maintains official registry of types at Format Type/Subtype; Optional Parameters Example: text/html; charset=UTF-8 Handling in HTTP Requested in Accept: header. Specified by server in Content-Type: header. Browser may view directly, use plug-in, or start an external program.

15 HTTP Standards Historical Standards
HTTP 0.9 (1991) 1st documented version. HTTP 1.0 (1996) defined in RFC 1945. HTTP 1.1 (1999) defined in RFC 2616. Current Standard (well specified HTTP/1.1, 2014) RFC 7230: Message Syntax and Routing RFC 7231: Semantics and Content RFC 7232: Conditional Requests RFC 7233: Range Requests RFC 7234: Caching RFC 7235: Authentication

16 HTTP/2 Focused on performance; no semantics changes Status
Based on Google’s SPDY protocol. Single TCP connection for each client/server pair. Allows multiple requests and responses to be sent simultaneously over same connection. HPACK header compression. Server can push additional documents (images, stylesheets, scripts, iframes). Status Released in Used in 31% of web sites in 2018.

17 HTTP/3 HTTP over QUIC Quick UDP Internet Connections (QUIC) vs TCP
Similar to HTTP/2 + TCP + TLS implemented on UDP Uses connection IDs to track HTTP connections Instead of source IP+port + destination IP+port in HTTP/2 Allows mobile devices to migrate connections if IP changes Quick UDP Internet Connections (QUIC) vs TCP Dramatically reduced connection establishment time Improved congestion control Multiplexing without head of line blocking Forward error correction

18 HTTP is a stateless protocol
A stateful protocol allows requests to move the server into a different state, in which a request may produce a different result. Example protocols: FTP, SMTP, TCP FTP command “get rest.txt” will return a different file when cwd is /public rather than /private. A stateless protocol treats each request as an independent transaction that is unrelated to any previous request so that communication consists of independent pairs of requests and responses. Examples: HTTP, IP

19 Stateless and Stateful Architectures

20 Handling Statelessness
Store state information directly in the address (URI) To access second page in google search for “http”: q=http&safe=off&start=10 Works best for web services. Store state indirectly in an HTTP header (cookies) Most common type of state storage. Some plug-ins can store state. Flash cookies are the most common type. HTML 5 provides browser storage features.

21 More HTTP Methods Method Description COPY Copies file to path in Destination header. Part of WebDAV specification. MOVE Moves file to path in Destination header. Part of WebDAV specification. SEARCH Searches directory path for resources. PROPFIND Retrieves information about resources, such as author, size, content-type. CONNECT Make non-HTTP connections via HTTP proxies. TRACE Returns exact request received by header in response body. Can be used to bypass HttpOnly cookie protection against XSS attacks.

22 HTTP TRACE Example $ telnet localhost 80
Trying... Connected to Escape character is '^]'. TRACE / HTTP/1.1 Host: foo x-myheader: spam HTTP/ OK Date: Mon, 04 Mar :34:45 GMT Server: Apache/ (Unix) Connection: close Content-Type: message/http TRACE / HTTP/1.0 Connection closed.

23 HTTP Proxies Browser configured to proxy GET request
GET HTTP/1.1 User-Agent: mybrowser/2.0 Host: URL and Host specifications Perform same task. Evolved separately. Proxy must be careful to avoid being tricked into caching page from one as page from another site Host:

24 HTTP Caching HTTP/1.1 cache behavior Cache-Control header
GETs with 200, 301, &c responses may be cached. Cache may be returned to any future requests for that URL even if headers differ, including cookies. Cache may revalidate content (with If-Modified-Since header) before reuse but is not required to do so. Cache-Control header Public: document is cacheable publicly. Private: proxies are not permitted to cache. No-cache: cache but don’t reuse; only FF supports. No-store: do not cache this document at all. Pragma: no-cache from HTTP/1.0 still in use.

25 HTTP Headers HTTP headers can be vulnerable to
Injection Attacks, including SQL Injection Cross-Site Scripting (XSS) Most commonly vulnerable headers Referer User-Agent String userAgent = request.getHeader(“user-agent”); String sQuery = “DELETE FROM UP_USER_UA_MAP WHERE USER_ID=“ + userId + “ AND USER_AGENT=‘” + userAgent + “’” ... stmt.executeUpdate(sQuery);

26 HTTP Header Injection Add new header + body content to HTTP response.
Client sends input containing end-of-line (EOL) HTTP EOL is CR/LF (\r\n, %0d%0a URL-encoded) Example Code: String author = request.getParameter(AUTHOR_PARAM); ... Cookie cookie = new Cookie("author", author); cookie.setMaxAge(cookieExpiration); response.addCookie(cookie);

27 HTTP Response Splitting
Malicious input submitted via AUTHOR_PARAM form input: A Hacker\r\nHTTP/ OK\r\nContent-Type: text/html\r\n <html>Hacker Content</html> Resulting HTTP responses HTTP/ OK Set-Cookie: author=A Hacker Content-Type: text/html <html>Hacker Content</html>

28 Response Splitting Impact
Attacker controls page contents Page defacement. Can redirect to attacker controlled site. Script executes in context of legitimate site JavaScript sent by attacker as part of second response has access to cookies and other data of legitimate site.

29 Cache Poisoning Attack
Select a page to poison in proxy cache. Replace /admin with phishing trojan. Locate header injection vulnerability. Inject second response body with trojan. Connect to proxy and send requests. First request is header injection described above. Second request is for page that’s being poisoned. Proxy talks to app, gets response. Proxy interprets 2nd response body as response to attacker’s 2nd pipelined request. Updates cache with trojan version.

30 Transport Layer Security (TLS)
TLS protocol provides security features for other protocols, such as HTTP, IMAP, etc. Authentication of server to client. Optional authentication of client to server. Confidentiality of communication. Integrity of communication. TLS 1.0 was published in 1999. SSL 2.0 was first released in 1995 (insecure) TLS 1.2 is current, defined in 2008. TLS 1.3 published on August 10, 2018.

31 TLS Operation Figures 5.3 from Stallings

32 TLS Handshake

33 Cipher Suites Key Exchange Algorithm Bulk Encryption Algorithm
Used to exchange session keys for bulk encryption algorithm. Examples: RSA, Diffie-Hellmann, Elliptic Curve Diffie-Hellman Bulk Encryption Algorithm Used to encrypt message stream. Examples: RC4-128, Triple-DES, AES-128, AES-256 Message Authentication Code MAC is keyed hash function to ensure integrity. Based on MD5, SHA-1, or SHA-2, key based on master secret. Pseudorandom Function Used to create master secret, a 48-byte secret shared with both parties. Used to create session keys.

34 TLS Cipher Suite Example
TLS_DHE_RSA_WITH_AES_128_CBC_SHA DHE is the Key Exchange Algorithm RSA for Authentication (digital signatures) AES is the Bulk Encryption Algorithm 128 is the length of the keys CBC is the mode used for the BEA. SHA is the MAC algorithm used for HMAC.

35 Key Size and Security Protection Symmetric Public Key Diffie- Hellman
Elliptic Curve Hash Short term against small organizations 64 816 128 Very short term against agencies 80 1248 160 Short term against agencies (10 years) 96 1776 192 Medium term against agencies (20 years) 112 2432 224 Long term protection (30 years) 3248 256 Long term protection with increased defense against quantum computers. 15424 512

36 TLS Client Test Test browser TLS by going to
Does your browser support latest TLS version? Does your browser support weak cipher suites? Check other clients by going to Are you or your customers using any of the clients that are missing secure TLS versions and features?

37 TLS Server Test Go to https://www.ssllabs.com/ssltest/
Test the following servers A server of your own choice. Compare configurations with top servers at Discuss server configurations.

38 How Clients Use Certificates

39 Classic TLS MITM Attack
Browser MITM Server Client requests TLS connection Attacker establishes TLS connection with server. Attacker establishes TLS connection with client using MITM certificate. Client requests data via HTTPS Attacker decrypts client request and forwards to server. Attacker decrypts server data and forwards to client. Client receives data from server over SSL link with MITM.

40 Key Points Requests Stateless architecture Cookies
Idempotence Safety Stateless architecture Cookies HTTP response splitting Cache poisoning Transport Layer Security

41 References David Gourley et. Al., HTTP: The Definitive Guide, O’Reilly, 2002. Krishnamurthy et. Al., Key Differences Between HTTP/1.0 and HTTP/1.1, Mark Nottingham, RFC 2616 is Dead, Dafydd Stuttart and Marcus Pinto, The Web Application Hacker’s Handbook, 2nd Edition, Wiley, 2011. HTTP/2 Home Page, Sanctum, “HTTP Response Splitting Whitepaper,” esponse.pdf, 2004. Michael Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2011. The Illustrated TLS Connection: Every Byte Explained

42 Released under CC BY-SA 3.0
This presentation is released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share — to copy and redistribute the material in any medium to Adapt— to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at

Download ppt "CIT 485: Advanced Cybersecurity"

Similar presentations

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.

Hypertext Transfer PROTOCOL ----HTTP Sen Wang CSE5232 Network Programming.
TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.

TCP/IP Protocol Suite 1 Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. Chapter 22 World Wide Web and HTTP.
Cryptography and Network Security

Cryptography and Network Security
Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)

Socket Layer Security. In this Presentation: need for web security SSL/TLS transport layer security protocols HTTPS secure shell (SSH)
An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.

An Introduction to Secure Sockets Layer (SSL). Overview Types of encryption SSL History Design Goals Protocol Problems Competing Technologies.
Hypertext Transfer Protocol Kyle Roth Mark Hoover.

Hypertext Transfer Protocol Kyle Roth Mark Hoover.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.

HTTP Hypertext Transfer Protocol. HTTP messages HTTP is the language that web clients and web servers use to talk to each other –HTTP is largely “under.
How the web works: HTTP and CGI explained

How the web works: HTTP and CGI explained
Chapter 2 Application Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July.

Chapter 2 Application Layer Computer Networking: A Top Down Approach Featuring the Internet, 3 rd edition. Jim Kurose, Keith Ross Addison-Wesley, July.
2/9/2004 Web and HTTP February 9, 2004. 2/9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.

2/9/2004 Web and HTTP February 9, /9/2004 Assignments Due – Reading and Warmup Work on Message of the Day.
Hypertext Transport Protocol CS - 328 Dick Steflik.

Hypertext Transport Protocol CS Dick Steflik.
Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.

Rensselaer Polytechnic Institute CSC-432 – Operating Systems David Goldschmidt, Ph.D.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as e-mail.

Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.
FTP (File Transfer Protocol) & Telnet

FTP (File Transfer Protocol) & Telnet
Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.

Simple Web Services. Internet Basics The Internet is based on a communication protocol named TCP (Transmission Control Protocol) TCP allows programs running.
HyperText Transfer Protocol (HTTP).  HTTP is the protocol that supports communication between web browsers and web servers.  A “Web Server” is a HTTP.

HyperText Transfer Protocol (HTTP).  HTTP is the protocol that supports communication between web browsers and web servers.  A “Web Server” is a HTTP.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.

CP476 Internet Computing Lecture 5 : HTTP, WWW and URL 1 Lecture 5. WWW, HTTP and URL Objective: to review the concepts of WWW to understand how HTTP works.

Similar presentations

Ads by Google