Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks.

Published byAriel Lynch Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks."— Presentation transcript:

1 Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks used to achieve statefulness –Usually requiring programmers to provide the state –Often trying to minimize work for the server

2 Lecture 16 Page 2 CS 236 Online A Simple Example Web sites are set up as graphs of links You start at some predefined point –A top level page, e.g. And you traverse links to get to other pages But HTTP doesn’t “keep track” of where you’ve been –Each request is simply the name of a link

3 Lecture 16 Page 3 CS 236 Online Why Is That a Problem? What if there are unlinked pages on the server? Should a user be able to reach those merely by naming them? Is that what the site designers intended?

4 Lecture 16 Page 4 CS 236 Online A Concrete Example The ApplyYourself system Used by colleges to handle student applications For example, by Harvard Business School in 2005 Once all admissions decisions made, results available to students

5 Lecture 16 Page 5 CS 236 Online What Went Wrong? Pages representing results were created as decisions were made Stored on the web server –But not linked to anything, since results not yet released Some appliers figured out how to craft URLs to access their pages –Finding out early if they were admitted

6 Lecture 16 Page 6 CS 236 Online The Core Problem No protocol memory of what came before So no protocol way to determine that response matches request Could be built into the application that handles requests But frequently isn’t –Or is wrong

7 Lecture 16 Page 7 CS 236 Online Solution Approaches Get better programmers –Or better programming tools Back end system that maintains and compares state Front end program that observes requests and responses –Producing state as a result Cookie-based –Store state in cookies (preferably encrypted)

8 Lecture 16 Page 8 CS 236 Online Data Transport Issues The web is inherently a network application Thus, all issues of network security are relevant And all typical network security solutions are applicable Where do we see problems?

9 Lecture 16 Page 9 CS 236 Online (Non-) Use of Data Encryption Much web traffic is not encrypted –Or signed As a result, it can be sniffed Allowing eavesdropping, MITM attacks, alteration of data in transit, etc. Why isn’t it encrypted?

10 Lecture 16 Page 10 CS 236 Online Why Web Sites Don’t Use Encryption Primarily for cost reasons Crypto costs cycles For high-volume sites, not encrypting messages lets them buy fewer servers They are making a cost/benefit analysis decision And maybe it’s right?

11 Lecture 16 Page 11 CS 236 Online Problems With Not Using Encryption Sensitive data can pass in the clear –Passwords, credit card numbers, SSNs, etc. Attackers can get information from messages to allow injection attacks Attackers can readily profile traffic –Especially on non-secured wireless networks

12 Lecture 16 Page 12 CS 236 Online Firesheep Many wireless networks aren’t encrypted Many web services don’t use end-to-end encryption for entire sessions Firesheep was a demo of the dangers of those in combination Simple Firefox plug-in to scan unprotected wireless nets for unencrypted cookies –Allowing session hijacking attacks When run in that environment, tended to be highly successful

13 Lecture 16 Page 13 CS 236 Online Why Does Session Hijacking Work? Web sites try to avoid computation costs of encryption So they only encrypt login Subsequent HTTP messages “authenticated” with a cookie Anyone who has the cookie can authenticate The cookie is sent in the clear... So attacker can “become” legit user

14 Lecture 16 Page 14 CS 236 Online Using Encryption on the Web Some web sites support use of HTTPS –Which permits encryption of data –Based on TLS/SSL Performs authentication and two-way encryption of traffic –Authentication is certificate-based HSTS (HTTP Strict Transport Security) requires browsers to use HTTPS

15 Lecture 16 Page 15 CS 236 Online Increased Use of Web Encryption These and other problems have led more major web sites to encrypt traffic E.g., Google announced in 2014 it would encrypt all search requests Facebook and Twitter adopted HSTS in 2014 Arguably, all web interactions should be encrypted

16 Lecture 16 Page 16 CS 236 Online Sometimes Encryption Isn’t Enough Especially powerful “attackers” can subvert this process –Man-in-the-middle attacks by ISPs –NSA compromised key management –NSA also spied on supposedly private links Usually impossible for typical criminal Hard or impossible for a user to know if this is going on

17 Lecture 16 Page 17 CS 236 Online Conclusion Web security problems not inherently different than general software security But generality, power, ubiquity of the web make them especially important Like many other security problems, constrained by legacy issues

Download ppt "Lecture 16 Page 1 CS 236 Online Exploiting Statelessness HTTP is designed to be stateless But many useful web interactions are stateful Various tricks."

Similar presentations

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.

Cryptography Chapter 7 Part 4 Pages 833 to 874. PKI Public Key Infrastructure Framework for Public Key Cryptography and for Secret key exchange.
Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug 2013 - scotthel.me.

Session Hijacking Why web security depends on communications security and how TLS everywhere is the only solution. Scott Helme - 6th Aug scotthel.me.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Hacking Presented By :KUMAR ANAND SINGH 04-243,ETC/2008.

Hacking Presented By :KUMAR ANAND SINGH ,ETC/2008.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Man in the Middle Paul Box Beatrice Wilds Will Lefevers.

Man in the Middle Paul Box Beatrice Wilds Will Lefevers.
CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 14 Jonathan Katz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.

Certificates ID on the Internet. SSL In the early days of the internet content was simply sent unencrypted. It was mostly academic traffic, and no one.
Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.

Web Application Attacks ECE 4112 Fall 2007 Group 9 Zafeer Khan & Simmon Yau.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.

The World-Wide Web. Why we care? How much of your personal info was released to the Internet each time you view a Web page? How much of your personal.
Session Hijacking & ARP Poisoning Why web security depends on communications security and how TLS everywhere is the only solution.

Session Hijacking & ARP Poisoning Why web security depends on communications security and how TLS everywhere is the only solution.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.

Networks and Security. Types of Attacks/Security Issues  Malware  Viruses  Worms  Trojan Horse  Rootkit  Phishing  Spyware  Denial of Service.
1 Chapter 2 & Chapter 4 §Browsers. 2 Terms §Software §Program §Application.

1 Chapter 2 & Chapter 4 §Browsers. 2 Terms §Software §Program §Application.

Similar presentations

Ads by Google