COEN 350: Network Security E-Commerce Issues. Table of Content HTTP Authentication Cookies.


1 COEN 350: Network Security. E-Commerce Issues

2 Table of Contents
- HTTP Authentication
- Cookies

3 HTTP Authentication: HTTP
HTTP is basically very simple.
- GET: used to read a resource from a website.
- POST: sends data to a website.
Some header data has security implications:
- The FROM field contains an email address. It is not sent by default, only if the browser is configured that way. It is used by spiders (crawlers) so that admins can complain about spider behavior.

4 HTTP Authentication: HTTP
Some header data has security implications:
- AUTHORIZATION field: contains authentication data.
- COOKIE field: see below.
- REFERRER (spelled REFERER in the protocol) field: contains the URL of the page from which the client came.

5 HTTP Authentication: Authentication
- URLs allow username / password data to be embedded.
- HTTP 1.1 has two authentication mechanisms.
- Can use SSL, integrated as HTTPS.

6 HTTP Authentication: URL Authentication

7 HTTP Authentication: URL Authentication
Can be abused in phishing expeditions.

8 HTTP Authentication
Native HTTP provides a challenge / response framework.

9 HTTP Authentication: HTTP Authenticator, Base 64 Username / Password Encoding
- The username and the password are sent in base 64 encoding (the Basic scheme).
- Completely insecure: the data is not humanly readable, but it is easy to decode.
- Even easier to replay the authorization header as captured.

10 HTTP Authentication: HTTP Authenticator, Digest Authentication
The challenge includes:
- The WWW-Authenticate field reads "Digest".
- The realm field gives the authentication realm.
- The nonce field contains a value to be used as a nonce.
- The opaque field contains a value that the server needs the client to pass back to it unchanged.
- The stale field indicates whether the previous request was denied because the nonce was stale.
- The algorithm field specifies the hash algorithm to be used, typically MD5.
- The qop (quality of protection) field can contain the value "auth" for authentication only or the value "auth-int" for both authentication and integrity protection.

11 HTTP Authentication: HTTP Authenticator, Digest Authentication
The response includes the challenge values and a client nonce.
- The digest is calculated with the hash algorithm requested, from the challenge data, the username, the password and the client nonce.
- The client nonce prevents someone spoofing the server from controlling all of the data that goes into the digest.
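An added example, not part of the slides, that contrasts the two authenticators from slides 9 to 11: a Basic header decodes back to the password in one call, while a Digest response (RFC 2617, qop=auth or auth-int) binds the credentials to the realm, the request and both nonces, so the server rejects a captured response once it issues a fresh nonce. Function names are my own; the values used in the checks are the worked example from RFC 2617.

```python
import base64
import hashlib
import hmac


def _md5_hex(data: str) -> str:
    # Digest authentication as described on the slides specifies MD5;
    # it is used here because the scheme requires it, not as a recommendation.
    return hashlib.md5(data.encode()).hexdigest()


def basic_header(username: str, password: str) -> str:
    # Basic scheme: base 64 of "username:password". Encoding, not encryption.
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def decode_basic(header: str):
    # Anyone who sees the header (proxy, log, network capture) recovers
    # the credentials directly.
    scheme, _, blob = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(blob).decode().partition(":")
    return user, password


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce,
                    qop="auth", body=b""):
    # HA1 ties the credentials to the realm, HA2 ties the request (and, for
    # auth-int, the body) in; the server nonce, nonce count and client nonce
    # are mixed into the final hash, so the result is specific to one exchange.
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    if qop == "auth-int":
        ha2 = _md5_hex(f"{method}:{uri}:{hashlib.md5(body).hexdigest()}")
    else:
        ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def server_verify(stored_password, client_response, **request_params) -> bool:
    # Server side: recompute the digest from the stored password and the
    # challenge it actually issued, then compare in constant time. A response
    # computed for an old nonce does not verify against the new challenge.
    expected = digest_response(password=stored_password, **request_params)
    return hmac.compare_digest(expected, client_response)
```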

12 Cookies
- HTTP is stateless. Good for requesting resources; bad if the server needs to update state based on the client's actions.
- Fat URLs carry state in the URL and change server state.
- Cookies maintain state at the client site.
- E-commerce integrates both.

13 Cookies: How Cookies Work
- Client contacts server.
- Server includes a cookie in the answer ("slapping a cookie").
- Client stores the cookie in its cookie jar.
- When the client goes to the same website again, the browser passes unexpired cookies along.

14 Cookies: Cookie Types
- Permanent cookies: valid for more than a single transaction.
- Session cookies: deleted when the browser is closed.

15 Cookies
Cookies contain a domain field. Example:
- Alice visits www.scu.edu.
- scu.edu slams her with Set-Cookie: user="Alice"; domain="scu.edu"
- Alice visits cse.scu.edu.
- The browser includes the cookie in the header of the request because it matches the domain.

16 Cookies
Domain field:
- Specifies to whom cookies will be sent.
- Limited to specific sites, e.g. a domain of .com, .ft or .edu is not allowed.
Path field:
- Limits cookie sending to a given path.
- Example: path = "www.cse.scu.edu/~tschwarz/coen350_04"

17 Cookies: Cookie Versions
- Netscape cookies = Version 0 cookies.
- RFC 2965 cookies = Version 1 cookies. RFC 2965: HTTP State Management Mechanism.

18 Cookies: Version 0 Cookies
Set-Cookie: name=value [; expires=date] [; path=path] [; domain=domain] [; secure]
Secure: only include this cookie with HTTPS (i.e. with SSL) requests.

19 Cookies: Web Bugs
- A web page can contain resources addressed by URL, e.g. an ad from an ad server.
- Web bug: typically a 1 by 1 image, hence invisible.
- The browser fetches the URL specified and sends along the cookies belonging to that URL's domain.
- The referrer field contains the referring URL, so the ad server learns which page was viewed.

20 Cookies: Spying Cookies

21 Cookies: Unprotected Cookies
- Servers need to protect themselves against users altering cookies.
- Plain text cookies are simple to forge: change state information such as the prices of items in a shopping cart, or gain unauthorized access by changing the user-id.
- Encryption of cookies needs to be understood and strong.

