Web Security – Part 1: Cookies
Haipeng Dai, haipengdai@nju.edu.cn, 313 CS Building, Department of Computer Science and Technology, Nanjing University
Web Applications
Big trend: software as a (Web-based) service
─ Online banking, shopping, government, bill payment, tax preparation, customer relationship management, etc.
─ Cloud computing
Applications hosted on Web servers
─ Written in a mixture of PHP, Java, Perl, Python, C, ASP
Security is rarely the main concern
─ Poorly written scripts with inadequate input validation
─ Sensitive data stored in world-readable files
─ Recent push from Visa and Mastercard to improve the security of cardholder data handling (PCI DSS, the Payment Card Industry Data Security Standard)
Typical Web Application Design
Runs on a Web server or application server
Takes input from Web users (via the Web server)
Interacts with back-end databases and third parties
Prepares and outputs results for users (via the Web server)
Dynamically generated HTML pages
─ Contain content from many different sources, often including regular users
─ Blogs, social networks, photo-sharing websites…
Dangerous Websites
A “Web patrol” study at Microsoft identified 752 unique URLs that could successfully exploit unpatched Windows XP machines
─ Many are interlinked by redirection and controlled by the same major players
“But I never visit risky websites”
─ 11 exploit pages were among the 10,000 most visited sites
─ Trick: put up a page with popular content, get it into search engines, then have the page redirect to the exploit site
HTTP and Cookies
HTTP (Hypertext Transfer Protocol) is a stateless request/response protocol
─ Each request is independent of previous requests
Advantage of being stateless: servers do not need to retain information about users between requests.
HTTP is stateless, but Web applications are often stateful.
─ So the client has to remember things that the server needs to know.
Cookies are the common way of maintaining state.
─ A cookie is a piece of information that holds the state (or, more commonly, the session ID) of a client. Each cookie is a single name=value pair plus attributes (Domain, Path, Expires, Secure, HttpOnly); a request may carry several cookies at once.
Server: uses the Set-Cookie response header to ask the client’s browser to store a cookie.
Client: stores the cookie and sends it back, unchanged, in EVERY subsequent request whose host and path match the cookie’s Domain and Path attributes (and, for a Secure cookie, only over HTTPS).
Because the browser returns exactly what it was given, the server cannot trust anything in the cookie that it did not protect itself: application state kept directly in a cookie can be edited by the client. This is why the cookie usually carries only an unguessable, randomly generated session ID and the real state stays on the server.
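The exchange described on this slide, as an added example that is not from the original slides: a small Python model of both sides. The server issues a random session ID in a Set-Cookie header and keeps the user’s state in its own table; a client-side cookie jar stores the cookie and replays it only on requests that match its domain, path and Secure attribute, the way a browser does. The hostnames bank.example and evil.example, the user name alice and the cookie name sid are constructed sample input; the class and function names are this example’s own.

```python
"""Model of HTTP cookie handling: stateless requests, server-side session state,
and a browser-like cookie jar that replays stored cookies unchanged."""
import secrets
from urllib.parse import urlsplit


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def default_path(request_path):
    """RFC 6265 default-path: the request path up to (not including) its last '/'."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    return request_path.rsplit("/", 1)[0]


class CookieJar:
    """Client side: stores cookies and decides which ones a request gets to carry."""

    def __init__(self):
        self.cookies = {}  # (domain, path, name) -> attributes

    def store(self, request_url, set_cookie_header):
        """Store a cookie received in response to request_url; False if rejected."""
        host = urlsplit(request_url).hostname
        name, value, attrs = parse_set_cookie(set_cookie_header)
        domain = attrs.get("domain", "")
        if isinstance(domain, str) and domain:
            domain, host_only = domain.lstrip(".").lower(), False
            # a host may only set cookies for itself or a parent domain
            if not (host == domain or host.endswith("." + domain)):
                return False
        else:
            domain, host_only = host, True  # no Domain attribute: host-only cookie
        path = attrs.get("path")
        if not isinstance(path, str) or not path.startswith("/"):
            path = default_path(urlsplit(request_url).path)
        self.cookies[(domain, path, name)] = {
            "value": value, "host_only": host_only,
            "secure": bool(attrs.get("secure", False)),
            "httponly": bool(attrs.get("httponly", False)),
        }
        return True

    def cookie_header(self, request_url):
        """Build the Cookie header for a request, or None if no cookie matches."""
        url = urlsplit(request_url)
        host, path = url.hostname, url.path or "/"
        pairs = []
        for (domain, cpath, name), c in self.cookies.items():
            if c["host_only"]:
                domain_ok = host == domain
            else:
                domain_ok = host == domain or host.endswith("." + domain)
            path_ok = path == cpath or (path.startswith(cpath) and
                                        (cpath.endswith("/") or path[len(cpath)] == "/"))
            if domain_ok and path_ok and (not c["secure"] or url.scheme == "https"):
                pairs.append(f"{name}={c['value']}")
        return "; ".join(pairs) if pairs else None


class SessionServer:
    """Server side: state lives here; the cookie carries only an opaque session ID."""

    def __init__(self):
        self.sessions = {}

    def login(self, user):
        """Create a session and return the Set-Cookie header value to send back."""
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, unguessable
        self.sessions[sid] = {"user": user}
        return f"sid={sid}; Path=/; Secure; HttpOnly"

    def whoami(self, cookie_header):
        """Map the Cookie header of a request to a user, or None if no valid session."""
        if not cookie_header:
            return None
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            if name == "sid":
                return self.sessions.get(value, {}).get("user")
        return None


def demo():
    """Walk through the request/response exchange; constructed sample hosts and user."""
    server, jar = SessionServer(), CookieJar()
    login_url = "https://bank.example/login"
    # request 1 carries no cookie; the response carries Set-Cookie, which the jar stores
    jar.store(login_url, server.login("alice"))
    # request 2 to the same host: the jar replays the cookie unchanged, server finds alice
    user = server.whoami(jar.cookie_header("https://bank.example/account"))
    # a request to another site gets no cookie at all
    cross_site = jar.cookie_header("https://evil.example/")
    # a plain-HTTP request to the same host: the Secure cookie is withheld
    plain_http = jar.cookie_header("http://bank.example/account")
    # a forged session ID is unknown to the server's table, so no user is recovered
    forged = server.whoami("sid=guess")
    return user, cross_site, plain_http, forged
```

Running demo() returns the identified user for the second request and None for the cross-site, plain-HTTP and forged cases; the jar never modifies a value, it only decides whether to attach it, which is exactly why the session ID must be random and looked up server-side rather than trusted as data.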