
Chapter 7

Web Security
+
Chapter 3
This Machine Kills Secrets

Dr Rudi Rusdiah
T1005
8 Apr 2017
What is HTTP?
Year 2000: language transition from FTP (File Transfer Protocol) to HTTP (Hypertext Transfer Protocol) in the era of the World Wide Web (www).
HTTP: a generic communication protocol to transfer requests, responses & data (text or encoded binary) between Web clients & servers.
Also used by clients to access proxies, firewalls & gateways that communicate with servers in other protocols: (1) SMTP (Simple Mail Transfer); (2) NNTP (Network News Transfer); (3) FTP; (4) POP (Post Office Protocol); (5) WAIS (Wide Area Information Servers); (6) Gopher servers.
HTTP runs over TCP (Transmission Control Protocol), the Layer 4 transport protocol.
An HTTP session is initiated with the TCP 3-way handshake (TCP SYN) & terminated with a TCP FIN/ACK (acknowledge) packet; TCP port 80.
HTTP Commands:
GET / HTTP/1.1 - a request to retrieve an object from the server
HEAD / HTTP/1.1 - a request to retrieve the meta-info of an object
POST /cgi-bin/message.cgi HTTP/1.1 - a request to send an object to a handler on the server
PUT /home/mypage.html HTTP/1.1 - a request to send an object & place it directly on the server
DELETE /home/invitation.html HTTP/1.1 - a request to delete an object from the server
Example response (a redirect):
HTTP/1.1 301
Location: /WileyCDA/
If we enter www.google.com in the client browser, the client indicates what it wants from the server by sending a GET request; the server responds with the requested data.
The client/server relationship is also used in email. Email is stored in an electronic mailbox managed by the mail server; an email client (ie: Eudora or Outlook) sends a request to the mail server using the specified protocol, SMTP.
GET retrieves content (page, picture) from the Web server rather than modifying it.
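The request and response lines above in working form, as an added example that is not part of the slides: a small parser that splits an HTTP/1.1 message into its start line, headers and body, reads the request line or status line (the reason phrase is optional, as in the slide's "HTTP/1.1 301"), and classifies methods as read-only (GET, HEAD) versus state-changing (POST, PUT, DELETE). The sample request and response bytes are constructed for this example.

```python
# Added example (not from the slides): a minimal parser for the HTTP/1.1
# request and response messages listed above. Sample messages are constructed.
from dataclasses import dataclass, field
from typing import Dict, Tuple

# Methods that only read from the server (RFC 7231 "safe" methods); the others
# (POST, PUT, DELETE) change server state and should require authorisation.
SAFE_METHODS = {"GET", "HEAD"}


@dataclass
class HttpMessage:
    start_line: str
    headers: Dict[str, str] = field(default_factory=dict)
    body: bytes = b""


def parse_message(raw: bytes) -> HttpMessage:
    """Split an HTTP/1.x message into start line, headers and body.

    Header names are folded to lower case (they are case-insensitive). The
    body is everything after the first blank line; HTTP/1.1 requires CRLF
    line endings, but bare LF is tolerated for hand-typed test data.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        head, sep, body = raw.partition(b"\n\n")
    lines = head.decode("iso-8859-1").splitlines()
    if not lines:
        raise ValueError("empty message")
    msg = HttpMessage(start_line=lines[0].strip(), body=body)
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ValueError(f"malformed header line: {line!r}")
        msg.headers[name.strip().lower()] = value.strip()
    return msg


def parse_request_line(msg: HttpMessage) -> Tuple[str, str, str]:
    """'GET / HTTP/1.1' -> ('GET', '/', 'HTTP/1.1')."""
    parts = msg.start_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError(f"bad request line: {msg.start_line!r}")
    return parts[0], parts[1], parts[2]


def parse_status_line(msg: HttpMessage) -> Tuple[str, int, str]:
    """'HTTP/1.1 301 Moved Permanently' -> ('HTTP/1.1', 301, 'Moved Permanently').

    The reason phrase is optional, as in the slide's bare 'HTTP/1.1 301'.
    """
    parts = msg.start_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"bad status line: {msg.start_line!r}")
    reason = parts[2] if len(parts) == 3 else ""
    return parts[0], int(parts[1]), reason


def is_safe_method(method: str) -> bool:
    """True for methods that retrieve rather than modify (GET, HEAD)."""
    return method.upper() in SAFE_METHODS


# Constructed sample exchange for the www.google.com case in the text.
SAMPLE_REQUEST = b"GET / HTTP/1.1\r\nHost: www.google.com\r\nUser-Agent: demo\r\n\r\n"
SAMPLE_RESPONSE = b"HTTP/1.1 301\r\nLocation: /WileyCDA/\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    req = parse_message(SAMPLE_REQUEST)
    print(parse_request_line(req), req.headers)
    resp = parse_message(SAMPLE_RESPONSE)
    print(parse_status_line(resp), resp.headers["location"])
```

Folding header names to lower case matters for any check that keys on a header (Host, Location, Cookie): a client or proxy that compares case-sensitively can be bypassed by a differently-cased copy of the same header.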
What is HTML?
HTML (Hypertext Markup Language) is the formatting language used in the WWW, based on ISO 8879 Standard Generalized Markup Language (SGML).
Changing text, ie: <B>HTML</B> is the bold command.
HTML has no active content, so the security risk is small.
But if embedded with JavaScript & ActiveX it can be dangerous. Active content on a website is composed of server-side & client-side executables.
CGI (Common Gateway Interface) scripts: dynamic content of a website, an active feedback environment. Applications: search engines, registration sites, Web-based chat forums, online database queries.
The executable component of a CGI script can be written in any programming language that executes on the host machine (Perl is most popular because it parses text easily; Python, shell, C, C++ etc) and is invoked via HTML.
CGI scripts are located in /cgi-bin, separate from sensitive files. CGI is an interface, while PHP is a language.
Client-side active content: JavaScript embedded directly in HTML and interpreted by the browser. Client side: JavaScript, Java & ActiveX.
Security issue with JavaScript: when viewed on a website it has the ability to open new browser windows without user permission:
<script>window.open("http://www.google.com......");</script>
This is how annoying pop-up advertisements are made, but it is not really a security threat.
It becomes dangerous if the new window is operated by hackers to steal passwords, PINs, credit card numbers etc.
Java & ActiveX
Java: language created by Sun Microsystems in 1991, executable & platform independent. First developed for small devices ie VCRs, toasters & TVs; its popularity from 1994 came from use on the Internet.
The Java security model is based on the notion of a SANDBOX. It resides on the host computer that is executing the Java apps, and is designed as a small play area; the sandbox should contain no critical resources. All further access is explicitly granted by the user.
By default, apps only have access to the CPU, display, keyboard, mouse & their own memory.
Trusted apps can be given larger boundaries & access to additional info. Ie: a file share or doc may require additional access to the H/D.
ActiveX can be automatically downloaded, installed & executed as a self-contained plug-in. If the browser is configured for it, Web pages containing an OBJECT tag are automatically acted upon simply by viewing them.
ActiveX: Microsoft, San Francisco conference in 1996; also used by Outlook & Office apps.
State
A website's ability to keep track of users connecting often to the site. Not built in to HTTP, & apps ie: e-banking or e-commerce need this functionality.
State is the current status of a specific instance of an app, like human interaction: every action you make or response you get is recorded to shape the way you approach the future, thus maintaining memory of previous actions. It can be in the form of a file, an entry in a database, or a buffer in memory.
HTTP is a stateless, sessionless protocol that relies on the use of an external authentication mechanism, such as tokens, to identify clients & their current state. Thus each HTTP transaction is completely unique & the browser does not maintain memory of past history.
But a shopping cart can maintain memory: cookies do this, not HTTP.
Applications that associate multiple pages with a single user require state. Ie: special session tracking for a shopping cart on a website.
It becomes complex when the website is a server farm composed of multiple coordinated Web servers.
Tracking State
Internet: every transaction is logged somewhere, but because HTTP is stateless by design, tracking must be done by an external mechanism. Websites equate state with a session.
Security issues: associated with creating new sessions, terminating sessions, or an activity/participant in previous sessions when tracking state.
Downside: the information must be openly passed each time the user accesses the website, with potential interception by an attacker.
Cookies: ASCII text (> 80k per domain) stored in a file by the browser on the user's H/D, so the Web server need not retain it in a central location (ie: shopping cart, tracking ID/name & password, or an index to a database server etc).
The Web server (Ws) sends cookies to the client browser (CB) by embedding them in the HTTP response or via a script executing on the website. The cookie is carried in the response's Set-Cookie header with the following fields:
- expires: when the cookie should be removed from the H/D
- Domain= _
- path: the pages that should trigger the sending of the cookie
Cookie Security
The concern is a lack of privacy. Cookies don't contain executable code & can't be run by an attacker. They are used by the Ws to track your previous activity, because your host name / dynamic IP may change: a secondary ID.
ID=500 means that for the Ws the user is associated with ID=500 on the next visit. A user can change the ID to 501: the cookie poisoning method attacks the Web server (Ws) by impersonating the cookies of legitimate users.
Example of attack: www.verizonwireless.com in Sep 2001, when Marc Slemko, a Seattle s/w developer, posted this vulnerability: the token used by the website to track customers accessing their account information online was trusted & had no authentication check.
By merely changing this token (cookie) & re-accessing the website, an attacker was able to browse sensitive client A/C info.
To combat this: new cookies are protected by a mathematical HASH so the server can identify whether a cookie has been modified & is suspect.
Netscape or Mozilla store cookies in cookies.txt. MS IE stores them in the Cookies directory.
Web Bugs
- Invisible eavesdropping graphics embedded in a website, email or word processing doc: clear GIFs, invisible GIFs, beacon GIFs. They are hypertext images that are generally 1x1 pixel in size.
- A Web bug tracks the following: (1) IP address of the PC that opened the image in the website, email, Word doc etc; (2) time; (3) type of browser; (4) previous cookies.
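A detection-side illustration of the Web bug slide, added here and not part of the original deck: a scanner built on Python's html.parser that flags `<img>` tags with the signs the slide describes (1x1 pixel size, hidden via CSS, or loaded from a third-party host with a per-recipient query string). The HTML page, the host names (www.example.com, tracker.example.net, cdn.example.org) and the `uid` parameter are all constructed for the example; an email client or proxy would run the same check before fetching images.

```python
# Added example (not from the slides): flag likely "web bug" images in HTML.
# The sample document and host names below are constructed for this example.
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit


def _px(value) -> int:
    """Parse a width/height attribute ('1', '1px'); unknown -> very large."""
    try:
        return int(str(value).strip().lower().rstrip("px"))
    except ValueError:
        return 10 ** 6


class WebBugFinder(HTMLParser):
    """Collect (src, reasons) for every <img> that looks like a tracking beacon."""

    def __init__(self, page_host: str):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings: List[Tuple[str, List[str]]] = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)
        src = a.get("src") or ""
        reasons = []

        # Sign 1: the slide's 1x1 pixel "clear GIF".
        w, h = a.get("width"), a.get("height")
        if w is not None and h is not None and _px(w) <= 1 and _px(h) <= 1:
            reasons.append("1x1 pixel")

        # Sign 2: image present but hidden by inline CSS.
        style = (a.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")

        # Sign 3: third-party host carrying a query string, i.e. a per-recipient
        # identifier that lets the tracker tie the fetch (IP, time, browser,
        # cookies) to one person. A plain third-party image alone is not flagged.
        host = (urlsplit(src).hostname or "").lower()
        third_party = bool(host) and host != self.page_host
        if third_party and urlsplit(src).query:
            reasons.append(f"third-party host {host} with query string")

        if reasons:
            self.findings.append((src, reasons))


def find_web_bugs(html_text: str, page_host: str) -> List[Tuple[str, List[str]]]:
    """Return the list of suspicious images found in html_text."""
    finder = WebBugFinder(page_host)
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample page: one real logo, one beacon, one hidden spacer, one
# ordinary third-party picture that should NOT be flagged.
SAMPLE_HTML = """
<html><body>
<img src="https://www.example.com/logo.png" width="200" height="50">
<img src="http://tracker.example.net/beacon.gif?uid=42" width="1" height="1">
<img src="https://www.example.com/spacer.gif" style="display: none">
<img src="https://cdn.example.org/hero.jpg" width="800" height="400">
</body></html>
"""

if __name__ == "__main__":
    for src, why in find_web_bugs(SAMPLE_HTML, "www.example.com"):
        print(src, "->", ", ".join(why))
```

The three signs are deliberately kept as separate reasons so a reviewer can tune the policy (for example, block on "1x1 pixel" only in email, where a legitimate layout spacer is unlikely).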
URL Tracking & Hidden Frames/Fields
URL tracking: when, how often & who views your website (Google AdWords, SEO, Google Analytics / Big Data insight into landing & conversion rates).
Data within the HTTP header is collected: (1) browser type; (2) O/S; (3) ISP; (4) dates; (5) referrers.
Hidden frames: also for maintaining state, but don't leave any object on the PC (cookies); the state is kept in a zero-size frame while the browser is active from page to page.
Hidden fields: also used to maintain state, the same as hidden frames, but stored in fields in the form and sent when you press the submit button.
Attacking Web Servers: high-value content & a high probability of weakness, since they rely on many new apps.
Account harvesting: attack on legitimate accounts by impersonating the user & gaining system access via, ie: improper identity authentication; investigative searching etc.
Enumerating directories: a common mistake by Web admins is to allow directory listing. By default index.html within a directory will be displayed. If index.html does not exist, the directory listing will be displayed (open).
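The directory-listing rule from this slide, as an added example (not from the deck) of how a static file handler should resolve a URL: serve index.html when a directory has one, refuse with 403 rather than listing when it does not, and answer 404 to any path that escapes the document root. It is a stand-in for the resolution step of a real Web server, not a server itself; the document tree it builds in a temporary directory (index.html, private/secret.txt) is constructed for the demo.

```python
# Added example (not from the slides): resolve a request path under a document
# root without ever producing a directory listing. The sample tree is constructed.
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple
from urllib.parse import unquote


def resolve_static(docroot: str, url_path: str) -> Tuple[int, Optional[bytes]]:
    """Return (status, body) for url_path under docroot.

    200 + file bytes for a file or a directory that has index.html;
    403 for a directory without index.html (listing disabled);
    404 for a missing path or one that resolves outside docroot.
    """
    root = Path(docroot).resolve()
    # Decode %xx first so encoded '../' is normalised like a plain one.
    rel = unquote(url_path).lstrip("/")
    target = (root / rel).resolve()
    if target != root and root not in target.parents:
        return 404, None            # escaped the docroot; say nothing more
    if target.is_dir():
        index = target / "index.html"
        if index.is_file():
            return 200, index.read_bytes()
        return 403, None            # directory exists, but no listing
    if target.is_file():
        return 200, target.read_bytes()
    return 404, None


def demo() -> Dict[str, int]:
    """Build a constructed tree and show the status each kind of path gets."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.html").write_text("<h1>home</h1>")
        (Path(d) / "private").mkdir()
        (Path(d) / "private" / "secret.txt").write_text("not listed, but fetchable")
        return {
            "root": resolve_static(d, "/")[0],                      # index served
            "listing": resolve_static(d, "/private/")[0],          # 403, not a list
            "file": resolve_static(d, "/private/secret.txt")[0],   # direct URL ok
            "missing": resolve_static(d, "/nope.html")[0],
            "traversal": resolve_static(d, "/../../etc/passwd")[0],
            "encoded": resolve_static(d, "/%2e%2e/%2e%2e/etc/passwd")[0],
        }


if __name__ == "__main__":
    print(demo())
```

Note what disabling the listing does and does not do: `private/secret.txt` is still served to anyone who knows its URL, so a file that must not be public needs access control, not merely the absence of an index.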
Attacking Web Servers...continued
Investigative searching: pieces of history posted on the Internet are rarely forgotten; they are permanently identified by caching search engines. A form of reconnaissance by attackers harvesting info, ie: user names; searching for email addresses in newsgroups etc.
Faulty authorization: mistaken authorization can be used for impersonation, improper implementation of cookies etc.
SQL (Structured Query Language) injection: SQL is the ANSI (American National Standards Institute) standard for database query language, implemented in MS SQL Server, Oracle, Sybase, MySQL, Ingres.
Statements written in SQL are capable of adding, removing, editing or retrieving info from a database.
A hacker may inject an error & analyze the error message syntax to attack the database.
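The SQL injection point above in code, as an added example that is not from the slides: a lookup that splices user input into the query text beside the same lookup written with a parameterised query, run against a constructed in-memory SQLite table (`accounts`, with the made-up users alice, bob and carol). The third function shows the slide's "inject an error" observation from the defender's side: the raw database error that the string-built query exposes, which a server should log and never return to the client.

```python
# Added example (not from the slides): string-built SQL beside the
# parameterised fix, on a constructed in-memory SQLite table.
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table; real data would live in the app's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts(username TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 100), ("bob", 250), ("carol", 75)])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Input is pasted into the SQL text, so a quote in it changes the query."""
    sql = ("SELECT username, balance FROM accounts WHERE username = '"
           + username + "'")
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[Tuple[str, int]]:
    """Parameterised: the driver passes the value separately from the SQL, so
    it is compared as data and can never be parsed as part of the statement."""
    return conn.execute(
        "SELECT username, balance FROM accounts WHERE username = ?",
        (username,),
    ).fetchall()


def vulnerable_error_message(conn: sqlite3.Connection, username: str) -> Optional[str]:
    """The raw DB error the vulnerable query leaks when input breaks its syntax.
    A server should log this detail and return only a generic failure."""
    try:
        lookup_vulnerable(conn, username)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"   # classic textbook input: matches every row
    print(lookup_vulnerable(db, "alice"))      # [('alice', 100)]
    print(lookup_vulnerable(db, tautology))    # all three rows
    print(lookup_safe(db, tautology))          # [] - treated as a literal name
    print(vulnerable_error_message(db, "'"))   # DB syntax error text, leaked
    print(lookup_safe(db, "'"))                # [] - no error, no leak
```

The same split applies to every driver the slide names (SQL Server, Oracle, Sybase, MySQL, Ingres): build the statement with placeholders and pass values as parameters, and map database exceptions to a generic response so the error text never reaches the client.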
