Web Security
Today
• Web architecture
– Basics of web security
What is the Web?
• A platform for deploying applications, portably and securely
Web security: two sides
• Web browser: (client side)
– Interacts with the user
– Fetches and renders pages from the server
– Worry about user’s own data, malware, keyloggers, …
• Web application code: (server side)
– Runs at web site: banks, e-merchants, blogs
– Written in PHP, ASP, JSP, Python, Ruby, Node.js, …
– Decides which page to serve to which users/requests (authorized users, dynamic content, etc.)
– Worry about all users’ data, targeted attacks, …
A historical perspective
• The web is an example of “bolt-on security”
• Originally, the web was invented to allow
physicists to share their research papers
– Only textual web pages + links to other pages; no security model to speak of
• Then we added embedded images
– Crucial decision: a page can embed images loaded
from another web server
• Then, Javascript, dynamic HTML, AJAX, CSS, frames, audio, video, …
• Today, a web site is a distributed application
URLs
• Global identifiers of network-retrievable documents
• Example: http://ecen4133.org:80/tmp/test?foo=1337#top
– Protocol: http
– Host: ecen4133.org:80
– Path: /tmp/test
– Query: foo=1337
– Fragment: top
• Are URLs case-sensitive?
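The following is an added example (not code from the slides) that splits the slide's URL into the labelled components using the WHATWG URL parser built into browsers and Node.js, and answers the case-sensitivity question by showing which parts the parser normalises: scheme and host are lowercased and a default port is dropped, while path, query and fragment pass through untouched and are left to the server to interpret.

```javascript
// Added example (not from the slides): break a URL into the components the
// slide labels and check which parts the WHATWG URL parser normalises.
// Runs in Node.js or a browser; no network request is made.
const SLIDE_URL = "http://ecen4133.org:80/tmp/test?foo=1337#top";

function urlParts(text) {
  const u = new URL(text);
  return {
    protocol: u.protocol,                  // "http:"
    host: u.hostname,                      // "ecen4133.org"
    port: u.port,                          // "" when it is the scheme default
    path: u.pathname,                      // "/tmp/test"
    query: u.search,                       // "?foo=1337"
    queryParams: Object.fromEntries(u.searchParams),
    fragment: u.hash,                      // "#top" (never sent to the server)
  };
}

// "Are URLs case-sensitive?": scheme and host are not (the parser lowercases
// them), so two spellings of the same server compare equal. Path and query
// are compared byte-for-byte here, as a server would; the fragment is
// ignored because it never leaves the browser.
function sameResource(a, b) {
  const x = new URL(a);
  const y = new URL(b);
  return x.protocol === y.protocol &&
         x.hostname === y.hostname &&
         x.port === y.port &&
         x.pathname === y.pathname &&
         x.search === y.search;
}

console.log(urlParts(SLIDE_URL));
console.log(sameResource("HTTP://ECEN4133.ORG:80/tmp/test?foo=1337", SLIDE_URL));  // true
console.log(sameResource("http://ecen4133.org/TMP/test", SLIDE_URL));                // false
```

The practical consequence for filters and allow-lists: compare URLs after parsing, not as raw strings, or `HTTP://ECEN4133.ORG/...` and `http://ecen4133.org/...` will look like different hosts.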
HTML
• Hypertext markup language (HTML)
– Describes the content and formatting of Web pages
– Rendered within browser window
• HTML features
– Static document description language
– Supports linking to other pages and embedding images by reference
– User input sent to server via forms
• HTML extensions
– Additional media content (e.g., PDF, video) supported through plugins
– Embedding programs in supported languages (e.g., JavaScript, Java) provides dynamic content that interacts with the user, modifies the browser user interface, and can access the client computer environment
HTTP protocol
• HTTP is
– Widely used
– Simple
– Stateless
– Unencrypted
HTTP Protocol
• HTTP Request (Browser → Web Server)
– Method, File, HTTP version:
GET /index.html HTTP/1.1
– Headers:
Host: www.example.com
• HTTP Reply (Web Server → Browser)
– HTTP version, Status code, Reason phrase:
HTTP/1.1 200 OK
– Headers (including cookies):
Date: Tue, 14 Feb 2012
Server: Apache/1.3.3.7
Last-Modified: Mon, 13 Feb 2012
Content-Length: 438
Set-Cookie: …
Content-Type: text/html; charset=UTF-8
– Data:
Hello World!
HTTP GET request
• Used to fetch resources
• Shouldn’t change state on the server
GET /cat.jpg HTTP/1.1
Host: catpictures.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36
Accept: text/html,application/xhtml+xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
HTTP POST request
• Used to update state on the server
• Clients can send/upload files/data
POST /register HTTP/1.1
Host: catpictures.net
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/56.0.2924.76 Safari/537.36
Accept: text/html,application/xhtml+xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate, sdch, br
Accept-Language: en-US,en;q=0.8
Content-Length: 20
User=bob&Pass=abc123
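To make the request/reply layout of the last few slides concrete, here is an added example (not code from the slides) of a minimal HTTP/1.1 message parser: start line, headers, blank line, body. The two raw messages are constructed for the example; the `Content-Type` header is an assumption added so the form body can be decoded, and the cookie value is a placeholder. It also encodes the slides' rule that GET fetches without changing state while POST may.

```javascript
// Added example, not from the slides: parse HTTP/1.1 messages of the shape
// shown above. Input is a constructed string; no sockets are involved.

const RAW_POST =                                    // constructed request
  "POST /register HTTP/1.1\r\n" +
  "Host: catpictures.net\r\n" +
  "Connection: keep-alive\r\n" +
  "Content-Type: application/x-www-form-urlencoded\r\n" +  // assumed header
  "Content-Length: 20\r\n" +
  "\r\n" +
  "User=bob&Pass=abc123";

const RAW_REPLY =                                   // constructed reply
  "HTTP/1.1 200 OK\r\n" +
  "Content-Type: text/html; charset=UTF-8\r\n" +
  "Set-Cookie: session=PLACEHOLDER; HttpOnly\r\n" +
  "Content-Length: 12\r\n" +
  "\r\n" +
  "Hello World!";

function parseHttpMessage(raw) {
  const sep = raw.indexOf("\r\n\r\n");
  if (sep < 0) throw new Error("incomplete message: no blank line after headers");
  const headLines = raw.slice(0, sep).split("\r\n");
  const rest = raw.slice(sep + 4);

  const start = headLines[0].split(" ");
  const msg = {};
  if (start[0].startsWith("HTTP/")) {               // reply: version status reason
    msg.type = "reply";
    msg.version = start[0];
    msg.status = Number(start[1]);
    msg.reason = start.slice(2).join(" ");
  } else {                                          // request: method target version
    msg.type = "request";
    [msg.method, msg.target, msg.version] = start;
  }

  // Header names are case-insensitive, so store them lowercased; values keep
  // their case. A line without ":" is malformed and rejected.
  msg.headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(":");
    if (i < 0) throw new Error("malformed header line: " + line);
    msg.headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }

  // The body length comes only from Content-Length; bytes beyond it belong
  // to the next message on a keep-alive connection, so they are kept apart.
  const len = Number(msg.headers["content-length"] ?? 0);
  if (rest.length < len) throw new Error("body shorter than Content-Length");
  msg.body = rest.slice(0, len);
  msg.trailing = rest.slice(len);
  return msg;
}

// Form bodies like "User=bob&Pass=abc123" decode to key/value pairs.
function parseFormBody(msg) {
  return Object.fromEntries(new URLSearchParams(msg.body));
}

// The slides' rule: GET (and HEAD) only fetch; other methods may change state.
function mayChangeState(msg) {
  return msg.type === "request" && !["GET", "HEAD"].includes(msg.method);
}

const req = parseHttpMessage(RAW_POST);
console.log(req.method, req.target, parseFormBody(req), mayChangeState(req));
const rep = parseHttpMessage(RAW_REPLY);
console.log(rep.status, rep.reason, rep.headers["set-cookie"], rep.body);
```

Two details matter for security: the parser trusts nothing beyond `Content-Length` to delimit the body, because disagreement about where one message ends and the next begins is what request-smuggling attacks exploit, and the reply's `Set-Cookie` header is the only state-carrying element in an otherwise stateless exchange.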
HTML Basics
• HyperText Markup Language
– Nested “tag” structure
Look, a cat!
HTML, CSS, Javascript
• HTML for structure
– What elements of a page are related?
– What resources should be included?
• CSS (Cascading Style Sheet) for style
– What fonts/colors/sizes/positions should
elements be?
• Javascript for dynamic content
– When a user clicks this, do that
– Here be dragons!
Javascript
DOM Tree: Document Object Model
• “The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents.”
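The following is an added example (not code from the slides) that ties the "nested tag structure" of the HTML Basics slide to the DOM tree described here: a small parser turns a constructed HTML fragment into a tree of element and text nodes, and two helpers walk that tree the way scripts do through the DOM. It handles elements, attributes, text and void elements such as `img`; it is a teaching parser, not a substitute for the browser's HTML parser, and the sample markup is constructed for the example.

```javascript
// Added example, not from the slides: build a DOM-like tree from a small
// HTML fragment so the nested tag structure becomes a concrete object.

const VOID = new Set(["img", "br", "hr", "input", "meta", "link"]);
const SAMPLE_HTML =                                 // constructed input
  '<html><body><p class="caption">Look, a cat!</p>' +
  '<img src="/cat.jpg" alt="a cat"><script>alert(1)</script></body></html>';

// Attributes inside a start tag: name="value" or a bare name.
function parseAttrs(s) {
  const attrs = {};
  for (const a of s.matchAll(/([^\s=\/]+)(?:="([^"]*)")?/g)) attrs[a[1]] = a[2] ?? "";
  return attrs;
}

// Returns a #document root whose children nest exactly as the tags nest.
// Each element is { tag, attrs, children }; each text node is { tag: "#text", text }.
function parseHtml(html) {
  const root = { tag: "#document", attrs: {}, children: [] };
  const stack = [root];                             // open elements, innermost last
  const tokenRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|([^<]+)/g;
  for (const m of html.matchAll(tokenRe)) {
    const parent = stack[stack.length - 1];
    if (m[3] !== undefined) {                       // text node
      parent.children.push({ tag: "#text", text: m[3] });
    } else if (m[0].startsWith("</")) {             // end tag closes the innermost element
      const name = m[1].toLowerCase();
      if (parent.tag !== name) throw new Error("unexpected </" + name + ">");
      stack.pop();
    } else {                                        // start tag opens a child element
      const el = { tag: m[1].toLowerCase(), attrs: parseAttrs(m[2]), children: [] };
      parent.children.push(el);
      if (!VOID.has(el.tag) && !m[2].trim().endsWith("/")) stack.push(el);
    }
  }
  if (stack.length !== 1) throw new Error("unclosed <" + stack[stack.length - 1].tag + ">");
  return root;
}

// Depth-first search by tag name, like document.getElementsByTagName.
function findAll(node, tag, out = []) {
  if (node.tag === tag) out.push(node);
  for (const c of node.children ?? []) findAll(c, tag, out);
  return out;
}

// Concatenated text of a subtree, like element.textContent.
function textContent(node) {
  if (node.tag === "#text") return node.text;
  return node.children.map(textContent).join("");
}

const doc = parseHtml(SAMPLE_HTML);
console.log(textContent(findAll(doc, "p")[0]));     // Look, a cat!
console.log(findAll(doc, "img")[0].attrs.src);      // /cat.jpg
console.log(findAll(doc, "script").length);         // 1
```

Walking the tree for `script` elements shows why the structure matters for security: a page that splices untrusted text into its markup without escaping `<` and `"` can end up with a `script` node in its tree that the author never wrote, which is the mechanism behind cross-site scripting.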
Javascript
• Functional, imperative, and object-oriented
• Oh, and untyped. Good luck!
function factorial(x) {
  var r = x;
  // The slide's code is cut off after "for (var i=1; i"; the loop below
  // completes it so the function runs: multiply r by 1..x-1.
  for (var i = 1; i < x; i++) {
    r *= i;
  }
  return r;
}
Click here, quick!