Web security - Stanford University
Web security
Web Session Management
Dan Boneh
Recap: Web attacker model
Web attacker (simplified): the attacker's origin tries to disrupt another origin or read its data, with both running in a correct browser.
Why is this hard to prevent? The Web is a hodgepodge of technologies, often with conflicting security policies.
Recap: same origin policy
Review: Same Origin Policy (SOP) for DOM:
- Origin A can access origin B's DOM only if the two match on (scheme, domain, port).
Review: Same Origin Policy (SOP) for cookies:
- Based on ([scheme], domain, path); the scheme component is optional.
URL structure: scheme://domain:port/path?params
Setting/deleting cookies by server
Browser sends: GET ...
Server replies with an HTTP header:
Set-Cookie: NAME=VALUE ;
  domain = (when to send) ;
  path = (when to send) ;
  secure = (only send over HTTPS) ;
  expires = (when expires) ;
  HttpOnly ;   (weak XSS defense)
  SameSite = [lax | strict]   (weak CSRF defense)
- if expires=NULL: this session only
- if expires=past date: browser deletes cookie
- Default scope is the domain and path of the setting URL
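As an added example (not from the lecture slides), the following model shows how a browser stores a Set-Cookie header and later decides whether to attach the cookie, covering both the cookie scope rule ([scheme], domain, path) from the SOP recap and the attributes listed above: default scope from the setting URL, Secure, HttpOnly, SameSite, and Expires as "session only" versus "delete". The cookie names, values and hostnames are constructed, and treating a missing SameSite as Lax is an assumption about current browsers rather than something the slide states.

```python
# Added example, not from the lecture slides: a small model of how a browser
# stores a Set-Cookie header and later decides whether to attach the cookie,
# covering the cookie scope rule ([scheme], domain, path) and the attributes
# listed on the slide. Cookie names, values and hostnames are constructed.
from dataclasses import dataclass
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Cookie:
    name: str
    value: str
    domain: str
    path: str
    secure: bool = False          # only send over HTTPS
    http_only: bool = False       # hidden from document.cookie (weak XSS defense)
    same_site: str = "Lax"        # assumption: browsers treat a missing SameSite as Lax
    expires: Optional[datetime] = None   # None = session cookie, gone when the browser closes


def default_path(url_path: str) -> str:
    """Default Path when the header has none: the setting URL's path minus its last segment."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path.rsplit("/", 1)[0]


def parse_set_cookie(header: str, setting_url: str, now: datetime) -> Optional[Cookie]:
    """Return the cookie to store, or None when Expires is in the past (a deletion)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    url = urlsplit(setting_url)
    # Default scope is the domain and path of the setting URL.
    cookie = Cookie(name.strip(), value.strip(), domain=(url.hostname or "").lower(),
                    path=default_path(url.path))
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key, val = key.strip().lower(), val.strip()
        if key == "domain":
            cookie.domain = val.lstrip(".").lower()
        elif key == "path":
            cookie.path = val or "/"
        elif key == "secure":
            cookie.secure = True
        elif key == "httponly":
            cookie.http_only = True
        elif key == "samesite":
            cookie.same_site = val.capitalize()
        elif key == "expires":
            cookie.expires = parsedate_to_datetime(val)
    if cookie.expires is not None and cookie.expires <= now:
        return None   # past date: the browser deletes the cookie instead of storing it
    return cookie


def would_send(cookie: Cookie, request_url: str, same_site_request: bool = True,
               top_level_navigation: bool = False) -> bool:
    """Scope check on a later request: domain, path, scheme (Secure) and SameSite."""
    url = urlsplit(request_url)
    host = (url.hostname or "").lower()
    path = url.path or "/"
    domain_ok = host == cookie.domain or host.endswith("." + cookie.domain)
    path_ok = path == cookie.path or path.startswith(cookie.path.rstrip("/") + "/")
    scheme_ok = url.scheme == "https" or not cookie.secure
    if not same_site_request:
        if cookie.same_site == "Strict":
            return False
        if cookie.same_site == "Lax" and not top_level_navigation:
            return False   # Lax still allows top-level GET navigations, nothing else
    return domain_ok and path_ok and scheme_ok


def demo() -> dict:
    """Constructed walk-through: one session cookie, one deletion, one parent-domain cookie."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sid = parse_set_cookie("sid=abc123; Secure; HttpOnly; SameSite=Strict",
                           "https://shop.example/cart/checkout", now)
    deleted = parse_set_cookie("sid=; Expires=Thu, 01 Jan 1970 00:00:00 GMT",
                               "https://shop.example/", now)
    pref = parse_set_cookie("pref=dark; Domain=example.com; Path=/",
                            "https://www.example.com/settings", now)
    return {
        "sid": sid,
        "deleted": deleted,
        "pref": pref,
        "same_path_https": would_send(sid, "https://shop.example/cart/items"),
        "plain_http": would_send(sid, "http://shop.example/cart/items"),
        "other_path": would_send(sid, "https://shop.example/account"),
        "cross_site": would_send(sid, "https://shop.example/cart/items", same_site_request=False),
        "subdomain": would_send(pref, "https://api.example.com/anything"),
    }
```

The point of the walk-through is the scope decision: the sid cookie set from /cart/checkout defaults to Path=/cart, so it is never sent to /account, Secure keeps it off plain HTTP, and SameSite=Strict keeps it off cross-site requests, while the pref cookie with Domain=example.com reaches every subdomain.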
Remember: Cookies have no integrity
User can change and delete cookie values:
- Edit cookie database (FF: cookies.sqlite)
- Modify Cookie header (FF: TamperData extension)
Silly example: shopping cart software
Set-Cookie: shopping-cart-total = 150 ($)
User edits cookie file (cookie poisoning):
Cookie: shopping-cart-total = 15 ($)
Similar problem with localStorage and hidden fields:
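As an added example (not from the lecture slides), here is the shopping-cart cookie read exactly as the slide's vulnerable server does it, beside the usual integrity fix: the server appends an HMAC tag when it sets the value and verifies the tag before trusting what comes back. The cookie name is the slide's; the key and helper names are constructed for the demo.

```python
# Added example, not from the lecture slides: the shopping-cart cookie from the
# slide read as-is (the cookie-poisoning problem) beside the usual integrity fix,
# an HMAC tag the server verifies before trusting the value. The key and helper
# names are constructed for the demo.
import base64
import hashlib
import hmac
from typing import Dict, Optional

DEMO_KEY = b"constructed-demo-key-never-ship-this"   # constructed; real keys come from a secret store


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Split 'a=1; b=2' into a dict, ignoring malformed pairs."""
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep:
            cookies[name.strip()] = value.strip()
    return cookies


def cart_total_unsigned(cookie_header: str) -> int:
    """The slide's vulnerable pattern: the total is whatever the client sent back."""
    return int(parse_cookie_header(cookie_header)["shopping-cart-total"])


def sign(value: str, key: bytes = DEMO_KEY) -> str:
    """value + '.' + base64url(HMAC-SHA256(key, value)); the tag never contains '.'."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).rstrip(b"=").decode()


def verify(signed: str, key: bytes = DEMO_KEY) -> Optional[str]:
    """Return the protected value, or None if the tag is missing or does not match."""
    value, sep, tag = signed.rpartition(".")
    if not sep:
        return None
    expected = sign(value, key).rpartition(".")[2]
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None   # edited value or forged tag: treat the cookie as absent
    return value


def cart_total_signed(cookie_header: str) -> Optional[int]:
    """Hardened pattern: only a value carrying a valid tag is trusted."""
    value = verify(parse_cookie_header(cookie_header).get("shopping-cart-total", ""))
    if value is None or not value.isdigit():
        return None
    return int(value)
```

The tag gives integrity, not confidentiality: the user can still read the total, just not change it undetected. The cleaner design for session state, in line with this lecture's theme, is to keep the total server-side and put only a random session identifier in the cookie, so there is nothing meaningful to poison.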