Modern Web Design
Security Lecture, Dr.
HTTP is an incredibly simple text-based protocol for fetching
resources from web servers. From a root shell, you can see the
request by standing up any text-based server on TCP port 80, the
default HTTP port:
nc -l 80
If you then surf to http://localhost/foo/bar, you should see this:
GET /foo/bar HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
Accept-Encoding: gzip, deflate, br
You can respond with:
HTTP/1.1 200 OK
The ASCII headers continue until a blank line, where the protocol switches over to the content. So this should show up as an OK! in the browser.
both were used to script web pages. Java on the web subsequently died
out due to persistent security holes.
page. The simplest is to pop up a dialog box:
Or you can change the title of this page like this:
Here "x" is a variable storing a handle to the DOM node object representing the headline.
The big advantage of cookies is that you don't need to repeatedly log in to Facebook every time you visit a link. But there are many other places this can cause huge problems:
- A phishing scam email can include a link that performs any one-click action. The browser will again forward all cookies as it follows the link.
- On any web page, a tiny invisible 1x1 pixel image like <img src="https://192.168.1.1/admin/reset_dns_server.htm?new_dns_server=126.96.36.199&user_confirm=yup"> can subvert your browser to attack your home internet router from inside your network, in this case spoofing a request to change your DNS server to one the attacker controls. Again, the browser will happily forward saved login credentials or session cookies, even if you last looked at your router several years ago. The attacker does need to guess your internal IP address.
Web services need to be structured to prevent Cross-Site Request Forgery, for example by passing along an unguessable random session token in legitimate sessions, and checking the HTTP Referer field.
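A server-side sketch of the two defenses named in these notes, the unguessable per-session token and the Referer check, written as an added example and not code from the lecture. The host router.example, the csrf_token field name, the session id and the strict handling of a missing Referer are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

SERVER_KEY = secrets.token_bytes(32)          # assumption: secret known only to the server
TRUSTED_ORIGIN = ("https", "router.example")  # assumption: the site's own scheme and host


def _mac(session_id: str, nonce: str) -> bytes:
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest().encode()


def issue_token(session_id: str) -> str:
    """Unguessable token placed in a hidden field of each form served to this session."""
    nonce = secrets.token_hex(16)
    return f"{nonce}.{_mac(session_id, nonce).decode()}"


def token_ok(session_id: str, token) -> bool:
    """True only for a token this server issued for this same session."""
    nonce, _, mac = (token or "").partition(".")
    return hmac.compare_digest(mac.encode(), _mac(session_id, nonce))


def referer_ok(referer) -> bool:
    """Compare the parsed scheme and host; a prefix match would accept look-alike hosts."""
    if not referer:
        return False  # assumption: strict policy, a missing Referer is refused
    try:
        parts = urlsplit(referer)
    except ValueError:
        return False
    return (parts.scheme, parts.hostname) == TRUSTED_ORIGIN


def allow_request(session_id: str, headers: dict, params: dict) -> bool:
    """Gate for any cookie-authenticated request that changes state."""
    return referer_ok(headers.get("Referer")) and token_ok(session_id, params.get("csrf_token"))


if __name__ == "__main__":
    sid = "session-1234"  # constructed sample session id
    form = {"new_dns_server": "203.0.113.5", "csrf_token": issue_token(sid)}
    forged = {"new_dns_server": "203.0.113.5", "user_confirm": "yup"}  # constructed: carries no token
    print(allow_request(sid, {"Referer": "https://router.example/admin/"}, form))  # legitimate form
    print(allow_request(sid, {"Referer": "https://other.example/page"}, forged))   # cross-site request
```

The cookie alone no longer authorizes the change: a page on another site cannot read the token embedded in the legitimate form, so a request it triggers fails the gate even though the browser attaches the session cookie.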