I. Pizza Delivery Web Site
a. Web App for delivering pizza
- Online order from order.html, where the user can buy one pizza for $5.50
- Confirmation form: generated by the confirm_order script; the user must confirm the order, and the price is supplied in a hidden field of the form.
- Fulfilment: the submit_order script, which processes the user's order, received via a GET request from the confirmation form.
b. Confirmation Form
<HTML><head><title>Pay for Pizza</title></head>
<body><form action="submit_order" method="GET">
<p>The total cost is 5.50. Are you sure you would like to order?</p>
<input type="hidden" name="price" value="5.50">
<input type="submit" name="pay" value="yes">
<input type="submit" name="pay" value="no">
</form></body></HTML>
c. Submit Order Script
if (pay == "yes") {
  // price is taken straight from the request's hidden form field
  success = authorize_credit_card_charge(price);
  if (success) {
    settle_transaction(price);
    dispatch_delivery_person();
  } else { // Could not authorize card
    tell_user_card_declined();
  }
} else { // no
  display_transaction_cancelled_page();
}
Tampered hidden field (the attacker edits the saved confirmation form before submitting it):
<input type="hidden" name="price" value="0.01">
d. Command line tools to generate HTTP requests
curl or wget automates & speeds up attack
curl "http://www.deliver-me-pizza.com/submit_order?price=0.01&pay=yes"
Even against POST, parameters can be specified as arguments to the curl or wget command
curl -d price=0.01 -d pay=yes https://www.deliver-me-pizza.com/submit_order
wget --post-data 'price=0.01&pay=yes' https://www.deliver-me-pizza.com/submit_order
e. Authoritative State stays on Server
- The server sends a session-id to the client.
- The server keeps a table that maps session-ids to prices.
- A random-number generator produces a 128-bit id, which is sent in the hidden form field instead of the price.
f. Changes to the submit_order script
if (pay == "yes") {
  price = lookup(session_id); // in server-side table
  if (price != NULL) {
    // same as before
  } else { // Cannot find session
    display_transaction_cancelled_page();
    log_client_IP_and_info();
  }
} else {
  // same no case
}
g. Session Management
- 128-bit session-id; with n outstanding session-ids, the chance of a correct guess is limited to n/2^128
- Management
- Time-out idle session-ids
- Clear expired session-ids
- Session-id: hash random # & IP address – harder to attack, but fragile
- Server requires DB lookup for each request
- Performance bottleneck – possible DoS from attackers sending random session-ids
- Distribute DB, load balance requests
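The server-side session table of sections e, f and g, written out as an added example (not code from the original notes). It assumes an in-memory dictionary as the table, a 128-bit id from the CSPRNG, an idle time-out, and that each id is accepted once; the price comes only from the table, so a client-supplied price parameter is ignored.

```python
import secrets
import time

# Constructed in-memory session table: session_id -> {"price", "last_seen"}.
# A real deployment would use a shared store; this stands in for the DB lookup.
SESSION_TABLE = {}
IDLE_TIMEOUT_SECONDS = 600
PIZZA_PRICE = 5.50


def confirm_order(now=None):
    """Server side of the confirmation form: mint a 128-bit random session-id
    and record the authoritative price against it. The returned id is what goes
    into the hidden form field instead of the price."""
    now = time.time() if now is None else now
    session_id = secrets.token_hex(16)  # 16 random bytes = 128 bits
    SESSION_TABLE[session_id] = {"price": PIZZA_PRICE, "last_seen": now}
    return session_id


def expire_idle_sessions(now=None):
    """Clear session-ids that have been idle longer than the time-out.
    Returns how many were removed."""
    now = time.time() if now is None else now
    stale = [sid for sid, s in SESSION_TABLE.items()
             if now - s["last_seen"] > IDLE_TIMEOUT_SECONDS]
    for sid in stale:
        del SESSION_TABLE[sid]
    return len(stale)


def submit_order(params, now=None):
    """Server side of submit_order. `params` is the parsed query string.
    Any 'price' the client sends is never read; the price is looked up by id."""
    now = time.time() if now is None else now
    if params.get("pay") != "yes":
        return {"status": "cancelled", "charged": None, "reason": "user said no"}
    # pop() makes the id single-use, so a replayed request cannot re-order
    session = SESSION_TABLE.pop(params.get("session-id", ""), None)
    if session is None or now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
        # log_client_IP_and_info() would be called here
        return {"status": "cancelled", "charged": None,
                "reason": "unknown or expired session"}
    price = session["price"]
    # authorize_credit_card_charge(price), settle_transaction(price) and
    # dispatch_delivery_person() would run here; the example just reports it
    return {"status": "ok", "charged": price}


if __name__ == "__main__":
    sid = confirm_order()
    # the tampered price=0.01 is ignored; the table's 5.50 is charged
    print(submit_order({"pay": "yes", "session-id": sid, "price": "0.01"}))
    print(submit_order({"pay": "yes", "session-id": sid}))  # replay is refused
```

The table lookup per request is the performance cost the notes mention; the one-shot pop and the idle time-out keep the table from growing without bound, which is the cheapest defence against a flood of random ids.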
h. Signed State to Client
- Keep server stateless, attach a signature to state and send to client
- Can detect tampering through MACs
- Sign whole transaction
- Security based on secret key known only to server
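Signed state sent to the client, as an added example that is not part of the original notes: the whole transaction (item, price and a timestamp) is serialized and tagged with HMAC-SHA256 under a key only the server holds, so the server stays stateless and still detects tampering. The key, the field names and the freshness window are assumptions of the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlencode

# Constructed server secret; in practice loaded from a secrets store and never sent out.
SERVER_KEY = secrets.token_bytes(32)


def sign_state(fields, key=SERVER_KEY):
    """Serialize the transaction deterministically and append an HMAC tag.
    The returned string is what the server places in the hidden form field."""
    payload = urlencode(sorted(fields.items()))  # sorted => canonical order
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"  # urlencode never emits '|', so it is a safe separator


def verify_state(blob, key=SERVER_KEY, now=None, max_age=600):
    """Return the signed fields if the tag verifies and the state is fresh,
    otherwise None. The whole payload is covered, so editing any field fails."""
    payload, sep, tag = blob.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    fields = dict(parse_qsl(payload, keep_blank_values=True))
    now = time.time() if now is None else now
    try:
        issued = float(fields.get("ts", "0"))
    except ValueError:
        return None
    if now - issued > max_age:
        return None  # signature valid but stale: refuse old, replayed state
    return fields


if __name__ == "__main__":
    blob = sign_state({"item": "pizza", "price": "5.50", "ts": str(int(time.time()))})
    print(blob)
    print(verify_state(blob))
    print(verify_state(blob.replace("price=5.50", "price=0.01")))  # None
```

A MAC only proves the state was produced by the server; it does not stop the client from replaying an old, validly signed state, which is why the timestamp is signed along with the price.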
II. Information Leakage
a. GET: form parameters, hidden form fields included, leak in the URL; such URLs can be saved and embedded as links (anchors)
b. Referers can leak through outlinks
- This <a href="http://www.grocery-store-site.com/"> link
- Sends request: GET / HTTP/1.1, Referer: http….
- Session-id leaked to grocery-store-site’s logs!
c. Benefits of POST
- Referers can still leak without user interaction
- Instead of a link, an image: <img src="http://www.grocery-store-site.com/banner.gif">
- The GET request for banner.gif still leaks the session-id in the Referer
- POST request:
POST /submit_order HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
session-id=….
- Session-id not visible in URL
- Pasting into e-mail wouldn’t leak it
- Slightly inconvenient for user, but more secure
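The Referer leak described above, seen from the receiving site's side, as an added example that is not part of the original notes: it parses constructed access-log lines of the kind grocery-store-site.com's server would write and flags requests whose Referer URL carries a session-id in its query string. The log format (combined), the sample lines and the session-id value are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Parameter names that should never appear in a URL we are handed as a Referer.
SENSITIVE_PARAMS = {"session-id", "sessionid", "token"}

# Constructed sample log, combined format: ip ident user [time] "request" status size "referer" "ua"
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET / HTTP/1.1" 200 512 "http://www.deliver-me-pizza.com/submit_order?session-id=3ad0f2c1&pay=yes" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /banner.gif HTTP/1.1" 200 1024 "http://www.deliver-me-pizza.com/confirm_order?session-id=3ad0f2c1" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:12:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.9 - - [10/Oct/2023:12:00:04 +0000] "GET /search?q=pizza HTTP/1.1" 200 512 "http://www.deliver-me-pizza.com/menu" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_referer_leaks(log_text):
    """Return one finding per log line whose Referer query string contains a
    sensitive parameter. A link and an image fetch leak in exactly the same way."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        referer = m.group("referer")
        if referer == "-":
            continue  # no Referer header was sent
        parts = urlsplit(referer)
        query = parse_qs(parts.query)
        leaked = sorted(k for k in query if k.lower() in SENSITIVE_PARAMS)
        if leaked:
            findings.append({
                "ip": m.group("ip"),
                "request": m.group("req"),
                "referer_host": parts.hostname,
                "leaked_params": leaked,
            })
    return findings


if __name__ == "__main__":
    for f in find_referer_leaks(SAMPLE_LOG):
        print(f)
```

The same scan run by the pizza site against its own outbound links (any URL it builds that carries session state in the query) finds the leak before a partner's logs do; moving the id into a POST body or a cookie makes the query string empty and the finding disappear.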
III. Cookies
a. Cookie: piece of state maintained by client
- The server sends cookies to the client
- The client sends cookies back to the server in HTTP requests
- Ex: session-id in a cookie in lieu of a hidden form field
HTTP/1.1 200 OK
Set-Cookie: session-id=…; secure
- The secure attribute dictates that the cookie is only sent over SSL
- Browser replies
GET /submit_order?pay=yes HTTP/1.1
Cookie: session-id= …
b. Problems with Cookies
- Cookies are associated with browser, sent back with each request, no hidden field to tack on
- If user doesn’t log out, attacker can use same browser to impersonate user
- Session-ids should have limited lifetime
IV. JavaScript
a. Popular client-side scripting language
b. Evil user can just delete JavaScript code, substitute desired parameters & submit. Could also just submit request & bypass JavaScript
c. Data validation or computations done by JavaScript cannot be trusted by server
- Attacker may alter script in HTML code to modify computations
- Must be redone on server to verify
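Redoing the client-side checks on the server, as an added example that is not from the original notes: whatever the page's JavaScript validated or computed (item choice, quantity range, order total) is validated and recomputed here from server-side prices, and the client's own total is at most compared against it. The menu, field names and quantity limit are constructed for the example.

```python
from decimal import Decimal, InvalidOperation

# Constructed catalog: authoritative prices live only on the server.
MENU = {"pizza": Decimal("5.50"), "soda": Decimal("1.25")}
MAX_QTY = 10


def validate_and_price(form):
    """`form` is the raw submitted data as strings, e.g.
    {"item": "pizza", "qty": "2", "total": "11.00"}.
    Every check a client-side script might have done is repeated here, and the
    total is recomputed; the client's 'total' is only reported, never used."""
    errors = []
    item = form.get("item", "")
    if item not in MENU:
        errors.append("unknown item")
    qty = None
    try:
        qty = int(form.get("qty", ""))
        if not 1 <= qty <= MAX_QTY:
            errors.append("quantity out of range")
    except ValueError:
        errors.append("quantity not an integer")
    if errors:
        return {"ok": False, "errors": errors}

    total = MENU[item] * qty  # Decimal arithmetic: no float rounding surprises
    try:
        client_total = Decimal(form.get("total", ""))
    except InvalidOperation:
        client_total = None  # missing or malformed; treat as not matching
    return {"ok": True, "total": total, "client_total_matches": client_total == total}


if __name__ == "__main__":
    # a client that bypassed the script and sent its own total
    print(validate_and_price({"item": "pizza", "qty": "2", "total": "0.02"}))
    print(validate_and_price({"item": "pizza", "qty": "-1", "total": "-5.50"}))
```

A mismatch between the client's total and the recomputed one is worth logging: honest browsers running the site's own script always agree with the server, so a disagreement is a strong signal that the request was hand-crafted.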