UT CS 361s - Web Authentication and Session Management

Outline
Web Authentication and Session Management
Reading Assignment
HTTP Digest Authentication
Problems with HTTP Authentication
Sessions
Primitive Browser Session
Bad Idea: Encoding State in URL
Storing State in Hidden Forms
Shopping Cart Form Tampering
Other Risks of Hidden Forms
Session Tokens (Identifiers)
Generating Session Tokens (1)
Generating Session Tokens (2)
FatBrain.com circa 1999
Examples of Weak Tokens
Binding Token to Client's Machine
Storing Session Tokens
Issues
HTTP Referer Header
Typical Redirection Code
XSUH: Cross-Site URL Hijacking
Defenses Against XSUH
Cookies
Storing State in Browser Cookies
Web Authentication with Cookies
Typical Session with Cookies
WSJ.com circa 1999
Attack
.NET 2.0
Cookie Theft: SideJacking
Cookie Theft: Surf Jacking
Session Fixation Attacks
Preventing Session Fixation
Logout Issues

slide 1: Web Authentication and Session Management
Vitaly Shmatikov
CS 361S

slide 2: Reading Assignment
Read Kaufman, Chapter 25
Read "Dos and Don'ts of Client Authentication on the Web"

slide 3: HTTP Digest Authentication
Client to server: request URL with GET or POST method
Server to client:
• HTTP 401 Unauthorised
• Authentication "realm" (description of system being accessed)
• Fresh, random nonce
Client computes:
H1 = hash(username, realm, password)
H2 = hash(method, URL)
H3 = hash(H1, server nonce, H2)
Client to server: H3
Server: recompute H3 and verify
Example challenge header: WWW-Authenticate: Basic realm="Password Required"

slide 4: Problems with HTTP Authentication
Can only log out by closing browser
• What if user has multiple accounts? Multiple users of the same browser?
Cannot customize password dialog
Easily spoofed
In old browsers, defeated by TRACE HTTP
• TRACE causes Web server to reflect the HTTP request back to the browser; TRACE via XHR reveals the password to a script on the web page, which can then steal it
Hardly used in commercial sites

slide 5: Sessions
A sequence of requests and responses from one browser to one or more sites
• Can be long or short (Gmail – 2 weeks)
• Without session management, users would have to constantly re-authenticate
Session management
• Authorize user once
• All subsequent requests are tied to user

slide 6: Primitive Browser Session
www.e_buy.com
View catalog: www.e_buy.com/shopping.cfm?pID=269
Select item: www.e_buy.com/shopping.cfm?pID=269&item1=102030405
Check out: www.e_buy.com/checkout.cfm?pID=269&item1=102030405
Store session information in URL; easily read on network

slide 7: Bad Idea: Encoding State in URL
Unstable, frequently changing URLs
Vulnerable to eavesdropping
There is no guarantee that URL is private
• Early versions of Opera used to send entire browsing history, including all visited URLs, to Google

slide 8: Storing State in Hidden Forms
Dansie Shopping Cart (2006)
• "A premium, comprehensive, Perl shopping cart. Increase your web sales by making it easier for your web store customers to order."
<FORM METHOD=POST ACTION="http://www.dansie.net/cgi-bin/scripts/cart.pl">
  Black Leather purse with leather straps<BR>
  Price: $20.00<BR>
  <INPUT TYPE=HIDDEN NAME=name VALUE="Black leather purse">
  <INPUT TYPE=HIDDEN NAME=price VALUE="20.00">
  <INPUT TYPE=HIDDEN NAME=sh VALUE="1">
  <INPUT TYPE=HIDDEN NAME=img VALUE="purse.jpg">
  <INPUT TYPE=HIDDEN NAME=custom1 VALUE="Black leather purse with leather straps">
  <INPUT TYPE=SUBMIT NAME="add" VALUE="Put in Shopping Cart">
</FORM>
Change the hidden price VALUE="20.00" to 2.00: bargain shopping!

slide 9: Shopping Cart Form Tampering
Many Web-based shopping cart applications use hidden fields in HTML forms to hold parameters for items in an online store. These parameters can include the item's name, weight, quantity, product ID, and price. Any application that bases price on a hidden field in an HTML form is vulnerable to price changing by a remote user. A remote user can change the price of a particular item they intend to buy, by changing the value for the hidden HTML tag that specifies the price, to purchase products at any price they choose.
Platforms affected:
• 3D3.COM Pty Ltd: ShopFactory 5.8 and earlier
• @Retail Corporation: @Retail Any version
• Adgrafix: Check It Out Any version
• Baron Consulting Group: WebSite Tool Any version
• ComCity Corporation: SalesCart Any version
• Crested Butte Software: EasyCart Any version
• Dansie.net: Dansie Shopping Cart Any version
• Intelligent Vending Systems: Intellivend Any version
• Make-a-Store: Make-a-Store OrderPage Any version
• McMurtrey/Whitaker & Associates: Cart32 2.6
• McMurtrey/Whitaker & Associates: Cart32 3.0
• [email protected]: CartMan 1.04
• Rich Media Technologies: JustAddCommerce 5.0
• SmartCart: SmartCart Any version
• Web Express: Shoptron 1.2
Source: http://xforce.iss.net/xforce/xfdb/4621

slide 10: Other Risks of Hidden Forms
Estonian bank's Web server…
HTML source reveals a hidden variable that points to a file name
Change file name to password file
Server displays contents of password file
• Bank was not using shadow password files!
Standard cracking program took 15 minutes to crack root password
[From "The Art of Intrusion"]

slide 11: Session Tokens (Identifiers)
Browser to website: GET /index.html
Website: set anonymous session token
Browser to website: GET /opencontent.html (with anonymous session token)
Browser to website: POST /do-login (username and password)
Website: check credentials; set logged-in session token
Browser to website: POST /checkout (with logged-in session token)
Website: validate token

slide 12: Generating Session Tokens (1)
Option #1: minimal client state
Token = random, unpredictable string
• No data embedded in token
• Server stores all data associated with the session: user id, login status, login time, etc.
Potential server overhead
• With multiple sessions, lots of database lookups to retrieve session state

slide 13: Generating Session Tokens (2)
Option #2: more client-side state
Token = [ user ID, expiration time, access rights, user info … ]
How to prevent client from tampering with his session token?
• HMAC(server key, token)
Server must still maintain some user state
• For example, logout status (check on every request) to prevent usage of unexpired tokens after logout

slide 14: FatBrain.com circa 1999
User logs into website with his password, authenticator token is generated, user is given a special URL containing the token
• With special URL, user doesn't need to re-authenticate
– Reasoning: user could not have known the special URL without authenticating first. That's true, BUT…
Tokens are global sequence numbers
• Easy to guess sequence number for another user
• Fix: use random session
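The H1/H2/H3 exchange from slide 3, as an added example that is not part of the lecture: it uses the RFC 2617 form without qop, so hash() is assumed to be MD5 over colon-joined fields, and the user table and nonce bookkeeping are constructed. The server accepts each nonce once, which is what makes a captured H3 useless for replay.

```python
import hashlib
import secrets

REALM = "Password Required"

def md5_hex(*parts: str) -> str:
    """The slide's hash(): MD5 over colon-joined fields, as in RFC 2617 without qop."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def digest_response(username, password, realm, method, url, nonce):
    """Client side: H1, H2, H3 exactly as on slide 3."""
    h1 = md5_hex(username, realm, password)   # H1 = hash(username, realm, password)
    h2 = md5_hex(method, url)                 # H2 = hash(method, URL)
    return md5_hex(h1, nonce, h2)             # H3 = hash(H1, server nonce, H2)

class DigestServer:
    def __init__(self, users):
        # Constructed user table. The server keeps H1 (a password-equivalent
        # secret, so it still needs protecting), not the cleartext password.
        self.h1_by_user = {u: md5_hex(u, REALM, p) for u, p in users.items()}
        self.live_nonces = set()

    def challenge(self):
        """401 response: fresh random nonce (the realm is the constant REALM)."""
        nonce = secrets.token_hex(16)
        self.live_nonces.add(nonce)
        return nonce

    def verify(self, username, method, url, nonce, response):
        """Recompute H3 and compare. Each nonce is accepted once, so a captured
        H3 cannot be replayed, and H2 ties H3 to this method and URL."""
        if nonce not in self.live_nonces:
            return False
        self.live_nonces.discard(nonce)
        h1 = self.h1_by_user.get(username)
        if h1 is None:
            return False
        expected = md5_hex(h1, nonce, md5_hex(method, url))
        return secrets.compare_digest(expected, response)

def run_exchange(username, password, method="GET", url="/index.html"):
    """Whole exchange, then a replay of the same H3: returns (first_ok, replay_ok)."""
    server = DigestServer({"alice": "s3cret"})      # constructed account
    nonce = server.challenge()
    h3 = digest_response(username, password, REALM, method, url, nonce)
    return (server.verify(username, method, url, nonce, h3),
            server.verify(username, method, url, nonce, h3))
```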
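The hidden-field price problem from slides 8 and 9, as an added example (not the Dansie cart's code and not from the lecture): a constructed POST body with the form's fields and the price edited to 2.00, handled first the way the advisory describes and then with the price looked up server-side. The catalog is constructed.

```python
from decimal import Decimal
from urllib.parse import parse_qs

# Constructed server-side catalog: the authoritative price lives here, not in the form.
CATALOG = {"Black leather purse": Decimal("20.00")}

# Constructed POST body with the same fields as the slide-8 form, price edited to 2.00.
TAMPERED_POST = ("name=Black+leather+purse&price=2.00&sh=1&img=purse.jpg"
                 "&custom1=Black+leather+purse+with+leather+straps&add=Put+in+Shopping+Cart")

def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body, first value per field."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def cart_price_vulnerable(form: dict) -> str:
    """Pattern from the advisory: the price is whatever the hidden field says."""
    return str(Decimal(form["price"]))

def cart_price_fixed(form: dict) -> str:
    """Hidden fields are client-controlled input. Accept only the item identity,
    look the price up server-side, and reject anything not in the catalog."""
    price = CATALOG.get(form.get("name", ""))
    if price is None:
        raise ValueError("unknown item")
    return str(price)
```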
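Both token designs from slides 12 and 13, plus the FatBrain lesson from slide 14, as one added example that is not from the lecture: Option #1 is an unpredictable CSPRNG handle backed by a server-side table (not a sequence number), Option #2 is a self-describing token protected by HMAC(server key, token) with SHA-256 assumed as the HMAC hash, and a server-side revocation set is checked on every request so logout invalidates unexpired tokens. The key and helper names are constructed.

```python
import base64, hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)   # constructed; would come from a secret store

# Option #1: the token is just an unpredictable handle; all state is server-side.
SESSIONS = {}
def issue_random_token(user_id):
    token = secrets.token_urlsafe(32)   # CSPRNG output, not a guessable sequence number
    SESSIONS[token] = {"user": user_id, "login_time": time.time()}
    return token

def lookup_random_token(token):
    return SESSIONS.get(token)          # the per-request store lookup slide 12 warns about

# Option #2: token = [user ID, expiration, rights] plus HMAC(server key, token).
REVOKED = set()
def b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()

def issue_signed_token(user_id, rights, ttl=3600, now=None):
    now = time.time() if now is None else now
    payload = json.dumps({"uid": user_id, "exp": now + ttl, "rights": rights}).encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return b64(payload) + "." + b64(tag)

def verify_signed_token(token, now=None):
    """Returns the claims, or None if the tag, expiry or logout check fails."""
    now = time.time() if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = base64.urlsafe_b64decode(p64), base64.urlsafe_b64decode(t64)
    except ValueError:
        return None
    if not hmac.compare_digest(hmac.new(SERVER_KEY, payload, hashlib.sha256).digest(), tag):
        return None                     # client edited uid/exp/rights: tag no longer matches
    claims = json.loads(payload)
    if claims["exp"] <= now or token in REVOKED:
        return None                     # expired, or logged out before expiry
    return claims

def logout(token):
    REVOKED.add(token)                  # the residual server-side state slide 13 mentions

def edit_payload_keeping_tag(token, **changes):
    """Test helper: change claims without the key, leaving the old tag in place."""
    p64, t64 = token.split(".")
    claims = json.loads(base64.urlsafe_b64decode(p64))
    claims.update(changes)
    return b64(json.dumps(claims).encode()) + "." + t64
```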

