
Web Security (cont.)






Presentation Transcript


  1. Web Security (cont.)

  2. Referral issues
     - HTTP referer (originally "referrer"): HTTP header that designates the calling resource
       - the page on which a link is clicked
       - the page that shows an image
     - Usage
       - pay for referral
       - limit access to certain pages (e.g. login pages)
       - limit deep linking (e.g. bypassing advertising)
       - limit CSRF
     - Risks: spam (if referral is rewarded) and spoofing; sensitive information (e.g. a session ID) in the query string
  3. Redirection
     - HTTP uses redirection for
       - similar domain names
       - moved sites
       - referral masking: before leaving a site, redirect through a less sensitive page
     - Implementation: several methods; usually a 3xx HTTP status (e.g. 301 or 302) followed by a Location header
     - Malicious uses
       - phishing
       - ad clicking and other malicious sites
  4. XSS – Cross Site Scripting
     - Attacker, target, web server scenario: the target executes a client-side script crafted by the attacker
     - Types
       - Reflected: browser to server to the same browser
       - Stored: browser to server to any browser
       - DOM: does not necessarily reach the web server
     - Delivery: reflected or stored. DOM is typically reflected.
  5. XSS DOM
     - DOM – Document Object Model: the objects in a page
     - Examples: document.URL, document.location, document.cookie, document.referrer
     - JavaScript can access and manipulate these objects and their properties
     - Problems
       - the HTML page can be static (independent of parameters)
       - the script in the page runs on DOM objects
  6. XSS DOM (cont.)
     - The XSS attack may not reach the server, so server-side filtering won't detect the attack
     - URL format: http://domain/path?query#fragment
     - The fragment does not reach the server
  7. Example – DOM XSS I
     Welcome page (deliberately vulnerable: it writes whatever follows "name=" in the URL straight into the document):

       <HTML>
       <TITLE>Welcome!</TITLE>
       Hi
       <SCRIPT>
       var pos = document.URL.indexOf("name=") + 5;
       document.write(document.URL.substring(pos, document.URL.length));
       </SCRIPT>
       <BR>
       Welcome to our system…
       </HTML>
  8. Example – DOM XSS II
     - Attack that doesn't go through the server:
       www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
     - What happens if the JavaScript checks that all characters in name are alphanumeric? Here is an attack:
       http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>&name=Joe
     - Defenses: manipulate the objects in server-side scripts and sanitize them there, or sanitize carefully in the client-side script.
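The two slide-8 bypasses can be checked offline. The following is an added example (not from the slides): it mirrors the slide-7 extraction logic in Python, shows what the server actually receives, and contrasts it with a parse that takes only the name parameter, validates it and escapes it. The URL samples are the slide's; the alphanumeric pattern and the 40-character limit are assumptions.

```python
import html
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def vulnerable_extract(url: str) -> str:
    """Mirror of the slide-7 script: document.URL.indexOf("name=") + 5 to the end.
    find() matches the first "name=", which is also inside "notname=", and it
    searches the fragment, which the server never sees."""
    pos = url.find("name=") + 5
    return url[pos:]


def server_sees(url: str) -> str:
    """The URL as it reaches the server: everything up to the '#' fragment."""
    return urlsplit(url)._replace(fragment="").geturl()


# Assumed validation rule for a display name: short and alphanumeric only.
NAME_RE = re.compile(r"[A-Za-z0-9]{1,40}")


def safe_extract(url: str) -> Optional[str]:
    """Parse the query properly, use only the 'name' parameter, validate it,
    and HTML-escape it before it is written into the page."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("name", [])
    if len(values) != 1 or not NAME_RE.fullmatch(values[0]):
        return None
    return html.escape(values[0])


if __name__ == "__main__":
    frag = "http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>"
    notname = ("http://www.vulnerable.site/welcome.html"
               "?notname=<script>alert(document.cookie)</script>&name=Joe")
    for u in (frag, notname):
        print("written by slide-7 script:", vulnerable_extract(u))
        print("server receives:          ", server_sees(u))
        print("safe parse gives:         ", safe_extract(u))
```

Running it shows that the fragment attack leaves the server with a clean URL to filter, and that the notname trick passes an alphanumeric check on name while the vulnerable script still writes the script tag.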
  9. Browser separation model
     - Separation from the OS: scripts cannot manipulate data and processes outside the browser context, e.g. local files
     - Same origin policy: separation of domains
       - Suppose two pages interact: if the host name matches, i.e. www.cse.bgu.ac.il (possibly with other matches such as the port number), then the pages interact
       - A page can set document.domain to a higher domain, e.g. bgu.ac.il
       - Two pages with the same domain can interact (but all others with the same domain can also interact)
  10. More on same origin
     - Behavior on high-level domains (.com) is not defined
     - Behavior on file:// is not defined; depending on the browser (e.g. all IE versions), local files may access other local files
     - Same origin for cookies: based on identical host name; may be changed by the DOMAIN or PATH attributes
     - There are similar same-origin requirements for Flash, Java and other technologies
     - What's not subject to same origin: multimedia (<IMG SRC="..."> or <BGSOUND SRC="...">) and remote scripts
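The origin comparison and the document.domain relaxation of slides 9 and 10, as an added example that is not part of the slides. It compares scheme, host and effective port (the modern rule; the slide mentions host and possibly port), requires both pages to have set document.domain to the same parent domain (an assumption matching current browsers), and refuses the high-level domains whose behavior the slide calls undefined. PUBLIC_SUFFIXES is a constructed stand-in for the real public-suffix list.

```python
from typing import Optional
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
# Constructed, deliberately tiny stand-in for the public-suffix list; setting
# document.domain to one of these is refused (slide 10: behavior undefined).
PUBLIC_SUFFIXES = {"com", "il", "ac.il"}


def origin(url: str) -> tuple:
    """The (scheme, host, effective port) triple the same-origin policy compares."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or DEFAULT_PORTS.get(p.scheme))


def same_origin(url_a: str, url_b: str) -> bool:
    return origin(url_a) == origin(url_b)


def valid_domain_relaxation(host: str, new_domain: str) -> bool:
    """document.domain may be set only to the host itself or a parent of it,
    and never to a public suffix."""
    if new_domain in PUBLIC_SUFFIXES:
        return False
    return host == new_domain or host.endswith("." + new_domain)


def can_interact(url_a: str, domain_a: Optional[str],
                 url_b: str, domain_b: Optional[str]) -> bool:
    """Pages interact if they share an origin, or if both relaxed document.domain
    to the same valid parent domain. Note the slide's caveat: every other page
    under that parent domain that does the same can then interact with them too."""
    if same_origin(url_a, url_b):
        return True
    if domain_a is None or domain_b is None or domain_a != domain_b:
        return False
    return (valid_domain_relaxation(urlsplit(url_a).hostname, domain_a)
            and valid_domain_relaxation(urlsplit(url_b).hostname, domain_b))
```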
  11. SQL Injection

  12. SQL
     - Common database language
     - A database is organized in a schema; data is organized in tables; tables are organized in rows of data fields
     - SQL enables table creation, data insertion and deletion, and queries to the database
     - Implementation issues and checks are outside the scope of the language
  13. Tidbits of SQL syntax
     Table creation:
       CREATE TABLE users (
         UserName VARCHAR(50),
         CreditCard VARCHAR(30),
         ExpirationDate VARCHAR(8),
         PRIMARY KEY (UserName)
       );
     Row insertion:
       INSERT INTO users (UserName, CreditCard) VALUES ('Bob', '6510….');
  14. More syntax
     Deletion:
       DELETE FROM users WHERE UserName = 'Bob';
       DROP TABLE users;
  15. SQL queries
       SELECT UserName, CreditCard FROM users WHERE UserName = 'Bob';
     WHERE evaluates a logical statement to true or false:
       SELECT UserName, CreditCard FROM users WHERE UserName = 'Bob' AND ExpirationDate < $date;
  16. More queries
     Queries can be prepared in statements, which are executed by parameter; here the parameter is concatenated into the statement text:
       statement = "SELECT UserName, CreditCard FROM users WHERE UserName = '" + userName + "';"
  17. Usage scenario in web server
     - E-commerce web server stores user data in an SQL database
     - Registration process: the user enters a name and credit card number; the database adds a row
     - Shopping process
       - user authenticates to the web server (e.g. TLS and HTTP authentication)
       - user selects products
       - database retrieves user data and the web server shows it to the user
       - user clicks "buy" and the process ends
  18. Example continued
     - Username passed by the browser in http://www.site.com/store/username.asp?username=Bob
     - Attack: http://www.site.com/store/username.asp?username=' or '1'='1
     - SQL interprets this as
       SELECT UserName, CreditCard FROM users WHERE UserName = '' or '1'='1';
       and WHERE evaluates to true (for every row).
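The slide-16 concatenation and the slide-18 attack run against a real table, as an added example that is not part of the slides. It uses Python's built-in sqlite3 with the users table from slide 13, constructed sample rows, the slide's injected value, and the fix the slides point at: passing the username as a bound parameter instead of as SQL text.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """In-memory database with the slide-13 table and two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (UserName VARCHAR(50), CreditCard VARCHAR(30), "
        "ExpirationDate VARCHAR(8), PRIMARY KEY (UserName))"
    )
    # Constructed sample data, not real card numbers.
    conn.executemany(
        "INSERT INTO users (UserName, CreditCard) VALUES (?, ?)",
        [("Bob", "6510-0000"), ("Alice", "4111-0000")],
    )
    return conn


def lookup_concat(conn: sqlite3.Connection, user_name: str) -> list:
    """Vulnerable: the slide-16 pattern, user input pasted into the SQL text.
    The input ' or '1'='1 turns the WHERE clause into one that is true for every row."""
    statement = ("SELECT UserName, CreditCard FROM users WHERE UserName = '"
                 + user_name + "';")
    return conn.execute(statement).fetchall()


def lookup_param(conn: sqlite3.Connection, user_name: str) -> list:
    """Fixed: the value is bound as a parameter, so quotes in it are data, not syntax."""
    return conn.execute(
        "SELECT UserName, CreditCard FROM users WHERE UserName = ?", (user_name,)
    ).fetchall()


if __name__ == "__main__":
    db = setup_db()
    injected = "' or '1'='1"          # the slide-18 username value
    print("concat, Bob:     ", lookup_concat(db, "Bob"))
    print("concat, injected:", lookup_concat(db, injected))   # every row leaks
    print("param, injected: ", lookup_param(db, injected))    # no such user
```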