Cookies
COEN 351 E-commerce Security
Client / Session Identification
HTTP Headers
Client IP Address
HTTP User Login
FAT URLs
Cookies
Client / Session Identification
HTTP Header fields:
"From": User's email address (request header). Could be sent by all browsers, but is only used by web-bots gathering data.
"User-Agent": User's browser software (request header).
"Referer" (sic): Page the user came from by following a link.
Client / Session Identification
HTTP Header fields:
"Authorization": User name and password.
"Client-ip", "X-Forwarded-For": Client IP address.
"Cookie"
Client / Session Identification
User-Agent: Gives the server information about the browser.
Client / Session Identification
Client IP Address
Not part of the HTTP header.
Available from the packet.
Easily spoofed.
Changed by NATs and proxies.
Client / Session Identification
HTTP login based on WWW-Authenticate and Authorization headers.
1. Browser requests page with GET.
2. Server answers with: 401 Login Required, WWW-Authenticate: Basic realm="joe"
3. Browser resends GET request, adds Authorization: Basic am98re45
4. Server fulfills request.
5. Browser now will resend the stored user name with every request.
Client / Session Identification
Fat URL
Maintain state information in the URL. Server generates a session id. Server adds the session id to all URLs requested from the hyperlink. Amazon.com uses this technique.
http://www.amazon.com/exec/obidos/subst/home/home.html/103-6082309-4209430
http://www.amazon.com/exec/obidos/ASIN/0439784549/ref=s9_ts_r/103-6082309-4209430
http://www.amazon.com/gp/cart/view.html/ref=ord_cart_shr/103-6082309-4209430
Cookies
Cookies: ASCII strings stored at the browser. Submitted with each request to a target website.
Cookies
Session cookies: Stored only for the duration of a web session.
Persistent cookies: Remain stored until they expire.
Cookies
Cookie-Jar: Client-side state storage.
Netscape / Firefox store cookies in a single text file called cookies.txt.
MS IE stores cookies in the cache.
Cookies
Server specifies an optional domain. The cookie gets sent with all requests to this domain.
Server specifies an optional expiration date.
Server can specify the "secure" option: the cookie is only sent when using SSL.
Cookies
Version 0 cookies (Netscape cookies)
Set-Cookie: name=value [;expires=date] [;path=path] [;domain=domain] [;secure]
Set-Cookie: customer=Mary; expires=Wednesday, 09-September-2006 24:00:01 GMT; domain="scu.edu"; path=/soe; secure
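As an added illustration (not from the slides), a small Python parser for the Version 0 Set-Cookie format above, combined with the domain / path / secure rule from the previous slide to decide whether the browser attaches the cookie to a given request. The header string and URLs are constructed; the default path of "/" is a simplification.

```python
from urllib.parse import urlsplit

def parse_set_cookie(header):
    """Parse a Version 0 (Netscape) Set-Cookie header into a dict.
    The first name=value pair is the cookie itself; the rest are attributes."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "secure": False,
              "domain": None, "path": "/", "expires": None}  # "/" default is a simplification
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        val = val.strip().strip('"')
        if key == "secure":
            cookie["secure"] = True
        elif key in ("domain", "path", "expires"):
            cookie[key] = val
    return cookie

def domain_matches(host, cookie_domain):
    """Netscape rule: the cookie domain matches the host itself or any
    subdomain of it (scu.edu matches www.scu.edu but not notscu.edu)."""
    host = host.lower()
    cookie_domain = cookie_domain.lower().lstrip(".")
    return host == cookie_domain or host.endswith("." + cookie_domain)

def should_send(cookie, url):
    """Decide whether the browser attaches this cookie to a request for url."""
    u = urlsplit(url)
    if cookie["secure"] and u.scheme != "https":
        return False  # 'secure' cookies travel only over SSL/TLS
    if cookie["domain"] and not domain_matches(u.hostname or "", cookie["domain"]):
        return False
    return (u.path or "/").startswith(cookie["path"])

# Constructed header, modelled on the slide's Set-Cookie example
HEADER = ('customer=Mary; expires=Wednesday, 09-September-2006 24:00:01 GMT; '
          'domain="scu.edu"; path=/soe; secure')
```

Expiry is parsed but not enforced here; a real cookie jar would also drop the cookie once the expires date has passed.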
Cookies
Version 1 cookies (RFC 296): less used; provides a number of extensions.
Cookies
Privacy risk
Can be controlled by the web browser.
Used to track consumer behavior.
Harder, but possible, to track an individual user.
Cookies
Security Risk
Users can change cookies before continuing to browse. Counter-measure: strong encryption.
Users could swap / steal cookies, e.g. when used for authentication: Session Hijacking.
Cookies
Session Hijacking
Counter-measure:
Server needs to send a new cookie after every change in state and verify that a request comes with a valid cookie.
For example, by appending a MAC of session state to the cookie after each change of state.
Cookies
Poor practices: Poor encryption of cookies.
Web-based email uses a cookie for authentication. Cookie contains the user name encrypted by XOR-ing with a secret string. Attacker can crack the cookie encryption by creating fake accounts. Attacker can now craft a cookie useful for authentication. Something similar happened to Hotmail and Yahoo early on.
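Added example, not from the lecture, tying this slide to the MAC counter-measure from the session-hijacking slide: the XOR scheme leaks its secret to anyone who knows one plaintext/cookie pair (such as an account they registered themselves), whereas an HMAC appended to the session state lets the server reject any cookie it did not issue. The secrets, user names, session state and the names `SECRET_XOR`, `SECRET_MAC`, `xor_cookie`, `mac_cookie` and `verify_cookie` are constructed for this example.

```python
import hashlib
import hmac
import os

# Poor practice: "encrypt" the user name by XOR-ing it with a secret string
SECRET_XOR = b"c0en351secret!!!"   # constructed server secret, reused for every user

def xor_cookie(username: bytes) -> bytes:
    """Insecure: cookie = username XOR secret (secret repeated as needed)."""
    return bytes(b ^ SECRET_XOR[i % len(SECRET_XOR)] for i, b in enumerate(username))

def recover_xor_secret(known_username: bytes, its_cookie: bytes) -> bytes:
    """Why it fails: XOR-ing a known user name with its own cookie gives back
    the secret byte-for-byte (a known-plaintext recovery). A self-registered
    account is all the knowledge needed."""
    return bytes(a ^ b for a, b in zip(known_username, its_cookie))

# Counter-measure: append a MAC of the session state, re-issued on every state change
SECRET_MAC = os.urandom(32)        # per-deployment key, never leaves the server

def mac_cookie(state: bytes) -> bytes:
    """cookie = state '.' hex(HMAC-SHA256(key, state))."""
    tag = hmac.new(SECRET_MAC, state, hashlib.sha256).hexdigest().encode()
    return state + b"." + tag

def verify_cookie(cookie: bytes):
    """Return the trusted state, or None if the tag is missing or does not match."""
    state, sep, tag = cookie.rpartition(b".")
    if not sep:
        return None
    expected = hmac.new(SECRET_MAC, state, hashlib.sha256).hexdigest().encode()
    # constant-time comparison so timing does not leak how many bytes matched
    return state if hmac.compare_digest(tag, expected) else None
```

Note that the MAC protects integrity, not confidentiality: anything in the state is still readable by the user, so secrets belong server-side and only an opaque session id or MAC-protected state goes into the cookie.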
Cookies
Poor practices: Poor encryption of cookies.
Shopping cart encoded in a cookie. Cookie contained shopping cart details in plain text. Attacker changed prices of items.
Relying on a cookie for authentication. Cookie is sniffed from the net. Cookie is stolen by impersonating a website.
Cookie Alternative: Web Bugs
Used to track viewers of websites. HTML page contains a request to download a resource from a "counting" site.
The resource is so small that the viewer does not notice the download.
Counting site receives the request and adds the IP address to its user database.
Cookie Alternative: Web Bugs
Examples: Found by the Privacy Foundation on Intuit's home page for Quicken.com several years ago.
<img src="http://ad.doubleclick.net/ad/pixel./quicken/NEW" width=1 height=1 border=0>
<IMG WIDTH=1 HEIGHT=1 border=0 SRC="http://media.preferences.com/ping?ML_SD=IntuitTE_Intuit_1x1_RunOfSite_Any&db_acfr=4B31-C2FB-10E2&event=reghome&group=register&time=1999.10.27.20.56.37">
Cookie Alternative: Web Bugs
Can be embedded in any HTML code:
User profiles written in HTML.
Email messages, but only when read with a client that can display HTML messages and on a computer connected to the internet.
Usenet messages.