Skip to main content

Internet Security

Internet Threat Models

  • The attacker isn't in control of the network
  • Attacker hasn't got access to the target OS

Cookies

  • HTTP is a stateless protocol
  • Most of what we do online is stateful
  • Cookies are small text files used to provide persistence
  • Servers can provide cookies during HTTP responses, using Set-Cookie
  • Browsers will return any cookies for a given domain in GET and POST request

Types

  • Session - Deleted when the browser exists, contain no expiration date
  • Persistent - Expire at a given time
  • Secure - Can only be used over HTTPS
  • HTTPOnly - Inaccessible from JS
  • Also have 3rd party cookies - which are associated with other websites

Vulnerabilities

Cookie stealing/hijacking - Gaining access to the information stored in a cookie, allowing them to impersonate the user and potentially gain unauthorised access to accounts or data

Cookie poisoning - Modifying or tampering with a cookie, often to inject malicious code or data, which can lead to a variety of security vulnerabilities.

Cross-site Scripting (XSS)

  • Type of injection attack, similar in many ways to an SQL injection
  • HTML is read by a browser, and is a combination of content(text) and structure(html tags)
  • Can inject html structures into the content of a website, the browser will simply execute these - e.g. <script> tags

Reflected XSS - Malicious URL that inserts an exploit directly into the page returned by a server Persistent XSS - Any website that doesn't properly sanitise html tags from user input is vulnerable. Blog posts with comment sections are obvious targets.

Preventing XSS

Websites must aggressively escape HTML characters from any user input/output

Forgery (XSRF)

  • When a user puts in an HTTP request, they will also send any relevant session cookies e.g. SID from having logged in
  • If the user has already authenticated, a malicious URL can then perform some action on their account
  • Can use synchroniser tokens to prevent these kinds of attacks. Each website form has a one-time token that the server validates when the form is submitted