Web Technologies

Computer Security

Lecture 9

Tom Chothia

Transport Layer Security (TLS)

The core protocol goes:

1. C S : NC

2. S C : NS , CertS

3. C S : ES(K_seed), SignC(Hash1), {Hash2}KCS

4. S C : {Hash3}KCS

Hash 1 = #(NC,NS, ES(K_seed))

Hash 2 = #(NC,NS, ES(K_seed), SignC(Hash1) )

Hash 3 = #(NC,NS, ES(K_seed), SignC(Hash1), {Hash2}KCS )

Transport Layer Security (TLS)

The core protocol goes:

1. C S : NC

2. S C : NS , CertS

3. C S : ES(K_seed), SignC(Hash1), {Hash2}KCS

4. S C : {Hash3}KCS

Hash 1 = #(NC,NS, ES(K_seed))

Hash 2 = #(NC,NS, ES(K_seed), SignC(Hash1) )

Hash 3 = #(NC,NS, ES(K_seed), SignC(Hash1), {Hash2}KCS )

TLS with no Authentication• Create a SSLServerSocketFactory using sockFact=SSLServerSocketFactory.getDefault();

• Create a SSLServerSocket:secSock=sockFact.createServerSocket(portNo)

• Set the Ciphers:secSocket.setEnabledCipherSuites(ciphers);

• Listen on the socket for an encrypted connection:socket = (Socket) secSocket.accept();

Cipher Suites

Cipher Suites with encryptions and authentication:

SSL_RSA_WITH_3DES_EDE_CBC_SHA

SSL_RSA_WITH_DES_CBC_SHA

SSL_RSA_WITH_RC4_128_MD5

SSL_RSA_WITH_RC4_128_SHA

TLS_DHE_DSS_WITH_AES_128_CBC_SHA

TLS_DHE_DSS_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_KRB5_EXPORT_WITH_DES_CBC_40_MD5

TLS_KRB5_EXPORT_WITH_DES_CBC_40_SHA

...

Cipher Suites with just authentication:

SSL_RSA_WITH_NULL_MD5

SSL_RSA_WITH_NULL_SHA

Cipher Suites with just encryptions:

SSL_DH_anon_EXPORT_WITH_DES40_CBC_SHA

SSL_DH_anon_EXPORT_WITH_RC4_40_MD5

SSL_DH_anon_WITH_3DES_EDE_CBC_SHA

SSL_DH_anon_WITH_DES_CBC_SHA

SSL_DH_anon_WITH_RC4_128_MD5

TLS_DH_anon_WITH_AES_128_CBC_SHA

TLS_DH_anon_WITH_AES_256_CBC_SHA

Encryption Demo

Public key infrastructure (PKI)

X.509 certificates are an example of a PKI. Bad point: you need to pay a trusted third party.

Another system is known as “web of trust”

This lets you sign the public keys of any of your friends.

Then anyone that trusts you learns all of your friend’s keys.

This Lecture

Some basic building blocks of the web:

• HTTP: HyperText Transfer Protocol

• HTML: HyperText Markup Language

• JavaScript

• JSP: Java Server Pages

• SQL: Structured Query Language

Uniform Resource Locators

Protocol Host FilePath

Query String

http://www.cs.bham.ac.uk/index.html?field1=valuea&field2=value2

HTTP

• HyperText Transfer Protocol

• Used to request and deliver webpages.

• Includes:• Set of basic commands• Header fields• Status codes

GET and POST

Key HTTP commands:

• GET: requests a resource, e.g. a webpage in HTTP

• POST: submits data to the server. e.g. from a form on a webpage.

Get demo on www.cs.bham.ac.uk

Example

laptop:~ laptop$ telnet www.cs.bham.ac.uk 80

Trying 147.188.192.42...

Connected to www.cs.bham.ac.uk.

Escape character is '^]'.

GET /index.php

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="en">

<head>

The burp Proxy

The burp Proxy lets you monitor and pause an Internet connection.

http://portswigger.net/burp/proxy.html

Use it to look at your clients HTTP messages:1. Run proxy (it opens port 8080),

2. Tell web client to use the proxy

3. See the messages

Demo with proxy

Note the header fields

Headers fields

These provide extra information, e.g.

Host: <host name> is compulsory for HTTP 1.1,

GET /index.php HTTP/1.1

Host: www.cs.bham.ac.uk

Other

Headers

Fields

Cookie: gives a “cookie”

Accept: data types client can handle, e.g. Accept: text/plain

Content-Length: length of message in bytes.

Full list at: http://en.wikipedia.org/wiki/List_of_HTTP_headers

Cookies

• Cookies let you store a string on the client.

• This can be used to– Identify the user, – (cookie given out after login)

– Store user name, preferences etc.

– Track the user: time of last visit, etc.

How many cookies are in your browser?

Headers and Bodies

HTTP responses are made up of a header and a body:

• The header includes a reply code to tell the client what has happened.

• The body is the resource, e.g. the webpage

Status Codes

• 2--: Success• 200 OK: the request worked• 201 Created: request worked and server

has created a new resource• 204 No Context: request worked but

there is nothing to return.• …

Status Codes

• 3--: Redirection• 301 Moved Permanently: Website has

moved

• 4--: Client Error• 400 Bad Request: syntax error• 401 Unauthorized: needs a cookie?• 403 Forbidden: No access allowed

Status Codes

• 5--: Server Error• 500 Internal Server Error: general

error message• 501 Not Implemented: command not

supported

Full list of status codes at:

http://en.wikipedia.org/wiki/List_of_HTTP_status_codes

Examplelaptop:~ laptop$ telnet www.google.co.uk 80

Trying 173.194.37.104...

Connected to www.l.google.com.

Escape character is '^]'.

GET / HTTP/1.1

Host:www.google.co.uk

HTTP/1.1 200 OK

Date: Wed, 03 Nov 2010 13:07:18 GMT

Expires: -1

Cache-Control: private, max-age=0

Content-Type: text/html; charset=ISO-8859-1

Set-Cookie: PREF=ID=e5e59d5c56d4f722:FF=0:TM=1288789638:LM=1288789638:S=qb0MGMEGVmqC7eu0; expires=Fri, 02-Nov-2012 13:07:18 GMT; path=/; domain=.google.co.uk

OTHER COMMANDS

HEAD like GET but only gets header

PUT uploads resource to server

DELETE deletes resource from server

TRACE echoes back message

OPTION returns supported HTTP

CONNECT used for tunnelling TCP

PATCH partially modify resource

Hypertext Markup LanguageHTML

Tags tell browser how to display text:

<b>hello</b> bob = hello bob

Links: <a href=“url”>link</a>

Web Pages

Server

HTMLfile

HTTP GET

HTML HTTP file

Client

HTML

Display

HTML Forms

<form action=”http://site.com/index.jsp” method=”GET”>

Email: <input type="text" name="email”>

<input type="submit" value="Submit">

</form>

http://site.com/index.jsp?email=x@y.com

JavaScript

JavaScript is a language for web pages, that will run on the client.

It can be added to any HTML file.

When the client loads the HTML it executes the JavaScript.

It’s not Java, but is kind of like it.

Why Use JavaScript?

Shift computation onto the client.

Personalise web pages to the reader.

Form validation

Keeping track of users: cookies.

Pop-up, alerts, new windows ....

Hello World in JavaScript:

• Put the JavaScript in a HTML web page.

• Put JavaScript between the HTML tags <script> ... </script>

• The print command in JavaScript is: document.write(<String>);

• HTML between the <noscript> ... </noscript> will be run if JavaScript is not enabled.

JavaScript examples

w3Schools

Client

JavaScript

Server

HTML +J.S. file

HTTP GET

HTML&JS HTML&JSHTTP file

Display

JS interpreter

JavaServer Pages (JSP)

JavaServer Pages lets you write dynamic webpages using Java.

You can put the Java in a HTML file.

The Java code will be run on the server every time a page is requested.

To run JSP you need to use a compatible webserver, e.g. Tomcat, Glassfish.

JSP

JSP files end with .jsp

Info bar at top with imports etc.

Place Java code inside <% %>

All other code is normal HTML

Only runs in a container• (easy with Netbeans)

JSP Hello world

JSP

Server HTTP GET

HTMLHTTP file

Java code “Servlet”

HTML +Java file

Client

HTML

Display

JSP random number page in netbeans(WebApp3)

SQL

• To store data about users and content, most website will use a SQL database.

• This is a standard database format, which you should know.

• See e.g.: http://www.w3schools.com/

sql/default.asp

Some Key SQL Commands

SELECT LastName FROM namesTable

WHERE FirstName=‘Fred’

INSERT INTO namesTable VALUES

(‘John’,‘Smith’)

DROP TABLE namesTable

SQL with JSP

Show exercise code e.g. contact.jsp

A typical web set up

Server HTTP GET cookieHTMLHTTP file

Java code “Servlet”

JSP

Client

HTML

Display

SQL

Typical Web Setup

HTTP website:<form action=”http://site.com/index.jsp” method=”GET”>

Email: <input type="text" name="email”>

<input type="submit" value="Submit">

</form>

http://site.com/index.jsp?email=x@y.com

Users browser:

Typical Web Setup

http://site.com/index.jsp?email=x@y.com

JSP page reads and processes:

…email=request.getParameter(”email");

stmt.execute(“INSERT INTO table

VALUE(‘“+id+”’,‘“+email+”’);

%>

<b>Your e-mail has been added</b>

Other Popular Web Technologies

PHP: plays a similar role to JSP

CGI: like JSP but with Perl instead of Java

ASP: Microsoft’s version of JSP

AJAX: Asynchronous Javascript And XML

Next 2 lectures:

Next 2 lectures:

How this all goes wrong.

Next 2 lectures:

How this all goes wrong.

In particular: • Stealing cookies,

• SQL injection,

• Cross site scripting attacks (XSS),

• Cross-site request forgery (CSRF).