introduction to network security
play

Introduction to Network Security Chapter 10 Web Security Dr. Doug - PowerPoint PPT Presentation

Jan 11, 2024 •332 likes •1.09k views

Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics WWW HTTP: Hyper Text Transfer Protocol HTTP Security HTML Protocol HTML Security

  1. Introduction to Network Security Chapter 10 Web Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009

  2. Topics • WWW • HTTP: Hyper Text Transfer Protocol • HTTP Security • HTML Protocol • HTML Security • Server Side Security • Client Side security • General Countermeasures Dr. Doug Jacobson - Introduction to 2 Network Security - 2009

  3. World Wide Web World Wide Web Link to another Document URL URL (Document Location) Dr. Doug Jacobson - Introduction to 3 Network Security - 2009

  4. 4 World Wide Web Dr. Doug Jacobson - Introduction to Network Security - 2009

  5. 5 Web Client/Server Dr. Doug Jacobson - Introduction to Network Security - 2009

  6. HTTP • Hypertext Transfer Protocol • Simple command/response protocol • ASCII based commands • Typically a new connection for each command/response exchange • Server runs on port 80 default Dr. Doug Jacobson - Introduction to 6 Network Security - 2009

  7. 7 HTTP Request & Response Dr. Doug Jacobson - Introduction to Network Security - 2009

  8. HTTP Requests • Three parts: – Request line – Headers – Blank line – Body (optional) • Request line looks like this: Request type <sp> URL <sp> HTTP version Example: GET http://www.ibm.com HTTP/1.1 More on request types later Dr. Doug Jacobson - Introduction to 8 Network Security - 2009

  9. URL • Uniform Resource Locator • A URL follows this format: method://host:port/path • The host can be a machine name or IP address • The port must be specified if the server is running on a port other than 80. • The path is the directory where data is stored Dr. Doug Jacobson - Introduction to 9 Network Security - 2009

  10. Request Types • GET Many of these types can pose • HEAD security problems, since they • POST involve modifying or deleting • PUT data. • PATCH • COPY Most servers only implement • MOVE the first three types: GET, • DELETE HEAD, POST • LINK • UNLINK • OPTION Dr. Doug Jacobson - Introduction to 10 Network Security - 2009

  11. Request Types Type Action GET Retrieve a document specified by the URL. HEAD Retrieve the headers from the document specified by the URL. (Response does not contain the body.) POST Provide data to the server. PUT Provide new or replacement document specified by the URL. (Disabled) PATCH Provide differences to document specified by the URL in order to change the document. (Disabled) COPY Copy the document specified by the URL to the file specified in the header. (Disabled) MOVE Move the document specified by the URL to the file specified in the header. (Disabled) DELETE Delete the document specified by the URL. (Disabled) LINK Create a link to the document specified in the URL. The name of the link is specified in the header. (Disabled) UNLINK Remove the link specified in the URL. (Disabled) OPTION Ask the server what options are available. Dr. Doug Jacobson - Introduction to 11 Network Security - 2009

  12. Response Message • Four parts: – Status line – Headers – Blank line – Body • The status line looks like this: HTTP version <sp> status code <sp> status phrase Examples: HTTP/1.1 404 File not found HTTP/1.1 200 OK Dr. Doug Jacobson - Introduction to 12 Network Security - 2009

  13. Response Status Codes • Status codes follow a similar format to FTP and SMTP status codes • 3 digit ASCII – 1xx informational – 2xx success – 3xx redirection – 4xx client error – 5xx server error Dr. Doug Jacobson - Introduction to 13 Network Security - 2009

  14. Example Response Codes Code Phrase Meaning 100 Continue First part of the request has been received. The client can continue. 200 OK Successful request 204 No Content The body contains no content 302 Moved permanently The document specified by the URL is no longer on the server. 304 Moved temporarily The document specified by the URL has temporarily moved. 400 Bad request The request contained a syntax error. 401 Unauthorized The authentication failed for the requested document. 403 Forbidden The service requested is not allowed. 404 Not found The document requested is not found. 405 Method not allowed The method requested in the URL is not allowed. 500 Internal server error The server failed. 501 Not implemented The requested action can not be preformed by the server. 503 Service unavailable The request cannot be accomplished right now, try again later. Dr. Doug Jacobson - Introduction to 14 Network Security - 2009

  15. 15 HTTP Headers Dr. Doug Jacobson - Introduction to Network Security - 2009

  16. HTTP Headers • Headers have three parts: – General header – Request or response header, depending on whether the header precedes a request or a response – Entity header • The general header contains the following fields: Header Function Cache-control Used to specify information about the client side cache. Connection Indicates whether the connection should be closed. Date Provides the current date. MIME-version Indicated the MIME version being used. Connection Use to determine connection type. Keep-Alive Used to manage keep-alive connection. Dr. Doug Jacobson - Introduction to 16 Network Security - 2009

  17. HTTP Headers • The Request header may contain the following fields (all are optional): Header Function Accept Indicates which data formats the browser can accept. Accept-charset Indicates the character set(s) the browser can accept. Accept-encoding Indicates what encoding methods the browser can process. Accept-language Indicates what language the browser can accept. From Provides the e-mail of the user on the browser. Host Provides the host and ephemeral port of the browser. Referrer Provides the URL of the linked document. User-agent Provides information about the browser software. Dr. Doug Jacobson - Introduction to 17 Network Security - 2009

  18. HTTP Headers • The response header may contain the following fields Header Function Accept-range Indicates the server accepts the range requested by the browser. Retry-after Indicates the date when the server will be available. Server Provides the server application name and version. Dr. Doug Jacobson - Introduction to 18 Network Security - 2009

  19. HTTP Headers • The entity header may contain the following fields: Header Function Allow Provides a list of methods allowed for the URL. Content-encoding Indicates the encoding method for the document. Content-language Indicates the language of the document. Content-length Indicates the length of the document. Content-location Real name of the document requested. Content-type Indicates the media type of the document. Etag Provides a tag for the document. Last-modified The date the document was last modified. Dr. Doug Jacobson - Introduction to 19 Network Security - 2009

  20. HTTP Summary • Request: • Response: Request line Status line General Header General header Request Header Request header Entity header Entity header Blank line Blank line Optional Body Body • Note: the entity header does not always appear in the request Dr. Doug Jacobson - Introduction to 20 Network Security - 2009

  21. 21 HTTP Protocol Exchange Dr. Doug Jacobson - Introduction to Network Security - 2009

  22. HTTP Request Dr. Doug Jacobson - Introduction to 22 Network Security - 2009

  23. HTTP Response Dr. Doug Jacobson - Introduction to 23 Network Security - 2009

  24. HTTP Request Dr. Doug Jacobson - Introduction to 24 Network Security - 2009

  25. HTTP Response Dr. Doug Jacobson - Introduction to 25 Network Security - 2009

  26. HTTP Request Dr. Doug Jacobson - Introduction to 26 Network Security - 2009

  27. HTTP Response Dr. Doug Jacobson - Introduction to 27 Network Security - 2009

  28. Header Based • Buffer overflow problems • Server can pass HTTP requests to back-end servers and applications so header problems are not just with the WEB server • Some header-based attacks facilitate authentication-based attacks • Accessing hidden pages Dr. Doug Jacobson - Introduction to 28 Network Security - 2009

  29. Protocol Based • Not many protocol based attacks since it is a command/response protocol Dr. Doug Jacobson - Introduction to 29 Network Security - 2009

  30. Authentication Based • This is the most common method of attack in the WEB. • The web server uses HTTP to request user credentials. • Authentication can also be directly with the server side application (to be discussed later) • Authentication is used to access pages within a directory on the server Dr. Doug Jacobson - Introduction to 30 Network Security - 2009

  31. WEB Authentication • Server challenge: – WWW-Authenticate: Basic realm=“Text String" • Client Challenge: – user-ID and password, separated by a single colon (":") character, within a base64 encoded string. For example: – Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== Dr. Doug Jacobson - Introduction to 31 Network Security - 2009

  32. 32 HTTP Authentication Dr. Doug Jacobson - Introduction to Network Security - 2009

  33. 33 HTTP Authentication Dr. Doug Jacobson - Introduction to Network Security - 2009

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Introduction to Network Security Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Security Chapter 5 Physical Network Layer Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Lower Layer Security Physical Layer Overview Common attack methods Ethernet

966 views • 40 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson -

Introduction to Network Security Chapter 5 Physical Network Layer Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Lower Layer Security Physical Layer Overview Common attack methods Ethernet

1.01k views • 80 slides
Introduction to Network Security Chapter 1 Network Architecture Dr. Doug Jacobson -

Introduction to Network Security Chapter 1 Network Architecture Dr. Doug Jacobson -

Introduction to Network Security Chapter 1 Network Architecture Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Chapter Topics Introduction Layered architecture Key terms Protocol Functions OSI model

743 views • 38 slides
Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug

Introduction to Network Security Security Chapter 7 Transport Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics TCP Layer Responsible for reliable end-to-end transfer of application data.

632 views • 32 slides
Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson -

Introduction to Network Security Chapter 6 Network Layer Protocols Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics The network layer IP V4 BOOTP &amp; DHCP IP V6 Common IP countermeasures Dr.

1.88k views • 152 slides
Introduction to Network Security Security Chapter 1 Network Architecture Dr. Doug Jacobson -

Introduction to Network Security Security Chapter 1 Network Architecture Dr. Doug Jacobson -

Introduction to Network Security Security Chapter 1 Network Architecture Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Chapter Topics Introduction Layered architecture Key terms Key terms Protocol

464 views • 19 slides
Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson -

Introduction to Network Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows FTP General Countermeasures

1.48k views • 104 slides
Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson

Introduction to Network Security Security Chapter 11 Remote Access Security Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Remote Access Telnet Rlogin X-Windows X-Windows FTP General

765 views • 52 slides
INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is

INTRODUCTION COMPUTER &amp; NETWORK SECURITY CMSC 414 JAN 25 2018 TODAY What is security? Why is it so hard to achieve? Administrative The security mindset Analyzing a systems security 1. Summarize the system 2.

801 views • 43 slides
Introduction to Network Security Chapter 3 The Internet Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 3 The Internet Dr. Doug Jacobson - Introduction to 1

Introduction to Network Security Chapter 3 The Internet Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics The Internet Addressing Client Server Routing Dr. Doug Jacobson - Introduction to 2 Network

940 views • 24 slides
Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network

Introduction CMSC 414: Computer and Network Security Spring 2016 What is computer &amp; network security? Normally, we are concerned with correctness Does the software achieve the desired behavior? Security is a form of correctness

682 views • 47 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Toward SVOPME: A Scalable Virtual Organization Privileges Management Environment Nanbor Wang

Toward SVOPME: A Scalable Virtual Organization Privileges Management Environment Nanbor Wang

Toward SVOPME: A Scalable Virtual Organization Privileges Management Environment Nanbor Wang &lt;nanbor@txcorp.com&gt; Gabriele Garzoglio &lt;garzoglio@fnal.gov&gt; Balamurali Ananthan &lt;bala@txcorp.com&gt; Steven Timm &lt;timm@fnal.gov&gt; Tanya

861 views • 21 slides
CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M.

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M.

CSGE602055 Operating Systems CSF2600505 Sistem Operasi Week 03: File System &amp; FUSE Rahmat M. Samik-Ibrahim (ed.) University of Indonesia https://os.vlsm.org/ Always check for the latest revision! REV254 27-Oct-2020 Rahmat M.

933 views • 27 slides
Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of

Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of

Semantic Matching of Interaction Rules (Semantischer Abgleich von Interaktionsregeln) Thesis of Matthias Ferdinand 08.07.2002 Structuring Problem Situation Goals and Proceeding B2B E-Commerce with RosettaNet Semantic Web

378 views • 16 slides
Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3

Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3

Fundamentals of Multimedia, Chapter 1 Chapter 1 Introduction to Multimedia 1.1 What is Multimedia? 1.2 Multimedia and Hypermedia 1.3 World Wide Web 1.4 Overview of Multimedia Software Tools 1.5 Further Exploration 1 Li &amp; Drew c

388 views • 18 slides
XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at

XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at

Introduction XML Documents DTDs DOCTYPE Decl. XML and Databases Chapter 1: XML Syntax Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Winter 2019/20 http://www.informatik.uni-halle.de/brass/xml19/ Stefan Brass: XML

1.16k views • 87 slides
L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for

L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for

L11 June 30, 2017 1 Lecture 11: Interacting with the filesystem CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives So far, all the data weve worked with have either been manually instantiated as NumPy arrays

308 views • 9 slides
Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a free and open-source content management system based on PHP and MySQL. It uses a plugin architecture and a template system. It is most

367 views • 17 slides
GN3 eduCONF current status - open issues Rui Ribeiro (FCCN) GN3 eduCONF - TERENA NRENum.net Joint

GN3 eduCONF current status - open issues Rui Ribeiro (FCCN) GN3 eduCONF - TERENA NRENum.net Joint

GN3 eduCONF current status - open issues Rui Ribeiro (FCCN) GN3 eduCONF - TERENA NRENum.net Joint Workshop Amsterdam 19 th March 2013 connect communicate collaborate Videoconference Tipical Situation I need to setup a VC meeting! What

698 views • 25 slides

More recommend