CIS551 notes for March 29
by Huiqing Wen
What security concerns are there on the web?
leaking personal information
integrity: getting data/software from the web
Web scripts, web pages can modify local data
SQL injection/XSS/format string vulnerabilities
Cookies (DoS attack, encode state in the URL/cookie, run server code through the
URL, cookies have no authentication, edit the cookies to cheat the server
because some web sites do not maintain the state of the client)
to talk about
in the later courses
Build a firewall for the cookie (put cookie in your machine to track your private
P3P: feedback about what the server page your browser is looking at.
Agent is optional.
Web server’s security options:
1) It has access control to the web page.
will make sure the request from the allowed browser.
also scans the IP.
To sum up, security requirements are inconsistent in different situations, and it is
satisfy all of them, because of different scripts, browsers and servers.
Hooks could be added to different tags of the HTML.
DOM read the
, and parse
e document structure
and text. It
anchors, links or forms in the Web page document. DOM works as the browser to some
t is easy
information from the DOM.
er Object Model), which could even ask for the window size through the interface
provided by the browser.
A mechanism to maintain
the state of browser and information sent to server
The browser sends the URL to the server. Then the server gets states and
parameters from the URL and maintains the state of the browser.
(Security issue: history record of the URL with secret data)
Browser visits a web server. The related cookies will be sent back to the server. Then the
server could maintain the state of the client.
which make the security issues harder.
Whether to send cookies a
with specific directory or doc tree on the serv
only with the domain.
What could go wrong?
A phishing site checks your cookie and gets your private information. The information of
web sites that do not maintain client state in their local database is easy to attack.
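The cookie problem noted above (no authentication, so an edited cookie can cheat a server that keeps no client state) shown next to one way to detect the edit. This is an added example, not part of the original lecture notes; the function names, the cookie layout and the sample state are constructed for illustration, and HMAC-SHA256 is the technique assumed here.

```python
import hashlib
import hmac
import secrets

# Constructed secret that never leaves the server (assumption for this example).
SERVER_KEY = secrets.token_bytes(32)


def naive_issue(state: str) -> str:
    """Weak form: the cookie is the raw state with no authentication."""
    return state


def naive_read(cookie: str) -> dict:
    """Weak form: whatever the browser sends back is believed."""
    return dict(pair.split("=", 1) for pair in cookie.split("&"))


def signed_issue(state: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC tag so the server can recognise cookies it issued."""
    tag = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    return f"{state}|{tag}"


def signed_read(cookie: str, key: bytes = SERVER_KEY):
    """Return the state dict, or None if the cookie was edited or has no tag."""
    state, sep, tag = cookie.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(key, state.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison; bytes are used so odd client input cannot raise.
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return naive_read(state)


if __name__ == "__main__":
    issued = "user=alice&discount=0"                 # constructed sample state
    edited = issued.replace("discount=0", "discount=90")

    print(naive_read(naive_issue(edited)))            # edited value is accepted
    good = signed_issue(issued)
    print(signed_read(good))                          # genuine cookie is accepted
    print(signed_read(good.replace("discount=0", "discount=90")))  # rejected
```

The tag only shows that the server issued this exact value. A copied cookie is still accepted, so it does not address the phishing case.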
It prohibits web sites from different domains from interacting with one another except in very
coexist on the user’s browser without interfering with each other.