Bits and Bytes of Web Security

Kawee Lokuge
4 min read · Nov 14, 2020

The Internet is simply a network of networks. But several components are glued together to make the internet work. Let’s take a look at these components.

Protocols

Protocols are well-defined rules that cater to different requirements. For example, think of a scenario where two people meet and talk. To understand each other they must speak a language that both understand. In computer networking it is the same: for devices to communicate, they must agree on a set of rules, the protocol. There are many protocols that facilitate various requirements.

IP (Internet Protocol)

Internet Protocol (IP) is a set of rules that governs how computers send data packets to each other.

TCP (Transmission Control Protocol)

TCP is a reliable, connection-oriented protocol that establishes and maintains a network conversation in which web applications exchange data. TCP achieves error detection and recovery through three mechanisms: checksums, acknowledgments, and time-outs. TCP works with IP in internet communication and is used by the HyperText Transfer Protocol (HTTP), the File Transfer Protocol (FTP), and the Simple Mail Transfer Protocol (SMTP).

UDP (User Datagram Protocol)

UDP is a connectionless protocol. It is used by the Domain Name System (DNS), the Trivial File Transfer Protocol (TFTP), and the Dynamic Host Configuration Protocol (DHCP).

IP Address and Port Numbers

IP addresses identify devices on the internet. They can be in either a private or a public address space. An IP address is followed by a port number. Think of the IP address as pointing to your house; ports are like the doors of that house. Applications on different hosts use them to communicate with each other. Typically, one application uses a single port at a given time. The port number allocations are listed below.

  • Well known ports (0–1023)
  • Registered ports (1024–49151)
  • Dynamic, private, or ephemeral ports (49152–65535)

Domain Name System (DNS)

The DNS protocol is used to find the IP address of a domain name. In simpler terms, it lets internet users reach websites through human-readable hostnames rather than numeric IP addresses. Let’s look at this process in more detail through the diagram below.

Querying a web page

The client uses a port number higher than 49152 (one of the dynamic ports). The client sends a message to the DNS server asking for the IP address of google.com. Communication with the DNS server is done over UDP. The DNS server looks up the matching IP address and sends it back to the client. The client then uses that IP address to make a GET request to the Google web server. Web servers typically listen on either port 80 (HTTP) or port 443 (HTTPS).
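As an added example (not code from the original article), the query for google.com described above built by hand in DNS wire format, together with a parser that checks a reply before trusting its answer: the transaction id must match, the echoed question must be the one we sent, and the response code must be success. The reply bytes and the 192.0.2.1 address are constructed sample data, not a real answer for google.com.

```python
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A-record query in RFC 1035 wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1; QDCOUNT=1
    labels = [bytes([len(label)]) + label.encode("ascii") for label in name.split(".")]
    return header + b"".join(labels) + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _skip_name(data, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:             # root label terminates the name
            return off + 1
        off += 1 + length

def parse_a_records(reply, query):
    """Return the IPv4 answers, after checking that the reply really answers our query."""
    _txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", reply[:12])
    if reply[:2] != query[:2]:
        raise ValueError("transaction id mismatch: not a reply to our query")
    if reply[12:len(query)] != query[12:]:
        raise ValueError("question section differs from what we asked")
    if not flags & 0x8000 or flags & 0x000F:
        raise ValueError("not a successful response (QR bit clear or RCODE set)")
    off, addrs = len(query), []         # answers follow the echoed question
    for _ in range(ancount):
        off = _skip_name(reply, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", reply[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, class IN
            addrs.append(socket.inet_ntoa(reply[off:off + 4]))
        off += rdlen
    return addrs

TXID = 0x1234
QUERY = build_query("google.com", TXID)
# Constructed sample reply: same id, flags 0x8180 (QR, RD, RA), one question, one
# answer whose name is a pointer (0xC00C) back to the question and whose address
# is 192.0.2.1 from the documentation range, i.e. not google.com's real address.
SAMPLE_REPLY = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0) + QUERY[12:]
                + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 1]))

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_REPLY, QUERY))
```

In a real client the query would be sent from an ephemeral port over UDP to the resolver on port 53; the reply checks are what stop a stray or forged datagram from being accepted as the answer.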

Hypertext Transfer Protocol (HTTP)

HTTP is an application-level protocol, standardized by the IETF (Internet Engineering Task Force) and the W3C, for transferring or exchanging hypertext. It runs on top of TCP and functions as a request-response protocol: the client sends requests and the server listens for and answers them. HTTP uses the Uniform Resource Identifier (URI) to identify resources. HTTP is stateless, meaning each request is executed independently, without any knowledge of the requests that were executed before it.

HTTP Methods :-

GET : Request a resource

HEAD : Similar to GET but without the response body

POST : Used to send data, e.g. via forms. Requests that the server accept the data enclosed in the POST request

PUT : Request the server to store a web resource

DELETE : Deletes a specified resource

TRACE : Echoes back a received request. The client can see the modifications to the request by intermediate servers

OPTIONS : Returns the set of HTTP methods the server supports for the specified URL

Security Issues in HTTP Methods

Safe Methods

HEAD, GET, TRACE, and OPTIONS are defined as safe. These methods are intended only for information retrieval, so they should not change the server state. However, they can still be used to gather information about the server (TRACE, for instance, reveals how intermediate servers modified the request).

Idempotent Methods

Idempotent methods are HTTP methods that can be called many times without any difference in the outcome. GET, HEAD, OPTIONS, PUT, and DELETE are idempotent. POST is not idempotent.

Web cookies

To understand session cookie hijacking, let’s dive into HTTP state management. A web application maintains an ephemeral state. The server produces the state and sends it to the client, and the client returns it with each request. The state is carried either in hidden form fields or in cookies. Hidden fields are not recommended, since the user can change them. Managing hidden fields is also difficult: there can be many web pages, and the state has to be rebuilt from scratch if the browser is closed.

The second method is achieving statefulness with cookies. Cookies are key-value pairs. The server maintains a trusted state and denotes it with a cookie, which it sends to the client. The client stores the cookie (the browser's cookie manager lets the user view stored cookies) and sends it along with subsequent requests to the server. The cookie acts as a session identifier: the session cookie is used to track authenticated users. It refers to the logged-in user’s information, including the user’s capabilities and access rights, so the user does not need to authenticate each time the client sends a request. Cookies have properties such as name, content, domain, path, and expiry (optional). Stealing such a cookie allows an intruder to impersonate the legitimate user: session hijacking. An attacker can steal cookies by compromising the client or server, through network sniffing, by predicting the cookie from available information, or by DNS cache poisoning (tricking the user into treating the attacker as the legitimate server and grabbing the cookie the user sends).

Prevention:-

• GET : Only non-state changing (ok to just use session cookie)

• POST, PUT, DELETE : State changing (use tokens in addition to session cookie)
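An added example (not the article's code) that puts the safe/idempotent distinction and the prevention rule above into one small request handler: safe methods are served on the session cookie alone, while state-changing methods additionally require a per-session anti-CSRF token that a forged cross-site request cannot supply. The in-memory session store and the "notes" resource are constructed for the demo.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}   # must not change server state
STATE_CHANGING = {"POST", "PUT", "DELETE"}           # session cookie AND token required

# Constructed in-memory stores standing in for a real session store and database.
sessions = {}   # session id -> {"user": ..., "csrf": ...}
notes = {}      # path -> text, the demo's only resource

def login(user):
    """Start a session: returns (session cookie value, per-session CSRF token)."""
    sid, token = secrets.token_urlsafe(32), secrets.token_urlsafe(32)  # unpredictable
    sessions[sid] = {"user": user, "csrf": token}
    return sid, token

def handle(method, path, cookies, form=None):
    """Serve one request; returns (status, body)."""
    session = sessions.get(cookies.get("session", ""))
    if session is None:
        return 401, "login required"
    form = form or {}
    if method in SAFE_METHODS:
        # Read-only, so the session cookie alone is sufficient.
        if method in ("GET", "HEAD"):
            if path not in notes:
                return 404, "" if method == "HEAD" else "not found"
            return 200, "" if method == "HEAD" else notes[path]
        if method == "OPTIONS":
            return 200, ", ".join(sorted(SAFE_METHODS | STATE_CHANGING))
        return 200, "TRACE " + path            # TRACE: echo the request line back
    if method in STATE_CHANGING:
        # A cross-site request carries the cookie automatically but not the token,
        # which the attacker's page cannot read; compare in constant time.
        if not hmac.compare_digest(form.get("csrf", "").encode(), session["csrf"].encode()):
            return 403, "missing or invalid CSRF token"
        if method == "PUT":                     # idempotent: repeating leaves the same state
            notes[path] = form["text"]
            return 200, "stored"
        if method == "DELETE":                  # idempotent: deleting twice is still deleted
            notes.pop(path, None)
            return 204, ""
        notes[path] = notes.get(path, "") + form["text"]   # POST appends: not idempotent
        return 201, notes[path]
    return 405, "method not allowed"

if __name__ == "__main__":
    sid, token = login("alice")
    print(handle("PUT", "/n1", {"session": sid}, {"text": "hi"}))                  # 403
    print(handle("PUT", "/n1", {"session": sid}, {"csrf": token, "text": "hi"}))   # 200
```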
