# Lecture 03: Web Security

HTTP headers from the client are set as environmental variables in the server's Common Gateway Interface (CGI)

## Cookies

Session IDs are typically implemented via **cookies**. These are data values stored on the client in key-value format, with access control based on the server domain. Cookies are useful as they are persistent, meaning that they survive when the browser tab is closed

Cookies storing session info can be stolen, leading to stolen sessions. Cookies may also be used for cross-site tracking

There are additional types of cookies:

- non-persistent: only stored in the browser session memory
- secure: only transmitted over SSL connections
- cookies that include the IP address: break the session if the client IP changes

Session cookies may be protected via the following methods:

- deploy an application on TLS only
- use secure cookies to prevent clear text transmission
- use HTTP only cookies to prevent script access

**Session hijacking/fixation**: allows an attacker to gain control of a user's session

- hijacking: steals a user's session ID
- fixation: forces a user to use an ID known to the attacker

## SQL Injection

A major issue within web security is the handling of user input, as input validation cannot be done on the client

Database servers handle input via their management systems (DBMSs), which controls data interaction with the user. Relational databases link different data sets together

**SQL injection**: user enters a ' character to break an SQL statement and insert their code

- frequently found on user/password combinations entered by the user
- database schema may be learned via returned error messages (blind SQL injection)

**Second-order SQL injection**: code is injected into the database that will be executed at a later time

- developers don't sanitize inputs from the database itself
- first order: store code in the database
- second order: database data is retrieved for usage by the program later, where the code is then executed

Secure coding practices

- developers must never allow client-supplied data to modify SQL statements
- required SQL statements should be stored procedures in the database server
- use prepared statements

## JavaScript

Embedded into web pages to support client-side behavior 

**Same origin policy**: code can only talk to its parent domain

### Cross-Site Scripting (XSS)

Attacker injects malicious scripts into a web page visited by the victim. This bypasses the same origin policy

There are two types of XSS attacks:

- stored: code is stored on the target server
- reflected: code is added to a URL, delivered to the client, and is executed immediately

Information may be exfiltrated via **form redirection**, which involves redirecting the target to a form controlled by the attacker

Content Security Policy v2 ensures that only valid scripts are run. Provides script nonces and hashes for inline scripts

Other defenses include application-level firewalls, browser filters, input escaping, and static code analysis

Vulnerabilities may also come from third parties and other members of the **software supply chain**:

- packages, third-party authentication mechanisms, imported code, advertisements etc. 

### Cross-Site Request Forgery (CSRF)

Attacker sends arbitrary HTTP requests on behalf of the victim

Attack scenario: 

- user is authenticated with site A and is logged in
- malicious site B tricks the user into submitting a malicious request to site A

Example: CSRF against a home router. This attack can add names to a DNS, disable wireless authentication, disable firewalls, set new passwords etc.

Countermeasures:

- server-side: generate token as part of the form and validation upon reception (e.g., use unique IDs, hashes etc.)
- client-side: cookie flag "samesite=strict" prevents the browser from attaching cookies to third party requests