Where are the arguments for a GET request placed? What about the arguments for a POST request?
For a GET request: as parameters in the URL.
For a POST request: in the body of the HTTP request.
Webpage Elements
(True/False) The web server sends HTML, CSS, and JavaScript to the browser using HTTP.
True. HTTP is the networking protocol that lets the browser send and receive data from the web server.
HTML, CSS, and JavaScript are data formats that the browser interprets to display a webpage to the user (see the next video for more details). You could use HTTP to send unformatted text files if you wanted, but HTML, CSS, and JavaScript are file formats that make webpages look nicer.
Webpage Rendering
JavaScript
(True/False) JavaScript code is executed on the web server.
False. JavaScript is executed in your browser.
Frames
Is there an example of a frame anywhere on this webpage? What does frame isolation mean for the frame(s) on this webpage?
The YouTube lecture videos are embedded using frames. Frame isolation means that CS161 course staff can’t change what the YouTube frame displays, and the YouTube frame can’t change the outer CS161 page.
Intro to Web Security
Does TLS/HTTPS guarantee confidentiality and integrity of your computer or your information on other websites?
No. TLS/HTTPS is end-to-end secure, which means that it guarantees confidentiality and integrity between you and the web server. However, it doesn’t do anything to protect you against a malicious web server.
Same-Origin Policy
(True/False) Suppose https://wikipedia.org loads a child frame https://google.com. Under the same-origin policy, the parent frame can modify the contents of the child frame.
False. The child frame still has the origin of https://google.com, which is not the same origin as https://wikipedia.org.
Intro to Cookies
Why do we need cookies to maintain state across multiple HTTP requests?
HTTP is a stateless protocol, which means each request has no knowledge of any other requests.
Viewing Cookies
What stateful information might the cookies on cnn.com be storing in cookies?
Some possible answers: time zone, personal settings (such as dark mode), tracking data for advertising.
For example, if you change the website to dark mode and load an article, the cookie that gets sent to the server will tell the server to load the article in dark mode.
Cookie Scopes
Why do we need to define domain and path scopes for each cookie, instead of sending every cookie in the browser on every request?
Some cookies may have sensitive data that shouldn’t be sent to all websites.
Setting Cookie Scope
Note: These videos cover cookie scope/cookie policy in more detail than you need to know for this semester.
Why might we want to let mail.google.com set a cookie for google.com?
There may be many shared services under one domain, like maps.google.com, mail.google.com, etc. The policy for setting cookies allows any one of these services to set a cookie for all Google services.
This could have security vulnerabilities if different subdomains are run by different organizations, such as eecs.berkeley.edu and math.berkeley.edu.
Scope for Sending Cookies
If Cookie 1’s path was changed to /user, which of the three domains would it be sent to?
None. All three domains have path /, and /user is not a prefix of /.
Examples of Setting and Sending Cookies
Modifying Cookies in Browser
Cookie Policy vs. Same-Origin Policy
Bypassing Same-Origin Policy with Cookies
What difference between the same-origin policy and cookie policy causes this vulnerability?
(Fill in the blanks: Same-origin policy thinks that financial.example.com and blog.example.com are controlled by ___ (the same/different) organization(s) because ___, but cookie policy thinks they are controlled by ___ (the same/different) organization(s) because ___.)
Same-origin policy thinks that financial.example.com and blog.example.com are controlled by different organizations because their domains are different, but cookie policy thinks they are controlled by the same organization because both can set a cookie for example.com.
Session Management with HTTP Auth
Session Token Analogy
Session Tokens
Storing Session Tokens
When could a man-in-the-middle attacker on the network steal a user’s session token?
All three options for storing a session token are at the application layer, so the MITM attacker just needs to be able to see the application layer payload to steal the session token.
If the request is sent over HTTP, the MITM attacker can always steal the session token. If the request is sent over HTTPS, the MITM attacker can’t steal the session token.