CIS 4615 meeting -*- Outline -*-
* Magic URLs, Predictable Cookies, Hidden Form Fields
** overview/description
*** magic URLs
------------------------------------------
MAGIC URLs

def: a *magic URL* is one that

example:

  ex.com?id=TXkkZWNyZStwQSQkdzByRA==
------------------------------------------
... contains sensitive information or could lead to such information

Q: What's going on in that URL?

It's a base 64 encoding of "My$ecre+pA$$w0rD"

Base 64 is an encoding, not encryption: anyone who sees the URL
(browser history, proxy and server logs, the Referer header) can
decode it.

*** predictable cookies
------------------------------------------
PREDICTABLE COOKIES

Using a value that is not

E.g., incrementing the value after authentication
------------------------------------------
... random (i.e., is predictable)

A user who sees their own cookie value can guess the values issued
just before and after it, and so take over other users' sessions.

*** hidden form fields
------------------------------------------
HIDDEN FORM FIELDS

Putting important data in a "hidden" form field

Can clients see it?

Can clients change it?
------------------------------------------
... yes!
... yes!

*** Summary
------------------------------------------
WHAT'S THE COMMON PROBLEM?

Pattern:
1. sensitive information taken from a cookie,
   HTTP header, form, or URL
2. Data is used in security decisions
3. Data is sent over an insecure channel

How would an attacker exploit this?
1. Gather information from web pages using
2. Create altered versions of that info
3. Send that back to the server
------------------------------------------
... Integrity!
... view source (for example)

Q: What other attacks could happen?

Attacker reads the data
Attacker replays the data

** Prevention
------------------------------------------
PREVENTION

Use code review
  Look for requests
  (Java: getRequest() and request.getParameter())
  Hidden form fields
    type="hidden"

Testing tools:
  TamperIE
  Firefox Web Developer
  fiddler2
------------------------------------------

The fix behind all three: never make a security decision on a value
the client can read or change. Keep the sensitive state on the server,
keyed by a random session id, or, if it must round-trip through the
client, attach a MAC and verify it on return.
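Added example, not part of the CIS 4615 notes: the three weaknesses from the outline (the base 64 "magic" parameter, an incrementing session id, and a hidden form field that carries the price) beside the server-side checks that close them. The key `SERVER_KEY`, the helper names, the catalog and the form values are all constructed for illustration and are not from the notes.

```python
"""Magic URLs, predictable cookies and hidden form fields: weak form
and fixed form side by side. All names and sample values are
constructed for this example."""
import base64
import hashlib
import hmac
import secrets

# --- Magic URL: base 64 is an encoding, not encryption -------------------
def decode_magic_url_param(value: str) -> str:
    """Decode the id= value from the outline's example URL."""
    return base64.b64decode(value).decode()

# --- Predictable cookies --------------------------------------------------
def predictable_session_id(last_issued: int) -> int:
    """Weak scheme from the outline: increment after each login."""
    return last_issued + 1

def guess_neighbour_sessions(my_session_id: int, window: int = 3) -> list:
    """What an attacker does with an incrementing id: try nearby values."""
    return [my_session_id + d for d in range(-window, window + 1) if d != 0]

def random_session_id() -> str:
    """Fix: 32 bytes from the OS CSPRNG; one id says nothing about the next."""
    return secrets.token_urlsafe(32)

# --- Hidden form fields ---------------------------------------------------
SERVER_KEY = b"hypothetical-server-secret"  # assumption: known only to the server

def tag_hidden_field(value: str) -> str:
    """Server emits value|HMAC so a client edit is detectable on return."""
    mac = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}|{mac}"

def verify_hidden_field(tagged: str):
    """Server side: return the value only if its MAC checks; None if tampered."""
    value, sep, mac = tagged.rpartition("|")
    if not sep:
        return None
    expected = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return value

def checkout_price_unprotected(form: dict) -> float:
    """Vulnerable: trusts the hidden 'price' field exactly as submitted."""
    return float(form["price"])

def checkout_price_protected(form: dict, catalog: dict):
    """Fixed: the hidden field carries only a MAC-tagged item id; the price
    is looked up on the server, so the client cannot set it."""
    item = verify_hidden_field(form["item"])
    if item is None or item not in catalog:
        return None
    return catalog[item]

if __name__ == "__main__":
    print(decode_magic_url_param("TXkkZWNyZStwQSQkdzByRA=="))
    print(guess_neighbour_sessions(predictable_session_id(1000)))
    tagged = tag_hidden_field("item42")
    print(verify_hidden_field(tagged), verify_hidden_field(tagged.replace("item42", "item99")))
```

The MAC stops the "alter and resend" step from the summary but not the "read" or "replay" steps: a tagged value is still readable, and an old tagged value is still valid until the server binds it to a session or adds an expiry. Keeping the state server-side under a random session id avoids all three.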