Preventing Session Hijacking Using Encrypted One-Time-Cookies
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Release 2.2.1 Kenneth Reitz
Requests Documentation Release 2.2.1 Kenneth Reitz January 15, 2016 Contents 1 Testimonials 3 2 Feature Support 5 3 User Guide 7 3.1 Introduction...............................................7 3.2 Installation................................................8 3.3 Quickstart................................................9 3.4 Advanced Usage............................................. 15 3.5 Authentication.............................................. 25 4 Community Guide 29 4.1 Frequently Asked Questions....................................... 29 4.2 Integrations................................................ 30 4.3 Articles & Talks............................................. 30 4.4 Support.................................................. 30 4.5 Community Updates........................................... 31 4.6 Software Updates............................................. 31 5 API Documentation 49 5.1 Developer Interface........................................... 49 6 Contributor Guide 69 6.1 Development Philosophy......................................... 69 6.2 How to Help............................................... 70 6.3 Authors.................................................. 71 Python Module Index 77 i ii Requests Documentation, Release 2.2.1 Release v2.2.1. (Installation) Requests is an Apache2 Licensed HTTP library, written in Python, for human beings. Python’s standard urllib2 module provides most of the HTTP capabilities you need, but the API is thoroughly broken. It was built for a different time — and a different web. -
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild
The Web Never Forgets: Persistent Tracking Mechanisms in the Wild Gunes Acar1, Christian Eubank2, Steven Englehardt2, Marc Juarez1 Arvind Narayanan2, Claudia Diaz1 1KU Leuven, ESAT/COSIC and iMinds, Leuven, Belgium {name.surname}@esat.kuleuven.be 2Princeton University {cge,ste,arvindn}@cs.princeton.edu ABSTRACT 1. INTRODUCTION We present the first large-scale studies of three advanced web tracking mechanisms — canvas fingerprinting, evercookies A 1999 New York Times article called cookies compre and use of “cookie syncing” in conjunction with evercookies. hensive privacy invaders and described them as “surveillance Canvas fingerprinting, a recently developed form of browser files that many marketers implant in the personal computers fingerprinting, has not previously been reported in the wild; of people.” Ten years later, the stealth and sophistication of our results show that over 5% of the top 100,000 websites tracking techniques had advanced to the point that Edward employ it. We then present the first automated study of Felten wrote “If You’re Going to Track Me, Please Use Cook evercookies and respawning and the discovery of a new ev ies” [18]. Indeed, online tracking has often been described ercookie vector, IndexedDB. Turning to cookie syncing, we as an “arms race” [47], and in this work we study the latest present novel techniques for detection and analysing ID flows advances in that race. and we quantify the amplification of privacy-intrusive track The tracking mechanisms we study are advanced in that ing practices due to cookie syncing. they are hard to control, hard to detect and resilient Our evaluation of the defensive techniques used by to blocking or removing. -
Protecting Encrypted Cookies from Compression Side-Channel Attacks
Protecting encrypted cookies from compression side-channel attacks Janaka Alawatugoda1, Douglas Stebila1;2, and Colin Boyd3 1 School of Electrical Engineering and Computer Science, 2 School of Mathematical Sciences 1;2 Queensland University of Technology, Brisbane, Australia [email protected],[email protected] 3 Department of Telematics, Norwegian University of Science and Technology, Trondheim, Norway [email protected] December 28, 2014 Abstract Compression is desirable for network applications as it saves bandwidth; however, when data is compressed before being encrypted, the amount of compression leaks information about the amount of redundancy in the plaintext. This side channel has led to successful CRIME and BREACH attacks on web traffic protected by the Transport Layer Security (TLS) protocol. The general guidance in light of these attacks has been to disable compression, preserving confidentiality but sacrificing bandwidth. In this paper, we examine two techniques|heuristic separation of secrets and fixed-dictionary compression|for enabling compression while protecting high-value secrets, such as cookies, from attack. We model the security offered by these techniques and report on the amount of compressibility that they can achieve. 1This is the full version of a paper published in the Proceedings of the 19th International Conference on Financial Cryptography and Data Security (FC 2015) in San Juan, Puerto Rico, USA, January 26{30, 2015, organized by the International Financial Cryptography Association in cooperation with IACR. 1 Contents 1 Introduction 3 2 Definitions 6 2.1 Encryption and compression schemes.........................6 2.2 Existing security notions................................7 2.3 New security notions..................................7 2.4 Relations and separations between security notions.................8 3 Technique 1: Separating secrets from user inputs9 3.1 The scheme.......................................9 3.2 CCI security of basic separating-secrets technique................. -
HTTP Cookie - Wikipedia, the Free Encyclopedia 14/05/2014
HTTP cookie - Wikipedia, the free encyclopedia 14/05/2014 Create account Log in Article Talk Read Edit View history Search HTTP cookie From Wikipedia, the free encyclopedia Navigation A cookie, also known as an HTTP cookie, web cookie, or browser HTTP Main page cookie, is a small piece of data sent from a website and stored in a Persistence · Compression · HTTPS · Contents user's web browser while the user is browsing that website. Every time Request methods Featured content the user loads the website, the browser sends the cookie back to the OPTIONS · GET · HEAD · POST · PUT · Current events server to notify the website of the user's previous activity.[1] Cookies DELETE · TRACE · CONNECT · PATCH · Random article Donate to Wikipedia were designed to be a reliable mechanism for websites to remember Header fields Wikimedia Shop stateful information (such as items in a shopping cart) or to record the Cookie · ETag · Location · HTTP referer · DNT user's browsing activity (including clicking particular buttons, logging in, · X-Forwarded-For · Interaction or recording which pages were visited by the user as far back as months Status codes or years ago). 301 Moved Permanently · 302 Found · Help 303 See Other · 403 Forbidden · About Wikipedia Although cookies cannot carry viruses, and cannot install malware on 404 Not Found · [2] Community portal the host computer, tracking cookies and especially third-party v · t · e · Recent changes tracking cookies are commonly used as ways to compile long-term Contact page records of individuals' browsing histories—a potential privacy concern that prompted European[3] and U.S. -
Security and Privacy Concerns of Internet Single Sign-On"
Security and Privacy Concerns of Internet Single Sign-On Risks and Issues as They Pertain to Liberty Alliance Version 1.0 Specifications Authors: Gary Ellison, Jeff Hodges, Susan Landau Date: 6 Sep 2002 Introduction As noted in ‘‘A Brief Introduction to Liberty,’’ for the man on the street, the lawyer in her office, the shopper or investor at home, identity on the Internet is a burdensome and off-putting process. There is one sign-on and password for the online book merchant, another for the corporate network and for each of its pieces --- the client’s private pages, the outsourced human resources office, the online travel agency --- yet another pair for accessing Lands End, still another for Bank of America. The same holds for business-to-business interactions. The result is a cumbersome user experience. The first challenge of Web services is a simple and secure identity mechanism, the second, and equally important, concern is privacy protection. Single sign-on and federated network identity (a system for binding multiple accounts for a given user) are key to solving these issues. A federated system allows businesses to manage their own resources including customer data. Federated network identity enables customers to retain some control over which companies have access to their own information [INTRO]. The Liberty Alliance was formed to deliver and support a federated network identity solution for the Internet, enabling single sign-on for consumers as well as business users in an open, federated way. The Liberty Alliance version 1.0 specifications (referred to as the Liberty Specifications or Liberty protocols throughout this document) clear the way for a user to have a seamless Internet experience and simplify the business of conducting business with multiple Web sites. -
SESSION RIDING a Widespread Vulnerability in Today's Web Applications
Whitepaper SESSION RIDING A Widespread Vulnerability in Today's Web Applications Thomas Schreiber, SecureNet GmbH, Dec 2004 SecureNet GmbH - Münchner Technologiezentrum - Frankfurter Ring 193a - D-80807 München www.securenet.de - [email protected] - Phone +49/89/32133-600 Whitepaper – Session Riding SecureNet GmbH – 2 T ABLE OF C ONTENTS 1 Abstract .............................................................................................................................3 2 What is Session Riding?.......................................................................................................3 3 How Session Riding Works ..................................................................................................4 3.1 How Cookies and Session IDs work................................................................4 3.2 The Threat............................................................................................................5 3.3 Where is the Vulnerability? ................................................................................6 3.4 Non-form-based Authentication Methods......................................................6 3.5 Summary ...............................................................................................................7 4 What makes things even worse...........................................................................................7 4.1 Vulnerable GET-Requests .................................................................................7 4.1.1 The IMG-Tag ............................................................................................7 -
A Deep Dive Into the Technology of Corporate Surveillance
Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Author: Bennett Cyphers and Gennie Gebhart A publication of the Electronic Frontier Foundation, 2019. “Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance” is released under a Creative Commons Attribution 4.0 International License (CC BY 4.0). View this report online: https://www.eff.org/wp/behind-the-one-way-mirror ELECTRONIC FRONTIER FOUNDATION 1 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Behind the One-Way Mirror A Deep Dive Into the Technology of Corporate Surveillance BENNETT CYPHERS AND GENNIE GEBHART December 2, 2019 ELECTRONIC FRONTIER FOUNDATION 2 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Introduction 4 First-party vs. third-party tracking 4 What do they know? 5 Part 1: Whose Data is it Anyway: How Do Trackers Tie Data to People? 6 Identifiers on the Web 8 Identifiers on mobile devices 17 Real-world identifiers 20 Linking identifiers over time 22 Part 2: From bits to Big Data: What do tracking networks look like? 22 Tracking in software: Websites and Apps 23 Passive, real-world tracking 27 Tracking and corporate power 31 Part 3: Data sharing: Targeting, brokers, and real-time bidding 33 Real-time bidding 34 Group targeting and look-alike audiences 39 Data brokers 39 Data consumers 41 Part 4: Fighting back 43 On the web 43 On mobile phones 45 IRL 46 In the legislature 46 ELECTRONIC FRONTIER FOUNDATION 3 Behind the One-Way Mirror: A Deep Dive Into the Technology of Corporate Surveillance Introduction Trackers are hiding in nearly every corner of today’s Internet, which is to say nearly every corner of modern life. -
Server Side Protection Against Cross Site Request Forgery Using CSRF
ol chn ogy Te & Gupta and Gola, J Inform Tech Softw Eng 2016, 6:3 n S o o ti ft a w a m r r e o f DOI: 10.4173/2165-7866.1000182 E Journal of n n I g f i o n l e a e n r r i n u g o J ISSN: 2165-7866 Information Technology & Software Engineering Research Article Open Access Server Side Protection against Cross Site Request Forgery using CSRF Gateway Jaya Gupta* and Suneeta Gola College of Science & Engineering, Department of Computer Engineering, India Abstract The E-Commerce and Social Media has become the new identity for millions of users across the globe. Ease of services for Shopping, Travel, Internet Banking, Social Media, chat and collaboration Apps etc. have become part of one’s life where these identities have name, media content, confidential notes, business projects and credit cards. Convenience and connections brings the ease of connectivity and services so does come the concerns related to unauthorized usage and fraudulent transactions that could be lead to loss of money, time, emotions and even life. Web defacement, fake accounts, account hijacking, account lock and unavailability of services has become a common online news and distress for many. There are different Web Attacks and exploits that have sprung up with time and usage for different type of illegal actions performed everyday online. Cross Site Request Forgery Attack is one of the Web top 10 exploited attacks for the past 5 years (Source OSWAP) which can maliciously exploit online services, where unauthorized actions are performed by the fraudulent user on behalf of a trusted and authenticated account for website. -
Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros
ARXIV.ORG DIGITAL LIBRARY 1 Web Tracking: Mechanisms, Implications, and Defenses Tomasz Bujlow, Member, IEEE, Valentín Carela-Español, Josep Solé-Pareta, and Pere Barlet-Ros Abstract—This articles surveys the existing literature on the of ads [1], [2], price discrimination [3], [4], assessing our methods currently used by web services to track the user online as health and mental condition [5], [6], or assessing financial well as their purposes, implications, and possible user’s defenses. credibility [7]–[9]. Apart from that, the data can be accessed A significant majority of reviewed articles and web resources are from years 2012 – 2014. Privacy seems to be the Achilles’ by government agencies and identity thieves. Some affiliate heel of today’s web. Web services make continuous efforts to programs (e.g., pay-per-sale [10]) require tracking to follow obtain as much information as they can about the things we the user from the website where the advertisement is placed search, the sites we visit, the people with who we contact, to the website where the actual purchase is made [11]. and the products we buy. Tracking is usually performed for Personal information in the web can be voluntarily given commercial purposes. We present 5 main groups of methods used for user tracking, which are based on sessions, client by the user (e.g., by filling web forms) or it can be collected storage, client cache, fingerprinting, or yet other approaches. indirectly without their knowledge through the analysis of the A special focus is placed on mechanisms that use web caches, IP headers, HTTP requests, queries in search engines, or even operational caches, and fingerprinting, as they are usually very by using JavaScript and Flash programs embedded in web rich in terms of using various creative methodologies. -
On the Security of RC4 in TLS and WPA∗
A preliminary version of this paper appears in the proceedings of the USENIX Security Symposium 2013. This is the full version. On the Security of RC4 in TLS and WPA∗ Nadhem J. AlFardan1 Daniel J. Bernstein2 Kenneth G. Paterson1 Bertram Poettering1 Jacob C. N. Schuldt1 1 Information Security Group Royal Holloway, University of London 2 University of Illinois at Chicago and Technische Universiteit Eindhoven July 8th 2013 Abstract The Transport Layer Security (TLS) protocol aims to provide confidentiality and in- tegrity of data in transit across untrusted networks. TLS has become the de facto protocol standard for secured Internet and mobile applications. TLS supports several symmetric encryption options, including a scheme based on the RC4 stream cipher. In this paper, we present ciphertext-only plaintext recovery attacks against TLS when RC4 is selected for encryption. Variants of these attacks also apply to WPA, a prominent IEEE standard for wireless network encryption. Our attacks build on recent advances in the statistical analysis of RC4, and on new findings announced in this paper. Our results are supported by an experimental evaluation of the feasibility of the attacks. We also discuss countermeasures. 1 Introduction TLS is arguably the most widely used secure communications protocol on the Internet today. Starting life as SSL, the protocol was adopted by the IETF and specified as an RFC standard under the name of TLS 1.0 [7]. It has since evolved through TLS 1.1 [8] to the current version TLS 1.2 [9]. Various other RFCs define additional TLS cryptographic algorithms and extensions. TLS is now used for securing a wide variety of application-level traffic: It serves, for example, as the basis of the HTTPS protocol for encrypted web browsing, it is used in conjunction with IMAP or SMTP to cryptographically protect email traffic, and it is a popular tool to secure communication with embedded systems, mobile devices, and in payment systems. -
A Secure Framework for Iot Smart Home by Resolving Session
Global Journal of Computer Science and Technology: G Interdisciplinary Volume 20 Issue 2 Version 1.0 Year 2020 Type: Double Blind Peer Reviewed International Research Journal Publisher: Global Journals Online ISSN: 0975-4172 & Print ISSN: 0975-4350 A Secure Framework for IoT Smart Home by Resolving Session Hijacking By Fozilatoon Humaira, Md Sanju Islam, Sanjida Akter Luva & Md Bayazid Rahman Notre Dame University Abstract- IoT is a blessing in the field of information and technology. It is developing and deploying day by day. It is working for our betterment in the section of home, environment, retail, security, factory, industry, agriculture, education, energy, healthcare, and so on. In the Smart Home section, there are a numerous inventions. Vast analysis and working can be possible if needed. We have worked with session hijacking and implement it in our Smart Home Prototype. This paper represents the basic concept of IoT in Smart Home with Security like Session Hijacking. Keywords: IoT, internet of things, smart home, session regeneration, security, session hijacking. GJCST-G Classification: K.6.5 ASecureFrameworkforIoTSmartHomebyResolvingSessionHijacking Strictly as per the compliance and regulations of: © 2020. Fozilatoon Humaira, Md Sanju Islam, Sanjida Akter Luva & Md Bayazid Rahman. This is a research/review paper, distributed under the terms of the Creative Commons Attribution-Noncommercial 3.0 Unported License http://creativecommons.org/licenses/by-nc/3.0/), permitting all non-commercial use, distribution, and reproduction in any medium, provided the original work is properly cited. A Secure Framework for IoT Smart Home by Resolving Session Hijacking Fozilatoon Humaira α, Md Sanju Islam σ, Sanjida Akter Luva ρ & Md Bayazid Rahman Ѡ Abstract- IoT is a blessing in the field of information and Table 1: Internet of Things Applications Ranking [7] technology. -
Goodies About New Wireshark and Packet Analysis for HTTP
SharkFest ‘16 Wireshark 2.0 Tips for HTTP 1/2 Analysis: Goodies about New Wireshark and Packet Analysis for HTTP Megumi Takeshita Packet Otaku | ikeriri network service co.,ltd SharkFest ‘16 • Computer History Museum • June 13-16, 2016 Megumi Takeshita, ikeriri network service a.k.a. packet otaku since first Sharkfest • Founder, ikeriri network service co.,ltd • Wrote 10+ books of Wireshark and capturing and network analysis. • Reseller of Riverbed Technology ( former CACE technologies ) and Metageek, Dualcomm etc. in Japan • Attending all Sharkfest 9 times • and translator of QT Wireshark into Japanese SharkFest ‘16 • Computer History Museum • June 13-16, 2016 2 21 Wireshark 2.0 Tips for HTTP 1/2 Analysis: Goodies about New Wireshark and Packet Analysis for HTTP •This session contains TIPS and TRICKs for HTTP 1 / 2 using Wireshark 2.0, and also includes HTTP and HTTP2 analysis for packet analysis beginners. •Limited English skills, so please ask me if you have some question. SharkFest ‘16 • Computer History Museum • June 13-16, 2016 3 sample trace files in the session you can download Download: http://www.ikeriri.ne.jp/wireshark/traces/ At first, open the homepage.pcap The trace file is just open the simple website http://www.ikeriri.ne.jp/sample.html SharkFest ‘16 • Computer History Museum • June 13-16, 2016 TIPS #1 first, check arrows and colors of the frame and the intelligent scroll bar •New Wireshark tell you traffic with arrow and color of the scroll bar. It tells us the traffic DNS TCP Color of the scroll bar SharkFest ‘16 • Computer History Museum • June 13-16, 2016 TIPS #2 Generated fields and links tell us the important information •There are two kinds of fields in Wireshark header, the actual field like Web Server ( http.server) in HTTP header, the generated field ( easily to find [ generated field name ] ) that Wireshark created for understanding the packet.