Course: Cyber Security

Sessions & State

HTTP lacks a built-in method for servers to recognize returning visitors. To identify users, a secret value must be sent between the client and server with each request. This is commonly done using cookies in headers, though other methods like GET and POST parameters or custom headers are also used. However, passing state via GET parameters is discouraged since they can be logged by the server or intermediaries like proxies.


Here are some common examples of session cookie names that web application frameworks use to manage sessions and state:

  • PHPSESSID
  • JSESSIONID
  • ASP.NET_SessionID

These values represent a specific state on the server, often referred to as a session. This state typically includes information such as:

  • The user you are logged in as
  • Privileges and authorizations

It is crucial that session values sent to the client are not easily guessable or identifiable by others. If they are, an attacker could impersonate other users on the web application.
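
The following is an added example, not code from the course, of the server side of what this section describes: a session identifier generated from the operating system's cryptographic random source, a server-side store that maps it to the user and their privileges, the Set-Cookie header that carries it to the client, and the lookup that turns a Cookie request header back into that state. The store, the cookie name and the user data are constructed for the demonstration.

```python
# Added example (not from the course): a minimal server-side session store.
# It shows why session identifiers must be unpredictable and how a server
# maps a cookie value back to the logged-in user and their privileges.
import secrets
from http.cookies import SimpleCookie
from typing import Dict, List, Optional

# Constructed in-memory session store: session id -> state held on the server.
SESSIONS: Dict[str, dict] = {}
COOKIE_NAME = "PHPSESSID"  # one of the names listed in the lesson


def new_session_id() -> str:
    """Return a 256-bit random, URL-safe session identifier.

    secrets.token_urlsafe draws from the OS CSPRNG, so another user cannot
    predict or enumerate it (unlike a counter, a timestamp or a username).
    """
    return secrets.token_urlsafe(32)


def create_session(username: str, privileges: List[str]) -> str:
    """Create server-side state for a user and return the id handed to the client."""
    sid = new_session_id()
    SESSIONS[sid] = {"user": username, "privileges": list(privileges)}
    return sid


def set_cookie_header(sid: str) -> str:
    """Build the Set-Cookie header value that transports the id to the client.

    HttpOnly keeps page scripts from reading it, Secure restricts it to HTTPS,
    and SameSite=Lax limits it being sent on cross-site requests.
    """
    return f"{COOKIE_NAME}={sid}; Path=/; HttpOnly; Secure; SameSite=Lax"


def lookup_session(cookie_header: str) -> Optional[dict]:
    """Resolve the Cookie request header back to server-side state.

    Returns None when the cookie is missing or names no known session, which
    is exactly what happens for a guessed, expired or logged-out identifier.
    """
    jar = SimpleCookie()
    jar.load(cookie_header)
    morsel = jar.get(COOKIE_NAME)
    if morsel is None:
        return None
    return SESSIONS.get(morsel.value)


if __name__ == "__main__":
    sid = create_session("alice", ["read", "write"])
    print("Set-Cookie:", set_cookie_header(sid))
    print("resolved  :", lookup_session(f"{COOKIE_NAME}={sid}"))
    print("guessed   :", lookup_session(f"{COOKIE_NAME}=1"))
```

Only the identifier travels over the network; the user name and privileges never leave the server, so a client that edits its cookie can at best present an id that the store does not know.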

State can also be stored on the client side, where the server transmits all state information to the client, which must then return all items with each request. This approach relies on cryptography to verify the integrity of the claimed state: in practice a signature or message authentication code computed with a key only the server knows, since encryption on its own does not stop a client from altering the values. Examples of such implementations include:

  • JWT (JSON Web Tokens)
  • ASP.NET ViewState
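
As an added example, not the course's own code and not a production JWT library, here is client-side state protected the way the JWT item above describes: the whole state is handed to the client as a token in the compact form base64url(header).base64url(payload).base64url(signature), with an HMAC-SHA256 over header and payload. The verification side shows why this works: a payload edited without the key no longer matches the signature and is rejected. The key and the state values are constructed for the demonstration.

```python
# Added example (not the course's own code): client-side state protected by an
# HMAC signature in the compact form that JSON Web Tokens use.
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed secret for the example; a real server keeps this out of source control.
SERVER_KEY = b"example-only-server-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    """Inverse of _b64url; restores the padding base64 needs."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def issue_token(state: dict, key: bytes = SERVER_KEY) -> str:
    """Hand the whole state to the client, plus a MAC so it cannot be altered unnoticed."""
    header = _b64url(_compact_json({"alg": "HS256", "typ": "JWT"}))
    payload = _b64url(_compact_json(state))
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(token: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Return the state if the MAC is valid, otherwise None.

    The payload is readable by anyone (base64url is not encryption), so this
    protects integrity, not confidentiality.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, payload, sig = parts
    try:
        # Only accept the algorithm we issued; never let the token choose it.
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None
        expected = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison so timing does not reveal how many bytes matched.
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def edit_payload_without_key(token: str, new_state: dict) -> str:
    """Replace the payload but keep the original signature.

    This is what a client that changes its own state can do without the key;
    verify_token must reject the result.
    """
    header, _payload, sig = token.split(".")
    return f"{header}.{_b64url(_compact_json(new_state))}.{sig}"


if __name__ == "__main__":
    token = issue_token({"user": "alice", "privileges": ["read"]})
    print("token   :", token)
    print("valid   :", verify_token(token))
    forged = edit_payload_without_key(token, {"user": "alice", "privileges": ["admin"]})
    print("altered :", verify_token(forged))
```

The contrast with the server-side session above is the trade-off this section describes: the server keeps no per-user store, but every byte of the state is visible to the client and the key that signs it becomes the single secret the whole scheme depends on.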

You are using cookies to participate in this class! You can view these cookies in your web browser by opening the developer tools, which is done by pressing F12. Within the developer tools window, the Application tab (Chrome, Edge) or the Storage tab (Firefox) lists the cookies stored for the site.

Virtual Hosts

A single web server can manage multiple applications through Virtual Hosts, often referred to as Vhosts. To enable access to different Virtual Hosts, the web server typically examines the Host header of the client request and, based on this value, directs the request to the appropriate application.
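
As an added example (not the course's own code), the following shows the routing decision just described: the server reads the Host header from the request, normalizes it, and looks it up in a table of virtual hosts, falling back to a default site when the name is unknown or the header is missing. The host names, the application names and the sample request are constructed for the demonstration.

```python
# Added example (not part of the lesson): choosing an application from the
# Host header. The vhost table and host names are constructed for the demo.
from typing import Dict, Optional

# Constructed vhost table: server name -> the application that should answer.
VHOSTS: Dict[str, str] = {
    "shop.example.test": "shop-app",
    "blog.example.test": "blog-app",
}
# Requests for any other name land here, so keep the default harmless and
# never point it at an internal or administrative application.
DEFAULT_APP = "default-site"


def normalize_host(host_header: Optional[str]) -> Optional[str]:
    """Turn the raw Host header into a comparable server name.

    Strips an optional :port (without breaking an IPv6 literal's brackets),
    lowercases, and drops a trailing dot. Returns None for a missing or
    empty header.
    """
    if not host_header:
        return None
    host = host_header.strip()
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        host = host.split("]", 1)[0] + "]"
    elif ":" in host:                   # name:port
        host = host.rsplit(":", 1)[0]
    return host.lower().rstrip(".") or None


def select_app(host_header: Optional[str]) -> str:
    """Return the application chosen for the request's Host header."""
    name = normalize_host(host_header)
    if name is None:
        return DEFAULT_APP
    return VHOSTS.get(name, DEFAULT_APP)


def handle_request(raw_request: str) -> str:
    """Parse a minimal HTTP/1.1 request text and route it by Host.

    Header names are case-insensitive, so they are lowercased before lookup.
    """
    lines = raw_request.split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                    # blank line ends the header block
            break
        key, _, value = line.partition(":")
        headers[key.strip().lower()] = value.strip()
    return select_app(headers.get("host"))


if __name__ == "__main__":
    request = "GET / HTTP/1.1\r\nHost: Shop.example.test:8443\r\n\r\n"
    print(handle_request(request))
```

Because the decision rests on a header the client controls, the table lookup is what keeps a request for an unlisted name from reaching an application that was not meant to be exposed under it.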


URL Encoding

To transfer content between the server and client without ambiguity, certain characters must be encoded so that they are not mistaken for parts of the protocol itself (such as the separators in a URL). URL encoding is used to keep the communication intact.

URL encoding substitutes unsafe characters with a percent sign (%) followed by two hexadecimal digits giving the value of the byte. For instance:

  • A percent sign (%) is replaced with %25
  • A space is replaced with %20
  • A double quote (") is replaced with %22
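
As an added example (not from the lesson), here is percent-encoding and decoding written out by hand so the rule above is visible, cross-checked against Python's urllib.parse. It goes slightly beyond the three cases in the list: characters outside ASCII are encoded byte by byte from their UTF-8 form, and a stray percent sign that is not followed by two hex digits is kept literally on decoding, as urllib.parse.unquote does. The inputs are constructed.

```python
# Added example (not from the lesson): percent-encoding and decoding by hand,
# compared with urllib.parse. Inputs are constructed for the demonstration.
from urllib.parse import quote, unquote

# RFC 3986 "unreserved" characters never need encoding; everything else,
# including the percent sign itself, is written as %XX per UTF-8 byte.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")
HEX_DIGITS = set("0123456789abcdefABCDEF")


def url_encode(text: str) -> str:
    """Percent-encode every byte that is not an unreserved ASCII character."""
    out = []
    for byte in text.encode("utf-8"):
        ch = chr(byte)
        if ch in UNRESERVED:
            out.append(ch)
        else:
            out.append(f"%{byte:02X}")   # two uppercase hex digits
    return "".join(out)


def url_decode(text: str) -> str:
    """Decode %XX sequences back to bytes, then interpret the bytes as UTF-8.

    A '%' not followed by two hex digits is kept as a literal character
    instead of raising, which matches urllib.parse.unquote.
    """
    raw = bytearray()
    i = 0
    while i < len(text):
        c = text[i]
        if c == "%":
            pair = text[i + 1:i + 3]
            if len(pair) == 2 and all(h in HEX_DIGITS for h in pair):
                raw.append(int(pair, 16))
                i += 3
                continue
        raw.extend(c.encode("utf-8"))
        i += 1
    return raw.decode("utf-8", errors="replace")


def matches_stdlib(text: str) -> bool:
    """True if the hand-written functions agree with urllib.parse on this input."""
    encoded = url_encode(text)
    return encoded == quote(text, safe="") and url_decode(encoded) == unquote(encoded)


if __name__ == "__main__":
    for sample in ["100% done", 'say "hi"', "café"]:
        print(repr(sample), "->", url_encode(sample), "->", repr(url_decode(url_encode(sample))))
```

Decoding should happen exactly once at the boundary where the value is read; decoding a value a second time would turn a literal "%25" back into a percent sign and change what the client actually sent.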

A great tool for text analysis and operations like URL decoding is CyberChef. You can access it in your browser here: https://gchq.github.io/CyberChef/

Note: Try using CyberChef to decode the following URL-encoded message:

%48 %65 %6c %6c %6f %20 %64 %65 %61 %72 %20 %77 %33 %73 %63 %68 %6f %6f %6c %73 %20 %73 %74 %75 %64 %65 %6e %74 %2e %20 %48 %6f %70 %65 %20 %79 %6f %75 %20 %61 %72 %65 %20 %6c %65 %61 %72 %6e %69 %6e %67 %20 %73 %6f %6d %65 %74 %68 %69 %6e %67 %20 %74 %6f %64 %61 %79 %21

See what it reveals!

JavaScript

To enable dynamic content, browsers utilize the scripting language JavaScript. This allows developers to create solutions that run on the client side, resulting in more interactive and “alive” web content.

However, JavaScript is also involved in various attacks against web applications and client-side applications like browsers.

Encryption with TLS

The HTTP protocol does not provide encryption for data in transit, so an additional layer is added beneath it to provide encryption. This is denoted by an “S” following HTTP, resulting in HTTPS.

Originally, SSL (Secure Sockets Layer) was used for encryption, but it has been deprecated. Nowadays, TLS (Transport Layer Security) is the standard protocol employed to ensure encryption.