2.1.web-security-1 - Web Security, Part 1 - CS 161 Computer Security - Profs. Vern Paxson & David Wagner - TAs John Bethencourt, Erika Chin, Matthew

Web Security, Part 1
CS 161 - Computer Security
Profs. Vern Paxson & David Wagner
TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger
http://inst.eecs.berkeley.edu/~cs161/
Feb 1, 2010

Web Server Threats
• What can happen?
  – Compromise
  – Defacement
  – Gateway to attacking clients
  – Disclosure
  – (not mutually exclusive)
• And what makes the problem particularly tricky?
  – Public access
  – Mission creep

Attacking Via HTTP
URLs: global identifiers of network-retrievable resources. Anatomy of the example URL
http://user:pass@berkeley.edu:81/class?name=cs161#homework

  http://         Protocol
  user:pass@      Username, Password
  berkeley.edu    Host
  :81             Port
  /class          Path
  ?name=cs161     Query
  #homework       Fragment

Simple Service Example
• Allow users to search the local phonebook for any entries that match a regular expression
• Invoked via a URL like: http://harmless.com/phonebook.cgi?regex=<pattern>
• So for example: http://harmless.com/phonebook.cgi?regex=daw|vern searches the phonebook for any entries with "daw" or "vern" in them
• (Note: the web surfer doesn't enter this URL themselves; an HTML form constructs it from what they type)

Simple Service Example, con't
• Assume our server has some "glue" that parses URLs to extract parameters into C variables
  – and returns stdout to the user
• Simple version of code to implement search:

    #include <stdio.h>   /* sprintf */
    #include <stdlib.h>  /* system  */

    /* print any employees whose name
     * matches the given regex */
    void find_employee(char *regex)
    {
        char cmd[512];
        /* the user-controlled pattern is pasted straight into a shell command line */
        sprintf(cmd, "grep %s phonebook.txt", regex);
        system(cmd);
    }

Simple Service Example, con't
• Assume our server has some "glue" that parses URLs to...
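The slide's find_employee() hands the user-supplied pattern to system(), so anything the shell treats specially in that pattern is interpreted by /bin/sh rather than by grep. The hardened version below is an added example, not code from the lecture: it keeps the same contract (search a phonebook for lines matching a user-supplied regular expression) but does the matching in-process with POSIX regcomp()/regexec(), so the pattern is only ever data to the regex engine and no command string is built. The phonebook contents, the name find_employee_safe, and the search_sample/last_search_result wrappers are constructed for illustration and stand in for the slide's phonebook.txt.

```c
#include <regex.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample phonebook (stand-in for phonebook.txt; not from the lecture). */
static const char SAMPLE_PHONEBOOK[] =
    "daw, 555-0101\n"
    "vern, 555-0102\n"
    "alice, 555-0103\n";

/* Hardened replacement for find_employee(): compile the user-supplied pattern
 * with POSIX regcomp() and test each phonebook line with regexec(), entirely
 * in-process. No command string is built and no shell ever sees the pattern.
 * Matching lines are appended to `out`, one per line, truncated if `outlen`
 * is exceeded. Returns the number of matching lines, or -1 if the pattern
 * does not compile (a malformed pattern is refused, not guessed at). */
int find_employee_safe(const char *regex, const char *book, char *out, size_t outlen)
{
    regex_t re;
    if (regcomp(&re, regex, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;

    int matches = 0;
    size_t used = 0;
    if (outlen > 0)
        out[0] = '\0';

    const char *p = book;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full;
        char line[256];
        if (len >= sizeof line)
            len = sizeof line - 1;       /* over-long line: compare a prefix only */
        memcpy(line, p, len);
        line[len] = '\0';

        if (regexec(&re, line, 0, NULL, 0) == 0) {
            matches++;
            if (used + len + 1 < outlen) {   /* room for the line, '\n' and NUL */
                memcpy(out + used, line, len);
                used += len;
                out[used++] = '\n';
                out[used] = '\0';
            }
        }
        p = nl ? nl + 1 : p + full;
    }
    regfree(&re);
    return matches;
}

/* Convenience wrappers over the sample phonebook so a result can be inspected
 * without managing a buffer by hand. */
static char last_result[512];

int search_sample(const char *regex)
{
    return find_employee_safe(regex, SAMPLE_PHONEBOOK, last_result, sizeof last_result);
}

const char *last_search_result(void)
{
    return last_result;
}

int main(void)
{
    /* The lecture's example query: '|' is a regex alternation, as intended. */
    int n = search_sample("daw|vern");
    printf("%d match(es):\n%s", n, last_search_result());

    /* A ';' in the pattern is plain regex text here: it matches no sample
     * line and is never handed to /bin/sh. */
    printf("%d match(es) for a pattern containing ';'\n", search_sample("daw;"));
    return 0;
}
```

If the search must still shell out to grep (for example to reuse its flags), the same property can be kept by fork()/execvp() with the pattern passed as its own argv element, so that no shell parses the command line; the in-process approach above additionally removes the process spawn and lets the server reject a malformed pattern before doing any work.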
This note was uploaded on 04/14/2010 for the course CS 161 taught by Professor Wagner during the Spring '10 term at University of Central Arkansas.
