
Hello everyone, this is Ayush. If you haven’t read the previous blogs, please read them first: they cover concepts that the later posts build on.

In the previous blog we talked about the HTTP protocol, i.e. HTTP requests and responses. In this blog we’ll talk about some security controls that are used in the communication between client and server, so let’s start.

SECURITY CONTROLS

So far we have covered DNS and HTTP requests and responses, so you have an idea of what happens when you enter an address like google.com. But everything the client and server exchange over plain HTTP travels in the clear, i.e. as plain text.

So whatever we send is visible to a third party who intercepts the request.

The following sections cover some of the mechanisms used around that exchange: how data is encoded for transport, how the server keeps track of who you are across requests (sessions, cookies and tokens), and how the browser keeps one site from reading another’s data. We’ll take them one by one:

Content Encoding :

Encoding Defn: Encoding is the process of converting data (bytes, characters, symbols) into a specified format so that it can be transmitted or stored by a channel that expects that format, without being corrupted or misinterpreted.

Decoding Defn: Decoding is the reverse process, recovering the original data from its encoded form.

With no encoding in place, whatever is in an HTTP request is sent as-is; encoding is applied so that binary data and special characters survive the trip intact. One thing to be clear about: every encoding is reversible by anyone who sees the data, with no key involved. Encoding is not encryption and hides nothing from an interceptor; confidentiality on the wire comes from TLS (HTTPS). Let’s look at the common encodings:

Base64 encoding: Base64 represents arbitrary bytes (a string you are sending to the server or receiving from it, a binary file, a key) using 64 printable ASCII characters, so that the data can pass through channels that only handle text.

Encoded form of “Hello” is: SGVsbG8= (and of “Hello World”: SGVsbG8gV29ybGQ=)

Base64’s character set is the uppercase letters A to Z, the lowercase letters a to z, the digits 0 to 9, the characters + and /, and finally the = character for padding.

Why Padding ?

Base64 works on groups of three input bytes, turning each group into four output characters. If the input length is not a multiple of three, the last group is short by one or two bytes; the encoder still emits four characters for it and fills the missing positions with one or two = characters, so the output length is always a multiple of four. On decoding, the decoder uses the padding to know how many bytes of the last group to drop, then discards it.

Example:

I encode as: SQ==

Am encode as: QW0=

Tim encode as: VGlt

Here you can see that the inputs whose length is not a multiple of three get one or two padding characters, while “Tim” (exactly three bytes) needs none.

You can encode or decode any string at https://www.base64encode.org/ . Just don’t paste anything sensitive (session cookies, tokens, credentials) into a third-party website; decode those locally instead.
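The grouping and padding described above, as an added example that is not part of the original post: a Base64 encoder and decoder written out by hand in Python so the 3-byte to 4-character step and the = handling are visible, cross-checked against the standard library’s base64 module.

```python
# Added example, not from the original post: a Base64 encoder/decoder written
# out by hand so that the 3-byte -> 4-character grouping and the '=' padding
# are visible. It is checked against Python's standard-library base64 module.
import base64

ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)
DECODE = {ch: idx for idx, ch in enumerate(ALPHABET)}


def b64encode(data: bytes) -> str:
    """Encode bytes as Base64: every 3 input bytes become 4 output characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        missing = 3 - len(chunk)            # 0, 1 or 2 bytes short of a full group
        # Pack the (zero-filled) 3 bytes into one 24-bit integer ...
        n = int.from_bytes(chunk + b"\x00" * missing, "big")
        # ... and cut it into four 6-bit values, each an index into ALPHABET.
        chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # A short final group keeps only the characters that carry real bits;
        # the remaining positions are written as '=' so the output stays a
        # multiple of 4 characters.
        if missing:
            chars = chars[:4 - missing] + ["="] * missing
        out.extend(chars)
    return "".join(out)


def b64decode(text: str) -> bytes:
    """Decode Base64, using the padding to know how many bytes to drop."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        group = text[i:i + 4]
        pad = group.count("=")
        last = i + 4 == len(text)
        if pad > 2 or (pad and (not last or not group.endswith("=" * pad))):
            raise ValueError("'=' may only appear at the end of the last group")
        n = 0
        for ch in group:
            if ch == "=":
                n <<= 6                       # padding carries no bits
            elif ch in DECODE:
                n = (n << 6) | DECODE[ch]
            else:
                raise ValueError(f"not a Base64 character: {ch!r}")
        # 24 bits -> 3 bytes, minus the 1 or 2 bytes that were only padding.
        out.extend(n.to_bytes(3, "big")[:3 - pad])
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Cross-check both directions against the standard library."""
    encoded = b64encode(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode(encoded) == data)


if __name__ == "__main__":
    for word in (b"I", b"Am", b"Tim", b"Hello", b"Hello World"):
        print(f"{word!r:16} -> {b64encode(word)}")
    # Base64 is reversible by anyone: decoding needs no key at all.
    print(b64decode("SGVsbG8gV29ybGQ="))
```

The decoder is deliberately strict about where = may appear; lenient decoders that accept padding in the middle of the input are a common source of parser differentials between two components that handle the same data.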

Next we’ll talk about Hex Encoding or Hexadecimal Encoding.

Hexadecimal Encoding: Hexadecimal (base 16) encoding represents each byte as two digits from the set 0-9 and A-F, the high four bits first and then the low four bits.

Encoded form of “Hello” in hex (base16) is: 48656C6C6F (0x48 is ‘H’, 0x65 is ‘e’, 0x6C is ‘l’, 0x6F is ‘o’)

Here each input byte becomes two output characters, so hex doubles the size (5 bytes became 10 characters). Base64 is more compact: every 3 input bytes become 4 characters, roughly 33% overhead (the same 5 bytes became 8 characters, padding included).

URL Encoding: URL encoding (percent-encoding) converts characters that are not allowed in a URL, or that have a reserved meaning in it, into the form %XX, where XX is the hexadecimal value of the byte; non-ASCII characters are first turned into their UTF-8 bytes and each byte is encoded.

In URLs, characters like ‘:’ encode as %3A and ‘/’ as %2F (a space becomes %20).

Fully encoded, https://google.com becomes https%3A%2F%2Fgoogle.com. In practice only the parts where a character would otherwise be ambiguous are encoded: the ‘:’ and ‘/’ that separate the scheme and path stay as they are, but a URL passed as a query-string value (e.g. ?redirect=https%3A%2F%2Fgoogle.com) must be encoded. The server decodes before use, so the decoded value, not the encoded one, is what reaches the application.

Read more about URL encoding here: https://www.w3schools.com/tags/ref_urlencode.ASP

You can use this website to encode decode URL characters: https://www.urlencoder.org/
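Hex and percent-encoding carried through in code, as an added example that is not part of the original post. It builds both encoders by hand (checked against urllib.parse), then shows two things a practitioner runs into: Base64 output cannot be dropped into a query string without percent-encoding it, and a value that is decoded twice on the server is not the value that was sent. The sample inputs are constructed.

```python
# Added example, not from the original post: hexadecimal and URL
# (percent-) encoding written by hand and checked against urllib.parse.
# It also shows why Base64 output needs percent-encoding before it is put
# into a query string, and what happens when a server decodes twice.
import base64
from urllib.parse import parse_qs, quote

HEX_DIGITS = "0123456789ABCDEF"


def hex_encode(data: bytes) -> str:
    """Each input byte becomes two hex digits: high nibble, then low nibble."""
    return "".join(HEX_DIGITS[b >> 4] + HEX_DIGITS[b & 0x0F] for b in data)


def hex_decode(text: str) -> bytes:
    if len(text) % 2:
        raise ValueError("hex input needs an even number of digits")
    return bytes(int(text[i:i + 2], 16) for i in range(0, len(text), 2))


# RFC 3986 'unreserved' characters travel as they are; every other byte is
# written as %XX, the hex of that byte (non-ASCII text is UTF-8 encoded first).
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)


def percent_encode(text: str) -> str:
    out = []
    for byte in text.encode("utf-8"):
        if byte < 0x80 and chr(byte) in UNRESERVED:
            out.append(chr(byte))
        else:
            out.append("%" + hex_encode(bytes([byte])))
    return "".join(out)


def percent_decode(text: str) -> str:
    """One decoding pass: %XX -> byte, then UTF-8 decode the byte string."""
    raw = text.encode("ascii")        # an encoded URL is pure ASCII
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i:i + 1] == b"%":
            out.append(int(raw[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(raw[i])
            i += 1
    return out.decode("utf-8")


def decode_passes(text: str, passes: int) -> str:
    """Decode `passes` times. A server must decode exactly once: a value that
    was encoded twice (%2527) is still harmless after one pass (%27) but
    becomes a literal quote (') after two."""
    for _ in range(passes):
        text = percent_decode(text)
    return text


def matches_stdlib(text: str) -> bool:
    """Cross-check the hand-written encoder against urllib.parse.quote."""
    return percent_encode(text) == quote(text, safe="", encoding="utf-8")


def b64_for_query(data: bytes) -> str:
    """Base64 output contains '+', '/' and '=', all of which mean something
    in a query string, so percent-encode it (or use urlsafe_b64encode)."""
    return percent_encode(base64.b64encode(data).decode("ascii"))


def query_value(query_string: str, name: str) -> str:
    """What the server sees for parameter `name` after its own decoding."""
    return parse_qs(query_string, keep_blank_values=True)[name][0]


if __name__ == "__main__":
    print(hex_encode(b"Hello"))                                  # 48656C6C6F
    print(percent_encode("https://google.com"))                  # https%3A%2F%2Fgoogle.com
    print(query_value("d=" + b64_for_query(b"\xfb\xff"), "d"))   # +/8= arrives intact
    print(repr(query_value("d=+/8=", "d")))                      # the '+' became a space
```

The constructed bytes \xfb\xff were chosen because their Base64 form, +/8=, contains every character that a query-string parser treats specially.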

Session and Cookies:

Now let’s talk about sessions and cookies, which most websites use. Have you ever wondered why, when you log in to your Facebook account on your PC, don’t log out, and two days later open the browser and enter facebook.com again, you land on your account page without entering your credentials? This is possible because of the session and the cookie that Facebook stored in your browser.

A website like Facebook (or any other) maintains a session for each logged-in user; a new session starts when the user logs in.

After login the server creates a session ID for your browser, which serves as proof of identity from then on. The server sends this ID to the browser in a Set-Cookie response header; the browser stores it as a cookie and sends it back in the Cookie header with every subsequent request to that site, so the server can recognise you without asking for credentials again. The session ID is just the value of the cookie; the session itself (who you are, when it expires) stays on the server.

Finally, when the user logs out, the server terminates the session, so the cookie stops working even if a copy of it still exists somewhere.

In the image above, John logs in with his username and password; the server creates a session record with the fields (SessionId, Username, CreateDate, ExpiryDate, LastAccess) and returns the session ID to the user.

After that, whenever John returns to the site, the browser presents the cookie; the server looks it up and, if the session is valid and not expired, John gets access to the content.

source: webf

I hope the cookie part is clear with this image: the Set-Cookie response header sets a cookie in the browser, and the Cookie request header sends its value back to the server.
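The login, lookup and logout flow from the image, as an added example that is not part of the original post: a minimal server-side session store in Python with the same record fields, plus the Set-Cookie / Cookie header handling around it. The user table, the cookie name sid and the two-hour lifetime are this example’s own assumptions; times are Unix timestamps.

```python
# Added example, not from the original post: a minimal server-side session
# store with the fields from the diagram (SessionId, Username, CreateDate,
# ExpiryDate, LastAccess) and the Set-Cookie / Cookie header handling around
# it. The user table, the cookie name "sid" and the two-hour lifetime are
# this example's own assumptions; all times are Unix timestamps.
import secrets
import time
from http.cookies import SimpleCookie

COOKIE_NAME = "sid"
SESSION_TTL = 2 * 60 * 60          # seconds

# Constructed credential table; a real server stores password hashes.
USERS = {"john": "correct horse battery staple"}

# SessionId -> record. Lives only on the server; the browser gets the ID alone.
SESSIONS = {}


def _now(now):
    return time.time() if now is None else now


def login(username: str, password: str, now=None):
    """Check the credentials; on success create a session and return the
    Set-Cookie header value that hands the session ID to the browser."""
    now = _now(now)
    if USERS.get(username) != password:
        return None
    # 256 random bits from the OS CSPRNG. The ID *is* the proof of identity,
    # so it must be unguessable (never a counter or a hash of the username).
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = {
        "Username": username,
        "CreateDate": now,
        "ExpiryDate": now + SESSION_TTL,
        "LastAccess": now,
    }
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = session_id
    cookie[COOKIE_NAME]["httponly"] = True    # page scripts cannot read it
    cookie[COOKIE_NAME]["secure"] = True      # only sent over HTTPS
    cookie[COOKIE_NAME]["samesite"] = "Strict"
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


def _session_id(cookie_header):
    """Pull our cookie out of a request's Cookie header, if present."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    return jar[COOKIE_NAME].value if COOKIE_NAME in jar else None


def authenticate(cookie_header, now=None):
    """Look up the session named in the Cookie header. Returns the username,
    or None when there is no valid, unexpired session."""
    now = _now(now)
    session_id = _session_id(cookie_header)
    record = SESSIONS.get(session_id)
    if record is None:
        return None
    if now >= record["ExpiryDate"]:
        del SESSIONS[session_id]              # expired: forget it server-side
        return None
    record["LastAccess"] = now
    return record["Username"]


def logout(cookie_header):
    """Terminate the session server-side (so a copied cookie is useless) and
    return a Set-Cookie value that makes the browser discard its copy."""
    SESSIONS.pop(_session_id(cookie_header), None)
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = ""
    cookie[COOKIE_NAME]["max-age"] = 0
    cookie[COOKIE_NAME]["path"] = "/"
    return cookie[COOKIE_NAME].OutputString()


if __name__ == "__main__":
    set_cookie = login("john", "correct horse battery staple")
    print("Set-Cookie:", set_cookie)
    request_cookie = set_cookie.split(";")[0]   # the browser echoes name=value back
    print("Cookie:", request_cookie, "->", authenticate(request_cookie))
    print("Set-Cookie:", logout(request_cookie), "->", authenticate(request_cookie))
```

Because the session record stays on the server, logout and expiry are enforced there: a cookie that was copied out of the browser stops working the moment the record is removed, which is exactly what the text describes.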

Token Based Authentication

Previously we logged in with a session ID carried in a cookie, which the server verified by looking it up in its session store. In token based authentication, when we log in the server issues the user a unique token, and from then on the user presents that token with each request and is let in without entering credentials again. The obvious risk is leakage: anyone who obtains the token can use it, so it must travel only over HTTPS, be stored carefully and expire after a short time. A signature solves a different problem, forgery and tampering: the server signs the token with a secret key when issuing it and verifies the signature whenever the token comes back, so nobody without the key can mint a token or change one. (Signing does not hide the token’s contents; if they must stay private the token also has to be encrypted.)

A valid signature can only be produced with the secret key, so if anyone tampers with the token, the signature the server recomputes when the token arrives will not match the one carried in the token and the token is rejected as invalid.

An authentication token of this kind (a JSON Web Token, JWT, is the common format) is formed of three components: the header, the payload and the signature.

Header

The header states the token type and the signing algorithm used. Note that the verifier must not trust the header to choose the algorithm; it should insist on the algorithm it expects.

Payload

The payload carries the claims: the token issuer, the expiration time, the user’s identity and other metadata. It is only encoded, not encrypted, so anyone holding the token can read it and it must not contain secrets.

Signature

The signature is computed over the header and payload with the key. It lets the server verify that the token was issued by it and has not been changed while in transit.

Token-based authentication works through this five-step process:

Request: The user logs in to a service using their login credentials, which issues an access request to a server or protected resource.

Verification: The server verifies the login information to determine that the user should have access. This involves checking the password entered against the username provided.

Token submission: The server generates a secure, signed authentication token for the user using digital signature algorithm for a specific period of time.

Storage: The token is transmitted back to the user’s browser, which stores it for access to future website visits. When the user moves on to access a new website, the authentication token is decoded and verified. If there is a match, the user will be allowed to proceed.

Expiration: The token will remain active until the user logs out or closes the server.

Source: Okta developer

Read more about token based authentication here: https://www.okta.com/identity-101/what-is-token-based-authentication/

Read more about digital signature algorithm: https://www.includehelp.com/cryptography/digital-signature-algorithm-dsa.aspx
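The header / payload / signature structure and the verification checks described above, as an added example that is not part of the original post or of Okta’s material: minting and verifying an HMAC-SHA256 (HS256) signed JWT with only the Python standard library, then showing what happens when the payload is edited without the key or the header is rewritten to alg “none”. The secret key and the claims are constructed for the example.

```python
# Added example, not from the original post: minting and verifying an
# HS256-signed JSON Web Token with only the standard library, so that the
# header.payload.signature layout and every check a verifier must make are
# explicit. The key and the claims are constructed for this example.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    pass


def _b64url(data: bytes) -> str:
    """JWT uses the URL-safe alphabet ('-', '_') with the '=' padding removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json(obj) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_token(claims: dict, key: bytes, ttl_seconds: int, now=None) -> str:
    """Issue a token. Header and payload are only Base64url-encoded (anyone
    can read them); the signature over both is what needs the key."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = _b64url(_json(header)) + "." + _b64url(_json(payload))
    return signing_input + "." + _b64url(_sign(signing_input, key))


def verify_token(token: str, key: bytes, now=None) -> dict:
    """Return the payload if the token is well-formed, signed with `key` and
    not expired; raise TokenError otherwise."""
    now = int(time.time() if now is None else now)
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("token must have exactly three parts")
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        payload = json.loads(_b64url_decode(p))
        signature = _b64url_decode(s)
    except ValueError as exc:            # bad Base64, bad UTF-8 or bad JSON
        raise TokenError("malformed token") from exc
    # Pin the algorithm. The header is attacker-controlled until the signature
    # checks out, so it must not get to pick 'none' or another scheme.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    if not hmac.compare_digest(_sign(h + "." + p, key), signature):
        raise TokenError("signature mismatch")   # forged or tampered
    if not isinstance(payload, dict) or now >= int(payload.get("exp", 0)):
        raise TokenError("token expired")
    return payload


def is_valid(token: str, key: bytes, now=None) -> bool:
    try:
        verify_token(token, key, now)
        return True
    except TokenError:
        return False


def tamper(token: str, **changes) -> str:
    """Change payload claims but keep the old signature: all that someone
    without the key can do."""
    h, p, s = token.split(".")
    payload = json.loads(_b64url_decode(p))
    payload.update(changes)
    return h + "." + _b64url(_json(payload)) + "." + s


def alg_none(token: str) -> str:
    """Rewrite the header to alg 'none' and drop the signature. A verifier
    that lets the header choose the algorithm would accept this."""
    _, p, _ = token.split(".")
    return _b64url(_json({"alg": "none", "typ": "JWT"})) + "." + p + "."


if __name__ == "__main__":
    key = b"example-only-secret-key"
    token = mint_token({"sub": "john", "role": "user"}, key, ttl_seconds=3600)
    print(token)
    print("original valid:", is_valid(token, key))
    print("role changed to admin:", is_valid(tamper(token, role="admin"), key))
    print("alg none:", is_valid(alg_none(token), key))
```

Two details matter in the verifier: the algorithm is fixed by the server rather than read from the token, and the signature comparison uses hmac.compare_digest so that a byte-by-byte early exit does not leak how much of a guessed signature was right.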

The Same-Origin Policy

The Same-Origin Policy (SOP) is a browser rule that restricts how a document or script loaded from one origin can interact with resources from a different origin.

The origin is basically where a page came from: the exact address the website was loaded from.

An origin is identified by the triple protocol://hostname:port (scheme, host and port); all three must match for two URLs to be the same origin.

Let’s understand with example:

Suppose one website is: https://abc.com:443

Now this website’s protocol is: https

hostname is: abc.com

port is: 443 (the default for https, so https://abc.com written without a port is the same origin)

There is another website http://abc.com:80

This website uses http (and port 80), so it is not the same origin as the first one.

And a website such as https://def.com has a different host, so it is also a different origin.

I hope you got the concept: if two tabs are open in your browser on two different websites, the SOP prevents a script on one from reading the other’s content (its document or the responses it receives). Without the SOP, a script on one site could read your data from any other site you are logged in to.

source: research gate

Learn more about SOP here: https://www.acunetix.com/blog/web-security-zone/what-is-same-origin-policy/
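The origin comparison from the examples above, as an added example that is not part of the original post: a small Python routine that reduces a URL to the (scheme, host, port) triple the browser compares, filling in the default port when none is written, and applies it to the URLs from the text plus a few constructed ones (subdomain, non-default port).

```python
# Added example, not from the original post: computing an origin as the
# (scheme, host, port) triple the browser compares, with the default ports
# filled in when a URL does not spell them out. The URLs are the ones from
# the text plus a few more constructed cases.
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url: str) -> tuple:
    """Return (scheme, host, port). Path, query and fragment play no part."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise ValueError(f"unsupported scheme: {scheme!r}")
    if not parts.hostname:
        raise ValueError(f"no host in {url!r}")
    # urlsplit lowercases the host; an explicit port wins, else the scheme's default.
    return (scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])


def same_origin(url_a: str, url_b: str) -> bool:
    return origin(url_a) == origin(url_b)


def blocked_reads(page_url: str, targets) -> list:
    """Of `targets`, the URLs whose responses a script on `page_url` may not
    read under the same-origin policy (unless the target opts in via CORS)."""
    return [t for t in targets if not same_origin(page_url, t)]


if __name__ == "__main__":
    page = "https://abc.com:443"
    for candidate in ("https://abc.com/profile?id=1", "http://abc.com:80",
                      "https://def.com", "https://www.abc.com",
                      "https://abc.com:8443"):
        print(f"{candidate:32} same origin as {page}? "
              f"{same_origin(page, candidate)}")
```

Note what is not part of the comparison: path, query string and fragment. Two pages on the same site are the same origin no matter which path they live under, while a subdomain or a different port is a separate origin.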

Now I hope all the concepts are clear to you!

Thank you for taking the time to read this. If you have any doubts, please respond on this blog; we’ll meet in the next one!

Thank You and Happy Hacking !

Day 12 Internet Security Controls #100DaysofHacking was originally published in InfoSec Write-ups on Medium, where people are continuing the conversation by highlighting and responding to this story.