All right, in a shocking turn of events, we're gonna get started on time. I think go this way, go this way, go this way. Okay, what do that? Same thing, I guess. Okay. All right, we have a... wait, let's... we're getting started. All right, today, as you can see, we'll have a very special presentation by everybody in the front of the room, so they will be going in order. I'm just kidding, you can stay there. If anybody else wants coffee, feel free, there should be plenty for everyone. Feel free to come up for a refill. I promise I won't make you present anything.

Okay, first things first. Important things. I'll try to announce this and remind you about this in Discord. There's evals that happen. I'm shocked that 8% of you have already... 16% of you? What is that, right? No, 8% have already filled this out. That's actually insane. Although the number is the same, and that's weird to me. Why? That seems wrong, right? That shouldn't be the same among both classes. Yeah, but why would it be exactly the same? Exactly, that seems weird. They're not technically in the classes. I actually don't know what you'll see on your side with the two instructors. So it's the same. It's the same. Okay, dude, then just fill it out, do whatever you're gonna do. The point is just to do it. That's the important thing. I don't know, we read this stuff; it's not like it gets ignored. So feel free to tell us what you think, and we will take that into consideration. This has to be a total of 27 across both classes. That's the only thing that makes sense. Happens to be... what if I refresh it, do you think somebody's taking it in the meantime? No, that'd be cool. Okay. And I'll be bugging you about this. You have until the 30th to do this, so please do it. Other thing: anybody care about grades? Oh, they don't care about grades.
All right, let's move on. So I announced this on Discord. Important things: check your grade. I added in all the extra credit, and for helpfulness and memes, as it was, so that should never go down. It should only ever go up for you as that happens from now until the end of the semester. Obviously, I have zero because I'm very unhelpful and I make no memes. So if you think you should have something here and you have nothing, what does that probably mean? You didn't link your Discord, exactly. So that's where you go over here, this Identity tab, or actually the Setup tab. The Setup tab. And you didn't follow all these; you don't have all these five things, so we don't know who you are on Discord, so we can't give you any extra credit for anything you do on Discord. Some of you, that's what you want. That's also totally fine. The one thing that absolutely has to happen if you want a grade... does everyone actually want a grade? I mean, it's that or a zero. You either get the grade that you earned or you get a zero, so those are the only two options. The important thing to look at here is this second one. So if this second thing is not a green check mark, that means we don't know what your pwn.college username is, and we haven't been able to match that with your ASU student ID. Some people, I've already seen, have put in their email-style ID, like their email handle at asu.edu, as their ID. So if that's you, go over to Identity and double-check that your ID is here. Otherwise, what's gonna happen is I'm going to have to reach out to you, and it's gonna be super annoying for me, so I probably won't do it, so you'll get an E in the class, and then you'll have to talk to me, and then we'll have to do a grade change petition, and it's like really annoying. So don't be in that situation.
I think there's only like ten of you or less, somewhere around there, but let's make it zero. Good, cool. Okay, any class-related questions before we finish up? And then, I think maybe I mentioned on Monday, but I'm out of town next week, so Connor is gonna be teaching the final two classes. Yeah, but I'll be on Discord, but at weird European hours. So, okay, nobody go get coffee while I go refill. Any questions on the course? While I pour this... we are... and nobody's raising their hand. Cool.

We are going to close out web security. So we've been talking about the differences between origins. So somebody remind us: how does a browser... what's defined as the same origin? What three pieces of information are used to determine if one origin is the same as another? What was it? Port is one. What else? Was it... no, no. It's all about the URL, the URI, parts of the URI. Was it the domain? Yeah, let me... so the host, the port, and what else? The scheme. Yeah, thank you. So those three make the three-tuple of the origin, and this is what your browser uses to say, when fetching this page, can I make another request to that URI? And this is done very simply, literally. This is an exact matching check for these things. So we looked at that. So this is why, if we're on the page http://example.com, which has the origin of (http, example.com, 80), if that page makes a request to fetch cats.gif, it succeeds because that has exactly the same three-tuple: the scheme, the host, and the port. But even if it's the exact same host and port... actually the port, this is incorrect, the port is different here, 443, but even if it was the same port, the fact that the scheme is different means that the origin will be different, and the browser will block that and not allow those requests for most of us. Cool. So these are all examples. We can have the same scheme, similar. This is even a subdomain.
So this is cats.example.com is not the same origin as example.com, so that still will be a different origin. Okay, cool. But there are cases where we do want to send requests across origins. As we saw, image tags will cause a request to be issued cross-origin so that we can fetch those things, and these are the allowed methods and headers that can be made. As you notice, this is very restrained compared to what a normal request can do. So you can't request a GET and specify you want a content type of JSON; that just straight up does not work. And we can always also read the responses. So... and there's actually a lot of... this is, again, an overview of web security. You can get crazy in-depth.

Image tags. So like I said, you can fetch a cross-domain image, but within JavaScript you actually can't read the content of that image, what it looks like, because that came from a different origin, and so your browser's engine blocks that, because before they did that, people used to be able to leak data from other websites, because you'd be logged in getting that image, and you wouldn't want the JavaScript on another origin to be able to infer information about that. There's actually a lot of cool, interesting tricks that you can do here. So these are some of the ways where you can cause the browser to fetch different things.

Now we're going to get in and talk a little bit about domain names. So everybody, when we talked about networking, what was the purpose of ARP? Yeah, what was the purpose of ARP, the Address Resolution Protocol, in networking? Not quite. It's not matching, it's mapping it to something else. Yeah, close: mapping an IP address to something else at a lower layer of the networking stack. The MAC address. Yeah, exactly. So ARP is a way to say, hey, I want to talk to this IP address; who has this IP address on my local network?
And so then people will have an ARP reply that says, oh, I'm that IP address and this is my MAC address. And that's how you did ARP spoofing in the Intercepting Communication challenge, because nobody verifies that, so you were able to say, hey, no, no, I'm that IP address, and you got the traffic that was destined for that other machine. So similarly, even though we know networking works based on IP addresses, right, we talked about how data packets get from one machine on the network and how they hop through, but remembering IP addresses is incredibly annoying, right? We actually have a whole system so that humans can use this, and so that's where DNS, the Domain Name System, comes in. So that's where domain names come in. This is a way that maps this human-readable name, www.example.com... we're not getting into the specifics of DNS; you can read into how it works to translate that to an IP address that your machine then uses to start a TCP/IP connection to that IP address. But your browser also needs to know this to understand what constitutes the same site, and essentially the same entity, and it has to do with when it sends cookies on requests and when it doesn't, and how you can control that. So typically the way DNS works, if I control, let's say, example.com, I can make subdomains. I can make a subdomain www.example.com. I can even go further by adding more dots; I can set it up and go foo.bar.www.example.com. I can do that as much as I want, and you can see that here with these two examples. So we have pwn.college.
There's also a DNS entry for dojo.pwn.college. So that's called a subdomain, because dojo.pwn.college is a subdomain of pwn.college. And so for all these examples, when we talk about the top-level domain, that's kind of the... essentially the root of the DNS entry, but we don't need to get into that level of detail. Those are things on the far... you can think of it as the far right. So we have com; so for example.com, the top-level domain is com. But we have kind of a problem here. Has anybody gone to a UK site before? Like this, you have google.co.uk. Which part is the part that Google owns? Yeah, they actually control the google part. They don't even control the co.uk, because there's actually a ton of co.uk. I don't know actually why this is done, and I don't know if there's other blah.uk's, so if anyone's British and knows, please say something. I was like, 25 people on Twitch? I guess that's because all of you are here. So while this is the top-level domain, there's actually this problem that we need to know, well, which parts of the domain are essentially special and owned by that entity, so that I could say, okay, pwn.college, and is dojo.pwn.college a subdomain of pwn.college, or is it just this college part, which doesn't make sense because it's not enough dots. Anyways, this allows you... and there's a list here. Actually, can we go look at this? Why would I want to validate this? I would just like to go visit my link, please. Yeah, so this is a list that you can use. It's a public, open-source thing that has all of the domain names that are top-level domains. Oh, let's actually look at this. Great, co.uk. So now we can look at this. We can see ac.uk, gov.uk, ltd.uk, me.uk, net... anyways, all of these are different top-level domains. Yeah, so that's... let's look at that. Yeah, so github.io.
This is a way of GitHub saying, hey, we don't actually control whoever has that subdomain. pwn.college.github.io, that's a different site than adamdoupe.github.io, even though it's the same subdomain of github.io. Yeah. You mean like a .college like this, or a custom TLD? You have to buy those, and they cost a lot of money, and I think they would end up on this list. So if you controlled it, I think it would just be like... if we get... oh wow, we're all the way in the githubs. Yeah, so like here, uk: so everything that's blah.uk would be different, except for like these ones. So if you bought one, it would show up on here. And so this is what your browser uses to determine what is the same site, and unfortunately it's very confusing, because site and origin are not the same thing. So the site is the effective top-level domain plus one. So this means example.com is a site, google.com is a site, google.co.uk, pwn.college is a site, and that way dojo.pwn.college... So this means that kind of... you can think of it as a controlling entity. So if I control pwn.college, then I control dojo.pwn.college, mail.pwn.college; anything.anything.anything.anything.anything.pwn.college is considered the same site. And that's what's interesting, is having things like github.io. Now, as we'll see, you can actually kind of tell the browser, and the browser knows, that those are different sites. Is that actually a site? It is, right? Yeah, we have a redirect, but I don't think that works. That works. So yeah, anyways, cool. And so as a web developer you can actually control what happens, and when cookies that your web application asks the browser to set are sent to different cross sites. So not cross domains or cross origins; cross origins dictates how we can make requests, but specifically whether cookies are sent in those requests. So this is SameSite. So this is an attribute on cookies.
Let's look at exactly what that looks like. Yeah, so here is a cookie. So this is an HTTP response header. So the server sends that in an HTTP response. You know exactly what an HTTP response looks like and what a header looks like. So here we're setting a cookie; the cookie's name is id, equals the value, and then attributes are separated with a semicolon. So this has an attribute of Expires, where the website says at what time this cookie is expired and the browser should no longer use it. But we can do Lax. Yeah, so the SameSite attribute is what we're looking at. So we can for sure get an example here... no... yeah, there we go. So these are all examples of values of the SameSite attribute. So this is how the web application would set that. And so the applications have different ways of doing this. So the default, which is the standard, is... yeah, so Strict is, as it sounds, the most strict, where the cookie is not sent in cross-site requests. So this means even if we make a request, or the browser... even if we try to make a request, it's not going to send it. None is the opposite, where it will basically send it to none of the other sites, so you would want None if you're trying to share it among your subdomains. So you set a cookie on, like, google.com, and that way www.google.com, the other same sites, would be able to access it. Lax is slightly confusing, because it has to deal with navigation. So navigation is when you're typing a URL into your browser. So SameSite Lax would be the cookie is not being sent... it's only sent as part of that. So it's kind of in between None and Strict. We can also specify actually other domains. So as part of the attributes of the cookie, we can specify:
hey, send this cookie whenever you visit foo.com, even though that's not considered the same site, but I as the web application say that I want you to share that cookie. And subdomains: you can use a star or a wildcard to specify these things. The path: so Path is an attribute that you can set on a cookie to say only send it to this path or this sub-path; this way you can modify state and cookies based on what part of the application the user is interacting with.

And of course there are times when we want to actually break this, so we may want to create a site or a web application that we want people to make cross-origin requests to, because let's say we offer some API functionality that they want to access from JavaScript. So this is this series of techniques of headers and browser support, CORS. So this is Cross-Origin Resource Sharing. I'm gonna drink a lot of coffee today, I just realized. Where the browser, when it's making a request for something, it asks the other server with this OPTIONS, and if the server supports it and CORS is allowed, it specifies, and the web application can specify, different access control policies of, oh yeah, you can request these specific methods. So I could say you only can do GET requests.
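As an added example, not code from the lecture or from pwn.college, here are the checks described above written out in Python: the exact three-tuple origin comparison, the site (effective TLD + 1) lookup against a small constructed subset of the public suffix list, and whether a cookie with a given SameSite value is attached to a request. The SameSite logic follows the cookie spec's semantics (Strict: never cross-site; Lax: only top-level GET/HEAD navigations; None: cross-site, but only if the cookie is also Secure); the host names and suffix subset are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed subset of the public suffix list (publicsuffix.org); the real
# list has thousands of entries. Longest matching suffix wins.
PUBLIC_SUFFIXES = {"com", "uk", "co.uk", "ac.uk", "gov.uk", "college",
                   "io", "github.io"}
DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """The (scheme, host, port) triple the browser compares with exact equality."""
    u = urlsplit(url)
    port = u.port if u.port is not None else DEFAULT_PORTS[u.scheme.lower()]
    return (u.scheme.lower(), u.hostname.lower(), port)

def same_origin(a, b):
    return origin(a) == origin(b)

def site(url):
    """Effective TLD + 1: the registrable part of the host, or None when the
    host is itself a public suffix (e.g. github.io). Scheme is ignored here to
    match the lecture's definition; current browsers also compare it."""
    labels = urlsplit(url).hostname.lower().split(".")
    for i in range(len(labels)):            # i == 0 tries the whole host first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels[-2:])            # unknown suffix: last two labels

def same_site(a, b):
    s = site(a)
    return s is not None and s == site(b)

def cookie_sent(samesite, request_url, initiator_url, method="GET",
                top_level_navigation=False, secure=False):
    """Would a cookie belonging to request_url's site, with this SameSite
    value, be attached to a request made from a page at initiator_url?"""
    if same_site(request_url, initiator_url):
        return True                         # same-site: every value sends it
    value = samesite.lower()
    if value == "strict":
        return False                        # never on cross-site requests
    if value == "lax":                      # only top-level, safe-method navigations
        return top_level_navigation and method.upper() in ("GET", "HEAD")
    return secure                           # None: cross-site, but needs Secure

if __name__ == "__main__":
    print(origin("http://example.com/cats.gif"))
    print(same_origin("http://example.com", "https://example.com"))
    print(site("https://dojo.pwn.college"), site("https://www.google.co.uk"))
    print(same_site("https://adamdoupe.github.io", "https://pwncollege.github.io"))
    print(cookie_sent("Lax", "https://pwn.college/", "https://other.example",
                      top_level_navigation=True))
```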
You can't do POST requests, headers that have to be set, and this way... Yeah, so then by responding with that, the web... or, sorry, the request is what the browser is trying to do, and the allow is if the web application or web server actually wants to allow this content. And if everything checks out, then the request can actually go through. And so, I don't know, for like a silly example, not a silly example, but this came up when we were hosting DEF CON CTF. So we had a JSON file that specified the state of our game that all the teams could access, and some of the teams actually wanted to fetch that inside of their own web applications. So they were making their own GUIs and their own views of the scoreboard, and so they asked us if we could implement CORS so that, that way, they could, from JavaScript that was running on their own interface, fetch our JSON file so that they could include it in JavaScript and use that to populate their interface.

So this is like the initial drop in the bucket of how insane the web is, if you think about it. So we've talked about, just in this module, we've talked about URLs, HTTP, HTML. We didn't talk about CSS, but that's definitely in there, and there could be problems with even style sheets. We talked about JavaScript. We talked about SQL. We talked about, what's the other one? Commands, command injections. Cookies, how cookies actually work; there's a whole RFC, a document, about how cookies actually work. And this stuff is just very complicated. Oh, origins. We talked about origins. We talked about sites. It's like 10 different technologies that you could really dig into, any of them, and you could have a whole class just on web security and how this stuff can break. Cool. Web questions? I'm gonna do something and see if this works. Let's
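The CORS exchange described above, as an added Python example that is not the DEF CON CTF infrastructure's code: a constructed read-only policy for a public scoreboard JSON, the rule for when the browser sends an OPTIONS preflight at all (which is why a GET asking for a JSON Content-Type is not a simple request), the server's preflight answer, and the browser's check of that answer. The policy values and origin names are constructed for the demo.

```python
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data",
                        "text/plain"}

# Constructed policy for a public scoreboard: anyone may read it, nobody may
# write, and no cookies are involved. "*" must never be paired with credentials.
SCOREBOARD_POLICY = {
    "origins": "*",
    "methods": {"GET", "HEAD"},
    "headers": {"accept"},
    "credentials": False,
}

def needs_preflight(method, headers):
    """Does the browser send an OPTIONS preflight before this request?
    Only 'simple' requests (safe methods, safelisted headers, form-style
    Content-Type) go straight through."""
    if method.upper() not in SIMPLE_METHODS:
        return True
    for name, value in headers.items():
        if name.lower() not in SAFELISTED_HEADERS:
            return True
        if (name.lower() == "content-type"
                and value.split(";")[0].strip().lower() not in SIMPLE_CONTENT_TYPES):
            return True
    return False

def preflight_response(policy, origin, req_method, req_headers):
    """Server side: headers for the OPTIONS reply, or {} to refuse the request."""
    if policy["origins"] != "*" and origin not in policy["origins"]:
        return {}
    if req_method.upper() not in policy["methods"]:
        return {}
    if not {h.lower() for h in req_headers} <= policy["headers"]:
        return {}
    if policy["credentials"]:   # credentialed: echo an allow-listed origin, never "*"
        resp = {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
    else:
        resp = {"Access-Control-Allow-Origin": "*"}
    resp["Access-Control-Allow-Methods"] = ", ".join(sorted(policy["methods"]))
    resp["Access-Control-Allow-Headers"] = ", ".join(sorted(policy["headers"]))
    return resp

def browser_permits(resp, origin, req_method, req_headers):
    """Browser side: does the preflight reply cover the request the page wants?"""
    if resp.get("Access-Control-Allow-Origin") not in ("*", origin):
        return False
    methods = {m.strip().upper() for m in resp.get("Access-Control-Allow-Methods", "").split(",")}
    allowed = {h.strip().lower() for h in resp.get("Access-Control-Allow-Headers", "").split(",")}
    return req_method.upper() in methods and {h.lower() for h in req_headers} <= allowed
```

With a credentialed policy, `policy["origins"]` must be an explicit allow-list; reflecting whatever Origin arrives together with Allow-Credentials is the classic CORS misconfiguration.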