From a5e8d5f43f1306a7166c77662b6e8ba5ec96df89 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Tue, 6 Aug 2024 18:30:28 +0000
Subject: [PATCH 1/4] Bump rexml from 3.3.2 to 3.3.3

Bumps [rexml](https://github.com/ruby/rexml) from 3.3.2 to 3.3.3.
- [Release notes](https://github.com/ruby/rexml/releases)
- [Changelog](https://github.com/ruby/rexml/blob/master/NEWS.md)
- [Commits](https://github.com/ruby/rexml/compare/v3.3.2...v3.3.3)

---
updated-dependencies:
- dependency-name: rexml
  dependency-type: indirect
...

Signed-off-by: dependabot[bot]
---
 Gemfile.lock | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Gemfile.lock b/Gemfile.lock
index 0dff405..a1fa0ab 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -237,7 +237,7 @@ GEM
 rb-fsevent (0.11.2)
 rb-inotify (0.10.1)
 ffi (~> 1.0)
- rexml (3.3.2)
+ rexml (3.3.3)
 strscan
 rouge (3.26.0)
 ruby2_keywords (0.0.5)

From 8539640059f17fe3f1e7a8479fbd41959159a5e4 Mon Sep 17 00:00:00 2001
From: Ashley Chiu
Date: Sun, 1 Sep 2024 22:37:03 -0700
Subject: [PATCH 2/4] [accessibility] update color schemes, interactive link spacing

---
 _config.yml | 3 +-
 _sass/color_schemes/custom.scss | 1 -
 _sass/color_schemes/dark_wider.scss | 157 ++++++++++++++++++++++++++++
 _sass/color_schemes/wider.scss | 129 +++++++++++++++++++++++
 _sass/custom/custom.scss | 73 +++++--------
 assets/css/just-the-docs-dark.scss | 3 +
 index.md | 2 +-
 memory-safety/mitigations.md | 2 +-
 memory-safety/vulnerabilities.md | 18 ++--
 memory-safety/x86.md | 4 +-
 network/dns.md | 12 +--
 network/dnssec.md | 18 ++--
 web/cookies.md | 2 +-
 web/intro.md | 30 +++---
 web/sqli.md | 50 ++++-----
 web/xss.md | 4 +-
 16 files changed, 389 insertions(+), 119 deletions(-)
 delete mode 100644 _sass/color_schemes/custom.scss
 create mode 100644 _sass/color_schemes/dark_wider.scss
 create mode 100644 _sass/color_schemes/wider.scss
 create mode 100644 assets/css/just-the-docs-dark.scss
diff --git a/_config.yml b/_config.yml
index 131f954..4014aaf 100644
--- a/_config.yml
+++ b/_config.yml
@@ -28,8 +28,7 @@ url: "" # the base hostname & protocol for your site, e.g. http://example.com
 
 # Build settings
 remote_theme: pmarsceill/just-the-docs
-color_scheme: custom
-
+color_scheme: wider
 aux_links:
 "CS 161":
 - "https://cs161.org"
diff --git a/_sass/color_schemes/custom.scss b/_sass/color_schemes/custom.scss
deleted file mode 100644
index 7b083f2..0000000
--- a/_sass/color_schemes/custom.scss
+++ /dev/null
@@ -1 +0,0 @@
-$link-color: #699e73;
diff --git a/_sass/color_schemes/dark_wider.scss b/_sass/color_schemes/dark_wider.scss
new file mode 100644
index 0000000..a1ed132
--- /dev/null
+++ b/_sass/color_schemes/dark_wider.scss
@@ -0,0 +1,157 @@ +@import "./color_schemes/dark"; + +$content-width: 68.75rem; +$nav-width: 18.75rem; + +$media-queries: ( + xs: 320px, + sm: 500px, + md: $content-width, + lg: $content-width + $nav-width, + xl: 1400px, +); + +// Change bottom-left "generated by JTD" text color to be darker (thanks a lot department of justice) +$grey-dk-000: #E6E1E8 !important; + +// Pygments monokai, from https://github.com/richleland/pygments-css/blob/master/monokai.css +.highlight .hll { background-color: #49483e } +.highlight { background: #272822; color: #f8f8f2 } +.highlight .c { color: #acdfa2 } /* Comment (manually changed) */ +.highlight .err { color: #FF75BF; background-color: #1e0010 } /* Error (manually changed) */ +.highlight .k { color: #66d9ef } /* Keyword */ +.highlight .l { color: #D7C2FF } /* Literal (manually changed) */ +.highlight .n { color: #f8f8f2 } /* Name */ +.highlight .o { color: #FCA1C3 } /* Operator (manually changed) */ +.highlight .p { color: #f8f8f2 } /* Punctuation */ +.highlight .ch { color: #C3BFB6 } /* Comment.Hashbang (manually changed) */ +.highlight .cm { color: #C3BFB6 } /* Comment.Multiline (manually changed) */ +.highlight .cp { color: #C3BFB6 } /* Comment.Preproc (manually changed) */ +.highlight .cpf { color: #C3BFB6 } /* Comment.PreprocFile v*/ +.highlight .c1 { color: #C3BFB6 } /* Comment.Single (manually changed) */ +.highlight .cs { color: #C3BFB6 } /* Comment.Special (manually changed) */ +.highlight .gd { color: #FCABC9 } /* Generic.Deleted (manually changed) */ +.highlight .ge { font-style: italic } /* Generic.Emph */ +.highlight .gi { color: #a6e22e } /* Generic.Inserted */ +.highlight .gs { font-weight: bold } /* Generic.Strong */ +.highlight .gu { color: #C3BFB6 } /* Generic.Subheading (manually changed) */ +.highlight .kc { color: #66d9ef } /* Keyword.Constant */ +.highlight .kd { color: #66d9ef } /* Keyword.Declaration */ +.highlight .kn { color: #FCA6C6 } /* Keyword.Namespace (manually changed) */ +.highlight .kp { color: 
#66d9ef } /* Keyword.Pseudo */ +.highlight .kr { color: #66d9ef } /* Keyword.Reserved */ +.highlight .kt { color: #66d9ef } /* Keyword.Type */ +.highlight .ld { color: #e6db74 } /* Literal.Date */ +.highlight .m { color: #D7C2FF } /* Literal.Number (manually changed) */ +.highlight .s { color: #e6db74 } /* Literal.String */ +.highlight .na { color: #a6e22e } /* Name.Attribute */ +.highlight .nb { color: #f8f8f2 } /* Name.Builtin */ +.highlight .nc { color: #a6e22e } /* Name.Class */ +.highlight .no { color: #66d9ef } /* Name.Constant */ +.highlight .nd { color: #a6e22e } /* Name.Decorator */ +.highlight .ni { color: #f8f8f2 } /* Name.Entity */ +.highlight .ne { color: #a6e22e } /* Name.Exception */ +.highlight .nf { color: #a6e22e } /* Name.Function */ +.highlight .nl { color: #f8f8f2 } /* Name.Label */ +.highlight .nn { color: #f8f8f2 } /* Name.Namespace */ +.highlight .nx { color: #a6e22e } /* Name.Other */ +.highlight .py { color: #f8f8f2 } /* Name.Property */ +.highlight .nt { color: #FCA6C6 } /* Name.Tag (manually changed) */ +.highlight .nv { color: #f8f8f2 } /* Name.Variable */ +.highlight .ow { color: #FCA6C6 } /* Operator.Word (manually changed) */ +.highlight .w { color: #f8f8f2 } /* Text.Whitespace */ +.highlight .mb { color: #D7C2FF } /* Literal.Number.Bin (manually changed) */ +.highlight .mf { color: #D7C2FF } /* Literal.Number.Float (manually changed) */ +.highlight .mh { color: #D7C2FF } /* Literal.Number.Hex (manually changed) */ +.highlight .mi { color: #D7C2FF } /* Literal.Number.Integer (manually changed) */ +.highlight .mo { color: #D7C2FF } /* Literal.Number.Oct (manually changed) */ +.highlight .sa { color: #e6db74 } /* Literal.String.Affix */ +.highlight .sb { color: #e6db74 } /* Literal.String.Backtick */ +.highlight .sc { color: #e6db74 } /* Literal.String.Char */ +.highlight .dl { color: #e6db74 } /* Literal.String.Delimiter */ +.highlight .sd { color: #e6db74 } /* Literal.String.Doc */ +.highlight .s2 { color: #e6db74 } /* 
Literal.String.Double */ +.highlight .se { color: #D7C2FF } /* Literal.String.Escape (manually changed) */ +.highlight .sh { color: #e6db74 } /* Literal.String.Heredoc */ +.highlight .si { color: #e6db74 } /* Literal.String.Interpol */ +.highlight .sx { color: #e6db74 } /* Literal.String.Other */ +.highlight .sr { color: #e6db74 } /* Literal.String.Regex */ +.highlight .s1 { color: #e6db74 } /* Literal.String.Single */ +.highlight .ss { color: #e6db74 } /* Literal.String.Symbol */ +.highlight .bp { color: #f8f8f2 } /* Name.Builtin.Pseudo */ +.highlight .fm { color: #a6e22e } /* Name.Function.Magic */ +.highlight .vc { color: #f8f8f2 } /* Name.Variable.Class */ +.highlight .vg { color: #f8f8f2 } /* Name.Variable.Global */ +.highlight .vi { color: #f8f8f2 } /* Name.Variable.Instance */ +.highlight .vm { color: #f8f8f2 } /* Name.Variable.Magic */ +.highlight .il { color: #D7C2FF } /* Literal.Number.Integer.Long (manually changed) */ + + +.code-blue { color: #66d9ef; font-weight: bold } +.code-red { color: #FCA6C6; font-weight: bold } +.code-green { color: #a6e22e; font-weight: bold } +.cell-highlight td { background-color: #212024; position: relative; } + +.story::before, +.example::before, +a, +.icon, +.nav-list .nav-list-item .nav-list-expander, +.main-content .anchor-heading svg, +.search-input:focus + .search-label .search-icon, +.search-result-doc .search-result-icon, +a.skip-to-main:focus, a.skip-to-main:active { + color: #A0CFEE !important; +} + +.story, .example { + border-left: 4px solid #A0CFEE !important; +} + +.question::before { + color: #91FF0A !important; +} + +.question { + border-left: 4px solid #91FF0A !important; +} + +p.warning { + border-left: 4px solid #FCE9B0 !important; +} + +p.warning::before { + color: #FCE9B0 !important; +} + +.site-title { + color: #f5f6fa !important; +} + +.fc-time-grid .fc-slats td { + color: #ffffff !important; +} + +span.blue { + color: #00D3EB; +} + +span.red { + color: #FFB3B3; +} + +span.green { + color: #79DB00; +} 
+ +body { + color: #E6E1E8 !important; +} + +.highlight, pre.highlight { + color: #dee2f7 !important; +} + +img { + filter: invert(100%) brightness(100%) hue-rotate(175deg) saturate(100%); +} \ No newline at end of file diff --git a/_sass/color_schemes/wider.scss b/_sass/color_schemes/wider.scss new file mode 100644 index 0000000..e4cb8f5 --- /dev/null +++ b/_sass/color_schemes/wider.scss 
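Review bot: `$grey-dk-000: #E6E1E8 !important;` near the top of dark_wider.scss puts `!important` inside a Sass variable value, so every theme property that uses `$grey-dk-000` appears to be emitted with `!important` attached, a broad and hard-to-override side effect for what the comment describes as a single footer-text tweak; the comment also says the text is made "darker", but #E6E1E8 is a light tone (appropriate for the dark scheme, so the wording looks copied from the light scheme). Suggest `$grey-dk-000: #E6E1E8; // lighten the bottom-left "generated by JTD" text for the dark scheme` and, if priority is really needed, an `!important` on the specific footer selector instead of on the variable. The `img { filter: invert(100%) ... }` rule at the end of the file also inverts every image on the site, including screenshots and logos; scoping it to a class would let content images that must be read faithfully stay un-inverted.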
@@ -0,0 +1,129 @@ +@import "./color_schemes/light"; + +$content-width: 68.75rem; +$nav-width: 18.75rem; + +$media-queries: ( + xs: 320px, + sm: 500px, + md: $content-width, + lg: $content-width + $nav-width, + xl: 1400px, +); + +table { + td.is-even { + background-color: #F5F6FA; + } +} + +// Change bottom-left "generated by JTD" text color to be darker (thanks a lot department of justice) +$grey-dk-000: #4A464E; + +// Pygments default, from https://github.com/richleland/pygments-css/blob/master/default.css +// Some manual changes made (and labeled as such) to meet WCAG AA (weird that default Pygment doesn't) +.highlight .hll { background-color: #ffffcc } +.highlight { background: #f8f8f8; } +.highlight .c { color: #265A5A; font-style: italic } /* Comment (manually changed) */ +.highlight .err { border: 1px solid #FF0000 } /* Error */ +.highlight .k { color: #005700; font-weight: bold } /* Keyword (manually changed) */ +.highlight .o { color: #4A4A4A } /* Operator (manually changed) */ +.highlight .ch { color: #265A5A; font-style: italic } /* Comment.Hashbang (manually changed) */ +.highlight .cm { color: #265A5A; font-style: italic } /* Comment.Multiline (manually changed) */ +.highlight .cp { color: #704900 } /* Comment.Preproc (manually changed) */ +.highlight .cpf { color: #265A5A; font-style: italic } /* Comment.PreprocFile (manually changed) */ +.highlight .c1 { color: #265A5A; font-style: italic } /* Comment.Single (manually changed) */ +.highlight .cs { color: #265A5A; font-style: italic } /* Comment.Special (manually changed) */ +.highlight .gd { color: #A00000 } /* Generic.Deleted */ +.highlight .ge { font-style: italic } /* Generic.Emph */ +.highlight .gr { color: #AD0000 } /* Generic.Error (manually changed) */ +.highlight .gh { color: #000080; font-weight: bold } /* Generic.Heading */ +.highlight .gi { color: #006100 } /* Generic.Inserted (manually changed) */ +.highlight .go { color: #525252 } /* Generic.Output (manually changed) */ +.highlight .gp { 
color: #000080; font-weight: bold } /* Generic.Prompt */ +.highlight .gs { font-weight: bold } /* Generic.Strong */ +.highlight .gu { color: #800080; font-weight: bold } /* Generic.Subheading */ +.highlight .gt { color: #003DCC } /* Generic.Traceback (manually changed) */ +.highlight .kc { color: #006100; font-weight: bold } /* Keyword.Constant (manually changed) */ +.highlight .kd { color: #006100; font-weight: bold } /* Keyword.Declaration (manually changed) */ +.highlight .kn { color: #006100; font-weight: bold } /* Keyword.Namespace (manually changed) */ +.highlight .kp { color: #006100 } /* Keyword.Pseudo (manually changed) */ +.highlight .kr { color: #006100; font-weight: bold } /* Keyword.Reserved (manually changed) */ +.highlight .kt { color: #A3003C } /* Keyword.Type (manually changed) */ +.highlight .m { color: #4D4D4D } /* Literal.Number (manually changed) */ +.highlight .s { color: #981B1B } /* Literal.String (manually changed) */ +.highlight .na { color: #4D561A } /* Name.Attribute (manually changed) */ +.highlight .nb { color: #005C00 } /* Name.Builtin (manually changed) */ +.highlight .nc { color: #0000FF; font-weight: bold } /* Name.Class */ +.highlight .no { color: #880000 } /* Name.Constant */ +.highlight .nd { color: #7509B9 } /* Name.Decorator (manually changed) */ +.highlight .ni { color: #4A4A4A; font-weight: bold } /* Name.Entity (manually changed) */ +.highlight .ne { color: #912721; font-weight: bold } /* Name.Exception (manually changed) */ +.highlight .nf { color: #0000FF } /* Name.Function */ +.highlight .nl { color: #A0A000 } /* Name.Label */ +.highlight .nn { color: #0000FF; font-weight: bold } /* Name.Namespace */ +.highlight .nt { color: #006100; font-weight: bold } /* Name.Tag (manually changed) */ +.highlight .nv { color: #19177C } /* Name.Variable */ +.highlight .ow { color: #7509B9; font-weight: bold } /* Operator.Word (manually changed) */ +.highlight .w { color: #545454 } /* Text.Whitespace (manually changed) */ +.highlight .mb 
{ color: #4A4A4A } /* Literal.Number.Bin (manually changed) */ +.highlight .mf { color: #4A4A4A } /* Literal.Number.Float (manually changed) */ +.highlight .mh { color: #4A4A4A } /* Literal.Number.Hex (manually changed) */ +.highlight .mi { color: #4A4A4A } /* Literal.Number.Integer (manually changed) */ +.highlight .mo { color: #4A4A4A } /* Literal.Number.Oct (manually changed) */ +.highlight .sa { color: #9C1C1C } /* Literal.String.Affix (manually changed) */ +.highlight .sb { color: #9C1C1C } /* Literal.String.Backtick (manually changed) */ +.highlight .sc { color: #9C1C1C } /* Literal.String.Char (manually changed) */ +.highlight .dl { color: #9C1C1C } /* Literal.String.Delimiter (manually changed) */ +.highlight .sd { color: #9C1C1C; font-style: italic } /* Literal.String.Doc (manually changed) */ +.highlight .s2 { color: #9C1C1C } /* Literal.String.Double (manually changed) */ +.highlight .se { color: #703E15; font-weight: bold } /* Literal.String.Escape */ +.highlight .sh { color: #9C1C1C } /* Literal.String.Heredoc (manually changed) */ +.highlight .si { color: #7F3955; font-weight: bold } /* Literal.String.Interpol (manually changed) */ +.highlight .sx { color: #006100 } /* Literal.String.Other (manually changed) */ +.highlight .sr { color: #7F3955 } /* Literal.String.Regex (manually changed) */ +.highlight .s1 { color: #9C1C1C } /* Literal.String.Single (manually changed) */ +.highlight .ss { color: #19177C } /* Literal.String.Symbol */ +.highlight .bp { color: #006100 } /* Name.Builtin.Pseudo (manually changed) */ +.highlight .fm { color: #0000FF } /* Name.Function.Magic */ +.highlight .vc { color: #19177C } /* Name.Variable.Class */ +.highlight .vg { color: #19177C } /* Name.Variable.Global */ +.highlight .vi { color: #19177C } /* Name.Variable.Instance */ +.highlight .vm { color: #19177C } /* Name.Variable.Magic */ +.highlight .il { color: #4A4A4A } /* Literal.Number.Integer.Long (manually changed) */ + +.cell-highlight td { background-color: #ebeef6; 
position: relative; } + +a, +.icon, +.nav-list .nav-list-item .nav-list-expander, +.main-content .anchor-heading svg, +.search-input:focus + .search-label .search-icon, +.search-result-doc .search-result-icon, +a.skip-to-main:focus, a.skip-to-main:active { + color: #3B18D8 !important; +} + +.site-title { + color: #27262b !important; +} + +span.blue { + color: blue; +} + +span.red { + color: #AD0000; +} + +span.green { + color: #005200; +} + +body, .site-footer { + color: #4A464E !important; +} + +.highlight, pre.highlight { + color: #4D4B53 !important; +} diff --git a/_sass/custom/custom.scss b/_sass/custom/custom.scss index ab6f869..53f013e 100644 --- a/_sass/custom/custom.scss +++ b/_sass/custom/custom.scss @@ -8,51 +8,6 @@ margin-bottom: 0; } -:root { - --blue-color-light: blue; - --blue-color-dark: #00CAE0; - --green-color-light: green; - --green-color-dark: #70CC00; - --red-color-light: red; - --red-color-dark: #FF9999; -} - -[data-theme="default"] { - --blue-color: var(--blue-color-light); - --green-color: var(--green-color-light); - --red-color: var(--red-color-light); - - a { - color: #136719; - } - - .site-title { - color: #27262B; - } -} - -[data-theme="dark"] { - a { - color: #7EBDE7 !important; - } - - .site-title { - color: #f5f6fa !important; - } - - --blue-color: var(--blue-color-dark); - --green-color: var(--green-color-dark); - --red-color: var(--red-color-dark); - - img { - filter: invert(100%) brightness(100%) hue-rotate(175deg) saturate(100%); - } - - .site-title { - color: #f5f6fa; - } -} - span code { color: var(--blue-color); color: var(--green-color); 
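Review bot: `.highlight .nl { color: #A0A000 } /* Name.Label */` is left at the Pygments default even though the file's header comment says the palette was adjusted to meet WCAG AA; olive-yellow #A0A000 on the `.highlight` background #f8f8f8 works out to a contrast ratio of roughly 2.6:1, well below the 4.5:1 AA threshold for normal text. A darker tone, for example `#5C5C00` (a value chosen here, about 6.6:1 against #f8f8f8), would pass while keeping the hue, with the trailing comment updated to `/* Name.Label (manually changed) */`. Since the header comment now makes a compliance claim, it is worth running the whole palette through a contrast checker once rather than relying on the per-line "manually changed" labels.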
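Review bot: The removed `:root` block was the only visible declaration of `--blue-color`, `--green-color` and `--red-color` (through their `-light`/`-dark` variants), yet the `span code { color: var(--blue-color); color: var(--green-color); ...` rule that begins at the end of this hunk, and continues past it, still reads them. Unless these custom properties are now declared somewhere else, those declarations fall back to the inherited color and the colored-code spans silently lose their coloring; the new scheme files in this commit define `span.blue`/`span.red`/`span.green` classes, not the custom properties. Either re-declare the three properties in each scheme file (for the light scheme, `:root { --blue-color: blue; --green-color: #005200; --red-color: #AD0000; }` would mirror the `span.*` values already in wider.scss) or migrate the `span code` rules to the class-based colors.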
@@ -135,4 +90,32 @@ code[style*="color: red"] {
 .main-header {
 width: $content-width;
 }
+}
+
+.nav-list .nav-list-item .nav-list-link {
+ padding-top: 0.65rem !important;
+ padding-bottom: 0.65rem !important;
+ text-decoration: none;
+}
+
+.nav-list-expander .btn-reset,
+.nav-list .nav-list-item .nav-list-expander {
+ padding: 0.85rem !important;
+ min-height: 2.75rem !important;
+ min-width: 2.75rem !important;
+}
+
+td a,
+li a,
+.padded-link {
+ padding-top: 0.75rem !important;
+ padding-bottom: 0.75rem !important;
+ text-decoration: none;
+ min-width: 2.75rem !important;
+ min-height: 2.75rem !important;
+}
+
+h2.text-delta + ul a, #markdown-toc a {
+ padding: 0.75rem !important;
+ text-decoration: none;
 }
\ No newline at end of file
diff --git a/assets/css/just-the-docs-dark.scss b/assets/css/just-the-docs-dark.scss
new file mode 100644
index 0000000..4cd35a1
--- /dev/null
+++ b/assets/css/just-the-docs-dark.scss
@@ -0,0 +1,3 @@
+---
+---
+{% include css/just-the-docs.scss.liquid color_scheme="dark_wider" %}
diff --git a/index.md b/index.md
index 03dd8fd..e5d768a 100644
--- a/index.md
+++ b/index.md
@@ -13,7 +13,7 @@ This is the textbook for [CS 161: Computer Security](https://cs161.org/) at [UC
 
 ## Corrections
 
-As of the Summer 2024 semester, this textbook is still being actively maintained and updated.
+As of the Fall 2024 semester, this textbook is still being actively maintained and updated.
 
 If you see any parts that needs to be corrected, please open a Github issue [here](https://github.com/cs161-staff/textbook/issues).
 
diff --git a/memory-safety/mitigations.md b/memory-safety/mitigations.md
index a994a64..b5a4651 100644
--- a/memory-safety/mitigations.md
+++ b/memory-safety/mitigations.md
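Review bot: `td a, li a, .padded-link { ... min-width: 2.75rem !important; min-height: 2.75rem !important; }` sets minimum dimensions on anchors that are inline by default, and `min-width`/`min-height` have no effect on non-replaced inline elements, so the 44px target size this rule appears to aim for will not be enforced unless the theme already gives these links a block or inline-block display; adding `display: inline-block;` to that rule would make the constraint take effect. `text-decoration: none` on `td a` and `li a` also strips the underline from links inside ordinary content lists and tables, leaving color as the only cue that text is a link, which is worth checking against the accessibility goal of this commit. The media-query block that the `.main-header` context sits in begins outside the hunk, so the added `+}` closing it could not be verified here.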
@@ -52,7 +52,7 @@ Some of these library functions may take arguments. For example, `execv` takes a We can take this idea of returning to already-loaded code and extend it further to now execute arbitrary code. Return-oriented programming is a technique that overwrites a chain of return addresses starting at the RIP in order to execute a series of "ROP gadgets" which are equivalent to the desired malicious code. Essentially, we are constructing a custom shellcode using pieces of code that already exist in memory. Instead of executing an existing function, like we did in "Return to libc", with ROP you can execute your own code by simply executing different pieces of different code. For example, imagine we want to add 4 to the value currently in the EDX register as part of a larger program. In loaded memory, we have the following functions: -``` +```shell foo: ... 0x4005a1 mov %edx, %eax diff --git a/memory-safety/vulnerabilities.md b/memory-safety/vulnerabilities.md index 60b26c1..696ca98 100644 --- a/memory-safety/vulnerabilities.md +++ b/memory-safety/vulnerabilities.md @@ -16,7 +16,7 @@ It is through this absence of automatic bounds-checking that buffer overflows ta Let us start with a simple example. -``` +```c char buf[8]; void vulnerable() { gets(buf); @@ -33,7 +33,7 @@ Note that `char buf[8]` is defined outside of the function, so it is located in To illustrate some of the dangers that this bug can cause, let's slightly modify the example: -``` +```c char buf[8]; int authenticated = 0; void vulnerable() { @@ -53,7 +53,7 @@ The program above allows that to happen, because the `gets` function does no bou Now consider another variation: -``` +```c char buf[8]; int (*fnptr)(); void vulnerable() { @@ -87,7 +87,7 @@ _Stack smashing_ attacks exploit the x86 function call convention. See [Chapter Suppose the code looks like this: -``` +```c void vulnerable() { char buf[8]; gets(buf); 
@@ -155,7 +155,7 @@ The bottom line is this: _If your program has a buffer overflow bug, you should Let's begin this section by walking through a normal printf call. Suppose we had the following piece of code: -``` +```c void not_vulnerable() { char buf[8]; if (fgets(buf, sizeof(buf), stdin) == NULL) @@ -206,7 +206,7 @@ The bottom line: _If your program has a format string vulnerability, assume that What's wrong with this code? -``` +```c char buf[8]; void vulnerable() { int len = read_int_from_network(); @@ -221,13 +221,13 @@ void vulnerable() { Here's a hint. The function definition for `memcpy()` is: -``` +```c void *memcpy(void *dest, const void *src, size_t n); ``` And the definition of `size_t` is: -``` +```c typedef unsigned int size_t; ``` @@ -237,7 +237,7 @@ Note that the C compiler won't warn about the type mismatch between `signed int` Here is another example. What's wrong with this code? -``` +```c void vulnerable() { size_t len; char *buf; diff --git a/memory-safety/x86.md b/memory-safety/x86.md index 0911b45..58e6592 100644 --- a/memory-safety/x86.md +++ b/memory-safety/x86.md @@ -192,7 +192,7 @@ You might notice that we saved the old values of eip and ebp during the function Consider the following C code: -``` +```c int main(void) { foo(1, 2); } @@ -204,7 +204,7 @@ void foo(int a, int b) { The compiler would turn the `foo` function call into the following assembly instructions: -``` +```shell main: # Step 1. Push arguments on the stack in reverse order push $2 diff --git a/network/dns.md b/network/dns.md index 3902edb..bf346cd 100644 --- a/network/dns.md +++ b/network/dns.md @@ -86,7 +86,7 @@ Every DNS query begins with the root server. For redundancy, there are actually The first root server has domain `a.root-servers.net` and IP address `198.41.0.4`. We can use `dig` to send a DNS request to this address, asking for the IP address of `eecs.berkeley.edu`. -``` +```shell $ dig +norecurse eecs.berkeley.edu @198.41.0.4 ;; Got answer: 
@@ -125,7 +125,7 @@ For completeness: `172800` is the TTL (time-to-live) for each record, set at 172 Sanity check: What name server do we query next? How do we know where that name server is located? What do we query that name server for?[^2] -``` +```shell $$ dig +norecurse eecs.berkeley.edu @192.5.6.30 ;; Got answer: @@ -149,7 +149,7 @@ adns3.berkeley.edu. 172800 IN A 192.107.102.142 The next query also has an empty answer section, with `NS` records in the authority section and `A` records in the additional section which give us the domains and IP addresses of name servers responsible for the `berkeley.edu` zone. -``` +```shell $ dig +norecurse eecs.berkeley.edu @128.32.136.3 ;; Got answer: @@ -173,7 +173,7 @@ DNS is insecure against a malicious name server. For example, if a `berkeley.edu However, a more dangerous exploit is using the additional section to poison the cache with even more malicious IP addresses. For example, this malicious DNS response would cause the resolver to associate `google.com` with an attacker-owned IP address `6.6.6.6`. -``` +```shell $ dig +norecurse eecs.berkeley.edu @192.5.6.30 ... @@ -197,7 +197,7 @@ The Kaminsky attack relies on querying for nonexistent domains. Remember that th An attacker can now include malicious additional records in the fake response for the nonexistent `fake161.berkeley.edu`: -``` +```shell $$ dig fake161.berkeley.edu ;; Got answer: @@ -215,7 +215,7 @@ If the fake response arrives first, the resolver will cache the malicious additi Now that the attacker can try as many times as they want, all that's left is to force a victim to make thousands of DNS queries for nonexistent domains. This can be achieved by tricking the victim into visiting a website that tries to load lots of nonexistent domains: -``` +```shell diff --git a/network/dnssec.md b/network/dnssec.md index e4f7df8..4f804ef 100644 --- a/network/dnssec.md +++ b/network/dnssec.md 
@@ -72,7 +72,7 @@ All DNSSEC cryptographic records additionally include some (uninteresting) metad You might have noticed that the number of additional records is always 1 more than the actual number of additional records that appear in the response. For example, consider the final query in our regular DNS query walkthrough: -``` +```shell $ dig +norecurse eecs.berkeley.edu @128.32.136.3 ;; Got answer: @@ -132,7 +132,7 @@ Now we're ready to see a full DNSSEC query in action. As before, you can try thi First, we query the root server for its public keys. Recall that the root's IP address, `198.41.0.4`, is publicly-known and hardcoded. -``` +```shell $ dig +norecurse +dnssec DNSKEY . @198.41.0.4 ;; Got answer: @@ -157,7 +157,7 @@ Because we implicitly trust the root's KSK (trust anchor), and the root's KSK si Next, we query the root server for the IP address of `eecs.berkeley.edu`. -``` +```shell $ dig +norecurse +dnssec eecs.berkeley.edu @198.41.0.4 ;; Got answer: @@ -188,7 +188,7 @@ DNSSEC doesn't remove any records compared to regular DNS--the question, answer Next, we query the `.edu` name server for its public keys. -``` +```shell $ dig +norecurse +dnssec DNSKEY edu. @192.5.6.30 ;; Got answer: @@ -213,7 +213,7 @@ Because we trust the `.edu` name server's KSK (from the previous step), and the Next, we query the `.edu` name server for the IP address of `eecs.berkeley.edu`. -``` +```shell $ dig +norecurse +dnssec eecs.berkeley.edu @192.5.6.30 ;; Got answer: @@ -245,7 +245,7 @@ In addition, the response has a `DS` type record and an `RRSIG` signature on the Next, we query the `berkeley.edu` name server for its public keys. -``` +```shell $ dig +norecurse +dnssec DNSKEY berkeley.edu @128.32.136.3 ;; Got answer: 
@@ -270,7 +270,7 @@ Because we trust the `berkeley.edu` name server's KSK (from the previous step), Finally, we query the `berkeley.edu` name server for the IP address of `eecs.berkeley.edu`. -``` +```shell $ dig +norecurse +dnssec eecs.berkeley.edu @128.32.136.3 ;; Got answer: @@ -297,7 +297,7 @@ Offline signing works fine for existing domains, but what if we receive a reques DNSSEC has a clever solution to this problem--instead of signing individual nonexistent domains, name servers pre-compute signatures on _ranges_ of nonexistent domains. Suppose we have a website with three subdomains: -``` +```shell b.example.com l.example.com q.example.com @@ -317,7 +317,7 @@ NSEC records have a slight vulnerability - notice that every time we query for a Some argue that this is not really a vulnerability, because hiding a domain name like `admin.example.com` is relying on security through obscurity. Nevertheless, an attempt to fix this was implemented as **NSEC3**, which simply uses the hashes of every domain name instead of the actual domain name. -``` +```shell 372fbe338b9f3bb6f857352bc4c6a49721d6066f (l.example.com) 6898bc7daf3054daae05e8763153ee1506e809d5 (q.example.com) f96a6ec2fb6efbe43002f4cbf124f90879424d79 (b.example.com) diff --git a/web/cookies.md b/web/cookies.md index 50ba4d1..34ac902 100644 --- a/web/cookies.md +++ b/web/cookies.md 
@@ -25,7 +25,7 @@ For security and functionality reasons, we don't want the browser to send every The browser sends a cookie to a given URL if the cookie's `Domain` attribute is a domain-suffix of the URL domain, and the cookie's `Path` attribute is a prefix of the URL path. In other words, the URL domain should end in the cookie's `Domain` attribute, and the URL path should begin with the cookie's `Path` attribute. -For example, a cookie with Domain=example.com and Path=/some/path will be included on a request to http://foo.example.com/some/path/index.html, because the URL domain ends in the cookie domain, and the URL path begins with the cookie path. +For example, a cookie with Domain=example.com and Path=/some/path will be included on a request to http://foo.example.com/some/path/index.html, because the URL domain ends in the cookie domain, and the URL path begins with the cookie path. Note that cookie policy uses a different set of rules than the same origin policy. This has caused problems in the past. {% comment %} Nick wrote: "has caused problems in the path." typo? -peyrin {% endcomment %} diff --git a/web/intro.md b/web/intro.md index d970df1..db5c096 100644 --- a/web/intro.md +++ b/web/intro.md @@ -12,19 +12,19 @@ Every resource (webpage, image, PDF, etc.) on the web is identified by a URL (Un

- http://www.example.com/index.html
+ http://www.example.com/index.html

-The first mandatory part is the _protocol_, located before in the URL. In the example above, the protocol is http. The protocol tells your browser how to retrieve the resource. In this class, the only two protocols you need to know are HTTP, which we will cover in the next section, and HTTPS, which is a secure version of HTTP using TLS (refer to the networking unit for more details). Other protocols include `git+ssh://`, which fetches a git archive over an encrypted tunnel using `ssh`, or `ftp://`, which uses the old FTP (File Transfer Protocol) to fetch data.
+The first mandatory part is the _protocol_, located before in the URL. In the example above, the protocol is http. The protocol tells your browser how to retrieve the resource. In this class, the only two protocols you need to know are HTTP, which we will cover in the next section, and HTTPS, which is a secure version of HTTP using TLS (refer to the networking unit for more details). Other protocols include `git+ssh://`, which fetches a git archive over an encrypted tunnel using `ssh`, or `ftp://`, which uses the old FTP (File Transfer Protocol) to fetch data.
-The second mandatory part is the _location_, located after but before the next forward slash in the URL. In the example above, the location is www.example.com. This tells your browser which web server to contact to retrieve the resource.
+The second mandatory part is the _location_, located after but before the next forward slash in the URL. In the example above, the location is www.example.com. This tells your browser which web server to contact to retrieve the resource.
-Optionally, the location may contain an optional _username_, which is followed by an `@` character if present. For example, evanbot@www.example.com is a location with a username `evanbot`. All locations must include a computer identifier. This is usually a domain name such as www.example.com. 
Sometimes the location will also include a port number, such as www.example.com:81, to distinguish between different applications running on the same web server. We will discuss ports a bit more when we talk about TCP during the networking section.
+Optionally, the location may contain an optional _username_, which is followed by an `@` character if present. For example, evanbot@www.example.com is a location with a username `evanbot`. All locations must include a computer identifier. This is usually a domain name such as www.example.com. Sometimes the location will also include a port number, such as www.example.com:81, to distinguish between different applications running on the same web server. We will discuss ports a bit more when we talk about TCP during the networking section.
-The third mandatory part is the _path_, located after the first single forward slash in the URL. In the example above, the path is /index.html. The path tells your browser which resource on the web server to request. The web server uses the path to determine which page or resource should be returned to you.
+The third mandatory part is the _path_, located after the first single forward slash in the URL. In the example above, the path is /index.html. The path tells your browser which resource on the web server to request. The web server uses the path to determine which page or resource should be returned to you.
 One way to think about paths is to imagine a filesystem on the web server you're contacting. The web server can use the path as a filepath to locate a specific page or resource. The path must at least consist of `/`, which is known as the "root"[^1] of the filesystem for the remote web site.
@@ -38,17 +38,17 @@ In summary, a URL with all elements present may look like this:

- http://evanbot@www.cs161.org:161/whoami?k1=v1&k2=v2#anchor
+ http://evanbot@www.cs161.org:161/whoami?k1=v1&k2=v2#anchor

-where http is the protocol, evanbot is the username, www.cs161.org is the computer location (domain), 161 is the port, /whoami is the path, k1=v1&k2=v2 are the URL arguments, and anchor is the anchor.
+where http is the protocol, evanbot is the username, www.cs161.org is the computer location (domain), 161 is the port, /whoami is the path, k1=v1&k2=v2 are the URL arguments, and anchor is the anchor.
 _Further reading:_ [What is a URL?](https://developer.mozilla.org/en-US/docs/Learn/Common_questions/What_is_a_URL)
diff --git a/web/sqli.md b/web/sqli.md
index 01e6661..716958c 100644
--- a/web/sqli.md
+++ b/web/sqli.md
@@ -10,18 +10,18 @@ nav_order: 1
 SQL injection is a special case of a more broad category of attacks called code injections.
-As an example, consider a calculator website that accepts user input and calls `eval` in Python in the server backend to perform the calculation. For example, if a user types 2+3 into the website, the server will run eval('2+3') and return the result to the user.
+As an example, consider a calculator website that accepts user input and calls `eval` in Python in the server backend to perform the calculation. For example, if a user types 2+3 into the website, the server will run eval('2+3') and return the result to the user.
 If the web server is not careful about checking user input, an attacker could provide a malicious input like

- 2+3"); os.system("rm -rf /
+ 2+3"); os.system("rm -rf /

When the web server plugs this into the `eval` function, the result looks like

- eval("2+3"); os.system("rm *.*")
+ eval("2+3"); os.system("rm *.*")

If interpreted as code, this statement causes the web server to delete all its files! @@ -44,7 +44,7 @@ A user can make an HTTP GET request for a course rating through a URL:

- http://www.berkeley.edu/evals?course=cs61a

@@ -53,7 +53,7 @@ To process this request, the server performs a SQL query to look up the rating c

- SELECT rating FROM evals WHERE course = '

@@ -61,7 +61,7 @@ To process this request, the server performs a SQL query to look up the rating c Just like the code injection example, if the server does not properly check user input, an attacker could create a special input that allows arbitrary SQL code to be run. Consider the following malicious input:

- + garbage'; SELECT password FROM passwords WHERE username = 'admin

@@ -70,7 +70,7 @@ When the web server plugs this into the SQL query, the resulting query looks lik

- SELECT rating FROM evals WHERE course = '

@@ -92,8 +92,8 @@ When the web server receives a login request, it creates a SQL query by plugging

- SELECT username FROM users WHERE username = 'alice' AND password = 'password123'
+ SELECT username FROM users WHERE username = 'alice' AND password = 'password123'

@@ -106,8 +106,8 @@ First, in the username field, we should add a dummy username and a quote to end

SELECT username FROM users WHERE username =
- 'alice'' AND password =
- 'password123'
+ 'alice'' AND password =
+ 'password123'

@@ -116,8 +116,8 @@ Next, we need to add some SQL syntax so that this query returns more than 0 rows

SELECT username FROM users WHERE username =
- 'alice' OR 1=1' AND password =
- '_____'
+ 'alice' OR 1=1' AND password =
+ '_____'

@@ -126,9 +126,9 @@ Next, we have to add some SQL so that the rest of the query doesn't throw a synt

SELECT username FROM users WHERE username = - 'alice' OR 1=1; SELECT username FROM users WHERE username = 'alice' AND password = '_____' + >' AND password = '_____'

@@ -137,9 +137,9 @@ The second query might not return anything, but the first query will return a no

SELECT username FROM users WHERE username = - 'alice' OR 1=1; SELECT username FROM users WHERE username = 'alice' AND password = 'garbage' + >' AND password = 'garbage'

@@ -148,11 +148,11 @@ Thus, our malicious username and password should be

username = - + alice' OR 1=1; SELECT username FROM users WHERE username = 'alice
- password = garbage
+ password = garbage

@@ -163,9 +163,9 @@ In our previous example, we can instead start a comment to ignore parts of the q

SELECT username FROM users WHERE username = - 'alice' OR 1=1--alice' OR 1=1--' AND password = 'garbage'' AND password = 'garbage'

@@ -174,9 +174,9 @@ Thus, another malicious username and password is

- username = alice' OR 1=1--
+ username = alice' OR 1=1--
- password = garbage
+ password = garbage

@@ -195,8 +195,8 @@ For example, in the previous exploit, if the server replaces all instances of th

SELECT username FROM users WHERE username =
- 'alice\' OR 1=1\-\-' AND password =
- 'garbage'
+ 'alice\' OR 1=1\-\-' AND password =
+ 'garbage'

diff --git a/web/xss.md b/web/xss.md index d012474..56eba41 100644 --- a/web/xss.md +++ b/web/xss.md @@ -33,7 +33,7 @@ In a reflected XSS attack, the attacker finds a vulnerable webpage where the ser A classic example of reflected XSS is a Google search. When you make an HTTP GET request for a Google search, such as `https://www.google.com/search?&q=cs161`, the returned webpage with search results will include something like

- You searched for: cs161
+ You searched for: cs161

If Google does not properly check user input, an attacker could create a malicious URL `https://www.google.com/search?&q=`. When the victim loads this URL, Google will return
@@ -41,7 +41,7 @@ If Google does not properly check user input, an attacker could create a malicio

You searched for: - <script>alert("XSS attack!")</script>
From 6e6160f4e0d41cb1f34229cf701655012513dc17 Mon Sep 17 00:00:00 2001
From: Ashley Chiu
Date: Sun, 1 Sep 2024 22:40:59 -0700
Subject: [PATCH 3/4] remove excess css unneeded for the textbook
---
 _sass/color_schemes/dark_wider.scss | 28 +---------------------------
 _sass/color_schemes/wider.scss | 8 +-------
 2 files changed, 2 insertions(+), 34 deletions(-)
diff --git a/_sass/color_schemes/dark_wider.scss b/_sass/color_schemes/dark_wider.scss
index a1ed132..bf83d03 100644
--- a/_sass/color_schemes/dark_wider.scss
+++ b/_sass/color_schemes/dark_wider.scss
@@ -11,7 +11,7 @@ $media-queries: (
 xl: 1400px,
 );
 
-// Change bottom-left "generated by JTD" text color to be darker (thanks a lot department of justice)
+// Change bottom-left "generated by JTD" text color to be darker
 $grey-dk-000: #E6E1E8 !important;
 
 // Pygments monokai, from https://github.com/richleland/pygments-css/blob/master/monokai.css
@@ -92,8 +92,6 @@ $grey-dk-000: #E6E1E8 !important;
 .code-green { color: #a6e22e; font-weight: bold }
 .cell-highlight td { background-color: #212024; position: relative; }
 
-.story::before,
-.example::before,
 a,
 .icon,
 .nav-list .nav-list-item .nav-list-expander,
@@ -104,34 +102,10 @@ a.skip-to-main:focus, a.skip-to-main:active {
 color: #A0CFEE !important;
 }
 
-.story, .example {
- border-left: 4px solid #A0CFEE !important;
-}
-
-.question::before {
- color: #91FF0A !important;
-}
-
-.question {
- border-left: 4px solid #91FF0A !important;
-}
-
-p.warning {
- border-left: 4px solid #FCE9B0 !important;
-}
-
-p.warning::before {
- color: #FCE9B0 !important;
-}
-
 .site-title {
 color: #f5f6fa !important;
 }
-.fc-time-grid .fc-slats td {
- color: #ffffff !important;
-}
-
 span.blue {
 color: #00D3EB;
 }
diff --git a/_sass/color_schemes/wider.scss b/_sass/color_schemes/wider.scss
index e4cb8f5..8e7278f 100644
--- a/_sass/color_schemes/wider.scss
+++ b/_sass/color_schemes/wider.scss
@@ -11,13 +11,7 @@ $media-queries: (
 xl: 1400px,
 );
 
-table {
- td.is-even {
- background-color: #F5F6FA;
- }
-}
-
-// Change bottom-left "generated by JTD" text color to be darker (thanks a lot department of justice)
+// Change bottom-left "generated by JTD" text color to be darker
 $grey-dk-000: #4A464E;
 
 // Pygments default, from https://github.com/richleland/pygments-css/blob/master/default.css
From 2d314c005b3d936895cd9196166dd7823875bcb5 Mon Sep 17 00:00:00 2001
From: Ashley Chiu
Date: Sun, 1 Sep 2024 23:24:32 -0700
Subject: [PATCH 4/4] restore textbook dark green link color but with >7:1 contrast
---
 _sass/color_schemes/wider.scss | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/_sass/color_schemes/wider.scss b/_sass/color_schemes/wider.scss
index 8e7278f..cef3ee6 100644
--- a/_sass/color_schemes/wider.scss
+++ b/_sass/color_schemes/wider.scss
@@ -95,7 +95,7 @@ a,
 .search-input:focus + .search-label .search-icon,
 .search-result-doc .search-result-icon,
 a.skip-to-main:focus, a.skip-to-main:active {
- color: #3B18D8 !important;
+ color: #305A37 !important;
 }
 
 .site-title {
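Review bot: The new value `#305A37` on the changed line in the `wider.scss` hunk is a bare hex with no comment, so the ">7:1 contrast" requirement that justified it lives only in the commit message and will be invisible to whoever next retunes the palette. A one-line comment above it would carry the constraint, e.g. `// dark green link color; keep >= 7:1 contrast (WCAG AAA) against the light page background`. The selector list this rule belongs to begins before the hunk, and the dark scheme sets its own link color in `dark_wider.scss` (visible in the previous patch as `color: #A0CFEE !important;` under the same selectors), so the two schemes have to be kept in step by hand. As a point of style, forcing `color` with `!important` on `a` and the other selectors makes per-component overrides impossible; setting the theme's `$link-color` variable in each scheme would let the theme's own rules pick the value up without the override list.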