cl clien ient side side sec ecurity urity ri risk sks s
play

Cl Clien ient-side side sec ecurity urity ri risk sks s esp. - PowerPoint PPT Presentation

Feb 16, 2024 •162 likes •844 views

Web b Securi urity ty Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection jection and nd XSS SS (Cross oss Si Site te Sc Scripting ipting) 1 Last week malicious input brow owser ser web

  1. Web b Securi urity ty Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection jection and nd XSS SS (Cross oss Si Site te Sc Scripting ipting) 1

  2. Last week malicious input brow owser ser web server er 2

  3. This week malicious input browser owser 3

  4. attacking browser or user malicious input brow owser ser 4

  5. Client-side complexity Most of the complexity of the web comes together in the browser These complexities include dynamic web pages , • with JavaScript executing in the browser, using the DOM API content from multiple origins • • growing complexity of HTML5 & Web APIs – eg possibilities to access web cam, microphone, location information, go full- screen, … from the browser interaction of the browser with the rest of the OS • with browser launching other apps (eg via plug-ins) or other apps launching the browser (eg by clicking links in email) 5

  6. 1) using a malicious webserver malicious input a brow owser ser youcantrustme.com with eg. phishing emails to lure people there 6

  7. 2) via a benign webserver malicious input web b a brow owser ser server er brightspace.ru.nl brow owser ser 7

  8. Attack possibilities 1. Fake/malicious website with link in phishing email, ad, web forum, to lure victims there • 2. Malicious content in a genuine web page a. via 3 rd party content (ads, maps, social media like buttons, …) b. via 1 st party content supplied by users (eg facebook or brightspace posts) 3. Genuine content on a fake/malicious web page • This is a variant of 1 and the exact opposite of 2 4. Malicious link to the genuine website eg. malicious parameters in a link • This can cause a problem server-side, but the response can • cause a problem client-side 8

  9. Attacker goals Attacks on availability • – DoS-ing the client or the server – or the user • Some of the malicious postings in the Brightspace forum are DoS attacks Attacks on confidentiality • – Obtaining confidential information from the browser or, via the browser, from the server – Tracking the user, i.e. attacks on privacy & anonymity • discussed in more detail in two weeks Attacks on integrity • – Corrupting information client-side or server-side – Doing malicious actions, on behalf of the user Attacks can abuse browser bugs or browser features 9

  10. Example browser bug: client-side DoS vulnerability 10

  11. Example browser bug: IE image crash Image with huge size used to crash Internet Explorer and freeze the • whole Windows machine Malicious payload for this <HTML><BODY> <img src =”a.jpg” width =”999999999” height=”999999999”></ img> </BODY><HTML> Such a payload is easy to enter in a Brightspace forum … 11

  12. Browser bugs Browser bugs may allow more than just Denial of Service Worst of all: execute arbitrary code • Exploiting the kind of bugs discussed in Hacking in C • Drive-by-downloads where just visiting a webpage can install malware by exploiting security holes in browser, graphics libraries, media players, ... Eg many vulnerabilities in WebKit rendering engine • https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=webkit can cause crashes, remote code execution (RCE), memory corruption, overwriting cookies, spoofing address bar, … But even without any such vulnerabilities, things can go wrong, as explained in rest of this lecture. • These are not bugs but features! 12

  13. Overview Preliminaries • The power of JavaScript & the DOM • The client-side attack surface: 1 st vs 3 rd party content • Same-Origin Policy (SOP) as general protection • mechanism against malicious 3 rd party content, esp. 3 rd party scripts • Client-side attacks • esp. HTML injection and XSS Countermeasures against XSS • Input validation & output sanitisation • Sandboxing in the browser: • plug-ins, Content Security Policy (CSP) & sandboxed iframes Next week : more client-side security problems 13

  14. Dynamic webpages: The power of JavaScript & the DOM 14

  15. Recall: dynamic web pages Most web pages do not just contain static HTML, but are dynamic: ie they contain executable content. execution aka processing thanks to client-side scripting web web server browser 15

  16. Languages for Dynamic Content JavaScript part of HTML5 standard • WebAssembly • Flash • Silverlight • require browser add-on, ActiveX • slowly becoming extinct Java • .... • JavaScript is by far the most widespread: nearly all web pages include JavaScript CSS (Cascading Style Sheets) defines layout and colours of web page, headers, links, etc. CSS is also part of HTML5 • Not quite execution, but can be abused • – JavaScript is Turing-complete, CSS graphical effects are not 16

  17. JavaScript JavaScript is the leading language used in client-side scripting  embedded in web page & executed in the user's web browser  reacting on events (eg keyboard) and interacting with webpage  JavaScript has NOTHING to do with Java • Typical uses: • – User interaction with the web page Eg opening & closing menus, providing a client-side editor for input, ... JavaScript code can completely rewrite the contents of an HTML page without connecting to the web server! – Client-side input validation Eg has the user entered a correct date, valid s-number, syntactically correct email address or credit card number, or strong enough password? NB such validation should not be security-critical, because malicious client can trivially by-pass it! 17

  18. JavaScript Scripting language interpreted by browser • <script type="text/javascript"> ... </script> optional Built-in functions eg to change content of the window • <script> alert("Hello World!"); </script> You can define additional functions • <script> function hi(){alert("Hi!");}</script> Built-in event handlers for reacting to user actions • <img src="pic.jpg" onMouseOver="javascript:hi()"> Code can be inline, as in examples above, or in external file specified • by URL <script src="http://a.com/base.js"></script> Read HTML5 specs to see what should happen if you include both, eg in <script src="js/base.js"> alert("hi") </script> Example: http://www.cs.ru.nl/~erikpoll/websec/demo/demo_javascript.html NB try out the example on this page & look at the code (also for the exam). 18

  19. DOM (Document Object Model) DOM is representation of the content of a webpage, in OO • style • Webpage is a document object with various properties, such as document.URL, document.referer, document.cookie, document.title … and with all elements of the page as sub-objects 19

  20. DOM (Document Object Model) JavaScript can interact with the DOM API provided by the browser to access or change parts of the current webpage incl. text, the URL, cookies, .... This gives JavaScript its real power! Eg it allows scripts to change layout and content of the webpage, open and menus in the webpage, open new tabs, change content in those tabs, ... Examples: http://www.cs.ru.nl/~erikpoll/websec/demo/demo_DOM.html http://www.cs.ru.nl/~erikpoll/websec/demo/demo_DOM2.html NB try out this example & look at the code for exam. 20

  21. Example use of Java Script: session replays JavaScript can be used to record all user activity on a site, so that the entire session can be observed and replayed server-side. Example replay using FullStory https://freedom-to-tinker.com/2017/11/15/no-boundaries-exfiltration-of-personal-data-by-session-replay- scripts/ 21

  22. Running downloaded code is a security risk! Why would running JavaScript not be? 22

  23. Security measures for JavaScript 1 2 sandbox for sandbox for facebook.com ad.com Browser sandbox 1. Browser sandbox for webpage as a whole 2. Same Origin Policy (SOP): One sandbox per origin (facebook.com, ad.com , …) 23

  24. Security measures for JavaScript Two levels of protection against malicious or buggy JavaScript built into the browser: 1. Sandbox provided by the browser This protects the browser from JavaScript code in webpages JavaScript code can change anything in a webpage, but cannot • access other functionality of the browser, e.g. changing the address bar, accessing the file system, etc. 2. Same-Origin-Policy (SOP) This prevents code from one origin from messing with content from another origin (origin = protocol + domain + port, https://ru.nl:80) 24

  25. 1 st and 3 rd party content st party content rd party content 1 st 3 rd maps.google.com from same origin , from different origins here facebook.com advertising.com st party map 1 st other ad user’s user- user- user- content supplied JavaScript supplied supplied facebook content content content content facebook websec 25

  26. Confusion for user and web server What’s happening in maps.google.com my browser? And who am I advertising.com interacting with? Do these HTTP requests really come map from our customer? ad other user’s user- user- user- content supplied supplied supplied content facebook content content content facebook This confusion be abused, if user or server mistakenly trust the other party websec 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Sa Safe fety ty an and S d Sec ecurity urity Pr Proj oject ect Upd pdat ate Ralph

Sa Safe fety ty an and S d Sec ecurity urity Pr Proj oject ect Upd pdat ate Ralph

Sa Safe fety ty an and S d Sec ecurity urity Pr Proj oject ect Upd pdat ate Ralph McKinney Chief Safety and Security Officer Saf afety ety an and S d Sec ecur urity ity Req equi uire remen ments ts fo for Ma Majo jor r

255 views • 12 slides
ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of property damage 1 Always by your side. WATER FIRE CLIMATE All crucial for human life. At the same time posing an unpredictable threat to valuable

829 views • 57 slides
SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

1 SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1 Side 2 Side 1 Side 3 Side 4 1 2 2 1 Side 3 3 2 1 Counter-clockwise convention 1 2 3 3 y s 2 2 x s 1 2 i i 1 N i 1 2 N i i

647 views • 53 slides
PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human

PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human

PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human life. At the same time posing an unpredictable threat to valuable property. Water Fire Climate 2 Always By Your Side. Enter Polygon. We

678 views • 48 slides
Best Practices in Credit Portfolio Risk Management for Buy-side Managers Moody's Analytics Risk

Best Practices in Credit Portfolio Risk Management for Buy-side Managers Moody's Analytics Risk

Best Practices in Credit Portfolio Risk Management for Buy-side Managers Moody's Analytics Risk Practitioner Conference October 17 th , 2012 David Latour Caisse de dpt et placement du Qubec Senior Adviser, Quantitative Risk Analysis

716 views • 30 slides
Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan

Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan

Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan Salinger Institut fr Informatik Freie Universitt Berlin What is side-by-side prog.? Study setup And why are we interested?

667 views • 40 slides
EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response: Strong Side WCPSS Core Beliefs #1- Every student is uniquely capable and deserves to be challenged and engaged in relevant, rigorous , and meaningful

1.11k views • 31 slides
Please sit: Sit on the left side or as close to the front on the right side of the room as

Please sit: Sit on the left side or as close to the front on the right side of the room as

Please sit: Sit on the left side or as close to the front on the right side of the room as you can. We are excited that you are here: Start your computer and get ready for our first class session. CSSE 220 Object-Oriented

389 views • 20 slides
Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are

Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are

Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are worried about a symptom you think may be a side effect: 1. Check the leaflet supplied with the medicine. It lists known side effects and advises you

592 views • 11 slides
1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of

1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of

1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of loan trades and today I am going to share with you some insights into the challenges and the opportunities that the market presents. Before that a

382 views • 9 slides
East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side

East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side

East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side Adult Education Program will provide a learning environment which fosters student success, encourages life-long education, and meets changing

622 views • 21 slides
Please do not sit in the back row Please sit: Sit on the right side or as close to the

Please do not sit in the back row Please sit: Sit on the right side or as close to the

Please do not sit in the back row Please sit: Sit on the right side or as close to the front on the left side of the room as you can. We are excited that you are here: Start your computer and get ready for our first class

1.13k views • 21 slides
INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid

INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid

INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid -So uth Re g io n Da vid Ma c hupa Vic e Pre side nt RE T AI L PROPE RT I E S Commercial Investment Market Review AGENDA National

651 views • 15 slides
COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side panel? The orange arrow closes and opens the side panel. How can I make my screen bigger? To have a bigger view of the screen, select the square

406 views • 18 slides
COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side panel? The orange arrow closes and opens the side panel. How can I make my screen bigger? To have a bigger view of the screen, select the square

381 views • 20 slides
T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y Po inte Be ha vio ra l He a lth Se rvic e , I nc . Pre side nt, Ca uc us o f Bla c k Psyc hia trists, APA PHYSI CI AN, K NOW T HYSE L F

400 views • 14 slides
Client-side web dev without Javascript ...with Scala.js! http://tinyurl.com/scalajs Who am I?

Client-side web dev without Javascript ...with Scala.js! http://tinyurl.com/scalajs Who am I?

Client-side web dev without Javascript ...with Scala.js! http://tinyurl.com/scalajs Who am I? - Li Haoyi - Used to write Coffeescript at Dropbox web-infra - Now working on Server Platform team - Early contributor, users of Scala.js -

748 views • 29 slides
Web Technologies and Publishing On the Web Applications Publishing information on the WWW is an

Web Technologies and Publishing On the Web Applications Publishing information on the WWW is an

Web Technologies and Publishing On the Web Applications Publishing information on the WWW is an activity that involves three major steps: Winter 2001 1. Create a document CMPUT 499: HTML and Beyond HTML with any text editor Dr. Osmar

436 views • 17 slides
HTTP, HTML, URL, Java Socket Agenda 1. Architecture overview 2. URL 3. HTTP 4. HTML 5. Java

HTTP, HTML, URL, Java Socket Agenda 1. Architecture overview 2. URL 3. HTTP 4. HTML 5. Java

HTTP, HTML, URL, Java Socket Agenda 1. Architecture overview 2. URL 3. HTTP 4. HTML 5. Java Socket 1. Architectur al Overview (1) (a) A Web page (b) The page reached by clicking on Department of Animal Psychology. 1. Architectural

507 views • 25 slides
The Rise and Rise of Content Distribution Networks Geoff Huston APNIC WIE December 2017 Our

The Rise and Rise of Content Distribution Networks Geoff Huston APNIC WIE December 2017 Our

The Rise and Rise of Content Distribution Networks Geoff Huston APNIC WIE December 2017 Our Heritage Our Heritage The Telephone Network: Connected handset to handset Intentionally transparent network Peer-to-peer service construct

348 views • 14 slides
Feb 11, 2016 Session 10:00am 12 Noon Agenda Topic Presenter / Facilitator Timeframe Welcome

Feb 11, 2016 Session 10:00am 12 Noon Agenda Topic Presenter / Facilitator Timeframe Welcome

Feb 11, 2016 Session 10:00am 12 Noon Agenda Topic Presenter / Facilitator Timeframe Welcome Michael Chen 2 min. Web Accessibility Patrick Johnson 30 min. New Accessibility Mandates David Escobar 25 min. State Template

430 views • 22 slides
Color Presented by Anirban Sinha (Ani) 1 Focus Area Importance of luminance &amp;

Color Presented by Anirban Sinha (Ani) 1 Focus Area Importance of luminance &amp;

Two papers on Color Presented by Anirban Sinha (Ani) 1 Focus Area Importance of luminance &amp; luminance contrast in color maps for visualizing human recognizable elements in photos. Design of a technique to use mans complex

671 views • 26 slides
An Exploration of Search Visualization Strategies 6/4/2020 1 Introduction Me: Daniel Worley

An Exploration of Search Visualization Strategies 6/4/2020 1 Introduction Me: Daniel Worley

An Exploration of Search Visualization Strategies 6/4/2020 1 Introduction Me: Daniel Worley Who I work for: Opensource Connections What do I do: Search Relevance Strategist 2 Overview Transparent Boosting (Radar) Histogram Facets

219 views • 21 slides
Layered Depth Images for Multi-View Coding Vincent Jantet ENS-Cachan, Antenne de Bretagne,

Layered Depth Images for Multi-View Coding Vincent Jantet ENS-Cachan, Antenne de Bretagne,

Layered Depth Images for Multi-View Coding Vincent Jantet ENS-Cachan, Antenne de Bretagne, Campus de Ker Lann, 35170 Bruz France INRIA Rennes, Bretagne Atlantique, Campus de Beaulieu, 35042 Rennes France Ph.D. Thesis defense, Rennes,

629 views • 52 slides

More recommend