cli lient nt side side attac tacks s con onti tinued ued
play

Cli lient nt-side side attac tacks s con onti tinued ued 1 - PowerPoint PPT Presentation

Oct 30, 2022 •256 likes •915 views

Cli lient nt-side side attac tacks s con onti tinued ued 1 Last week: security provided by SOP trusted content mafia.org <iframe src="http://mafia.org/a.html"> </iframe> bank.com SOP protects against malicious

  1. Cli lient nt-side side attac tacks s con onti tinued ued 1

  2. Last week: security provided by SOP trusted content mafia.org <iframe src="http://mafia.org/a.html"> </iframe> bank.com SOP protects against malicious content (eg advertisement) from another origin 2

  3. Last week: security provided by SOP trusted content mafia.org a.html bank.com SOP protects against malicious content (eg advertisement) from another origin 3

  4. Last week: security provided by SOP trusted content mafia.org <iframe src="http://mafia.org/a.html"> </iframe> a.html bank.com (JavaScript in) a.html cannot observe or interfere with surrounding webpage, thanks to SOP 4

  5. SOP examples For example of the SOP in action, experiment with http://www.cs.ru.nl/~erikpoll/websec/demo/test_SOP .html and look at the HTML code 5

  6. Last week: by-passing SOP with HTML-injection trusted content malicious html fragment bank.com Contents included with HTML injection (incl. XSS) (reflected, stored, or via DOM) is counted as coming from the same origin 6

  7. SOP & XSS Can SOP prevent or mitigate XSS? • eg a malicious Brightspace forum post with XSS NO NO, as XSS scripts come from the same origin – e.g. an attack script stored in Brightspace forum is 1 st party content, and comes from the same origin as legitimate scripts from Brightspace YES YES, , if you design your website to use multiple origins if uploaded content is hosted on a different domain • say untrusted_student_content.ru.nl instead of brightspace.ru.nl uploaded scripts cannot access brightspace.ru.nl Eg gmail uses googleusercontent.com for this purpose • Brightspace could also use this trick, for Defense in Depth • 7

  8. CORS (Cross-Origin Resource Sharing) SOP is too strict in many settings • Using CORS, a website can relax the SOP policy to allow some • cross-origin requests For example Access-Control-Allow-Origin: * allows any cross-origin requests Access-Control-Allow-Origin: https://trusted.com allows cross-origin requests from a specific origin We won’t go into the gory details of CORS in this course 8

  9. SOP problems Modern browsers are very complex, and SOP is complex Hence: some implementations screw things up See CVEs about this https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Same%20Origin%20Policy 9

  10. Bug: SOP bypass in Internet Explorer 6 & 7 The DOM provides the .domain property for the domain part of a document’s origin. A bug in Internet Explorer allowed any JavaScript to set this property So a malicious script could include <script> var document; document = {}; document.domain = ’bank.com’; // now we can access bank.com content ... </script> 10

  11. Bug: SOP bypass in Android WebView [CVE 2014-6041] WebView is a web rendering engine for Android i.e. it renders (aka displays) a piece of HTML • A null character before JavaScript would by-pass the SOP ... onclick="window.open('\u0000 javascript:alert(..)) This bug affected 42 out of the top 100 apps in the Google Playstore with ‘Browser’ in their name 11

  12. Alternative: supply chain attack trusted content b.com <script scr =”http://b.com/lib.js”> bank.com Confusingly, 3 rd party JavaScript included in 1 st party HTML source is counted as same origin, so SOP does not impose access restrictions on lib.js 12

  13. Alternative: use a malicious website Malicious site could phish for logins & passwords. It could also include malicious links to the attacked website, eg abusing CSRF 13

  14. Or: malicious website with genuine iframe content SOP protects against malicious site from observing or messing with trusted content but, as we will see, user can still be misled • 14

  15. More e attac tacks s on clients ients, , esp. . the e user URL L obfu fusca scation, tion, Clic ick-jac jacking/ ing/UI UI redressing essing, , CSR SRF 15

  16. Securing the last 30 centimeter... 1000 of miles 30 cm We can secure connections between computers 1000s of miles apart, eg using TLS, but the remaining 30 cm between user and laptop remain a problem websec 16

  17. Would you trust these URLs? • https://www.paypal.com:get_request%2Eupdate&id=234782& Recall that a URL has the form https://username:password@host/.... So what is the domain we are accessing? • https://www.paypal.com How do you know that the first p is not a Cyrillic character? websec 17

  18. URL obfuscation Attacker tries to confuse the user (in e.g. phishing attack) by including a username before the domain name • https://www.visa:com@%32%32%30%2E%36%38%2E%32%31%34%2E... which translates to the IP address 220.68.214.213 using strange Unicode characters in a homograph attacks • https://paypal.com with a Cyrillic p Browser bugs may offer more opportunities to confuse the user. In a famous Internet Explorer bug, a URL with a null character, e.g. http://paypal.com%00@mafia.com, would not display properly... Countermeasures: 1. Punycode which encodes Unicode as ASCII to reveal funny characters www.xn-pypal-4ve.com 2. Domain highlighting to make it clear which part of URL is the domain name websec 18

  19. Browser warnings – use of strange character sets websec 19

  20. Highlighting domain name in address bar websec 20

  21. Newer homograph attack [2017] Some browsers display https://xn--80ak6aa92e.com as apple.com Problem: some browsers only use puny encoding if URL mixes several characters sets, not if all characters are from one (misleading) character set See https://www.xudongz.com/blog/2017/idn-phishing/ Attack still works in Firefox, not In Chrome & Edge? websec 21

  22. Latest UI confusion on mobile phones [2019] Chrome on mobile phone hides URL bar when you scroll down. Attacker can abuse this feature to display a fake URL bar. See https://jameshfisher.com/2019/04/27/the-inception-bar-a-new-phishing- method/ 22

  23. UI confusion on desktops [2019] Is this pop-up window legit? It has an https-link to facebook.com • This is not pop-up window displayed by your browser, but a fake pop-up rendered inside a malicious phishing webpage How can you tell? • – You can move this ‘pop - up window’ but you cannot drag it outside of the confines of the webpage See https://myki.com/blog/facebook-login-phishing-campaign and check the video there https://youtu.be/nq1gnvYC144 23

  24. Click-jacking & UI redressing 24

  25. Click-jacking & UI redressing These attacks try to confuse the user into unintentionally • doing something that the attacker wants, such as – clicking some link – supplying text input in fields • These attacks abuse trust that users have in a webpage and their browser – ie. the trust that users have in what they see – What you see may not be what it looks like! Clickjacking UI redressing XSS attack web web server browser 25

  26. Click-jacking & UI redressing Terminology is very messy Click-jacking and UI redressing sometimes regarded as synonyms; • Some people regard click-jacking as an ingredient for UI redressing • To add to the confusion, these attacks often come in combination with CSRF or XSS 26

  27. Basic click-jacking Make the victim unintentionally click on some link <a onMouseUp=window.open("http://mafia.org/") href="http://www.police.nl">Trust me, it is safe to click here, you will simply go to police.nl</a> See demo http://www.cs.ru.nl/~erikpoll/websec/demo/clickjack_basic.html Why? Some unwanted side-effect of clicking the link • Especially if the user is automatically authenticated by the target website (thanks to cookie) • Click fraud 27

  28. Business model for click jacking: click fraud Web sites that publish ads are paid for the number of click- • throughs (ie, number of visitors that click on these ads) Click fraud: attacker tries to generate lots of clicks on ads, • that are not from genuinely interested visitors Motivations for attacker • 1. generate revenue for web site hosting the ad 2. generate cost for a competitor who pays for these clicks 28

  29. Click fraud Other forms of click fraud (apart from click-jacking) Click farms (hiring individuals to manually click ads) • Pay-to-click sites (pyramid schemes created by publishers) • Click bots (hijacked computers in botnet, running software to • automate clicking) 29

  30. Example: website with age confirmation check 30

  31. Example: website with age confirmation check Inspecting HTML source to see what you are actually clicking Inspecting content of these Amazon S3 buckets leads to https://mobile.facebook.com/v2.6/dialog/share?app_id=283197842324324 &href=https://example.com&in_iframe=1&locale=en_US&mobile_iframe=1 31

  32. Example: website with age confirmation check Clicking age confirmation bucket shares a post of Facebook Such clickjacking can get you many likes or shares! Attack only worked in the Facebook mobile app, not in a normal browser NB the Facebook app is/contains a web-browser • Read the description at https://malfind.com/index.php/2018/12/21/how-i-accidentaly-found-clickjacking-in- facebook/ 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a

Using U Unikernels to E o Enhan ance t the Attac ack- Resistance of S of Spire, a Ne a Network work-A -Attac ack-R -Resili lient t Intr In trus usion on-Tole olerant S SCADA f for or th the P Powe ower Gr r Grid Brad

677 views • 30 slides
ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of

ALWAYS BY YOUR SIDE Always by your side. to prevent, control and mitigate all kinds of property damage 1 Always by your side. WATER FIRE CLIMATE All crucial for human life. At the same time posing an unpredictable threat to valuable

829 views • 57 slides
SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1

1 SCHISM numerical formulation Joseph Zhang Horizontal grid: hybrid 2 3 Side 2 4 3 Side 1 Side 2 Side 1 Side 3 Side 4 1 2 2 1 Side 3 3 2 1 Counter-clockwise convention 1 2 3 3 y s 2 2 x s 1 2 i i 1 N i 1 2 N i i

647 views • 53 slides
PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human

PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human

PROFILE OF Always By Your Side. A WORLD LEADER 1 Always By Your Side. All crucial for human life. At the same time posing an unpredictable threat to valuable property. Water Fire Climate 2 Always By Your Side. Enter Polygon. We

678 views • 48 slides
Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan

Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan

Types of Cooperation Episodes in Side-by-Side Program m ing Lutz Prechelt, Ulrich Strk, Stephan Salinger Institut fr Informatik Freie Universitt Berlin What is side-by-side prog.? Study setup And why are we interested?

667 views • 40 slides
EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response:

EAST SIDE! STRONG SIDE! 2018-2019 August 23, 2018 Trojan Pride Call: East Side Response: Strong Side WCPSS Core Beliefs #1- Every student is uniquely capable and deserves to be challenged and engaged in relevant, rigorous , and meaningful

1.11k views • 31 slides
Please sit: Sit on the left side or as close to the front on the right side of the room as

Please sit: Sit on the left side or as close to the front on the right side of the room as

Please sit: Sit on the left side or as close to the front on the right side of the room as you can. We are excited that you are here: Start your computer and get ready for our first class session. CSSE 220 Object-Oriented

389 views • 20 slides
Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are

Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are

Reporting medicines side effects The Yellow Card Scheme Worried about side effects? If you are worried about a symptom you think may be a side effect: 1. Check the leaflet supplied with the medicine. It lists known side effects and advises you

592 views • 11 slides
1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of

1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of

1 2 Rockstead has a unique advantage of being positioned on both the buy side and sell side of loan trades and today I am going to share with you some insights into the challenges and the opportunities that the market presents. Before that a

382 views • 9 slides
East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side

East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side

East Side Adult Education 2008-2009 East Side Adult Education Mission Statement The East Side Adult Education Program will provide a learning environment which fosters student success, encourages life-long education, and meets changing

622 views • 21 slides
INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid

INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid

INVE ST ME NT MARKE T RE VIE W J. Sc o tt Ada ms , CCI M Re g io na l Pre side nt, Mid -So uth Re g io n Da vid Ma c hupa Vic e Pre side nt RE T AI L PROPE RT I E S Commercial Investment Market Review AGENDA National

651 views • 15 slides
Please do not sit in the back row Please sit: Sit on the right side or as close to the

Please do not sit in the back row Please sit: Sit on the right side or as close to the

Please do not sit in the back row Please sit: Sit on the right side or as close to the front on the left side of the room as you can. We are excited that you are here: Start your computer and get ready for our first class

1.13k views • 21 slides
COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-2-2020 How to use the Side Panel How do I see the screen under the side panel? The orange arrow closes and opens the side panel. How can I make my screen bigger? To have a bigger view of the screen, select the square

406 views • 18 slides
COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 4-9-2020 How to use the Side Panel How do I see the screen under the side panel? The orange arrow closes and opens the side panel. How can I make my screen bigger? To have a bigger view of the screen, select the square

381 views • 20 slides
T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y

T RANSI T I ON 2 PRACT I CE Na po le o n B. Hig g ins, Jr., MD CE O a nd Pre side nt, Ba y Po inte Be ha vio ra l He a lth Se rvic e , I nc . Pre side nt, Ca uc us o f Bla c k Psyc hia trists, APA PHYSI CI AN, K NOW T HYSE L F

400 views • 14 slides
COVID 19 UPDATE 5-11-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 5-11-2020 How to use the Side Panel How do I see the screen under the side

COVID 19 UPDATE 5-11-2020 How to use the Side Panel How do I see the screen under the side panel? The orange arrow closes and opens the side panel. How can I make my screen bigger? To have a bigger view of the screen, select the

144 views • 10 slides
What I Wish Id Known When I Started Erick Hitter @ethitter https://ethitter.com/ FIRST

What I Wish Id Known When I Started Erick Hitter @ethitter https://ethitter.com/ FIRST

What I Wish Id Known When I Started Erick Hitter @ethitter https://ethitter.com/ FIRST Cant check if the users logged in until init May work before because WPs trying to protect you Dont try to conditionally load

501 views • 26 slides
1 2 3 4 5 6 7 8 9 10 11 12 13 Question from the Audience: Q: I'm curious about your

1 2 3 4 5 6 7 8 9 10 11 12 13 Question from the Audience: Q: I'm curious about your

1 2 3 4 5 6 7 8 9 10 11 12 13 Question from the Audience: Q: I'm curious about your expense figures, i.e. 100 dogs per year with $100,00 in expense = $1,000/dog/year. Seems low to me based on my experience. How did you determine the

835 views • 42 slides
No-Regret Learning CMPUT 654: Modelling Human Strategic Behaviour Hart &amp; Mas-Colell (2000)

No-Regret Learning CMPUT 654: Modelling Human Strategic Behaviour Hart &amp; Mas-Colell (2000)

No-Regret Learning CMPUT 654: Modelling Human Strategic Behaviour Hart &amp; Mas-Colell (2000) Nekipolov, Syrgkanis, and Tardos (2015) Lecture Outline 1. Recap 2. Hart &amp; Mas-Colell (2000) 3. Coarse Correlated Equilibrium 4.

429 views • 16 slides
PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of

PERFORMANCE METRICS Mahdi Nazm Bojnordi Assistant Professor School of Computing University of Utah CS/ECE 6810: Computer Architecture Overview Announcement Aug. 28 th : Homework 1 release (due on Sept. 4 th ) n Verify your uploaded files

784 views • 29 slides
TDD ist fr Trumer, nicht fr Praktiker, oder? Sven Amann academicscode.com

TDD ist fr Trumer, nicht fr Praktiker, oder? Sven Amann academicscode.com

TDD ist fr Trumer, nicht fr Praktiker, oder? Sven Amann academicscode.com letsdeveloper.com @svamann artwork by Sven Amann - CC BY-SA 4.0 Why TDD (discussions)? Why do I talk about TDD? Sven Amann artwork by Sven Amann - CC BY-SA

931 views • 43 slides
DLMF Content Dictionaries Special Function Catalog The Next Iteration DLMF Content

DLMF Content Dictionaries Special Function Catalog The Next Iteration DLMF Content

DLMF Content Dictionaries The Next Iteration Bruce R. Miller NIST Background DLMF Content Dictionaries Special Function Catalog The Next Iteration DLMF Content Dictionaries Conclusion Bruce R. Miller NIST August 10, 2018 DLMF Content

241 views • 20 slides
Control of Robots Clemens Frahnow Friedrich Horschig Permalink:

Control of Robots Clemens Frahnow Friedrich Horschig Permalink:

Wireless and Hands-Free Control of Robots Clemens Frahnow Friedrich Horschig Permalink: https://docs.google.com/presentation/d/1CQkJI7dA9LlaVybScDeZg2zobSO6oGk4vqdn2FOGjCs Agenda 1. What works? 2. What was hard to get working? 3. What will

410 views • 10 slides
sweep applications P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects receive(d) Community research

sweep applications P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects receive(d) Community research

Extending gLite VOs with volunteer and institutional BOINC-based desktop grids to execute parameter sweep applications P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects receive(d) Community research funding Source: http://europa.eu/volunteering

739 views • 31 slides

More recommend