co 445h
play

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS - PowerPoint PPT Presentation

Sep 19, 2022 •216 likes •840 views

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

  1. CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits

  2. British Airw rways Hack 2  BA last week admitted that personal and payment card info for 380,000 customers had been swiped from its site between 21 August and 5 September. The airline said on Friday that an unnamed security partner detected the breach, which has already been resolved.  Security researcher Mustafa Al-Bassam said BA had switched around the third-party JavaScript code loaded onto its website in response to a privacy complaint he'd initiated. These changes – only applied in the month running up to the breach – related to running third-party ads and trackers (including LinkedIn, Twitter and DoubleClick) on a booking page. https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/

  3. British Airw rways Hack 3  Security experts are debating the cause of the British Airways mega- breach, with external scripts on its payment systems emerging as a prime suspect in the hack.  BA has said little related to the cause of the breach, much less who might have carried it out. Security vendor RiskIQ has advanced the theory that malicious code was planted on the airline’s payments page, via a modified version of the Modernizr JavaScript library. To carry out the attack in this way, hackers would have had to modify JavaScript files without hobbling its core functionality.

  4. rd party Magecart – 3 rd 4  Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.  While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial.

  5. Dissassembling This 5

  6. Dissassembling This 6

  7. Se Security Researchers Dis iscussing on Twitter 7

  8. Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice

  9. Network Security Network Attacker Intercepts and controls network communication Alice

  10. Web Malware Attacker Malware Attacker Escapes the browser to wreak havoc on Alice’s machine Alice

  11. Web Threat Models  Web attacker  Control https://attacker.com  Can obtain SSL/TLS certificate for https://attacker.com  User visits attacker.com ◼ Or: runs attacker’s Facebook app, etc. This is what connects the world of web attacks to low-level  Network attacker memory-based exploitation  Passive: Wireless eavesdropper we’ve seen so far  Active: Evil router, DNS poisoning  Malware attacker  Attacker escapes browser is isola olation mec echanisms and run separately under control of OS

  12. Cookies: Client State 12

  13. Cookies: Browser State POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: expires = (when expires) ; this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

  14. Cookie-Based Authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user auth=val Set-cookie: auth=val Store val GET restricted.html restricted.html Cookie: auth=val auth=val Check val If YES, YES/NO restricted.html

  15. Cookie Security Policy  Uses:  User authentication  Personalization  User tracking: e.g. Doubleclick (3 rd party cookies)  Browser will store:  At most 20 cookies/site, 3 KB / cookie  Origin is the tuple <domain, path>  Can set cookies valid across a domain suffix

  16. Cookies From www.marketplace.org 16 16

  17. Secure Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; Secure=true  Provides confidentiality against network attacker  Browser will only send cookie back over HTTPS  No integrity  Can rewrite secure cookies over HTTP  Network attacker can rewrite secure cookie  Can log user into attacker’s account

  18. A Real Secure Set-Cookie Request 18 18

  19. httpOnly Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; httpOnly  Cookie sent over HTTP(s), but not ot ac accessib ible le to scripts  cannot be read via document.cookie  Helps prevent cookie theft via XSS  … but does not stop most other risks of XSS bugs

  20. Frame and Content Is Isolation

  21. Frame and IFRAME  Window may contain frames from different sources  Frame: rigid division as part of frameset  iFrame: flo floati ting inline frame  iFrame example < iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </ iframe >  Why use frames?  Delegate screen area to content from another source  Browser provides isolation based on frames  Parent may work even if frame is broken

  22. Floating IFRAME s 22 22

  23. Windows In Interact. What? 23

  24. Web vs. OS: An Analogy Operating system Web browser Primitives Primitives   Document object model (DOM)  System calls  Frames  Processes  Cookies / localStorage  Disk  Principals: “Origins”  Principals: Users Mandatory access control   Discretionary access control  Application-level vulnerabilities  Cross-site scripting  Low-level vulnerabilities  Cross-site request forgery  Buffer overflow  SQL injection  Other memory issues etc.  

  25. Policy Goals  Safe to visit a potentially evil web site  Safe to visit two pages at the same time  Address bar distinguishes them  Allow safe delegation

  26. Browser Security Mechanism A B A A B  Each frame of a page has an origin  Origin = <pr protocol://host:port>  Frame can access its own origin  Network access, Read/write DOM, Storage (cookies)  Frame cannot access data associated with a different origin

  27. Origin Determination: http://www.example.com 27 27

  28. Components of f Browser Security Poli licy  Frame-Frame relationships  canScript(A,B) ◼ Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?  canNavigate(A,B) ◼ Can Frame A change the origin of content for Frame B?  Frame-principal relationships  readCookie(A,S), writeCookie(A,S) ◼ Can Frame A read/write cookies from site S? See https://code.google.com/p/browsersec/wiki/Part1 https://code.google.com/p/browsersec/wiki/Part2

  29. Library ry Im Import Excluded From SOP <script src=https://seal.verisign.com/getseal?host_name=a.com></script> VeriSign Script has privileges of im imported page, NOT source server. • Can script other pages in this origin, load more scripts • Other forms of importing •

  30. Domain Relaxation www.facebook.com chat.facebook.com www.facebook.com facebook.com chat.facebook.com facebook.com www.facebook.com  Origin: scheme, host, (port), hasSetDomain  Try document.domain = document.domain

  31. Additional Mechanisms Server : CORS (Cross-origin network requests) Access-Control-Allow- Site B Site A Origin: <list of domains> Access-Control-Allow- Origin: * Client : Cross-origin client side communication Client-side messaging via navigation (old browsers) Site A context Site B context postMessage (modern browsers)

  32. if iframes  Embed HTML documents in other documents <iframe name=“ myframe ” src =“http://www.google.com/”> This text is ignored by most browsers. </iframe>

  33. Frame Busting  Goal: prevent web page from loading in a frame  example: opening login page in a frame will display correct passmark image  Frame busting: if (top != self) top.location.href = location.href

  34. Better Frame Busting  Problem: Javascript OnUnload event <body onUnload="javascript: cause_an_abort;)">  Try this instead: if (top != self) top.location.href = location.href else { … code of page here …}

  35. Frame Busting via Headers 35 35 Set X-Frame-Options to DENY or SAMEORIGIN dfd  $ npm install busted var busted = require('busted'); var URL = 'http://www.bbc.co.uk'; busted.headersTest(URL, function(url, passed) { console.log(url + (passed ? ' passed ' : ' failed ') + 'the headers test.'); });

  36. CSP an CORS

  37. CSP: Content Security Policy 37 37  Example le 1:  A server wants all content to come from its own domain: X-Content-Security-Policy: default-src 'self‘  Example le 2:  An auction site wants to allow images from an anywhere, plugin content from a list of tr trusted media providers including a content distribution network, and scr scripts only from a server under its control hosting sanitized JavaScript: X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is

CO 445H MALWARE AND VIRUSES Dr. Benjamin Livshits Malware: Different Types 2 Spyware is software that aids in gathering A virus is a computer program that is information about a person or organization capable of making copies of itself

716 views • 56 slides
CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they

CO 445H BLOCKCHAIN SECURITY Dr. Benjamin Livshits Apps Stealing Your Data 2 What are they doing with this data? We dont know what is happening with this data once it is collected. Its conceivable that this information could be analysed

959 views • 59 slides
CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits

CO 445H SECURE DESIGN PRIN INCIPLES JAVA SECURITY ROP AND ADVANCED EXPLOITS Dr. Ben Livshits Some Survey Responses 2 Sunsetting Google+ 3 https://www.blog.google/technology/safety-security/project-strobe/ Details 4 Notifications 5

1.12k views • 64 slides
CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International

CO 445H MOBILE PLATFORM SECURITY AND MOBILE PRIVACY Dr. Benjamin Livshits Privacy International Data Tracking 2 http://privacyinternational.org/feature/2433/i-asked-online-tracking-company-all-my-data-and-heres-what-i-found Two Main Attack

986 views • 63 slides
COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level

COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level

CO 445H COURSE IN INTRODUCT CTION SECURITY PROPERTIES SECURE DESIG IGN Dr. Ben Livshits High-Level Course Logistics 2 https:/ ://www.doc.ic ic.ac.uk/~liv livshit its/cla lasses/CO445H/ / Course Logistics 3 Monday: 2-hour time

874 views • 53 slides
WHiZard/OMega Tutorial Jrgen Reuter Carleton University, Ottawa University of Freiburg

WHiZard/OMega Tutorial Jrgen Reuter Carleton University, Ottawa University of Freiburg

J. Reuter WHiZard/OMega Tutorial MSU + Carleton, 16./19.3.2007 WHiZard/OMega Tutorial Jrgen Reuter Carleton University, Ottawa University of Freiburg W. Kilian, T. Ohl, JR, 1998-20xx, always in progress MSU, East

512 views • 28 slides
Computer Networks - Xarxes de Computadors Teacher: Lloren Cerd Slides:

Computer Networks - Xarxes de Computadors Teacher: Lloren Cerd Slides:

Grau en enginyeria informtica - Xarxes de Computadors (XC-grau) Computer Networks - Xarxes de Computadors Teacher: Lloren Cerd Slides: http://studies.ac.upc.edu/FIB/grau/XC Outline Course Syllabus Unit 1: Introduction Unit 2. IP Networks

257 views • 24 slides
Minor Aside MIPS manual posted: check it out http:// www-cse.ucsd.edu/classes/fa08/cse141/docs /

Minor Aside MIPS manual posted: check it out http:// www-cse.ucsd.edu/classes/fa08/cse141/docs /

Minor Aside MIPS manual posted: check it out http:// www-cse.ucsd.edu/classes/fa08/cse141/docs / 1 Measuring Performance: Chapter 4! Or My computer is faster than your computer with thanks to Larry Carter, UCSD 2 Performance Marches On

430 views • 29 slides
CS 1550: Introduction to Operating Systems Prof. Ahmed Amer amer@cs.pitt.edu

CS 1550: Introduction to Operating Systems Prof. Ahmed Amer amer@cs.pitt.edu

CS 1550: Introduction to Operating Systems Prof. Ahmed Amer amer@cs.pitt.edu http://www.cs.pitt.edu/~amer/cs1550 Chapter 1 Class outline Introduction, concepts, review &amp; historical perspective Processes Synchronization

485 views • 33 slides
Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff

Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff

Cloudifornication Indiscriminate Information Intercourse Involving Internet Infrastructure Hoff (@Beaker) - FIRST 2010 Cloud Security Doesnt Matter When Is NetWareCloud Shipping? ::Setting Some Context The Internet is a remarkably frail

1.35k views • 100 slides
Midterm review CSCI 466: Networks Keith Vertanen

Midterm review CSCI 466: Networks Keith Vertanen

Midterm review CSCI 466: Networks Keith Vertanen Network architecture 2 Encapsula8on High-level messages encapsulated in low-level messages

1.25k views • 111 slides
Background Concepts Review Some of this material is covered in a MasteringAstronomy practice

Background Concepts Review Some of this material is covered in a MasteringAstronomy practice

Background Concepts Review Some of this material is covered in a MasteringAstronomy practice assignment called Math Review. The Metric System We will use the metric system almost exclusively. (English units are entirely evil.) Mass unit:

732 views • 29 slides
DNS Tutorial @ IETF-63 lafur Gudmundsson OGUD consulting Peter Koch DENIC 1 2005/07/31 DNS

DNS Tutorial @ IETF-63 lafur Gudmundsson OGUD consulting Peter Koch DENIC 1 2005/07/31 DNS

DNS Tutorial @ IETF-63 lafur Gudmundsson OGUD consulting Peter Koch DENIC 1 2005/07/31 DNS Tutorial @ IETF-63 ogud@ogud.com &amp; pk@denic.de Tutorial Overview Goal: Give the audience basic understanding of DNS to be able to

653 views • 47 slides
Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File

Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File

Linux File Systems Adrien schischi Schildknecht Linux File Systems Adrien schischi Schildknecht July 18, 2014 Why FS matters Linux File Systems Adrien schischi Schildknecht Overhead: non-volatile memory is often the

621 views • 42 slides
CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc

CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc

CMPS 111: Introduction to Operating Systems Professor Scott A. Brandt sb rand t@cs .ucsc .edu h t tp : / /www.cse .ucsc .edu /~sb randt / 111 Chapter 1 Class outline Introduction, concepts, review &amp; historical

490 views • 33 slides
L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics

L5 June 14, 2017 1 Lecture 5: Advanced Data Structures CSCI 1360E: Foundations for Informatics and Analytics 1.1 Overview and Objectives Weve covered list, tuples, sets, and dictionaries. These are the foundational data structures in

376 views • 9 slides
Prr s Prrs

Prr s Prrs

Prr s Prrs tt r t t tr tst

1.84k views • 159 slides
UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell

UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell

UNIX michael.fink@uibk.ac.at 2017 Overview History Practicalities User Interface Shell Toolbox Processes Users, Groups File System Development System Cluster Computing UNIX / Linux History 1969 UNIX at Bell Labs (antithesis to

1.4k views • 112 slides
Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick,

Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick,

Why is Microsoft investing in Functional Programming? Don Syme With thanks to Leon Bambrick, Chris Smith and the puppies All opinions are those of the author and not necessarily those of Microsoft Simplicity Economics Fun What Investments?

719 views • 45 slides
Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data

Internet Control Plane Security Yongdae Kim KAIST Two Planes Data Plane: Actual data delivery Control Plane To support data delivery (efficiently, reliably, and etc.) Routing information exchange In some sense, every protocol

396 views • 39 slides
The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself

The iLab Experience a blended learning hands-on course concept you set the focus Do It Yourself - Hardware YE - Topic Outline May 29, 2018 10.4. Kick Off, IPv6 1 IPv6 BGP 17.4. 2 Minilab 1 2 mini labs Advanced Wireless Playground BGP

1.64k views • 125 slides
Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory

Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory

Numerical Python Hans Petter Langtangen Intro to Python programming Simula Research Laboratory Dept. of Informatics, Univ. of Oslo March 2008 Numerical Python p. 1 Intro to Python programming p. 2 Make sure you have the software

816 views • 58 slides
30000BC Palaeolithic peoples in central Europe and France record numbers on bones.

30000BC Palaeolithic peoples in central Europe and France record numbers on bones.

30000BC Palaeolithic peoples in central Europe and France record numbers on bones. 5000BC A decimal number system is in use in Egypt. 4000BC Babylonian and Egyptian calendars in use. 3400BC The first symbols for numbers,

1.12k views • 110 slides
2. Integers std::cout &lt;&lt; &quot;Compute a^8 for a = ?&quot;; std::cin &gt;&gt; a; r = a

2. Integers std::cout &lt;&lt; &quot;Compute a^8 for a = ?&quot;; std::cin &gt;&gt; a; r = a

Example: power8.cpp int a; // Input int r; // Result 2. Integers std::cout &lt;&lt; &quot;Compute a^8 for a = ?&quot;; std::cin &gt;&gt; a; r = a a; // r = a^2 Evaluation of Arithmetic Expressions, Associativity and Precedence, r = r

430 views • 13 slides

More recommend