cse484 cse584
play

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Is - PowerPoint PPT Presentation

Mar 08, 2023 •177 likes •787 views

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Is Isolation Frame and IFRAME Window may contain frames from different sources Frame: rigid division as part of frameset iFrame: flo floati ting inline frame iFrame

  1. CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits

  2. Is Isolation

  3. Frame and IFRAME  Window may contain frames from different sources  Frame: rigid division as part of frameset  iFrame: flo floati ting inline frame  iFrame example < iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </ iframe >  Why use frames?  Delegate screen area to content from another source  Browser provides isolation based on frames  Parent may work even if frame is broken

  4. Floating IFRAME s 4

  5. At Least A Handful of IFRAMEs is Common 5

  6. Windows Interact 6

  7. Web vs. OS: An Analogy Operating system Web browser  Primitives  Primitives  System calls  Document object model (DOM)  Processes  Frames  Disk  Cookies / localStorage  Principals: Users  Principals: “Origins”  Low-level vulnerabilities  Application-level vulnerabilities  Buffer overflow  Cross-site scripting  Other memory issues  Cross-site request forgery  SQL injection  etc.

  8. Side-by-Side vs. Embedded in a Page 8  Two independent  Interesting windows interactions  …or frames  …or browser instances

  9. Frame Embedding 9

  10. Browser Security Mechanism A B A A B  Each frame of a page has an origin  Origin = <pr protocol://host:port>  Frame can access its own origin  Network access, Read/write DOM, Storage (cookies)  Frame cannot access data associated with a different origin

  11. Origin Determination: http://www.example.com 11 11

  12. SOP For the DOM 12 12 With no additional qualifiers, the term 2) Any page may set document.domain "same-origin policy" most commonly refers parameter to a right-hand, fully-qualified to a mechanism that governs the ability for fragment of its current host name (e.g., JavaScript and other scripting languages to foo.bar.example.com may set it to access DOM properties and methods across example.com, but not apple.com). If two domains (reference). In essence, the model pages explicitly and mutually set their boils down to this three-step decision respective document.domain parameters process to the same value, and the remaining same- origin checks are satisfied, access is granted. 1) If protocol , host name , port number for two interacting pages match , access is 3) If neither of the above conditions is granted with no further checks satisfied, access is denied.

  13. Domain Relaxation www.facebook.com chat.facebook.com www.facebook.com facebook.com facebook.com chat.facebook.com www.facebook.com  Origin: <scheme, host, (port), hasSetDomain>  Try document.domain = document.domain

  14. SOP Policy For Cookies: It’s Complicated 14 14 https://code.google.com/p/browsersec/wiki/Part2

  15. Script Inclusion Excluded From SOP www.example.com:  Why is this a good idea? <script src =“ http://ajax.aspnetcdn.c om/ajax/jquery.validate/1.11 .0/jquery.validate.min.js”>  Why is this a bad idea? </script> Script has privileges of imported • page, NOT source server. Can script other pages in this • origin, load more scripts Other forms of importing •

  16. SOP: More Details 16 16  Same-origin policy for DOM access  Same-origin policy for XMLHttpRequest  Same-origin policy for cookies  Same-origin policy for Flash  Same-origin policy for Java  Same-origin policy for Silverlight  Same-origin policy for Gears  Origin inheritance rules

  17. Remote Scrip iptin ing and Cross-Domain Access

  18. Site B Site A Additional Mechanisms Cross-origin network requests Site A context Site B context Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Cross-origin client side communication Client-side messaging via navigation (old browsers) postMessage (modern browsers)

  19. Cross-Domain Request 19 19  For example, suppose web content on domain http://foo.example.com wishes to invoke content on domain http://bar.other.com  Code of this sort might be used within JavaScript deployed on http://foo.example.com

  20. Cross-Domain GET Request 20 20 Firefox headers sent out as part of the request the resource can be accessed by any domain in a cross-site manner

  21. Pre-Flighting 21 21 Allows to pre-flight cross- domain requests to see if they are allowed Which methods are supported by the domain

  22. Communication

  23. Client-Side window.postMessage API 23 23  Client-side communication between principals (domains) that don’t necessarily trust each other Add a contact Share contacts

  24. Syntax of postMessage frames[0].postMessage("Attack at dawn!", "http://b.com/"); window.addEventListener("message", function (e) { if (e.origin == "http://a.com") { ... e.data ... } }, false); Attack at dawn!

  25. Why Include “ targetOrigin ”?  What goes wrong? frames[0].postMessage("Attack at dawn!");  Messages sent to frames , not principals  When would this happen? 25

  26. Summary  Http  Rendering content  Cookies  Isolation  Communication  Navigation  Security User Interface  Frames and frame busting

  27. Break… 27 27 Source : http://xkcd.com/327/

  28. Web Application Scenario 28 28 HTTP REQUEST HTTP RESPONSE client server

  29. Memory Exploits and Web App Vulnerabilities Compared 29 29  Format t str trin ing  SQL in inje jection vu vuln lnerabiliti ties  Generally, better, more restrictive APIs are enough  Generally, better, more restrictive APIs are enough  Simple static tools help  Simple static tools help  Buffer overruns  Cross-site scrip ipting  Stack-based  XSS-0, -1, -2, -3  Return-to-libc, etc.  Requires careful  Heap-based programming  Heap spraying attacks  Requires careful programming or memory-safe languages

  30. SQL Injection Attacks 30 30  Attacks a particular sit site, not (usually) a particular user  Affect applications that use untrusted input as part of an SQL query to a back-end database  Specific case of a more general problem: using untrusted input in commands

  31. SQL Injection: Example 31 31  Consider a browser form, e.g.:  When the user enters a number and clicks the button, this generates an http request like https://www.pizza.com/show_orders?month=10

  32. Example Continued … 32 32  Upon receiving the request, a Java program might produce an SQL query as follows: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND order_month= " + request.getParameter("month") ;  A normal query would look like: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

  33. Example Continued … 33 33  What if the user makes a modified http request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1  (Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)  This has the effect of setting request.getParameter (“month”) equal to the string 0 OR 1=1

  34. Example Continued 34 34  So the script generates the following SQL query: SELECT pizza, quantity, order_day FROM orders ( WHERE userid=4123 ) AND order_month=0 OR 1=1  Since AND takes precedence over OR, the above always evaluates to TRUE  The attacker gets every entry in the database!

  35. Even Worse … 35 35  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards  Attacker gets the entire credit card database as well!

  36. More Damage … 36 36  SQL queries can encode multiple commands, separated by ‘;’  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; DROP TABLE creditcards  Credit card table deleted!  DoS attack

  37. More Damage … 37 37  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; INSERT INTO admin VALUES (‘hacker’, ...)  User (with chosen password) entered as an administrator!  Database owned!

  38. May Need to be More Clever … 38 38  Consider the following script for text queries: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= ‘ " + request.getParameter (“topping") + “’”  Previous attacks will not work directly, since the commands will be quoted  But easy to deal with this…

  39. Example Continued … 39 39  Craft an http request where request.getParameter (“topping”) is set to abc ’; DROP TABLE creditcards; --  The effect is to generate the SQL query: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND toppings=‘ abc ’; DROP TABLE creditcards ; -- ’  (‘ -- ’ represents an SQL comment)

  40. Mitigation? Solutions? 40 40  Blacklisting  Whitelisting  Encoding routines  Prepared statements/bind variables  Mitigate the impact of SQL injection

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2 XSS-0 : client-side XSS-1 : reflective XSS-2 : persistent XSS Is Exceedingly Common 3 Web Hacking Incident Database (1999 -

887 views • 44 slides
CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Final Project 2 How many of you have

CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Final Project 2 How many of you have

CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Final Project 2 How many of you have your teams fully formed How many of you are still looking for a team? How many of you have a copy of A Bug Hunters Diary book? How many

537 views • 30 slides
CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web

CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web

CSE484/CSE584 MOBILE PLATFORM SECURITY Dr. Benjamin Livshits Two Main Attack Vectors Web browser Installed apps Both types of threats increasing in prevalence and sophistication source:

861 views • 31 slides
CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Homework, Labs, and Project 2 Please

CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Homework, Labs, and Project 2 Please

CSE484/CSE584 DRIVE-BY MALWARE Dr. Benjamin Livshits Homework, Labs, and Project 2 Please be ready to give HW-3 due Friday a short 2-minute pitch Lab-3 due Tuesday about your strategy We want to give you Ask more questions

792 views • 21 slides
CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of

CSE484/CSE584 SECURE DESIGN PRINCIPLES, OS, AND RUNTIME SECURITY Dr. Benjamin Livshits Some of f the Common Principles Minimize attack Secure by surface area Default Principle of Fail-Safe Least Stance Privilege Secure the

975 views • 56 slides
CSE484/CSE584 MEMORY-(UN)SAFETY Dr. Benjamin Livshits FUD About Shellshock 2 CVE-2014-6271

CSE484/CSE584 MEMORY-(UN)SAFETY Dr. Benjamin Livshits FUD About Shellshock 2 CVE-2014-6271

CSE484/CSE584 MEMORY-(UN)SAFETY Dr. Benjamin Livshits FUD About Shellshock 2 CVE-2014-6271 Announcement 3 How Systems Fail il Systems may fail for many reasons, including Reliability deals with accidental failures Usability deals

778 views • 62 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice Network Security Network Attacker Intercepts and controls network communication

907 views • 44 slides
COURSE IN INTRODUCT CTION Dr. Benjamin Livshits High-Level Course Logistics 2 https:/

COURSE IN INTRODUCT CTION Dr. Benjamin Livshits High-Level Course Logistics 2 https:/

CSE484/CSE584 COURSE IN INTRODUCT CTION Dr. Benjamin Livshits High-Level Course Logistics 2 https:/ ://courses.c .cs.washin ington.e .edu/courses/cse484/14au Course Logistics 3 Office hours: Tuesday after class Office hours: Mon

826 views • 59 slides
Mathematical foundations of Statistics were laid in the 17th century with the development of

Mathematical foundations of Statistics were laid in the 17th century with the development of

Mathematical foundations of Statistics were laid in the 17th century with the development of probability theory. By the 18th century, the term statistics referred to the collection of demographic and economic data. Nowadays,

316 views • 10 slides
1 Context The semantic gap Control-theoretical aspects Compilation aspects C code production 2

1 Context The semantic gap Control-theoretical aspects Compilation aspects C code production 2

1 Context The semantic gap Control-theoretical aspects Compilation aspects C code production 2 From real to floats Example of linear invariant system Numerical precision problems Machine representation of real numbers Alteration of constants

559 views • 30 slides
t tr rr r

t tr rr r

t tr rr r rtt t rst srss

729 views • 30 slides
Global Roundings of Sequences Benjamin Doerr July 8, 2004 Abstract For a given sequence a = (

Global Roundings of Sequences Benjamin Doerr July 8, 2004 Abstract For a given sequence a = (

Global Roundings of Sequences Benjamin Doerr July 8, 2004 Abstract For a given sequence a = ( a 1 , . . . , a n ) of numbers, a global round- ing is an integer sequence b = ( b 1 , . . . , b n ) such that the rounding error | i I ( a i

223 views • 7 slides
1. Vectors and the dot product v in R 3 is an arrow. It has a direction and a length (aka A vector

1. Vectors and the dot product v in R 3 is an arrow. It has a direction and a length (aka A vector

1. Vectors and the dot product v in R 3 is an arrow. It has a direction and a length (aka A vector the magnitude), but the position is not important. Given a coordinate axis, where the x -axis points out of the board, a little towards the left,

239 views • 6 slides
Breaking the Rules of Game Design: when to go against Autonomy, Competence, and Relatedness

Breaking the Rules of Game Design: when to go against Autonomy, Competence, and Relatedness

Breaking the Rules of Game Design: when to go against Autonomy, Competence, and Relatedness Kaitlyn Burnell Programmer, Naughty Dog (ideas for this talk developed at CCP) Spoiler Warning Glossary Autonomy Competence Relatedness Why

1.9k views • 126 slides
The Postulates What is a postulate? 1 suggest or assume the existence, fact, or truth of

The Postulates What is a postulate? 1 suggest or assume the existence, fact, or truth of

The Postulates What is a postulate? 1 suggest or assume the existence, fact, or truth of (something) as a basis for reasoning, discussion, or belief. a theory postulated by a respected scientist synonyms: suggest, advance, posit,

583 views • 25 slides
May 3: Trust and Hybrid Models Trust models Chinese Wall model Aggressive Chinese Wall

May 3: Trust and Hybrid Models Trust models Chinese Wall model Aggressive Chinese Wall

May 3: Trust and Hybrid Models Trust models Chinese Wall model Aggressive Chinese Wall model May 3, 2017 ECS 235B Spring Quarter 2017 Slide #1 Types of Trust Models Policy-based trust management Recommendation-based trust

714 views • 37 slides
Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr.

Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr.

Wireless Usage Measurement: Research Needs and Support for National Policy and Rule Making Dr. Rangam Subramanian, MBA Office of Spectrum Management Chief Technology and Spectrum Policy Strategist National Telecommunication Information

601 views • 8 slides
Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li

Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li

Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li 1 , and Milos Gligoric 1 The Coq Workshop 2020 1 The University of Texas at Austin 2 KTH Royal Institute of Technology Background: Coq is a

487 views • 24 slides
Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li

Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li

Learning to Format Coq Code Using Language Models Pengyu Nie 1 , Karl Palmskog 2 , Junyi Jessy Li 1 , and Milos Gligoric 1 The Coq Workshop 2020 1 The University of Texas at Austin 2 KTH Royal Institute of Technology Background: Coq is a

630 views • 25 slides
Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Hoare logic separation logic. We looked at the concepts separation logic is based on, the new

Introduction In the previous lecture, we saw how reasoning about pointers in Hoare logic was problematic, which motivated introducing Hoare logic separation logic. We looked at the concepts separation logic is based on, the new assertions that

396 views • 14 slides
Typed Closure Conversion for the Calculus of Constructions William J. Bowman , Amal Ahmed

Typed Closure Conversion for the Calculus of Constructions William J. Bowman , Amal Ahmed

Typed Closure Conversion for the Calculus of Constructions William J. Bowman , Amal Ahmed Typed Closure Conversion for the Calculus of Constructions Core calculus on which Coq is built Dependent types And high-assurance

1.23k views • 89 slides
Webinar agenda Welcoming Economies: Immigrants are key to Inclusive Economic Growth 1)

Webinar agenda Welcoming Economies: Immigrants are key to Inclusive Economic Growth 1)

Webinar agenda Welcoming Economies: Immigrants are key to Inclusive Economic Growth 1) Presentation by Steve Tobocman, Director, Global Detroit 2) Interview by Sarah Wayland, Project Lead, Global Hamilton at the City of Hamilton in Conversation

1.01k views • 40 slides
Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust

http://talks.edunham.net/scale15x Rust 101 E. Dunham @qedunham Intro Starting Rust from a Scripting Background Run Rust Deploy, Write, and Improve Rust Write Rust Improve Rust E. Dunham @qedunham March 5, 2017

865 views • 75 slides
Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me

Introduction to rust and its memory safety Lukas Prokop 2020-09-18 for IAIK About me Sofuware developer PhD student in post-quantum cryptography at IAIK 1 Speaker at RustGraz (twitter @RustGraz) What is rust? What is rust?

1.47k views • 82 slides

More recommend