forced forceful browsing
play

Forced/forceful browsing sws2 1 Forced browsing (not in book!) - PowerPoint PPT Presentation

Feb 19, 2023 •764 likes •1.16k views

Software and Web Security 2 Forced/forceful browsing sws2 1 Forced browsing (not in book!) Supplying a URL directly (forcing the URL) rather than by accessing it by following links from other pages Modify (numerical) value in known

  1. Software and Web Security 2 Forced/forceful browsing sws2 1

  2. Forced browsing (not in book!) • Supplying a URL directly (forcing the URL) rather than by accessing it by following links from other pages • Modify (numerical) value in known URL – September 2011: miljoenennota leaked before Prinsjesdag (miljoenennota.prinsjesdag2010.nl, change 2010 in 2011) – December 2012: Christmas speech queen Beatrix leaked by manipulating URL of speech in 2011 • Modify query parameters in known URL – Use brute force search sws2 2

  3. Forced browsing (not in book!) • Client ‘attack’ on server (with intention to access restricted/hidden resources) • OWASP top 10: – Failure to restrict URL access (2010) – Missing function level access control (2013) sws2 3

  4. Failure to restrict URL access • Attacker notices the URL indicates his role https://www.onlinebank.com/user/getAccounts https://www.onlinebank.com/user/getAccounts /user/getAccounts • Attacker modifies role /admin/getAccounts, or /manager/getAccounts sws2 4

  5. Defenses against forced browsing • Avoid ‘sensitive’ information in URL (GET vs POST) • Access control at server-side – Restrict access to authenticated users (if not public) by user-based or role-based permissions – Configure server to disallow requests for unauthorized file types (eg., config files, log files, source files, etc.) Movie on brute-force forceful browsing at http://www.secure-abap.de/wiki/Movies sws2 5

  6. Software and Web Security 2 More attacks on Clients: Clickjacking/UI redressing, CSRF (Section 7.2.3 on Clickjacking; Section 7.2.7 on CSRF) sws2 6

  7. Clickjacking & UI redressing sws2 7

  8. Click jacking & UI redressing • Click jacking and UI redressing – try to confuse the user into unintentionally doing something that the attacker wants (typically clicking some link but sometimes also supplying text input in fields or just moving mouse) – abuse the trust that the user has in a webpage and in his browser (ie. the implicit trust the user has in what he sees) • Some people treat click jacking and UI redressing as synonyms; others regard click jacking as a simple form of UI redressing, or as an ingredient for UI redressing • To add to the confusion, these attacks are often in combination with CSRF or XSS sws2 8

  9. Basic click-jacking Make the victim unintentionally click on some link <a onMouseUp=window.open('http://mafia.org/') href="http://www.overheid.nl">Trust me, it is safe to click here, you will simply go to overheid.nl</a> Demo: see http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_basic.html Why? • click fraud Here instead of mafia.org, the link being click jacked would be a link for an advertisement. • some unwanted side-effect of clicking the link, esp. if the user is automatically authenticated by the target website (eg. with a cookie) Here instead of mafia.org, the link being click jacked would be a link to a genuine website the attacker wants to target. sws2 9

  10. Click fraud • In online advertising, web sites that publish ads are paid for the number of click-throughs, ie. number of their visitors that click on these ads • Click fraud: attacker tries to generate lots of clicks on ads that are not from genuinely interesting visitors • Motivations for attacker 1. generating revenue for the web site hosting the ad, or 2. generating cost for a competitor who pays for these clicks (Does that really happen, or is that simply a claim by Google to make click fraud seem morally wrong?) Other forms of click fraud, apart from click jacking: • Click farms (hiring individuals to manually click ads) • Pay-to-click sites (pyramid schemes created by publishers) • Click bots (software to automate clicking) • Botnets (hijacked computers utilized by click bots) sws2 10

  11. UI (user interface) redressing (not in book!) Attacker creates a malicious web page that includes elements of a target website • typically using iframes (inline frames) A frame is a part of a web page, a sub-window in the browser window. An internal frame - iframe - allows more flexible nesting and overlapping • possibly including transparent layers, to make elements invisible – this is not needed when the attackers “steals” buttons with non - specific text from the target website, such as Demos - http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_some_button.html - http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_some_button_transparent.html - http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_radboudnet_using_UI_redressing.html sws2 11

  12. UI redressing sws2 12

  13. UI redressing sws2 13

  14. Clickjacking and UI redressing • These attacks try to abuse the trust that the user has in a web page – in what user sees in his browser • These attacks also abuse the trust that the web server has in the browsers – namely, the web server implicitly trusts all actions from the web browser are actions that the user willingly & intentionally performed sws2 14

  15. Variations of clickjacking • Likejacking and sharejacking • cookiejacking – in old versions of Internet Explorer • filejacking – unintentional uploads in Google Chrome • eventjacking • cursorjacking • classjacking • double clickjacking • content extraction • pop-up blocker bypassing • strokejacking • event recycling • svg masking • tapjacking on Android phones • ... sws2 15

  16. Countermeasures against Clickjacking & UI redressing sws2 16

  17. Frame busting A website can take countermeasures to prevent being used in frames. This is called frame busting: the website tries to bust any frames it is included in, typically using JavaScript Example JavaScript code for frame busting, using the DOM if (top!=self){ top.location.href = self.location.href } top in DOM is for the top or outer window, self is the current window. Lots of variations are possible. Some frame busting code is more robust than others. For an example, you can try the Blackboard webpage, which uses JavaScript to bust frames, eg http://www.cs.ru.nl/~erikpoll/sws2/demo/clickjack_bb_using_UI_redressing.html sws2 17

  18. X-Frame options • Introduced by Microsoft in 2008 • X-Frame-Options in HTTP response header indicate if page can be loaded as frame inside another page • Possible values – DENY never allowed – SAMEORIGIN only allowed if other page has same origin – ALLOW-FROM uri only allowed for specific URI (Only ?) • Advantage over frame busting: no JavaScript required sws2 18

  19. Browser protection against UI redressing The Firefox extension NoScript extension has a ClearClick option, that warns when clicking or typing on hidden elements sws2 19

  20. CSRF (formerly also called XSRF) sws2 20

  21. Recall: reflected (non-persistent) XSS malicious URL web server HTML containing malicious output sws2 21

  22. Recall: stored (persistent) XSS malicious input attacker storing malicious content on website data web server base HTML containing malicious output another user of the same website sws2 22

  23. XSS vs CSRF • XSS exploits the user’s trust of a specific website – user/client trusts the server • CSRF exploits the website’s trust of a specific user – server trusts the user/client XSS: HTML containing malicious output web server CSRF: user tricked into malicious request sws2 23

  24. CSRF (Cross-Site Request Forgery) A malicious website causes a visitor to unwittingly issue a HTTP request on another website, that trusts this user (eg. due to cookie) In the simplest form, this can be done with just a link, eg. <a href =“http://bank.com/transferMoney?amount=1000 &toAccount =52.12.57.762”> malicious web site naive bank.com sws2 24

  25. CSRF Ingredients • malicious link or javascript on attacker’s website • abusing automatic authentication by cookie at targeted website Attacker only has to lure victims to his site while they are logged on Requirements • the victim must have a valid cookie for the attacked website • that site must have actions which only require a single HTTP request It’s a bit like click -jacking, except that it can be more than just a link, and it does not involve UI redressing sws2 25

  26. CSRF illustrated Attacker sets trap on some website (or simply via an e-mail) Application with CSRF vulnerability Hidden <img> tag contains attack against vulnerable Communication Bus. Functions Administration site Transactions E-Commerce Knowledge Accounts Finance Mgmt While logged into vulnerable site, victim views attacker site Custom Code Vulnerable site sees legitimate request from victim <img> tag loaded by browser – sends GET and performs the request (including action requested credentials) to vulnerable site sws2 26

  27. CSRF on GET vs POST requests Action on the targeted website might need a POST or GET request. Recall: GET parameters in URL, POST parameters in body. • For action with a GET request: Easy! The attacker can even use an image tag <img..> to execute the request <img scr =“http://bank.com/transfer?amount=1000 &toAccount =52.12.57.762”> • For action with a POST request: Trickier. The attacker cannot append data in the URL. Instead, the attacker can use JavaScript on his web site to make a form which then results in a POST request to the target website. sws2 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and

Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and

Models for Models for Retrieval and Browsing Retrieval and Browsing - Structural Models and Browsing Berlin Chen 2004 Reference : 1. Modern Information Retrieval , chapter 2 Taxonomy of Classic IR Models Set Theoretic Fuzzy Extended Boolean

837 views • 29 slides
Performance Metrics for Web Browsing draft fan ippm web metrics 00 Peng Fan

Performance Metrics for Web Browsing draft fan ippm web metrics 00 Peng Fan

Performance Metrics for Web Browsing draft fan ippm web metrics 00 Peng Fan Motivation Web browsing is a basic internet service, with a large population of users and proportion of traffic Understanding web browsing

578 views • 10 slides
Models for Models for Retrieval and Browsing Retrieval and Browsing - Fuzzy Set, Extended

Models for Models for Retrieval and Browsing Retrieval and Browsing - Fuzzy Set, Extended

Models for Models for Retrieval and Browsing Retrieval and Browsing - Fuzzy Set, Extended Boolean, Generalized Vector Space Models Berlin Chen 2004 Reference: 1. Modern Information Retrieval . Chapter 2 Taxonomy of Classic IR Models Set

511 views • 30 slides
Forceful Stewardship of Climate Risk Howard Covington Raj

Forceful Stewardship of Climate Risk Howard Covington Raj

Forceful Stewardship of Climate Risk Howard Covington Raj Thamotheram LSE March 2015 1 Three QuesEons Why do investors neglect big

613 views • 29 slides
Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven

Free Technology Workshop Secure Browsing and Email Web Browsing with HTTPS Secure Email with OpenPGP Organised by Steven Gordon Room RS309 9am - 12noon Friday 27 June 2014 http://ict.siit.tu.ac.th/moodle/ Adresses Local copies of

667 views • 19 slides
What is forced labour? ILO Forced Labour Convention, 1930 (No. 29) All work or service that

What is forced labour? ILO Forced Labour Convention, 1930 (No. 29) All work or service that

What is forced labour? ILO Forced Labour Convention, 1930 (No. 29) All work or service that is exacted from any person under the menace of any penalty and for which the said person has not offered himself voluntarily Roger Plant ILO

73 views • 5 slides
Web Browsing Topics Physical Exchange of Web Web Browsing 101 Technology Information

Web Browsing Topics Physical Exchange of Web Web Browsing 101 Technology Information

10/24/2011 Web Browsing Topics Physical Exchange of Web Web Browsing 101 Technology Information Browsers Web Evolution of Applications Technology NAGTRI Webinar Series NCJRL / NAAG NAGTRI Webinar Series NCJRL / NAAG Personal

267 views • 12 slides
UCognito: Private Browsing without Tears Meng Xu, Yeongjin Yang, Xinyu Xing, Taesoo Kim, Wenke

UCognito: Private Browsing without Tears Meng Xu, Yeongjin Yang, Xinyu Xing, Taesoo Kim, Wenke

UCognito: Private Browsing without Tears Meng Xu, Yeongjin Yang, Xinyu Xing, Taesoo Kim, Wenke Lee Georgia Institute of Technology 1 Private Browsing Mode Private Browsing Incognito Mode Guest Mode InPrivate Private Window 2 Private

645 views • 46 slides
Math 211 Math 211 Lecture #34 Forced Harmonic Motion November 14, 2003 2 Forced Harmonic

Math 211 Math 211 Lecture #34 Forced Harmonic Motion November 14, 2003 2 Forced Harmonic

1 Math 211 Math 211 Lecture #34 Forced Harmonic Motion November 14, 2003 2 Forced Harmonic Motion Forced Harmonic Motion Assume an oscillatory forcing term: y + 2 cy + 2 0 y = A cos t A is the forcing amplitude is

315 views • 16 slides
Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 19, 2001 2 Forced Harmonic

Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 19, 2001 2 Forced Harmonic

1 Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 19, 2001 2 Forced Harmonic Motion Forced Harmonic Motion Assume an oscillatory forcing term: y + 2 cy + 2 0 y = A cos t A is the forcing amplitude is

498 views • 15 slides
Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 18, 2002 2 Forced Harmonic

Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 18, 2002 2 Forced Harmonic

1 Math 211 Math 211 Lecture #35 Forced Harmonic Motion November 18, 2002 2 Forced Harmonic Motion Forced Harmonic Motion Assume an oscillatory forcing term: y + 2 cy + 2 0 y = A cos t A is the forcing amplitude is

372 views • 5 slides
Math 211 Math 211 Lecture #35 Forced Harmonic Motion April 16, 2001 2 Forced Harmonic Motion

Math 211 Math 211 Lecture #35 Forced Harmonic Motion April 16, 2001 2 Forced Harmonic Motion

1 Math 211 Math 211 Lecture #35 Forced Harmonic Motion April 16, 2001 2 Forced Harmonic Motion Forced Harmonic Motion Assume an oscillatory forcing term: y + 2 cy + 2 0 y = A cos t A is the forcing amplitude is

561 views • 17 slides
Diferential Equations Forced vibrations ITI 26/03/2020 ITI Forced Vibrations Forced

Diferential Equations Forced vibrations ITI 26/03/2020 ITI Forced Vibrations Forced

Forced vibrations with damping Forced vibrations without damping Diferential Equations Forced vibrations ITI 26/03/2020 ITI Forced Vibrations Forced vibrations with damping Forced vibrations without damping Forced vibrations with damping

1.56k views • 27 slides
Agenda CPSC 533C Information Visualization Project Update Motivation: Exploratory browsing?

Agenda CPSC 533C Information Visualization Project Update Motivation: Exploratory browsing?

Agenda CPSC 533C Information Visualization Project Update Motivation: Exploratory browsing? Exploratory Browsing in The ideal infovis solution: what should it be? Music Space Related work: displaying query-based results

473 views • 6 slides
Image search through browsing using NN k networks Daniel Heesch, Marcus Pickering, Stefan Rger,

Image search through browsing using NN k networks Daniel Heesch, Marcus Pickering, Stefan Rger,

Image search through browsing using NN k networks Daniel Heesch, Marcus Pickering, Stefan Rger, Alexei Yavlinsky TRECVID 2003 Overview Image and Collection Preprocessing Search and Relevance Feedback Temporal Browsing and NN k

508 views • 36 slides
Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Introduction Cryptography in P2P Systems A P2P Web Browsing System Comparison of Implementations in C Summary Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of Computer Science University of

462 views • 21 slides
Lesson 2.2: Thinking more deeply about your search How do you go from idea to understanding?

Lesson 2.2: Thinking more deeply about your search How do you go from idea to understanding?

Lesson 2.2: Thinking more deeply about your search How do you go from idea to understanding? Key idea: Make sure you understand what youre seeing Dont skip words you dont know You can look up these new terms ... and then

399 views • 3 slides
A Linked Data Competency Framework for Educators and Learners Marcia Lei Zeng Kent State

A Linked Data Competency Framework for Educators and Learners Marcia Lei Zeng Kent State

Webinar, DCMI, ASIS&amp;T May 10, 2018 A Linked Data Competency Framework for Educators and Learners Marcia Lei Zeng Kent State University, USA On behalf of LD4PE (Linked Data for Professional Education) Project Team 2 Outline Part I.

908 views • 45 slides
CSE 6240 Web Search and Text Mining Spring 2020 Instructor: Prof. Srijan Kumar Teaching

CSE 6240 Web Search and Text Mining Spring 2020 Instructor: Prof. Srijan Kumar Teaching

CSE 6240 Web Search and Text Mining Spring 2020 Instructor: Prof. Srijan Kumar Teaching Assistants: Roshan Pati, Arindum Roy 1 Srijan Kumar, Georgia Tech, CSE6240 Spring 2020: Web Search and Text Mining Web is a platform for everyone 2

731 views • 33 slides
Agency Technology Training University From Chubb PowerPoint 2010 How to Advance Slides

Agency Technology Training University From Chubb PowerPoint 2010 How to Advance Slides

Agency Technology Training University From Chubb PowerPoint 2010 How to Advance Slides Automatically Did You Know? D id you know that you can create a self-running presentation, or one that your do not need to advance via a mouse click?

157 views • 4 slides
On the Effectiveness of Risk Prediction Based on Users Browsing Behavior Davide Canali* *, ,

On the Effectiveness of Risk Prediction Based on Users Browsing Behavior Davide Canali* *, ,

On the Effectiveness of Risk Prediction Based on Users Browsing Behavior Davide Canali* *, , Leyla Bilge Leyla Bilge, , Davide Balzarotti Davide Balzarotti Davide Canali EURECOM Software and System Security Group, France EURECOM Software

493 views • 24 slides
Your Secrets Are Safe : How Browsers Explanations Impact Misconceptions About Private Browsing

Your Secrets Are Safe : How Browsers Explanations Impact Misconceptions About Private Browsing

Your Secrets Are Safe : How Browsers Explanations Impact Misconceptions About Private Browsing Mode Yuxi Wu, Panya Gupta, Miranda Wei, Yasemin Acar, Sascha Fahl, Blase Ur https://FancyWines.com 2 Yuxi Wu, Miranda Wei | Your Secrets Are

851 views • 51 slides
Browser as Renderer W3C Paris, 2013 Adam Hyde Book Sprint Facilitator, Platform Designer

Browser as Renderer W3C Paris, 2013 Adam Hyde Book Sprint Facilitator, Platform Designer

Browser as Renderer W3C Paris, 2013 Adam Hyde Book Sprint Facilitator, Platform Designer www.adamhyde.net www.adamhyde.net Browser as Renderer www.adamhyde.net Browser as Renderer Book Sprints, zero to book in 3-5 days

225 views • 9 slides
The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex

The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex

The Multi-Principal OS Construction of the Gazelle Web Browser Helen J. Wang, Chris Grier, Alex Moshchuk, Sam King, Piali Choudhury, Herman Venter Browser as an application platform Single stop for many computing needs banking,

850 views • 30 slides

More recommend