modern web security
play

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS - PowerPoint PPT Presentation

Nov 02, 2023 •234 likes •619 views

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

  1. MODERN 
 WEB SECURITY GRAD SEC SEP 21 2017

  2. TODAY’S PAPERS

  3. Misleading users • Browser assumes that clicks and keystrokes = clear indication of what the user wants to do • Constitutes part of the user’s trusted path • Attacker can meddle with integrity of this relationship in all sorts of ways

  4. Misleading users • Browser assumes that clicks and keystrokes = clear indication of what the user wants to do • Constitutes part of the user’s trusted path • Attacker can meddle with integrity of this relationship in all sorts of ways • Recall the power of Javascript Alter page contents (dynamically) • Track events (mouse clicks, motion, keystrokes) • • Read/set cookies • Issue web requests, read replies

  5. Using JS to Steal Facebook Likes Claim Bait and switch User tries to claim their free iPad, but 
 you want them to click your Like button (Many of these attacks are similar to TOCTTOU vulnerabilities)

  6. Using JS to Steal Facebook Likes Claim User intent Bait and switch User tries to claim their free iPad, but 
 you want them to click your Like button (Many of these attacks are similar to TOCTTOU vulnerabilities)

  7. Using JS to Steal Facebook Likes Claim Actual outcome User intent Bait and switch User tries to claim their free iPad, but 
 you want them to click your Like button (Many of these attacks are similar to TOCTTOU vulnerabilities)

  8. Clickjacking When one principal tricks the user into 
 interacting with UI elements of another principal An attack application (script) compromises the context integrity 
 of another application’s User Interface when the user acts on the UI

  9. Clickjacking When one principal tricks the user into 
 interacting with UI elements of another principal An attack application (script) compromises the context integrity 
 of another application’s User Interface when the user acts on the UI 1. Visual context : what a user should see right befor the sensitive action. Ensuring this = the sensitive Context UI element and the cursor are both visible Integrity 2. Temporal context : the timing of a user action. Ensuring this = the user action at a particular time is what 
 the user intended

  10. Compromising visual integrity of the target • Hide the target element • CSS lets you set the opacity of an element to zero (clear)

  11. Compromising visual integrity of the target • Partially overlay the target • Hide the target element • CSS lets you set the opacity • Or crop the parts you don’t want to show of an element to zero (clear) To: Bad guy Pay From: Victim Amount: $1000

  12. Compromising visual integrity of the target • Partially overlay the target • Hide the target element • CSS lets you set the opacity • Or crop the parts you don’t want to show of an element to zero (clear) To: Bad guy To: Charity Pay From: Victim From: Nice person Amount: $1000 Amount: $10

  13. Compromising visual integrity of the pointer Claim Actual cursor • Manipulating cursor feedback

  14. Compromising visual integrity of the pointer Claim Displayed cursor Actual cursor • Manipulating cursor feedback

  15. Compromising visual integrity of the pointer Claim Displayed cursor Actual cursor • Manipulating cursor feedback

  16. Clickjacking to access a user’s webcam

  17. Some clickjacking defenses • Require confirmation for actions • Annoys users • Frame-busting : Website ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame • So user can’t be looking at it with something invisible overlaid on top… • …nor have the site invisible above something else

  18. The attacker implements this by placing Twitter’s page in a “Frame” inside their own page, otherwise they wouldn’t overlap

  19. Some clickjacking defenses • Require confirmation for actions • Annoys users • Frame-busting : Website ensures that its “vulnerable” pages can’t be included as a frame inside another browser frame • So user can’t be looking at it with something invisible overlaid on top… • …nor have the site invisible above something else • Conceptually implemented with Javascript like 
 if(top.location != self.location) 
 top.location = self.location; 
 (actually, it’s quite tricky to get this right) • Current research considers more general approaches

  20. InContext Defense (recent research) • A set of techniques to ensure context integrity for user actions • Servers opt-in • Let the websites indicate their sensitive UIs • Let browsers enforce context integrity when users act on the sensitive UIs

  21. Ensuring visual integrity of pointer • Remove cursor customization • Attack success: 43% -> 16%

  22. Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry • Attack success (freezing + lightbox): 2%

  23. Enforcing temporal integrity • UI delay: after visual changes on target or pointer, invalidate clicks for a few milliseconds • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target

  24. Other forms of UI sneakiness • Along with stealing events, attackers can use the power of Javascript customization and dynamic changes to mess with the user’s mind • For example, the user may not be paying attention, so you can swap tabs on them • Or they may find themselves “eclipsed”

  25. Browser in browser

  26. WHAT IS UNTRUSTWORTHY HERE?

  28. WHAT IS UNTRUSTWORTHY HERE?

  32. CLICKJACKING: EXPERIMENTS • Mechanical Turks • $0.25 per participant to “follow the on-screen instructions and complete an interactive task.” • Simulated attacks, simulated defenses • 3251 participants • Note: You must control for sloppy participation • Excluded 370 repeat-participants

  33. CLICKJACKING: EXPERIMENTS • Control group 1 • “Skip ad” button • No attack to trick the user • Purpose: To determine the click rate we would hope a defense could achieve in countering an attack • 38% didn’t skip the ad • Control group 2 • “Allow” button to skip ad • Purpose: An attempt to persuade users to grant access without tricking them • 8% allowed (statistically indistinguishable from group 1)

  34. CLICKJACKING: EXPERIMENTS

  35. CLICKJACKING: EXPERIMENTS

  36. CLICKJACKING: EXPERIMENTS

  37. CLICKJACKING: EXPERIMENTS

  38. YOUR THOUGHTS: CLICKJACKING • I liked the very thorough and systematic approach this paper took to defining and sub-classifying clickjacking attacks. • Shortcomings: • it requires websites to identify sensitive elements • does not defend against attacks where visibility and temporality are maintained • Much of their approach in defending against clickjacking seems like overkill • Evaluation with Mechanical Turks • most fascinating portion of the paper… [MT] seems perfect for recruiting many users to participate in a lightweight study • touched nicely on the overlap between technical and user problems in security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security

Cyber Security A Modern Tale of a Dissonant Relationship BTB Security and me BTB Security Founded in 2006 Technical security services, MDR Me Ron Schlecht German word for BAD Ron.Schlecht@btbsecurity.com

432 views • 8 slides
MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise

MODERN 1 MODERN 2 MODERN 3 MODERN 4 MODERN A peep at some distant orb has power to raise and purify our thoughts like a strain picture, or a passage from the grander poets. It always does one good. 5 MODERN 6 MODERN 7 MODERN 8

524 views • 24 slides
Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security

Security in modern CPU Guillaume Bouffard ( guillaume.bouffard@ssi.gouv.fr ) Hardware Security Labs National Cybersecurity Agency of France (ANSSI) DIENS, ENS, CNRS, PSL University Workshop SILM 21 November 2019 Who am I? Me Expert in

1.18k views • 80 slides
Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology

Modern Web Security Patterns Chad Hollman Analyst, County of Sacramento Department of Technology Current Issues of Web Development Security Subresource Integrity Checking Content Security Policies HTTP Public Key Pinning Certificate

1.05k views • 61 slides
Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy

Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy

Building a Modern Security Engineering Team zane@signalsciences.com @zanelackey Who is this guy anyway? Built and led the Etsy Security Team Spoiler alert: what this presentation is about Co-founded Signal Sciences This talk is

814 views • 70 slides
Modern Game Console Exploitation Eric DeBusschere, Mike McCambridge March 26, 2012 Console

Modern Game Console Exploitation Eric DeBusschere, Mike McCambridge March 26, 2012 Console

Modern Game Console Exploitation Eric DeBusschere, Mike McCambridge March 26, 2012 Console Security Overview Most modern consoles acheive complete software security by only running signed code, encrypting memory, and utilizing firmware updates

588 views • 37 slides
An Introduction to Modern Security Market Pricing of Interest Rate Derivatives Models Term-

An Introduction to Modern Security Market Pricing of Interest Rate Derivatives Models Term-

An Introduction to Modern Pricing of Interest Rate Derivatives School of Education, Culture and Communication Division of Applied Mathematics Introduction Interest Rates An Introduction to Modern Security Market Pricing of Interest Rate

1.11k views • 88 slides
Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019

Security on the Line: Modern Curve-based Cryptography Joost Renes SCA Workshop 18 June 2019 Modern curve-based cryptography Modern curve-based cryptography 1 / 11 Modern curve-based cryptography Internet of Things Size & speed

1.39k views • 97 slides
Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher

Demystifying Modern Windows Rootkits Bill Demirkapi Independent Security Researcher Demystifying Modern Windows Rootkits Black Hat USA 2020 1 Who Am I? 18 years old Sophomore at the Rochester Institute of Technology Windows

847 views • 73 slides
Modern PHP security sec4dev 2020, Vienna 27th February 2020 Synacktiv Thomas Chauchefoin &

Modern PHP security sec4dev 2020, Vienna 27th February 2020 Synacktiv Thomas Chauchefoin &

Modern PHP security sec4dev 2020, Vienna 27th February 2020 Synacktiv Thomas Chauchefoin & Lena David Summary 1 Introduction 2 Modern vulnerabilities Engine bugs 3 Hardening 4 Conclusion 5 Who are we? Lena (@_lemeda) and Thomas

1.55k views • 120 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 14ss 1 Outline Cryptography

780 views • 54 slides
iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr

iLab Modern cryptography for communications security Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 15ws 1 / 72 Outline Cryptography

903 views • 88 slides
Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October

Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets October 22, 2016 October 22, 2016 Deeg & Klostermeier | Hacktivity 2016 1 Who am I? Dipl.-Inf. Matthias Deeg Expert IT Security Consultant CISSP, CISA, OSCP, OSCE

1.09k views • 81 slides
Modern Digital Security John Dmytrasz - Senior Network Administrator Mike Ali - Network

Modern Digital Security John Dmytrasz - Senior Network Administrator Mike Ali - Network

Modern Digital Security John Dmytrasz - Senior Network Administrator Mike Ali - Network Administrator What are the threats facing you in your digital life? The biggest threat to computer security is you and your employees Social

571 views • 23 slides
iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de

iLab Modern cryptography for communications security a fast rush Benjamin Hof hof@in.tum.de Lehrstuhl fr Netzarchitekturen und Netzdienste Fakultt fr Informatik Technische Universitt Mnchen Cryptography 16ss 1 / 38 Outline

504 views • 46 slides
Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography

Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography

Related textbooks Main reference: Security II: Cryptography Jonathan Katz, Yehuda Lindell: Introduction to Modern Cryptography Chapman & Hall/CRC, 2nd ed., 2014 Further reading: Markus Kuhn Christof Paar, Jan Pelzl: Understanding

794 views • 27 slides
Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission

Outline More web risks Confidentiality and privacy CSci 5271 Announcements intermission Introduction to Computer Security Web/crypto/middleboxes combined slides More crypto protocols More causes of crypto failure Stephen McCamant

440 views • 10 slides
Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help

Session #2 Landing Page Mastery and Conversion Rate Optimization Todays Training Will Help You Tr Training Overview 1. Why Conversion Rate Optimization (CRO) / Landing Pages Matter 2. 6 Costly Conversion Mistakes Agencies Make 3. 7

1.02k views • 57 slides
Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these

Using JS to Steal Facebook Likes Claim your FREE iPad Bait-and-switch Note: many of these attacks are similar to TOCTTOU (Time of Check to Time of Use) vulnerabilities From Clickjacking: Attacks and Defenses , by Lin-Shung Huang et al,

376 views • 14 slides
SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted

SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted

SharePoint Security Advanced SharePoint Security Tips and Tools 05 Oct 2010 Presen sented ted by: Francis Brown Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W Brief f Intro o to o SharePoint ePoint Overview of

490 views • 45 slides
Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This

Cache-timing attacks http://cr.yp.to/papers.html #cachetiming , 2005: D. J. Bernstein This paper reports successful Thanks to: extraction of a complete AES key University of Illinois at Chicago from a network server NSF CCR9983950 on

1.28k views • 91 slides
Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in

Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in

Ethical Considerations Cameron Kidd First social network site SixDegrees.com launched in 1997 Friendster, the first fairly successful SNS with around 300,000 users, but was plagued by technical issues among other things MySpace was

116 views • 10 slides
How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms

How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms

How to turn your website into a Kick-Ass, Customer-Winning Marketing Machine! The 3 Ms Market Message Media (In this order) The 3 Ws Who are you? What do you do? Whats in it for me? What is SEO?

441 views • 30 slides
THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first

THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first

THE DIGITAL REVOLUTION AND BEYOND THE DIGITAL REVOLUTION AND BEYOND Apple Computer: The first computer with a Graphical User Interface (GUI) Apple Computer: The first computer with a Graphical User Interface (GUI) Macintosh 128k,1984 Apple

957 views • 47 slides

More recommend