the problem s with the browser
play

The Problem(s) with the Browser Collin Jackson - PowerPoint PPT Presentation

Jun 09, 2023 •29 likes •509 views

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications Remote code? Are you crazy?? Integrity Compromise

  1. The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu

  2. Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications

  3. Remote code? Are you crazy?? • Integrity – Compromise your machine – Install a malware rootkit – Buy stuff with your credit card • Confidentiality – Steal passwords – Read your email

  4. Browser Sandbox • Goal – Run remote web applications safely – Limit access to OS, network, and browser data • Approach – Isolate sites in different security contexts – Browser manages resources, like an OS

  5. What the Sandbox Can't Stop Clickjacking Cross-Site Scripting (XSS) Network Attacks (Firesheep, etc.) Cross-Site Request Forgery (CSRF)

  6. WEB BUILDING BLOCKS 6

  7. Safe to Type My Password? • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  8. URLs Global identifiers of network-retrievable documents • Example: • http:// sv.cmu.edu :81/class?name=browsersec #homework Protocol Fragment Hostname Path Port Query

  9. HTTP Request Method File HTTP version Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET GET : no side effect POST : possible side effect

  10. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Data Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>

  11. Network Primitives • Navigation <a href="http://www.a.com">Click here</a> ● • Import ● <script src="prototype.js"></script> ● <link rel="stylesheet" href="base.css"> • Export ● <form action="login.cgi"> ● postMessage('hello world', '*'); ● XMLHttpRequest

  12. Same-Origin Access • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level Origin = Scheme, host, port Full DOM access 12

  13. Cross-Origin Access • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level http://www.google.com != http://petscaravan.com Navigation, import, export only

  14. Domain Relaxation www.facebook.com chat.facebook.com www.facebook.com facebook.com facebook.com chat.facebook.com www.facebook.com Origin: scheme, host, (port), hasSetDomain • Try document.domain = document.domain •

  15. Site B Site A Newer forms of Import/Export Cross-origin network requests Site A context Site B context Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Cross-origin client side communication Client-side messaging via navigation (older browsers) postMessage (newer browsers)

  16. SESSION MANAGEMENT 16

  17. URL-based Session Management • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  18. Limitations of URL-based Session Management • Shoulder surfing • Screenshots • HTML Sharing • Printing • Referrer leaking • Accidental sharing • Cache • Bookmark theft

  19. Alternatives • HTTP Authentication • HTTPS Mutual Authentication • Cookies – Expiration – Wildcard sharing – Logout – Recovery – Minimizing server state

  20. Cookies • Used to store state on user’s machine POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; If expires=NULL: this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

  21. Cookie-based Session Management Browser Web Server POST login.cgi Username & pwd Set-cookie: auth=val GET restricted.html Cookie: auth=val If YES, restricted.html

  22. Cookie Security Policy • Uses: – User authentication – Personalization – User tracking: e.g. Doubleclick (3rd party cookies) • Browser will store: – At most 20 cookies/site, 3 KB / cookie • Origin is the tuple <domain, path> – Can set cookies valid across a domain suffix

  23. History • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  24. httpOnly Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; httpOnly • Cookie sent over HTTP(s), but not accessible to scripts • cannot be read via document.cookie • Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs

  25. SESSION INTEGRITY

  26. Threat Models • Web Attacker – https://www.attacker.com – Free user visit • Sibling Domain Attacker – attacker.appspot.com • Network Attacker – Eavesdrop (Firesheep) – Corrupt network traffic – Present fake certificates

  27. Cross-Site Request Forgery

  28. Login CSRF

  29. Payments Login CSRF

  30. Payments Login CSRF

  31. Payments Login CSRF

  32. Payments Login CSRF

  33. Another login CSRF problem

  34. Common CSRF Defense • Secret Validation Token <input type=hidden value=23a3af01b> • Referer Validation Referer: http://www.facebook.com/home.php • Custom HTTP Header X-Requested-By: XMLHttpRequest

  35. What have we lost? • Shoulder surfing • Screenshots • HTML Sharing • Printing • Referrer leaking • Accidental sharing • Cache • Bookmark theft

  36. Alternatives • Referer Validation / Origin Validation Referer: http://www.facebook.com/home.php • Custom HTTP Header X-Requested-By: XMLHttpRequest

  37. Cross-Subdomain Overwriting Click to edit Master text styles • – Second level Shopping cart • modification Third level – Fourth level • Login CSRF • – Fifth level Session fixation •

  38. Network Attacker • Eavesdrop or corrupt network traffic – Wireless networks – ISP – Pharming • Defense: HTTPS – Protects passwords – Use “Secure” cookies to protect session

  39. Secure Cookie Overwriting • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  40. Secure Cookie Overwriting • Click to edit Master text styles – Second level – Third level Hidden • Fourth level http://mail.google.com – Fifth level iframe

  41. SSL Rebinding • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  42. SSL Rebinding • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  43. Is there any hope?

  44. What we want Unforgeability + Integrity + Persistence = Session integrity

  45. Suggestion Courtesy of Adam Barth, Andrew Bortz, and Alexei Czeskis • Existing browsers: Custom HTTP Header X-Session-T oken: 62DV2f323t23 – Use LocalStorage for integrity • Future browsers: Send it automatically Cake: 62DV2f323t23 – Doesn't solve confused deputy problems – Still need CSRF defenses

  46. Strict Transport Security Collaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla), VeriSig – HTTPS is rarely used securely SSL stripping – Mixed content – Certificate error override – – Help browsers identify high-security servers – Reduces burden on user – Extensible – Backwards compatible

  47. Browserscope.org • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  48. Thanks! http://websec.sv.cmu.edu/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem behind CSS How what font type and size does &lt;h1&gt;Introduction&lt;/h1&gt; generate? Answer: Some default from the browser (HTML tells what browser how

517 views • 19 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many &lt;script&gt; tags with hidden ordering dependencies Very

362 views • 15 slides
Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does Standard Tor is easy to block GetTor helps you get Tor Browser GetTor helps you get Tor Browser Tor Browser ships with default

567 views • 24 slides
THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North Dan North &amp; Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the built in browser create an Intent and start the Activity 2 WebView A View that display web pages basis for creating your own web browser OR

1.28k views • 54 slides
GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard girard.d@sfeir.com Sfeir CTO Member of OSSGTP Before starting, some questions Who knows javascript ? Who is a javascript expert ? Who knows java ?

1.57k views • 93 slides
Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc. Beginnings A new browser... a new opportunity A modern platform for web applications Objective: An Invisible Browser Deliver a transparent experience:

557 views • 9 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp;

Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp;

Oculus Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp; Browser VR Apps Have Long Engagement Times How? Did they do something special? Uncomfortable Yet Still Compelling Content High

362 views • 6 slides
If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides in the browser look way better): https://switowski.github.io/functional-css-talk/ 1 1 Maintainable CSS with visual regression testing and

850 views • 37 slides
Download for PC The most accessible web browser available. Download Step 1:

Download for PC The most accessible web browser available. Download Step 1:

Download for PC The most accessible web browser available. Download Step 1: https://www.google.com/intl/en/chrome/browser/ Step 2: Accept Terms of Service Download Step 3: Double Click on Download Step 4: Run Installation Download Select

496 views • 14 slides
How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan

How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan

How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs MRG Effitas 2017 November Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool Idea later(?)

711 views • 55 slides
Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June 2010 Jason Milletary Topics What is a Man-in-the-Browser Attack? How are they used? How can I identify and mitigate when they are

207 views • 18 slides
L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2:

L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2:

L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2: Browser/HTML/Accessibility Browser Overview Semantic HTML Accessibility for the Web Web Accessibility Initiative (WAI) Learning Goals

513 views • 34 slides
Browser testing via Selenium What is Selenium? Browser framework - automating user-level

Browser testing via Selenium What is Selenium? Browser framework - automating user-level

Browser testing via Selenium What is Selenium? Browser framework - automating user-level testing Has a method for saving scripts - but its not very good Good for testing behaviour that cant be tested any other way - e.g.

743 views • 9 slides
Quality Control - part 1 Crowdsourcing and Human Computation Instructor: Chris Callison-Burch

Quality Control - part 1 Crowdsourcing and Human Computation Instructor: Chris Callison-Burch

Quality Control - part 1 Crowdsourcing and Human Computation Instructor: Chris Callison-Burch Website: crowdsourcing-class.org Classification System for Human Computation Motivation Quality Control Aggregation Human Skill

944 views • 58 slides
Pleiotropic focused anticancer approach of dihydropyridines, dihydropyrimidines and heteroaromatic

Pleiotropic focused anticancer approach of dihydropyridines, dihydropyrimidines and heteroaromatic

Pleiotropic focused anticancer approach of dihydropyridines, dihydropyrimidines and heteroaromatic compounds G. Duburs,* B. Vigante, E. Bisenieks, A. Krauze, A. Plotniece,A. Sobolev I. Domracheva, R. Smits, K. Pajuste Latvian Institute of

231 views • 21 slides
Conservative surgery in early-stage cervical cancer Dr Marie Plante Gynecologic Oncologist Full

Conservative surgery in early-stage cervical cancer Dr Marie Plante Gynecologic Oncologist Full

Gynecologic Cancer InterGroup Cervix Cancer Research Network Conservative surgery in early-stage cervical cancer Dr Marie Plante Gynecologic Oncologist Full Professor LHtel -Dieu de Qubec Universit Laval, Canada Cervix Cancer

620 views • 42 slides
Network-based stratification of tumor mutations Matan Hofree Goal Tumor stratification: to

Network-based stratification of tumor mutations Matan Hofree Goal Tumor stratification: to

Network-based stratification of tumor mutations Matan Hofree Goal Tumor stratification: to divide a heterogeneous population into clinically and biologically meaningful subtypes based on molecular profiles Previous attempts

368 views • 15 slides
Genome Visualization with Circos INTRODUCTION TO CIRCOS MARTIN KRZYWINSKI Michael Smith Genome

Genome Visualization with Circos INTRODUCTION TO CIRCOS MARTIN KRZYWINSKI Michael Smith Genome

Genome Visualization with Circos INTRODUCTION TO CIRCOS MARTIN KRZYWINSKI Michael Smith Genome Sciences Center BC Cancer Research Center Vancouver, Canada EMBO PRACTICAL COURSE: BIOINFORMATICS AND COMPARATIVE GENOME ANALYSES Stazione

598 views • 40 slides
Phylogenetics: Recovering Evolutionary History COMP 571 - Spring 2015 Luay Nakhleh, Rice

Phylogenetics: Recovering Evolutionary History COMP 571 - Spring 2015 Luay Nakhleh, Rice

Phylogenetics: Recovering Evolutionary History COMP 571 - Spring 2015 Luay Nakhleh, Rice University The Structure and Interpretation of Phylogenetic Trees unrooted, binary species tree rooted, binary species tree speciation (direction of

494 views • 28 slides
behaviour: What we can learn from mans best friend Juliane Friedrich Pam Wiener Marie

behaviour: What we can learn from mans best friend Juliane Friedrich Pam Wiener Marie

Assessing the genetic contribution to behaviour: What we can learn from mans best friend Juliane Friedrich Pam Wiener Marie Haskell Domestication of the dog: a long -term selection experiment Belyaevs Farm fox experiment:

252 views • 22 slides
loops continued and coding efficiently Genome 559: Introduction to Statistical and Computational

loops continued and coding efficiently Genome 559: Introduction to Statistical and Computational

loops continued and coding efficiently Genome 559: Introduction to Statistical and Computational Genomics Prof. James H. Thomas Review Increment operator x += y # adds the value of y to the value of x x *= y # multiplies x by y x

552 views • 20 slides

More recommend