

  1. Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca Ada Popa November 15, 2016 Contains new slides, slides from past CS 161 offerings and slides from Dan Boneh

  2. Announcements • Last core lecture, misc topics next • High-level ideas of misc topics on final • Proj 3 due Thu 17th Nov

  3. Clickjacking attacks • Exploitation where a user’s mouse click is used in a way that was not intended by the user

  4. Talk to your partner • How can a user’s click be used in a way different than intended?

  5. Simple example <a onMouseDown="window.open('http://www.evil.com')" href="http://www.google.com/">Go to Google</a> What does it do? • Opens a window to the attacker site Why include href to Google? • The browser status bar shows the href URL when hovering over the link, which users rely on as a means of protection

  6. Recall: Frames • A frame is used to embed another document within the current HTML document • Any site can frame another site • The <iframe> tag specifies an inline frame

  7. Example HTML page <iframe src="http://www.google.com/"></iframe> UI rendering: framing page (outer page) / framed page (inner page)

  8. Frames • Outer page can set frame width, height • But then, only framed site can draw in its own rectangle • Modularity – Brings together code from different sources

  9. What happens in this case? [Figure: a "Funny cats website" with JavaScript frames a page holding a secret]

  10. Frames: same-origin policy • Frame inherits origin of its URL • Same-origin policy: if frame and outer page have different origins, they cannot access each other – In particular, malicious JS on outer page cannot access resources of inner page

  11. How to bypass same-origin policy for frames? Clickjacking

  12. Clickjacking using frames Evil site frames good site Evil site covers good site by putting dialogue boxes or other elements on top of parts of framed site to create a different effect Inner site now looks different to user

  13. Compromise visual integrity – target • Hiding the target • Partial overlays [Figure: "$0.15" labels and a "Click" button]

  14. UI Subversion: Clickjacking • An attack application (script) compromises the context integrity of another application’s User Interface when the user acts on the UI • Context integrity consists of visual integrity + temporal integrity – Visual integrity: target is visible, pointer is visible – Temporal integrity: 1. Target checked 2. Initiate click 3. Target clicked; Target clicked = Target checked, Pointer clicked = Pointer checked


  16. Compromise visual integrity – pointer: cursorjacking • Can customize cursor! CSS example: #mycursor { cursor: none; width: 97px; height: 137px; background: url("images/custom-cursor.jpg") } • JavaScript can keep updating the cursor and can display a shifted cursor [Figure: fake cursor (more visible) vs. real cursor]

  17. Compromise visual integrity – pointer: cursorjacking Cursorjacking deceives a user by using a custom cursor image, where the pointer is displayed with an offset [Figure: "Download .exe" button; the fake cursor is more visible than the real one]

  18. Clickjacking to Access the User’s Webcam [Figure: fake cursor vs. real cursor]

  19. Defeating sitekeys • Some sites use/used a secret image to identify the site to the user (e.g., Bank of America) – only the good site should know the secret image – the user should check that they receive the correct image • What is it aimed to protect against? – phishing attacks (Invented by a Berkeley grad student! Not really used much now; not considered effective, mostly because users ignore these images and don’t remember what the image was for each site)

  20. How can clickjacking subvert sitekeys? • Phishing sites frame login page to get correct image to appear • Overlay input box from outer frame at the same location as the password box for the inner frame • User types password accessible to attacker now

  21. How can we defend against clickjacking? Discuss with a partner

  22. Defenses • User confirmation - Good site pops dialogue box with information on the action it is about to make and asks for user confirmation - Degrades user experience • UI randomization - good site embeds dialogues at random locations so it is hard to overlay - Difficult & unreliable (e.g. multi-click attacks)

  23. Defense 3: Framebusting Web site includes code on a page that prevents other pages from framing it

  24. What is framebusting? Framebusting code is often made up of • a conditional statement and • a counter action Common method: if (top != self) { top.location = self.location; }

  25. A Survey Framebusting is very common at the Alexa Top 500 sites [global traffic rank of a website]
      Sites     Framebusting
      Top 10    60%
      Top 100   37%
      Top 500   14%
      credit: Gustav Rydstedt

  26. Many framebusting methods – Conditional Statements
      if (top != self)
      if (top.location != self.location)
      if (top.location != location)
      if (parent.frames.length > 0)
      if (window != top)
      if (window.top !== window.self)
      if (window.self != window.top)
      if (parent && parent != window)
      if (parent && parent.frames && parent.frames.length > 0)
      if ((self.parent && !(self.parent === self)) && (self.parent.frames.length != 0))

  27. Many framebusting methods – Counter-Action Statements
      top.location = self.location
      top.location.href = document.location.href
      top.location.href = self.location.href
      top.location.replace(self.location)
      top.location.href = window.location.href
      top.location.replace(document.location)
      top.location.href = "URL"
      document.write('')
      top.location = location
      top.location.replace('URL')
      top.location.href = document.location

  28. Most current framebusting can be defeated

  29. Easy bugs Goal: bank.com wants only bank.com’s sites to frame it. Bank runs this code to protect itself: if (top.location != location) { if (document.referrer && document.referrer.indexOf("bank.com") == -1) { top.location.replace(document.location.href); } } Problem: http://badguy.com?q=bank.com (the referrer contains "bank.com" in its query string, so the substring check passes and the page is framed)
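The referrer bug on slide 29 comes down to matching a host name as a substring of the whole referrer URL. The following is an added example, not code from the lecture: it places the slide's `indexOf` check next to a check that parses the referrer and compares the hostname itself. The allowed host `bank.com` comes from the slide; the sample referrers are constructed for illustration.

```javascript
// Added example (not from the slides): substring referrer check vs. hostname check.
// Allowed host "bank.com" is taken from slide 29; sample referrers are constructed.

// Vulnerable: the slide's check. indexOf() matches "bank.com" anywhere in the
// referrer string, including inside the query string of an attacker-controlled URL.
function referrerAllowedSubstring(referrer) {
  return Boolean(referrer) && referrer.indexOf("bank.com") !== -1;
}

// Hardened: parse the referrer as a URL and compare the hostname itself.
// Only an exact match or a subdomain of the allowed host is accepted.
function referrerAllowedHostname(referrer, allowedHost = "bank.com") {
  if (!referrer) return false;             // empty referrer: fail closed
  let host;
  try {
    host = new URL(referrer).hostname.toLowerCase();
  } catch (e) {
    return false;                          // unparsable referrer: fail closed
  }
  return host === allowedHost || host.endsWith("." + allowedHost);
}

// Constructed sample referrers covering the slide's case and common look-alikes.
const SAMPLE_REFERRERS = [
  "https://bank.com/accounts",        // legitimate
  "https://www.bank.com/",            // legitimate subdomain
  "http://badguy.com?q=bank.com",     // slide 29: host name only in the query string
  "http://bank.com.badguy.com/",      // allowed host as a prefix of another host
  "http://badguybank.com/",           // allowed host as a suffix of another host
  "",                                 // no referrer at all
];

// Runs both checks over the samples so the difference is visible side by side.
function compareChecks() {
  return SAMPLE_REFERRERS.map((r) => ({
    referrer: r,
    substring: referrerAllowedSubstring(r),
    hostname: referrerAllowedHostname(r),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareChecks());
}
```

Note that the hardened version fails closed when the referrer is empty, which will also block a legitimate framer whose browser suppresses the `Referer` header; that is the trade-off of relying on the referrer at all, and one reason the deck ends with `X-Frame-Options` rather than script checks.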

  30. Abusing the XSS filter IE8 reflective XSS filters: On a browser request containing script: http://www.victim.com?var=<script> alert('xss') … </script> Server responds. Browser checks: if <script> alert('xss'); appears in the rendered page, the IE8 filter will replace it with <sc#pt> alert('xss') … </sc#pt> How can an attacker abuse this?

  31. Abusing the XSS filter Attacker figures out the framebusting code of the victim site (easy to do: just go to the victim site in the attacker’s browser and view the source code) <script> if(top.location != self.location) //framebust </script> Framing page does: <iframe src="http://www.victim.com?var=<script> if (top …"> XSS filter modifies the framebusting script to: <sc#pt> if(top.location != self.location) The XSS filter disables the legitimate framebusting code!!
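Slides 24 to 28 and 31 all turn on the same weakness: every listed framebuster only acts when its script runs, so anything that stops the script (the XSS-filter trick above, or simply disabling scripting in the frame) leaves the page rendered inside the attacker's frame. The block below is an added example, not code from the lecture; it shows the "hidden by default" variant recommended in Rydstedt et al.'s "Busting Frame Busting" paper and the OWASP clickjacking cheat sheet. The page is hidden by a style rule before any script runs, and script reveals it only when the document is top-level. The `win` and `doc` parameters and the mock page builder are this example's own assumptions so the logic can run under Node; in a real page you would pass `window` and `document`.

```javascript
// Added example (not from the slides): "hidden by default" framebuster.
// Markup to place in <head>: hides the body before any script executes. If the
// script below never runs (filtered, blocked, or sandboxed), the page stays blank
// inside the attacker's frame instead of being rendered and overlaid.
const HEAD_MARKUP =
  '<style id="antiClickjack">body { display: none !important; }</style>';

// Decision logic. `win` and `doc` are passed in (assumption for testability);
// in a real page call frameBust(window, document).
function frameBust(win, doc) {
  if (win.self === win.top) {
    // Top-level: remove the hiding rule so the page becomes visible.
    const style = doc.getElementById("antiClickjack");
    if (style) style.parentNode.removeChild(style);
    return "revealed";
  }
  // Framed: navigate the top window to this page. Until that happens the page
  // stays hidden, so there is nothing for an overlay attack to trick the user into.
  win.top.location = win.self.location;
  return "busted";
}

// Constructed mock of the relevant DOM/window surface, so the decision logic
// can be exercised offline. Not a browser API.
function makeMockPage(framed) {
  const style = { id: "antiClickjack", parentNode: null };
  const head = {
    children: [style],
    removeChild(el) { this.children = this.children.filter((c) => c !== el); },
  };
  style.parentNode = head;
  const doc = {
    getElementById: (id) =>
      id === "antiClickjack" && head.children.includes(style) ? style : null,
  };
  const self = { location: "https://victim.example/page" };
  const top = framed ? { location: "https://attacker.example/" } : self;
  return { win: { self, top }, doc, head, originalTop: top };
}

// Runs both situations and reports what happened to the page.
function demo() {
  const notFramed = makeMockPage(false);
  const framed = makeMockPage(true);
  return {
    topLevel: {
      action: frameBust(notFramed.win, notFramed.doc),
      stillHidden: notFramed.head.children.length > 0,
    },
    inFrame: {
      action: frameBust(framed.win, framed.doc),
      stillHidden: framed.head.children.length > 0,
      topNavigatedTo: framed.originalTop.location,
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(HEAD_MARKUP);
  console.log(JSON.stringify(demo(), null, 2));
}
```

This is defense in depth, not a replacement for the server-side header on slide 42: a framer can still, for example, keep the navigation from completing, but the page then remains blank rather than clickable.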

  32. Defense: Ensuring visual integrity of pointer • Remove cursor customization – Attack success: 43% -> 16%

  33. Ensuring visual integrity of pointer • Freeze screen outside of the target display area when the real pointer enters the target – Attack success: 43% -> 15% – Attack success (margin=10px): 12% – Attack success (margin=20px): 4% (baseline:5%) Margin=10px Margin=20px

  34. Ensuring visual integrity of pointer • Lightbox effect around target on pointer entry – Attack success (Freezing + lightbox): 2%

  35. How about a temporal integrity attack example?

  36. Enforcing temporal integrity • UI delay: after visual changes on target or pointer, invalidate clicks for X ms – Attack success (delay=250ms): 47% -> 2% (2/91) – Attack success (delay=500ms): 1% (1/89)

  37. Enforcing temporal integrity • Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target – Attack success: 0% (0/88)
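Slides 36 and 37 describe two browser-side rules for temporal integrity: drop clicks that arrive within X ms of a visual change to the target, and drop clicks until the pointer has left and re-entered a target that changed under it. The block below is an added example, not code from the lecture or from any browser: a small click guard for one sensitive target that implements both rules with an injected clock so the timing can be checked deterministically. The 250 ms default is the delay value measured on slide 36; the function and option names are this example's own.

```javascript
// Added example (not from the slides): click guard enforcing temporal integrity.
// - UI delay: clicks within delayMs of a visual change to the target are dropped.
// - Pointer re-entry: after a visual change, clicks are dropped until the pointer
//   has left and re-entered the target.
// `now` is injected so the sequence can be replayed with a fake clock.
function createClickGuard({ delayMs = 250, requireReentry = false, now = Date.now } = {}) {
  let lastChange = -Infinity; // time of the last visual change to the target
  let pointerInside = false;  // is the real pointer currently over the target?
  let reentered = true;       // false from a change until the pointer enters again

  return {
    targetChanged() {         // call whenever the target's appearance/position changes
      lastChange = now();
      reentered = false;
    },
    pointerEnter() {          // pointer moved from outside the target to inside it
      pointerInside = true;
      reentered = true;
    },
    pointerLeave() {
      pointerInside = false;
    },
    click() {                 // returns whether the click is delivered and why not
      if (!pointerInside) return { accepted: false, reason: "pointer-outside" };
      if (now() - lastChange < delayMs) return { accepted: false, reason: "ui-delay" };
      if (requireReentry && !reentered) return { accepted: false, reason: "pointer-reentry" };
      return { accepted: true, reason: "ok" };
    },
  };
}

// Constructed fake clock for a reproducible scenario.
function makeClock(start = 0) {
  let t = start;
  return { now: () => t, advance: (ms) => { t += ms; } };
}

// Scenario: the pointer is over a harmless control, the target is swapped under
// it (the timing attack from slide 35), and the user's click lands shortly after.
function runScenario() {
  const clock = makeClock();
  const guard = createClickGuard({ delayMs: 250, requireReentry: true, now: clock.now });
  const log = [];
  guard.pointerEnter();
  guard.targetChanged();            // target changed while the pointer was over it
  clock.advance(100);
  log.push(guard.click().reason);   // dropped: inside the 250 ms delay window
  clock.advance(200);
  log.push(guard.click().reason);   // dropped: delay elapsed, but pointer never re-entered
  guard.pointerLeave();
  guard.pointerEnter();
  log.push(guard.click().reason);   // delivered: user re-acquired the changed target
  return log;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

The two rules compose: the delay alone blocks the fast bait-and-switch, and the re-entry rule additionally covers a change that happens while the pointer is already resting on the target, which is the case a pure delay still misses once the delay has elapsed.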

  38. Other Forms of UI Sneakiness • Users might find themselves living in The Matrix …

  39. “Browser in Browser” Apparent browser is just a fully interactive image generated by JavaScript running in the real browser!

  40. Discussion • So, how do these lessons apply to desktop applications? • Compare the security model for desktop apps: – Are desktop apps safer against these attacks? – Are desktop apps riskier against these attacks?

  41. Is there any hope?

  42. Other defense: X-Frame-Options (IE8, Safari, FF3.7) • Web server attaches HTTP header to response • Two possible values: DENY and SAMEORIGIN • DENY: browser will not render page in framed context • SAMEORIGIN: browser will only render if top frame is same origin as page giving directive • Good defense … but poor adoption by sites (4 of top 10,000) • Coarse policies: no whitelisting of partner sites, which should be allowed to frame our site

  43. Summary • Clickjacking is an attack on our perception of a page based on the UI • Framebusting is tricky to get right • All currently deployed code can be defeated • Use X-Frame-Options
