Web Security: Background CS 161: Computer Security Prof. Vern Paxson - PowerPoint PPT Presentation


  1. Web Security: Background CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate Wang http://inst.eecs.berkeley.edu/~cs161 / January 31, 2017

  2. What is the Web?
     A platform for deploying applications and sharing information, portably and securely (?)
     [Figure: client browser talking to a web server]

  3. HTTP (Hypertext Transfer Protocol)
     A common data communication protocol on the web.
     [Figure: client browser loads safebank.com/account.html from the web server; the rendered page shows Alice Smith with Accounts, Bill Pay, Mail and Transfers]
     HTTP REQUEST:
       GET /account.html HTTP/1.1
       Host: www.safebank.com
     HTTP RESPONSE:
       HTTP/1.0 200 OK
       <HTML> . . . </HTML>

  4. URLs
     Global identifiers of network-retrievable resources
     Example: http://safebank.com:81/account?id=10#statement
       Protocol: http | Hostname: safebank.com | Port: 81 | Path: /account | Query: id=10 | Fragment: statement

  5. HTTP
     [Figure: the client browser / web server request-response diagram from slide 3, shown again]

  6. HTTP Request
     Method, Path and HTTP version on the first line, then headers, then a blank line, then data (none for GET).
       GET /index.html HTTP/1.1
       Accept: image/gif, image/x-bitmap, image/jpeg, */*
       Accept-Language: en
       Connection: Keep-Alive
       User-Agent: Chrome/21.0.1180.75 (Macintosh; Intel Mac OS X 10_7_4)
       Host: www.safebank.com
       Referer: http://www.google.com?q=dingbats
       (blank line)
     GET: no side effect (supposedly). POST: possible side effect, includes additional data.

  7. HTTP
     [Figure: the client browser / web server request-response diagram from slide 3, shown again]

  8. HTTP Response
     HTTP version, status code and reason phrase on the first line, then headers, then a blank line, then data.
       HTTP/1.0 200 OK
       Date: Sun, 12 Aug 2012 02:20:42 GMT
       Server: Microsoft-Internet-Information-Server/5.0
       Connection: keep-alive
       Content-Type: text/html
       Last-Modified: Thu, 9 Aug 2012 17:39:05 GMT
       Set-Cookie: session=44ebc991
       Content-Length: 2543
       (blank line)
       <HTML> This is web content formatted using html </HTML>
     "Cookie": state data that the server asks the client to store and return in the future (discussed later).
     The data can be a webpage, image, audio, executable ...
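The framing shown on slides 6 and 8 (start line, headers, blank line, data) is the same for requests and responses. The parser below is an added example, not code from the lecture; the sample response is the slide 8 response typed in by hand with a Content-Length that matches its short body.

```javascript
// Added example (not from the lecture): parse a raw HTTP request or response.
function parseHttpMessage(raw) {
  // Headers end at the first blank line; accept CRLF or bare LF line endings.
  const sep = raw.includes("\r\n\r\n") ? "\r\n\r\n" : "\n\n";
  const idx = raw.indexOf(sep);
  if (idx === -1) throw new Error("no blank line after the headers");
  const [first, ...headerLines] = raw.slice(0, idx).split(/\r?\n/);
  let body = raw.slice(idx + sep.length);
  // Request: Method Path Version.  Response: Version Status Reason-phrase.
  const m = /^(\S+)\s+(\S+)\s*(.*)$/.exec(first);
  if (!m) throw new Error(`bad start line: ${first}`);
  const headers = {}; // lower-cased name -> list of values (Set-Cookie may repeat)
  for (const line of headerLines) {
    const colon = line.indexOf(":");
    if (colon === -1) throw new Error(`malformed header line: ${line}`);
    const name = line.slice(0, colon).trim().toLowerCase();
    if (!headers[name]) headers[name] = [];
    headers[name].push(line.slice(colon + 1).trim());
  }
  // Content-Length bounds the body; anything past it belongs to the next message.
  if (headers["content-length"]) {
    const n = Number(headers["content-length"][0]);
    if (!Number.isInteger(n) || n < 0) throw new Error("bad Content-Length");
    body = body.slice(0, n);
  }
  return { startLine: [m[1], m[2], m[3]], headers, body };
}

// Break a Set-Cookie value into name, value and attributes (slides 8 and 20).
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const a of attrs) {
    const i = a.indexOf("=");
    if (i === -1) cookie.attributes[a.toLowerCase()] = true; // flag attribute, e.g. Secure
    else cookie.attributes[a.slice(0, i).toLowerCase()] = a.slice(i + 1);
  }
  return cookie;
}

// Constructed sample: the slide 8 response; Content-Length 55 matches this
// short body (the slide's 2543 was the length of the full page).
const SAMPLE_RESPONSE =
  "HTTP/1.0 200 OK\r\nDate: Sun, 12 Aug 2012 02:20:42 GMT\r\n" +
  "Server: Microsoft-Internet-Information-Server/5.0\r\nConnection: keep-alive\r\n" +
  "Content-Type: text/html\r\nLast-Modified: Thu, 9 Aug 2012 17:39:05 GMT\r\n" +
  "Set-Cookie: session=44ebc991\r\nContent-Length: 55\r\n\r\n" +
  "<HTML> This is web content formatted using html </HTML>";
```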

  9. Web page
     [Figure: a web page is built from HTML, CSS and Javascript]

  10. HTML
     A language to create structured documents. One can embed images, objects, or create interactive forms.
     index.html:
       <html>
         <body>
           <div>
             foo
             <a href="http://google.com">Go to Google!</a>
           </div>
           <form>
             <input type="text" />
             <input type="radio" />
             <input type="checkbox" />
           </form>
         </body>
       </html>

  11. CSS (Cascading Style Sheets)
     Language used for describing the presentation of a document.
     index.css:
       p.serif { font-family: "Times New Roman", Times, serif; }
       p.sansserif { font-family: Arial, Helvetica, sans-serif; }

  12. Javascript
     Programming language used to manipulate web pages. It is a high-level, untyped and interpreted language with support for objects. Supported by all web browsers.
       <script>
         function myFunction() {
           document.getElementById("demo").innerHTML = "Text changed.";
         }
       </script>
     Very powerful!

  13. HTTP
     [Figure: the request-response diagram from slide 3 again; the response HTTP/1.1 200 OK <HTML> . . . </HTML> delivers the webpage]

  14. Page rendering
     HTML -> HTML Parser -> DOM
     CSS -> CSS Parser
     Javascript -> JS Engine -> modifications to the DOM
     DOM + CSS -> Painter -> page bitmap

  15. DOM (Document Object Model)
     Cross-platform model for representing and interacting with objects in HTML.
     HTML:
       <html>
         <body>
           <div>
             foo
           </div>
           <form>
             <input type="text" />
             <input type="radio" />
             <input type="checkbox" />
           </form>
         </body>
       </html>
     DOM Tree:
       Document
       |-> Element (<html>)
           |-> Element (<body>)
               |-> Element (<div>)
               |   |-> text node
               |-> Form
                   |-> Text-box
                   |-> Radio Button
                   |-> Check Box

  16. The power of Javascript Get familiarized with it so that you can think of all the attacks one can do with it.

  17. What can you do with Javascript? Almost anything you want to the DOM! A JS script embedded on a page can modify the DOM of the page in almost arbitrary ways. The same happens if an attacker manages to get you to load a script into your page. w3schools.com has nice interactive tutorials.

  18. Example of what Javascript can do … Can change HTML content:
       <p id="demo">JavaScript can change HTML content.</p>
       <button type="button" onclick="document.getElementById('demo').innerHTML = 'Hello JavaScript!'">Click Me!</button>
     DEMO from http://www.w3schools.com/js/js_examples.asp

  19. Other examples: Can change images. Can change style of elements. Can hide elements. Can unhide elements. Can change cursor.

  20. Another example: can access cookies
     Read cookie with JS:
       var x = document.cookie;
     Change cookie with JS:
       document.cookie = "username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";

  21. Frames

  22. Frames
     • Enable embedding a page within a page: <iframe src="URL"></iframe>
     [Figure: an outer page containing an inner page with src = google.com/… and name = awglogin]

  23. Frames
     [Figure: an inner frame with src = 7.gmodules.com/... and name = remote_iframe_7]
     • Modularity
       – Brings together content from multiple sources
       – Client-side aggregation
     • Delegation
       – Frame can draw only inside its own rectangle

  24. Frames
     • Outer page can specify only sizing and placement of the frame in the outer page
     • Frame isolation: Outer page cannot change contents of inner page; inner page cannot change contents of outer page

  25. Thinking About Web Security

  26. Desirable security goals
     • Integrity: malicious web sites should not be able to tamper with the integrity of our computers or our information on other web sites
     • Confidentiality: malicious web sites should not be able to learn confidential information from our computers or other web sites
     • Privacy: malicious web sites should not be able to spy on us or our online activities
     • Availability: malicious parties should not be able to keep us from accessing our web resources

  27. 5 Minute Break Questions Before We Proceed?

  28. Security on the web
     • Risk #1: we don't want a malicious site to be able to trash files/programs on our computers
       – Browsing to awesomevids.com (or evil.com) should not infect our computers with malware, read or write files on our computers, etc.

  29. Security on the web
     • Risk #1: we don't want a malicious site to be able to trash files/programs on our computers
       – Browsing to awesomevids.com (or evil.com) should not infect our computers with malware, read or write files on our computers, etc.
     • Defenses: Javascript is sandboxed; try to avoid security bugs in browser code; privilege separation; automatic updates.

  30. Security on the web
     • Risk #2: we don't want a malicious site to be able to spy on or tamper with our information or interactions with other websites
       – Browsing to evil.com should not let evil.com spy on our emails in Gmail or buy stuff with our Amazon accounts

  31. Security on the web
     • Risk #2: we don't want a malicious site to be able to spy on or tamper with our information or interactions with other websites
       – Browsing to evil.com should not let evil.com spy on our emails in Gmail or buy stuff with our Amazon accounts
     • Defense: the same-origin policy
       – A security policy grafted on after-the-fact, and enforced by web browsers

  32. Security on the web • Risk #3: we want data stored on a web server to be protected from unauthorized access

  33. Security on the web
     • Risk #3: we want data stored on a web server to be protected from unauthorized access
     • Defense: server-side security

  34. Same-origin policy

  35. Same-origin policy
     • Each site in the browser is isolated from all others
     [Figure: browser with a security barrier between wikipedia.org and bankofamerica.com]

  36. Same-origin policy
     • Multiple pages from the same site are not isolated
     [Figure: browser with two wikipedia.org pages and no security barrier between them]

  37. Origin
     • Granularity of protection for the same-origin policy
     • Origin = protocol + hostname + port
       http://coolsite.com:81/tools/info.html   (protocol: http, hostname: coolsite.com, port: 81)
     • Determined using string matching! If these match, it is the same origin; else it is not. Even though in some cases it is logically the same origin, if there is no string match, it is not.
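To make the string-matching rule of slide 37 concrete, the added example below (not code from the lecture) splits a URL into the six parts named on slide 4 and compares two URLs by the origin tuple alone. It assumes, as browsers do, that a URL with no explicit port uses the scheme's default port; the regular expression and helper names are the example's own.

```javascript
// Added example (not from the lecture): URL components (slide 4) and the
// origin tuple compared by exact string match (slide 37).
const URL_RE = /^([a-z][a-z0-9+.-]*):\/\/([^/:?#]+)(?::(\d+))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?$/i;
// Assumption: a URL with no explicit port uses the scheme default, as browsers do.
const DEFAULT_PORTS = { http: "80", https: "443" };

function parseUrl(url) {
  const m = URL_RE.exec(url);
  if (!m) throw new Error(`not an absolute URL: ${url}`);
  const protocol = m[1].toLowerCase();
  return {
    protocol,
    hostname: m[2].toLowerCase(),            // scheme and host are case-insensitive
    port: m[3] !== undefined ? m[3] : DEFAULT_PORTS[protocol] || "",
    path: m[4] || "/",
    query: m[5] !== undefined ? m[5] : null,
    fragment: m[6] !== undefined ? m[6] : null,
  };
}

// Origin = protocol + hostname + port; path, query and fragment play no part.
function origin(url) {
  const u = parseUrl(url);
  return `${u.protocol}://${u.hostname}:${u.port}`;
}

// Same origin is a plain string comparison of the tuple: no "logically the
// same site" reasoning, so www.coolsite.com and coolsite.com differ.
function sameOrigin(a, b) {
  return origin(a) === origin(b);
}
```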
