web security big picture browser and network
play

Web Security! Big Picture: Browser and Network request website - PowerPoint PPT Presentation

May 12, 2023 •675 likes •1.29k views

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

  1. CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Web Security! Big Picture: Browser and Network request website Browser reply OS Network Hardware The browser renders or executes arbitrary HTML, CSS, and Javascript send by hosts on the Internet. 11/7/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Where Does the Attacker Live? request website Browser Network reply attacker Web attacker OS Network Malware attacker Hardware 11/7/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. All of These Should Be Safe • Safe to visit an evil website • Safe to visit two pages at the same time • Safe delegation 11/7/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Two Sides of Web Security • Web browser – Responsible for securely confining Web content presented by visited websites • Web applications – Online merchants, banks, blogs, Google Apps … – Mix of server-side and client-side code • Server-side code written in PHP, Ruby, ASP, JSP… runs on the Web server • Client-side code written in JavaScript… runs in the Web browser – Many potential bugs: XSS, XSRF, SQL injection 11/7/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Javascript, or, Software Security for the Web! Browser receives content, <html> displays HTML and executes scripts … <p> The script on this page is totally trustworthy <script> www.attacker.com doSomethingEvil() </script> … A potentially malicious webpage gets to </html> execute some code on user’s machine! 11/7/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. A Strawperson Attack www.attacker.com www.bank.com (e.g., balance: $500) www.attacker.com (the parent) cannot access HTML elements in the iframe (and vice versa). 11/7/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. Same-Origin Policy: DOM Only code from same origin can access HTML elements on another site (or in an iframe). www.example.com www.evil.com www.example.co www.example.co m/iframe.html m/iframe.html www.example.com (the www.evil.com (the parent) parent) can access HTML cannot access HTML elements in the iframe elements in the iframe (and vice versa). (and vice versa). 11/7/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. DOM: Document Object Model • Hierarchical interface (e.g., to Javascript) to the elements of a webpage <html> <meta> <body> <div> <img> <iframe> … 11/7/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. DOM: Document Object Model 11/7/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. Same-Origin Policy Website origin = (scheme, domain, port) [Example thanks to Wikipedia.] 11/7/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. Cross-Origin Communication? www.example.com • Websites can embed scripts, images, etc. from other origins. www.example.com • For example, on example.com… <img src=“imgur.com/cat.png”> is allowed <script src=“jquery.com/jquery.js”> is allowed 11/7/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. Cross-Origin Communication? • Websites can embed scripts, images, etc. from other origins. • But: AJAX requests (aka XMLHttpRequests) are not allowed across origins. On example.com: <script> var xhr = new XMLHttpRequest(); xhr.onreadystatechange = handleStateChange; // Elsewhere xhr.open("GET", “https://bank.com/account_info”, true); xhr.send(); </script> 11/7/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. AJAX requests • Requests made in Javascript dynamically for data (e.g., to get new emails in a webmail clients var image = get( http://www.imgur.com/cat.jpg) 11/7/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. Cross-Origin Communication? • Websites can embed scripts, images, etc. from other origins. • But: AJAX requests (aka XMLHttpRequests) are not allowed across origins. • Why not? • Browser automatically includes cookies with requests (i.e., user credentials are sent) • Caller can read returned data (clear SOP violation) 11/7/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Allowing Cross-Origin Communication • Domain relaxation – If two frames each set document.domain to the same value, then they can communicate • E.g. www.facebook.com, facebook.com, and chat.facebook.com • Must be a suffix of the actual domain • Access-Control-Allow-Origin: <list of domains> – Specifies one or more domains that may access DOM – Typical usage: Access-Control-Allow-Origin: * • HTML5 postMessage – Lets frames send messages to each other in controlled fashion – Unfortunately, many bugs in how frames check sender’s origin 11/7/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. What about Browser Plugins? • Examples: Flash, Silverlight, Java, PDF reader • Goal: enable functionality that requires transcending the browser sandbox • Increases browser’s attack surface • Good news: plugin sandboxing improving, and need for plugins decreasing (due to HTML5 and extensions) 11/7/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. What about Browser Extensions? • Most things you use today are probably extensions • Examples: AdBlock, Ghostery, Mailvelope • Goal: Extend the functionality of the browser • (Chrome:) Carefully designed security model to protect from malicious websites – Privilege separation: extensions consist of multiple components with well-defined communication – Least privilege: extensions request permissions 11/7/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. What about Browser Extensions? • But be wary of malicious extensions: not subject to the same-origin policy – can inject code into any webpage! 11/7/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Web Applications • Big trend: software as a Web-based service – Online banking, shopping, government, bill payment, tax prep, customer relationship management, etc. – Cloud computing • Applications hosted on Web servers – Written in a mixture of PHP, Ruby, Java, Perl, ASP • Security is rarely the main concern – Poorly written scripts with inadequate input validation – Sensitive data stored in world-readable files 11/7/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Dynamic Web Application GET / HTTP/1.1 Browser Web server HTTP/1.1 200 OK index.php Database server 11/7/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. http://www.owasp.org OWASP Top 10 Web Vulnerabilities 1. Injection 2. Broken Authentication & Session Management 3. Cross-Site Scripting 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards 11/7/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. Cross-Site Request Forgery (CSRF/XSRF) 11/7/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. “Confused Deputy” • The browser is deputized to act as Alice – it sends Alice’s cookies with her requests to bank.com • Attackers can cause the browser to make malicious requests to bank.com, which it will perform automatically using Alice’s cookies! 11/7/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. Cookie-Based Authentication Redux Browser Server POST/login.cgi r o t a c t i n e h u t a : e k i o o c - e t S GET… Cookie: authenticator e s n o p s e r 11/7/16 CSE 484 / CSE M 584 - Fall 2016 25

  26. Browser Sandbox Redux • Based on the same origin policy (SOP) • Active content (scripts) can send anywhere! – For example, can submit a POST request – Some ports inaccessible -- e.g., SMTP (email) • Can only read response from the same origin – … but you can do a lot with just sending! 11/7/16 CSE 484 / CSE M 584 - Fall 2016 26

  27. Cross-Site Request Forgery • Users logs into bank.com, forgets to sign off – Session cookie remains in browser state • User then visits a malicious website containing <form name=BillPayForm action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.BillPayForm.submit(); </script> • Browser sends cookie, payment request fulfilled! • Lesson: cookie authentication is not sufficient when side effects can happen 11/7/16 CSE 484 / CSE M 584 - Fall 2016 27

  28. Cookies in Forged Requests Cookie: SessionID=523FA4cd2E User credentials automatically sent by browser 11/7/16 CSE 484 / CSE M 584 - Fall 2016 28

  29. Sending a Cross-Domain POST <form <form method="POST" method="POST" action=http:// action=http://othersite.com othersite.com/action /action > ... ... </form> </form> submit post <script>document.forms <script> document.forms[0].submit()</script> [0].submit()</script> • Hidden iframe can do this in the background • User visits a malicious page, browser submits form on behalf of the user – Hijack any ongoing session (if no protection) • Netflix: change account settings, Gmail: steal contacts, Amazon: one-click purchase – Reprogram the user’s home router – Many other attacks possible 11/7/16 CSE 484 / CSE M 584 - Fall 2016 29

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits: Prof. Vitaly Shmatikov, UT-Austin. Browser and Network request website Browser reply Network OS Hardware February 12, 2002 Microsoft Issues

834 views • 62 slides
What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Certificates CS 142 Lecture Notes: Network Security Slide 1 SSL/TLS Overview Browser Server

Certificates CS 142 Lecture Notes: Network Security Slide 1 SSL/TLS Overview Browser Server

Certificates CS 142 Lecture Notes: Network Security Slide 1 SSL/TLS Overview Browser Server client-hello server-hello + {server-cert}SK CA Key exchange (several options) Random client-key-exchange: {K}PK server key K K {HTTP data}K Most

392 views • 6 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc.

Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc.

Security in My Rear-View Mirror Marcus J. Ranum works for Tenable Network Security, Inc. Trajectory Optimism We can do this! Firewalls Browser active content Cloud Malware Cloud 1989 1997 2008 IoT Current Trends Management:

605 views • 44 slides
CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim Kobeissi Defining 4.1a Browser Security Goals Also before we start: Practical Assignment 2 is now online . 2 CSCI-UA.9480: Introduction to

520 views • 28 slides
Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

810 views • 24 slides
Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

570 views • 43 slides
CIS 6930 - Cellular and Mobile Network Security: Cellular Networking Professor Patrick Traynor

CIS 6930 - Cellular and Mobile Network Security: Cellular Networking Professor Patrick Traynor

CIS 6930 - Cellular and Mobile Network Security: Cellular Networking Professor Patrick Traynor 9/18/2018 Florida Institute for Cybersecurity (FICS) Research The Big Picture Details create the big picture. -Sanford I. Weill Florida Institute

1.13k views • 40 slides
CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Web Environment Table of Contents Web

434 views • 16 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style sheets (CSS) - Images - Sounds - Movies -

1.74k views • 129 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin

Web Attacks, cont CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed &amp; Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011 Announcements Guest lecture a week from Thursday (March

777 views • 51 slides
The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La

The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La

The rd NS v Sim ulator W orkshop br ought to you by Kevin F all La wrence Berk eley National Lab oratory kfal le elblgov httpwwwnr ge elblgovkfal l AND Kannan V aradhan

935 views • 72 slides
Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction

Rule Set Based Access Control (RSBAC) Amon Ott &lt;ao@rsbac.org&gt; Contents: 1 Introduction 1.1 History 1.2 Motivation 1.3 Design Goals 1.4 Overview of RSBAC 2 Architecture and Implementation of the Framework 2.1 Subjects, Objects and

553 views • 39 slides
MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530

MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530

MMUSIC WG 47th IETF 30 March 2000 - Adelaide 30 March 2000 MMUSIC WG 1 MMUSIC Agenda 1530 Agenda Bashing &amp; Status Update (chair, 5) 1535 SAPv2 Review -06 (Perkins, 15) draft-ietf-mmusic-sap-v2-06.txt 1550 Issue: SAP Server Access

106 views • 8 slides
CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

CSE543 - Computer and Network Security Module: Web Security Professor Trent Jaeger Fall 2010 1

978 views • 41 slides
HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes

HoneySpider Network Fighting client side threats Piotr Kijewski (NASK/CERT Polska) Carol Overes (GOVCERT.NL) Rogier Spoor (SURFnet) 20th Annual FIRST Conference on Computer Security Incident Handling, June 22-27, Vancouver Goals

501 views • 36 slides
Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov

Can You Trust Your Encrypted Cloud? An Assessment of SpiderOakONEs Security Anders Dalskov Claudio Orlandi Aarhus University RWC 2018 Agenda I A Threat Model for Encrypted Cloud Storage (ECS). I A high-level look into a modern ECS service

770 views • 47 slides
Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant

Untangling the code An overview of techniques to reverse engineer malicious software Prashant Gupta Security Architect, McAfee Inc. June 3, 2013 McAfee Confidential Internal Use Only Abstract Reverse engineering and analysis of binary code

381 views • 20 slides

More recommend