web security
play

Web Security CS 161: Computer Security Prof. Raluca Ada Popa March - PowerPoint PPT Presentation

Oct 05, 2023 •313 likes •790 views

Web Security CS 161: Computer Security Prof. Raluca Ada Popa March 15, 2018 Some content adapted from materials by David Wagner or Dan Boneh What is the Web? A platform for deploying applications and sharing information, portably and securely

  1. Web Security CS 161: Computer Security Prof. Raluca Ada Popa March 15, 2018 Some content adapted from materials by David Wagner or Dan Boneh

  2. What is the Web? A platform for deploying applications and sharing information, portably and securely web server client browser

  3. HTTP (Hypertext Transfer Protocol) A common data communication protocol on the web CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: SAFEBAN Alice GET /account.html HTTP/1.1 K Smith Host: www.safebank.com Account s Bill Pay Mail Transfe rs HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . . . </HTML>

  4. URLs Global identifiers of network-retrievable resources Example: http://safebank.com:81/account?id=10#statement Protoc Hostname Query ol Fragment Port Path

  5. HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: SAFEBAN Alice GET /account.html HTTP/1.1 K Smith Host: www.safebank.com Account s Bill Pay Mail Transfe rs HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . . . </HTML>

  6. HTTP Request Method Path HTTP version GET: no Headers side effect GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, POST: image/jpeg, */* Accept-Language: en possible Connection: Keep-Alive User-Agent: Chrome/21.0.1180.75 (Macintosh; side effect Intel Mac OS X 10_7_4) Host: www.safebank.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET

  7. HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: SAFEBAN Alice GET /account.html HTTP/1.1 K Smith Host: www.safebank.com Account s Bill Pay Mail Transfe rs HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . . . </HTML>

  8. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 12 Aug 2012 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Data Content-Type: text/html Last-Modified: Thu, 9 Aug 2012 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> This is web content formatted using html </HTML> Can be a webpage

  9. Web page HTML web page CSS Javascript

  10. HTML A language to create structured documents One can embed images, objects, or create interactive forms index.html <html> <body> <div> foo <a href="http://google.com">Go to Google!</a> </div> <form> <input type="text” /> <input type=”radio” /> <input type=”checkbox” /> </form> </body> </html>

  11. CSS (Cascading Style Sheets) Style sheet language used for describing the presentation of a document index.css p.serif { font-family: "Times New Roman", Times, serif; } p.sansserif { font-family: Arial, Helvetica, sans-serif; }

  12. Javascript Programming language used to manipulate web pages. It is a high-level, untyped and interpreted language with support for objects. Supported by all web browsers <script> function myFunction() { document.getElementById("demo").innerHTML = ”Text changed."; } </script> Very powerful!

  13. HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: SAFEBAN Alice GET /account.html HTTP/1.1 K Smith Host: www.safebank.com Account s Bill Pay Mail Transfe rs HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . . . </HTML> webpage

  14. Page rendering HTML HTML Parser DOM CSS CSS Parser page modifications to the DOM Javascript JS Engine Painter bitmap

  15. DOM (Document Object Model) a cross-platform model for representing and interacting with objects in HTML HTML <html> DOM Tree <body> <div> |-> Document foo |-> Element (<html>) </div> |-> Element (<body>) <form> |-> Element (<div>) <input type="text” /> |-> text node <input type=”radio” /> |-> Form <input type=”checkbox” /> |-> Text-box </form> |-> Radio Button </body> |-> Check Box </html>

  16. Web & HTTP 101 CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: SAFEBAN Alice GET /account.html HTTP/1.1 K Smith Host: www.safebank.com Account s Bill Pay Mail Transfe rs HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . . . </HTML>

  17. The power of Javascript Get familiarized with it so that you can think of all the attacks one can do with it

  18. What can you do with Javascript? Almost anything you want to the DOM ! A JS script embedded on a page can modify in almost arbitrary ways the DOM of the page. The same happens if an attacker manages to get you load a script into your page. w3schools.com has nice interactive tutorials: https://www.w3schools.com/w3css/tryit.asp

  19. Example of what Javascript can do… Can change HTML content: <p id="demo">JavaScript can change HTML content.</p> <button type="button" onclick="document.getElementById('demo').innerHTML = 'Hello JavaScript!'"> Click Me!</button> DEMO from w3schools.com

  20. Other examples Can change images Can chance style of elements Can hide elements Can unhide elements Can change cursor

  21. Other example: can access cookies Will learn later that cookies are useful for authentication. JS can read cookie: var x = document.cookie; Change cookie with JS: document.cookie = "username=John Smith; expires=Thu, 18 Dec 2013 12:00:00 UTC; path=/";

  22. Frames

  23. Frames • Enable embedding a page within a page <iframe src=" URL "></iframe> src = google.com/… name = awglogin outer page inner page

  24. Frames src = 7.gmodules.com/... name = remote_iframe_7 • Modularity – Brings together content from multiple sources – Client-side aggregation • Delegation – Frame can draw only on its own rectangle Slide from Dan Boneh

  25. Frames • Outer page can specify only sizing and placement of the frame in the outer page • demo • Frame isolation: Our page cannot change contents of inner page, inner page cannot change contents of outer page

  26. Web security

  27. A historical perspective • The web is an example of “bolt-on security” • Originally, the web was invented to allow physicists to share their research papers – Only textual web pages + links to other pages; no security model to speak of

  28. The web became complex and adversarial quickly • Then we added embedded images – Crucial decision: a page can embed images loaded from another web server • Then, Javascript, dynamic HTML, AJAX, CSS, frames, audio, video, … • Today, a web site is a distributed application • Attackers have various motivations Web security is a challenge!

  29. Desirable security goals • Integrity: malicious web sites should not be able to tamper with integrity of my computer or my information on other web sites • Confidentiality: malicious web sites should not be able to learn confidential information from my computer or other web sites • Privacy: malicious web sites should not be able to spy on me or my activities online • Availability : attacker cannot make site unavailable

  30. Security on the web • Risk #1: we don’t want a malicious site to be able to trash my files/programs on my computer – Browsing to awesomevids.com (or evil.com ) should not infect my computer with malware, read or write files on my computer, etc.

  31. Security on the web • Risk #1: we don’t want a malicious site to be able to trash my files/programs on my computer – Browsing to awesomevids.com (or evil.com ) should not infect my computer with malware, read or write files on my computer, etc. • Defense: Javascript is sandboxed; try to avoid security bugs in browser code; privilege separation; automatic updates; etc.

  32. Security on the web • Risk #2: we don’t want a malicious site to be able to spy on or tamper with my information or interactions with other websites – Browsing to evil.com should not let evil.com spy on my emails in Gmail or buy stuff with my Amazon account

  33. Security on the web • Risk #2: we don’t want a malicious site to be able to spy on or tamper with my information or interactions with other websites – Browsing to evil.com should not let evil.com spy on my emails in Gmail or buy stuff with my Amazon account • Defense: the same-origin policy – A security policy grafted on after-the-fact, and enforced by web browsers

  34. Security on the web • Risk #3: we want data stored on a web server to be protected from unauthorized access

  35. Security on the web • Risk #3: we want data stored on a web server to be protected from unauthorized access • Defense: server-side security

  36. Same-origin policy

  37. Same-origin policy • Each site in the browser is isolated from all others browser: security barrier wikipedia.org mozilla.org

  38. Same-origin policy • Multiple pages from the same site are not isolated browser: No security wikipedia.org barrier wikipedia.org

  39. Origin • Granularity of protection for same origin policy • Origin = protocol + hostname + port http://coolsite.com:81/tools/info.html protocol port hostname • It is string matching ! If these match, it is same origin, else it is not. Even though in some cases, it is logically the same origin, if there is no match, it is not

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Security Security as term, Possible Security violations Authentication Criteria for

Security Security as term, Possible Security violations Authentication Criteria for

BS1 WS19/20 topic-based slides Security Security as term, Possible Security violations Authentication Criteria for Trust in Computer Systems Three hearts of Windows Security DACLs A Look at Security System is secure if

988 views • 20 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security

Biometrics and Security Biometrics and Security Biometrics and Security Biometrics and Security WS 06/07 Seminar Prof. Dr.-Ing. Jana Dittmann &amp; Dr.-Ing. Claus Vielhauer with support from Tobias Scheidat

419 views • 16 slides
1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

1 X.800 Security Services X.800 Security Services X.800 Security Services Data integrity

Course Overview Course Requirements EECS 498-7/8 Cryptography and Network Security: www.citi.umich.edu/u/honey/security Principles and Practice (Third Edition) Computer Security Monday &amp; Friday, 9:00 10:30 William Stallings

670 views • 19 slides
A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security

A (re)introduction to Spring Security Agenda Before Spring Security: Acegi security Introducing Spring Security View layer security Whats coming in Spring Security 3 E-mail: craig@habuma.com Blog: http://www.springloaded.info

452 views • 19 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CSCE Intro to Computer Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies Security

472 views • 20 slides
SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY

SECURITY TESTING Towards a safer web world AGENDA 1. 3 WS OF SECURITY TESTING 2. SECURITY TESTING CONCEPTS 3. SECURITY TESTING TYPES 4. TOP 10 SECURITY RISKS Few Security Breaches Date: 2013-14 September 2016, while in negotiations to

404 views • 18 slides
Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in

Security Security with Distributed Systems Why Security? The need for security mechanisms in distributed systems arises from the desire to share resources Resources must be protected against unauthorized access, as enemies (attackers)

1.16k views • 67 slides
Security Overview Security Goals The Attack Space Security Mechanisms

Security Overview Security Goals The Attack Space Security Mechanisms

CPSC 410/611 Operating Systems Security Security Overview Security Goals The Attack Space Security Mechanisms Introduction to Cryptography Authentication Authorization Confidentiality Case Studies

419 views • 19 slides
International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International

International and Global Security 1 Peer Discussion What is security? 2 International Security What is security? Freedom from threats to core values? Contestation over referent object: Individual? State? System? How is security achieved?

715 views • 11 slides
Security 101 Definition of Information Security Information security is the protection of

Security 101 Definition of Information Security Information security is the protection of

Computing Services Information Security Office Security 101 Definition of Information Security Information security is the protection of information and systems from unauthorized access, disclosure, modification, destruction or disruption. The

469 views • 22 slides
Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety

Security Update Security Plans Our Security plans are For Official Use Only, Safety Sensitive Information Not for public or media release F.S. 119.071. Required by law, rule and regulation: Homeland Security Directive 5 and 8.

393 views • 11 slides
Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the

Com puter Security Part One Security as a subject Security is an old problem in the computing world, and are parallel to even older problems outside computing Required level of security is always related to what you protect

237 views • 23 slides
Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn

ITS335 Intro. to Security Concepts Threats, Attacks, Assets Introduction to Security Comm. Security Strategy Summary ITS335: IT Security Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 2

965 views • 34 slides
Education Savings Account Information for School Administrators 1 AG AGENDA 1. Program

Education Savings Account Information for School Administrators 1 AG AGENDA 1. Program

Education Savings Account Information for School Administrators 1 AG AGENDA 1. Program Overview parent steps &amp; requirements funding amounts, timeline 2. Students with multiple program awards 3. Schools new to ESA 4. MyPortal

356 views • 13 slides
Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization

Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization

Heat-ray: Combating Identity Snowball Attacks Using Machine Learning, Combinatorial Optimization and Attack Graphs John Dunagan, Alice Zheng Microsoft Research Dan Simon Microsoft 1 Outline Problem Define identity snowball attack

374 views • 24 slides
How to Create an OLLI Student Account &amp; Pay Your

How to Create an OLLI Student Account &amp; Pay Your

How to Create an OLLI Student Account &amp; Pay Your No Charge Membership Fee Go to: www.USM.maine.edu/OLLI and click on registraJon

306 views • 16 slides
Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai

Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai

Optimizer Benchmarking Needs to Account for Hyperparameter Tuning Prabhu Teja S * 1, 2 Florian Mai * 1, 2 Thijs Vogels 2 Martin Jaggi 2 Franois Fleuret 1, 2 1 Idiap Research Institute, 2 EPFL, Switzerland * Equal Contribution prabhu.teja,

282 views • 15 slides
The Path to Toll Interoperability Report from the IBTTA Interoperability (IOP) Committee The

The Path to Toll Interoperability Report from the IBTTA Interoperability (IOP) Committee The

The Path to Toll Interoperability Report from the IBTTA Interoperability (IOP) Committee The Path to Toll Interoperability Report from the IBTTA Interoperability (IOP) Committee Martin Stone, Ph.D., AICP, Committee Chairman Martin Stone

740 views • 43 slides
Shoppy Medium-Fi Prototyping James L, Yolanda W, Hao W Value Prop, Problem, Solution -Value

Shoppy Medium-Fi Prototyping James L, Yolanda W, Hao W Value Prop, Problem, Solution -Value

Shoppy Medium-Fi Prototyping James L, Yolanda W, Hao W Value Prop, Problem, Solution -Value Prop: Fewer Choices, Better Products -Problem: The amount of time conventional shopping takes -Solution: A virtual shopping assistant to streamline

304 views • 13 slides
IVR Security:- Internal A3acks Via Phone Line Who

IVR Security:- Internal A3acks Via Phone Line Who

IVR Security:- Internal A3acks Via Phone Line Who am I ? Rahul Sasi Security Researcher @ iSIGHT Partners . Member Garage4Hackers.

891 views • 33 slides
15 Key Details Every Tax and Accounting Firm Should Know About SaaS How To Put SaaS (Cloud

15 Key Details Every Tax and Accounting Firm Should Know About SaaS How To Put SaaS (Cloud

15 Key Details Every Tax and Accounting Firm Should Know About SaaS How To Put SaaS (Cloud Computing) To Work In Your Firm Todays Speakers Greg LaFollette, Host and Moderator, CPA.CITP Matt Jagst, Product ManagerThomson Reuters

418 views • 16 slides

More recommend