Web Security. Course: EPL 682 Name: Savvas Savva
|
|
- Amelia White
- 5 years ago
- Views:
Transcription
1 Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, [2] L. Huang and A. Moshchuk and H. Wang, Clickjacking: Attacks and Defenses, pub. in USENIX Security Symposium, 2012.
2 Robust Defenses for Cross- Site Request Forgery Course: EPL 682 Name: Savvas Savva This presentation is based on: [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, 2008.
3 CSRF Attack CSRF = Cross-Site Request Forgery: The victim's browser, instructed by a malicious site, sent a request to an honest site. This attack: Leveraging Network Connectivity. Leveraging Browser state. Disrupts integrity of the victim session with a honest site. In login CSRF attack, an attacker uses the victim s browser to forge a cross-site request to the honest site s login URL, supplying the attacker s username and password.
4 Contribution / Contents Paper Contribution about the topic: A good explanation of the CSRF threat model. A study of current browser behavior. A proposal for an Origin header containing the information necessary for CSRF defense. A study of related session initialization vulnerabilities.
5 CSRF Definition Network Connectivity. Read Browser State. Write Browser State. In-Scope Threats Forum Poster. Web Attacker. Network Attacker.
6 Attack A: Login CSRF Attack
7 Another CSRF Attack Detailed
8 Defending Techniques Using a secret request Token: Validating using this secret token. Fraught with pitfalls. A Popular technique. Validating the HTTP Referer Header Simple technique. Referer header can be suppressed. Validating Custom Headers attached to XMLHttpRequests Ajax interface. Requires sites to valid all state-modifying requests.
9 Experiment Design Build Advertising networks and make it available from 5 April 2008 to 8 April advertisement impressions from unique IP address. GET and POST requests both over HTTP and HTTPS. Requests are generated by submitting forms, requesting images, and issuing XMLHttpRequests. Same-domain requests to the primary server and cross-domain requests to the secondary server. Log Referer header, User-Agent header, date, client s class C network, session identifier, document.referer. Did not log the client s IP address, instead logged the HMAC of client s IP address.
10 img Tag with malicious URL
11 img tag with malicious URL <script> document.write(unescape("%3cscript src='" + (document.location.protocol == " " : " + ".scorecardresearch.com/beacon.js' %3E%3C/script%3E")); </script> <noscript> <img src=" /> </noscript>
12 Execute malicious form using Http/Https POST Method
13 Experiment Results
14 Experiment Results The Referer header is suppressed more often for HTTP requests than for HTTPS requests. Browsers that suppress the Referer header also suppress the document.referrer value. But when Referer is suppressed in the network, the document.referrer value is not suppressed.
15 Experiment Results The document.referrer value being suppressed: PlayStation 3 browser does not support Opera suppresses for cross-site HTTPS request Bug in Firefox 1.0 and 1.5
16 Experiment Conclusions CSRF Defense over HTTPS HTTP: percentage (3-11%) of users HTTPS: percentage ( %) of users Site must reject requests that omit the Referer header Privacy Matters Must address privacy concerns in order to effective in large-scale deployments
17 Proposed Solution Origin Header: Privacy Includes only the information required to identify the principal that initiated the request. Sent only for POST requests. Server Behavior All state-modifying requests, including login requests, must be sent using the POST method. Server must reject any requests whose Origin header contains an undesired value.
18 Proposed Solution Origin Header: Security Analysis Rollback and Suppression, DNS Rebinding,Plug-ins Adoption Improves and unifies four other proposals and has been adopted by several working groups Implementation Browser side: WebKit, Safari, Firefox Server side: ModSecurity, Apache
19 What exactly is Origin header Improves and unifies previous proposals: Cross-Site XMLHttpRequest: The proposed standard for cross-site XMLHttpRequest included a Access-Control-Origin header to identify the origin issuing the request. XDomainRequest: The XDomainRequest API in Internet Explorer 8 Beta 1 sends cross-site HTTP requests that omit the path and query from the Referer header.
20 What exactly is Origin header Improves and unifies previous proposals: JSONRequest: The JSONRequest API for crosssite HTTP requests included a Domain header that identifies the host name of the requester. Cross-Document Messaging: The HTML 5 specification proposes a new browser API for authenticated client-side communication between HTML documents
21 To clear misleading Http Referer Header not equal to the proposed Origin Header. The Origin header is became HTML5 feature.
22 Malicious XMLHttpRequest
23 Session Initialization Authenticated as User Predictable session identifier Authenticated as Attacker Login CSRF Two common approaches to mounting an attack on session initialization HTTP Requests and Cookie Overwriting
24 HTTP Requests OpenID: 1. Web attacker visits the Relying Party (Blogger) and beings the authentication process with the Identity Provider (Yahoo!) 2. Identity Provider redirects the attacker s browser to the return to URL of the Relying Party 3. Attacker directs the user s browser to the return to URL 4. The Relying Party completes the OpenID protocol and stores a session cookie in the user s browser 5. The user is now logged in as the attacker
25 HTTP Requests PHP Cookieless Authentication: 1. The web attacker logs into the honest web site. 2. The web attacker redirects the user s browser to the URL currently displayed in the attacker s location bar. 3. Because this URL contains the attacker s session identifier, the user is now logged in as the attacker.
26 Cookie Overwriting An active network attacker can supply a Set-Cookie header over a HTTP connection to the same host name as the site and install either a Secure or a non-secure cookie of the same name Defense cannot be deployed without breaking standards and existing web apps Cookie-Integrity header
27 Related Work RequestRodeo Strips implicit authorization information from outgoing cross-site HTTP requests Breaks existing web site functionality CAPTCHA Attacker can manually solve CAPTCHAs Attacker can address captchas to be solved online from captcha solvers.
28 Conclusions Login CSRF Strict Referer validation Third-party Content Images, hyperlinks should use a framework that implements secret token validation correctly Origin header Eliminating the privacy concerns HTTPS and non-https requests both work
29 Thanks For Watching! Any Questions?
30 Clickjacking: Attacks and Defenses Course: EPL 682 Name: Savvas Savva This presentation is based on: [2] L. Huang and A. Moshchuk and H. Wang, Clickjacking: Attacks and Defenses, pub. in USENIX Security Symposium, 2012.
31 Introduction Defining clickjacking The user is tricked to click on something he didn t intend to click on. Existing defenses are insufficient This is proven in this paper with three new attack variants from existing clickjacking techniques. Clickjacking attacks can cause severe damages. Better results and more effective than Social engineering. New defense to address root causes The paper user study demonstrates its effectiveness.
32 What is Clickjacking? Simple definition: The user is tricked to click on something he didn t intend to click on. An attacker application presents a sensitive UI Element of a target application out of context to a user (e.g. hiding sensitive UI ELement by make it transparent ect). Some examples: Likejacking Sharejacking (Transparently overlaying on top of a safe UI element)
33 Defining clickjacking Formally Prerequisite: multiple mutually distrusting applications sharing the same display. An attack application compromises context integrity of another application s UI when the user acts on the UI.
34 Hiding the target Element - Likejacking Example C B Temporal integrity, for some noticeable amount of time transform to facebook page like button A Claim Your Free ipad Pro Cursorjacking is not Performed. Could be done Using CSS cursor property. Also, can perform strokejacking attack for fake blink in keyboard typing cursor and fake text input. The same appears in twitter tweet button to create the TweetBomb attack. Video link :
35 Compromise visual integrity target Hiding the target as previously shown. Use opacity 0 in css or attribute hidden. Partial overlays For example in the older trusted paypal checkout iframe. Cropping Crop elements in other visa checkout payments or the old paypal iframe and leave only a pay button.
36 Existing defenses to protect visual integrity User confirmation Degrades user experience. UI randomization Unreliable (e.g. multi-click attacks). Framebusting (X-Frame-Options) Incompatible with embedding 3rd-party objects.
37 Existing defenses to protect visual integrity Opaque overlay policy (Gazelle browser) Breaks legitimate sites. Visibility detection on click (NoScript) False positives.
38 Protecting temporal integrity Imposing a delay after displaying UI Annoying to user. None of current defenses consider pointer (Photo from Lifehacker)
39 Proposed Clickjacking Attack 1. Accessing user s webcam 2. Stealing user s 3. Revealing user s identity
40 Evaluating attacks 2064 Amazon Mechanical Turk web users Cost was 25 cents per user. Users can only participate once, and only for one Treatment. The user study on Amazon Mechanical Turk shows that people fall for these attacks with success rate 43% to 98%.
41 Accessing User s Webcam - Cursor Spoofing Attack Attack technique: cursor-spoofing Attack success: 43% (31/72)
42 Stealing User s s Double Click Attack Attack technique: pop-up window Attack success: 47% (43/90)
43 Revealing User s Identity - LikeJacking Attack Compromise web surfing anonymity. Whack-a-mole game. Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)
44 InContext Defense Design Goals: Should support embedding 3rd-party objects. Should not prompt users for their actions. Should not break existing sites. Should be resilient to new attack vectors.
45 InContext Defense
46 Proposed InContext Defense InContext let websites mark their sensitive ui elements and then lets the browsers enforce the context integrity of user actions on the sensitive UI Elements. A set of techniques to ensure context integrity for user actions. Server opt-in approach: Let websites indicate their sensitive UIs. Let browsers enforce context integrity when users act on the sensitive UIs.
47 Ensuring visual integrity of target Dynamic OS-level screenshot comparison processing delay on click < 30ms (prototype on IE 9)
48 Ensuring visual integrity of pointer Remove cursor customization Attack success: 43% -> 16% Freeze screen around target on pointer entry Attack success: 43% -> 15% Attack success (margin=10px): 12% Attack success (margin=20px): 4% (baseline:5%) (GOOD) Lightbox effect around target on pointer entry Attack success (Freezing + lightbox): 2%
49 Accessing User s Webcam Attack Attack technique: cursor-spoofing Attack success: 43% (31/72)
50 Enforcing temporal integrity UI delay: after visual changes on target or pointer, invalidate clicks for some ms Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target
51
52 Enforcing temporal integrity UI delay: after visual changes on target or pointer, invalidate clicks for some ms Attack success (delay=250ms): 47% -> 2% (2/91) Attack success (delay=500ms): 1% (1/89) Pointer re-entry: after visual changes on target, invalidate clicks until pointer re-enters target Attack success: 0% (0/88)
53 Stealing User s s Double Click Attack Attack technique: pop-up window Attack success: 47% (43/90)
54 Whack-a-mole attack Exclude victims who were moving their pointer around the Like button for many seconds, and deliberating whether or not to click. Defense against clickjacking aspects: Screen freezing, margin=20px: 98% -> 16% Screen freezing, margin=20px, pointer entry delay=500ms: 4% Screen freezing, margin=20px, pointer entry delay=1000ms: 1% Social Engineering: 63% users intentionally clicked on Like button after the proposed defenses made them fully aware of this.
55 Revealing User s Identity Attack Attack technique: cursor-spoofing + fast-paced clicking Attack success: 98% (83/84)
56 Conclusion This paper demonstrates new clickjacking variants that can evade current defenses. The paper user studies show that our attacks are highly effective (success rates 43% to 98%). In the paper the InContext defense can be very effective against clickjacking.
57 Thanks For Watching! Any Questions?
Robust Defenses for Cross-Site Request Forgery
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login
More informationRobust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationWeb Security: 1) UI-based attacks 2) Tracking on the web
Web Security: 1) UI-based attacks 2) Tracking on the web CS 161: Computer Security Prof. Raluca Ada Popa November 15, 2016 Contains new slides, slides from past CS 161 offerings and slides from Dan Boneh
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWeb Security: Authentication & UI-based attacks
Web Security: Authentication & UI-based attacks CS 161: Computer Security Prof. Raluca Ada Popa April 12, 2016 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof.
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates
More informationOWASP AppSec Research The OWASP Foundation New Insights into Clickjacking
New Insights into Clickjacking Marco `embyte` Balduzzi iseclab @ EURECOM embyte@iseclab.org AppSec Research 2010 Joint work with Egele, Kirda, Balzarotti and Kruegel Copyright The Foundation Permission
More informationImproving Web Security:
Finding and fixing vulnerabilities in web security mechanisms Devdatta Akhawe, Adam Barth, Peifung E. Lam, John C. Mitchell and Dawn Song Stanford Computer Security Lab Improving Web Security: Introduction
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationCS 361S. Clickjacking. Vitaly Shmatikov
CS 361S Clickjacking Vitaly Shmatikov Reading Assignment Next Generation Clickjacking Clickjacking: Attacks and Defenses slide 2 Clickjacking (UI Redressing) [Hansen and Grossman 2008] Attacker overlays
More informationGUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.
Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationIMPROVING CROSS-SITE REQUEST PRIVACY AND SECURITY: CLIENT-SIDE CROSS-SITE REQUEST WHITELISTS JUSTIN CLAYTON SAMUEL
IMPROVING CROSS-SITE REQUEST PRIVACY AND SECURITY: CLIENT-SIDE CROSS-SITE REQUEST WHITELISTS By JUSTIN CLAYTON SAMUEL A Thesis Submitted to The Honors College In Partial Fulfillment of the Bachelor s degree
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationOpenID Security Analysis and Evaluation
University of British Columbia OpenID Security Analysis and Evaluation San-Tsai Sun, Kirstie Hawkey, Konstantin Beznosov Laboratory for Education and Research in Secure Systems Engineering (LERSSE) University
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationJared Moore
CSE 484 / CSE M 584 Computer Security: Clickjacking Jared Moore jlcmoore@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationCS6120: Intelligent Media Systems. User Models. How is User Model Data Obtained? 11/01/2014
CS6120: Intelligent Media Systems Dr. Derek Bridge School of Computer Science & Information Technology UCC User Models For personalization, we need user models which contain some or all of: Identification
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationCross-Site Request Forgery (CSRF) Attack Lab
Laboratory for Computer Security Education 1 Cross-Site Request Forgery (CSRF) Attack Lab (Web Application: Collabtive) Copyright c 2006-2011 Wenliang Du, Syracuse University. The development of this document
More informationChrome Extension Security Architecture
Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationHTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys
HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationWeb Attacks CMSC 414. September 25 & 27, 2017
Web Attacks CMSC 414 September 25 & 27, 2017 Overview SQL Injection is frequently implemented as a web-based attack, but doesn t necessarily need to be There are a wide variety of web-based attacks Some
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationOAuth securing the insecure
Black Hat US 2011 khash kiani khash@thinksec.com OAuth securing the insecure roadmap OAuth flow malicious sample applications mobile OAuth google app web-based OAuth facebook app insecure implementation
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationPrevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side
www.ijcsi.org 650 Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI 1, S.USHA 2 1 Department of Computer and Communication, Sri Sairam Engineering College,
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationA Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications
A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University December 8, 2011 1 / 18 Riccardo Pelizzi
More informationPreventing Image based Cross Site Request Forgery Attacks
Preventing Image based Cross Site Request Forgery Attacks Ramarao R, Radhesh M, Alwyn R Pais Information Security Lab, Department of Computer Engineering, National Institute of Technology Karnataka, Surathkal,
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported
More informationCookies, sessions and authentication
Cookies, sessions and authentication TI1506: Web and Database Technology Claudia Hauff! Lecture 7 [Web], 2014/15 1 Course overview [Web] 1. http: the language of Web communication 2. Web (app) design &
More informationAndrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationCS 155 Project 2. Overview & Part A
CS 155 Project 2 Overview & Part A Project 2 Web application security Composed of two parts Part A: Attack Part B: Defense Due date: Part A: May 5th (Thu) Part B: May 12th (Thu) Project 2 Ruby-on-Rails
More informationClient-side Defenses for Context-Aware Phishing and Transaction Generator Spyware
Client-side Defenses for Context-Aware Phishing and Transaction Generator Spyware Collin Jackson Dan Boneh John Mitchell Stanford University Web Threats Phishing Spoof website convinces user to log in
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? LET S TALK HTTP SAFE VS. UNSAFE
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationHacking Intranet Websites from the Outside
1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (Japan) 10.05.2006 Jeremiah Grossman (Founder and CTO) WhiteHat Security 2 WhiteHat Sentinel -
More informationNetwork Security - ISA 656 Web Security
Network Security - ISA 656 Angelos Stavrou October 30, 2007 Crypto () Client security Server security 2 / 45 Trusting The Server s Client How Did That Happen? SET The Failure of SET Aside: The SET Root
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationAnalysing the Security of Google s implementation of OpenID Connect
Analysing the Security of Google s implementation of OpenID Connect Wanpeng Li and Chris J Mitchell Information Security Group, Royal Holloway, University of London Wanpeng.Li.2013@live.rhul.ac.uk, C.Mitchell@rhul.ac.uk
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? 6 SAFE VS. UNSAFE Safe GET HEAD
More informationR (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.
R (2) N (5) Oral (3) Total (10) Dated Sign Experiment No: 1 Problem Definition: Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing. 1.1 Prerequisite:
More information8.0 Help for Community Managers Release Notes System Requirements Administering Jive for Office... 6
for Office Contents 2 Contents 8.0 Help for Community Managers... 3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationCSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno
CSE 484 / CSE M 584: Computer Security and Privacy Web Security Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli,
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationCloud Help for Community Managers...3. Release Notes System Requirements Administering Jive for Office... 6
for Office Contents 2 Contents Cloud Help for Community Managers...3 Release Notes... 4 System Requirements... 5 Administering Jive for Office... 6 Getting Set Up...6 Installing the Extended API JAR File...6
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationThe security of Mozilla Firefox s Extensions. Kristjan Krips
The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting
More informationChecklist for Testing of Web Application
Checklist for Testing of Web Application Web Testing in simple terms is checking your web application for potential bugs before its made live or before code is moved into the production environment. During
More informationCross-Site Request Forgery
Cross-Site Request Forgery Venkateshwar Reddy S, MBA (Banking Technology), Pondicherry Central University, Puducherry, bobby938@gmail.com. Project guide: Dr. N.P. Dhavale, Deputy General Manager, INFINET
More informationAn analysis of security in a web application development process
An analysis of security in a web application development process Florent Gontharet Ethical Hacking University of Abertay Dundee MSc Ethical Hacking 2015 Table of Contents Abstract...2 Introduction...3
More informationCNIT 129S: Securing Web Applications. Ch 8: Attacking Access Controls
CNIT 129S: Securing Web Applications Ch 8: Attacking Access Controls Access Control Authentication and session management Ensure that you know who is using the application Access Controls Limit what actions
More informationAUTHENTICATION AND LOOKUP FOR NETWORK SERVICES
Vol.5, No.1, pp. 81-90, 2014 doi: 10.7903/ijecs.1040 AUTHENTICATION AND LOOKUP FOR NETWORK SERVICES Daniel J. Buehrer National Chung Cheng University 168 University Rd., Min-Hsiung Township, Chiayi County,
More informationCyber Attacks and Application - Motivation, Methods and Mitigation. Alfredo Vistola Solution Architect Security, EMEA
Cyber Attacks and Application - Motivation, Methods and Mitigation Alfredo Vistola a.vistola@f5.com Solution Architect Security, EMEA Attacks are Moving Up the Stack Network Threats Application Threats
More informationComputer Security Exam 3 Review. Paul Krzyzanowski. Rutgers University. Spring 2017
Computer Security 2017 Exam 3 Review Paul Krzyzanowski Rutgers University Spring 2017 April 18, 2018 CS 419 2017 Paul Krzyzanowski 1 Exam 3: Grade vs. Completion Time 5 Question 1 A high False Reject Rate
More informationPhishing. Eugene Davis UAH Information Security Club April 11, 2013
Phishing Eugene Davis UAH Information Security Club April 11, 2013 Overview A social engineering attack in which the attacker impersonates a trusted entity Attacker attempts to retrieve privileged information
More informationWeb Security Model and Applications
Web Security Model and Applications In this Tutorial Motivation: formal security analysis of web applications and standards Our Model of the Web Infrastructure Single Sign-On Case Studies Formal Security
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More information