AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Size: px
Start display at page:

Download "AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE"

Transcription

1 AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE Nicholas Carlini, Adrienne Porter Felt, David Wagner University of California, Berkeley

2 CHROME EXTENSIONS

3 CHROME EXTENSIONS

4 servers servers client-side website extension client-side website browser API history bookmarks WEB ATTACKER

5 servers servers client-side website extension client-side website browser API history bookmarks WEB ATTACKER

6 servers servers client-side website extension client-side website browser API history bookmarks NETWORK ATTACKER

7 servers servers client-side website extension client-side website browser API history bookmarks NETWORK ATTACKER

8 CHROME S SECURITY MECHANISMS

9 servers servers client-side website content script core extension extension browser API history bookmarks PRIVILEGE SEPARATION

10 servers servers client-side website content script content script core extension client-side website extension browser API history bookmarks ISOLATED WORLDS

11 servers server server client-side website content script core extension client-side website extension browser API history bookmarks PERMISSIONS

12 Vulnerabilities Isolated worlds Privilege separation Permissions New defenses

13 VULNERABILITIES

14 FINDING BUGS SAMPLE 50 most popular + 50 random extensions METHODS Black-box testing + source code analysis VERIFICATION Built exploits to confirm the vulnerabilities

15 Vulnerability Location Web Attacker Network Attacker Core 5 50 Content Script 3 1 Website vulnerabilities in 40 extensions VULNERABILITIES

16 Popular Random Total VULNERABLE EXTENSIONS

17 EXAMPLE: SPEED DIAL

18 ISOLATED WORLDS

19 Isolated worlds: protect content scripts from web attackers

20 Vulnerability count: 3 content script vulns

21 DATA AS HTML MISTAKE Insert data as HTML, where it can execute MITIGATION Will execute in website s isolated world VULNERABILITIES 6 extensions have data-as-html bugs that don t cause content script vulnerabilities

22 EVAL MISTAKE Use eval to execute untrusted data MITIGATION Isolated worlds does not mitigate this bug VULNERABILITIES 2 vulnerabilities due to this mistake

23 CLICK INJECTION MISTAKE Trusting event handlers on a website MITIGATION Isolated worlds does not mitigate this bug VULNERABILITIES 1 vulnerability due to this mistake

24 Isolated worlds is highly effective because it mitigates common bugs

25 PRIVILEGE SEPARATION

26 Privilege separation: protect core extensions

27 client-side website content script extension core extension browser API history bookmarks PRIVILEGE SEPARATION

28 Can regular developers use privilege separation?

29 Permissions Extensions All of the extensions 7% Partial: XHRs 15% Partial: tab control 8% Partial: other 8% (Of the 61 extensions with content scripts) PRIVILEGE LEAKAGE

30 Privilege separation would fully protect most core extensions, but a third of developers circumvent it

31 Vulnerability count: 50 core extension vulns

32 servers client-side website content script core extension extension browser API history bookmarks METADATA ATTACK

33 servers client-side website content script 5 metadata attacks core extension extension browser API history bookmarks METADATA ATTACK

34 servers client-side website content script core extension extension browser API history bookmarks HTTP SCRIPTS/XHRS

35 servers client-side website content script 16 HTTP XHRs 28 HTTP scripts core extension extension browser API history bookmarks HTTP SCRIPTS/XHRS

36 Privilege separation can be powerful, but its placement in the system matters

37 Something else is needed to protect core extensions

38 PERMISSIONS

39 Permissions: limit the scope of core vulnerabilities

40 None 15% Low 11% High 44% Medium 30% 27 buggy extensions PERMISSION RATE

41 Reduces potential for severe attacks by half

42 None None 15% Low 11% High 44% 1% Low 12% Medium High 49% Medium 37% 30% with bugs others RATE COMPARISON

43 No correlation between bugs and permissions

44 Yes, permissions limit the scope of vulnerabilities

45 NEW DEFENSES

46 Use CSP to ban unsafe coding practices

47 Restriction Security Benefit Broken, But Fixable Broken And Unfixable No HTTP scripts in cores 15% 15% 0% No inline scripts 15% 79% 0% No eval 3% 30% 2% No HTTP XHRs 17% 29% 14% POTENTIAL BANS

48 Restriction Security Benefit Broken, But Fixable Broken And Unfixable No HTTP scripts in cores 15% 15% 0% No inline scripts 15% 79% 0% No eval 3% 30% 2% No HTTP XHRs 17% 29% 14% ADOPTION

49 Restriction Security Benefit Broken, But Fixable Broken And Unfixable Chrome 18 policy 27% 85% 2% ADOPTION

50 CONCLUSION Isolated worlds prevents common bugs Some developers don t use privilege separation optimally Permissions reduce scope of vulns Recommend banning unsafe practices to protect core extensions

51 QUESTIONS?

An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture An Evaluation of the Google Chrome Extension Security Architecture Nicholas Carlini, Adrienne Porter Felt, and David Wagner University of California, Berkeley nicholas.carlini@berkeley.edu, apf@cs.berkeley.edu,

More information

Chrome Extension Security Architecture

Chrome Extension Security Architecture Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture

More information

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd

The Evolution of Chrome Security Architecture. Huan Ren Director, Qihoo 360 Technology Ltd The Evolution of Chrome Security Architecture Huan Ren Director, Qihoo 360 Technology Ltd Today s Chrome Architecture Browser GPU Sandbox Policy Renderer Extension Plug In History Initial version: multi-process,

More information

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan

The Most Dangerous Code in the Browser. Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan The Most Dangerous Code in the Browser Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Modern web experience Modern web experience Modern web experience Web apps Extensions NYTimes Chase AdBlock

More information

AdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android

AdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android AdDroid Privilege Separa,on for Applica,ons and Adver,sers in Android Paul Pearce 1, Adrienne Porter Felt 1, Gabriel Nunez 2, David Wagner 1 1 University of California, Berkeley 2 Sandia Na,onal Laboratory

More information

So we broke all CSPs. You won't guess what happened next!

So we broke all CSPs. You won't guess what happened next! So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer bitiodine.net rosettaflash.com Recap what happened last year Summary

More information

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

NoScript, CSP and ABE: When The Browser Is Not Your Enemy NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission

More information

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum ODDITIES Michele Spagnuolo Lukas Weichselbaum ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security

More information

Northeastern University Systems Security Lab

Northeastern University Systems Security Lab Northeastern University Systems Security Lab Why is CSP Failing? Trends and Challenges in CSP Adoption Symposium on Research in Attacks, Intrusions and Defenses (RAID) Gothenburg, Sweden, September 2014

More information

Match the attack to its description:

Match the attack to its description: Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure

More information

Web Security: Vulnerabilities & Attacks

Web Security: Vulnerabilities & Attacks Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side

More information

HTTP Security Headers Explained

HTTP Security Headers Explained HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,

More information

Defense-in-depth techniques. for modern web applications

Defense-in-depth techniques. for modern web applications Defense-in-depth techniques for modern web applications About Us Lukas Weichselbaum Michele Spagnuolo Senior Information Security Engineer Senior Information Security Engineer We work in a focus area of

More information

Content Security Policy

Content Security Policy About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training

More information

The security of Mozilla Firefox s Extensions. Kristjan Krips

The security of Mozilla Firefox s Extensions. Kristjan Krips The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting

More information

Writing Secure Chrome Apps and Extensions

Writing Secure Chrome Apps and Extensions Writing Secure Chrome Apps and Extensions Keeping your users safe Jorge Lucángeli Obes Software Engineer Keeping users safe A lot of work going into making browsers more secure What about users' data?

More information

Browser code isolation

Browser code isolation CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are

More information

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are

More information

ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities

ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities ZigZag - Automatically Hardening Web Applications Against Client-side Validation Vulnerabilities Michael Weissbacher, William Robertson, Engin Kirda, Christopher Kruegel, Giovanni Vigna 1 XMLHTTPRequest

More information

An Empirical Study of Vulnerability Rewards Programs

An Empirical Study of Vulnerability Rewards Programs An Empirical Study of Vulnerability Rewards Programs Matthew Finifter, Devdatta Akhawe, David Wagner UC Berkeley security development lifecycle A vulnerability remediation strategy is any systematic approach

More information

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati

OWASP TOP Release. Andy Willingham June 12, 2018 OWASP Cincinnati OWASP TOP 10 2017 Release Andy Willingham June 12, 2018 OWASP Cincinnati Agenda A quick history lesson The Top 10(s) Web Mobile Privacy Protective Controls Why have a Top 10? Software runs the world (infrastructure,

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

BOOSTING THE SECURITY

BOOSTING THE SECURITY BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS

More information

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification

More information

Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil. Kyle Kos Osborn Krzysztof Kotowicz

Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil. Kyle Kos Osborn Krzysztof Kotowicz Advanced Chrome Extension Exploita5on Leveraging API Powers for the Be=er Evil Kyle Kos Osborn Krzysztof Kotowicz 1 Please complete the Speaker Feedback Surveys. This will help speakers to improve and

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Content Security Policy

Content Security Policy Content Security Policy And mitigating Cross-site Scripting vulnerabilities Joseph Fields M.Sc Computer Science - December 2016 Introduction HTML and Javascript power billions of websites visited daily

More information

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces

More information

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology

Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan. Stanford University, Chalmers University of Technology Stefan Heule, Devon Rifkin, Alejandro Russo, Deian Stefan Stanford University, Chalmers University of Technology One of the most popular application platforms Easy to deploy and access Almost anything

More information

Application Security Approach

Application Security Approach Technical Approach Page 1 CONTENTS Section Page No. 1. Introduction 3 2. What is Application Security 7 3. Typical Approaches 9 4. Methodology 11 Page 2 1. INTRODUCTION Page 3 It is a Unsafe Cyber world..

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,

More information

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018 Sandboxing CS-576 Systems Security Instructor: Georgios Portokalidis Sandboxing Means Isolation Why? Software has bugs Defenses slip Untrusted code Compartmentalization limits interference and damage!

More information

Extending the browser to secure applications

Extending the browser to secure applications Extending the browser to secure applications Highlights from W3C WebAppSec Group Deian Stefan Modern web apps have many moving pieces & parties Application code & content itself User provided content (e.g.,

More information

Browser Guide for PeopleSoft

Browser Guide for PeopleSoft Browser Guide for PeopleSoft Business Process Guide For Academic Support Specialists (Advisors) TABLE OF CONTENTS PURPOSE...2 INTERNET EXPLORER 7...3 GENERAL TAB...4 SECURITY TAB...6 PRIVACY TAB...10 CONTENT

More information

GPII Security. Washington DC, November 2015

GPII Security. Washington DC, November 2015 GPII Security Washington DC, November 2015 Outline User data User's device GPII Configuration use cases Preferences access and privacy filtering Work still to do Demo GPII User Data Preferences Device

More information

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO RIA Security - Broken By Design Joonas Lehtinen IT Mill - CEO a system is secure if it is designed to be secure and there are no bugs no system should be designed to be insecure not all bugs are security

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session

More information

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

Build Native-like Experiences in HTML5

Build Native-like Experiences in HTML5 Developers Build Native-like Experiences in HTML5 The Chrome Apps Platform Joe Marini - Chrome Developer Advocate About Me Joe Marini Developer Relations Lead - Google Chrome google.com/+joemarini @joemarini

More information

1 Post-Installation Configuration Tasks

1 Post-Installation Configuration Tasks 1 Post-Installation Configuration Tasks 1.1 Overview The previous chapters provide instructions on how to set up Appeon system architecture, including installing Appeon for PowerBuilder components, as

More information

Privacy Protection for Social Networking APIs

Privacy Protection for Social Networking APIs Privacy Protection for Social Networking APIs Adrienne Felt and David Evans University of Virginia W2SP, May 2008 social networking APIs Facebook Platform Third parties get screen real estate User information

More information

Secure Programming Techniques

Secure Programming Techniques Secure Programming Techniques Meelis ROOS mroos@ut.ee Institute of Computer Science Tartu University spring 2014 Course outline Introduction General principles Code auditing C/C++ Web SQL Injection PHP

More information

Large Scale Generation of Complex and Faulty PHP Test Cases

Large Scale Generation of Complex and Faulty PHP Test Cases Large Scale Generation of Complex and Faulty PHP Test Cases Bertrand STIVALET Elizabeth FONG ICST 2016 Chicago, IL, USA April 15th, 2016 http://samate.nist.gov Authors Bertrand STIVALET National Institute

More information

Some Facts Web 2.0/Ajax Security

Some Facts Web 2.0/Ajax Security /publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire

More information

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION Philippe De Ryck NG-BE Conference, December 9 th 2016 https://www.websec.be ABOUT ME PHILIPPE DE RYCK My goal is to help you build secure web applications

More information

Confinement (Running Untrusted Programs)

Confinement (Running Untrusted Programs) Confinement (Running Untrusted Programs) Chester Rebeiro Indian Institute of Technology Madras Untrusted Programs Untrusted Application Entire Application untrusted Part of application untrusted Modules

More information

Product Security Program

Product Security Program Product Security Program An overview of Carbon Black s Product Security Program and Practices Copyright 2016 Carbon Black, Inc. All rights reserved. Carbon Black is a registered trademark of Carbon Black,

More information

Introduction into browser hacking. Andrey Kovalev

Introduction into browser hacking. Andrey Kovalev Introduction into browser hacking Andrey Kovalev (@L1kvID) Who am I Security Engineer at Yandex Browser security enthusiast Public speaker (every ZeroNights since 2015) Author of @br0wsec channel (https://t.me/br0wsec)!3

More information

Privilege Separation in Browser Extensions Based on Web Workers

Privilege Separation in Browser Extensions Based on Web Workers Advanced Materials Research Submitted: 2014-05-24 ISSN: 1662-8985, Vols. 989-994, pp 4675-4679 Accepted: 2014-05-30 doi:10.4028/www.scientific.net/amr.989-994.4675 Online: 2014-07-16 2014 Trans Tech Publications,

More information

Bank Infrastructure - Video - 1

Bank Infrastructure - Video - 1 Bank Infrastructure - 1 05/09/2017 Threats Threat Source Risk Status Date Created Account Footprinting Web Browser Targeted Malware Web Browser Man in the browser Web Browser Identity Spoofing - Impersonation

More information

IronWASP (Iron Web application Advanced Security testing Platform)

IronWASP (Iron Web application Advanced Security testing Platform) IronWASP (Iron Web application Advanced Security testing Platform) 1. Introduction: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability

More information

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability

More information

last time: command injection

last time: command injection Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string

More information

Secure Frame Communication in Browsers Review

Secure Frame Communication in Browsers Review Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being

More information

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically

More information

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc. PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends

More information

CS 161 Computer Security

CS 161 Computer Security Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted

More information

Relay. Calendar Setup. Google Calendar

Relay. Calendar Setup. Google Calendar Relay Calendar Setup Google Calendar 1 Create a new calendar resource for your room. If your room already has a calendar, you can skip this step. If you don t have access to Google Admin, you may instead

More information

Using Threat Modeling To Find Design Flaws

Using Threat Modeling To Find Design Flaws Using Threat Modeling To Find Design Flaws Introduction Jim DelGrosso Run Cigital's Architecture Analysis practice 20+ years in software development in many different domains ~15 years focusing on software

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM

SECURIFY: A COMPOSITIONAL APPROACH OF BUILDING SECURITY VERIFIED SYSTEM 1 SRIFY: A COMPOSITIONAL APPROACH OF BUILDING SRITY VERIFIED SYSTEM Liu Yang, Associate Professor, NTU SG-CRC 2018 28 March 2018 2 Securify Approach Compositional Security Reasoning with Untrusted Components

More information

Security Principles & Sandboxes

Security Principles & Sandboxes Security Principles & Sandboxes CS 161: Computer Security Prof. Raluca Ada Popa January 25, 2018 Some slides credit Nick Weaver or David Wagner. Announcements Homework 1 is out, due on Monday Midterm 1

More information

Virtual machines (e.g., VMware)

Virtual machines (e.g., VMware) Case studies : Introduction to operating systems principles Abstraction Management of shared resources Indirection Concurrency Atomicity Protection Naming Security Reliability Scheduling Fairness Performance

More information

Web 2.0 Attacks Explained

Web 2.0 Attacks Explained Web 2.0 Attacks Explained Kiran Maraju, CISSP, CEH, ITIL, ISO27001, SCJP Email: Kiran_maraju@yahoo.com Abstract This paper details various security concerns and risks associated with web 2.0 technologies

More information

MODERN WEB APPLICATION DEFENSES

MODERN WEB APPLICATION DEFENSES MODERN WEB APPLICATION DEFENSES AGAINST DANGEROUS NETWORK ATTACKS Philippe De Ryck SecAppDev 2017 https://www.websec.be SETUP OF THE HANDS-ON SESSION I have prepared a minimal amount of slides Explain

More information

Modern client-side defenses. Deian Stefan

Modern client-side defenses. Deian Stefan Modern client-side defenses Deian Stefan Modern web site Modern web site Page code Modern web site Modern web site Page code Ad code Modern web site Page code Ad code Third-party APIs Modern web site Page

More information

CSC 482/582: Computer Security. Cross-Site Security

CSC 482/582: Computer Security. Cross-Site Security Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential

More information

Contego: Capability-Based Access Control for Web Browsers

Contego: Capability-Based Access Control for Web Browsers Contego: Capability-Based Access Control for Web Browsers Tongbo Luo and Wenliang Du Department of Electrical Engineering & Computer Science, Syracuse University, Syracuse, New York, USA, {toluo,wedu}@syr.edu

More information

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis

Know Your Own Risks: Content Security Policy Report Aggregation and Analysis SESSION ID: CDS-F03 Know Your Own Risks: Content Security Policy Report Aggregation and Analysis Ksenia Dmitrieva Senior Consultant Cigital, Inc. @KseniaDmitrieva Agenda What is Content Security Policy

More information

Web Penetration Testing

Web Penetration Testing Web Penetration Testing What is a Website How to hack a Website? Computer with OS and some servers. Apache, MySQL...etc Contains web application. PHP, Python...etc Web application is executed here and

More information

Web Security IV: Cross-Site Attacks

Web Security IV: Cross-Site Attacks 1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

OAuth securing the insecure

OAuth securing the insecure Black Hat US 2011 khash kiani khash@thinksec.com OAuth securing the insecure roadmap OAuth flow malicious sample applications mobile OAuth google app web-based OAuth facebook app insecure implementation

More information

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit 1 2 o hai. 3 Why Think About HTTP Strict Transport Security? Roadmap what is HSTS?

More information

Logging in from Home. Follow these steps:

Logging in from Home. Follow these steps: Accessing from outside the PeaceHealth network Logging in from Home Quick Tips for a successful access! You must have administrator privileges on the computer you are using to be able to install the required

More information

Origin Policy Enforcement in Modern Browsers

Origin Policy Enforcement in Modern Browsers Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 1 / 32 Table of

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies (@slekies) / Ben Stock (@kcotsneb) Martin Johns (@datenkeller) Agenda The Same-Origin Policy Cross-Site Script Inclusion (XSSI) Generalizing

More information

Go Secure Coding Practices

Go Secure Coding Practices Go Secure Coding Practices Introductions Sulhaedir IT Security Analyst at Tokopedia sulhaedir05@gmail.com Outline What is secure coding? Advantage of secure coding For Pentester For Developer / Programmer

More information

Navigate by Using Windows Explorer

Navigate by Using Windows Explorer Navigate by Using Windows Explorer Pinning a location to a Jump List 2013 Pearson Education, Inc. Publishing as Prentice Hall 26 Navigate by Using Windows Explorer Navigating using the address bar 2013

More information

Vulnerabilities in online banking applications

Vulnerabilities in online banking applications Vulnerabilities in online banking applications 2019 Contents Introduction... 2 Executive summary... 2 Trends... 2 Overall statistics... 3 Comparison of in-house and off-the-shelf applications... 6 Comparison

More information

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side www.ijcsi.org 650 Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI 1, S.USHA 2 1 Department of Computer and Communication, Sri Sairam Engineering College,

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA

The Weakest Link: Mitigating Web Application Vulnerabilities. webscurity White Paper. webscurity Inc. Minneapolis, Minnesota USA The Weakest Link: Mitigating Web Application Vulnerabilities webscurity White Paper webscurity Inc. Minneapolis, Minnesota USA March 19, 2008 Contents Executive Summary...3 Introduction...4 Target Audience...4

More information

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia

Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting. William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia Riding out DOMsday: Toward Detecting and Preventing DOM Cross-Site Scripting William Melicher Anupam Das Mahmood Sharif Lujo Bauer Limin Jia XSS vulnerabilities account for 25% of web vulnerabilities url.com/page#">attack

More information

CSCE 548 Building Secure Software SQL Injection Attack

CSCE 548 Building Secure Software SQL Injection Attack CSCE 548 Building Secure Software SQL Injection Attack Professor Lisa Luo Spring 2018 Previous class DirtyCOW is a special type of race condition problem It is related to memory mapping We learned how

More information

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren Security in a Mainframe Emulator Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren October 25, 2017 Table of Contents Introduction... 2 About this paper...

More information

Evaluating the Security Risks of Static vs. Dynamic Websites

Evaluating the Security Risks of Static vs. Dynamic Websites Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline

More information

,

, Weekdays:- 1½ hrs / 3 days Fastrack:- 1½hrs / Day [Class Room and Online] ISO 9001:2015 CERTIFIED ADMEC Multimedia Institute www.admecindia.co.in 9911782350, 9811818122 Welcome to one of the highly professional

More information

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported

More information

Design Inaccuracy Cross Link Authoring Flaw - ipaper Platform

Design Inaccuracy Cross Link Authoring Flaw - ipaper Platform COSEINC Design Inaccuracy Cross Link Authoring Flaw - ipaper Platform Aditya K Sood, - Sr. Security Researcher, Vulnerability Research Labs, COSEINC Email: Aditya [at] research.coseinc.com Website: http://www.coseinc.com

More information