HTML5 a clear & present danger

Size: px
Start display at page:

Download "HTML5 a clear & present danger"

Transcription

1 HTML5 a clear & present danger Renaud Bidou CTO 1/29/2014 Deny All /29/2014 Deny All

2 Menu 1. HTML5 new capabilities 2. HTML5 tricks 3. Empowering common threats 4. Hackers dreams come true 1/29/2014 Deny All /29/2014 Deny All

3 What s new with HTML5 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All

4 HTML5 short history Project led by W3C Latest draft: HTML 5.1 May 2, 2013 Previous : December 17, 2012 Previously : 13 drafts starting from January 22, 2008 Why HTML5? Make HTML content natively dynamic Support offline mode Increase security control and tuning Improve internals for performance, task parallelization etc. 1/29/2014 Deny All /29/2014 Deny All

5 New HTML content On-the-fly graphics with the <canvas> tag Native MP3, Ogg and Wav audio format support with the <audio> tag Native MP4, WebM and Ogg video format support with the <video> tag Drag & Drop! with draggable attribute and ondrop event handler Embedded geolocation with the new getcurrentposition() method 1/29/2014 Deny All /29/2014 Deny All

6 Input Validation New input types through <input type> attribute type=" " URL: type="url" Numbers: type="number" type="range" Date: type="date" type="month" type="week" Embedded format validator Based on type attribute value Can be enforced through the pattern attribute Can be disabled don t try to understand <form novalidate> 1/29/2014 Deny All /29/2014 Deny All

7 New forms inputs <input type=" "> <input type="url"> <input pattern="d{4}" placeholder="4 digits PIN"> <input type="number" min="0" max="10" step="2" value="6"> 1/29/2014 Deny All /29/2014 Deny All

8 New HTML internals Web Workers enable JavaScript background processing Web Storage improves local storage to extend the cookie concept and natively support session-based data handling WebApp Cache to enable offline mode of Web/Cloud based applications Server Sent Events (SSE) enables Server to Client communication through the established connection 1/29/2014 Deny All /29/2014 Deny All

9 HTML5 new security tricks 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All

10 iframe Sandboxing iframes sandboxing forbids forms, scripts, popups, access to cookies, local storage considers the content being provided by another domain iframe sandboxes are not set by default Backward compatibility sandbox attribute to be explicitly set without value <iframe src="iframe-source.html" sandbox=""> Not natural at all 1/29/2014 Deny All /29/2014 Deny All

11 Cross-document messaging Cross-document messaging provides mechanism for iframes to communicate with parent document overrides HTML4 restrictions Implementation failure Parent frame to control sources of messages Rarely (never) performed Origin iframe identification not even enforced window.parent.postmessage('hello', '*'); Origin iframe ID Wildcards are valid & Recommended 1/29/2014 Deny All /29/2014 Deny All

12 iframe insecurity Sandboxes are not applied iframes provide access to local storage iframes allows script execution and forms Thanks to cross-document messaging iframes communicate with parent window HTML5 opens doors between iframes and parents 1/29/2014 Deny All /29/2014 Deny All

13 CORS Cross-Origin Resource Sharing Required for «modern» applications Browsers to handle 3rd party domains content handling HTML5 powered browser Site A 1 2 Request for 3rd party content Site B Main page 1/29/2014 Deny All /29/2014 Deny All

14 CORS tricky concept CORS «security» controls Site A GET / HTTP/1.1 Host: Site_A 1 2 GET /content.htm HTTP/1.1 Host: Site_B Origin: Site B HTTP/ OK HTTP/ OK Access-Control-Allow-Origin: rely on Origin and Access-Control-Allow-Origin headers Relevant access control implemented on server Client Server trust relationship?????????????? 1/29/2014 Deny All /29/2014 Deny All

15 CORS Security Issues Access control No implementation standard Often set as site-level through includes or left universal Access-Control-Allow-Origin: * No reliable access control on server Preflighted requests Inform about supported methods Define security policy set on browser Responses are cached on client Browsers will not update their security policy 1/29/2014 Deny All /29/2014 Deny All

16 The Gig 1. CORS obsoletes SOP 2. iframes are out of control Browsers are turned into proxies «Native» browsing on internal networks Powerful DoS capabilities Accurate network (IP, port) scan behind the firewall Etc. 1/29/2014 Deny All /29/2014 Deny All

17 Empowering usual attacks 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All

18 Injections heaven 31 HTML5 new tags 31 new injections vectors supported by browsers <audio> <canvas> <command> <embed> <nav> <param> <source> <ruby> <track> <video> HTML5 new script event handlers 52 on* injection points + formaction : will bypass on\w+= like filters <form id="test" /> <button form="test" formaction="javascript:alert(1)"> Thousands of new evasion combinations 1/29/2014 Deny All /29/2014 Deny All

19 Attributes you will love Self-triggering execution through autofocus <input type="text" value="" onfocus="alert(1)" autofocus> Can be efficiently combined with appropriate handlers <body onscroll=alert(1)> <br><br><br><br><br><br>...<br><br><br> <input autofocus> Overwrite Stealth user userinput abuses with dirname <form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="captcha" value="" dirname="password"/> <input type="submit"> </form> username=admin&password=ltr&captcha= 1/29/2014 Deny All /29/2014 Deny All

20 Drag&Drop Jacking Abusing the D&D API Have a user drag & drop something Image, text, browser element (scrollbar, slider etc.) Set the value of dragged element to whatever you want Malicious data to be submitted on behalf of the user Confidential data to be stolen Have an invisible element follow the mouse Set the ondrop event handler of the iframe to whatever Feed form content (with malicious data) : CSRF Send content (stolen data) to 3rd party : Cross-domain data leak Bypasses cross-domain & CSRF protections 1/29/2014 Deny All /29/2014 Deny All

21 S more Clickjacking External forms content definition Thanks to the form & formaction attributes <form id='auth' action='/login'> <input type='text' placeholder='login'> <br><input type='password' placeholder='password'> <br><input type='submit' value='enter > </form> <input form='auth' type='submit' value='enter HERE' formaction=' > Can also be used to bypass CSRF protections Not that subtile, but still smarter than average users Trivial data theft & CSRF protections bypass 1/29/2014 Deny All /29/2014 Deny All

22 XSS Unleashed Screenshots with XSS Thanks to <canvas> tag Relay Hacker 5. Hacker retrieves screenshot 4. Victim sends screenshot 1. Hacker exploits XSS vulnerability 3. Victim executes Javascript Victim Browser 2. Malicious Javascript is loaded on Victim Vulnerable App 1/29/2014 Deny All /29/2014 Deny All

23 BotnetNG Bi-directional communication channel Server-Side Events to change web-based botnets behaviour Past : Agent regularly connect to C&C channel : to get commands and provide output «Easy» to identify and sign Threat is in out Efficiently addressed with outgoing proxies Now: No recurring connections to C&C channel Commands sent by server / responses sent asynchronously No standard behaviour to modelize Threat is out in Not addressed by web client security devices Botnet prevention mechanisms are obsolete 1/29/2014 Deny All /29/2014 Deny All

24 HTML5 Inside 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All

25 Password cracking A botnet case study Targets clients connected to compromised application Used to crack passwords Takes advantage of Web Workers Browsers compute hashes in the background Invisible to user, no impact on browser performances Just theory? Ravan, Distributed JS Computing Systems Supports MD5 and SHA hashes Simply a PoC, user are asked for permission Web hackers version of distributed computing 1/29/2014 Deny All /29/2014 Deny All

26 Dream comes True Issues with injections Volatile: limited timeframe Persistent: can be removed from compromised DB The Hacker s dream Persistent injections for unlimited timeframe Client-side persistency to prevent one-shot removal WebApp cache: HTML5 gift to the underground local HTML5 storage Independant from browser cache Not so easy to clean, whenever possible Prevents any request from the client Allow to cache anything, including the root of the application 1/29/2014 Deny All /29/2014 Deny All

27 WebApp Cache Browser requests a page GET / HTTP/1.1 <!DOCTYPE HTML> <html manifest="site.appcache"> <html> Manifest file URL Browser gets the Manifest file Specifies pages to be locally cached Some more stuff Browser stores the files Never to be requested again 1/29/2014 Deny All /29/2014 Deny All

28 The Ultimate APT One Scenario Exploit a client-side injection vulnerability on a server (XSS) Can be volatile, will be used just once Have the client browser execute something like document.getelementsbytagname("html")[0]\.setattribute("manifest"," Changes the manifest attribute to Set an entry in the corrupted manifest file to a corrupted file with «alternate» capabilties such as fishing or drive-by download Client access to application compromised forever 1/29/2014 Deny All /29/2014 Deny All

29 Conclusion 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All

30 HTML5 opens doors between iframes and parents Browsers are turned into proxies Thousands of new evasion combinations 1/29/2014 Deny All /29/2014 Deny All

31 Preventing HTML5 abuses Identify new HTML5 content Tags, attributes, event handlers Identify previoulsy defined HTML5 content Now removed from recent drafts Still supported by browsers Evaluate suspicious combinations Tag name + attribute + event handler Efficiently identify script injections Don t try to understand (you can t) Identify the nature of data submitted to your application Enforce access restrictions In the core of applications for Cross-Document Messaging At the server level for CORS security 1/29/2014 Deny All /29/2014 Deny All

32 Thank you! /29/2014 Deny All /29/2014 Deny All

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch

More information

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst

HTML5 Web Security. Thomas Röthlisberger IT Security Analyst HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

EasyCrypt passes an independent security audit

EasyCrypt passes an independent security audit July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

The PKI Lie. The OWASP Foundation  Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,

More information

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page

More information

CSCE 813 Internet Security Case Study II: XSS

CSCE 813 Internet Security Case Study II: XSS CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that

More information

Techno Expert Solutions An institute for specialized studies!

Techno Expert Solutions An institute for specialized studies! HTML5 and CSS3 Course Content to WEB W3C and W3C Members Why WHATWG? What is Web? HTML Basics Parts in HTML Document Editors Basic Elements Attributes Headings Basics Paragraphs Formatting Links Head CSS

More information

HTML Forms. CITS3403 Agile Web Development. 2018, Semester 1

HTML Forms. CITS3403 Agile Web Development. 2018, Semester 1 HTML Forms CITS3403 Agile Web Development 2018, Semester 1 Some material Copyright 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Forms A form is the usual way to get information from

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends

More information

Common Websites Security Issues. Ziv Perry

Common Websites Security Issues. Ziv Perry Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP

More information

Match the attack to its description:

Match the attack to its description: Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure

More information

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

NoScript, CSP and ABE: When The Browser Is Not Your Enemy NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party

More information

Browser code isolation

Browser code isolation CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

Chrome Extension Security Architecture

Chrome Extension Security Architecture Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture

More information

Multi-Post XSRF Web App Exploitation, total pwnage

Multi-Post XSRF Web App Exploitation, total pwnage Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.

More information

Cross-Site Request Forgery in Cisco SG220 series

Cross-Site Request Forgery in Cisco SG220 series Cross-Site Request Forgery in Cisco SG220 series Security advisory 12/09/2016 Renaud Dubourguais Nicolas Collignon www.synacktiv.com 5 rue Sextius Michel 75015 Paris Vulnerability description The Cisco

More information

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised

More information

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann.  Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

WHY CSRF WORKS. Implicit authentication by Web browsers

WHY CSRF WORKS. Implicit authentication by Web browsers WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication

More information

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Application Security through a Hacker s Eyes James Walden Northern Kentucky University Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways

More information

CSC 482/582: Computer Security. Cross-Site Security

CSC 482/582: Computer Security. Cross-Site Security Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential

More information

16. HTML5, HTML Graphics, & HTML Media 웹프로그래밍 2016 년 1 학기 충남대학교컴퓨터공학과

16. HTML5, HTML Graphics, & HTML Media 웹프로그래밍 2016 년 1 학기 충남대학교컴퓨터공학과 16. HTML5, HTML Graphics, & HTML Media 웹프로그래밍 2016 년 1 학기 충남대학교컴퓨터공학과 목차 HTML5 Introduction HTML5 Browser Support HTML5 Semantic Elements HTML5 Canvas HTML5 SVG HTML5 Multimedia 2 HTML5 Introduction What

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn

Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,

More information

Content Security Policy

Content Security Policy About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training

More information

HTML5 - INTERVIEW QUESTIONS

HTML5 - INTERVIEW QUESTIONS HTML5 - INTERVIEW QUESTIONS http://www.tutorialspoint.com/html5/html5_interview_questions.htm Copyright tutorialspoint.com Dear readers, these HTML5 Interview Questions have been designed specially to

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015 INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3

More information

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December

More information

Building Layers of Defense with Spring Security. We have to distrust each other. It is our only defense against betrayal. Tennessee Williams

Building Layers of Defense with Spring Security. We have to distrust each other. It is our only defense against betrayal. Tennessee Williams Building Layers of Defense with Spring Security We have to distrust each other. It is our only defense against betrayal. Tennessee Williams About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and

More information

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys

HTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification

More information

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev

Chat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2

More information

Tabular Presentation of the Application Software Extended Package for Web Browsers

Tabular Presentation of the Application Software Extended Package for Web Browsers Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16

More information

Eradicating DNS Rebinding with the Extended Same-Origin Policy

Eradicating DNS Rebinding with the Extended Same-Origin Policy Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5

More information

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?

Why bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions? Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords

More information

Robust Defenses for Cross-Site Request Forgery Review

Robust Defenses for Cross-Site Request Forgery Review Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define

More information

CSRF in the Modern Age

CSRF in the Modern Age CSRF in the Modern Age Sidestepping the CORS Standard Tanner Prynn @tannerprynn In This Talk The State of CSRF The CORS Standard How Not To Prevent CSRF The Fundamentals of HTTP Without cookies: With cookies:

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

P2_L12 Web Security Page 1

P2_L12 Web Security Page 1 P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction

More information

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0

BIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0 BIG-IP Application Security Manager : Attack and Bot Signatures Version 13.0 Table of Contents Table of Contents Assigning Attack Signatures to Security Policies...5 About attack signatures...5 About

More information

More attacks on clients: Click-jacking/UI redressing, CSRF

More attacks on clients: Click-jacking/UI redressing, CSRF Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last

More information

What is HTML5? The previous version of HTML came in The web has changed a lot since then.

What is HTML5? The previous version of HTML came in The web has changed a lot since then. What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in 1999. The web has changed a lot since then. HTML5 is still a work in progress. However,

More information

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Security issues Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Criteria D3 D3 Recommend ways to improve web security when using web server scripting Clean browser input Don

More information

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013

86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013 Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability

More information

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

Modern client-side defenses. Deian Stefan

Modern client-side defenses. Deian Stefan Modern client-side defenses Deian Stefan Modern web site Modern web site Page code Modern web site Modern web site Page code Ad code Modern web site Page code Ad code Third-party APIs Modern web site Page

More information

Client-Side Security Using CORS

Client-Side Security Using CORS Università Ca Foscari Venezia Master s Degree programme Second Cycle (D.M. 270/2004) in Informatica Computer Science Final Thesis Client-Side Security Using CORS Supervisor Prof. Focardi Riccardo Candidate

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2017 CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the

More information

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc. PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends

More information

Evaluating the Security Risks of Static vs. Dynamic Websites

Evaluating the Security Risks of Static vs. Dynamic Websites Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline

More information

Combating Common Web App Authentication Threats

Combating Common Web App Authentication Threats Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App

More information

Client Side Injection on Web Applications

Client Side Injection on Web Applications Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to

More information

Cross Site Request Forgery

Cross Site Request Forgery Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland

More information

Web Security. Aggelos Kiayias Justin Neumann

Web Security. Aggelos Kiayias Justin Neumann Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating

More information

New Media Production HTML5

New Media Production HTML5 New Media Production HTML5 Modernizr, an HTML5 Detection Library Modernizr is an open source, MIT-licensed JavaScript library that detects support

More information

Exploiting and Defending: Common Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,

More information

Everything you need to know to get you started. By Kevin DeRudder

Everything you need to know to get you started. By Kevin DeRudder Everything you need to know to get you started with HTML5 By Kevin DeRudder @kevinderudder working for eguidelines and a lecturer at the Technical University of West Flanders. Contact me on kevin@e-guidelines.be

More information

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December

Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,

More information

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides: Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication

More information

CSCE 120: Learning To Code

CSCE 120: Learning To Code CSCE 120: Learning To Code Module 11.0: Consuming Data I Introduction to Ajax This module is designed to familiarize you with web services and web APIs and how to connect to such services and consume and

More information

CS Paul Krzyzanowski

CS Paul Krzyzanowski Original Browser Static content on clients Servers were responsible for dynamic parts Computer Security 14. Web Security Security attacks were focused on servers Malformed URLs, buffer overflows, root

More information

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018 Computer Security 14. Web Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Original Browser Static content on clients Servers were responsible for

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer. Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers

More information

Content Security Policy

Content Security Policy Content Security Policy And mitigating Cross-site Scripting vulnerabilities Joseph Fields M.Sc Computer Science - December 2016 Introduction HTML and Javascript power billions of websites visited daily

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13 Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access

More information

October 08: Introduction to Web Security

October 08: Introduction to Web Security October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy

More information

CS 161 Computer Security

CS 161 Computer Security Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing

More information

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax

More information

Developer's HTML5. Cookbook. AAddison-Wesley. Chuck Hudson. Tom Leadbetter. Upper Saddle River, NJ Boston Indianapolis San Francisco

Developer's HTML5. Cookbook. AAddison-Wesley. Chuck Hudson. Tom Leadbetter. Upper Saddle River, NJ Boston Indianapolis San Francisco HTML5 Developer's Cookbook Chuck Hudson Tom Leadbetter AAddison-Wesley Upper Saddle River, NJ Boston Indianapolis San Francisco New York Toronto Montreal London Munich Paris Madrid Capetown Sydney Tokyo

More information

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security. Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language

More information

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007 Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1

More information

Welcome to the OWASP TOP 10

Welcome to the OWASP TOP 10 Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA

More information

SECURE CODING ESSENTIALS

SECURE CODING ESSENTIALS SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design

More information

Web Security IV: Cross-Site Attacks

Web Security IV: Cross-Site Attacks 1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one

More information