HTML5 a clear & present danger
|
|
- Godwin McCarthy
- 6 years ago
- Views:
Transcription
1 HTML5 a clear & present danger Renaud Bidou CTO 1/29/2014 Deny All /29/2014 Deny All
2 Menu 1. HTML5 new capabilities 2. HTML5 tricks 3. Empowering common threats 4. Hackers dreams come true 1/29/2014 Deny All /29/2014 Deny All
3 What s new with HTML5 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All
4 HTML5 short history Project led by W3C Latest draft: HTML 5.1 May 2, 2013 Previous : December 17, 2012 Previously : 13 drafts starting from January 22, 2008 Why HTML5? Make HTML content natively dynamic Support offline mode Increase security control and tuning Improve internals for performance, task parallelization etc. 1/29/2014 Deny All /29/2014 Deny All
5 New HTML content On-the-fly graphics with the <canvas> tag Native MP3, Ogg and Wav audio format support with the <audio> tag Native MP4, WebM and Ogg video format support with the <video> tag Drag & Drop! with draggable attribute and ondrop event handler Embedded geolocation with the new getcurrentposition() method 1/29/2014 Deny All /29/2014 Deny All
6 Input Validation New input types through <input type> attribute type=" " URL: type="url" Numbers: type="number" type="range" Date: type="date" type="month" type="week" Embedded format validator Based on type attribute value Can be enforced through the pattern attribute Can be disabled don t try to understand <form novalidate> 1/29/2014 Deny All /29/2014 Deny All
7 New forms inputs <input type=" "> <input type="url"> <input pattern="d{4}" placeholder="4 digits PIN"> <input type="number" min="0" max="10" step="2" value="6"> 1/29/2014 Deny All /29/2014 Deny All
8 New HTML internals Web Workers enable JavaScript background processing Web Storage improves local storage to extend the cookie concept and natively support session-based data handling WebApp Cache to enable offline mode of Web/Cloud based applications Server Sent Events (SSE) enables Server to Client communication through the established connection 1/29/2014 Deny All /29/2014 Deny All
9 HTML5 new security tricks 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All
10 iframe Sandboxing iframes sandboxing forbids forms, scripts, popups, access to cookies, local storage considers the content being provided by another domain iframe sandboxes are not set by default Backward compatibility sandbox attribute to be explicitly set without value <iframe src="iframe-source.html" sandbox=""> Not natural at all 1/29/2014 Deny All /29/2014 Deny All
11 Cross-document messaging Cross-document messaging provides mechanism for iframes to communicate with parent document overrides HTML4 restrictions Implementation failure Parent frame to control sources of messages Rarely (never) performed Origin iframe identification not even enforced window.parent.postmessage('hello', '*'); Origin iframe ID Wildcards are valid & Recommended 1/29/2014 Deny All /29/2014 Deny All
12 iframe insecurity Sandboxes are not applied iframes provide access to local storage iframes allows script execution and forms Thanks to cross-document messaging iframes communicate with parent window HTML5 opens doors between iframes and parents 1/29/2014 Deny All /29/2014 Deny All
13 CORS Cross-Origin Resource Sharing Required for «modern» applications Browsers to handle 3rd party domains content handling HTML5 powered browser Site A 1 2 Request for 3rd party content Site B Main page 1/29/2014 Deny All /29/2014 Deny All
14 CORS tricky concept CORS «security» controls Site A GET / HTTP/1.1 Host: Site_A 1 2 GET /content.htm HTTP/1.1 Host: Site_B Origin: Site B HTTP/ OK HTTP/ OK Access-Control-Allow-Origin: rely on Origin and Access-Control-Allow-Origin headers Relevant access control implemented on server Client Server trust relationship?????????????? 1/29/2014 Deny All /29/2014 Deny All
15 CORS Security Issues Access control No implementation standard Often set as site-level through includes or left universal Access-Control-Allow-Origin: * No reliable access control on server Preflighted requests Inform about supported methods Define security policy set on browser Responses are cached on client Browsers will not update their security policy 1/29/2014 Deny All /29/2014 Deny All
16 The Gig 1. CORS obsoletes SOP 2. iframes are out of control Browsers are turned into proxies «Native» browsing on internal networks Powerful DoS capabilities Accurate network (IP, port) scan behind the firewall Etc. 1/29/2014 Deny All /29/2014 Deny All
17 Empowering usual attacks 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All
18 Injections heaven 31 HTML5 new tags 31 new injections vectors supported by browsers <audio> <canvas> <command> <embed> <nav> <param> <source> <ruby> <track> <video> HTML5 new script event handlers 52 on* injection points + formaction : will bypass on\w+= like filters <form id="test" /> <button form="test" formaction="javascript:alert(1)"> Thousands of new evasion combinations 1/29/2014 Deny All /29/2014 Deny All
19 Attributes you will love Self-triggering execution through autofocus <input type="text" value="" onfocus="alert(1)" autofocus> Can be efficiently combined with appropriate handlers <body onscroll=alert(1)> <br><br><br><br><br><br>...<br><br><br> <input autofocus> Overwrite Stealth user userinput abuses with dirname <form action="" method="post"> <input name="username" value="admin" /> <input name="password" type="password" value="secret" /> <input name="captcha" value="" dirname="password"/> <input type="submit"> </form> username=admin&password=ltr&captcha= 1/29/2014 Deny All /29/2014 Deny All
20 Drag&Drop Jacking Abusing the D&D API Have a user drag & drop something Image, text, browser element (scrollbar, slider etc.) Set the value of dragged element to whatever you want Malicious data to be submitted on behalf of the user Confidential data to be stolen Have an invisible element follow the mouse Set the ondrop event handler of the iframe to whatever Feed form content (with malicious data) : CSRF Send content (stolen data) to 3rd party : Cross-domain data leak Bypasses cross-domain & CSRF protections 1/29/2014 Deny All /29/2014 Deny All
21 S more Clickjacking External forms content definition Thanks to the form & formaction attributes <form id='auth' action='/login'> <input type='text' placeholder='login'> <br><input type='password' placeholder='password'> <br><input type='submit' value='enter > </form> <input form='auth' type='submit' value='enter HERE' formaction=' > Can also be used to bypass CSRF protections Not that subtile, but still smarter than average users Trivial data theft & CSRF protections bypass 1/29/2014 Deny All /29/2014 Deny All
22 XSS Unleashed Screenshots with XSS Thanks to <canvas> tag Relay Hacker 5. Hacker retrieves screenshot 4. Victim sends screenshot 1. Hacker exploits XSS vulnerability 3. Victim executes Javascript Victim Browser 2. Malicious Javascript is loaded on Victim Vulnerable App 1/29/2014 Deny All /29/2014 Deny All
23 BotnetNG Bi-directional communication channel Server-Side Events to change web-based botnets behaviour Past : Agent regularly connect to C&C channel : to get commands and provide output «Easy» to identify and sign Threat is in out Efficiently addressed with outgoing proxies Now: No recurring connections to C&C channel Commands sent by server / responses sent asynchronously No standard behaviour to modelize Threat is out in Not addressed by web client security devices Botnet prevention mechanisms are obsolete 1/29/2014 Deny All /29/2014 Deny All
24 HTML5 Inside 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All
25 Password cracking A botnet case study Targets clients connected to compromised application Used to crack passwords Takes advantage of Web Workers Browsers compute hashes in the background Invisible to user, no impact on browser performances Just theory? Ravan, Distributed JS Computing Systems Supports MD5 and SHA hashes Simply a PoC, user are asked for permission Web hackers version of distributed computing 1/29/2014 Deny All /29/2014 Deny All
26 Dream comes True Issues with injections Volatile: limited timeframe Persistent: can be removed from compromised DB The Hacker s dream Persistent injections for unlimited timeframe Client-side persistency to prevent one-shot removal WebApp cache: HTML5 gift to the underground local HTML5 storage Independant from browser cache Not so easy to clean, whenever possible Prevents any request from the client Allow to cache anything, including the root of the application 1/29/2014 Deny All /29/2014 Deny All
27 WebApp Cache Browser requests a page GET / HTTP/1.1 <!DOCTYPE HTML> <html manifest="site.appcache"> <html> Manifest file URL Browser gets the Manifest file Specifies pages to be locally cached Some more stuff Browser stores the files Never to be requested again 1/29/2014 Deny All /29/2014 Deny All
28 The Ultimate APT One Scenario Exploit a client-side injection vulnerability on a server (XSS) Can be volatile, will be used just once Have the client browser execute something like document.getelementsbytagname("html")[0]\.setattribute("manifest"," Changes the manifest attribute to Set an entry in the corrupted manifest file to a corrupted file with «alternate» capabilties such as fishing or drive-by download Client access to application compromised forever 1/29/2014 Deny All /29/2014 Deny All
29 Conclusion 1/29/2014 1/29/2014 1/29/2014 Deny All 2012 Deny All 2013 Deny All
30 HTML5 opens doors between iframes and parents Browsers are turned into proxies Thousands of new evasion combinations 1/29/2014 Deny All /29/2014 Deny All
31 Preventing HTML5 abuses Identify new HTML5 content Tags, attributes, event handlers Identify previoulsy defined HTML5 content Now removed from recent drafts Still supported by browsers Evaluate suspicious combinations Tag name + attribute + event handler Efficiently identify script injections Don t try to understand (you can t) Identify the nature of data submitted to your application Enforce access restrictions In the core of applications for Cross-Document Messaging At the server level for CORS security 1/29/2014 Deny All /29/2014 Deny All
32 Thank you! /29/2014 Deny All /29/2014 Deny All
HTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationThe PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationTechno Expert Solutions An institute for specialized studies!
HTML5 and CSS3 Course Content to WEB W3C and W3C Members Why WHATWG? What is Web? HTML Basics Parts in HTML Document Editors Basic Elements Attributes Headings Basics Paragraphs Formatting Links Head CSS
More informationHTML Forms. CITS3403 Agile Web Development. 2018, Semester 1
HTML Forms CITS3403 Agile Web Development 2018, Semester 1 Some material Copyright 2013 Pearson Education, Inc. Publishing as Pearson Addison-Wesley. Forms A form is the usual way to get information from
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationBrowser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationChrome Extension Security Architecture
Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationCross-Site Request Forgery in Cisco SG220 series
Cross-Site Request Forgery in Cisco SG220 series Security advisory 12/09/2016 Renaud Dubourguais Nicolas Collignon www.synacktiv.com 5 rue Sextius Michel 75015 Paris Vulnerability description The Cisco
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationHigh -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018
HTB_WEBSECDOCS_v1.3.pdf Page 1 of 29 High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018 General Overview... 2 Meta-information... 4 HTTP Additional
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More information16. HTML5, HTML Graphics, & HTML Media 웹프로그래밍 2016 년 1 학기 충남대학교컴퓨터공학과
16. HTML5, HTML Graphics, & HTML Media 웹프로그래밍 2016 년 1 학기 충남대학교컴퓨터공학과 목차 HTML5 Introduction HTML5 Browser Support HTML5 Semantic Elements HTML5 Canvas HTML5 SVG HTML5 Multimedia 2 HTML5 Introduction What
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationSecure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn
Secure Parameter Filter (SPF) (AKA Protecting Vulnerable Applications with IIS7) Justin Clarke, Andrew Carey Nairn Our Observations The same old code-level problems Input Validation, Parameter Manipulation,
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationHTML5 - INTERVIEW QUESTIONS
HTML5 - INTERVIEW QUESTIONS http://www.tutorialspoint.com/html5/html5_interview_questions.htm Copyright tutorialspoint.com Dear readers, these HTML5 Interview Questions have been designed specially to
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationC1: Define Security Requirements
OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security
More informationTitle: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)
Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December
More informationBuilding Layers of Defense with Spring Security. We have to distrust each other. It is our only defense against betrayal. Tennessee Williams
Building Layers of Defense with Spring Security We have to distrust each other. It is our only defense against betrayal. Tennessee Williams About Me u Joris Kuipers ( @jkuipers) u Hands-on architect and
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationHTML5 Unbound: A Security & Privacy Drama. Mike Shema Qualys
HTML5 Unbound: A Security & Privacy Drama Mike Shema Qualys A Drama in Four Parts The Meaning & Mythology of HTML5 Security From Design Security (and Privacy) From HTML5 Design, Doom & Destiny This specification
More informationChat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev
Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2
More informationTabular Presentation of the Application Software Extended Package for Web Browsers
Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16
More informationEradicating DNS Rebinding with the Extended Same-Origin Policy
Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationPROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH
Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationCSRF in the Modern Age
CSRF in the Modern Age Sidestepping the CORS Standard Tanner Prynn @tannerprynn In This Talk The State of CSRF The CORS Standard How Not To Prevent CSRF The Fundamentals of HTTP Without cookies: With cookies:
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationBIG-IP Application Security Manager : Attack and Bot Signatures. Version 13.0
BIG-IP Application Security Manager : Attack and Bot Signatures Version 13.0 Table of Contents Table of Contents Assigning Attack Signatures to Security Policies...5 About attack signatures...5 About
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationWhat is HTML5? The previous version of HTML came in The web has changed a lot since then.
What is HTML5? HTML5 will be the new standard for HTML, XHTML, and the HTML DOM. The previous version of HTML came in 1999. The web has changed a lot since then. HTML5 is still a work in progress. However,
More informationSecurity issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith
Security issues Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Criteria D3 D3 Recommend ways to improve web security when using web server scripting Clean browser input Don
More information86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013
Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability
More information(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection
Pattern Recognition and Applications Lab (System) Integrity attacks System Abuse, Malicious File upload, SQL Injection Igino Corona igino.corona (at) diee.unica.it Computer Security April 9, 2018 Department
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationModern client-side defenses. Deian Stefan
Modern client-side defenses Deian Stefan Modern web site Modern web site Page code Modern web site Modern web site Page code Ad code Modern web site Page code Ad code Third-party APIs Modern web site Page
More informationClient-Side Security Using CORS
Università Ca Foscari Venezia Master s Degree programme Second Cycle (D.M. 270/2004) in Informatica Computer Science Final Thesis Client-Side Security Using CORS Supervisor Prof. Focardi Riccardo Candidate
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationPHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.
PHP Security Kevin Schroeder Zend Technologies Copyright 2007, Zend Technologies Inc. Disclaimer Do not use anything you learn here for nefarious purposes Why Program Securely? Your job/reputation depends
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationCross Site Request Forgery
Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland
More informationWeb Security. Aggelos Kiayias Justin Neumann
Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating
More informationNew Media Production HTML5
New Media Production HTML5 Modernizr, an HTML5 Detection Library Modernizr is an open source, MIT-licensed JavaScript library that detects support
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationEverything you need to know to get you started. By Kevin DeRudder
Everything you need to know to get you started with HTML5 By Kevin DeRudder @kevinderudder working for eguidelines and a lecturer at the Technical University of West Flanders. Contact me on kevin@e-guidelines.be
More informationCare & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers. Sunny Wear OWASP Tampa Chapter December
Care & Feeding of Programmers: Addressing App Sec Gaps using HTTP Headers Sunny Wear OWASP Tampa Chapter December Mee@ng 1 About the Speaker Informa@on Security Architect Areas of exper@se: Applica@on,
More informationAvoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:
Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication
More informationCSCE 120: Learning To Code
CSCE 120: Learning To Code Module 11.0: Consuming Data I Introduction to Ajax This module is designed to familiarize you with web services and web APIs and how to connect to such services and consume and
More informationCS Paul Krzyzanowski
Original Browser Static content on clients Servers were responsible for dynamic parts Computer Security 14. Web Security Security attacks were focused on servers Malformed URLs, buffer overflows, root
More informationComputer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 14. Web Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Original Browser Static content on clients Servers were responsible for
More informationComputer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks
Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications
More informationApplication Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.
Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers
More informationContent Security Policy
Content Security Policy And mitigating Cross-site Scripting vulnerabilities Joseph Fields M.Sc Computer Science - December 2016 Introduction HTML and Javascript power billions of websites visited daily
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationOctober 08: Introduction to Web Security
October 08: Introduction to Web Security Scribe: Rohan Padhye October 8, 2015 Web security is an important topic because web applications are particularly hard to secure, and are one of the most vulnerable/buggy
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing
More informationWeb Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs
Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax
More informationDeveloper's HTML5. Cookbook. AAddison-Wesley. Chuck Hudson. Tom Leadbetter. Upper Saddle River, NJ Boston Indianapolis San Francisco
HTML5 Developer's Cookbook Chuck Hudson Tom Leadbetter AAddison-Wesley Upper Saddle River, NJ Boston Indianapolis San Francisco New York Toronto Montreal London Munich Paris Madrid Capetown Sydney Tokyo
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationSECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More information