A CDN that can not XSS you. Using Subresource Integrity
|
|
- Peregrine Wilkins
- 6 years ago
- Views:
Transcription
1 A CDN that can not XSS you Using Subresource Integrity
2 about:frederik Frederik Braun Security Engineer at Mozilla
3 Why am I here?
4 Content Delivery Networks
5 Who has seen code like this? <script src=" <link href=' ' rel='stylesheet' type='text/css'>
6 What does it do? <script src="
7 The Same-Origin Policy
8 Origins Explained :80
9 Can execute but most not read? <script src="
10 The Same Origin Policy
11 The Same Origin Policy XMLHttpRequest DOM Access Cookies Permissions
12 kotowicz's XSS-Track
13 kotowicz's XSS-Track
14 one vulnerability is enough
15
16 Picture from Cloudfare Popular JS libraries used for DDoS
17 Dear burglar, here's the combination to our safe. Please do not wake us up.
18 Subresource Integrity to the Rescue
19
20 SR I1.0 <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvqh/e1uhg5twh+y5qfqmyg=" crossorigin="anonymous"></script>
21 <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvqh/e1uhg5twh+y5qfqmyg=" SR I1.0 crossorigin="anonymous"></script>
22 Integrity Cryptographic Hash Functions
23 $ sha256sum ubuntu desktop-amd64.iso b970b014b3a2ea216fcf077328bfe32 18ed5c2f923fe2d9dfd2b41df9d735a5
24 Cryptographic Hash Functions Input Digest Fox cryptographic hash function DFCD 3454 BBEA 788A 751A 696C 24D CA99 2D17 The red fox jumps over the blue dog cryptographic hash function BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC The red fox jumps ouer the blue dog cryptographic hash function 8FD F32 D1C6 76B1 79A9 0DA4 AEFE 4819 The red fox jumps oevr the blue dog cryptographic hash function FCD3 7FDB 5AF2 C6FF 915F D401 C0A9 7D9A 46AF FB45 The red fox jumps oer the blue dog cryptographic hash function 8ACA D682 D588 4C75 4BF D88 BCF8 92B9 6A6C Image released into the public domain by Wikipedia user Lichtspiel
25 Cryptographic Hash Functions Input normal jquery modified jquery Digest cryptographic hash function DFCD 3454 BBEA 788A 751A 696C 24D CA99 2D17 cryptographic hash function BB FB7D CBE2 823C ACC7 6CD1 90B1 EE6E 3ABC
26 Reading Cross-Origin Data?
27 { 'status': 'authenticated, 'username': 'Alice' }
28 Let's attack! <script src=" integrity="{ hash for Bob }"></script> <script src=" integrity="{ hash for Alice }"></script>
29 HTTP/ OK Accept-Ranges: bytes Cache-Control: max-age= Content-Type: text/html Date: Wed, 29 Apr :33:56 GMT Etag: " " Server: Content-Length: {'wifi_enabled': true,, 'password': 'admin'}
30 Cross Origin Resource Sharing (CORS)
31 Recap
32 CORS Required
33 Using CORS HTTP/ OK Accept-Ranges: bytes Cache-Control: max-age= Content-Type: text/html Date: Wed, 29 Apr :33:56 GMT Etag: " " Server: Access-Control-Allow-Origin: * Content-Length:
34 SR I1.0 <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvqh/e1uhg5twh+y5qfqmyg=" crossorigin="anonymous"></script>
35 The Fineprint
36 integrity Syntax SR I1.0 <script src=" integrity="sha256-c6cb9u qfqmyg=" crossorigin="anonymous"></script>
37 integrity Syntax SR I1.0 sha256-c6cb9u qfqmyg=
38 Multiple Hash Functions SR I1.0 <script src=" integrity="sha256-c6cb9u qfqmyg= sha384-h8brh8j48o9oyatfu5azz t1flm52t+ex6xo" crossorigin="anonymous"></script>
39 Multiple Hashes SR I1.0 <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvqh/e1uhg5twh+y5qfqmyg= sha256-qznlcsrox4gacp2dm0uckczcg+hiz1guq6zzdob/tng=" crossorigin="anonymous"></script>
40 Multiple Hashes SR I1.0 <script src=" integrity="sha256-c6cb9uyis9ujeqinphwth 5qFQmYg= sha256-qznlcsrox4gacp2dm0uck Dob/Tng= sha384-h8brh8j48o9oyatfu5azz t1flm52t+ex6xo sha384-vqh/e1uhg5twh+yczcg+h LznqHiZ1guq6ZZ" crossorigin="anonymous"></script>
41 Outdated Hash Function SR I1.0 <script src=" integrity="brokenalgo-c6cb9uyis9ujeqinphwh/e1uhg5twh+y5qfqmyg=" crossorigin="anonymous"></script>
42 over HTTP or HTTPS?
43 Failover
44 An evil script was blocked \o/
45 Manual Error Recovery <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvq " crossorigin="anonymous"></script> SR I1.0 <script>window.jquery document.write('<script src="/jquery-.min.js"><\/script>')</script>
46 Future Work
47 Built-in Error Recovery? NO T IN SP EC <script src=" integrity="sha256-c6cb9uyis9ujeqinphwthvq " crossorigin="anonymous" fallbacksrc="/jquery.min.js"> </script>
48 Integrity Policies & Error Reporting NO T IN SP EC Content-Security-Policy: integrity-policy: ("block" / "report" / "fallback") ["require-forall"]
49 More Use Cases SR I1.0 <link rel="stylesheet" href=" integrity="sha256-sdfwewfae wefjijfe"/>
50 NO T IN SP EC Integrity and videos
51 NO T IN SP EC Integrity and videos
52 We need your help!
53 Editor's Draft
54 Tool Support Needed
55 Enable CORS! Send Access-Control-Allow-Origin: * now!
56 Conclusion
57 You can soon add integrity to secure your script loads.
58 Extending the Web is non-trivial
59 Browser Security needs to step up (and will)
60 Frederik #security on irc.mozilla.org Obligatory Red Panda photo by Wikipedia user Aconcagua, CC-BY-SA-3.0 Thank you for listening!
Browser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationExtending the browser to secure applications
Extending the browser to secure applications Highlights from W3C WebAppSec Group Deian Stefan Modern web apps have many moving pieces & parties Application code & content itself User provided content (e.g.,
More informations642 web security computer security adam everspaugh
s642 computer security web security adam everspaugh ace@cs.wisc.edu review memory protections / data execution prevention / address space layout randomization / stack protector Sandboxing / Limit damage
More informationAlert. In [ ]: %%javascript alert("hello");
JavaScript V Alerts and Dialogs For many years, alerts and dialogs, which pop up over the browser, were popular forms of user interaction These days there are nicer ways to handle these interactions, collectively
More informationModern client-side defenses. Deian Stefan
Modern client-side defenses Deian Stefan Modern web site Modern web site Page code Modern web site Modern web site Page code Ad code Modern web site Page code Ad code Third-party APIs Modern web site Page
More informationCIS-331 Spring 2016 Exam 1 Name: Total of 109 Points Version 1
Version 1 Instructions Write your name on the exam paper. Write your name and version number on the top of the yellow paper. Answer Question 1 on the exam paper. Answer Questions 2-4 on the yellow paper.
More informationLesson 12: JavaScript and AJAX
Lesson 12: JavaScript and AJAX Objectives Define fundamental AJAX elements and procedures Diagram common interactions among JavaScript, XML and XHTML Identify key XML structures and restrictions in relation
More informationCIS-331 Exam 2 Fall 2015 Total of 105 Points Version 1
Version 1 1. (20 Points) Given the class A network address 117.0.0.0 will be divided into multiple subnets. a. (5 Points) How many bits will be necessary to address 4,000 subnets? b. (5 Points) What is
More informationScan Results - ( Essentials - Onsharp )
Scan Results - www.onsharp.com ( Essentials - Onsharp ) Overview Open Ports (18) Scan ID: 7675527 Target: www.onsharp.com Max Score: 2.6 Compliance: Passing PCI compliance, Expires undefined Profile: 15
More informationBlack Box DCX3000 / DCX1000 Using the API
Black Box DCX3000 / DCX1000 Using the API updated 2/22/2017 This document will give you a brief overview of how to access the DCX3000 / DCX1000 API and how you can interact with it using an online tool.
More informationCIS-331 Fall 2013 Exam 1 Name: Total of 120 Points Version 1
Version 1 1. (24 Points) Show the routing tables for routers A, B, C, and D. Make sure you account for traffic to the Internet. NOTE: Router E should only be used for Internet traffic. Router A Router
More informationICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies
ICS 351: Today's plan IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies IPv6 routing almost the same routing protocols as for IPv4: RIPng, OSPFv6, BGP with
More informationID: Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/2018 Version:
ID: 42417 Cookbook: urldownload.jbs Time: 23:23:00 Date: 11/01/201 Version: 20.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Signature
More informationTriple DES and AES 192/256 Implementation Notes
Triple DES and AES 192/256 Implementation Notes Sample Password-to-Key and KeyChange results of Triple DES and AES 192/256 implementation For InterWorking Labs customers who require detailed information
More informationHigh Performance Websites Questions [10 pts] Computer Science nd Exam Prof. Papa Thursday, May 4, 2017, 6:00pm 7:20pm. Student ID Number:
Computer Science 571 2 nd Exam Prof. Papa Thursday, May 4, 2017, 6:00pm 7:20pm Name: Student ID Number: 1. This is a closed book exam. 2. Please answer all questions on the test Question Category Score
More informationBasics of Web Development
Supplementary Lecture 1 Outline 1. Big Picture 2. Client Side 3. Server Side 2 Big Picture Client Network Server Request (HTTP) Response (HTTP) 3 Client Any software capable of issuing HTTP requests (and
More informationMatt Terwilliger. Networking Crash Course
Matt Terwilliger Networking Crash Course Before We Start Client/Server Model Client requests information from server over pre-established protocols. TCP/IP Model Application Layer Transport Layer Internet
More informationIntegrity of messages
Lecturers: Mark D. Ryan and David Galindo. Cryptography 2016. Slide: 106 Integrity of messages Goal: Ensure change of message by attacker can be detected Key tool: Cryptographic hash function Definition
More informationICS 351: Today's plan. HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol
ICS 351: Today's plan HTTPS: SSL and TLS certificates cookies DNS reminder Simple Network Management Protocol secure HTTP HTTP by itself is very insecure: any man-in-the-middle attacker can observe all
More informationIntroduction to Ethical Hacking
Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More information4. Specifications and Additional Information
4. Specifications and Additional Information AGX52004-1.0 8B/10B Code This section provides information about the data and control codes for Arria GX devices. Code Notation The 8B/10B data and control
More informationThe security of Mozilla Firefox s Extensions. Kristjan Krips
The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting
More informationXSS Homework. 1 Overview. 2 Lab Environment
XSS Homework 1 Overview Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 web scripting languages web content described by HTML was originally static, corresponding to files
More informationAttacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.
Attacking Web2.0 Daiki Fukumori Secure Sky Technology Inc. Agenda Introduction What Is Web2.0 (from Attackers view) Attacking Same-Origin Policy Advanced Attacking Same-Origin
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationAvoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:
Avoiding Web Application Flaws In Embedded Devices Jake Edge LWN.net jake@lwn.net URL for slides: http://lwn.net/talks/elce2008 Overview Examples embedded devices gone bad Brief introduction to HTTP Authentication
More informationIERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu
IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu Content for today Phase 4 preview From now please pay attention to the security issue of your website This
More informationStatus: SEO Tests. Title. Title Length. Title Relevancy. Description. Description Length. Description Relevancy. Keywords.
color = Error color = Warn color = Passed Status: http://tsetso.info/ SEO Tests Status: 200 OK Charset: utf-8-strict Page Content Size: 2,523,502 bytes Social Media Shares: 1 shares Passed: 31 passed Warnings:
More informationFlask-Cors Documentation
Flask-Cors Documentation Release 3.0.4 Cory Dolphin Apr 26, 2018 Contents 1 Installation 3 2 Usage 5 2.1 Simple Usage............................................... 5 3 Documentation 7 4 Troubleshooting
More informationHashCookies A Simple Recipe
OWASP London Chapter - 21st May 2009 HashCookies A Simple Recipe Take a cookie Add some salt Add a sequence number John Fitzpatrick Full paper at http://labs.mwrinfosecurity.com Structure What are hashcookies
More informationCommunication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner
Communication Networks (0368-3030) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University Allon Wagner Several slides adapted from a presentation made by Dan Touitou on behalf of Cisco.
More informationSecurity Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability
Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 5 Secure Network - Security Research
More informationExecutive Summary. Performance Report for: https://edwardtbabinski.us/blogger/social/index. The web should be fast. How does this affect me?
The web should be fast. Executive Summary Performance Report for: https://edwardtbabinski.us/blogger/social/index Report generated: Test Server Region: Using: Analysis options: Tue,, 2017, 4:21 AM -0400
More informationICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder
ICS 351: Today's plan web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder 1 client-side scripts and security while client-side scripts do much to improve the appearance of pages,
More informationCryptographic Hash Functions. Secure Software Systems
1 Cryptographic Hash Functions 2 Cryptographic Hash Functions Input: Message of arbitrary size Output: Digest (hashed output) of fixed size Loreum ipsum Hash Function 23sdfw83x8mjyacd6 (message of arbitrary
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationWeb Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le
Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationExecutive Summary. Performance Report for: The web should be fast. Top 1 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: http://instantwebapp.co.uk/8/ Report generated: Test Server Region: Using: Fri, May 19, 2017, 4:01 AM -0700 Vancouver, Canada Firefox (Desktop)
More informationThe HTTP Protocol HTTP
The HTTP Protocol HTTP Copyright (c) 2013 Young W. Lim. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later
More informationComputer Networks. Wenzhong Li. Nanjing University
Computer Networks Wenzhong Li Nanjing University 1 Chapter 8. Internet Applications Internet Applications Overview Domain Name Service (DNS) Electronic Mail File Transfer Protocol (FTP) WWW and HTTP Content
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationCIS 5373 Systems Security
CIS 5373 Systems Security Topic 5.1: Web Security Basics Endadul Hoque Slide Acknowledgment Contents are based on slides from Cristina Nita-Rotaru (Northeastern) Wil Robertson (Northeastern) John Mitchell
More informationSecurity. SWE 432, Fall 2017 Design and Implementation of Software for the Web
Security SWE 432, Fall 2017 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Authorization oauth 2 Security Why is it important? Users data is
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationThou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web
Toby Lauinger, A. Chaabane, S. Arshad, W. Robertson, C. Wilson, E. Kirda Thou Shalt Not Depend on Me: Analysing the Use of Outdated JavaScript Libraries on the Web NDSS 2017 Motivation 87% of Alexa websites
More informationThe cache is 4-way set associative, with 4-byte blocks, and 16 total lines
Sample Problem 1 Assume the following memory setup: Virtual addresses are 20 bits wide Physical addresses are 15 bits wide The page size if 1KB (2 10 bytes) The TLB is 2-way set associative, with 8 total
More informationWeb Applica+on Security
Web Applica+on Security Raluca Ada Popa Feb 25, 2013 6.857: Computer and Network Security See last slide for credits Outline Web basics: HTTP Web security: Authen+ca+on: passwords, cookies Security amacks
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationCORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks
Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents What is CORS?...3 How to Test?...4 CORS Checker Script...6 References...9 2 P a g e What is CORS? CORS
More informationHosting Roadmap Upgrades, Improvements and Changes
Hosting Roadmap 2014 Upgrades, Improvements and Changes Objectives First and Foremost : Uptime Denial of Service (DDoS) Attack Mitigation Mitigate Hacking Attempts Eliminate Media Outages (95% of the data)
More informationYioop Full Historical Indexing In Cache Navigation. Akshat Kukreti
Yioop Full Historical Indexing In Cache Navigation Akshat Kukreti Agenda Introduction History Feature Cache Page Validation Feature Conclusion Demo Introduction Project goals History feature for enabling
More informationWhy bother? Causes of data breaches OWASP. Top ten attacks. Now what? Do it yourself Questions?
Jeroen van Beek 1 Why bother? Causes of data breaches OWASP Top ten attacks Now what? Do it yourself Questions? 2 In many cases the web application stores: Credit card details Personal information Passwords
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationID: Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version:
ID: 59176 Cookbook: browseurl.jbs Time: 19:37:50 Date: 11/05/2018 Version: 22.0.0 Table of Contents Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis
More informationWebsite review kizi10.top
Website review kizi10.top Generated on December 13 2018 22:07 PM The score is 43/100 SEO Content Title kizi10.top Length : 10 Perfect, your title contains between 10 and 70 characters. Description Length
More informationLEARN HOW TO USE CA PPM REST API in 2 Minutes!
LEARN HOW TO USE CA PPM REST API in 2 Minutes! WANT TO LEARN MORE ABOUT CA PPM REST API? If you are excited about the updates to the REST API in CA PPM V14.4 and would like to explore some of the REST
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationCIS-331 Fall 2014 Exam 1 Name: Total of 109 Points Version 1
Version 1 1. (24 Points) Show the routing tables for routers A, B, C, and D. Make sure you account for traffic to the Internet. Router A Router B Router C Router D Network Next Hop Next Hop Next Hop Next
More informationCS144 Notes: Web Standards
CS144 Notes: Web Standards Basic interaction Example: http://www.youtube.com - Q: what is going on behind the scene? * Q: What entities are involved in this interaction? * Q: What is the role of each entity?
More informationBOOSTING THE SECURITY
BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS
More informationCS7026. Introduction to jquery
CS7026 Introduction to jquery What is jquery? jquery is a cross-browser JavaScript Library. A JavaScript library is a library of pre-written JavaScript which allows for easier development of JavaScript-based
More informationTECHNICAL NOTES. Player Security Statement. BrightSign, LLC Lark Ave., Suite 200 Los Gatos, CA
TECHNICAL NOTES Player Security Statement BrightSign, LLC. 16795 Lark Ave., Suite 200 Los Gatos, CA 95032 408-852-9263 www.brightsign.biz INTRODUCTION The network settings of a BrightSign player are highly
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationID: Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version:
ID: 73278 Cookbook: browseurl.jbs Time: 23:19:26 Date: 20/08/2018 Version: 23.0.0 Table of Contents Analysis Report Overview General Information Detection Confidence Classification Analysis Advice Signature
More informationOverview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises
More informationExecutive Summary. Performance Report for: The web should be fast. Top 4 Priority Issues
The web should be fast. Executive Summary Performance Report for: https://www.wpspeedupoptimisation.com/ Report generated: Test Server Region: Using: Tue,, 2018, 12:04 PM -0800 London, UK Chrome (Desktop)
More informationSEEM4570 System Design and Implementation. Lecture 3 Cordova and jquery
SEEM4570 System Design and Implementation Lecture 3 Cordova and jquery Prepare a Cordova Project Assume you have installed all components successfully and initialized a project. E.g. follow Lecture Note
More informationAGENCE WEB MADE IN DOM
AGENCE WEB MADE IN DOM https://madeindom.com/ Création de site internet dans les DROM GUADELOUPE - MARTINIQUE GUYANE-MAYOTTE LA REUNION RAPPORT DE VITESSE SITE INTERNET The web should be fast. Executive
More informationCSCI-1680 WWW Rodrigo Fonseca
CSCI-1680 WWW Rodrigo Fonseca Based partly on lecture notes by Sco2 Shenker and John Janno6 Administrivia HW3 out today Will cover HTTP, DNS, TCP TCP Milestone II coming up on Monday Make sure you sign
More informationeb Security Software Studio
eb Security Software Studio yslin@datalab 1 OWASP Top 10 Security Risks in 2017 Rank Name 1 Injection 2 Broken Authentication and Session Management 3 Cross-Site Scripting (XSS) 4 Broken Access Control
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationCSCI-1680 WWW Rodrigo Fonseca
CSCI-1680 WWW Rodrigo Fonseca Based partly on lecture notes by Scott Shenker and John Jannotti Precursors 1945, Vannevar Bush, Memex: a device in which an individual stores all his books, records, and
More informationClient-Side Security Using CORS
Università Ca Foscari Venezia Master s Degree programme Second Cycle (D.M. 270/2004) in Informatica Computer Science Final Thesis Client-Side Security Using CORS Supervisor Prof. Focardi Riccardo Candidate
More informationManaging Administrative Security
5 CHAPTER 5 Managing Administrative Security This chapter describes how to manage administrative security by using the secure administration feature. This chapter assumes that you are familiar with security
More informationOrigin Policy Enforcement in Modern Browsers
Origin Policy Enforcement in Modern Browsers A Case Study in Same Origin Implementations Frederik Braun Frederik Braun (Ruhr-Uni Bochum/Mozilla) Origin Policy Enforcement June 21, 2013 1 / 32 Table of
More informationWeb as a Distributed System
Web as a Distributed System The World Wide Web is a large distributed system. In 1998 comprises 70-75% of Internet traffic. With large transfers of streaming media and p2p, no longer a majority of bytes,
More informationNetwork-based Origin Confusion Attacks against HTTPS Virtual Hosting
Network-based Origin Confusion Attacks against HTTPS Virtual Hosting Antoine Delignat-Lavaud, Karthikeyan Bhargavan Prosecco, Inria Paris-Rocquencourt 1 The Web Security Protocol Stack JavaScript runtime
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationExecutive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues
The web should be fast. Executive Summary Performance Report for: http://magento-standard.eworld-accelerator.com Report generated: Test Server Region: Using: Tue, Sep 22, 2015, 11:12 AM +0200 London, UK
More informationWeb Architecture and Technologies
Web Architecture and Technologies Ambient intelligence Fulvio Corno Politecnico di Torino, 2015/2016 Goal Understanding Web technologies Adopted for User Interfaces Adopted for Distributed Application
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationZN-DN312XE-M Quick User Guide
ZN-DN312XE-M Quick User Guide This manual provides instructions for quick installation and basic configuration of your IP device. Step1. Connect cables to IP device Connect required cables to the device
More informationECE297 Quick Start Guide Wiki
ECE297 Quick Start Guide Wiki Problems are solved not by giving new information, but by arranging what we have always known." Ludwig Wittgenstein 1 Intro: The ECE297 Wiki Welcome to the ECE297 wiki. A
More informationWeb Security Model and Applications
Web Security Model and Applications In this Tutorial Motivation: formal security analysis of web applications and standards Our Model of the Web Infrastructure Single Sign-On Case Studies Formal Security
More informationHTTP Protocol and Server-Side Basics
HTTP Protocol and Server-Side Basics Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming HTTP Protocol and Server-Side Basics Slide 1/26 Outline The HTTP protocol Environment Variables
More informationThe HTTP protocol. Fulvio Corno, Dario Bonino. 08/10/09 http 1
The HTTP protocol Fulvio Corno, Dario Bonino 08/10/09 http 1 What is HTTP? HTTP stands for Hypertext Transfer Protocol It is the network protocol used to delivery virtually all data over the WWW: Images
More informationSecure Remote Password (SRP)
COMP5351 Internet Infrastructure Security A Practical Study and Analysis of Secure Remote Password (SRP) Protocol May 2006 Group Members: Billy Chan, 04716379G Billy Yeung, 02413190G Chris Chow, 04413645G
More informationExecutive Summary. Performance Report for: The web should be fast. Top 5 Priority Issues. How does this affect me?
The web should be fast. Executive Summary Performance Report for: http://ardrosscs.ie/ Report generated: Test Server Region: Using: Sat, May 6, 2017, 5:14 AM -0700 Vancouver, Canada Firefox (Desktop) 49.0.2,
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationLecture 6: Web Security CS /17/2017
Lecture 6: Web Security CS5431 03/17/2017 2015 Security Incidents Web Vulnerabilities by Year 2500 2000 1500 1000 500 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
More informationJavaScript: Events, the DOM Tree, jquery and Timing
JavaScript: Events, the DOM Tree, jquery and Timing CISC 282 October 11, 2017 window.onload Conflict Can only set window.onload = function once What if you have multiple files for handlers? What if you're
More informationAppSpider Enterprise. Getting Started Guide
AppSpider Enterprise Getting Started Guide Contents Contents 2 About AppSpider Enterprise 4 Getting Started (System Administrator) 5 Login 5 Client 6 Add Client 7 Cloud Engines 8 Scanner Groups 8 Account
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationInternet Architecture. Web Programming - 2 (Ref: Chapter 2) IP Software. IP Addressing. TCP/IP Basics. Client Server Basics. URL and MIME Types HTTP
Web Programming - 2 (Ref: Chapter 2) TCP/IP Basics Internet Architecture Client Server Basics URL and MIME Types HTTP Routers interconnect the network TCP/IP software provides illusion of a single network
More information