A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications
|
|
- Esther Ward
- 5 years ago
- Views:
Transcription
1 A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University December 8, / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
2 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
3 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
4 Outline CSRF Attacks 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
5 Outline CSRF Attacks and Q&A 2 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
6 CSRF Attacks Attacker Victim Please visit evil.com Browser Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
7 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
8 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser POST bank.com data + cookies Bank 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
9 CSRF Attacks Attacker Victim Please visit evil.com Click on link Browser POST bank.com data + cookies Bank Transfer money to attacker 3 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
10 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
11 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
12 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
13 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form POST bank.com data + cookies 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
14 CSRF Attacks (2) Attacker Please visit evil.com Victim Click on link Browser Malicious Server Bank Server Bank Database GET evil.com Send response Automatically submit form POST bank.com data + cookies Transfer money 4 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
15 Harder: Must recognize which requests are intended. Easier: allow requests from trusted origins. 5 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
16 Harder: Must recognize which requests are intended. Easier: allow requests from trusted origins. Two techniques: Use explicit origin information. Referrer : http :// attacker. com / csrf. html Require source pages to (manually) insert a secret token in requests. <form action="transfer.php" method="post"> <input type="hidden" name="csrf-token" value="gdfgf4sjhf4fgfa-df4">... 5 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
17 Key Benefits of Our Approach How does our solution improve the state of the art? 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
18 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
19 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. Can authenticate cross-origin requests. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
20 Key Benefits of Our Approach How does our solution improve the state of the art? Handles requests dynamically generated on the browser from JavaScript code. Can authenticate cross-origin requests. Is compatible with all browsers and transparent to web applications and languages. 6 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
21 Overview User Browser Visit safe.com GET Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
22 Overview User Browser Visit safe.com Display page GET Modified Response Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
23 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
24 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server adds token POST 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
25 Overview User Browser Visit safe.com Display page Submit form GET Modified Response Proxy GET Response Server adds token POST Verify Token POST 7 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
26 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Response 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
27 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
28 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
29 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
30 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Register submit handler for forms 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
31 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
32 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
33 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P C == P 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
34 Same-Origin Protocol User Browser Proxy Bank Server Visit safe.com GET safe.com GET safe.com Set-Cookie: C Response Response + jscript Display page Submit form Handler Register submit handler for forms Copy C from cookies into form as P POST post.php Cookie: C Data: form data + P C == P POST post.php Data: form data 8 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
35 Potential Attack Vectors Guess the user s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
36 Potential Attack Vectors Guess the user s token. Steal user s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
37 Potential Attack Vectors Guess the user s token. Steal user s token. Cause victim to use attacker s token. 9 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
38 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
39 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. Approach: T gives S a capability S includes this capability into the request for T. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
40 Supporting Cross-Origin Request Scenario: Source domain S submits a request to target T. Problem: S can set authentication parameter P for T, but can t set a cookie for T. Approach: T gives S a capability S includes this capability into the request for T. Challenge: capability should be usable only by one specific user. If S requests the capability from T on behalf of the user, T has nothing to bind the user to. Solution: have the browser bind the capability for T, then send it to S. 10 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
41 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
42 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form S handler 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
43 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
44 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler XmlHttpRequest X-No-Csrf: Yes Data: S 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
45 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
46 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler Insert P ST into form postmessage P ST to S XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
47 Cross-Origin Protocol User Browser Source Proxy (S) Target Proxy (T) Visit safe.com GET safe.com Response + jscript Register submit handler for forms Display page Submit form GET T iframe T iframe T S IFRAME handler Insert P ST into form postmessage P ST to S XmlHttpRequest X-No-Csrf: Yes Data: S Set-Cookie: C P ST P ST = AES(C S) POST post.php Cookie: C Data: form data + P ST Decrypt P ST to check for C and S 11 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
48 Potential Attack Vectors Guess the user s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
49 Potential Attack Vectors Guess the user s token. Steal the user s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
50 Potential Attack Vectors Guess the user s token. Steal the user s token. Cause victim to use attacker s token. 12 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
51 Limitations only protects POST requests. RFC 2616 mandates GET requests free of side effects Usability Issues: cannot type url or bookmark pages 13 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
52 Implementation Prototype implemented in Python as a server-side transparent proxy that includes a JavaScript file in every HTML page. Adds token to POST forms before submission. Uses jquery s live handlers to bind the token handler to all forms, including those dynamically created afterwards. Wraps existing event handlers to make transparent to them. 14 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
53 Protection Correctness is achieved by design, by relying on the Same-Origin Policy to prevent the attack scenarios presented. Tested it against two CVE vulnerabilities (RoundCube CVE , Acc PHP CVE ). 15 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
54 Compatibility Tested with popular Open-Source web applications. Future Work: develop a client-side proxy to test it with known web applications. Application Version LOC Type Compatible phpmyadmin K MySQL Administration Tool Yes SquirrelMail K WebMail Yes punbb K Bulletin Board Yes WordPress K Content-Management System Yes Drupal K Content-Management System Yes MediaWiki K Content-Management System Yes phpbb K Bulletin Board Yes 16 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
55 Related Work NoForge Dynamic Requests Support Cross-Origin Support Com- Browser patible No source code required X-Protect CSRFMagic CSRFGuard Origin SOMA 17 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
56 and Q&A Automatically protect dynamic web applications against POST-based CSRF attacks. Low overhead (if implemented as an apache module), compatible with most web applications. 18 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
57 and Q&A Automatically protect dynamic web applications against POST-based CSRF attacks. Low overhead (if implemented as an apache module), compatible with most web applications. Questions? 18 / 18 Riccardo Pelizzi : A CSRF Defense for Web 2.0 Applications
Robust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationRobust Defenses for Cross-Site Request Forgery
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationCross-Site Request Forgery
Cross-Site Request Forgery Venkateshwar Reddy S, MBA (Banking Technology), Pondicherry Central University, Puducherry, bobby938@gmail.com. Project guide: Dr. N.P. Dhavale, Deputy General Manager, INFINET
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationCross-Site Request Forgery in Cisco SG220 series
Cross-Site Request Forgery in Cisco SG220 series Security advisory 12/09/2016 Renaud Dubourguais Nicolas Collignon www.synacktiv.com 5 rue Sextius Michel 75015 Paris Vulnerability description The Cisco
More informationAutomatically Checking for Session Management Vulnerabilities in Web Applications
Regular Paper Automatically Checking for Session Management Vulnerabilities in Web Applications Yusuke Takamatsu 1,a) Yuji Kosuga 2 Kenji Kono 1,3 Received: July 4, 2012, Accepted: October 17, 2012 Abstract:
More informationSECURING APACHE : ATTACKS ON SESSION MANAGEMENT
SECURING APACHE : ATTACKS ON SESSION MANAGEMENT In this part of the series, we are going to concentrate on attacks on session management. Application-level attacks on the session is about obtaining or
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationPreventing Image based Cross Site Request Forgery Attacks
Preventing Image based Cross Site Request Forgery Attacks Ramarao R, Radhesh M, Alwyn R Pais Information Security Lab, Department of Computer Engineering, National Institute of Technology Karnataka, Surathkal,
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWeb Security: Cross-Site Attacks
Web Security: Cross-Site Attacks CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin,
More informationChrome Extension Security Architecture
Chrome Extension Security Architecture Presenter: Jienan Liu Network, Intelligence & security Lab outline Chrome extension introduction Threats towards extension Chrome extension s security architecture
More informationPenetration Test Report
Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationAbusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)
Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationCross-Site Request Forgery (CSRF) Attack Lab
Laboratory for Computer Security Education 1 Cross-Site Request Forgery (CSRF) Attack Lab (Web Application: Collabtive) Copyright c 2006-2011 Wenliang Du, Syracuse University. The development of this document
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Web Security: Vulnerabilities & Attacks Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationPerslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.
Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationSecure web proxy resistant to probing attacks
Technical Disclosure Commons Defensive Publications Series December 04, 2017 Secure web proxy resistant to probing attacks Benjamin Schwartz Follow this and additional works at: http://www.tdcommons.org/dpubs_series
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationWeb Security: Web Application Security [continued]
CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationWeb Security. Course: EPL 682 Name: Savvas Savva
Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk
More informationMulti-Post XSRF Web App Exploitation, total pwnage
Multi-Post XSRF Web App Exploitation, total pwnage Adrien de Beaupré SANS ISC Handler Tester of pens Certified SANS Instructor Intru-Shun.ca Inc. SecTor 2015 Introduction Web application vulnerabilities.
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates
More informationAssignment 6: Web Security
COS 432 November 20, 2017 Information Security Assignment 6: Web Security Assignment 6: Web Security This project is due on Monday, December 4 at 11:59 p.m.. Late submissions will be penalized by 10% per
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationReflected XSS Cross-Site Request Forgery Other Attacks
Reflected XSS Cross-Site Request Forgery Other Attacks CS 166: Introduction to Computer Systems Security 2/21/18 XSS, CSRF, Other Attacks 1 Reflected XSS 2/21/18 XSS, CSRF, Other Attacks 2 Recap of Persistent
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationWeb Security. Aggelos Kiayias Justin Neumann
Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationHomework 5: Exam Review
CIS 331 April 18, 2017 Introduction to Networks & Security Homework 5: Exam Review Homework 5: Exam Review This homework is due Wednesday, April 26 at 10 p.m.. You will have a budget of five late days
More informationIERG 4210 Tutorial 07. Securing web page (I): login page and admin user authentication Shizhan Zhu
IERG 4210 Tutorial 07 Securing web page (I): login page and admin user authentication Shizhan Zhu Content for today Phase 4 preview From now please pay attention to the security issue of your website This
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer
More informationSecurity. CSC309 TA: Sukwon Oh
Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and
More informationLecture 6: Web Security CS /17/2017
Lecture 6: Web Security CS5431 03/17/2017 2015 Security Incidents Web Vulnerabilities by Year 2500 2000 1500 1000 500 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013 2014 2015
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationHTML5 Web Security. Thomas Röthlisberger IT Security Analyst
HTML5 Web Security Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch
More informationProject 2: Web Security
EECS 388 September 30, 2016 Intro to Computer Security Project 2: Web Security Project 2: Web Security This project is due on Thursday, October 13 at 6 p.m. and counts for 8% of your course grade. Late
More informationOMOS: A Framework for Secure Communication in Mashup Applications
: A Framework for in Mashup Applications Saman Zarandioon Danfeng (Daphne) Yao Vinod Ganapathy Department of Computer Science Rutgers University Piscataway, NJ 08854 {samanz,danfeng,vinodg}@cs.rutgers.edu
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationESORICS September Martin Johns
SessionSafe: Implementing XSS Immune SessionHandling Universität Hamburg ESORICS 06 20. September 2006 Martin Johns Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself and I Martin
More informationMWR InfoSecurity Security Advisory. DotNetNuke Cross Site Request Forgery Vulnerability Contents
Contents MWR InfoSecurity Security Advisory DotNetNuke Cross Site Request Forgery Vulnerability 2010-06-14 2010-06-14 Page 1 of 7 Contents Contents 1 Detailed Vulnerability Description... 4 1.1 Introduction...
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationWeb Attacks CMSC 414. September 25 & 27, 2017
Web Attacks CMSC 414 September 25 & 27, 2017 Overview SQL Injection is frequently implemented as a web-based attack, but doesn t necessarily need to be There are a wide variety of web-based attacks Some
More informationYour Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns
Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies (@slekies) / Ben Stock (@kcotsneb) Martin Johns (@datenkeller) Agenda The Same-Origin Policy Cross-Site Script Inclusion (XSSI) Generalizing
More informationPreparing for the Cross Site Request Forgery Defense
Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:
More informationProgressive Authentication in ios
Progressive Authentication in ios Genghis Chau, Denis Plotnikov, Edwin Zhang December 12 th, 2014 1 Overview In today s increasingly mobile-centric world, more people are beginning to use their smartphones
More informationThe three faces. DeepSec Martin Johns University of Hamburg Universität Hamburg
The three faces of CSRF Universität Hamburg DeepSec 2007 23.11.2007 Martin Johns University of Hamburg johns@informatik.uni-hamburg.de Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Me, myself
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationTitle: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)
Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs) Document last modified on: 17th September 2009 Date of discovery of vulnerabilities: December
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationBen Livshits and Úlfar Erlingsson. Microsoft Research
Ben Livshits and Úlfar Erlingsson Microsoft Research Web application vulnerabilities more common than ever before The usual suspects: code injection vulnerabilities SQL injection Cross site scripting (XSS)
More informationEradicating DNS Rebinding with the Extended Same-Origin Policy
Eradicating DNS Rebinding with the Extended Same-Origin Policy Martin Johns, Sebastian Lekies and Ben Stock USENIX Security August 16th, 2013 Agenda DNS Rebinding The basic attack History repeating HTML5
More informationCS4264 Programming Assignment 3 Principles of Computer Security Due 4/11/2018, 5PM EST.
Laboratory for Computer Security Education 1 CS4264 Programming Assignment 3 Principles of Computer Security Due 4/11/2018, 5PM EST. Copyright c 2006-2010 Wenliang Du, Syracuse University. The development
More informationWeb Application Security
Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14
More informationClient-Side Security Using CORS
Università Ca Foscari Venezia Master s Degree programme Second Cycle (D.M. 270/2004) in Informatica Computer Science Final Thesis Client-Side Security Using CORS Supervisor Prof. Focardi Riccardo Candidate
More informationStop sweating the password and learn to love public key cryptography. Chris Streeks Solutions Engineer, Yubico
1 Stop sweating the password and learn to love public key cryptography Chris Streeks Solutions Engineer, Yubico Stop Sweating the Password! 2 Agenda Introduction The modern state of Phishing How to become
More informationWeb Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le
Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure
More informationWeb Attacks Lab. 35 Points Group Lab Due Date: Lesson 16
CS482 SQL and XSS Attack Lab AY172 1 Web Attacks Lab 35 Points Group Lab Due Date: Lesson 16 Derived from c 2006-2014 Wenliang Du, Syracuse University. Do not redistribute with explicit consent from MAJ
More informationWeb Security Part 2. Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu
Web Security Part 2 CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu Liberal borrowing from Mitchell, Boneh, Stanford CS 155 University of Wisconsin
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationWeb security: an introduction to attack techniques and defense methods
Web security: an introduction to attack techniques and defense methods Mauro Gentile Web Application Security (Elective in Computer Networks) F. d'amore Dept. of Computer, Control, and Management Engineering
More informationApplication Architectures for Critical Data Isolation. Zhenkai Liang
Application Architectures for Critical Data Isolation Zhenkai Liang 1 Computing Platform in Cloud Era User access control Same Origin Policy App Permissions 2 New Security Challenges Heterogeneous system
More informationCyber Security. Web Application Security 2. Adrian Dabrowski, Christian Kudera
Cyber Security Web Application Security 2 Adrian Dabrowski, Christian Kudera inetsec@seclab.tuwien.ac.at Last Lecture on Web Security OWASP Top Ten Web Application Vulnerabilities injections caused through
More informationUnusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.
Unusual Web Bugs A Web App Hacker s Bag O Tricks Alex kuza55 K. kuza55@gmail.com http://kuza55.blogspot.com/ I'm Alex Starting Uni next year Working for SIFT http://www.sift.com.au/ This talk is Not an
More information20486-Developing ASP.NET MVC 4 Web Applications
Course Outline 20486-Developing ASP.NET MVC 4 Web Applications Duration: 5 days (30 hours) Target Audience: This course is intended for professional web developers who use Microsoft Visual Studio in an
More informationIntroductions. Jack Katie
Main Screen Turn On Hands On Workshop Introductions Jack Skinner @developerjack Katie McLaughlin @glasnt And what about you? (not your employer) What s your flavour? PHP, Ruby, Python? Wordpress, Drupal,
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationMan-In-The-Browser Attacks. Daniel Tomescu
Man-In-The-Browser Attacks Daniel Tomescu 1 About me Work and education: Pentester @ KPMG Romania Moderator @ Romanian Security Team MSc. Eng. @ University Politehnica of Bucharest OSCP, CREST CRT Interests:
More informationCross Site Request Forgery
Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland
More information