MTAT Research Seminar in Cryptography: The Security of Mozilla Firefox's Extensions
Kristjan Krips

1 Introduction

Mozilla Firefox has 24.05% of the recorded usage share of web browsers as of October 2009, making it the second most popular browser in terms of current use worldwide after Microsoft's Internet Explorer [1]. One reason behind its popularity is the possibility to change the functionality and the appearance of the browser. These modifications are added by extensions. As the use of the browser grows, the use of extensions will grow with it. Another reason is security, which is supposed to be better than that of closed source browsers. But as Firefox gains more users it will also get more attention from attackers, so it is important to know where the possible weaknesses in its security model are.

In this paper I will give an overview of the risks that Firefox's extensions may pose. When used in the wrong way, extensions may become a very big security threat. It is possible to overlay Firefox's code using extensions, even the code of other extensions. It is also possible to change the way web pages are displayed; website defacement is easy to achieve. Considering the latter, it is important to find out whether the current security model of Firefox's extensions is sufficient and, if it is not, what can be done to improve it.

2 The extension model

Extensions work by overlaying the code of Firefox. This is done through the user interface, which is written in XUL (XML User Interface Language) combined with JavaScript, CSS and HTML elements. XUL-based applications load the code for their interface from chrome:// URLs. Code loaded from a chrome URL has extended, or chrome, privileges. Code running with chrome privileges is allowed to do everything, unlike web content, which is restricted in several ways [2].
When loading content from a chrome URI, Firefox uses the Chrome Registry to translate these URIs into the actual source files on disk (or in JAR packages) [3]. Extensions can access the Gecko engine, which is a cross-platform layout engine. Access to the engine is provided through a middle layer named XPConnect, which allows JavaScript to interact with XPCOM (Cross Platform Component Object Model). This component object model makes virtually all of the functionality of Gecko available as a series of components, or reusable cross-platform libraries, which can be accessed from the web browser or scripted from any Mozilla application. Applications that want to access the various Mozilla XPCOM libraries (networking, security, DOM, etc.) use a special layer of XPCOM called XPConnect, which reflects the library interfaces into JavaScript (or other languages). XPConnect glues the front end to the C++ or C based components in XPCOM, and it can be extended to include scripting support for other languages [4].

3 Threats from the extensions

3.1 Website defacement

Website defacement is the main topic of this paper. It is possible to change the way a web page is displayed while it is being loaded. JavaScript with a specific event listener is enough to change the content of a web page. DOMContentLoaded is the event that could be used: it is fired on a Window object when a document's DOM content is finished loading, but unlike "load" it does not wait until all images are loaded [5].
I made an extension to test whether I could use these methods to change the way an https page is displayed. It worked: after the DOM had been loaded it was possible to modify the content before it was displayed. This shows that Firefox does not guarantee that a verified web page is always displayed unaltered.

3.2 Tricking a user into thinking that he is using a secure site

To trick a user into thinking that a web page is secure, he must see no difference between the real page and the fake one. Firefox uses several methods to change the user interface so that the user sees certain icons or extra information when using a secure site. Firefox classifies web pages into three categories: pages with no identity information, pages with basic identity information and pages with complete identity information. The last two are both encrypted pages whose domain has been verified, but the latter also carries information about the owner of the site. To visualize the categorization, Firefox (since version 3.0) provides a colored button on the left side of the address bar. This area is called the site identity button. If the page has no identity information, the button is colored grey; if the page is verified and uses encryption but carries no information about the owner, it is colored blue; and when the page has complete identity information it is colored green.

It should not be possible to change the color of the site identity button, as this is the first thing that makes the user notice that he is using a secure site. But with only a few lines of code it is possible to overlay the site identity button's background color to make it look identical to the one used on secure sites. This is done by overlaying the default background color with the chosen one:

    #identity-box { background: #339933; }
    /* For Mac OS a few more lines are needed */

Another security feature is the padlock icon, which is shown on secure sites.
Firefox places the icon on the right side of the status bar. But there are no restrictions on extensions overlaying the skin of the browser. It is possible to disable the icon with one line of code and to add a false icon with a few more lines. When browser.xul is overlaid with these lines added, the extension adds an identical padlock icon to the status bar:

    <statusbar id="status-bar">
      <statusbarpanel id="testapp-status-bar-icon"
                      class="statusbarpanel-iconic"
                      src="chrome://testapp/skin/status-barpadlock.png"
                      position="3" />
    </statusbar>

3.3 Cross site scripting

Cross-site scripting attacks are a type of injection problem, in which malicious scripts are injected into otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user [6]. According to Suggi Liverani and Nick Freeman at Defcon 17, any input rendered in the chrome is a potential XSS injection point. XSS in chrome is privileged code, so there are no same origin policy restrictions [7].

4 Attack scenarios

4.1 Stealing sensitive information

Website defacement gives the attacker the opportunity to change the URL behind the name of a link on a secure web page. The false link could lead to a visually identical web page controlled by the attacker. Additionally, the web site could be modified in such a way that clicking on a login or send button would send the information to the attacker as well. A bad extension could also collect the usernames and passwords saved in Firefox and send them to the attacker. This is possible if a master password has not been set for viewing the saved passwords.

4.2 Adding security holes

According to Suggi Liverani and Nick Freeman at Defcon 17, there are no security boundaries between extensions. This means that it is possible to write an extension which alters the behavior of another extension [7].
Using that, it would be possible to create security holes, for example by enabling cross site scripting. Suppose an attacker has made a web page which injects code into the browser's chrome and wants the user of his bad extension to visit that site. The attacker can set the default home page to his site, if he does not care about staying hidden, or open a new tab at a certain time and hope that the user will not understand what has happened.

5 How are extensions distributed

Firefox is an open source project and anyone willing to learn the basics could write simple extensions. Because of that there are many who would like to get feedback about their extensions. Mozilla has made a web page for that, where anyone can post their extensions. There is a huge number of extensions being developed and they cannot all be reviewed as they are submitted. The solution is that new extensions are sent to the sandbox, where the possibilities for distribution are somewhat limited. This is called the sandbox review system. "The sandbox is an area for advanced users to test add-ons before they are reviewed for general use. In order to access the sandbox, you must enable it in your account settings. Caution should be used when installing sandboxed add-ons, as they have not been tested by an editor and may harm your computer" [8].

To make an extension public, it is submitted for review, but to do that there has to be some feedback from other developers. Reviewing is done by an editor. Editors are usually developers who like to review others' extensions. Anyone who meets the requirements can apply to become an editor. The requirements are reviews and showing an understanding of the sandbox system. When two editors or administrators think that the candidate is ready, he becomes an editor. This requirement style does not require much resource, but it does not guarantee that the new editor has the proper knowledge to deal with security issues.
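The review step just described is manual, but the mechanisms from sections 2, 3.1 and 3.2 (overlay and style registration against browser.xul in chrome.manifest, CSS rules on #identity-box or #status-bar, XUL panels added to the status bar, and DOMContentLoaded listeners that can rewrite a page before display) all leave visible traces in an extension's files, so an editor can look for them mechanically. The following JavaScript is an added example written for this page, not code from the paper or from Mozilla; the file names, the chrome.manifest lines and the sample extension contents are constructed. It reports every such pattern found in a { fileName: contents } map and leaves the judgement of whether the use is legitimate (an ad blocker also listens for DOMContentLoaded) to the reviewer.

```javascript
// Added example (not from the paper or from Mozilla): a static checker that
// flags the overlay mechanisms the paper describes so that a reviewer can
// inspect them by hand. Inputs are plain strings; file names are assumptions.

// Element ids the paper names as security UI that an extension should not restyle.
const SECURITY_UI_IDS = ['identity-box', 'status-bar'];

// chrome.manifest: 'overlay' and 'style' instructions whose target is
// browser.xul let an extension rewrite or restyle the main browser window.
function scanManifest(text) {
  const findings = [];
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    const [instruction, target] = line.split(/\s+/);
    if ((instruction === 'overlay' || instruction === 'style') &&
        target && target.endsWith('browser.xul')) {
      findings.push({ kind: 'manifest', detail: line });
    }
  }
  return findings;
}

// CSS: any rule whose selector mentions a security UI id (comments stripped first).
function scanCss(text) {
  const findings = [];
  const stripped = text.replace(/\/\*[\s\S]*?\*\//g, '');
  const rule = /([^{}]+)\{[^}]*\}/g;
  let m;
  while ((m = rule.exec(stripped)) !== null) {
    const selector = m[1].trim();
    for (const id of SECURITY_UI_IDS) {
      if (selector.includes('#' + id)) findings.push({ kind: 'css', detail: selector });
    }
  }
  return findings;
}

// XUL: statusbarpanel elements carrying an image, placed inside the main
// status bar. A regex approximation, not an XML parse.
function scanXul(text) {
  const findings = [];
  const statusBar = /<statusbar\s+id="status-bar"[^>]*>([\s\S]*?)<\/statusbar>/g;
  let m;
  while ((m = statusBar.exec(text)) !== null) {
    const panels = m[1].match(/<statusbarpanel\b[^>]*\bsrc="[^"]*"[^>]*\/?>/g) || [];
    for (const p of panels) findings.push({ kind: 'xul', detail: p.replace(/\s+/g, ' ') });
  }
  return findings;
}

// JavaScript: listeners that run on DOMContentLoaded, i.e. between load and display.
function scanScript(text) {
  const findings = [];
  const listener = /addEventListener\s*\(\s*['"]DOMContentLoaded['"]/g;
  let m;
  while ((m = listener.exec(text)) !== null) findings.push({ kind: 'script', detail: m[0] });
  return findings;
}

// Run every scanner over a { fileName: contents } map and summarise.
function vetExtension(files) {
  const findings = [];
  for (const [name, text] of Object.entries(files)) {
    if (name.endsWith('chrome.manifest')) findings.push(...scanManifest(text));
    else if (name.endsWith('.css')) findings.push(...scanCss(text));
    else if (name.endsWith('.xul')) findings.push(...scanXul(text));
    else if (name.endsWith('.js')) findings.push(...scanScript(text));
  }
  return { findings, needsManualReview: findings.length > 0 };
}

// Constructed sample extension reproducing the paper's snippets.
const SAMPLE_EXTENSION = {
  'chrome.manifest': [
    'content testapp chrome/content/',
    'skin testapp classic/1.0 chrome/skin/',
    'overlay chrome://browser/content/browser.xul chrome://testapp/content/overlay.xul',
    'style chrome://browser/content/browser.xul chrome://testapp/skin/override.css',
  ].join('\n'),
  'chrome/skin/override.css':
    '/* constructed */ #identity-box { background: #339933; }\n.harmless { color: red; }',
  'chrome/content/overlay.xul':
    '<statusbar id="status-bar">\n' +
    '  <statusbarpanel id="testapp-status-bar-icon" class="statusbarpanel-iconic"\n' +
    '    src="chrome://testapp/skin/status-barpadlock.png" position="3" />\n' +
    '</statusbar>',
  'chrome/content/overlay.js':
    'window.addEventListener("DOMContentLoaded", function (e) { /* rewrites the page */ }, true);',
};

console.log(JSON.stringify(vetExtension(SAMPLE_EXTENSION), null, 2));
```

On the sample the checker reports five findings: both manifest lines that target browser.xul, the #identity-box rule, the added status bar panel and the DOMContentLoaded listener. A real review tool would also unpack the XPI and JAR files and walk every registered chrome package, but the decision rules stay the same.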
Also, an attacker could apply to become an editor and could gain the right to accept bad extensions if the second editor had not noticed a possible threat to security.

6 How could bad extensions be distributed

6.1 Hijacking a public Wi-Fi

Having control over the wireless network makes it possible to fake the update of an extension and install the bad extension instead. Every time the browser starts it checks for updates to its extensions. Extensions hosted on Mozilla's official servers are updated using secure protocols, but there are many popular extensions that use insecure protocols for transmitting updates. These extensions are a potential security threat. "According to Chris Soghoian, the Indiana University doctoral candidate who discovered the weakness, the vulnerability exists for some of the most popular Firefox add-ons, including Google Toolbar, Google Browser Sync, Yahoo Toolbar, Del.icio.us, Facebook Toolbar, AOL Toolbar, Ask.com Toolbar, LinkedIn Browser Toolbar, Netcraft Anti-Phishing Toolbar, PhishTank SiteChecker and a number of others, mainly commercial extensions" [9].

6.2 Installing a bad extension on a public computer

Installing an extension is easy; it can be done using drag and drop. Dragging the extension file to the browser window initiates the installation. By default the extension is installed only for the user who installed it. On public computers anyone can install an extension, as it does not require administrative rights. There is a vulnerability when the public computer does not delete user profiles after every use. For example, students in some classes are able to use the computers with administrative rights.

6.3 Using a trusted extension

The trusted extensions that are hosted at Mozilla's official site do not need reviews for updates. After an extension has been granted trust, it is possible for the developer to add bad code to the next update, and the extension with the bad code will spread widely.
7 Ways of improving the security model

At the moment extension code is trusted by Firefox. It does not differentiate the rights of extensions by the security level of the web site. The user should always feel safe when visiting trusted and encrypted web sites; it should not be possible to alter the way a secure site's content is displayed. There are several ways to change this behavior. The strictest would be to disable all extensions on secure web pages. But this could affect the popularity of Firefox. Also, at the moment the extension model is built so that a restart is needed to disable an extension; changing that requires rewriting the way Firefox uses extensions. Another solution would be to allow the use of trusted or certified extensions on secure pages and to disable all other extensions. This faces the same restart problem as the previous solution, but if restarting could be avoided it would probably be the better solution.

As shown before, it is possible to change the content of a web page before it is displayed; this is done by modifying the DOM. There should be a restriction for https pages which would not allow modifications of the DOM. The downside would be that extensions could no longer be used for blocking advertisements, as these are also part of the content of the page. But usually there are not many advertisements on secure pages, and it is better to know that you are safe.

At the moment there is a solution for all these problems, but many people may not like it. When Firefox is started in safe mode, it disables all extensions, and thus there is no threat from extensions. Even if users know that a safer way exists, many will not like the idea of closing the current browser window with all of its tabs just to open the same browser again. While working, it would take valuable time, and changing the way users behave requires time and effort. They would have to know that extensions are not always safe, but it is more realistic that the developers will eventually make the extensions safer than that users will be told there is a potential threat to security and that safe mode is recommended.

8 Conclusion

The current extension model has its flaws. Very little thought has been given to security. With the growth of the user base it is necessary to focus on security, or the browser might lose its status of being safe. According to Suggi Liverani and Nick Freeman at Defcon 17, the security model of Firefox is nonexistent: the code of the extensions is fully trusted and there are no boundaries between extensions [7]. The risk of attacks originating from extensions grows, but users are not aware of the dangers; because of that it is important to minimize the risks. To do that it is necessary to make a new security model which would consider the security of developing, distributing and updating extensions, give different rights to different extensions, and limit their rights on secure sites.
References

[1] Browser Market Share (October 2009). Mozilla Firefox.
[2] Chrome.
[3] Building an extension. _Extension
[4] XPCOM.
[5] Gecko-Specific DOM Events. Specific_DOM_Events
[6] Cross-site Scripting (XSS).
[7] Abusing Firefox Extensions. ting_firefox_extensions/eusecwest09_-_Roberto_Suggi_Liverani_-_Nick%20Freeman_-_Exploiting_Firefox_Extensions.pdf
[8] Sandbox review system. US/firefox/pages/sandbox
[9] A New Vector For Hackers -- Firefox Add-Ons. 007/05/bungled_addon_updates_endanger.html
More informationOne of the fundamental kinds of websites that SharePoint 2010 allows
Chapter 1 Getting to Know Your Team Site In This Chapter Requesting a new team site and opening it in the browser Participating in a team site Changing your team site s home page One of the fundamental
More informationAuthor: Tonny Rabjerg Version: Company Presentation WSF 4.0 WSF 4.0
Author: Tonny Rabjerg Version: 20150730 Company Presentation WSF 4.0 WSF 4.0 Cybercrime is a growth industry. The returns are great, and the risks are low. We estimate that the likely annual cost to the
More informationINTERNET SAFETY IS IMPORTANT
INTERNET SAFETY IS IMPORTANT Internet safety is not just the ability to avoid dangerous websites, scams, or hacking. It s the idea that knowledge of how the internet works is just as important as being
More informationInstructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3 6 players. Play starts with the 3 of Tampering. Play
More informationSECURE CODING ESSENTIALS
SECURE CODING ESSENTIALS DEFENDING YOUR WEB APPLICATION AGAINST CYBER ATTACKS ROB AUGUSTINUS 30 MARCH 2017 AGENDA Intro - A.S. Watson and Me Why this Presentation? Security Architecture Secure Code Design
More informationDreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com
DreamFactory Customer Privacy and Security Whitepaper Delivering Secure Applications on Salesforce.com By Bill Appleton, CTO, DreamFactory Software billappleton@dreamfactory.com Introduction DreamFactory
More informationCopyright
1 SECURITY TEST Data flow -- Can you establish an audit trail for data, what goes where, is data in transit protected, and who has access to it? Data storage -- Where is data stored, and is it encrypted?
More informationSecurity issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith
Security issues Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith Criteria D3 D3 Recommend ways to improve web security when using web server scripting Clean browser input Don
More informationWeb Application Penetration Testing
Web Application Penetration Testing COURSE BROCHURE & SYLLABUS Course Overview Web Application penetration Testing (WAPT) is the Security testing techniques for vulnerabilities or security holes in corporate
More informationTHREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda
THREAT MODELING IN SOCIAL NETWORKS Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda INTRODUCTION Social Networks popular web service. 62% adults worldwide use social media 65% of world top companies
More informationManually Create Phishing Page For Facebook 2014
Manually Create Phishing Page For Facebook 2014 While you are creating phishing page manually you have to do a lot of work Web Templates -- For importing premade template for Gmail, Facebook from SET.
More informationChat with a hacker. Increase attack surface for Pentest. A talk by Egor Karbutov and Alexey Pertsev
Chat with a hacker Increase attack surface for Pentest A talk by Egor Karbutov and Alexey Pertsev $ Whoarewe Egor Karbutov & Alexey Pertsev Penetration testers @Digital Security Speakers Bug Hunters 2
More informationInstructions 1 Elevation of Privilege Instructions
Instructions 1 Elevation of Privilege Instructions Draw a diagram of the system you want to threat model before you deal the cards. Deal the deck to 3-6 players. Play starts with the 3 of Tampering. Play
More informationSecurity and Privacy. Xin Liu Computer Science University of California, Davis. Introduction 1-1
Security and Privacy Xin Liu Computer Science University of California, Davis Introduction 1-1 What is network security? Confidentiality: only sender, intended receiver should understand message contents
More informationQuick Heal Total Security
For secure online banking, smooth Internet surfing, and robust protection for your PC. Features List Ransomware Protection Quick Heal anti-ransomware feature is more effective and advanced than other anti-ransomware
More informationAttacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14
Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.
More informationCS 161 Computer Security
Nick Weaver Fall 2018 CS 161 Computer Security Homework 3 Due: Friday, 19 October 2018, at 11:59pm Instructions. This homework is due Friday, 19 October 2018, at 11:59pm. No late homeworks will be accepted
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationSecurity and Privacy
E-mail Security and Privacy Department of Computer Science Montclair State University Course : CMPT 320 Internet/Intranet Security Semester : Fall 2008 Student Instructor : Alex Chen : Dr. Stefan Robila
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationInstallation & Configuration Guide Enterprise/Unlimited Edition
Installation & Configuration Guide Enterprise/Unlimited Edition Version 2.3 Updated January 2014 Table of Contents Getting Started... 3 Introduction... 3 Requirements... 3 Support... 4 Recommended Browsers...
More informationPratt User Guide
25LIVE @ Pratt User Guide This guide is to be used by Pratt Institute Faculty, Staff and Official Student Groups who want to request a campus public room for a class or an event. Technical questions and
More informationWebomania Solutions Pvt. Ltd. 2017
The other name for link manipulation is Phishing or you can say link manipulation is type of phishing attack done generally to mislead the user to a replica website or a looka-like of some well-known site.
More informationMozilla Security Blog
Mozilla Security Blog Mixed Content Blocking in Firefox Aurora Tanvi May 16 2013 Firefox 23 moved from Nightly to Aurora this week, bundled with a new browser security feature. The Mixed Content Blocker
More informationDownload firefox with virus protection
P ford residence southampton, ny Download firefox with virus protection 3-11-2015 Protect your devices with the best free antivirus on the market. Download Avast antivirus and anti-spyware protection for
More informationWeb Servers and Security
Web Servers and Security The Web is the most visible part of the net Two web servers Apache (open source) and Microsoft s IIS dominate the market Apache has 49%; IIS has 36% (source: http://news.netcraft.com/archives/2008/09/30/
More information2 User Guide. Contents
E-mail User Guide 2 E-mail User Guide Contents Logging in to your web mail... 3 Changing your password... 5 Editing your signature... 6 Adding an e-mail account to Outlook 2010/2013/2016... 7 Adding an
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationEXECUTIVE BRIEF: WHY NETWORK SANDBOXING IS REQUIRED TO STOP RANSOMWARE
EXECUTIVE BRIEF: WHY NETWORK SANDBOXING IS REQUIRED TO STOP RANSOMWARE Why you need to use sandboxing as well as signatures and heuristics Abstract Next-gen firewalls leverage signatures and heuristics
More information