Browser Security Model

Transcription

1 CS155 Sprig 2017 Browser Security Model Joh Mitchell

2 Top Web Vulerabilities

3 Historical Web Vulerabilities "I the Wild" Data from aggregator ad validator of NVD-reported vulerabilities

4 Historical Web vs System vulerabilities XSS peak Declie i % web vuls sice % i > 37% i Big declie i SQL Ijectio vulerabilities

5 Five lectures o Web security Browser security model The browser as a OS ad executio platform Protocols, isolatio, commuicatio, Web applicatio security Applicatio pitfalls ad defeses Sessio maagemet ad user autheticatio How users autheticate to web sites Browser-server mechaisms for maagig state Cotet security policies Additioal mechaisms for sadboxig ad security HTTPS: goals ad pitfalls (after Crypto lecture) Network issues ad browser protocol hadlig This 2.5-week sectio could fill a etire course

6 Web programmig poll Familiar with basic html? Developed a web applicatio usig: Apache? PHP? Ruby? Pytho? SQL? JavaScript? CSS? JSON? Kow about: postmessage? NaCl? Webworkers? CSP? WebView? Resource:

7 Goals of web security Safely browse the web Visit a variety of web sites without icurrig harm w Cofidetiality: o stole iformatio w Itegrity: Site A caot compromise sessio at Site B Support secure web apps Apps provided over the web ca have same security properties as stad-aloe applicatios Support secure mobile apps Web protocols ad cotet stadards are used as back ed of may mobile apps

8 Web security threat model System Alice Web Attacker Sets up malicious site visited by victim; o cotrol of etwork

9 Network security threat model Network Attacker System Itercepts ad cotrols etwork commuicatio Alice

10 Alice System Web Attacker Alice System Network Attacker

11 Web Threat Models Web attacker Cotrols attacker.com Ca obtai SSL/TLS certificate for attacker.com User visits attacker.com w Or: rus attacker s Facebook app, etc. Network attacker Passive: Wireless eavesdropper Active: Evil router, DNS poisoig Malware attacker Attacker escapes browser isolatio mechaisms ad ru separately uder cotrol of OS

12 Malware attacker Browsers may cotai exploitable bugs Ofte eable remote code executio by web sites Google study: [the ghost i the browser 2007] w Foud Trojas o 300,000 web pages (URLs) w Foud adware o 18,000 web pages (URLs) Eve if browsers were bug-free, still lots of vulerabilities associated with the web NOT OUR FOCUS IN THIS PART OF COURSE All vulerabilities o previous slide: XSS, SQLi, CSRF,

13 Outlie Http Rederig cotet Isolatio Commuicatio Navigatio Security User Iterface Cookies Frames ad frame bustig

14 HTTP

15 URLs Global idetifiers of etwork-retrievable documets Example: Protocol Fragmet Hostame Port Path Query Special characters are ecoded as hex: %0A = ewlie %20 or + = space, %2B = + (special exceptio)

16 HTTP Request Method File HTTP versio Headers GET /idex.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Laguage: e Coectio: Keep-Alive User-Aget: Mozilla/1.22 (compatible; MSIE 2.0; Widows 95) Host: Referer: Blak lie Data oe for GET GET : o side effect POST : possible side effect

17 HTTP Respose HTTP versio Status code Reaso phrase Headers HTTP/ OK Date: Su, 21 Apr :20:42 GMT Server: Microsoft-Iteret-Iformatio-Server/5.0 Coectio: keep-alive Cotet-Type: text/html Last-Modified: Thu, 18 Apr :39:05 GMT Set-Cookie: Cotet-Legth: 2543 Data <HTML> Some data... whatever...</html> Cookies

18 RENDERING CONTENT

19 Rederig ad evets Basic browser executio model Each browser widow or frame w Loads cotet w Reders it Processes HTML ad scripts to display page May ivolve images, subframes, etc. w Respods to evets Evets ca be User actios: OClick, OMouseover Rederig: OLoad, OBeforeUload Timig: settimeout(), cleartimeout()

20 Example <!DOCTYPE html> <html> <body> <h1>my First Web Page</h1> <p>my first paragraph.</p> <butto oclick="documet.write(5 + 6)">Try it</butto> </body> </html> Source:

21 Example

22 Documet Object Model (DOM) Object-orieted iterface used to read ad write docs web page i HTML is structured data DOM provides represetatio of this data structure Examples Properties: documet.alikcolor, documet.url, documet.forms[ ], documet.liks[ ], documet.achors[ ] Methods: documet.write(documet.referrer) Icludes Browser Object Model (BOM) widow, documet, frames[], history, locatio, avigator (type ad versio of browser)

23 Chagig HTML usig Script, DOM Some possibilities createelemet(elemetname) createtextnode(text) appedchild(ewchild) removechild(ode) HTML Example: Add a ew list item: <ul id="t1"> <li> Item 1 </li> </ul> var list = documet.getelemetbyid('t1') var ewitem = documet.createelemet('li') var ewtext = documet.createtextnode(text) list.appedchild(ewitem) ewitem.appedchild(ewtext)

24 Example <!DOCTYPE html> <html> <body> <h1>my First Web Page</h1> <p>my First Paragraph</p> <p id="demo"></p> <script> documet.getelemetbyid("demo").ierhtml = 5 + 6; </script> </body> </html> Source:

25 Basic web fuctioality HTML Image Tags <html> <p> </p> <img src= height="50" width="100"> </html> Displays this ice picture è Security issues?

26 Security cosequeces Image tag security issues Commuicate with other sites <img src= > Hide resultig image <img src= height= 1" width= 1"> Spoof other sites Add logos that fool a user Importat Poit: A web page ca sed iformatio to ay site Q: what threat model are we talkig about here?

27 Basic web fuctioality JavaScript oerror Basic fuctio Triggered whe error occurs loadig a documet or a image Example <img src="image.gif" oerror="alert('the image could ot be loaded.') > Rus oerror hadler if image does ot exist ad caot load

28 Basic web fuctioality JavaScript timig Sample code <html><body><img id="test" style="display: oe"> <script> var test = documet.getelemetbyid( test ); var start = ew Date(); test.oerror = fuctio() { var ed = ew Date(); alert("total time: " + (ed - start)); } test.src = " </script> </body></html> Whe respose header idicates that page is ot a image, the browser stops ad otifies JavaScript via the oerror hadler.

29 Security cosequece Port scaig behid firewall JavaScript ca: Request images from iteral IP addresses w Example: <img src= :8080 /> Use timeout/oerror to determie success/failure Figerprit webapps usig kow image ames Server 1) show me dacig pigs! sca 2) check this out Malicious Web page 3) port sca results sca Browser sca Firewall

30 Remote scriptig Goal: commuicate betwee cliet-side app ruig i browser ad server-side app, without reloadig Methods Java Applet/ActiveX cotrol/flash w Ca make HTTP requests ad iteract with cliet-side JavaScript code, but some aspects may be browser specific XML-RPC w ope, stadards-based techology that requires XML-RPC libraries o server ad i your cliet-side code. Simple HTTP via a hidde IFRAME w IFRAME with a script o your web server is by far the easiest of the three remote scriptig optios Importat Poit: A page ca maitai bi-directioal commuicatio with browser (util user closes/quits) See:

31 Simple remote scriptig example cliet.html: RPC by passig argumets to server.html i query strig <script type="text/javascript"> fuctio hadlerespose() { alert('this fuctio is called from server.html') } </script> <iframe id="rsiframe" ame="rsiframe" style="width:0px; height:0px; border: 0px" src="blak.html"> </iframe> <a href="server.html" target="rsiframe">make RPC call</a> server.html: aother page o same server, could be server.php, etc <script type="text/javascript"> widow.paret.hadlerespose() </script> RPC ca be doe siletly i JavaScript, passig ad receivig argumets

32 ISOLATION

33 Frame ad iframe Widow may cotai frames from differet sources Frame: rigid divisio as part of frameset iframe: floatig ilie frame iframe example <iframe src="hello.html" width=450 height=100> If you ca see this, your browser does't uderstad IFRAME. </iframe> Why use frames? Delegate scree area to cotet from aother source Browser provides isolatio based o frames Paret may work eve if frame is broke

34 Widows ad frames iteract 34

35 Aalogy Operatig system Primitives System calls Processes Disk Pricipals: Users Discretioary access cotrol Vulerabilities Buffer overflow Root exploit Web browser Primitives Documet object model Frames Cookies / localstorage Pricipals: Origis Madatory access cotrol Vulerabilities Cross-site scriptig Cross-site request forgery Cache history attacks

36 Policy Goals Safe to visit a evil web site Safe to visit two pages at the same time Address bar distiguishes them Allow safe delegatio

37 Browser security mechaism A B A A B Each frame of a page has a origi Origi = protocol://host:port Frame ca access its ow origi Network access, Read/write DOM, Storage (cookies) Frame caot access data associated with a differet origi

38 Compoets of browser security policy Frame-Frame relatioships cascript(a,b) w Ca Frame A execute a script that maipulates arbitrary/otrivial DOM elemets of Frame B? canavigate(a,b) w Ca Frame A chage the origi of cotet for Frame B? Frame-pricipal relatioships readcookie(a,s), writecookie(a,s) w Ca Frame A read/write cookies from site S? See

39 Library import excluded from SOP <script src= =a.com></script> VeriSig Script has privileges of imported page, NOT source server. Ca script other pages i this origi, load more scripts Other forms of importig

40 Domai Relaxatio chat.facebook.com facebook.com chat.facebook.com Origi: scheme, host, (port), hassetdomai Try documet.domai = documet.domai

41 Additioal mechaisms Site A Site B Cross-origi etwork requests Site A cotext Access-Cotrol-Allow-Origi: <list of domais> Site B cotext Access-Cotrol-Allow-Origi: * Cross-origi cliet side commuicatio Cliet-side messagig via avigatio (old browsers) postmessage (moder browsers)

42 COMMUNICATION

43 widow.postmessage API for iter-frame commuicatio Supported i stadard browsers A etwork-like chael betwee frames Add a cotact Share cotacts

44 postmessage sytax frames[0].postmessage("attack at daw!", " widow.addevetlisteer("message", fuctio (e) { if (e.origi == " {... e.data... } }, false); Attack at daw! Facebook Aecdote

45 Why iclude targetorigi? What goes wrog? frames[0].postmessage("attack at daw!"); Messages set to frames, ot pricipals Whe would this happe? 45

46 NAVIGATION 46

47 A Guiski Attack awglogi widow.ope(" "awglogi");

48 What should the policy be? Child Siblig Frame Bust Descedat 48

49 Legacy Browser Behavior Browser IE 6 (default) IE 6 (optio) IE7 (o Flash) IE7 (with Flash) Firefox 2 Safari 3 Opera 9 HTML 5 Policy Permissive Child Descedat Permissive Widow Permissive Widow Child

50 Widow Policy Aomaly top.frames[1].locatio = " top.frames[2].locatio = "

51 Legacy Browser Behavior Browser IE 6 (default) IE 6 (optio) IE7 (o Flash) IE7 (with Flash) Firefox 2 Safari 3 Opera 9 HTML 5 Policy Permissive Child Descedat Permissive Widow Permissive Widow Child

52 Adoptio of Descedat Policy Browser IE7 (o Flash) IE7 (with Flash) Firefox 3 Safari 3 Opera 9 HTML 5 Policy Descedat Descedat Descedat Descedat (may policies) Descedat

53 Whe is it safe to type my password? SECURITY USER INTERFACE

54 Safe to type your password? 54

55 Safe to type your password? 55

56 Safe to type your password? 56

57 Safe to type your password??????? 57

58 Safe to type your password? 58

59 Mixed Cotet: HTTP ad HTTPS Problem Page loads over HTTPS, but has HTTP cotet Network attacker ca cotrol page IE: displays mixed-cotet dialog to user Flash files over HTTP loaded with o warig (!) Note: Flash ca script the embeddig page Firefox: red slash over lock ico (o dialog) Flash files over HTTP do ot trigger the slash Safari: does ot detect mixed cotet Da will talk about this later.

60 Mixed Cotet: HTTP ad HTTPS silly dialogs

61 Mixed cotet ad etwork attacks Old sites: after logi all cotet over HTTPS Developer error: Somewhere o bak site write <script src= </script> Active etwork attacker ca ow hijack ay sessio Better way to iclude cotet: <script src=// </script> served over the same protocol as embeddig page

62 Lock Ico 2.0 Exteded validatio (EV) certs Promiet security idicator for EV certificates ote: EV site loadig cotet from o-ev site does ot trigger mixed cotet warig

63 Fially: the status Bar Trivially spoofable <a href= oclick= this.href = ; > PayPal</a>

64 COOKIES: CLIENT STATE 64

65 Cookies Used to store state o user s machie Browser If expires=null: this sessio oly POST HTTP Header: Set-cookie: NAME=VALUE ; Server domai = (who ca read) ; expires = (whe expires) ; secure = (oly over SSL) Browser POST Cookie: NAME = VALUE Server HTTP is stateless protocol; cookies add state

66 Cookie autheticatio Browser Web Server Auth server POST logi.cgi Userame & pwd Validate user Set-cookie: auth=val auth=val Store val GET restricted.html Cookie: auth=val If YES, restricted.html restricted.html auth=val YES/NO Check val

67 Cookie Security Policy Uses: User autheticatio Persoalizatio User trackig: e.g. Doubleclick (3 rd party cookies) Origi is the tuple <domai, path> Ca set cookies valid across a domai suffix

68 Secure Cookies Browser GET HTTP Header: Set-cookie: NAME=VALUE ; Secure=true Server Provides cofidetiality agaist etwork attacker Browser will oly sed cookie back over HTTPS but o itegrity Ca rewrite secure cookies over HTTP Þ etwork attacker ca rewrite secure cookies Þ ca log user ito attacker s accout

69 httpoly Cookies Browser GET HTTP Header: Set-cookie: NAME=VALUE ; httpoly Server Cookie set over HTTP(s), but ot accessible to scripts caot be read via documet.cookie Helps prevet cookie theft via XSS but does ot stop most other risks of XSS bugs

70 FRAMES AND FRAME BUSTING

71 Frames Embed HTML documets i other documets <iframe ame= myframe src= > This text is igored by most browsers. </iframe>

72 Frame Bustig Goal: prevet web page from loadig i a frame example: opeig logi page i a frame will display correct passmark image Frame bustig: if (top!= self) top.locatio.href = locatio.href

73 Better Frame Bustig Problem: Javascript OUload evet <body ouload="javascript: cause_a_abort;)"> Try this istead: if (top!= self) top.locatio.href = locatio.href else { code of page here }

74 Eve better (after ~2010) Set X-Frame-Optios HTTP respose header Tell browser ot to reder a page i a <frame> or <iframe> Esurig that cotet is ot embedded ito other sites. Use optios "DENY", "SAMEORIGIN", or "ALLOW-FROM uri" Browser DENY/SAMEORIGIN Support Itroduced ALLOW-FROM Support Itroduced Chrome Supports CSP frameacestors istead Firefox (Gecko) ( ) 18.0 Iteret Explorer Opera Safari 4.0 Wo't support - Supports CSP frame-acestors is

75 Summary Http Rederig cotet Isolatio Commuicatio Navigatio Security User Iterface Cookies Frames ad frame bustig