LECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security

Similar documents
Running Remote Code is Risky. Why Study Browser Security. Browser Sandbox. Threat Models. Security User Interface.

CS 5450 HTTP. Vitaly Shmatikov

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Information Security CS 526 Topic 8

s642 web security computer security adam everspaugh

s642 web security computer security adam everspaugh

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Browser Security Model

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

WEB SECURITY: XSS & CSRF

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Match the attack to its description:

Information Security CS 526 Topic 11

CS526: Information security

Common Websites Security Issues. Ziv Perry

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

RKN 2015 Application Layer Short Summary

Web Application Security. Philippe Bogaerts

P2_L12 Web Security Page 1

Advanced Web Technology 10) XSS, CSRF and SQL Injection

WHY CSRF WORKS. Implicit authentication by Web browsers

CNIT 129S: Securing Web Applications. Ch 10: Attacking Back-End Components

Certified Secure Web Application Engineer

0x1A Great Papers in Computer Security

Progress Exchange June, Phoenix, AZ, USA 1

Secure Frame Communication in Browsers Review

CNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web basics: HTTP cookies

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Robust Defenses for Cross-Site Request Forgery

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway

Uniform Resource Locators (URL)

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

Browser Security Model

Lecture Overview. IN5290 Ethical Hacking. Lecture 4: Web hacking 1, Client side bypass, Tampering data, Brute-forcing

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

The security of Mozilla Firefox s Extensions. Kristjan Krips

Development of Web Applications

Web basics: HTTP cookies

Browser Security Model

CSWAE Certified Secure Web Application Engineer

Computer Security CS 426 Lecture 41

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

C1: Define Security Requirements

En#ty Authen#ca#on and Session Management

7.2.4 on Media content; on XSS) sws2 1

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Acknowledgments... xix

CIS 4360 Secure Computer Systems XSS

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application security : going quicker

En partenariat avec CA Technologies. Genève, Hôtel Warwick,

How to Configure SSL VPN Portal for Forcepoint NGFW TECHNICAL DOCUMENT

CS 161 Computer Security

RiskSense Attack Surface Validation for Web Applications

F5 Big-IP Application Security Manager v11

SAML-Based SSO Solution

Lesson 12: JavaScript and AJAX

CSCE 813 Internet Security Case Study II: XSS

Some Facts Web 2.0/Ajax Security

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Web Security [SSL/TLS and Browser Security Model]

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Information Security. Gabriel Lawrence Director, IT Security UCSD

CSE392/ISE331. Web Security Goals & Workings of the Web. Nick Nikiforakis

W H IT E P A P E R. Salesforce Security for the IT Executive

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Tabular Presentation of the Application Software Extended Package for Web Browsers

October 08: Introduction to Web Security

ICS 351: Today's plan. web scripting languages HTTPS: SSL and TLS certificates cookies DNS reminder

Web Application Security

Combating Common Web App Authentication Threats

Web Application Penetration Testing

Integrity attacks (from data to code): Cross-site Scripting - XSS

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Contents 1 INTRODUCTION TO COMPUTER NETWORKS...

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

ICS 351: Today's plan. IPv6 routing protocols (summary) HTML HTTP web scripting languages certificates (review) cookies

Code-Injection Attacks in Browsers Supporting Policies. Elias Athanasopoulos, Vasilis Pappas, and Evangelos P. Markatos FORTH-ICS

CS 161 Computer Security

Web Security II. Slides from M. Hicks, University of Maryland

ESORICS September Martin Johns

Security Course. WebGoat Lab sessions

PHP-security Software lifecycle General Security Webserver security PHP security. Security Summary. Server-Side Web Languages

Lecture Notes on Safety and Information Flow on the Web: II

CIS 551 / TCOM 401 Computer and Network Security. Spring 2008 Lecture 24

ArcGIS Enterprise Security: An Introduction. Randall Williams Esri PSIRT

Policy Settings for Windows Server 2003 (including SP1) and Windows XP (including SP2)

Computer and Network Security

last time: command injection

Web Attacks CMSC 414. September 25 & 27, 2017

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

Transcription:

Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security UMTS (3G) security LTE (4G) security WEB Security Browser/WWW security Web services security BROWSER SECURITY Modified from Mayra Sacanamboy

Topics Introduction Web Application Components Common Vulnerabilities Improving security in Web applications Introduction What does World Wide Web security mean? For Webmasters: confidence that their site won t be hacked or used as a gateway to get into their LANS For Web users: it is the ability to browse securely through the web But in general Introduction World Wide Web security Procedures Technologies Practices Effects: Infrastructure Client Network/Transport Web Application Web Application is a client/server software application that interacts with users or other systems using HTTP(S). Browser HTML & CSS HTTP request (web)server Back-end server

Web Threat Models Web attacker Control attacker.com Can obtain SSL/TLS certificate for attacker.com ($0) User visits attacker.com Some important Components 1. Authentication 2. Browser Security 3. Scripts and Active Code 4. Technologies : e.g. Ajax Network attacker Passive: Wireless eavesdropper Active: Evil router, DNS poisoning Malware attacker Attacker escapes browser sandbox Authentication Of a user or entity using HTTP basic HTTP digest For secure authentication SSL (https://...) Cookies Used to store state on user s machine Browser If expires=null: this session only GET HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; secure = (only over SSL) Browser GET Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Set-cookie: auth=val Validate user auth=val Store val SAME ORIGIN POLICY (SOP) GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, restricted.html YES/NO Document Object Model (DOM) Object-oriented interface used to read and write docs web page in HTML is (tree) structured data DOM provides representation of this hierarchy Examples Properties: document.alinkcolor, document.url, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer) Also Browser Object Model (BOM) window, document, frames[], history, location, navigator (type and version of browser) Browser Same Origin Policy (SOP) Web sites from different domains cannot interact except in very limited ways Applies to: Cookies: cookie from origin A not visible to origin B DOM: script from origin A cannot read or set properties for origin B For DOM access, two origins are the same if and only if tuple ( domain-name, port, and protocol ) is equal Safari note: until 3.0 SOP was only (domain-name, port)

SOP Examples Example HTML at www.lu.com Disallowed access: <iframe src="http://kth.com"></iframe> alert( frames[0].contentdocument.body.innerhtml ) alert( frames[0].src ) Allowed access: <img src="http://kth.com/logo.gif"> alert( images[0].height ) Navigating child frame is allowed (but reading frame[0].src is not): frames[0].location.href = http://mysite.com/ Web Browser: the new OS Origins are similar to processes One origin should not interfere with another Cooperation: often sites want to communicate Google AdSense: <script src="http://googlesyndication.com/show_ads.js"> Mash-ups Gadget aggregators (e.g. igoogle or live.com) To communicate with B, site A must give B full control: <script src=http://siteb.com/script.html> now script from site B runs in origin of site A Browser Security Cookie Data file originated by a web server, with the client s information (machine name, keystrokes the user types, etc) Types Per-session, secure Persistent, nonsecure Cookies = vulnerability ~ privacy Structure Of A Cookie Scripts and Active Code Scripts Programs executed on the server side performing advanced operations. E.g: perl, c, php, etc Active Code Programs designed to perform detailed task on the client s side. E.g: javascript, Java Applets, ActiveX, Domain Flag Path Secure Expiration Name Value www.redhat.com FALSE / FALSE 1154029490 Apache 64.3.40.151.16018996349247480

Scripts and Active Code Vulnerabilities Misusing interpreters: putting the script interpreter in the same place as the scripts directory. http://www.victim.com/cgi-bin/perl.exe?-e+%27unlink+%3c*%3e%27 Web Server --> perl e unlink <*> Scripts and Active Code Passing unchecked user input to command interpreters: user input is passed to a command shell, allowing remote users to execute shell commands on the web server. Opening files based on unchecked user input. When writing user inputs to disk. Flawed memory management: is in the domain of programming languages that do not perform memory management internally such as c, c++. Scripts and Active Code Security Model Java Applets => sandbox JavaScript sandbox same origin policy object signing Scripts and Active Code ActiveX Is a binary code that extend the functionality of a web application; it can take any action as the user. Security is partially controlled by the web designer and a third party. Security Options safe for initializing safe for scripting

3.4 AJAX (Asynchronous JavaScript and XML) presentation management using XHTML, CSS, and the Document Object Model; Asynchronous data retrieval using XMLHttpRequest; and, JavaScript AJAX Synchronous Asynchronous Two common vulnerabilities Cross Site Scripting (XSS) Sql Injection Common Vulnerabilities: XSS Cross Site Scripting (XSS) An attacker injects malicious code, usually client-side scripts, into web applications from outside sources. Types - Stored - Reflected Due to lack of input/output filtering

Reflection XSS Common Vulnerabilities 3: result page with embedded script Sql Injection 2: form with embedded script Trusted server An attacker adds SQL statements through a web application's input fields or hidden parameters to gain access to resources or make changes to data 4: cookie 1. Page click Attacker s server Common Vulnerabilities Sql Injection: SELECT * FROM users WHERE login = Bush AND password = '123' (If it returns something then login!) PHP/PostgreSql Server login syntax $sql = "SELECT * FROM users WHERE login = '". $formusr. "' AND password = '". $formpwd. "'"; Security Guidelines Validate Input and Output Fail Securely (Closed) Keep it Simple Use and Reuse Trusted Components Defense in Depth Only as Secure as the Weakest Link Security By Obscurity Won't Work Least Privilege Compartmentalization (Separation of Privileges)

Topics WEB SERVICES Federated Identity Management XML signatures (not treated) Federated Identity Management refers to having a common set of policies, practices and protocols in place to manage a digital identity and trust into IT users and devices between organizations Single sign-on (SSO) systems allow a single user authentication process between multiple IT systems or even organizations. OpenID SAML: security assertion markup language XACML: descriptive policy language

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback