Project 3 Web Security Part 1. Outline

Similar documents
Web Security, Summer Term 2012

Web Security, Summer Term 2012

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

Introduction to WEB PROGRAMMING

recall: a Web page is a text document that contains additional formatting information in the HyperText Markup Language (HTML)

Information Security CS 526 Topic 11

CSC 121 Computers and Scientific Thinking

Information Security CS 526 Topic 8

Web basics: HTTP cookies

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Introduction to using HTML to design webpages

Web basics: HTTP cookies

week8 Tommy MacWilliam week8 October 31, 2011

A Balanced Introduction to Computer Science, 3/E

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

MODULE 2 HTML 5 FUNDAMENTALS. HyperText. > Douglas Engelbart ( )

Student, Perfect Final Exam May 25, 2006 ID: Exam No CS-081/Vickery Page 1 of 6

Content Security Policy

Lecture : 3. Practical : 2. Course Credit. Tutorial : 0. Total : 5. Course Learning Outcomes

Client Side Injection on Web Applications

COMS W3101: SCRIPTING LANGUAGES: JAVASCRIPT (FALL 2018)

BOOSTING THE SECURITY

Browser code isolation

Computer Security CS 426 Lecture 41

CIS 228 (Spring, 2012) Final, 5/17/12

CS134 Web Site Design & Development. Quiz1

c122jan2714.notebook January 27, 2014

COMS W3101: SCRIPTING LANGUAGES: JAVASCRIPT (FALL 2017)

Programmazione Web a.a. 2017/2018 HTML5

HTML CS 4640 Programming Languages for Web Applications

HTML + CSS. ScottyLabs WDW. Overview HTML Tags CSS Properties Resources

HTML. HTML Evolution

Index. alt, 38, 57 class, 86, 88, 101, 107 href, 24, 51, 57 id, 86 88, 98 overview, 37. src, 37, 57. backend, WordPress, 146, 148

The internet is a worldwide collection of networks that link millions of computers. These links allow the computers to share and send data.

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Client-side Techniques. Client-side Techniques HTML/XHTML. Static web pages, Interactive web page: without depending on interaction with a server

Assignments (4) Assessment as per Schedule (2)

Web Security, Part 2

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Some Facts Web 2.0/Ajax Security

Markup Language. Made up of elements Elements create a document tree

Standard 1 The student will author web pages using the HyperText Markup Language (HTML)

Web Application Security

Review of HTML. Chapter Pearson. Fundamentals of Web Development. Randy Connolly and Ricardo Hoar

CPSC 481: CREATIVE INQUIRY TO WSBF

CS 1100: Web Development: Client Side Coding / Fall 2016 Lab 2: More HTML and CSS

Web Development and HTML. Shan-Hung Wu CS, NTHU

CSS for Page Layout Robert K. Moniot 1

RKN 2015 Application Layer Short Summary

XSS Homework. 1 Overview. 2 Lab Environment

CS 350 COMPUTER/HUMAN INTERACTION. Lecture 6

Perfect Student Midterm Exam March 20, 2007 Student ID: 9999 Exam: 7434 CS-081/Vickery Page 1 of 5

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

introduction to XHTML

Assignment 6: Web Security

Security. CSC309 TA: Sukwon Oh

JavaScript: Events, DOM and Attaching Handlers

Web Programming/Scripting: JavaScript

HTML and CSS COURSE SYLLABUS

Content Security Policy

PIC 40A. Midterm 1 Review

Web Security: Vulnerabilities & Attacks

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Document Object Model. Overview

Student, Perfect Midterm Exam March 24, 2006 Exam ID: 3193 CS-081/Vickery Page 1 of 5

CSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum

UI Course HTML: (Html, CSS, JavaScript, JQuery, Bootstrap, AngularJS) Introduction. The World Wide Web (WWW) and history of HTML

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CSC 405 Computer Security. Web Security

WEB SECURITY: XSS & CSRF

BASICS OF WEB DESIGN CHAPTER 2 HTML BASICS KEY CONCEPTS

As we design and build out our HTML pages, there are some basics that we may follow for each page, site, and application.

A HTML document has two sections 1) HEAD section and 2) BODY section A HTML file is saved with.html or.htm extension

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

HTML Summary. All of the following are containers. Structure. Italics Bold. Line Break. Horizontal Rule. Non-break (hard) space.

Match the attack to its description:

Web Application Security. Philippe Bogaerts

CUSTOMER PORTAL. Custom HTML splashpage Guide

IT430- E-COMMERCE Solved MCQ(S) From Midterm Papers (1 TO 22 Lectures) BY Arslan Arshad

CSCE 813 Internet Security Case Study II: XSS

Basics of Web Design, 3 rd Edition Instructor Materials Chapter 2 Test Bank

A Brief Introduction to HTML

Common Websites Security Issues. Ziv Perry

CIS 4360 Secure Computer Systems XSS

Controlled Assessment Task. Question 1 - Describe how this HTML code produces the form displayed in the browser.

Web Security IV: Cross-Site Attacks

Introduction to Web Technologies

2/6/2012. Rich Internet Applications. What is Ajax? Defining AJAX. Asynchronous JavaScript and XML Term coined in 2005 by Jesse James Garrett

Deccansoft Software Services

JavaScript CS 4640 Programming Languages for Web Applications

BEFORE CLASS. If you haven t already installed the Firebug extension for Firefox, download it now from

Building Your Website

BOOSTING THE SECURITY OF YOUR ANGULAR 2 APPLICATION

This document provides a concise, introductory lesson in HTML formatting.

HTML. Mohammed Alhessi M.Sc. Geomatics Engineering. Internet GIS Technologies كلية اآلداب - قسم الجغرافيا نظم المعلومات الجغرافية

UNIT 3 SECTION 1 Answer the following questions Q.1: What is an editor? editor editor Q.2: What do you understand by a web browser?

Uniform Resource Locators (URL)

By Ryan Stevenson. Guidebook #2 HTML

AJAX: Rich Internet Applications

Transcription:

Project 3 Web Security Part 1 CS155 Indrajit Indy Khare Outline Quick Overview of the Technologies HTML (and a bit of CSS) Javascript PHP Assignment Assignment Overview Example Attack 1

New to web programming? There are 4 different languages you need to know for this project Part 1 requires that you write code in at least 2 of them Read the FAQ! References HTML, JS, and PHP http://www.w3schools.com If you end up using AJAX (only worry about XHMLHttpRequest): http://www.openjs.com/articles/ ajax_xmlhttp_using_post.php PHP http://php.net 2

HTML Hypertext Markup Language Used to tell the browser the structure of a document HTML - Tags Surrounded by angle brackets <> <html> - wraps entire page <head> - header information, not displayed <title> - displayed at top of browser <body> - content that will be displayed Normally come in pairs Optional for some older tags, e.g. <br> (in valid XHTML that should be <br/>) Can also be self-closed: <td/> = <td></td> Not case sensitive, but usually lower case 3

HTML - Tags Headings: <h1>this text will be large</h1> Paragraphs: <p>this paragraph has a margin</p> Page regions: <div><span>stop</span> it!</div> Comments: <!-- This text is ignored --> Tables: <table> <tr><th>header1</th><th>header2</th></tr> <tr><td>data</td><td><data2</td></tr> </table> Header1 Header2 Data1 Data2 HTML - Properties Key=value pairs inside a tag <img src="hamster.gif" /> Can represent URLs in different ways relative: images/hamster.gif server-relative: /images/hamster.gif absolute: http://animals.com/images/hamster.gif Use relative where possible on Project 2 Can delimit value with ' or " or nothing (In valid XHML it must be surrounded by double quotes) 4

HTML iframes (Helpful!) Embed HTML documents in other documents <iframe name= myframe src= http://www.google.com/ > This text is ignored by most browsers. </iframe> HTML Anchor Tags Hyperlink navigates the browser to a URL when clicked <a href= cs155.html#officehours >link text</a> Can set an anchor for a fragment <a name= officehours ></a>my office hours are Can target a frame or new window <a href= http://mysite.com target= myframe > <a href= http://mysite.com target= _top > <a href= http://mysite.com target= _parent > <a href= http://mysite.com target= _blank > 5

HTML - Forms Provides a way to interact with server-side scripts <form action= /login.php > <input type= text name= username value= > <input type= password name= password value= > <input type= submit value= Log in > </form> Use method= GET for queries that do not send state Use method= POST for requests have side effects, or passwords Use target= myframe to avoid navigating away (Useful!) CSS Style information can be set as a property <span style="color: red >This will be red.</span> Stylesheets set styles globally <style type="text/css"> body { margin-left: 1em; font-size: 10pt; } /* by tag */ #par3 { font-size: 14pt; } /* by id */.conclusion { font-weight: bold; } /* class only */ p.conclusion { display: block } /* by tag+class */ </style> 6

Javascript Browser scripting language with C-like syntax Sandboxed, garbage collected Closures var x = 3; var y = function() { alert(x); }; return y; Encapsulation/objects function X() { this.y = 3; } var z = new X(); alert(z.y); Can interpret data as code (eval) Browser-dependent Invoking Javascript Tags: <script>alert( Hello world! )</script> Links: javascript:alert( Hello world! ) Wrap code in void if it has return value Beware, newlines in URIs require encoding Event handlers: <button onclick= alert( Hello world! ) > 7

Dom Manipulations document.getelementbyid(id) document.getelementsbytagname(tag) document.write(htmltext) document.createelement(tagname) document.body.appendchild(node) document.forms[index].fieldname.value = document.formname.fieldname.value = frame.contentdocument.getelementbyid(id) somehtmlelement.innerhtml Other useful functions Navigation document.location document.formname.submit() document.forms[0].submitfield.click() Delayed Events node.addeventlistener(eventname, handler, usecapture) node.removeeventlistener(eventname, handler, usecapture) window.settimeout(handler, milliseconds) 8

Adding Events (Firefox) <div id= foo > Blended Coffee </div> <script type= text/javascript > var foo = document.getelementbyid( foo ); foo.addeventlistener( click, function() { alert( Is freakin awesome! ); }, false); </script> Useful CSS var node = document.getelementbyid( mynodeid ); node.style.display = none ; // may not load at all node.style.visibility = hidden ; // still takes up space node.style.position = absolute ; // not included in flow document.write( // can also write CSS rules to page <style>#mynodeid { visibility:hidden; }</style> ); 9

The most useful thing EVER Download Firebug for Firefox! Turn on the console for script and error logging Firefox is your best friend when it comes to client side development for the web PHP Server scripting language with C-like syntax Can intermingle static HTML and code <input value=<?php echo $myvalue;?>> Encapsulation/objects class X { public $y = 3; } $z = new X(); echo $z->y; Can embed variables in double-quote strings $user = world ; echo Hello $user! ; or $user = world ; echo Hello. $user.! ; Form data in global arrays $_GET, $_POST, 10

How does it work together? Browser Go to URL Request Server Interpret PHP Interpret HTML, CSS, JS etc. Generate HTML, CSS, JS, Images Etc. OK, Let s get on with the project then! 11

Attack A Cookie Theft Cross Site Scripting Inject and execute arbitrary code on the site Attack B Cross-site request forgery Execute commands on another website Exploits the fact that the website doesn t check who is making the request Eg. <img src="http://bank.example/withdraw?account=bob&amount=1000000&for=mallory"> Ref. wikipedia.org In your case it s a form submission 12

Attack C Reading Leaked Data Can t simply load in read and manipulate HTML from another domain What can we load directly onto our page? Attack C - Phishing Making a website appear like another to steal a user s information Hard to defend, it s basically up to the user 13

Attack D Profile Worm Essentially another XSS attack Read the linked description of the Myspace vulnerability Tips Read the source of the web pages and all included files In Firefox: Right Click > View Source Read the source after JS manipulation In Firefox: Select a particular area Then Right Click > View Selection Source Or Right Click on the page > View Generated Source 14

Tips You have the PHP source! Read it to understand what s going on Use Firebug! Let s do some attacking http://zoobar.org 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback