1Web Browser SecurityJohn MitchellCS 155Spring 2006Course ScheduleProjects Proj 1: Assigned April 11, Due April 27 Proj 2: Assigned May 2, Due May 18 Proj 3: Assigned May 18, Due June 8 No Late DaysHomework HW 1: Assigned April 20, Due May 4 HW 2: Assigned May 11, Due May 25 HW 3: no HW3 this yearOutlineBrowser review Bugs happen HTTP, scripts, events, DOM Session state and cookiesProtecting the browser environment Execution sandbox Access policies, signed scriptsPrivacy and confidentiality for sensitive information Protecting the file system, OS, platform Protecting information associated with other browser processes (e.g., other windows) Protecting the user against deception Protecting against traffic analysisBrowser and NetworkBrowserNetworkBrowser sends requests May reveal private information (in forms, cookies)Browser receives information, code May corrupt state by running unsafe codeInteraction susceptible to network attacks Consider network security later in the courseOSHardwareWeb siterequestreply2Microsoft Issues New IE Browser Security PatchBy Richard Karpinski Microsoft has released a security patch that closes some major holes in its Internet Explorer browser The so-called "cumulative patch" fixes six different IE problems ... Affected browsers include Internet Explorer 5.01, 5.5 and 6.0. Microsoft rated the potential security breaches as "critical." Tuesday, February 12, 2002Feb 2002 patch addresses: A buffer overrun associated with an HTML directive ... Hackers could use this breach to run malicious code on a user's system. A scripting vulnerability that would let an attacker read files on a user's systems. A vulnerability related to the display of file names ... Hackerscould … misrepresent the name of a file ... and trick a userinto downloading an unsafe file. A vulnerability that would allow a Web page to improperly invoke an application installed on a user's system to open a file on a Web site. …more …MS announced 20 vulnerabilities on April 13, 2004 !!!And then again last year, …Windows Security Updates Summary for April 2005Published: April 12, 2005A security issue has been identified that could allow an attacker to compromise a computer running Internet Explorer and gain control over it. You can help protect your computer by installing this update from Microsoft. After you install this item, you may have to restart your computer.Microsoft Security Bulletin MS06-013, April 2006Browser security topicsReview HTTP, scriptingControlling outgoing information Cookies Cookie mechanism, JunkBuster Routing privacy Anonymizer, Crowds Privacy policy – P3PRisks from incoming executable code JavaScript ActiveX Plug-ins JavaHyperText Transfer ProtocolUsed to request and return data Methods: GET, POST, HEAD, …Stateless request/response protocol Each request is independent of previous requests Statelessness has a significant impact on design and implementation of applications Evolution HTTP 1.0: simple HTTP 1.1: more complexHTTP3GET /default.asp HTTP/1.0Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Connection: Keep-AliveIf-Modified-Since: Sunday, 17-Apr-96 04:32:58 GMTHTTP RequestMethod File HTTP version HeadersData – none for GETBlank lineHTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTContent-Length: 2543<HTML> Some data... blah, blah, blah </HTML>HTTP ResponseHTTP version Status code Reason phraseHeadersDataHTTP Server Status CodesDescriptionCodeInternal Server Error500Not Found404Forbidden – not authorized403Unauthorized401Bad Request – not understood400Moved Temporarily302Moved Permanently301Created201OK200Return code 401 Used to indicate HTTP authorization HTTP authorization has serious problems!!!HTML and Scripting<html>…<P> <script>var num1, num2, sumnum1 = prompt("Enter first number")num2 = prompt("Enter second number")sum = parseInt(num1) + parseInt(num2)alert("Sum = " + sum)</script>…</html>Browser receives content, displays HTML and executes scriptsEvents<script type="text/javascript">function whichButton(event) {if (event.button==1) {alert("You clicked the left mouse button!") }else {alert("You clicked the right mouse button!") }}</script>…<body onmousedown="whichButton(event)">…</body>Mouse event causes page-defined function to be called Other events: onLoad, onMouseMove, onKeyPress, onUnLoadDocument object model (DOM)Object-oriented interface used to read and write documents web page in HTML is structured data DOM provides representation of this hierarchyExamples Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] Methods: document.write(document.referrer)Also Browser Object Model (BOM) Window, Document, Frames[], History, Location, Navigator (type and version of browser)4Need for session statewww.e_buy.comwww.e_buy.com/shopping.cfm?pID=269View Catalogwww.e_buy.com/shopping.cfm?pID=269&item1=102030405www.e_buy.com/checkout.cfm?pID=269&item1=102030405Check outSelect ItemStore session information in URL; Easily read on networkStore info across sessions?Cookies A cookie is a file created by an Internet site to store information on your computerBrowserServerEnters form dataStores cookieBrowserServerRequests cookieReturns dataHttp is stateless protocol; cookies add stateCookie A named string stored by the browser Accessible as property of the Document object Can be read and written entirely on client side using JavascriptAccessibility persists for the duration of the browser session (but an expiration date may be given) is associated with the subtree of the document that created it (but a cookie path may be specified) is accessible to pages on the server that created it (but a cookie domain may be declared)Browser security risksCompromise host Write to file system Interfere with other processes in browser environmentSteal information Read file system Read information associated with other browser processes (e.g., other windows) Fool the user Reveal information through traffic analysisBrowser sandboxIdea Code executed in browser has only restricted access to OS, network,
View Full Document
Unlocking...