Computer Security
CS 426, Lecture 12
Browser and Web Application Security
Elisa Bertino, Purdue University, IN, [email protected]

Browser Features for Active Content
• Browser plugins
• ActiveX
• JavaScript
• VBScript
• PHP
• ASP.NET AJAX
• Java applets

Security/Privacy Issues in Web Browsers
• How to securely run mobile code?
• How to provide access control to cookies and DOM objects?
• How to deal with privacy risks?

Security Risks Posed by Mobile Code
• Compromise the host
  – Write to the file system
  – Interfere with other processes in the browser environment
• Steal information
  – Read the file system
  – Read information associated with other browser processes (e.g., other windows)
  – Fool the user into revealing information
  – Reveal information through traffic analysis

Approaches to Running Mobile Code
• Sandboxing
  – Code executed in the browser has only restricted access to the OS and the network
• Same-origin principle
  – Only the site that stores some information in the browser may later read or modify that information (or depend on it in any way)
• Establishing trust in the code
  – The code is digitally signed

Java Virtual Machine Architecture
(Figure: A.java is compiled by the Java compiler into A.class; A.class and B.class arrive over the network and pass through the class loader, the verifier and the linker before the bytecode interpreter executes them inside the Java Virtual Machine.)

Security Mechanisms for Effective Sandboxing
• Examine code before executing it
  – The Java bytecode verifier performs critical tests
• Interpret code and trap risky operations
  – The Java bytecode interpreter does run-time tests
  – The security manager applies the local access policy
• Security manager
  – Lets you establish a custom security policy for an application (it is written in Java)
  – The Java API enforces the custom security policy
  – The policy can depend on the site that supplied the code
  – And on code signing: who signed it?
  – Caveat: the SecurityManager was deprecated for removal in JDK 17 (JEP 411), so current JVMs should not be relied on for this kind of sandboxing

Checks Enforced by the Security Manager
• Network related
  – Accept a socket connection from a specified host and port number
  – Open a socket connection to a specified host and port number
  – Wait for a connection on a specified local port number
• Thread/process management
  – Modify a thread (change its priority, stop it, and so on)
  – Create a new process
• Library/class management
  – Create a new class loader
  – Load a dynamic library that contains native methods
  – Load a class from a specified package (used by class loaders)
  – Add a new class to a specified package (used by class loaders)
• File system
  – Read, write or delete a specified file

JavaScript Security Model
• "Sandbox" design (at least conceptually)
  – No direct file access or network access
• Same-origin policy
  – A script can only read properties of documents and windows from the same place: server, protocol, port
• Access control with signed scripts
  – The user can grant privileges to signed scripts
    • UniversalBrowserRead/Write
    • UniversalFileRead
    • UniversalSendMail
  – (A legacy Netscape/early Firefox mechanism; current browsers no longer support it)
Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/

Same-Origin Policy Revisited
• Origin = domain name + protocol + port of the site hosting the document
  – All three must be equal for the origin to be considered the same
  – However, some access is allowed between pages from the same domain but not the same host (by relaxing document.domain, see the exceptions below)
Materials from Wikipedia and http://taossa.com/index.php/2007/02/08/same-origin-policy/

Examples (same-origin check against http://www.example.com/)

  URL of target window                              Result          Reason
  http://www.example.com/index.html                 Passes          Same domain, protocol and (default) port
  http://www.example.com/other1/other2/index.html   Passes          Same domain, protocol and (default) port
  http://www.example.com:81/dir/page.html           Does not pass   Different port
  http://www2.example.com/dir/page.html             Does not pass   Different server
  http://otherdomain.com/                           Does not pass   Different domain
  ftp://www.example.com/                            Does not pass   Different protocol

Same-Origin Policy Applies To
• Manipulating browser windows
• URLs requested via XMLHttpRequest
  – XMLHttpRequest is an API that browser scripting languages use to transfer XML and other text data to and from a web server over HTTP through an independent, asynchronous channel (the basis of AJAX)
• Manipulating frames (including inline frames)
• Manipulating documents (including those embedded with the object tag)
• Manipulating cookies (note that cookies use their own domain/path scoping rather than the full scheme/host/port origin)
• NOTE: there is no limitation on including documents from other sources through HTML tags: images, style sheets and scripts are often included from other domains. They are loaded and, for scripts, executed, but their contents cannot be read by scripts of the including page.

Same-Origin Policy Designed to Prevent
• Impersonation of a legitimate user (session hijacking)
  – Violating the trust a website places in a remote user, allowing the attacker to initiate HTTP requests in the context of the remote user or impersonate the remote user entirely
• Impersonation of a legitimate website (phishing)
  – Violating the trust a user places in a remote site by impersonating the site in whole or in part

Problems with the Same-Origin Policy
• Poorly enforced on some browsers
• Limitations if a site hosts unrelated pages
  – The policy allows script on one page to access properties of the document of any other page from the same origin, even an unrelated one
• Exceptions and workarounds open the door for attacks
• Certain types of attacks, such as DNS rebinding, permit the host-name check to be partly subverted

Same-Origin Policy: Exceptions, Issues, and Workarounds
• Parent domain traversal
  – x.y.com can set its domain (document.domain) to y.com
  – Becomes problematic with international domains, where the "parent" may be a public suffix such as co.uk shared by unrelated sites; the document.domain setter is deprecated in current browsers for this reason
• Flash browser plugins
  – Allow cross-domain requests if permitted by a rule in crossdomain.xml
• Many vulnerabilities

Same-Origin Attacks
• Cross-site request forgery (CSRF)
  – A malicious site provides a form to the browser, and the browser can be made to submit the form to a trusted site with which the user has an active set of credentials
• Cross-site scripting (XSS; 41% of vulnerabilities reported in 2007, per http://www.webappsec.org/)
  – Exploits the trust a user places in a website
• Variants of cross-site scripting
  – Cross-site tracing: uses the HTTP TRACE method to echo back an attacker-controlled content body
  – Web cache poisoning: targets the local browser cache or (more often) a remote caching proxy
  – HTTP response splitting: injects text into the HTTP response header instead of the entity body

Cross-Site Request Forgery (CSRF, XSRF)
• The attacker posts a link to the malicious site on the targeted site
• The victim browses to the malicious website
• The malicious website entices the victim to submit a form whose action points to the target site
• The form submission is accepted if the victim is already authenticated to the target site
• The form submission modifies sensitive data (e.g. the
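The origin comparison behind the examples table and the parent-domain traversal exception, as an added example that is not part of the lecture slides. It computes the (scheme, host, port) tuple the policy compares, reproduces the table's reasons, and models the document.domain relaxation together with the public-suffix condition that the "international domains" problem calls for. The tiny PUBLIC_SUFFIXES set, the function names and the BASE/TABLE_URLS constants are assumptions made for this example; a real check needs the full Public Suffix List.

```javascript
// Added example, not from the lecture slides. Node.js; uses only the built-in
// WHATWG URL class.

// A URL with no explicit port is on its scheme's default port, so
// http://host/ and http://host:80/ are the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ftp:": "21" };

// Constructed, deliberately tiny stand-in for the Public Suffix List
// (publicsuffix.org); a real implementation must use the full list.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "uk", "co.uk"]);

function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                               // "http:", "ftp:", ...
    host: u.hostname,                                 // lower-cased, no port
    port: u.port || DEFAULT_PORTS[u.protocol] || "",  // "" = no known default
  };
}

// Strict same-origin check: all three components must be equal.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Shortest suffix of host that is not itself a public suffix ("example.com"
// for www.example.com, "b.co.uk" for a.b.co.uk); null if host is a public
// suffix and therefore has no registrable domain at all.
function registrableDomain(host) {
  const labels = host.split(".");
  for (let i = labels.length - 1; i >= 0; i--) {
    const suffix = labels.slice(i).join(".");
    if (!PUBLIC_SUFFIXES.has(suffix)) return suffix;
  }
  return null;
}

// Why target passes or fails against base, in the wording of the table
// ("Different server" = same registrable domain but another host).
function sameOriginReason(base, target) {
  const x = originOf(base), y = originOf(target);
  if (x.scheme !== y.scheme) return "Different protocol";
  if (x.host !== y.host) {
    const rx = registrableDomain(x.host), ry = registrableDomain(y.host);
    return rx !== null && rx === ry ? "Different server" : "Different domain";
  }
  if (x.port !== y.port) return "Different port";
  return "Passes";
}

// Parent domain traversal: a page at host may set document.domain to target
// only if target is a label-aligned suffix of host that still lies at or below
// the registrable domain. Without the last condition a.b.co.uk could claim
// "co.uk" and share scripts with every other site under .co.uk.
function mayRelaxDomainTo(host, target) {
  if (target === host) return true;
  if (!host.endsWith("." + target)) return false;
  const reg = registrableDomain(host);
  if (reg === null) return false;
  return target === reg || target.endsWith("." + reg);
}

// The six rows of the examples table, checked against http://www.example.com/.
const BASE = "http://www.example.com/";
const TABLE_URLS = [
  "http://www.example.com/index.html",
  "http://www.example.com/other1/other2/index.html",
  "http://www.example.com:81/dir/page.html",
  "http://www2.example.com/dir/page.html",
  "http://otherdomain.com/",
  "ftp://www.example.com/",
];

function checkTable() {
  return TABLE_URLS.map((u) => ({ url: u, reason: sameOriginReason(BASE, u) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of checkTable()) console.log(row.url.padEnd(48), row.reason);
  console.log("x.y.com -> y.com:", mayRelaxDomainTo("x.y.com", "y.com"));
  console.log("a.b.co.uk -> co.uk:", mayRelaxDomainTo("a.b.co.uk", "co.uk"));
}
```

Running the file prints the table with the same verdicts as the slide; the two document.domain lines show the legitimate x.y.com to y.com relaxation succeeding and the public-suffix relaxation being refused.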
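The HTTP response splitting variant listed under cross-site scripting, as an added example that is not part of the lecture slides: what "injecting text into the HTTP response header instead of the entity body" does to the byte stream a client or caching proxy reads, beside the header-value check that prevents it. The redirect handler, the attacker-controlled next parameter, the PAYLOAD string and the small response parser are all constructed for this example.

```javascript
// Added example, not from the lecture slides. Node.js, no dependencies.

// Vulnerable: an attacker-controlled value is concatenated into a header.
function buildRedirectUnsafe(next) {
  return "HTTP/1.1 302 Found\r\nLocation: " + next + "\r\nContent-Length: 0\r\n\r\n";
}

// The fix: no CR, LF or NUL may appear in a header value. (Node's own
// res.setHeader() enforces the same rule and throws ERR_INVALID_CHAR.)
function assertHeaderValue(value) {
  if (/[\r\n\0]/.test(value)) throw new Error("invalid character in header value");
  return value;
}

function buildRedirectSafe(next) {
  return "HTTP/1.1 302 Found\r\nLocation: " + assertHeaderValue(next) +
         "\r\nContent-Length: 0\r\n\r\n";
}

// Naive response parser of the kind a proxy or cache uses: head up to the
// blank line, then Content-Length bytes of body, repeated until the stream
// runs out or stops looking like HTTP.
function splitResponses(raw) {
  const responses = [];
  let rest = raw;
  for (;;) {
    rest = rest.replace(/^(\r\n)+/, "");            // skip stray line ends
    const end = rest.indexOf("\r\n\r\n");
    if (end < 0) break;
    const lines = rest.slice(0, end).split("\r\n");
    const statusLine = lines[0];
    if (!statusLine.startsWith("HTTP/")) break;
    const headers = {};
    for (const line of lines.slice(1)) {
      const i = line.indexOf(":");
      if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }
    const length = parseInt(headers["content-length"] || "0", 10);
    responses.push({ statusLine, headers, body: rest.slice(end + 4, end + 4 + length) });
    rest = rest.slice(end + 4 + length);
  }
  return responses;
}

// Constructed attacker input for a "?next=" redirect parameter: it closes the
// first response early and supplies a complete second response with an
// attacker-controlled body. A shared cache may store that second response for
// whatever URL is requested next, which is how splitting turns into web
// cache poisoning.
const INJECTED_BODY = "<script>alert(1)</script>";
const PAYLOAD =
  "/home\r\nContent-Length: 0\r\n\r\n" +
  "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n" +
  "Content-Length: " + INJECTED_BODY.length + "\r\n\r\n" + INJECTED_BODY;

// What the downstream parser sees for the vulnerable and the fixed handler.
function demo() {
  const unsafe = splitResponses(buildRedirectUnsafe(PAYLOAD));
  let safeError = null;
  try { buildRedirectSafe(PAYLOAD); } catch (e) { safeError = e.message; }
  return { unsafeResponseCount: unsafe.length, unsafe, safeError };
}

if (typeof require !== "undefined" && require.main === module) {
  const r = demo();
  console.log("responses seen after unsafe redirect:", r.unsafeResponseCount);
  console.log("second response body:", r.unsafe[1].body);
  console.log("safe handler:", r.safeError);
}
```

The one-byte-stream, two-responses outcome is the whole point: the parser returns a 302 with Location /home followed by a 200 whose body is the injected script, while the hardened handler refuses the value before any bytes are written.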
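The CSRF sequence of the last slide in code, as an added example that is not part of the lecture slides. A modelled browser attaches the victim's cookie for the target site to any form submission aimed at it, whichever site served the form, so a handler that checks only the cookie accepts the forged request. The hardened handler adds two checks the slides do not discuss: the request's Origin header must be the target itself, and the form must carry a per-session anti-CSRF token that only a same-origin page could have read. The session store, the /transfer route, the hostnames bank.example and evil.example, and all function names are constructed for this example.

```javascript
// Added example, not from the lecture slides. Node.js, built-in crypto only.
const crypto = require("crypto");

const TARGET = "https://bank.example";    // trusted site (constructed)
const ATTACKER = "https://evil.example";  // malicious site (constructed)

// cookie value -> session state
const sessions = new Map();

function login(user) {
  const sid = crypto.randomBytes(16).toString("hex");
  sessions.set(sid, { user, csrfToken: crypto.randomBytes(32).toString("hex") });
  return sid;
}

// What a legitimate page on TARGET embeds in its own form. It can read the
// token because it is same-origin with TARGET; a page on ATTACKER cannot.
function csrfTokenFor(sid) {
  return sessions.get(sid).csrfToken;
}

// The browser's part: the POST that submitting `form` on a page served by
// pageOrigin produces. The cookie for TARGET goes along in both cases; the
// Origin header records where the form really came from. (A SameSite=Lax
// cookie, Chrome's default since 2020, would be withheld on the cross-site
// POST; this models the classic behaviour the slides describe.)
function browserSubmit(pageOrigin, sid, form) {
  return { method: "POST", path: "/transfer",
           headers: { cookie: "sid=" + sid, origin: pageOrigin }, form };
}

function sessionFor(req) {
  const m = /(?:^|; )sid=([0-9a-f]+)/.exec(req.headers.cookie || "");
  return m ? sessions.get(m[1]) : undefined;
}

// Vulnerable: "the form submission is accepted if the victim is already
// authenticated to the target site".
function handleTransferVulnerable(req) {
  const sess = sessionFor(req);
  if (!sess) return { status: 401 };
  return { status: 200, from: sess.user, to: req.form.to, amount: Number(req.form.amount) };
}

// Hardened: same cookie check, then Origin check, then constant-time token check.
function handleTransferHardened(req) {
  const sess = sessionFor(req);
  if (!sess) return { status: 401 };
  if (req.headers.origin !== TARGET) return { status: 403, reason: "cross-site origin" };
  const sent = Buffer.from(String(req.form.csrf_token || ""));
  const want = Buffer.from(sess.csrfToken);
  if (sent.length !== want.length || !crypto.timingSafeEqual(sent, want)) {
    return { status: 403, reason: "missing or wrong CSRF token" };
  }
  return { status: 200, from: sess.user, to: req.form.to, amount: Number(req.form.amount) };
}

// The slide's sequence: the victim logs in to TARGET, then visits ATTACKER,
// which serves a form whose action points at TARGET/transfer.
function runScenario() {
  const sid = login("alice");
  const forged = browserSubmit(ATTACKER, sid, { to: "mallory", amount: "1000" });
  const genuine = browserSubmit(TARGET, sid,
    { to: "bob", amount: "10", csrf_token: csrfTokenFor(sid) });
  const stale = browserSubmit(TARGET, sid,
    { to: "bob", amount: "10", csrf_token: "0".repeat(64) });
  return {
    forgedVsVulnerable: handleTransferVulnerable(forged).status,  // 200: money moves
    forgedVsHardened: handleTransferHardened(forged).status,      // 403: origin check
    staleTokenVsHardened: handleTransferHardened(stale).status,   // 403: token check
    genuineVsHardened: handleTransferHardened(genuine).status,    // 200
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario());
}
```

The Origin check alone already stops the forged submission here; the token check is kept as well because older clients omit Origin and because it also defends against forms the attacker manages to plant on the target's own pages, which the Origin header cannot distinguish from genuine ones.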