Slide 1Reported Web Vulnerabilities "In the Wild"Slide 3Web vs System vulnerabilitiesWeb application vulnerabilitiesFive lectures on Web securityWeb programming pollGoals of web securitySlide 9Slide 10Web Threat ModelsMalware attackerOutlineHTTPURLsHTTP RequestHTTP ResponseRendering ContentRendering and eventsExampleExampleDocument Object Model (DOM)Changing HTML using Script, DOMHTML Image TagsImage tag security issuesJavaScript onErrorJavaScript timingPort scanning behind firewallRemote scriptingSimple remote scripting exampleIsolationFrame and iFrameWindows InteractAnalogyPolicy GoalsBrowser security mechanismComponents of browser security policyLibrary import excluded from SOPDomain RelaxationAdditional mechanismsCommunicationwindow.postMessagepostMessage syntaxWhy include “targetOrigin”?NavigationA Guninski AttackWhat should the policy be?Slide 48Window Policy AnomalySlide 50Slide 51Security User InterfaceSafe to type your password?Safe to type your password?Safe to type your password?Safe to type your password?Safe to type your password?Mixed Content: HTTP and HTTPSMixed content and network attacksLock Icon 2.0Finally: the status BarCookies: client stateCookiesCookie authenticationCookie Security PolicySecure CookieshttpOnly CookiesFrames and frame bustingFramesFrame BustingBetter Frame BustingSummaryBrowser Security ModelJohn MitchellCS155 Spring 2014Reported Web Vulnerabilities"In the Wild"Data from aggregator and validator of NVD-reported vulnerabilitiesWeb vs System vulnerabilitiesDecline in % web vulns since 200949% in 2010 -> 37% in 2011.Big decline in SQL Injection vulnerabilitiesXSS peakWeb application vulnerabilitiesFive lectures on Web securityBrowser security modelThe browser as an OS and execution platformProtocols, isolation, communication, …Web application securityApplication pitfalls and defensesAuthentication and session managementHow users authenticate to web sitesBrowser-server mechanisms for managing stateContent security policiesAdditional mechanisms for sandboxing and securityHTTPS: goals and pitfallsNetwork issues and browser protocol handlingThis two-week section could fill an entire courseWeb programming pollFamiliar with basic html?Developed a web application using:Apache? PHP? Ruby? Python? SQL?JavaScript? CSS?JSON?Know about: postMessage? NaCL? Webworkers? CSP?Resource: http://www.w3schools.com/Goals of web securitySafely browse the webUsers should be able to visit a variety of web sites, without incurring harm:No stolen information (without user’s permission)Site A cannot compromise session at Site BSupport secure web applicationsApplications delivered over the web should have the same security properties we require for stand-alone applicationsWeb AttackerSets up malicious site visited by victim; no control of networkAliceSystemWeb securityNetwork AttackerIntercepts and controls network communicationAliceSystemNetwork securityWeb Threat ModelsWeb attackerControl attacker.comCan obtain SSL/TLS certificate for attacker.comUser visits attacker.comOr: runs attacker’s Facebook app, etc.Network attackerPassive: Wireless eavesdropperActive: Evil router, DNS poisoningMalware attackerAttacker escapes browser isolation mechanisms and run separately under control of OSMalware attackerBrowsers may contain exploitable bugsOften enable remote code execution by web sitesGoogle study: [the ghost in the browser 2007]Found Trojans on 300,000 web pages (URLs)Found adware on 18,000 web pages (URLs)Even if browsers were bug-free, still lots of vulnerabilities on the webAll of the vulnerabilities on previous graph: XSS, SQLi, CSRF, …NOT OUR FOCUS IN THIS PART OF COURSEOutlineHttpRendering contentIsolationCommunicationNavigationSecurity User InterfaceCookiesFrames and frame bustingHTTPURLsGlobal identifiers of network-retrievable documents Example: http://stanford.edu:81/class?name=cs155#homeworkSpecial characters are encoded as hex:%0A = newline%20 or + = space, %2B = + (special exception)ProtocolHostnamePortPathQueryFragmentGET /index.html HTTP/1.1Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Host: www.example.comReferer: http://www.google.com?q=dingbatsHTTP RequestMethod File HTTP version HeadersData – none for GETBlank lineGET : no side effect POST : possible side effectHTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTSet-Cookie: …Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>HTTP ResponseHTTP version Status code Reason phraseHeadersDataCookiesRENDERING CONTENTRendering and eventsBasic browser execution modelEach browser window or frameLoads contentRenders itProcesses HTML and scripts to display pageMay involve images, subframes, etc. Responds to eventsEvents can beUser actions: OnClick, OnMouseoverRendering: OnLoad, OnBeforeUnload Timing: setTimeout(), clearTimeout()Example<html> <body> <div style="-webkit-transform: rotateY(30deg) rotateX(-30deg); width: 200px;"> I am a strange root. </div> </body> </html>Source: http://www.html5rocks.com/en/tutorials/speed/layers/Examplehttp://phet.colorado.edu/en/simulations/category/htmlDocument Object Model (DOM)Object-oriented interface used to read and write docsweb page in HTML is structured dataDOM provides representation of this hierarchyExamplesProperties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]Methods: document.write(document.referrer)Includes Browser Object Model (BOM)window, document, frames[], history, location, navigator (type and version of browser)Changing HTML using Script, DOMSome possibilitiescreateElement(elementName)createTextNode(text)appendChild(newChild)removeChild(node)Example: Add a new list item: var list = document.getElementById('t1') var newitem = document.createElement('li') var newtext = document.createTextNode(text) list.appendChild(newitem) newitem.appendChild(newtext)<ul id="t1"><li> Item 1 </li></ul>HTMLHTML Image Tags24Displays this nice picture Security issues?<html> … <p> … </p> …<img src=“http://example.com/sunset.gif”
View Full Document
Unlocking...