Basic web security model
Elie Bursztein, CS155

Vulnerability Stats: web is "winning"
Source: MITRE CVE trends
• Majority of vulnerabilities now found in web software

Web security: two sides
• Web browser (client side)
  – Attacks target browser security weaknesses
  – Result in: malware installation (keyloggers, bot-nets), document theft from corporate network, loss of private data
• Web application code (server side)
  – Runs at web site: banks, e-merchants, blogs
  – Written in PHP, ASP, JSP, Ruby, …
  – Many potential bugs: XSS, XSRF, SQL injection
  – Attacks lead to stolen CC#, defaced sites

Credits
Adam Barth, Collin Jackson, John Mitchell, Dan Boneh and the entire websec team
http://crypto.stanford.edu/websec

Outline
• Web Refresher
• Security User Interface
  – Goals of a browser
  – When is it safe to type my password?
• Same-Origin Policy
  – How sites are isolated
  – Opting out of isolation
  – Frame hijacking
  – Navigation policy
  – Cookie security
• Browser security design

Web Refresher

HTTP protocol
• HTTP is widely used
• Simple
• Stateless
• Unencrypted

URLs
• Global identifiers of network-retrievable documents
• Example: http://stanford.edu:81/class?name=cs155#homework
  protocol = http, hostname = stanford.edu, port = 81, path = /class, query = name=cs155, fragment = homework
• Special characters are encoded as hex:
  – %0A = newline
  – %20 or + = space, %2B = + (special exception)

HTTP Request
• Method, file, HTTP version
• Headers
• Blank line
• Data (none for GET)
• GET: no side effect. POST: possible side effect.

GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

HTTP Response
• HTTP version, status code, reason phrase
• Headers
• Data
• Cookies

HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>

Security User Interface
When is it safe to type my password?

Safe to type your password?
(repeated over several screenshot slides; one is marked only with question marks)

Same-Origin Policy
How does the browser isolate different sites?

Policy Goals
• Safe to visit an evil web site
• Safe to visit two pages at the same time (address bar distinguishes them)
• Allow safe delegation

Components of browser security policy
• Frame to frame relationships
  – canScript(A,B): Can Frame A execute a script that reads or writes DOM elements of Frame B?
  – canNavigate(A,B): Can Frame A change the origin of content for Frame B?
• Frame to cookie relationships
  – readCookie(A,S), writeCookie(A,S): Can Frame A read/write cookies from origin S?
• SecurityIndicator(W) [SSL lock icon]: Is the security indicator displayed for window W?

Popup windows
• With hyperlinks: <a href="http://www.b.com" target="foo">click here</a>
• With JavaScript: mywin = window.open("http://www.b.com", "foo", "width=10,height=10")
• Navigating a named window re-uses the existing one
• Can access properties of the remote window:
  mywin.document.body
  mywin.location = "http://www.c.com";

Windows Interact

Are all interactions good?

Frames
• Modularity: brings together content from multiple sources; client-side aggregation
• Delegation: a frame can draw only on its own rectangle
  (example: src = 7.gmodules.com/..., name = remote_iframe_7; src = google.com/…, name = awglogin)

Frames and iFrames
• Address bar says nothing about origin of embedded content
• frames (ads), scripts, flash objects, CSS
  <iframe name=awglogin src="https://www.google.com/accounts/ServiceLoginBox" style="width:19em; height:16.4em">

Mashups: lots of frames (gadgets)

Need for isolation - mashups
• Malicious gadget should not affect other gadgets

Window Policy Anomaly
  top.frames[1].location = "http://www.attacker.com/...";
  top.frames[2].location = "http://www.attacker.com/...";
  ...

A Guninski Attack
  window.open("https://attacker.com/", "awglogin");

What should the policy be?
• Child
• Sibling
• Descendant
• Frame Bust

Browser          Policy
IE 6 (default)   Permissive
IE 6 (option)
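The deck states the pieces of the browser security model (URL components and percent-encoding, the origin that canScript compares, and the canNavigate policies) but only as bullet points. The following Python model is an added example, not code from the CS155 slides or from any browser: it parses the URL from the URLs slide, reduces URLs to (scheme, host, port) origins, builds a small frame tree around the awglogin iframe, and evaluates the Guninski window.open call under the Permissive, Descendant and Child policies. The policy semantics (permissive = anyone may navigate anyone; descendant = only frames nested under the caller; child = only direct children) are my reading of the Barth/Jackson/Mitchell navigation policies, and the frame names and the two-window scenario are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import urlsplit, unquote_plus

DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass(frozen=True)
class Origin:
    """A web origin is the (scheme, host, port) triple; path, query and fragment do not count."""
    scheme: str
    host: str
    port: int


def origin_of(url: str) -> Origin:
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return Origin(scheme, (parts.hostname or "").lower(), port)


def decode_query(query: str) -> Dict[str, str]:
    """Percent-decode a query string: %20 and '+' become a space, %2B stays a literal '+'."""
    out: Dict[str, str] = {}
    for pair in filter(None, query.split("&")):
        key, _, value = pair.partition("=")
        out[unquote_plus(key)] = unquote_plus(value)
    return out


def url_components(url: str) -> dict:
    """Split a URL into the parts named on the URLs slide."""
    parts = urlsplit(url)
    return {
        "protocol": parts.scheme,
        "hostname": parts.hostname,
        "port": parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme],
        "path": parts.path,
        "query": decode_query(parts.query),
        "fragment": parts.fragment,
    }


@dataclass
class Frame:
    """One node of a browser frame tree; a top-level window is a frame with no parent."""
    name: str
    origin: Origin
    parent: Optional["Frame"] = None
    children: List["Frame"] = field(default_factory=list)

    def add_child(self, child: "Frame") -> "Frame":
        child.parent = self
        self.children.append(child)
        return child

    def is_descendant_of(self, other: "Frame") -> bool:
        node = self.parent
        while node is not None:
            if node is other:
                return True
            node = node.parent
        return False


def can_script(a: Frame, b: Frame) -> bool:
    """canScript(A,B): DOM access is allowed only between same-origin frames."""
    return a.origin == b.origin


def can_navigate(a: Frame, b: Frame, policy: str) -> bool:
    """canNavigate(A,B) under three of the policies named on the slides (assumed semantics)."""
    if policy == "permissive":      # any frame may navigate any frame (IE 6 default)
        return True
    if policy == "descendant":      # A may navigate itself or any frame nested beneath it
        return b is a or b.is_descendant_of(a)
    if policy == "child":           # A may navigate only its direct children
        return b.parent is a
    raise ValueError(f"unknown policy {policy!r}")


def find_by_name(windows: List[Frame], name: str) -> Optional[Frame]:
    """window.open(url, name) resolves the target by name across every open window."""
    stack = list(windows)
    while stack:
        frame = stack.pop()
        if frame.name == name:
            return frame
        stack.extend(frame.children)
    return None


def guninski_navigation_allowed(policy: str) -> bool:
    """Does the attacker's window.open("...", "awglogin") from the slide get to navigate the login frame?"""
    # Constructed scenario: a Google page hosting the awglogin iframe plus a separate attacker window.
    google_top = Frame("top", origin_of("https://www.google.com/"))
    awglogin = google_top.add_child(
        Frame("awglogin", origin_of("https://www.google.com/accounts/ServiceLoginBox")))
    attacker = Frame("attacker", origin_of("https://attacker.com/"))
    target = find_by_name([google_top, attacker], "awglogin")
    return target is awglogin and can_navigate(attacker, target, policy)


if __name__ == "__main__":
    print(url_components("http://stanford.edu:81/class?name=cs155#homework"))
    for policy in ("permissive", "descendant", "child"):
        print(f"{policy:11s} attacker can navigate awglogin: {guninski_navigation_allowed(policy)}")
```

Running the script shows why the slide asks "what should the policy be?": the permissive policy lets a frame in an unrelated window replace the login iframe's content, while the descendant and child policies refuse the navigation because the attacker frame is not an ancestor of awglogin. The name lookup in find_by_name is the mechanism behind "navigating a named window re-uses the existing one" from the Popup windows slide.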