SlideShare a Scribd company logo

Chapter 13 web security

N
newbie2019

https://spada.teknokrat.ac.id Keamanan sistem informasi

Education
1 of 36
Download to read offline
INFORMATION SYSTEM SECURITY Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id Chapter 13
Outline HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery
Background • Many sensitive tasks are done through web – Online banking, online shopping – Database access – System administration • Web applications and web users are targets of many attacks – Cross site scripting – SQL injection – Cross site request forgery – Information leakage – Session hijacking
Web Browser and Network Browser Network • Browser sends requests • Web site sends response pages, which may include code • Interaction susceptible to network attacks OS Hardware Web site request reply
Web Security/Privacy Issues • Secure communications between client & server – HTTPS (HTTP over Secure Socket Layer) • User authentication & session management – Cookies & other methods • Active contents from different websites – Protecting resources maintained by browsers • Web application security • Web site authentication (e.g., anti-phishing) • Privacy concerns
HTTP: HyperText Transfer Protocol • Browser sends HTTP requests to the server – Methods: GET, POST, HEAD, … – GET: to retrieve a resource (html, image, script, css,…) – POST: to submit a form (login, register, …) – HEAD • Server replies with a HTTP response • Stateless request/response protocol – Each request is independent of previous requests – Statelessness has a significant impact on design and implementation of applications
Use Cookies to Store State Info • Cookies – A cookie is a name/value pair created by a website to store information on your computer Browser Server Enters form data Response + cookies Browser Server Request + cookies Returns data Http is stateless protocol; cookies add state
Cookies Fields An example cookie from my browser – Name session-token – Content "s7yZiOvFm4YymG….” – Domain .amazon.com – Path / – Send For Any type of connection – Expires Monday, September 08, 2031 7:19:41 PM
Cookies • Stored by the browser • Used by the web applications – used for authenticating, tracking, and maintaining specific information about users • e.g., site preferences, contents of shopping carts – data may be sensitive – may be used to gather information about specific users • Cookie ownership – Once a cookie is saved on your computer, only the website that created the cookie can read it
Web Authentication via Cookies • HTTP is stateless – How does the server recognize a user who has signed in? • Servers can use cookies to store state on client – After client successfully authenticates, server computes an authenticator and gives it to browser in a cookie • Client cannot forge authenticator on his own (session id) – With each request, browser presents the cookie – Server verifies the authenticator
A Typical Session with Cookies client server POST /login.cgi Set-Cookie:authenticator GET /restricted.html Cookie:authenticator Restricted content Verify that this client is authorized Check validity of authenticator Authenticators must be unforgeable and tamper-proof (malicious clients shouldn’t be able to modify an existing authenticator) How to design it?
Cross Site Scripting
Client Side Scripting • Web pages (HTML) can embed dynamic contents (code) that can be executed on the browser • JavaScript – embedded in web pages and executed inside browser • Java applets – small pieces of Java bytecodes that execute in browsers • Browser extensions (plug-ins) provide further client-side programming abilities – E.g., Flash
HTML and Scripting <html> … <P> <script> var num1, num2, sum num1 = prompt("Enter first number") num2 = prompt("Enter second number") sum = parseInt(num1) + parseInt(num2) alert("Sum = " + sum) </script> … </html> Browser receives content, display HTML and executes scripts
Scripts are Powerful • Client-side scripting is powerful and flexible, and can access the following resources – Local files on the client-side host • read / write local files – Webpage resources maintained by the browser • Cookies • Domain Object Model (DOM) objects – steal private information – control what users see – impersonate the user – Communicating with websites (via XMLHttpRequest)
Domain Object Model (DOM) Object-oriented model to represent webpages that allow programming access in Javascript
Browser as an Operating System • Web users visit multiple websites simultaneously • A browser serves web pages (which may contain programs) from different web domains – i.e., a browser runs programs provided by mutually untrusted entities – Running code one does not know/trust is dangerous – A browser also maintains resources created/updated by web domains • Browser must confine (sandbox) these scripts so that they cannot access arbitrary local resources • Browser must have a security policy to manage/protect browser-maintained resources and to provide separation among mutually untrusted scripts
Sandbox • A security mechanism for separating/limiting running programs – Running untrusted programs. • E.g., javascripts in webpages, mobile apps – Running programs that are likely to be exploited. • E.g., network daemon programs • Implementation: Clearly identify what resources a program needs and cut off the rest – Examples include operating system–level virtualization (such as Unix chroot), virtual machine monitors (VMMs), Java applets,
Same Origin Policy • The basic security model enforced in the browser • SoP isolates the scripts and resources downloaded from different origins – E.g., evil.org scripts cannot access bank.com resources • Use origin as the security principal – Note that the concept of user accounts does not apply here as security principals • Origin = domain name + protocol + port – all three must be equal for origin to be considered the same
Same Original Policy: What it Controls Same-origin policy applies to the following accesses: – manipulating browser windows – URLs requested via the XmlHttpRequest – manipulating frames (including inline frames) – manipulating documents (included using the object tag) – manipulating cookies
Problems with S-O Policy • Poorly enforced on some browsers – Particularly older browsers • Limitations if site hosts unrelated pages – Example: Web server often hosts sites for unrelated parties • http://www.example.com/account/ • http://www.example.com/otheraccount/ – Same-origin policy allows script on one page to access properties of document from another • Can be bypassed in Cross-Site-Scripting attacks • Usability: Sometimes prevents desirable cross-origin resource sharing
Browser Architecture: One Process versus Multiple Processes • Most processes (e.g., Firefox, Internet Explorer) use one process for a web browser – Multiple threads are used for rendering different webpages • Chrome uses multiple processes – Use OS protection mechanism to ensure that webpages from different sites cannot easily interact • Because they run in different processes – Reliability advantage: crashing in rendering one website doesn’t affect another – Security advantage: vulnerability in rendering does not compromise other sites; isolate plug-ins – Uses 3 types of processes: browser, renderers, plug-ins
Cross Site Scripting (XSS) • Recall the basics – scripts embedded in web pages run in browsers – scripts can access cookies • get private information – and manipulate DOM objects • controls what users see – scripts controlled by the same-origin policy • Why would XSS occur – Web applications often take user inputs and use them as part of webpage (these inputs can have scripts)
How XSS Works on Online Blog • Everyone can post comments, which will be displayed to everyone who view the post • Attacker posts a malicious comment that includes scripts (which reads local authentication credentials and send of to the attacker) • Anyone who view the post can have local authentication cookies stolen • Web apps will check that posts do not include scripts, but the check sometimes fail. • Bug in the web application. Attack happens in browser.
Effect of the Attack • Attacker can execute arbitrary scripts in browser • Can manipulate any DOM component on victim.com – Control links on page – Control form fields (e.g. password field) on this page and linked pages. • Can infect other users: MySpace.com worm.
MySpace.com (Samy worm) • Users can post HTML on their pages – MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> – However, attacker find out that a way to include Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> And can hide “javascript” as “javanscript” • With careful javascript hacking: – Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend. – Samy had millions of friends within 24 hours. • More info: http://namb.la/popular/tech.html
Avoiding XSS bugs (PHP) • Main problem: – Input checking is difficult --- many ways to inject scripts into HTML. • Preprocess input from user before echoing it • PHP: htmlspecialchars(string) &  &amp; "  &quot; '  &#039; <  &lt; >  &gt; – htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); Outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
Avoiding XSS bugs (ASP.NET) • ASP.NET 1.1: – Server.HtmlEncode(string) • Similar to PHP htmlspecialchars – validateRequest: (on by default) • Crashes page if finds <script> in POST data. • Looks for hardcoded list of patterns. • Can be disabled: <%@ Page validateRequest=“false" %>
Cross site request forgery
Cross site request forgery (abbrev. CSRF or XSRF) • Also known as one click attack or session riding • Effect: Transmits unauthorized commands from a user who has logged in to a website to the website. • Recall that a browser attaches cookies set by domain X to a request sent to domain X; the request may be from another domain – Site Y redirects you to facebook; if you already logged in, the cookie is attached by the browser
CSRF Explained • Example: – User logs in to bank.com. Forgets to sign off. – Session cookie remains in browser state – Then user visits another site containing: <form name=F action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.F.submit(); </script> – Browser sends user auth cookie with request • Transaction will be fulfilled • Problem: – The browser is a confused deputy; it is serving both the websites and the user and gets confused who initiated a request
Real World CSRF Vulnerabilities • Gmail • NY Times • ING Direct (4th largest saving bank in US) • YouTube • Various DSL Routers • Purdue WebMail • PEFCU • Purdue CS Portal • …
Prevention • Server side: – use cookie + hidden fields to authenticate a web form • hidden fields values need to be unpredictable and user- specific; thus someone forging the request need to guess the hidden field values – requires the body of the POST request to contain cookies • Since browser does not add the cookies automatically, malicious script needs to add the cookies, but they do not have access because of Same Origin Policy • User side: – logging off one site before using others – selective sending of authentication tokens with requests (may cause some disruption in using websites)
Coming Attractions … • More Web Security Issues – SQL injection – Side channel information leakage – Browser fingerprinting
What's Next ?
36

Recommended

Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 

Recommended

Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updatedInfosecTrain
 
Chapter 15 incident handling
Chapter 15 incident handlingChapter 15 incident handling
Chapter 15 incident handlingnewbie2019
 
Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017Web App Security Presentation by Ryan Holland - 05-31-2017
Web App Security Presentation by Ryan Holland - 05-31-2017TriNimbus
 
Mobile platform security models
Mobile platform security modelsMobile platform security models
Mobile platform security modelsG Prachi
 
Web application security part 02
Web application security part 02Web application security part 02
Web application security part 02G Prachi
 
Web Application Penetration Testing
Web Application Penetration Testing Web Application Penetration Testing
Web Application Penetration Testing Priyanka Aash
 
Threat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesThreat Modeling - Locking the Door to Vulnerabilities
Threat Modeling - Locking the Door to VulnerabilitiesSecurity Innovation
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01EduclentMegasoftel
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Database security for PHP
Database security for PHPDatabase security for PHP
Database security for PHPRohan Faye
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Cyber security for system design
Cyber security for system designCyber security for system design
Cyber security for system designTom Kaczmarek
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.pptssuserec53e73
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.pptssuserec53e73
 

More Related Content

What's hot

Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & ArchitecturePriyanka Aash
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)Michael Man
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapJerod Brennen
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The HorizonLalit Kale
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending ApplicationsMichael Coates
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareMichael Coates
 
Database security for PHP
Database security for PHPDatabase security for PHP
Database security for PHPRohan Faye
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security FrameworkJerod Brennen
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)abhimanyubhogwan
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksAPNIC
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingPriyanka Aash
 
Cyber security for system design
Cyber security for system designCyber security for system design
Cyber security for system designTom Kaczmarek
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationPriyanka Aash
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01G Prachi
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentationConfiz
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking AuthenticationSam Bowne
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4FRSecure
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationChris Gates
 

What's hot (20)

Ccna sec 01
Ccna sec 01Ccna sec 01
Ccna sec 01
 
Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture Understanding Application Threat Modelling & Architecture
Understanding Application Threat Modelling & Architecture
 
5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)5 things i wish i knew about sast (DSO-LG July 2021)
5 things i wish i knew about sast (DSO-LG July 2021)
 
Bridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit GapBridging the Social Media Implementation/Audit Gap
Bridging the Social Media Implementation/Audit Gap
 
Application Security-Understanding The Horizon
Application Security-Understanding The HorizonApplication Security-Understanding The Horizon
Application Security-Understanding The Horizon
 
Self Defending Applications
Self Defending ApplicationsSelf Defending Applications
Self Defending Applications
 
Security in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of SoftwareSecurity in an Interconnected and Complex World of Software
Security in an Interconnected and Complex World of Software
 
Database security for PHP
Database security for PHPDatabase security for PHP
Database security for PHP
 
Common Sense Security Framework
Common Sense Security FrameworkCommon Sense Security Framework
Common Sense Security Framework
 
Threat modelling(system + enterprise)
Threat modelling(system + enterprise)Threat modelling(system + enterprise)
Threat modelling(system + enterprise)
 
Cambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacksCambodia CERT Seminar: Incident response for ransomeware attacks
Cambodia CERT Seminar: Incident response for ransomeware attacks
 
Application Security Architecture and Threat Modelling
Application Security Architecture and Threat ModellingApplication Security Architecture and Threat Modelling
Application Security Architecture and Threat Modelling
 
Cyber security for system design
Cyber security for system designCyber security for system design
Cyber security for system design
 
Wfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security InnovationWfh security risks - Ed Adams, President, Security Innovation
Wfh security risks - Ed Adams, President, Security Innovation
 
Web application security part 01
Web application security part 01Web application security part 01
Web application security part 01
 
Security testing presentation
Security testing presentationSecurity testing presentation
Security testing presentation
 
Ch 6: Attacking Authentication
Ch 6: Attacking AuthenticationCh 6: Attacking Authentication
Ch 6: Attacking Authentication
 
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training SessionInfocyte - Digital Forensics and Incident Response (DFIR) Training Session
Infocyte - Digital Forensics and Incident Response (DFIR) Training Session
 
Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4Slide Deck CISSP Class Session 4
Slide Deck CISSP Class Session 4
 
Client-Side Penetration Testing Presentation
Client-Side Penetration Testing PresentationClient-Side Penetration Testing Presentation
Client-Side Penetration Testing Presentation
 

Similar to Chapter 13 web security

15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.pptshatrutrial44
 
www.webre24h.com - Ajax security
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax securitywebre24h
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)Sam Bowne
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptxssuserec53e73
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresRoel Palmaers
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101 Stormpath
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)Sam Bowne
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterMichael Coates
 
Web browser architecture.87 to 88
Web browser architecture.87 to 88Web browser architecture.87 to 88
Web browser architecture.87 to 88myrajendra
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfnanangAris1
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...nooralmousa
 

Similar to Chapter 13 web security (20)

14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
14_526_topic11.ppt
14_526_topic11.ppt14_526_topic11.ppt
14_526_topic11.ppt
 
15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt15_526_topic11 for topics for students.ppt
15_526_topic11 for topics for students.ppt
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
www.webre24h.com - Ajax security
www.webre24h.com - Ajax securitywww.webre24h.com - Ajax security
www.webre24h.com - Ajax security
 
Cos 432 web_security
Cos 432 web_securityCos 432 web_security
Cos 432 web_security
 
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
CNIT 129S: 12: Attacking Users: Cross-Site Scripting (Part 1 of 2)
 
02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx02-browser-sec-model-sop.pptx
02-browser-sec-model-sop.pptx
 
Isys20261 lecture 09
Isys20261 lecture 09Isys20261 lecture 09
Isys20261 lecture 09
 
Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Web Security
Web SecurityWeb Security
Web Security
 
Chrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasuresChrome extensions threat analysis and countermeasures
Chrome extensions threat analysis and countermeasures
 
Browser Security 101
Browser Security 101 Browser Security 101
Browser Security 101
 
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
CNIT 129S: 13: Attacking Users: Other Techniques (Part 2 of 2)
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Web browser architecture.87 to 88
Web browser architecture.87 to 88Web browser architecture.87 to 88
Web browser architecture.87 to 88
 
Secure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdfSecure Coding BSSN Semarang Material.pdf
Secure Coding BSSN Semarang Material.pdf
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...Mr. Mohammed Aldoub - A case study of django web applications that are secur...
Mr. Mohammed Aldoub - A case study of django web applications that are secur...
 

More from newbie2019

Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedurenewbie2019
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensiknewbie2019
 
Pendahuluan it forensik
Pendahuluan it forensikPendahuluan it forensik
Pendahuluan it forensiknewbie2019
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injectionnewbie2019
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information Systemnewbie2019
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2newbie2019
 
Iso iec 27000_2018
Iso iec 27000_2018Iso iec 27000_2018
Iso iec 27000_2018newbie2019
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessnewbie2019
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standartnewbie2019
 
Chapter 8 cryptography lanjutan
Chapter 8 cryptography lanjutanChapter 8 cryptography lanjutan
Chapter 8 cryptography lanjutannewbie2019
 
Pertemuan 7 cryptography
Pertemuan 7 cryptographyPertemuan 7 cryptography
Pertemuan 7 cryptographynewbie2019
 
Chapter 6 information hiding (steganography)
Chapter 6 information hiding (steganography)Chapter 6 information hiding (steganography)
Chapter 6 information hiding (steganography)newbie2019
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attacknewbie2019
 
Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack newbie2019
 
Chapter 3 security principals
Chapter 3 security principalsChapter 3 security principals
Chapter 3 security principalsnewbie2019
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanannewbie2019
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1newbie2019
 
Chapter 1 introduction
Chapter 1 introductionChapter 1 introduction
Chapter 1 introductionnewbie2019
 
CCNA RSE Routing concept
CCNA RSE Routing conceptCCNA RSE Routing concept
CCNA RSE Routing conceptnewbie2019
 

More from newbie2019 (20)

Digital forensic principles and procedure
Digital forensic principles and procedureDigital forensic principles and procedure
Digital forensic principles and procedure
 
Fundamental digital forensik
Fundamental digital forensikFundamental digital forensik
Fundamental digital forensik
 
Pendahuluan it forensik
Pendahuluan it forensikPendahuluan it forensik
Pendahuluan it forensik
 
Chapter 14 sql injection
Chapter 14 sql injectionChapter 14 sql injection
Chapter 14 sql injection
 
NIST Framework for Information System
NIST Framework for Information SystemNIST Framework for Information System
NIST Framework for Information System
 
Nist.sp.800 37r2
Nist.sp.800 37r2Nist.sp.800 37r2
Nist.sp.800 37r2
 
Iso iec 27000_2018
Iso iec 27000_2018Iso iec 27000_2018
Iso iec 27000_2018
 
Chapter 12 iso 27001 awareness
Chapter 12 iso 27001 awarenessChapter 12 iso 27001 awareness
Chapter 12 iso 27001 awareness
 
Chapter 10 security standart
Chapter 10 security standartChapter 10 security standart
Chapter 10 security standart
 
Chapter 8 cryptography lanjutan
Chapter 8 cryptography lanjutanChapter 8 cryptography lanjutan
Chapter 8 cryptography lanjutan
 
Pertemuan 7 cryptography
Pertemuan 7 cryptographyPertemuan 7 cryptography
Pertemuan 7 cryptography
 
Chapter 6 information hiding (steganography)
Chapter 6 information hiding (steganography)Chapter 6 information hiding (steganography)
Chapter 6 information hiding (steganography)
 
Vulnerability threat and attack
Vulnerability threat and attackVulnerability threat and attack
Vulnerability threat and attack
 
Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack Chapter 4 vulnerability threat and attack
Chapter 4 vulnerability threat and attack
 
C02
C02C02
C02
 
Chapter 3 security principals
Chapter 3 security principalsChapter 3 security principals
Chapter 3 security principals
 
Chapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamananChapter 2 konsep dasar keamanan
Chapter 2 konsep dasar keamanan
 
Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1Fundamentals of information systems security ( pdf drive ) chapter 1
Fundamentals of information systems security ( pdf drive ) chapter 1
 
Chapter 1 introduction
Chapter 1 introductionChapter 1 introduction
Chapter 1 introduction
 
CCNA RSE Routing concept
CCNA RSE Routing conceptCCNA RSE Routing concept
CCNA RSE Routing concept
 

Recently uploaded

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104misteraugie
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...fonyou31
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfsanyamsingh5019
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajanpragatimahajan3
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityGeoBlogs
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room servicediscovermytutordmt
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Sapana Sha
 

Recently uploaded (20)

The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptxINDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
INDIA QUIZ 2024 RLAC DELHI UNIVERSITY.pptx
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104Nutritional Needs Presentation - HLTH 104
Nutritional Needs Presentation - HLTH 104
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 
Paris 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activityParis 2024 Olympic Geographies - an activity
Paris 2024 Olympic Geographies - an activity
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global Impact
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impact
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111Call Girls in Dwarka Mor Delhi Contact Us 9654467111
Call Girls in Dwarka Mor Delhi Contact Us 9654467111
 

Chapter 13 web security

  • 1. INFORMATION SYSTEM SECURITY Jupriyadi, S.Kom. M.T. jupriyadi@teknokrat.ac.id Chapter 13
  • 2. Outline HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery
  • 3. Background • Many sensitive tasks are done through web – Online banking, online shopping – Database access – System administration • Web applications and web users are targets of many attacks – Cross site scripting – SQL injection – Cross site request forgery – Information leakage – Session hijacking
  • 4. Web Browser and Network Browser Network • Browser sends requests • Web site sends response pages, which may include code • Interaction susceptible to network attacks OS Hardware Web site request reply
  • 5. Web Security/Privacy Issues • Secure communications between client & server – HTTPS (HTTP over Secure Socket Layer) • User authentication & session management – Cookies & other methods • Active contents from different websites – Protecting resources maintained by browsers • Web application security • Web site authentication (e.g., anti-phishing) • Privacy concerns
  • 6. HTTP: HyperText Transfer Protocol • Browser sends HTTP requests to the server – Methods: GET, POST, HEAD, … – GET: to retrieve a resource (html, image, script, css,…) – POST: to submit a form (login, register, …) – HEAD • Server replies with a HTTP response • Stateless request/response protocol – Each request is independent of previous requests – Statelessness has a significant impact on design and implementation of applications
  • 7. Use Cookies to Store State Info • Cookies – A cookie is a name/value pair created by a website to store information on your computer Browser Server Enters form data Response + cookies Browser Server Request + cookies Returns data Http is stateless protocol; cookies add state
  • 8. Cookies Fields An example cookie from my browser – Name session-token – Content "s7yZiOvFm4YymG….” – Domain .amazon.com – Path / – Send For Any type of connection – Expires Monday, September 08, 2031 7:19:41 PM
  • 9. Cookies • Stored by the browser • Used by the web applications – used for authenticating, tracking, and maintaining specific information about users • e.g., site preferences, contents of shopping carts – data may be sensitive – may be used to gather information about specific users • Cookie ownership – Once a cookie is saved on your computer, only the website that created the cookie can read it
  • 10. Web Authentication via Cookies • HTTP is stateless – How does the server recognize a user who has signed in? • Servers can use cookies to store state on client – After client successfully authenticates, server computes an authenticator and gives it to browser in a cookie • Client cannot forge authenticator on his own (session id) – With each request, browser presents the cookie – Server verifies the authenticator
  • 11. A Typical Session with Cookies client server POST /login.cgi Set-Cookie:authenticator GET /restricted.html Cookie:authenticator Restricted content Verify that this client is authorized Check validity of authenticator Authenticators must be unforgeable and tamper-proof (malicious clients shouldn’t be able to modify an existing authenticator) How to design it?
  • 13. Client Side Scripting • Web pages (HTML) can embed dynamic contents (code) that can be executed on the browser • JavaScript – embedded in web pages and executed inside browser • Java applets – small pieces of Java bytecodes that execute in browsers • Browser extensions (plug-ins) provide further client-side programming abilities – E.g., Flash
  • 14. HTML and Scripting <html> … <P> <script> var num1, num2, sum num1 = prompt("Enter first number") num2 = prompt("Enter second number") sum = parseInt(num1) + parseInt(num2) alert("Sum = " + sum) </script> … </html> Browser receives content, display HTML and executes scripts
  • 15. Scripts are Powerful • Client-side scripting is powerful and flexible, and can access the following resources – Local files on the client-side host • read / write local files – Webpage resources maintained by the browser • Cookies • Domain Object Model (DOM) objects – steal private information – control what users see – impersonate the user – Communicating with websites (via XMLHttpRequest)
  • 16. Domain Object Model (DOM) Object-oriented model to represent webpages that allow programming access in Javascript
  • 17. Browser as an Operating System • Web users visit multiple websites simultaneously • A browser serves web pages (which may contain programs) from different web domains – i.e., a browser runs programs provided by mutually untrusted entities – Running code one does not know/trust is dangerous – A browser also maintains resources created/updated by web domains • Browser must confine (sandbox) these scripts so that they cannot access arbitrary local resources • Browser must have a security policy to manage/protect browser-maintained resources and to provide separation among mutually untrusted scripts
  • 18. Sandbox • A security mechanism for separating/limiting running programs – Running untrusted programs. • E.g., javascripts in webpages, mobile apps – Running programs that are likely to be exploited. • E.g., network daemon programs • Implementation: Clearly identify what resources a program needs and cut off the rest – Examples include operating system–level virtualization (such as Unix chroot), virtual machine monitors (VMMs), Java applets,
  • 19. Same Origin Policy • The basic security model enforced in the browser • SoP isolates the scripts and resources downloaded from different origins – E.g., evil.org scripts cannot access bank.com resources • Use origin as the security principal – Note that the concept of user accounts does not apply here as security principals • Origin = domain name + protocol + port – all three must be equal for origin to be considered the same
  • 20. Same Original Policy: What it Controls Same-origin policy applies to the following accesses: – manipulating browser windows – URLs requested via the XmlHttpRequest – manipulating frames (including inline frames) – manipulating documents (included using the object tag) – manipulating cookies
  • 21. Problems with S-O Policy • Poorly enforced on some browsers – Particularly older browsers • Limitations if site hosts unrelated pages – Example: Web server often hosts sites for unrelated parties • http://www.example.com/account/ • http://www.example.com/otheraccount/ – Same-origin policy allows script on one page to access properties of document from another • Can be bypassed in Cross-Site-Scripting attacks • Usability: Sometimes prevents desirable cross-origin resource sharing
  • 22. Browser Architecture: One Process versus Multiple Processes • Most processes (e.g., Firefox, Internet Explorer) use one process for a web browser – Multiple threads are used for rendering different webpages • Chrome uses multiple processes – Use OS protection mechanism to ensure that webpages from different sites cannot easily interact • Because they run in different processes – Reliability advantage: crashing in rendering one website doesn’t affect another – Security advantage: vulnerability in rendering does not compromise other sites; isolate plug-ins – Uses 3 types of processes: browser, renderers, plug-ins
  • 23. Cross Site Scripting (XSS) • Recall the basics – scripts embedded in web pages run in browsers – scripts can access cookies • get private information – and manipulate DOM objects • controls what users see – scripts controlled by the same-origin policy • Why would XSS occur – Web applications often take user inputs and use them as part of webpage (these inputs can have scripts)
  • 24. How XSS Works on Online Blog • Everyone can post comments, which will be displayed to everyone who view the post • Attacker posts a malicious comment that includes scripts (which reads local authentication credentials and send of to the attacker) • Anyone who view the post can have local authentication cookies stolen • Web apps will check that posts do not include scripts, but the check sometimes fail. • Bug in the web application. Attack happens in browser.
  • 25. Effect of the Attack • Attacker can execute arbitrary scripts in browser • Can manipulate any DOM component on victim.com – Control links on page – Control form fields (e.g. password field) on this page and linked pages. • Can infect other users: MySpace.com worm.
  • 26. MySpace.com (Samy worm) • Users can post HTML on their pages – MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> – However, attacker find out that a way to include Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> And can hide “javascript” as “javanscript” • With careful javascript hacking: – Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend. – Samy had millions of friends within 24 hours. • More info: http://namb.la/popular/tech.html
  • 27. Avoiding XSS bugs (PHP) • Main problem: – Input checking is difficult --- many ways to inject scripts into HTML. • Preprocess input from user before echoing it • PHP: htmlspecialchars(string) &  &amp; "  &quot; '  &#039; <  &lt; >  &gt; – htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES); Outputs: &lt;a href=&#039;test&#039;&gt;Test&lt;/a&gt;
  • 28. Avoiding XSS bugs (ASP.NET) • ASP.NET 1.1: – Server.HtmlEncode(string) • Similar to PHP htmlspecialchars – validateRequest: (on by default) • Crashes page if finds <script> in POST data. • Looks for hardcoded list of patterns. • Can be disabled: <%@ Page validateRequest=“false" %>
  • 30. Cross site request forgery (abbrev. CSRF or XSRF) • Also known as one click attack or session riding • Effect: Transmits unauthorized commands from a user who has logged in to a website to the website. • Recall that a browser attaches cookies set by domain X to a request sent to domain X; the request may be from another domain – Site Y redirects you to facebook; if you already logged in, the cookie is attached by the browser
  • 31. CSRF Explained • Example: – User logs in to bank.com. Forgets to sign off. – Session cookie remains in browser state – Then user visits another site containing: <form name=F action=http://bank.com/BillPay.php> <input name=recipient value=badguy> … <script> document.F.submit(); </script> – Browser sends user auth cookie with request • Transaction will be fulfilled • Problem: – The browser is a confused deputy; it is serving both the websites and the user and gets confused who initiated a request
  • 32. Real World CSRF Vulnerabilities • Gmail • NY Times • ING Direct (4th largest saving bank in US) • YouTube • Various DSL Routers • Purdue WebMail • PEFCU • Purdue CS Portal • …
  • 33. Prevention • Server side: – use cookie + hidden fields to authenticate a web form • hidden fields values need to be unpredictable and user- specific; thus someone forging the request need to guess the hidden field values – requires the body of the POST request to contain cookies • Since browser does not add the cookies automatically, malicious script needs to add the cookies, but they do not have access because of Same Origin Policy • User side: – logging off one site before using others – selective sending of authentication tokens with requests (may cause some disruption in using websites)
  • 34. Coming Attractions … • More Web Security Issues – SQL injection – Side channel information leakage – Browser fingerprinting
  • 36. 36