
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS - PowerPoint PPT Presentation



  1. CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits

  2. British Airways Hack
  - BA last week admitted that personal and payment card info for 380,000 customers had been swiped from its site between 21 August and 5 September. The airline said on Friday that an unnamed security partner detected the breach, which has already been resolved.
  - Security researcher Mustafa Al-Bassam said BA had switched around the third-party JavaScript code loaded onto its website in response to a privacy complaint he'd initiated. These changes – only applied in the month running up to the breach – related to running third-party ads and trackers (including LinkedIn, Twitter and DoubleClick) on a booking page.
  https://www.theregister.co.uk/2018/09/11/british_airways_website_scripts/

  3. British Airways Hack
  - Security experts are debating the cause of the British Airways mega-breach, with external scripts on its payment systems emerging as a prime suspect in the hack.
  - BA has said little related to the cause of the breach, much less who might have carried it out. Security vendor RiskIQ has advanced the theory that malicious code was planted on the airline's payments page, via a modified version of the Modernizr JavaScript library. To carry out the attack in this way, hackers would have had to modify JavaScript files without hobbling its core functionality.

  4. Magecart – 3rd Party
  - Magecart set up custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible.
  - While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial.

  5. Disassembling This (image slide)

  6. Disassembling This (image slide)

  7. Security Researchers Discussing on Twitter (image slide)

  8. Web Security: Web Attacker. Sets up a malicious site visited by the victim; no control of the network. (Diagram: attacker's site, Alice.)

  9. Network Security: Network Attacker. Intercepts and controls network communication. (Diagram: attacker on the network path, Alice.)

  10. Web Malware Attacker: Malware Attacker. Escapes the browser to wreak havoc on Alice's machine. (Diagram: attacker, Alice.)

  11. Web Threat Models
  - Web attacker
    - Controls https://attacker.com
    - Can obtain an SSL/TLS certificate for https://attacker.com
    - User visits attacker.com (or runs the attacker's Facebook app, etc.)
  - Network attacker
    - Passive: wireless eavesdropper
    - Active: evil router, DNS poisoning
  - Malware attacker
    - Attacker escapes the browser's isolation mechanisms and runs separately under control of the OS
    - This is what connects the world of web attacks to the low-level memory-based exploitation we've seen so far

  12. Cookies: Client State

  13. Cookies: Browser State
  HTTP is a stateless protocol; cookies add state.
  The server's response to the browser's POST carries an HTTP header:
      Set-Cookie: NAME=VALUE; domain=(who can read); expires=(when expires); secure=(only over SSL)
  If expires=NULL: this session only.
  The browser's later POST to the same server carries:
      Cookie: NAME=VALUE

  14. Cookie-Based Authentication (diagram: Browser, Web Server, Auth server)
  - Browser: POST login.cgi with username & pwd
  - Web server asks the Auth server to validate the user; the Auth server returns auth=val
  - Web server: Set-Cookie: auth=val; the browser stores val
  - Browser: GET restricted.html with Cookie: auth=val
  - Web server sends auth=val to the Auth server to check val; the Auth server answers YES/NO
  - If YES, the web server returns restricted.html

  15. Cookie Security Policy
  - Uses:
    - User authentication
    - Personalization
    - User tracking: e.g. DoubleClick (3rd-party cookies)
  - Browser will store:
    - At most 20 cookies/site, 3 KB/cookie
  - Origin is the tuple <domain, path>
  - Can set cookies valid across a domain suffix

  16. Cookies From www.marketplace.org (screenshot slide)

  17. Secure Cookies
  The server's response to the browser's GET carries an HTTP header:
      Set-Cookie: NAME=VALUE; Secure=true
  - Provides confidentiality against a network attacker
    - Browser will only send the cookie back over HTTPS
  - No integrity
    - Can rewrite secure cookies over HTTP
    - Network attacker can rewrite a secure cookie
    - Can log the user into the attacker's account

  18. A Real Secure Set-Cookie Request (screenshot slide)

  19. httpOnly Cookies
  The server's response to the browser's GET carries an HTTP header:
      Set-Cookie: NAME=VALUE; httpOnly
  - Cookie is sent over HTTP(S), but is not accessible to scripts
    - Cannot be read via document.cookie
  - Helps prevent cookie theft via XSS
  - ... but does not stop most other risks of XSS bugs

  20. Frame and Content Isolation

  21. Frame and IFRAME
  - Window may contain frames from different sources
    - Frame: rigid division as part of a frameset
    - iFrame: floating inline frame
  - iFrame example:
      <iframe src="hello.html" width=450 height=100>
        If you can see this, your browser doesn't understand IFRAME.
      </iframe>
  - Why use frames?
    - Delegate screen area to content from another source
    - Browser provides isolation based on frames
    - Parent may work even if a frame is broken

  22. Floating IFRAMEs (screenshot slide)

  23. Windows Interact. What? (diagram slide)

  24. Web vs. OS: An Analogy
  Operating system                    | Web browser
  ------------------------------------|------------------------------------
  Primitives:                         | Primitives:
    System calls                      |   Document object model (DOM)
    Processes                         |   Frames
    Disk                              |   Cookies / localStorage
  Principals: Users                   | Principals: "Origins"
  Discretionary access control        | Mandatory access control
  Low-level vulnerabilities:          | Application-level vulnerabilities:
    Buffer overflow                   |   Cross-site scripting
    Other memory issues               |   Cross-site request forgery
                                      |   SQL injection, etc.

  25. Policy Goals
  - Safe to visit a potentially evil web site
  - Safe to visit two pages at the same time
    - Address bar distinguishes them
  - Allow safe delegation

  26. Browser Security Mechanism (diagram: pages containing frames of origins A and B)
  - Each frame of a page has an origin
    - Origin = <protocol://host:port>
  - Frame can access its own origin
    - Network access, read/write DOM, storage (cookies)
  - Frame cannot access data associated with a different origin

  27. Origin Determination: http://www.example.com (diagram slide)

  28. Components of Browser Security Policy
  - Frame-frame relationships
    - canScript(A,B)
      - Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
    - canNavigate(A,B)
      - Can Frame A change the origin of content for Frame B?
  - Frame-principal relationships
    - readCookie(A,S), writeCookie(A,S)
      - Can Frame A read/write cookies from site S?
  See https://code.google.com/p/browsersec/wiki/Part1 and https://code.google.com/p/browsersec/wiki/Part2

  29. Library Import Excluded From SOP
      <script src="https://seal.verisign.com/getseal?host_name=a.com"></script>
  (Diagram: the VeriSign seal script loaded into the page.)
  The script has the privileges of the importing page, NOT the source server.
  - Can script other pages in this origin, load more scripts
  - Other forms of importing

  30. Domain Relaxation (diagram: www.facebook.com and chat.facebook.com each setting document.domain to facebook.com)
  - Origin: scheme, host, (port), hasSetDomain
  - Try document.domain = document.domain
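The origin tuple from slides 26 and 30 and the document.domain relaxation rule, including the "document.domain = document.domain" opt-in trick, as an added example that is not code from the slides; the frame origins are constructed and the public-suffix check is a simplification (assumption: a suffix must contain a dot).

```javascript
// Added example, not from the slides: the origin tuple <scheme, host, port,
// hasSetDomain> and the document.domain relaxation rule. Frames are constructed.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

// The origin the browser derives from a frame's URL; domain === null means
// the page has not set document.domain (hasSetDomain is false).
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname.toLowerCase(),
           port: u.port || DEFAULT_PORT[u.protocol], domain: null };
}

// document.domain may only be set to the page's own host or a suffix of it
// that is not a bare top-level label such as "com"; that rule is approximated
// here by requiring a dot in the value (assumption, not the real suffix list).
function setDocumentDomain(origin, value) {
  const v = value.toLowerCase();
  const ok = v === origin.host || (origin.host.endsWith('.' + v) && v.includes('.'));
  if (!ok) throw new Error(`cannot set document.domain to ${value} from ${origin.host}`);
  return { ...origin, domain: v }; // a copy with hasSetDomain now true
}

// canScript(A, B): may frame A touch frame B's DOM?
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.domain === null && b.domain === null)
    return a.host === b.host && a.port === b.port; // plain same-origin check
  if (a.domain === null || b.domain === null) return false; // only one side relaxed
  return a.domain === b.domain; // both relaxed: compare chosen domains, port ignored
}
```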

  31. Additional Mechanisms
  - Server: CORS (cross-origin network requests), diagram: Site A, Site B
      Access-Control-Allow-Origin: <list of domains>
      Access-Control-Allow-Origin: *
  - Client: cross-origin client-side communication, diagram: Site A context, Site B context
    - Client-side messaging via navigation (old browsers)
    - postMessage (modern browsers)

  32. iframes
  - Embed HTML documents in other documents
      <iframe name="myframe" src="http://www.google.com/">
        This text is ignored by most browsers.
      </iframe>

  33. Frame Busting
  - Goal: prevent a web page from loading in a frame
    - Example: opening the login page in a frame will display the correct passmark image
  - Frame busting:
      if (top != self)
        top.location.href = location.href

  34. Better Frame Busting
  - Problem: JavaScript onUnload event
      <body onUnload="javascript: cause_an_abort;">
  - Try this instead:
      if (top != self)
        top.location.href = location.href
      else { ... code of page here ... }

  35. Frame Busting via Headers
  Set X-Frame-Options to DENY or SAMEORIGIN.
      $ npm install busted
      var busted = require('busted');
      var URL = 'http://www.bbc.co.uk';
      busted.headersTest(URL, function(url, passed) {
        console.log(url + (passed ? ' passed ' : ' failed ') + 'the headers test.');
      });

  36. CSP and CORS

  37. CSP: Content Security Policy
  - Example 1: a server wants all content to come from its own domain:
      X-Content-Security-Policy: default-src 'self'
  - Example 2: an auction site wants to allow images from anywhere, plugin content from a list of trusted media providers including a content distribution network, and scripts only from a server under its control hosting sanitized JavaScript:
      X-Content-Security-Policy: default-src 'self'; img-src *; object-src media1.example.com media2.example.com *.cdn.example.com; script-src trustedscripts.example.com
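How a browser would evaluate the Example 2 policy above: an added example, not code from the slides, that parses the directives and applies the default-src fallback; it models only 'self', 'none', '*', exact hosts and *.host wildcards (nonces, hashes and scheme-only sources are assumed out of scope), and the page and resource URLs are constructed.

```javascript
// Added example, not from the slides: a small evaluator for the Example 2
// policy above. It models 'self', 'none', '*', exact hosts, *.host wildcards
// and the default-src fallback; nonces, hashes and scheme-only sources are not.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Does one source expression permit loading `resourceUrl` into a page at `pageOrigin`?
function sourceAllows(source, resourceUrl, pageOrigin) {
  if (source === '*') return true;
  if (source === "'none'") return false;
  if (source === "'self'") return resourceUrl.origin === pageOrigin;
  const m = /^(?:([a-z]+):\/\/)?([^/:]+)(?::(\d+))?$/i.exec(source); // [scheme://]host[:port]
  if (!m) return false;
  const [, scheme, hostPat, port] = m;
  if (scheme && scheme.toLowerCase() + ':' !== resourceUrl.protocol) return false;
  if (port && port !== resourceUrl.port) return false;
  const host = resourceUrl.hostname.toLowerCase(), pat = hostPat.toLowerCase();
  return pat.startsWith('*.') ? host.endsWith(pat.slice(1)) : host === pat;
}

// Fetch directive lookup: `type` is img, object, script, style, ...; an absent
// directive falls back to default-src, and no policy at all allows everything.
function cspAllows(policy, type, url, pageUrl) {
  const d = parseCsp(policy);
  const sources = d[type + '-src'] || d['default-src'] || ['*'];
  const resourceUrl = new URL(url);
  const pageOrigin = new URL(pageUrl).origin;
  return sources.some(s => sourceAllows(s, resourceUrl, pageOrigin));
}

// The auction-site policy from Example 2 on this slide.
const EXAMPLE_2 = "default-src 'self'; img-src *; " +
  "object-src media1.example.com media2.example.com *.cdn.example.com; " +
  "script-src trustedscripts.example.com";
```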
