
CSE484/CSE584 Basic Web Security Model, Dr. Benjamin Livshits (PowerPoint PPT presentation)



  1. CSE484/CSE584 BASIC WEB SECURITY MODEL Dr. Benjamin Livshits

  2. Isolation

  3. Frame and IFRAME
      Window may contain frames from different sources
      Frame: rigid division as part of a frameset
      iFrame: floating inline frame
      iFrame example: <iframe src="hello.html" width=450 height=100>If you can see this, your browser doesn't understand IFRAME.</iframe>
      Why use frames?
       Delegate screen area to content from another source
       Browser provides isolation based on frames
       Parent may keep working even if the frame is broken

  4. Floating IFRAMEs

  5. At Least a Handful of IFRAMEs is Common

  6. Windows Interact

  7. Web vs. OS: An Analogy
      Operating system                       Web browser
       Primitives                            Primitives
        System calls                          Document object model (DOM)
        Processes                             Frames
        Disk                                  Cookies / localStorage
       Principals: Users                     Principals: "Origins"
       Low-level vulnerabilities             Application-level vulnerabilities
        Buffer overflow                       Cross-site scripting
        Other memory issues                   Cross-site request forgery
                                              SQL injection
                                              etc.

  8. Side-by-Side vs. Embedded in a Page
      Two independent windows …or frames …or browser instances
      Interesting interactions between them

  9. Frame Embedding

  10. Browser Security Mechanism (figure: a page from origin A embedding frames from A and B)
      Each frame of a page has an origin
      Origin = <protocol://host:port>
      Frame can access its own origin: network access, read/write DOM, storage (cookies)
      Frame cannot access data associated with a different origin

  11. Origin Determination: http://www.example.com

  12. SOP For the DOM
      With no additional qualifiers, the term "same-origin policy" most commonly refers to a mechanism that governs the ability for JavaScript and other scripting languages to access DOM properties and methods across domains (reference). In essence, the model boils down to this three-step decision process:
      1) If protocol, host name and port number for two interacting pages match, access is granted with no further checks.
      2) Any page may set the document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., foo.bar.example.com may set it to example.com, but not apple.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.
      3) If neither of the above conditions is satisfied, access is denied.

  13. Domain Relaxation
      Example: www.facebook.com and chat.facebook.com cannot touch each other's DOM; once both set document.domain = "facebook.com" they can
      Effective origin: <scheme, host, (port), hasSetDomain>
      Try document.domain = document.domain: assigning it even to its own value flips hasSetDomain, so the page no longer matches a same-host page that never set it
      Caveat for today's practitioner: document.domain relaxation is deprecated; Chrome 115 (2023) ignores it by default unless the site sends Origin-Agent-Cluster: ?0, so treat it as legacy and use postMessage instead
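Slides 12 and 13 describe the DOM access decision as a procedure; the Python below is an added model of it, not code from the lecture. The `Page` class is a constructed stand-in for a browsing context. Step 2 follows the HTML specification's current "same origin-domain" rule: once document.domain has been set, scheme and effective domain must match, both sides must have set it, and the port is no longer compared. The public-suffix check real browsers perform (refusing e.g. "co.uk") is omitted.

```python
from urllib.parse import urlsplit


class Page:
    """Constructed model of a browsing context: its URL plus whatever the page
    assigned to document.domain (None if it never touched it)."""

    def __init__(self, url, set_domain=None):
        parts = urlsplit(url)
        self.scheme = parts.scheme
        self.host = parts.hostname
        self.port = parts.port          # None when the URL carries no explicit port
        self.domain = None              # the 'hasSetDomain' flag is 'domain is not None'
        if set_domain is not None:
            self.set_document_domain(set_domain)

    def set_document_domain(self, value):
        """Emulate 'document.domain = value': allowed only for the host itself or a
        right-hand, fully-qualified fragment of it (foo.bar.example.com may pick
        example.com, never apple.com). Public-suffix rejection is not modelled."""
        if value != self.host and not self.host.endswith("." + value):
            raise ValueError(
                f"SecurityError: {self.host!r} may not set document.domain to {value!r}")
        self.domain = value


def origin(page):
    """Step 1's origin tuple: <protocol, host, port>."""
    return (page.scheme, page.host, page.port)


def dom_access_allowed(a, b):
    """Three-step decision from slide 12, refined by the HTML spec's
    'same origin-domain' rule for the document.domain case."""
    # Step 1: neither page touched document.domain -> plain origin tuple match.
    if a.domain is None and b.domain is None:
        return origin(a) == origin(b)
    # Step 2: both set it, to the same value, with the same scheme -> granted.
    # The port is deliberately not compared once domains are in play.
    if a.domain is not None and b.domain is not None:
        return a.scheme == b.scheme and a.domain == b.domain
    # Step 3 (the slide-13 gotcha): one side set it and the other did not ->
    # denied, even if the two pages started out same-origin.
    return False


if __name__ == "__main__":
    www = Page("http://www.facebook.com/", "facebook.com")
    chat = Page("http://chat.facebook.com/", "facebook.com")
    print("relaxed access:", dom_access_allowed(www, chat))
    print("one-sided set: ", dom_access_allowed(www, Page("http://chat.facebook.com/")))
```

The one-sided case is the one worth remembering: a page that sets document.domain, even to its own host name, drops out of the same-origin set of every sibling page that did not.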

  14. SOP Policy For Cookies: It's Complicated (see https://code.google.com/p/browsersec/wiki/Part2)

  15. Script Inclusion Excluded From SOP
      On www.example.com: <script src="http://ajax.aspnetcdn.com/ajax/jquery.validate/1.11.0/jquery.validate.min.js"></script>
      Why is this a good idea?
      Why is this a bad idea?
       The script runs with the privileges of the importing page, NOT the source server
       It can script other pages in this origin and load more scripts
       Other forms of importing behave the same way
      Practitioner's check: pin third-party scripts with Subresource Integrity (an integrity attribute carrying the expected hash, plus crossorigin) so a modified CDN copy is refused

  16. SOP: More Details
      Same-origin policy for DOM access
      Same-origin policy for XMLHttpRequest
      Same-origin policy for cookies
      Same-origin policy for Flash
      Same-origin policy for Java
      Same-origin policy for Silverlight
      Same-origin policy for Gears
      Origin inheritance rules

  17. Remote Scripting and Cross-Domain Access

  18. Additional Mechanisms (figure: Site A context talking to Site B)
      Cross-origin network requests: the server at Site B opts in per response with Access-Control-Allow-Origin: <one origin> or Access-Control-Allow-Origin: * (the header carries a single origin, not a list; to admit several origins, echo the requesting origin and add Vary: Origin)
      Cross-origin client-side communication: client-side messaging via navigation (old browsers), postMessage (modern browsers)

  19. Cross-Domain Request
      For example, suppose web content on domain http://foo.example.com wishes to invoke content on domain http://bar.other.com
      Code of this sort might be used within JavaScript deployed on http://foo.example.com

  20. Cross-Domain GET Request
      (figure: the headers Firefox sends as part of the request, including the Origin header, and the response's Access-Control-Allow-Origin: *, meaning the resource can be accessed by any domain in a cross-site manner)

  21. Pre-Flighting
      Lets the browser pre-flight a cross-domain request (an OPTIONS request carrying Access-Control-Request-Method and Access-Control-Request-Headers) to see whether it is allowed
      The server answers with which methods and headers it supports for that origin; only then is the real request sent
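Slides 18 to 21 describe the server side of a cross-origin request. The Python below is an added model of the decision a resource on bar.other.com would make for a simple request and for a preflight; it is not code from the lecture or from any CORS library. ALLOWED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS and the Max-Age value are constructed, and request headers are passed as a plain dict standing in for a real server's request object.

```python
# Constructed policy for the resource on bar.other.com (not from the slides).
ALLOWED_ORIGINS = {"http://foo.example.com"}
ALLOWED_METHODS = {"GET", "POST"}
ALLOWED_HEADERS = {"content-type", "x-pingother"}


def cors_headers(request_headers, method, allow_credentials=False):
    """Return (status, response_headers) for one request.

    Header names are matched case-insensitively, as HTTP requires. The
    Access-Control-Allow-Origin value is always the single requesting origin,
    never a list, and never '*' when credentials are allowed."""
    h = {k.lower(): v for k, v in request_headers.items()}
    origin = h.get("origin")
    if origin is None:
        # No Origin header: same-origin navigation or a non-browser client.
        # Nothing to decide; the same-origin policy never applied.
        return 200, {}
    if origin not in ALLOWED_ORIGINS:
        # Omitting Access-Control-Allow-Origin is enough for the browser to
        # block the response; refusing outright also keeps the server's logs honest.
        return 403, {}

    resp = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    if allow_credentials:
        # With cookies in play the exact origin must be echoed; '*' is rejected
        # by browsers in combination with credentials.
        resp["Access-Control-Allow-Credentials"] = "true"

    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: the browser asks whether the *real* request's method and
        # non-simple headers are acceptable before sending it.
        wanted_method = h["access-control-request-method"].upper()
        wanted_headers = {x.strip().lower()
                          for x in h.get("access-control-request-headers", "").split(",")
                          if x.strip()}
        if wanted_method not in ALLOWED_METHODS or not wanted_headers <= ALLOWED_HEADERS:
            return 403, resp
        resp["Access-Control-Allow-Methods"] = ", ".join(sorted(ALLOWED_METHODS))
        resp["Access-Control-Allow-Headers"] = ", ".join(sorted(ALLOWED_HEADERS))
        resp["Access-Control-Max-Age"] = "86400"   # constructed cache lifetime
        return 204, resp

    # Simple request (GET/POST with simple headers): no preflight, just the
    # allow-origin header on the actual response.
    return 200, resp


if __name__ == "__main__":
    preflight = {"Origin": "http://foo.example.com",
                 "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "X-PINGOTHER, Content-Type"}
    print(cors_headers(preflight, "OPTIONS"))
    print(cors_headers({"Origin": "http://evil.example.net"}, "GET"))
```

The Vary: Origin header matters as soon as the allowlist has more than one entry: without it a shared cache may replay a response carrying one origin's Access-Control-Allow-Origin to a different origin.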

  22. Communication

  23. Client-Side window.postMessage API
      Client-side communication between principals (domains) that don't necessarily trust each other (figure: "Add a contact" / "Share contacts" widgets from different origins)

  24. Syntax of postMessage
      // sender (page on a.com): deliver only if frames[0] currently shows a page from http://b.com
      frames[0].postMessage("Attack at dawn!", "http://b.com/");
      // receiver (page on b.com): check who sent the message before trusting e.data
      window.addEventListener("message", function (e) {
        if (e.origin === "http://a.com") { ... e.data ... }
      }, false);
      (figure: the message "Attack at dawn!" arriving in the frame)

  25. Why Include "targetOrigin"?
      What goes wrong with frames[0].postMessage("Attack at dawn!", "*"); (a wildcard target, or none at all, places no restriction on who receives the message)?
      Messages are sent to frames, not principals: the message is delivered to whatever page occupies frames[0] at the moment of the call
      When would this happen? Whenever the frame has since been navigated to another site, the secret goes to that site

  26. Summary
      HTTP
      Rendering content
      Cookies
      Isolation
      Communication
      Navigation
      Security user interface
      Frames and frame busting

  27. Break… (Source: http://xkcd.com/327/)

  28. Web Application Scenario: the client sends an HTTP request to the server, the server returns an HTTP response

  29. Memory Exploits and Web App Vulnerabilities Compared
      Memory exploits                                  Web app vulnerabilities
       Format string vulnerabilities                   SQL injection vulnerabilities
        Generally, better, more restrictive APIs        Generally, better, more restrictive APIs
         are enough                                      are enough
        Simple static tools help                        Simple static tools help
       Buffer overruns                                  Cross-site scripting
        Stack-based                                     XSS-0, -1, -2, -3
        Return-to-libc, etc.                            Requires careful programming
        Heap-based
        Heap spraying attacks
        Requires careful programming or memory-safe
         languages

  30. SQL Injection Attacks
      Attacks a particular site, not (usually) a particular user
      Affects applications that use untrusted input as part of an SQL query to a back-end database
      Specific case of a more general problem: using untrusted input in commands

  31. SQL Injection: Example
      Consider a browser form (shown on the slide) with a month field and a button
      When the user enters a number and clicks the button, this generates an HTTP request like https://www.pizza.com/show_orders?month=10

  32. Example Continued …
      Upon receiving the request, a Java program might produce an SQL query as follows:
        sql_query = "SELECT pizza, quantity, order_day " +
                    "FROM orders " +
                    "WHERE userid=" + session.getCurrentUserId() +
                    " AND order_month=" + request.getParameter("month");
      A normal query would look like:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

  33. Example Continued …
      What if the user makes a modified HTTP request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1
      (Parameters are transferred in URL-encoded form, where meta-characters are encoded as %XX hex escapes: %20 is a space, %3D is '=')
      This has the effect of setting request.getParameter("month") equal to the string 0 OR 1=1

  34. Example Continued
      So the script generates the following SQL query:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=1
      Since AND binds more tightly than OR, this parses as (userid=4123 AND order_month=0) OR 1=1, which is always TRUE
      The attacker gets every row of the orders table, for every user!

  35. Even Worse …
      Craft an HTTP request that generates an SQL query like the following:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards
      The first SELECT matches nothing, so the result is exactly the second one (UNION only needs the column counts to agree: three and three here)
      Attacker gets the entire credit card database as well!

  36. More Damage …
      SQL queries can encode multiple commands, separated by ';' (stacked queries; this needs a database and driver that accept several statements per call, e.g. MySQL Connector/J refuses them unless allowMultiQueries is enabled)
      Craft an HTTP request that generates an SQL query like the following:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; DROP TABLE creditcards
      Credit card table deleted!
      DoS attack

  37. More Damage …
      Craft an HTTP request that generates an SQL query like the following:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; INSERT INTO admin VALUES ('hacker', ...)
      User (with chosen password) entered as an administrator!
      Database owned!

  38. May Need to be More Clever …
      Consider the following script for text queries:
        sql_query = "SELECT pizza, quantity, order_day " +
                    "FROM orders " +
                    "WHERE userid=" + session.getCurrentUserId() +
                    " AND topping='" + request.getParameter("topping") + "'";
      Previous attacks will not work directly, since the injected text lands inside the quotes
      But easy to deal with this…

  39. Example Continued …
      Craft an HTTP request where request.getParameter("topping") is set to abc'; DROP TABLE creditcards; --
      The effect is to generate the SQL query:
        SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND topping='abc'; DROP TABLE creditcards; -- '
      ('--' starts an SQL comment, so the dangling closing quote is ignored)

  40. Mitigation? Solutions?
      Blacklisting (fragile: attackers find encodings the filter misses)
      Whitelisting (accept only the expected shape, e.g. an integer month)
      Encoding routines (escape quotes and metacharacters per database dialect)
      Prepared statements/bind variables (the reliable fix: data never becomes part of the SQL text)
      Mitigate the impact of SQL injection (least-privilege database account, no access to tables the page does not need)
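Slides 32 to 40 walk through the pizza.com injections and the fixes. The following Python with the standard sqlite3 module is an added, runnable version of that scenario; it is not code from the lecture, the tables and rows are constructed, and the column names follow the slides. It reproduces the tautology, the UNION and the stacked-statement payloads against the concatenated query, shows that a driver which accepts one statement per call refuses the stacked variant while one that accepts scripts runs the DROP, and then runs the same inputs through prepared statements with bind variables.

```python
import sqlite3


def make_db():
    """Constructed stand-in for pizza.com's back end (not the lecture's data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders (userid INTEGER, pizza TEXT, quantity INTEGER,
                             order_day INTEGER, order_month INTEGER, topping TEXT);
        CREATE TABLE creditcards (cardholder TEXT, number TEXT, exp_date TEXT);
        INSERT INTO orders VALUES (4123, 'margherita', 1, 3, 10, 'basil');
        INSERT INTO orders VALUES (4123, 'quattro formaggi', 2, 17, 9, 'none');
        INSERT INTO orders VALUES (7777, 'pepperoni', 1, 5, 10, 'pepperoni');
        INSERT INTO creditcards VALUES ('Alice Example', '4111111111111111', '12/29');
    """)
    return db


def show_orders_vulnerable(db, userid, month):
    # Same string concatenation as the slides' Java: the untrusted 'month'
    # parameter becomes part of the SQL text and can change its structure.
    sql = ("SELECT pizza, quantity, order_day FROM orders "
           "WHERE userid=" + str(userid) + " AND order_month=" + month)
    return db.execute(sql).fetchall()


def topping_query_vulnerable(userid, topping):
    # The quoted variant from slide 38; the attacker simply closes the quote.
    return ("SELECT pizza, quantity, order_day FROM orders "
            "WHERE userid=" + str(userid) + " AND topping='" + topping + "'")


def show_orders_safe(db, userid, month):
    # Prepared statement with bind variables: values travel separately from the
    # SQL text, so no input can add clauses, UNIONs or extra statements.
    # Whitelisting the type on top rejects junk before it reaches the database.
    month_int = int(month)          # raises ValueError for "0 OR 1=1"
    sql = "SELECT pizza, quantity, order_day FROM orders WHERE userid=? AND order_month=?"
    return db.execute(sql, (userid, month_int)).fetchall()


def table_exists(db, name):
    row = db.execute("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?",
                     (name,)).fetchone()
    return row[0] == 1


def demo():
    out = {}
    db = make_db()
    out["normal"] = show_orders_vulnerable(db, 4123, "10")
    # Slide 34: tautology -> every row of every user
    out["tautology"] = show_orders_vulnerable(db, 4123, "0 OR 1=1")
    # Slide 35: UNION with a matching column count pulls in another table
    out["union"] = show_orders_vulnerable(
        db, 4123, "0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards")
    # Slides 36/39: stacked statement. sqlite3's execute() accepts a single
    # statement per call, so the DROP is refused here ...
    stacked = topping_query_vulnerable(4123, "abc'; DROP TABLE creditcards; --")
    try:
        db.execute(stacked)
        out["stacked_single"] = "ran"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        out["stacked_single"] = "refused"
    # ... but a driver that allows stacked queries runs both statements.
    db.executescript(stacked)
    out["creditcards_survives"] = table_exists(db, "creditcards")

    # Same inputs through the hardened path, on a fresh database.
    db = make_db()
    out["safe_normal"] = show_orders_safe(db, 4123, "10")
    try:
        show_orders_safe(db, 4123, "0 OR 1=1")
        out["safe_tautology"] = "ran"
    except ValueError:
        out["safe_tautology"] = "rejected"
    payload = "abc'; DROP TABLE creditcards; --"
    out["safe_topping"] = db.execute(
        "SELECT pizza FROM orders WHERE userid=? AND topping=?", (4123, payload)).fetchall()
    out["creditcards_after_safe"] = table_exists(db, "creditcards")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:24} {value}")
```

Note that the bound topping payload is looked up literally as a topping named `abc'; DROP TABLE creditcards; --` and matches nothing; the database never sees a second statement, whatever the driver's stacked-query setting.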
