the problem s with the browser
play

The Problem(s) with the Browser Collin Jackson - PowerPoint PPT Presentation

Jun 09, 2023 •29 likes •509 views

The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications Remote code? Are you crazy?? Integrity Compromise

  1. The Problem(s) with the Browser Collin Jackson collin.jackson@sv.cmu.edu

  2. Web: The OS of the Future? Ubiquitous Dynamic Instant updates Interactive Programs Pages Web Applications

  3. Remote code? Are you crazy?? • Integrity – Compromise your machine – Install a malware rootkit – Buy stuff with your credit card • Confidentiality – Steal passwords – Read your email

  4. Browser Sandbox • Goal – Run remote web applications safely – Limit access to OS, network, and browser data • Approach – Isolate sites in different security contexts – Browser manages resources, like an OS

  5. What the Sandbox Can't Stop Clickjacking Cross-Site Scripting (XSS) Network Attacks (Firesheep, etc.) Cross-Site Request Forgery (CSRF)

  6. WEB BUILDING BLOCKS 6

  7. Safe to Type My Password? • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  8. URLs Global identifiers of network-retrievable documents • Example: • http:// sv.cmu.edu :81/class?name=browsersec #homework Protocol Fragment Hostname Path Port Query

  9. HTTP Request Method File HTTP version Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET GET : no side effect POST : possible side effect

  10. HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Data Content-Type: text/html Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML>

  11. Network Primitives • Navigation <a href="http://www.a.com">Click here</a> ● • Import ● <script src="prototype.js"></script> ● <link rel="stylesheet" href="base.css"> • Export ● <form action="login.cgi"> ● postMessage('hello world', '*'); ● XMLHttpRequest

  12. Same-Origin Access • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level Origin = Scheme, host, port Full DOM access 12

  13. Cross-Origin Access • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level http://www.google.com != http://petscaravan.com Navigation, import, export only

  14. Domain Relaxation www.facebook.com chat.facebook.com www.facebook.com facebook.com facebook.com chat.facebook.com www.facebook.com Origin: scheme, host, (port), hasSetDomain • Try document.domain = document.domain •

  15. Site B Site A Newer forms of Import/Export Cross-origin network requests Site A context Site B context Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Cross-origin client side communication Client-side messaging via navigation (older browsers) postMessage (newer browsers)

  16. SESSION MANAGEMENT 16

  17. URL-based Session Management • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  18. Limitations of URL-based Session Management • Shoulder surfing • Screenshots • HTML Sharing • Printing • Referrer leaking • Accidental sharing • Cache • Bookmark theft

  19. Alternatives • HTTP Authentication • HTTPS Mutual Authentication • Cookies – Expiration – Wildcard sharing – Logout – Recovery – Minimizing server state

  20. Cookies • Used to store state on user’s machine POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; expires = (when expires) ; If expires=NULL: this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state

  21. Cookie-based Session Management Browser Web Server POST login.cgi Username & pwd Set-cookie: auth=val GET restricted.html Cookie: auth=val If YES, restricted.html

  22. Cookie Security Policy • Uses: – User authentication – Personalization – User tracking: e.g. Doubleclick (3rd party cookies) • Browser will store: – At most 20 cookies/site, 3 KB / cookie • Origin is the tuple <domain, path> – Can set cookies valid across a domain suffix

  23. History • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  24. httpOnly Cookies GET … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; httpOnly • Cookie sent over HTTP(s), but not accessible to scripts • cannot be read via document.cookie • Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs

  25. SESSION INTEGRITY

  26. Threat Models • Web Attacker – https://www.attacker.com – Free user visit • Sibling Domain Attacker – attacker.appspot.com • Network Attacker – Eavesdrop (Firesheep) – Corrupt network traffic – Present fake certificates

  27. Cross-Site Request Forgery

  28. Login CSRF

  29. Payments Login CSRF

  30. Payments Login CSRF

  31. Payments Login CSRF

  32. Payments Login CSRF

  33. Another login CSRF problem

  34. Common CSRF Defense • Secret Validation Token <input type=hidden value=23a3af01b> • Referer Validation Referer: http://www.facebook.com/home.php • Custom HTTP Header X-Requested-By: XMLHttpRequest

  35. What have we lost? • Shoulder surfing • Screenshots • HTML Sharing • Printing • Referrer leaking • Accidental sharing • Cache • Bookmark theft

  36. Alternatives • Referer Validation / Origin Validation Referer: http://www.facebook.com/home.php • Custom HTTP Header X-Requested-By: XMLHttpRequest

  37. Cross-Subdomain Overwriting Click to edit Master text styles • – Second level Shopping cart • modification Third level – Fourth level • Login CSRF • – Fifth level Session fixation •

  38. Network Attacker • Eavesdrop or corrupt network traffic – Wireless networks – ISP – Pharming • Defense: HTTPS – Protects passwords – Use “Secure” cookies to protect session

  39. Secure Cookie Overwriting • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  40. Secure Cookie Overwriting • Click to edit Master text styles – Second level – Third level Hidden • Fourth level http://mail.google.com – Fifth level iframe

  41. SSL Rebinding • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  42. SSL Rebinding • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  43. Is there any hope?

  44. What we want Unforgeability + Integrity + Persistence = Session integrity

  45. Suggestion Courtesy of Adam Barth, Andrew Bortz, and Alexei Czeskis • Existing browsers: Custom HTTP Header X-Session-T oken: 62DV2f323t23 – Use LocalStorage for integrity • Future browsers: Send it automatically Cake: 62DV2f323t23 – Doesn't solve confused deputy problems – Still need CSRF defenses

  46. Strict Transport Security Collaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla), VeriSig – HTTPS is rarely used securely SSL stripping – Mixed content – Certificate error override – – Help browsers identify high-security servers – Reduces burden on user – Extensible – Backwards compatible

  47. Browserscope.org • Click to edit Master text styles – Second level – Third level • Fourth level – Fifth level

  48. Thanks! http://websec.sv.cmu.edu/

Recommend

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem

Cascading Style Sheets (CSS) Mendel Rosenblum CS142 Lecture Notes - CSS 1 Driving problem behind CSS How what font type and size does &lt;h1&gt;Introduction&lt;/h1&gt; generate? Answer: Some default from the browser (HTML tells what browser how

517 views • 19 slides
Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS

RequireJS Javascript Modules for the Browser By Ben Keith Quoin, Inc. Traditional Browser JS One global namespace Often inline JS code embedded directly in HTML Many &lt;script&gt; tags with hidden ordering dependencies Very

362 views • 15 slides
Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does

Circumventing Internet censorship with Tor Philipp Winter The Tor Project What Tor Browser does Standard Tor is easy to block GetTor helps you get Tor Browser GetTor helps you get Tor Browser Tor Browser ships with default

567 views • 24 slides
THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North

THE BROWSER IS DEAD Dan North Dan North &amp; Associates LONG LIVE THE BROWSER! Dan North Dan North &amp; Associates The gangs 1990: Tim Berners-Lee - (WorldWideWeb) 1993: NCSA Mosaic 1994: Netscape - Navigator 1995: Microsoft -

971 views • 21 slides
CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the

CS371m - Mobile Computing WebView and Web Services Using Built In Browser App To use the built in browser create an Intent and start the Activity 2 WebView A View that display web pages basis for creating your own web browser OR

1.28k views • 54 slides
GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard

GWT-Gears The Browser is the Platform The Browser is the Platform Didier Girard girard.d@sfeir.com Sfeir CTO Member of OSSGTP Before starting, some questions Who knows javascript ? Who is a javascript expert ? Who knows java ?

1.57k views • 93 slides
Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc.

Google Chrome The Invisible Browser Ben Goodger Tech Lead, User Interface Google Inc. Beginnings A new browser... a new opportunity A modern platform for web applications Objective: An Invisible Browser Deliver a transparent experience:

557 views • 9 slides
WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp;

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities &amp; Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

738 views • 50 slides
Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp;

Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp;

Oculus Browser UX in VR Is The Web Accessible at All in VR? Oculus Overview Virtual Desktop &amp; Browser VR Apps Have Long Engagement Times How? Did they do something special? Uncomfortable Yet Still Compelling Content High

362 views • 6 slides
If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides

If you are viewing this presentation in a PDF, please stop and open the slides in browser (slides in the browser look way better): https://switowski.github.io/functional-css-talk/ 1 1 Maintainable CSS with visual regression testing and

850 views • 37 slides
Download for PC The most accessible web browser available. Download Step 1:

Download for PC The most accessible web browser available. Download Step 1:

Download for PC The most accessible web browser available. Download Step 1: https://www.google.com/intl/en/chrome/browser/ Step 2: Accept Terms of Service Download Step 3: Double Click on Download Step 4: Run Installation Download Select

496 views • 14 slides
How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan

How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan

How to protect your browser 0-day Codenamed #IRONSQUIRREL TS//SI//FVEY FOUO//SI//FVEY Zoltan Balazs MRG Effitas 2017 November Whoami? Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack HWFW Bypass tool Idea later(?)

711 views • 55 slides
Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June

Understanding and Combating Man-in-the- Browser Attacks 22 nd Annual FIRST Conference 16 June 2010 Jason Milletary Topics What is a Man-in-the-Browser Attack? How are they used? How can I identify and mitigate when they are

207 views • 18 slides
L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2:

L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2:

L2: Browser/HTML/Accessibility Web Engineering 188.951 2VU SS20 Jrgen Cito L2: Browser/HTML/Accessibility Browser Overview Semantic HTML Accessibility for the Web Web Accessibility Initiative (WAI) Learning Goals

513 views • 34 slides
Browser testing via Selenium What is Selenium? Browser framework - automating user-level

Browser testing via Selenium What is Selenium? Browser framework - automating user-level

Browser testing via Selenium What is Selenium? Browser framework - automating user-level testing Has a method for saving scripts - but its not very good Good for testing behaviour that cant be tested any other way - e.g.

743 views • 9 slides
Designing the Browser @joshcarpenter, Google Oct 19 2016, W3C WebVR Workshop All browsers

Designing the Browser @joshcarpenter, Google Oct 19 2016, W3C WebVR Workshop All browsers

Designing the Browser @joshcarpenter, Google Oct 19 2016, W3C WebVR Workshop All browsers should... No UI dead zones: Maximize for creative freedom of 360 experiences. Do not take away real estate from developers by persisting browser UI

499 views • 16 slides
Browser Development Tools by Rusty Keele Altair 8800 (1975)

Browser Development Tools by Rusty Keele Altair 8800 (1975)

Browser Development Tools by Rusty Keele Altair 8800 (1975) https://www.flickr.com/photos/mratzloff/9169309781/ Who This Presentation Is For Anyone who wants to learn about browser developer tools Basic knowledge of HTML, CSS and

871 views • 24 slides
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami , Panagiotis Ilia, Konstantinos Solomos, Jason Polakis University of Illinois at Chicago, USA skaram5@uic.edu February 24, 2020 Browser extensions

492 views • 28 slides
Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami ,

Carnus: Exploring the Privacy Threats of Browser Extension Fingerprinting Soroush Karami , Panagiotis Ilia, Konstantinos Solomos, Jason Polakis University of Illinois at Chicago, USA skaram5@uic.edu February 24, 2020 Browser extensions

886 views • 30 slides
Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Training Manual Google Docs and the Chrome browser work great together! If you do not have the

Freehold Borough Schools Technology Department Training Manual Google Docs and the Chrome browser work great together! If you do not have the Chrome browser on your laptop, please put in a helpdesk ticket. Go to the district website

575 views • 18 slides
USING RUST TO BUILD THE NEXT GENERATION WEB BROWSER Lars Bergstrom Mike Blumenkrantz Mozilla

USING RUST TO BUILD THE NEXT GENERATION WEB BROWSER Lars Bergstrom Mike Blumenkrantz Mozilla

USING RUST TO BUILD THE NEXT GENERATION WEB BROWSER Lars Bergstrom Mike Blumenkrantz Mozilla Research Samsung R&amp;D America Why a new web engine? Support new types of applications and new devices All modern browser engines (Safari,

891 views • 41 slides
How far can client-only solutions go for mobile browser speed? Zhen Wang , Felix Xiaozhu Lin, Lin

How far can client-only solutions go for mobile browser speed? Zhen Wang , Felix Xiaozhu Lin, Lin

How far can client-only solutions go for mobile browser speed? Zhen Wang , Felix Xiaozhu Lin, Lin Zhong, Mansoor Chishtie Rice Efficient Computing Group - http://recg.org Mobile browsers are slow Average browser delay: 5 seconds Commercial

1.38k views • 80 slides
2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no

2007 Self morphing viruses 2009 - The Zeus virus Man in the browser attacks no browser is safe 2011 300% increase in cyber attacks Who they are Why they do it Who are the targets Our filter processes 3 billion

407 views • 17 slides

More recommend