Secure webbrowsing 1
  1. Odyssey to Web Browser Security - 1
     Prepared by: Prosunjit Biswas; Advisor: Dr. Ravi Sandhu
     Presented: ICS @ UTSA (12th April, 2012)
     Email:

  2. What are Web Browsers for?
     • Web browsers retrieve, present and traverse information on the Web, typically provided by web servers.
     • Web browsers use URIs/URLs to locate and retrieve information.

  3. HTTP Request (URL) format
     "protocol:" "//" host [ ":" port ] [ abs_path [ "?" query ] ]
     Examples:
     1. ?url=search-alias%3Daps&field-keywords=iphone

  4. Notice...
     • The 'query' part of the URL may contain user-provided data that is fed to the application.
     • That part therefore carries the payload for most of the possible attacks.

  5. Web Application Architecture: Server Side & Client Side
     Courtesy: "Top 10 attacks" by Saumil Shah

  6. How is a Request resolved by the Server for the Browser?

  7. Server Response at the Browser Side
     The server response includes:
     o Data/information (personal info)
     o HTML markup (tables, paragraphs)
     o JavaScript / other scripts
     o Cookies (session information)
     o Browser configuration metadata
     o Other resources (e.g. Flash, CSS)

  8. HTML Markup
     • HTML markup provides the presentation for the data/content.
     • In Web 2.0, data and markup together build the Document Object Model (DOM).
     • The DOM forms an XML-like tree structure for easy retrieval of data.

  9. Script / JavaScript
     • When we say Dynamic HTML (DHTML), this dynamicity is achieved by JavaScript on the browser side.
     • JavaScript can manipulate (insert/delete/modify) any content in the browser.
     • Unfortunately it is "The World's Most Misunderstood Programming Language" -- Douglas Crockford

  10. Where to put JavaScript in a web page?
     • Typically JS can be put in almost all places:
     • <script> JS content </script>
     • <input onclick="JS content">
     • <img src="javascript:JS content">
     • And others.

  11. How can Web Browsing be insecure?
     • Attacker steals data [attack on user information]
     • Attacker defaces a web page [attack on markup]
     • Inject / modify JavaScript [script-based attack]
     • Steal cookies
     • Insert metadata on the page
     • Attack other resources [e.g. images]

  12. Notice...
     • All of the attacks mentioned can be achieved by injecting or modifying JavaScript on an honest web page.

  13. Risk That We Do Not Care About...
     • A website is malicious, and a user visits this site and gets infected. [We can leave this to the discretion of the visitor.]

  14. Risk That We Care About (2)...
     • A website is not intended to be malicious, but an attacker has compromised the page so that everyone who visits it is compromised.
     o [We do care about this.]

  15. Attacking Approach (Client-Server Perspective)
     • Attack servers / services [server-side attack]
       o e.g. website defacement,
       o SQL injection,
       o DoS attacks and others
     • Attack the web client [client / browser-based attack]
       o e.g. XSS (Cross-Site Scripting)
       o XSRF (Cross-Site Request Forgery)
       o Phishing (social engineering) and others

  16. Attacking Approach (Ways of Attack)
     • Content injection
       o SQL injection
       o Script injection (XSS)
       o DOM element injection (DOM-based XSS)
     • Breaking access control / access restriction
       o Cross-domain / cross-frame attacks
       o e.g. cross-domain capability leaks
     • Exploiting application configuration
       o Session hijacking / credential stealing
       o Failure to restrict URL access
       o Insecure cryptography

  17. Attacking Approach (Ways of Attack), continued...
     • Insecure network
       o Proxy-based attacks
       o Man-in-the-middle attacks
     • Web-based malware attacks
     We are more interested in content injection attacks because of their wide attack surface.

  18. Content Injection (Through URL): Demonstrating a Reflected XSS attack
     [Diagram, reconstructed as steps:]
     1. The attacker sends a URL carrying @#badcontent#@ to the user through email or some other way.
     2. The user clicks the URL; the client web browser sends the request with @#badcontent#@ to the web server.
     3. The web server reflects @#badcontent#@ back in its response to the browser.
     4. The user is infected with the injection attack.

  19. Content Injection (via comment): Demonstrating a 'Stored XSS attack'
     [Diagram, reconstructed as steps:]
     1. The attacker requests the page and puts a malicious comment @#comment!@#; the malicious content is inserted in the DB.
     2. Bob clicks the URL and requests the same page.
     3. The comment @#comment!@# is retrieved from the database and served to Bob along with the page.
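The reflected case on slide 18, carried through in code as an added example (not part of the slides): the URL is split along the slide-3 grammar, the query is decoded, and the search keyword is rendered once as the vulnerable page does it and once HTML-encoded. The host name, the `field-keywords` parameter and the marker payload are constructed.

```javascript
// Added example, not from the slides; sample URL and host name are constructed.
// "protocol:" "//" host [ ":" port ] [ abs_path [ "?" query ] ]   (slide 3)
const URL_RE = /^([a-z][a-z0-9+.-]*):\/\/([^\/:?#]+)(?::(\d+))?(\/[^?#]*)?(?:\?([^#]*))?/i;

function parseUrl(url) {
  const m = URL_RE.exec(url);
  if (!m) return null;
  return { protocol: m[1], host: m[2], port: m[3] || null,
           path: m[4] || "/", query: m[5] || "" };
}

// "a=1&b=2" -> { a: "1", b: "2" }, decoding '+' and percent-escapes.
function parseQuery(query) {
  const out = {};
  for (const pair of query.split("&")) {
    if (!pair) continue;
    const i = pair.indexOf("=");
    const k = i < 0 ? pair : pair.slice(0, i);
    const v = i < 0 ? "" : pair.slice(i + 1);
    out[decodeURIComponent(k.replace(/\+/g, " "))] =
      decodeURIComponent(v.replace(/\+/g, " "));
  }
  return out;
}

// Reflected XSS (slide 18): the keyword from the query lands in the markup
// unchanged, so a <script> in the URL becomes live script in the response.
function renderVulnerable(url) {
  const q = parseQuery(parseUrl(url).query);
  return `<p>Results for: ${q["field-keywords"]}</p>`;
}

// Fix: encode the characters that switch HTML context before the data reaches
// the markup, so the browser shows the payload as text instead of running it.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

function renderSafe(url) {
  const q = parseQuery(parseUrl(url).query);
  return `<p>Results for: ${escapeHtml(q["field-keywords"])}</p>`;
}

// Constructed sample: the slide-3 query with a harmless script marker as keyword.
const SAMPLE = "http://shop.example/s?url=search-alias%3Daps" +
  "&field-keywords=%3Cscript%3Ealert(1)%3C%2Fscript%3E";
```

Encoding at the output interface is what turns slide 25's "compare input and output data" into a guarantee: whatever arrives in the query, the response cannot contain a new tag.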
  20. Content Injection Attack (2) (What content?)
     • SQL (data integrity & privacy attack)
     • Script / JavaScript (privacy attack - steal cookies)
     • DOM element (data integrity - phishing)
     We are more interested in script injection attacks (also called XSS): they are easy and obvious, but their impact is severe and therefore critical to handle.

  21. Why do attackers prefer JavaScript injection?
     • JavaScript can access almost all resources in a web page.
     • JavaScript is supported by all major browsers.
     • JavaScript has great expressive power.

  22. Consequences of an XSS attack
     • Sensitive information theft
       o Credential theft (e.g. cookies)
     • Intranet scanning
       o Scan open ports
     • Attacking other users
       o Replay attacks from the compromised browser

  23. What are the Existing Approaches to Protect against XSS attacks?
     All the existing approaches place some kind of restriction on JavaScript use.
     • Host-based restriction
       o Allow JavaScript only from white-listed hosts.
       o Restrict JavaScript from black-listed hosts.
     • Placeholder restriction
       o Restrict the places where JavaScript can be inserted.

  24. What are the Existing Approaches to Protect against XSS attacks... (continued)
     • Transfer restriction
       o Restrict sensitive resources from being sent out to other hosts/domains.
     • Content rewrite
       o Rewrite JavaScript to delete unsafe code.
     • Flow control
       o Control the flow of sensitive information in JavaScript (taint sensitive information).
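The host-based and placeholder restrictions of slide 23, applied to the script locations of slide 10, as an added example that is not from the slides. Browsers ship this combination today as Content Security Policy; the toy checker below re-implements the verdict over raw HTML so the two restrictions can be seen side by side. The page content, the allow-list and the `untrusted.example` host are constructed.

```javascript
// Added example, not from the slides; page content and allow-list are constructed.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const SRC_ATTR = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
const HANDLER_ATTR = /\son[a-z]+\s*=\s*["'][^"']*["']/gi;      // onclick="..."
const JS_URL = /\b(?:src|href)\s*=\s*["']?\s*javascript:/gi;   // src="javascript:..."

// Host of an absolute URL; null for relative or malformed references,
// which this toy policy treats as not allowed.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/:?#]+)/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// One finding per place where script can run (slide 10); `allowed` is the
// verdict of the host-based and placeholder restrictions of slide 23.
function auditScripts(html, allowedHosts) {
  const hosts = new Set(allowedHosts.map(h => h.toLowerCase()));
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const src = SRC_ATTR.exec(m[1]);
    if (src) {        // host-based: external script, allowed only from listed hosts
      findings.push({ kind: "external", where: src[1], allowed: hosts.has(hostOf(src[1])) });
    } else {          // placeholder: inline script bodies are never allowed
      findings.push({ kind: "inline", where: m[2].trim(), allowed: false });
    }
  }
  for (const m of html.matchAll(HANDLER_ATTR))   // placeholder: event-handler attributes
    findings.push({ kind: "handler", where: m[0].trim(), allowed: false });
  for (const m of html.matchAll(JS_URL))         // placeholder: javascript: URLs
    findings.push({ kind: "javascript-url", where: m[0], allowed: false });
  return findings;
}

function isCompliant(html, allowedHosts) {
  return auditScripts(html, allowedHosts).every(f => f.allowed);
}

// Constructed page: one script from the allowed CDN, one from elsewhere, and
// the three inline placements from slide 10.
const PAGE = `
<script src="https://cdn.example.com/app.js"></script>
<script src="http://untrusted.example/x.js"></script>
<script>document.title = "hi";</script>
<input onclick="doThing()">
<img src="javascript:doThing()">
`;
```

Note that the regex scan is only a teaching aid: a browser applies these restrictions on the parsed DOM, which is the only place where "where can script run" is answered reliably.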
  25. What are other Control Points?
     [Diagram: the user, the browser's input and output interfaces, JS, the DOM, cookies, the web server and other domains, with a control point on each link.]
     • Control JS & DOM interactions.
     • Control the flow of user-provided data.
     • Sanitize the URL to discard malicious content.
     • Control JS communication with external domains.
     • Control cookies being sent out to external domains.
     • Compare input-interface and output-interface data to check whether malicious content has trespassed through the server.
  27. Thanks.