• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Secure webbrowsing 1
 

Secure webbrowsing 1

on

  • 1,063 views

 

Statistics

Views

Total Views
1,063
Views on SlideShare
1,062
Embed Views
1

Actions

Likes
0
Downloads
6
Comments
0

1 Embed 1

http://nodeslide.herokuapp.com 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Secure webbrowsing 1 Secure webbrowsing 1 Presentation Transcript

    • Odyssey to Web Browser Security - 1 Prepared by: Prosunjit Biswas, Advisor : Dr. Ravi Sandhu Presented : ICS @ UTSA (12th April, 2012) Email: prosun.csedu@gmail.com
    • What is Web Browsers for?• Web Browsers Retrieve, Present and Traverse information on Web typically provided by web servers.• Web Browsers use URI/URLs to locate and retrieve information.
    • Http Request (URL) format"protocol:" "//" host [ ":" port ] [ abs_path ["?" query ]]Examples:1. http://cs.utsa.edu/index.html2. http://utsa.summon.serialssolutions.com/search/results?spellcheck=true&q=security3. http://www.php.net/manual/en/reserved.variables.get.php4. http://www.amazon.com/s/ref=nb_sb_noss/185-1213459-6355102 ?url=search-alias%3Daps&field-keywords=iphone
    • Notice…• The ‘query’ part in the URL may contain user provided data that is feed to the application.• And contains Payload for maximum possible attacks.
    • Web Application Architecture: Server Side & Client Side Courtesy: “Top 10 attacks” by Saumil Shah
    • How a Request is resolved by the Server for the Browser?
    • Server Response at Browser SideServer Response Includes: o Data/Information (personal Info) o HTML Markups(table, paragraph) o Javascript / Other Script o Cookies ( session information) o Browser Configuration Meta data o Other Resources(Ex: Flash, CSS )
    • HTML Markup• HTML Markups provides presentation for the data/content.• In Web 2.0 data & Markup altogether build Document Object Model (DOM)• DOM form a XML tree structure for easy retrieval of data.
    • Script / Javascript• When We say Dynamic HTML( DHTML), this dynamicity is achieved by JavaScript at the Browser Side.• JavaScript can manipulate (Insert/delete/ Modify) any content in the browser .• Unfortunately it is „The Worlds Most Misunderstood Programming Language’ -- Douglas Crockford
    • Where to put JavaScript in a web page ?• Typically JS can be put almost all places.• <script> JS content </script>• <input onclick=“JS content”>• <img src=“javascript:JS Content”>• And others.
    • How Web Browsing can be insecure?• Attacker Steals data [Attack User information]• Attacker defaces a webpage [Attack markup]• Inject / Modify JavaScript [Script Based attack]• Steal Cookie• Insert Meta Data on page• Attack other Resources [ex: Image]
    • Notice …• All the mentioned attacks can be achieved by injecting / modifying JavaScript on a honest web page.
    • Risk That We Do Not Care …• A website is malicious and an user visits this site and get infected. [We can leave it to the discretion of the visitor]
    • Risk That We Care(2) …• A website is not intended to be malicious but attacker has compromised this page and let everyone who visit it, be compromised. o [ We do Care for this ]
    • Attacking Approach (Client-server Perspective)• Attack Servers / Services [ Server side attack] o Ex. Website Defacement , o SQL injection, o DoS Attack and others• Attack Web Client [ Client / Browser based attack]. o Ex: XSS ( Cross Site Scripting) o XSRF ( Cross Site Request forgery) o Phishing ( Social Eng.) and others
    • Attacking Approach (Way of Attacks)• Content Injection o SQL Injection o Script Injection (XSS) o DOM element Injection (DOM based XSS)• Breaking Access-Control / Access- Restriction o Cross Domain / Cross Frame Attack o Ex. Cross Domain Capability Leaks• Exploiting Application Configuration o Session Hijacking / Credential Stealing o Failure to Restrict URL access o Insecure Cryptography
    • Attacking Approach (Way of Attacks) continuing…• Insecure Network o Proxy-based attack o Man-in-the-middle attacks• Web Based Malware Attack We are more Interested on Content Injection Attack because of its wide attack surface.
    • Content Injection (Through URL)Demonstrating Reflected XSS attack Sends through email / other way www.goodhost.com?search=@#badcontent#@ @#badcontent #@ Clicks the URL Client Web Browser @#badcontent #@ @#badcontent#@ @#badcontent #@ Web Server User is infected with the injection attack
    • Content Injection (via comment)Demonstrating ‘Stored XSS attack’ Inserted in DB @#comment!@# Malicious content Comment Retrieved From database @#comment!@# Clicks the URL Clicks the URL Request Put Malicious comment Bob Request the same page
    • Content Injection Attack (2) (What content?)• SQL ( Data Integrity & Privacy attack)• Script / JavaScript (Privacy attack – Steal Cookie)• DOM Element ( Data Integrity - Phishing ) We are more Interested in Script Injection attack (also called XSS) which is easy and obvious but impact is severe therefore critical to handle.
    • Why attackers prefer JavaScript injection?• JavaScript can access almost all resources in a web page.• JavaScript is supported by all major browsers• JavaScript has great expressive power.
    • Consequence of XSS attack• Sensitive Information theft. o Credential Theft ( Ex: cookies)• Intranet Scanning o Scan Open ports .• Attacking other users o Replay attack from compromised browser.
    • What are the Existing Approaches to Protect XSS attacks?All the existing approaches place some kinds of restrictions over JavaScript uses.• Host based Restriction o allow JavaScript from a White listed hosts. o Restrict JavaScript from Black listed hosts.• Place holder Restriction o Restrict places where JavaScript can be inserted.
    • What are the Existing Approachesto Protect XSS attacks …• Transfer Restriction o Restrict Sensitive Resources to be send out to other hosts/domains.• Content Rewrite o Re-write JavaScript to delete unsafe code.• Flow Control o Control the flow of sensitive information in JavaScript (Taint Sensitive information)
    • What are other Control Points ? Control JS & DOM Interactions Output Interface Input Interface JS DOM Control Flow of User providedSanitize URL to data Cookiediscardmalicious Web Servercontent Control JS Communication with External Domain Control Cookie Send out to External Domain Compare input / output interface data for to check user whether malicious content is Other Domains trespassed through the server .
    • References:• http://stackoverflow.com/questions/1267284/common-website-attack- methods-detection-and-recovery• http://yehg.net/lab/pr0js/papers/What%20XSS%20Can%20Do.pdf
    • o Thanks.