Odyssey to Web Browser Security - 1

Prepared by: Prosunjit Biswas
Advisor: Dr. Ravi Sandhu
Presented: ICS @ UTSA (12th April, 2012)
Email: prosun.csedu@gmail.com
What are Web Browsers for?

• Web browsers retrieve, present and traverse information on the Web, typically provided by web servers.

• Web browsers use URIs/URLs to locate and retrieve information.
HTTP Request (URL) format
"protocol:" "//" host [ ":" port ] [ abs_path [ "?" query ]]

Examples:
1. http://cs.utsa.edu/index.html
2. http://utsa.summon.serialssolutions.com/search/results?spellcheck=true&q=security
3. http://www.php.net/manual/en/reserved.variables.get.php
4. http://www.amazon.com/s/ref=nb_sb_noss/185-1213459-6355102?url=search-alias%3Daps&field-keywords=iphone
Notice…

• The ‘query’ part of the URL may contain user-provided data that is fed to the application.

• It is therefore where the payload of most possible attacks is carried.
Web Application Architecture: Server Side & Client Side

[Figure] Courtesy: “Top 10 attacks” by Saumil Shah

How is a Request resolved by the Server for the Browser?
Server Response at Browser Side
Server Response includes:
  o Data/Information (personal info)
  o HTML markup (table, paragraph)
  o JavaScript / other scripts
  o Cookies (session information)
  o Browser configuration metadata
  o Other resources (Ex: Flash, CSS)
HTML Markup

• HTML markup provides the presentation for the data/content.

• In Web 2.0, data and markup together build the Document Object Model (DOM).

• The DOM forms an XML-style tree structure for easy retrieval of data.
Script / JavaScript
• When we say Dynamic HTML (DHTML), this dynamicity is achieved by JavaScript on the browser side.

• JavaScript can manipulate (insert/delete/modify) any content in the browser.

• Unfortunately it is ‘The World's Most Misunderstood Programming Language’
                     -- Douglas Crockford
Where to put JavaScript in a web page?
• Typically JS can be put in almost all places:
• <script> JS content </script>
• <input onclick="JS content">
• <img src="javascript:JS Content">
• And others.
How can Web Browsing be insecure?
• Attacker steals data [attack user information]
• Attacker defaces a webpage [attack markup]
• Inject / modify JavaScript [script-based attack]
• Steal cookie
• Insert metadata on page
• Attack other resources [ex: image]
Notice …

• All the mentioned attacks can be achieved by injecting or modifying JavaScript on an honest web page.
Risk That We Do Not Care About …
• A website is malicious, and a user visits this site and gets infected.
  [We can leave it to the discretion of the visitor]
Risk That We Care About (2) …
• A website is not intended to be malicious, but an attacker has compromised this page and everyone who visits it is compromised.
  o [We do care about this]
Attacking Approach (Client-server Perspective)
• Attack servers / services [server-side attack]
  o Ex. Website defacement,
  o SQL injection,
  o DoS attack and others
• Attack web client [client / browser-based attack]
  o Ex: XSS (Cross Site Scripting)
  o XSRF (Cross Site Request Forgery)
  o Phishing (social eng.) and others
Attacking Approach (Way of Attacks)
• Content Injection
  o SQL Injection
  o Script Injection (XSS)
  o DOM element Injection (DOM-based XSS)
• Breaking Access Control / Access Restriction
  o Cross Domain / Cross Frame Attack
  o Ex. Cross Domain Capability Leaks
• Exploiting Application Configuration
  o Session Hijacking / Credential Stealing
  o Failure to Restrict URL access
  o Insecure Cryptography
Attacking Approach (Way of Attacks) continued…
• Insecure Network
  o Proxy-based attack
  o Man-in-the-middle attacks

• Web-Based Malware Attack

  We are more interested in Content Injection attacks because of their wide attack surface.
Content Injection (Through URL)
Demonstrating Reflected XSS attack
[Diagram: the attacker sends the URL www.goodhost.com?search=@#badcontent#@ through email or another way; the user clicks the URL; the client web browser sends the request to the web server, which reflects @#badcontent#@ back in its response; the user is infected with the injection attack.]
Content Injection (via comment)
Demonstrating ‘Stored XSS attack’
[Diagram: the attacker puts a malicious comment @#comment!@#, which is inserted in the DB; Bob later requests the same page, and the malicious comment is retrieved from the database and served to him.]
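The reflected and stored injections in the two diagrams above, as an added Python example that is not code from the talk: a minimal results page that echoes the `search` query parameter and the stored comments, once unescaped and once HTML-escaped at the output interface. The URL, the `probe()` marker and the in-memory comment store are constructed stand-ins for the slides' goodhost.com URL, the `@#badcontent#@` / `@#comment!@#` placeholders and the database.

```python
import html
from urllib.parse import urlparse, parse_qs

# Constructed stand-in for the slides' "@#badcontent#@" / "@#comment!@#" markers: an injected
# <script> element. The function name probe() is a placeholder, not code from the talk.
PROBE = "<script>probe()</script>"
# Constructed reflected-XSS URL in the shape of the slide's www.goodhost.com?search=... example.
REFLECTED_URL = "http://www.goodhost.com/?search=" + PROBE
RESULTS_PAGE = "<html><body><h1>Results for: {term}</h1>{comments}</body></html>"
COMMENT_DB = []  # constructed in-memory store standing in for the slide's comment database


def search_term(url):
    """Pull the user-controlled 'search' query parameter out of a URL (the input interface)."""
    return parse_qs(urlparse(url).query).get("search", [""])[0]


def store_comment(text):
    """Stored XSS: the server keeps the raw comment; the damage is done at render time."""
    COMMENT_DB.append(text)


def render_unsafe(url):
    """Vulnerable rendering: the reflected term and the stored comments are echoed as markup,
    so the browser parses the injected <script> as part of the honest page."""
    comments = "".join(f"<p>{c}</p>" for c in COMMENT_DB)
    return RESULTS_PAGE.format(term=search_term(url), comments=comments)


def render_safe(url):
    """Hardened rendering: every untrusted value is HTML-escaped at the output interface,
    so '<', '>', '&' and quotes reach the browser as text, never as tags or attributes."""
    comments = "".join(f"<p>{html.escape(c, quote=True)}</p>" for c in COMMENT_DB)
    return RESULTS_PAGE.format(term=html.escape(search_term(url), quote=True), comments=comments)


def markup_contains_script(page):
    """Output-interface check: does the rendered page still carry an executable <script> tag?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    store_comment(PROBE)  # the attacker's comment from the stored-XSS slide
    print("unsafe page carries a script tag:", markup_contains_script(render_unsafe(REFLECTED_URL)))
    print("safe page carries a script tag:  ", markup_contains_script(render_safe(REFLECTED_URL)))
```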
Content Injection Attack (2) (What content?)

• SQL (data integrity & privacy attack)
• Script / JavaScript (privacy attack: steal cookie)
• DOM element (data integrity: phishing)

  We are more interested in the Script Injection attack (also called XSS): it is easy and obvious, but its impact is severe and it is therefore critical to handle.
Why do attackers prefer JavaScript injection?

• JavaScript can access almost all resources in a web page.
• JavaScript is supported by all major browsers.
• JavaScript has great expressive power.
Consequence of XSS attack

• Sensitive information theft
  o Credential theft (Ex: cookies)
• Intranet scanning
  o Scan open ports
• Attacking other users
  o Replay attack from compromised browser
What are the Existing Approaches to Protect against XSS attacks?
All the existing approaches place some kind of restriction on the use of JavaScript.

• Host-based Restriction
  o Allow JavaScript from whitelisted hosts.
  o Restrict JavaScript from blacklisted hosts.

• Placeholder Restriction
  o Restrict the places where JavaScript can be inserted.

• Transfer Restriction
  o Restrict sensitive resources from being sent out to other hosts/domains.

• Content Rewrite
  o Rewrite JavaScript to delete unsafe code.

• Flow Control
  o Control the flow of sensitive information in JavaScript (taint sensitive information).
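The host-based and placeholder restrictions listed above, as an added Python example that is not from the talk: a content-rewrite filter run over the slides' script placements (`<script>`, `onclick`, a `javascript:` URL) that keeps only `<script src>` from an assumed allow list of goodhost.com hosts and records everything it dropped for logging. The allow list, the other-domain.example host and the sample page are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow list (host-based restriction): external scripts may load only from these hosts.
ALLOWED_SCRIPT_HOSTS = {"www.goodhost.com", "cdn.goodhost.com"}

class ScriptPolicyFilter(HTMLParser):
    """Rewrite: <script src> only from whitelisted hosts; no inline scripts, on* handlers or javascript: URLs."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &lt; etc. escaped in the output
        self.out, self.dropped, self.skipping_script = [], [], False  # .dropped feeds logging

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src is None or urlparse(src).hostname not in ALLOWED_SCRIPT_HOSTS:
                self.skipping_script = True  # inline or non-whitelisted: drop the whole element
                self.dropped.append(("script", src))
                return
        kept = []
        for name, value in attrs:
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.dropped.append((name, value))  # inline event handler or javascript: URL
            else:  # re-escape attribute values so a quote inside one cannot break out
                kept.append(f' {name}="{html.escape(value, quote=True)}"' if value is not None else f" {name}")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if not (tag == "script" and self.skipping_script):
            self.out.append(f"</{tag}>")
        self.skipping_script = False  # only </script> can end a script body (CDATA mode)

    def handle_data(self, data):
        if not self.skipping_script:  # bodies of dropped scripts never reach the output
            self.out.append(data)

    def handle_entityref(self, name): self.out.append(f"&{name};")
    def handle_charref(self, name): self.out.append(f"&#{name};")

def apply_script_policy(page):
    """Return (rewritten page, list of dropped script sources and attributes)."""
    f = ScriptPolicyFilter()
    f.feed(page); f.close()
    return "".join(f.out), f.dropped

# Constructed page mixing the slide's script placements with one allowed CDN script.
SAMPLE_PAGE = ('<html><body><script src="http://cdn.goodhost.com/app.js"></script>'
               '<script>probe()</script><script src="http://other-domain.example/x.js"></script>'
               '<input onclick="probe()"><img src="javascript:probe()"><p>Visible &lt;text&gt; stays</p></body></html>')
```

Calling `apply_script_policy(SAMPLE_PAGE)` leaves only the CDN script, the stripped `<input>` and `<img>` and the escaped paragraph, with four dropped items to log.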
What are other Control Points?
[Diagram of control points between the client (JS, DOM, Cookie), the web server and other domains:]
• Input interface: sanitize the URL to discard malicious content.
• Web server: control the flow of user-provided data.
• Input vs. output interface: compare input and output interface data to check whether malicious content has trespassed through the server.
• Output interface / browser: control JS & DOM interactions.
• Control JS communication with external domains.
• Control cookies being sent out to external domains.
Thanks.