Secure webbrowsing 1
Download as PPTX, PDF0 likes560 views
The document discusses web browser security and cross-site scripting (XSS) attacks. It explains that XSS attacks work by injecting malicious JavaScript code into web pages. This code can then access sensitive data like cookies or modify the page's content. The document outlines the risks of XSS and how attackers use it to steal user information or launch other attacks. It also summarizes some existing approaches to prevent XSS, such as restricting where JavaScript can be placed or limiting its access to sensitive resources.
![Http Request (URL) format
"protocol:" "//" host [ ":" port ] [ abs_path [
"?" query ]]
Examples:
1. http://cs.utsa.edu/index.html
2. http://utsa.summon.serialssolutions.com/search/results?
spellcheck=true&q=security
3. http://www.php.net/manual/en/reserved.variables.get.php
4. http://www.amazon.com/s/ref=nb_sb_noss/185-1213459-
6355102 ?url=search-alias%3Daps&field-keywords=iphone](https://image.slidesharecdn.com/securewebbrowsing-1-120412215533-phpapp02/85/Secure-webbrowsing-1-3-320.jpg)
![How Web Browsing can be
insecure?
• Attacker Steals data [Attack User information]
• Attacker defaces a webpage [Attack markup]
• Inject / Modify JavaScript [Script Based
attack]
• Steal Cookie
• Insert Meta Data on page
• Attack other Resources [ex: Image]](https://image.slidesharecdn.com/securewebbrowsing-1-120412215533-phpapp02/85/Secure-webbrowsing-1-11-320.jpg)
![Risk That We Do Not Care …
• A website is malicious and an user visits this
site and get infected.
[We can leave it to the discretion of the
visitor]](https://image.slidesharecdn.com/securewebbrowsing-1-120412215533-phpapp02/85/Secure-webbrowsing-1-13-320.jpg)
![Risk That We Care(2) …
• A website is not intended to be malicious but
attacker has compromised this page and let
everyone who visit it, be compromised.
o [ We do Care for this ]](https://image.slidesharecdn.com/securewebbrowsing-1-120412215533-phpapp02/85/Secure-webbrowsing-1-14-320.jpg)
![Attacking Approach (Client-server
Perspective)
• Attack Servers / Services [ Server side
attack]
o Ex. Website Defacement ,
o SQL injection,
o DoS Attack and others
• Attack Web Client [ Client / Browser based
attack].
o Ex: XSS ( Cross Site Scripting)
o XSRF ( Cross Site Request forgery)
o Phishing ( Social Eng.) and others](https://image.slidesharecdn.com/securewebbrowsing-1-120412215533-phpapp02/85/Secure-webbrowsing-1-15-320.jpg)
Secure webbrowsing 1
- 1. Odyssey to Web Browser Security - 1 Prepared by: Prosunjit Biswas, Advisor : Dr. Ravi Sandhu Presented : ICS @ UTSA (12th April, 2012) Email: prosun.csedu@gmail.com
- 2. What is Web Browsers for? • Web Browsers Retrieve, Present and Traverse information on Web typically provided by web servers. • Web Browsers use URI/URLs to locate and retrieve information.
- 3. Http Request (URL) format "protocol:" "//" host [ ":" port ] [ abs_path [ "?" query ]] Examples: 1. http://cs.utsa.edu/index.html 2. http://utsa.summon.serialssolutions.com/search/results? spellcheck=true&q=security 3. http://www.php.net/manual/en/reserved.variables.get.php 4. http://www.amazon.com/s/ref=nb_sb_noss/185-1213459- 6355102 ?url=search-alias%3Daps&field-keywords=iphone
- 4. Notice… • The ‘query’ part in the URL may contain user provided data that is feed to the application. • And contains Payload for maximum possible attacks.
- 5. Web Application Architecture: Server Side & Client Side Courtesy: “Top 10 attacks” by Saumil Shah
- 6. How a Request is resolved by the Server for the Browser?
- 7. Server Response at Browser Side Server Response Includes: o Data/Information (personal Info) o HTML Markups(table, paragraph) o Javascript / Other Script o Cookies ( session information) o Browser Configuration Meta data o Other Resources(Ex: Flash, CSS )
- 8. HTML Markup • HTML Markups provides presentation for the data/content. • In Web 2.0 data & Markup altogether build Document Object Model (DOM) • DOM form a XML tree structure for easy retrieval of data.
- 9. Script / Javascript • When We say Dynamic HTML( DHTML), this dynamicity is achieved by JavaScript at the Browser Side. • JavaScript can manipulate (Insert/delete/ Modify) any content in the browser . • Unfortunately it is „The World's Most Misunderstood Programming Language’ -- Douglas Crockford
- 10. Where to put JavaScript in a web page ? • Typically JS can be put almost all places. • <script> JS content </script> • <input onclick=“JS content”> • <img src=“javascript:JS Content”> • And others.
- 11. How Web Browsing can be insecure? • Attacker Steals data [Attack User information] • Attacker defaces a webpage [Attack markup] • Inject / Modify JavaScript [Script Based attack] • Steal Cookie • Insert Meta Data on page • Attack other Resources [ex: Image]
- 12. Notice … • All the mentioned attacks can be achieved by injecting / modifying JavaScript on a honest web page.
- 13. Risk That We Do Not Care … • A website is malicious and an user visits this site and get infected. [We can leave it to the discretion of the visitor]
- 14. Risk That We Care(2) … • A website is not intended to be malicious but attacker has compromised this page and let everyone who visit it, be compromised. o [ We do Care for this ]
- 15. Attacking Approach (Client-server Perspective) • Attack Servers / Services [ Server side attack] o Ex. Website Defacement , o SQL injection, o DoS Attack and others • Attack Web Client [ Client / Browser based attack]. o Ex: XSS ( Cross Site Scripting) o XSRF ( Cross Site Request forgery) o Phishing ( Social Eng.) and others
- 16. Attacking Approach (Way of Attacks) • Content Injection o SQL Injection o Script Injection (XSS) o DOM element Injection (DOM based XSS) • Breaking Access-Control / Access- Restriction o Cross Domain / Cross Frame Attack o Ex. Cross Domain Capability Leaks • Exploiting Application Configuration o Session Hijacking / Credential Stealing o Failure to Restrict URL access o Insecure Cryptography
- 17. Attacking Approach (Way of Attacks) continuing… • Insecure Network o Proxy-based attack o Man-in-the-middle attacks • Web Based Malware Attack We are more Interested on Content Injection Attack because of its wide attack surface.
- 18. Content Injection (Through URL) Demonstrating Reflected XSS attack Sends through email / other way www.goodhost.com?search=@#badcontent#@ @#badcontent #@ Clicks the URL Client Web Browser @#badcontent #@ @#badcontent#@ @#badcontent #@ Web Server User is infected with the injection attack
- 19. Content Injection (via comment) Demonstrating ‘Stored XSS attack’ Inserted in DB @#comment!@# Malicious content Comment Retrieved From database @#comment!@# Clicks the URL Clicks the URL Request Put Malicious comment Bob Request the same page
- 20. Content Injection Attack (2) (What content?) • SQL ( Data Integrity & Privacy attack) • Script / JavaScript (Privacy attack – Steal Cookie) • DOM Element ( Data Integrity - Phishing ) We are more Interested in Script Injection attack (also called XSS) which is easy and obvious but impact is severe therefore critical to handle.
- 21. Why attackers prefer JavaScript injection? • JavaScript can access almost all resources in a web page. • JavaScript is supported by all major browsers • JavaScript has great expressive power.
- 22. Consequence of XSS attack • Sensitive Information theft. o Credential Theft ( Ex: cookies) • Intranet Scanning o Scan Open ports . • Attacking other users o Replay attack from compromised browser.
- 23. What are the Existing Approaches to Protect XSS attacks? All the existing approaches place some kinds of restrictions over JavaScript uses. • Host based Restriction o allow JavaScript from a White listed hosts. o Restrict JavaScript from Black listed hosts. • Place holder Restriction o Restrict places where JavaScript can be inserted.
- 24. What are the Existing Approaches to Protect XSS attacks … • Transfer Restriction o Restrict Sensitive Resources to be send out to other hosts/domains. • Content Rewrite o Re-write JavaScript to delete unsafe code. • Flow Control o Control the flow of sensitive information in JavaScript (Taint Sensitive information)
- 25. What are other Control Points ? Control JS & DOM Interactions Output Interface Input Interface JS DOM Control Flow of User provided Sanitize URL to data Cookie discard malicious Web Server content Control JS Communication with External Domain Control Cookie Send out to External Domain Compare input / output interface data for to check user whether malicious content is Other Domains trespassed through the server .
- 26. References: • http://stackoverflow.com/questions/1267284/common-website-attack- methods-detection-and-recovery • http://yehg.net/lab/pr0js/papers/What%20XSS%20Can%20Do.pdf
- 27. o Thanks.