Web
Security
CS642:
Computer
Security
Professor
Ristenpart
h9p://www.cs.wisc.edu/~rist/
rist
at
cs
dot
wisc
dot
edu
Liberal
borrowing
from
Mitchell,
Boneh,
Stanford
CS
155
University
of
Wisconsin
CS
642
�Announcements
HW3
should
be
posted
tonight
or
tomorrow
Check
the
web
site
announcements
Check
email
�Web
security
part
1
Basic
web
security
models
Browser
security
Same-origin
policy
/
NavigaQon
policy
Cookies
/
Session
handling
University
of
Wisconsin
CS
642
�WWW
Tim
Berners-Lee
and
Robert
Cailliau
1990
HTTP,
CERN
h9pd,
gopher
1993
Mosiac
web
browser
(UIUC,
Marc
Andreesen)
1994
W3C
WWW
ConsorQum
---
generate
standards
Gopher
started
charging
licensing
fees
(Univ
of
Minnesota)
�Nowdays:
ecosystem
of
technologies
HTTP
/
HTTPS
AJAX
PHP
Javascript
SQL
Apache
Ruby
h9p://w3schools.com/
�Threat
model
network
a9acker
User
A
Internet
a9acker.com
bank.com
�Some
basics
of
HTTP
h9p://www.tom.com:80/calendar/render.php?gsessionid=OK
protocol
port
hostname
URLs
only
allow
ASCII-US
characters.
Encode
other
characters:
%0A
=
newline
%20
=
space
path
query
Special
characters:
+
=
space
?
=
separates
URL
from
parameters
%
=
special
characters
/
=
divides
directories,
subdirectories
#
=
bookmark
&
=
separator
between
parameters
�HTTP
Request
Method
File
HTTP version
Headers
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats
Blank line
Data none for GET
GET
:
no
side
eect
POST
:
possible
side
eect
�HTTP
Response
HTTP version
Status code
Reason phrase
Headers
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie:
Content-Length: 2543
<HTML> Some data... blah, blah, blah </HTML>
Cookies
Data
�Browser
execuQon
Each
window
(or
tab):
Retrieve/load
content
Render
it
Process
the
HTML
Might
run
scripts,
fetch
more
content,
etc.
Respond
to
events
User
acQons:
OnClick,
OnMouseover
Rendering:
OnLoad,
OnBeforeUnload
Timing:
setTimeout(),
clearTimeout()
�Web
pages
are
not
single-origin
lFrames:
<iframe
src=//site.com/frame.html
>
</iframe>
Scripts:
<script
src=//site.com/script.js
>
</script>
CSS:
<link
rel="stylesheet"
type="text
/css
href=//site/com/theme.css"
/>
Objects
(ash):
[using
swfobject.js
script
]
<script>
var
so
=
new
SWFObject(//site.com/ash.swf',
);
so.addParam(allowscriptaccess',
always');
so.write('ashdiv);
</script>
�Document
Object
Model
(DOM)
Object-oriented
way
to
refer
to
objects
in
a
web
page
ProperQes:
document.alinkColor,
document.URL,
document.forms[
],
document.links[
],
document.anchors[
]
Methods:
document.write(document.referrer)
From
h9p://w3schools.com/htmldom/default.asp
�Document
Object
Model
(DOM)
Object-oriented
way
to
refer
to
objects
in
a
web
page
ProperQes:
document.alinkColor,
document.URL,
document.forms[
],
document.links[
],
document.anchors[
]
Methods:
document.write(document.referrer)
Browser
Object
Model
(BOM)
window,
document,
frames[],
history,
locaQon,
navigator
(type
and
version
of
browser)
�Seemingly
innocuous
features?
<img
src=bucky.jpg
height=50pt
width=50pt>
Displays
an
image
What
can
a9acker
do?
�Javascript
Qming
<html><body><img
id="test"
style="display:
none">
<script>
var
test
=
document.getElementById(test);
var
start
=
new
Date();
test.onerror
=
funcQon()
{
var
end
=
new
Date();
alert("Total
Qme:
"
+
(end
-
start));
}
test.src
=
"h9p://www.example.com/page.html";
</script>
</body></html>
�Behind-rewall
webapp
scanning
JavaScript
can:
Request
images
from
internal
IP
addresses
Example:
<img
src=192.168.0.4:8080/>
Use
Qmeout/onError
to
determine
success/failure
Fingerprint
webapps
using
known
image
names
Server
1)
show
me
dancing
pigs!
scan
Malicious
Web
page
2)
check
this
out
3)
port
scan
results
scan
Firewall
Browser
scan
�Browser
security
model
Should
be
safe
to
visit
an
a9acker
website
Should
be
safe
to
visit
sites
simultaneously
Should
be
safe
to
delegate
content
�Browser
isolaQon
Browser
is
running
untrusted
inputs
(a9acker
webpage)
Like
all
big,
complex
so}ware,
browser
has
security
vulnerabiliQes
Browsers
include
Rich
Internet
ApplicaQons
(RIAs)
that
increase
a9ack
surface:
e.g.,
Adobe
Flash
(see
reading
for
today
by
Blazakis)
Malicious
website
exploits
browser,
from
there
system
�Browser
handles
mulQple
sites,
must
maintain
separate
security
contexts
for
each
OperaQng
system
PrimiQves
System
calls
Processes
Disks
Principals:
Users
DiscreQonary
access
controls
VulnerabiliQes
Buer
overows
root
exploit
Browsers
PrimiQves
Document
object
model
Frames
Cookies
/
local
storage
Principals:
Origins
Mandatory
access
controls
VulnerabiliQes
Cross-site
scripQng
(XSS)
Cross-site
request
forgery
(CSRF)
Cache
history
a9acks
�Same-origin
policy
Each
frame
of
page(s)
has
an
origin
protocol://host:port
Origin
is
(protocol,host,port)
Frame
can
access
its
own
orign
Network
access,
Read/write
DOM,
storage
(cookies)
Frame
cannot
access
data
associated
with
another
origin
�Frame
relaQonships
Child
Sibling
Frame
Bust
Descendant
21
�Frame
policies
canScript(A,B)
and
canNavigate(A,
B)
Permissive
any
frame
can
navigate
any
other
frame
Child
only
can
navigate
if
you
are
parent
Descendent
only
can
navigate
if
you
are
ancestor
Which
do
you
think
should
be
used?
�Problems
with
permissive
frames['right'].window.locaQon=evil.com/login.html;
window.open("https://attacker.com/",
"awglogin");
awglogin
�UI
Redressing
(Clickjacking)
Overlayed
frame
Do
evil
thing()
�FramebusQng
<script
type="text/javascript">
if(top
!=
self)
top.locaQon.replace(locaQon);
</script>
�Cookies:
Seng/DeleQng
GET
if
expires=NULL:
this
session
only
HTTP Header:
Set-cookie: NAME=VALUE ;
domain = (when to send) ;
scope
path = (when to send)
secure = (only send over SSL);
expires = (when expires) ;
HttpOnly
Delete cookie by setting expires to date in past
Default scope is domain and path of setting URL
Client can also set cookies (Javascript)
�Cookie
scope
rules
(domain
and
path)
Say
we
are
at
www.wisc.edu
Any
non-TLD
sux
can
be
scope:
allowed:
www.wisc.edu
or
wisc.edu
disallowed:
www2.wisc.edu
or
ucsd.edu
Path
can
be
set
to
anything
�Cookies:
reading
by
server
GET /url-domain/url-path
Cookie: name=value
Browser sends all cookies such that
domain scope is suffix of url-domain
path is prefix of url-path
protocol is HTTPS if cookie marked secure
�Cookie
security
issues
Cookies
have
no
integrity
HTTPS
cookies
can
be
overwri9en
by
HTTP
cookie
(network
injecQon)
Malicious
clients
can
modify
cookies
Shopping
cart
vulnerabiliQes
Privacy
Cookies
can
be
used
to
track
you
around
the
Internet
HTTP
cookies
sent
in
clear
Session
hijacking
��<script
type="text/javascript">
//<![CDATA[
var
hint
=
'mainpage';
document.write('<script
type="text/javascript"
src="h9p://ad.doubleclick.net/adj/
ostg.slashdot/pg_index_p1_leader;pg=index2;logged_in=0;Qle='+dfp_Qle
+';sz=728x90;u=;ord='+dfp_ord+'?"><\/script>');
dfp_Qle++;
//]]>
</script>
In
addiQon
to
ads
based
on
interest
categories,
Google
allows
adverQsers
(including
Google)
to
show
you
ads
based
on
your
previous
interacQons
online,
such
as
visits
to
adverQsers
websites.
For
example,
someone
who
visited
the
website
of
an
online
sporQng
goods
store
can
receive
ads
about
special
oers
from
that
store.
---
h9p://www.google.com/privacy/ads/
�Session
handling
and
login
GET /index.html
Set-Cookie: AnonSessID=134fds1431
Protocol
is
HTTPS.
Elsewhere
just
HTTP
POST /login.html?name=bob&pw=12345
Cookie: AnonSessID=134fds1431
Set-Cookie: SessID=83431Adf
GET /account.html
Cookie: SessID=83431Adf
�Session
Hijacking
From
h9p://codebutler.com/resheep
�Towards
prevenQng
hijacking
Use
encrypQon
when
seng
session
cookies
SessID
=
Enc(K,info)
where
:
K
is
server-side
secret
key
Enc
is
Encrypt-then-MAC
encrypQon
scheme
info
contains:
user
id
expiraQon
Qme
other
data
Server
should
record
if
user
logs
out
Does
this
prevent
Firesheep
hijacking?
include
in
data
machine-specic
informaQon
turn
on
HTTPS
always
