Securing the Web Platform - CyLab Security & Privacy Institute · Securing the Web Platform....

Securing the Web Platform

Collin Jacksoncollin.jackson@sv.cmu.edu

The Web Application Platform More powerful than

ever• Faster• Easier• Ubiquitous• Interoperable

Safer?

Browserscope Security Tests

Both opt-in and on-by-default improvements Applicable and adoptable by all vendors

Collaborators: Lindsey Simon (Google), Steve Souders (Google), Mustafa Acer (CMU), David Huang (CMU)

Research Collaborations

Block Reflected XSSCollaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)

Cross-Site Scripting

Unfiltered user input appears in output• JavaScript code can hijack

session• #1 most common web

vulnerability

Browser identifies common strings in the request and response

Does not address persistent XSS

Goal: Mitigate vulnerabilities, not attacks

Collaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)

Limitations of Regular Expressions

Correct parsing requires browser simulation

Script is now easy to find

XSS Filter Architectures

Google Chrome

Internet Explorer

Clickjacking

Induced False Positives

top.location = document.location;}</script>

Attack:

http://victim.com/?<script>if (top != self) { …

X-Frame-OptionsCollaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)

Full Page Hyperlink Attack

http://www.victim.com/?<a href="…" style="…">

http://www.victim.com/?<script>/*attack*/<script>

Gadget Containers

Container Escape Attack

Origin Header CSRF DefenseCollaborators: Adam Barth (UC Berkeley), John C. Mitchell (Stanford), Ian Hickson (Google)

Cookies as Session Identifiers

Cross-Site Request Forgery

User credentials

Cookie: SessionID=523FA4cd2E

Existing Defenses Secret Validation Token

Referer Validation

Custom HTTP Header

Referer: http://www.facebook.com/home.php

X-Requested-By: XMLHttpRequest

Referer Suppression

Introduced by network proxies

Strict Referer validation not feasible for most sites

Lenient Referer validation (allowing blank Referer) is insecure

Measurement Technique283,945 impressions = $150

Ongoing work to measureother browser behaviors

• Private browsing usage• Browser patch deployment• DNS rebinding vulnerabilities

Origin Header

Never send privacy-sensitive path and query information

Always set to "null" when suppressed

Strict Transport SecurityCollaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla)

Strict Transport Security

• HTTPS is rarely used securely

• SSL stripping• Mixed content• Certificate error override

• Help browsers identify high-security servers

• Reduces burden on user• Extensible• Backwards compatible

Collaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla)

Ongoing Work

Different issuing practices Weak crypto Unenforced revocation SSL rebinding

Collaborators: Dinesh Israni (CMU)

Thanks!

collin.jackson@sv.cmu.eduwww.collinjackson.com

Securing the Web Platform - CyLab Security & Privacy Institute · Securing the Web Platform....

Documents

Carnegie MellonCarnegie Mellon 1 Business Meeting Organizer A Multi-Agent Meeting Scheduler using Mobile Context Kathleen Yang Kathleen.Yang@sv.cmu.eduKathleen.Yang@sv.cmu.edu

Microsoft Platform Test for ISV Solutions Client Test Managed Code Test AwareComm’s ®.Net platform technology creates awareness while securing and delivering

Hacking and Securing Next Generation iPhone and iPad Apps · PDF fileHacking and Securing Next Generation iPhone and iPad Apps ... ‣Do NOT send company ... ‣The iOS platform introduces

Securing small Securing small business business

Securing Your E-mail Communication - Cisco · Securing Your E-mail Communication T-SECB3&4 Hrvoje Dogan, Consulting Systems Engineer, Security. ... EMAIL PLATFORM Data Loss Prevention

Securing Mobile Devices - NSS · 2017. 4. 25. · Securing Mobile Devices DATASHEET Automate Deployments with MDM and EMM Platform Integrations Mobile Device Management (MDM) and

Securing Oracle E-Business Suite in the Cloud - Integrigy Securing Oracle EBS in...Oracle E-Business Suite ... (IAAS) and “Platform as ... Oracle E-Business Suite Cloud Perimeter

Securing the container platform - informaconnect.com€¦ · orchestration system, securing all critical data the booting host requires comparison to a known and workloads during

COMMUNICATION NETWORKS We are securing the · PDF fileCOMMUNICATION NETWORKS We are securing the past in a fast moving future. FOX605 multiservice platform. ... information transmitted

SECURING THE 3DEXPERIENCE PLATFORM OWASP AND …...For an example, see the illustration below detailing the Top 10 risks from 2013: OWASP AND 3DEXPERIENCE PLATFORM APPLICATION SECURITY

ARCHIVED: Securing the Microsoft Platform on Amazon Web

A Platform Approach to Securing Your Medical Devices · White Paper – A Platform Approach to Securing Your Medical Devices Page 4 of 12 – To prevent disclosure of vulnerabilities

Securing Industrial Control Systems · Case Study –Electric Utilities Transmission • Deployed Palo Alto Networks platform • Next-generation Firewall • 2 Control Centers &

Securing Sharepoint platform

Securing Buy-in Step 5: Securing Buy-in. Securing Buy-in Securing Buy-in Our Roadmap

Regular Expressions Considered Harmful in ... - Collin Jacksoncollinjackson.com/research/xssauditor.pdfCollin Jackson Carnegie Mellon University collin.jackson@sv.cmu.edu ABSTRACT

Securing Cloud Applications with a Distributed Web ... · security platform needs to be flexible with changing demands. Cross Platform Portability As you evolve and transform your

Securing Digital Fintech Platform - ACCI · Security challenges in the evolving Fintech landscape . 4 . What is Value Proposition Digital Fintech Platform? 1 . Potential Security

Securing the Microsoft Platform on Amazon Web Services · in the platform that you can configure to mitigate ... IP addresses. These ACLs can contain ... Securing the Microsoft Platform

SECURING THE 3DEXPERIENCE PLATFORM …...For an example, see the illustration below detailing the Top 10 risks from 2013: OWASP AND 3DEXPERIENCE PLATFORM APPLICATION SECURITY PROGRAM