Odyssey to Web Browser Security - 1
Prepared by: Prosunjit Biswas. Advisor: Dr. Ravi Sandhu. Presented at ICS @ UTSA (12th April, 2012). Email: [email protected]
What are Web Browsers for?
• Web browsers retrieve, present and traverse information on the Web, typically provided by web servers.
• Web browsers use URIs/URLs to locate and retrieve that information.
HTTP request (URL) format
"protocol:" "//" host [ ":" port ] [ abs_path [ "?" query ]]
Examples:
1. http://cs.utsa.edu/index.html
2. http://utsa.summon.serialssolutions.com/search/results?spellcheck=true&q=security
3. http://www.php.net/manual/en/reserved.variables.get.php
4. http://www.amazon.com/s/ref=nb_sb_noss/185-1213459-6355102?url=search-alias%3Daps&field-keywords=iphone
Notice…
• The 'query' part of the URL may contain user-provided data that is fed to the application.
• That is where the payload for most possible attacks is carried. (The path, the POST body and request headers such as Cookie and Referer are user-controlled too, so they need the same treatment.)
Courtesy: “Top 10 attacks” by Saumil Shah
Web Application Architecture: Server Side & Client Side
How is a request resolved by the server for the browser?
Server Response at Browser Side
The server response includes:
o Data/information (e.g. personal info)
o HTML markup (tables, paragraphs)
o JavaScript / other scripts
o Cookies (session information)
o Browser configuration metadata
o Other resources (e.g. Flash, CSS)
HTML Markup
• HTML markup provides the presentation for the data/content.
• In Web 2.0 the data and the markup together build the Document Object Model (DOM).
• The DOM is a tree structure (similar to an XML tree) that makes it easy for scripts to retrieve and change any part of the page.
Script / Javascript
• When we say Dynamic HTML (DHTML), the dynamic behaviour is achieved by JavaScript running in the browser.
• JavaScript can manipulate (insert/delete/modify) any content in the browser.
• Unfortunately it is 'The World's Most Misunderstood Programming Language'
-- Douglas Crockford
Where to put JavaScript in a web page ?
• JavaScript can be placed almost anywhere in a page, for example:
• <script> JS content </script>
• <input onclick="JS content"> (any on* event-handler attribute)
• <img src="javascript:JS content"> (javascript: URLs in src attributes only run in old browsers such as IE 6/7; current browsers refuse them, but <script> elements and event handlers still work everywhere)
• And others, e.g. <a href="javascript:…">, <iframe src="javascript:…">, <body onload="…">.
How Web Browsing can be insecure?
• Attacker steals data [attack on user information]
• Attacker defaces a web page [attack on markup]
• Attacker injects / modifies JavaScript [script-based attack]
• Attacker steals cookies
• Attacker inserts metadata on the page
• Attacker attacks other resources [e.g. images]
Notice …
• All the attacks above can be achieved by injecting or modifying JavaScript on an honest web page.
Risk That We Do Not Care About…
• A website is malicious and a user visits it and gets infected.
[We can leave it to the discretion of the visitor]
Risk That We Care About…
• A website is not intended to be malicious, but an attacker has compromised the page and everyone who visits it gets compromised.
o [We do care about this]
Attacking Approach (Client-server Perspective)
• Attack servers / services [server-side attack]
o Ex. website defacement
o SQL injection
o DoS attack and others
• Attack the web client [client / browser-based attack]
o Ex. XSS (Cross-Site Scripting)
o XSRF (Cross-Site Request Forgery)
o Phishing (social engineering) and others
Attacking Approach (Way of Attacks)
• Content injection
o SQL injection
o Script injection (XSS)
o DOM element injection (DOM-based XSS)
• Breaking access control / access restriction
o Cross-domain / cross-frame attack
o Ex. cross-domain capability leaks
• Exploiting application configuration
o Session hijacking / credential stealing
o Failure to restrict URL access
o Insecure cryptography
o Cross-domain attack
Attacking Approach (Way of Attacks) continuing…
• Insecure network
o Proxy-based attack
o Man-in-the-middle attacks
• Web-based malware attack
We are most interested in content injection attacks because of their wide attack surface.
Content Injection (Through URL): Demonstrating a Reflected XSS attack
1. The attacker crafts a URL whose query carries the bad content: www.goodhost.com?search=@#badcontent#@
2. The attacker sends the URL to the victim through email or another way.
3. The victim clicks the URL; the client web browser sends the request, with @#badcontent#@ in the query, to the web server.
4. The web server reflects @#badcontent#@ into its response unchanged.
5. The browser renders the response and runs the injected content: the user is infected with the injection attack.
Content Injection (via comment): Demonstrating a Stored XSS attack
1. The attacker puts a malicious comment, @#comment!@#, on the page.
2. The web server inserts the comment into the database.
3. Bob requests the same page.
4. The malicious comment is retrieved from the database and returned as part of the page, so Bob's browser receives and runs the malicious content.
Content Injection Attack (What content?)
• SQL (data integrity & privacy attack)
• Script / JavaScript (privacy attack, e.g. cookie stealing)
• DOM element (data integrity, e.g. phishing)
We are most interested in script injection (also called XSS): it is easy and obvious to carry out, but its impact is severe, so it is critical to handle.
Why attackers prefer JavaScript injection?
• JavaScript can access almost all resources in a web page.
• JavaScript is supported by all major browsers.
• JavaScript has great expressive power.
Consequence of XSS attack
• Sensitive information theft
o Credential theft (e.g. cookies)
• Intranet scanning
o Scan open ports
• Attacking other users
o Replay attacks from the compromised browser
What are the Existing Approaches to Protect Against XSS attacks?
All the existing approaches place some kind of restriction on JavaScript use.
• Host-based restriction
o Allow JavaScript only from whitelisted hosts.
o Restrict JavaScript from blacklisted hosts.
o A host whitelist only helps if inline scripts are restricted as well, since injected XSS payloads are usually inline.
• Placeholder restriction
o Restrict the places where JavaScript can be inserted.
• Transfer restriction
o Restrict sensitive resources from being sent out to other hosts/domains.
• Content rewriting
o Rewrite JavaScript to delete unsafe code.
• Flow control
o Control the flow of sensitive information in JavaScript (taint sensitive information).
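Host-based restriction and placeholder restriction in code, as an added example that is not part of the original slides: a deliberately simplified checker in the style of the Content-Security-Policy script-src directive, the standardised browser mechanism for exactly this kind of whitelist. It implements only a subset of real CSP matching (scheme://host sources, a leading *. host wildcard, 'self', 'none', 'unsafe-inline' and the fallback to default-src); ports, paths, nonces and hashes are ignored. Treating inline scripts as the placeholder restriction is this example's mapping, and the policy strings and host names are constructed.

```javascript
// Added example (not part of the original slides): a simplified subset of the
// Content-Security-Policy script-src matching rules. Policies and hosts are
// constructed for illustration.

// Return the source list for `name` (e.g. 'script-src'), or null if absent.
function findDirective(policy, name) {
  const d = policy
    .split(';')
    .map((s) => s.trim())
    .find((s) => s === name || s.startsWith(name + ' '));
  if (!d) return null;
  return d.slice(name.length).trim().split(/\s+/).filter(Boolean);
}

// script-src governs scripts; when it is missing, CSP falls back to default-src.
function scriptSources(policy) {
  return findDirective(policy, 'script-src') || findDirective(policy, 'default-src');
}

// Host-based restriction: does one source expression cover `origin`?
function sourceMatches(source, origin, documentOrigin) {
  if (source === "'self'") return origin === documentOrigin;
  if (source.includes('://*.')) {
    // scheme://*.example.com matches any subdomain but not the bare domain
    const [scheme, suffix] = source.split('://*.');
    const [oScheme, oHost] = origin.split('://');
    return oScheme === scheme && oHost.endsWith('.' + suffix);
  }
  return source === origin;            // exact scheme://host match
}

// Decide whether the browser may run a script under `policy`.
// `script` is { src: 'https://…/x.js' } for an external script, or
// { inline: true } for <script>…</script> bodies and on* handlers, which is
// the placeholder restriction: injected payloads are almost always inline.
function scriptAllowed(policy, documentOrigin, script) {
  const sources = scriptSources(policy);
  if (sources === null) return true;                 // nothing restricts scripts
  if (sources.includes("'none'")) return false;
  if (script.inline) return sources.includes("'unsafe-inline'");
  const origin = new URL(script.src).origin;
  // An empty source list (bare "script-src") matches nothing, like 'none'.
  return sources.some((s) => sourceMatches(s, origin, documentOrigin));
}

// Walk a whitelist policy through the cases the slide lists.
function demo() {
  const policy =
    "default-src 'self'; script-src 'self' https://cdn.example.com https://*.trusted.example";
  const doc = 'https://www.goodhost.example';
  return {
    own:      scriptAllowed(policy, doc, { src: 'https://www.goodhost.example/app.js' }),
    cdn:      scriptAllowed(policy, doc, { src: 'https://cdn.example.com/lib.js' }),
    sub:      scriptAllowed(policy, doc, { src: 'https://static.trusted.example/x.js' }),
    bare:     scriptAllowed(policy, doc, { src: 'https://trusted.example/x.js' }),
    attacker: scriptAllowed(policy, doc, { src: 'http://attacker.example/steal.js' }),
    injected: scriptAllowed(policy, doc, { inline: true }),   // typical XSS payload
  };
}

console.log(demo());
// → { own: true, cdn: true, sub: true, bare: false, attacker: false, injected: false }
```

The `injected` case is the one that matters: a whitelist of hosts alone would still let an inline payload run, so the host-based and placeholder restrictions have to be applied together, and adding 'unsafe-inline' to the policy gives the host whitelist away again.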
What are other Control Points?
The control points sit between the web server, the browser's JS, DOM and cookies, and other domains:
• Input interface: sanitize the URL to discard malicious content.
• Output interface: compare input-interface and output-interface data to check whether malicious content has trespassed through the server.
• Control the flow of user-provided data between the web server and the browser.
• Control JS communication with external domains.
• Control cookies being sent out to external domains.
• Control JS & DOM interactions.
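The input/output comparison control point above, implemented as an added example that is not part of the original slides: a wrapper that captures every query parameter at the input interface, renders the page, and refuses to ship a response in which a markup-significant input reappears verbatim (that is, unescaped). The request URL, the two page handlers and the payload are constructed for illustration.

```javascript
// Added example (not part of the original slides): the "compare input and
// output interface data" control point as a response filter. Request URL,
// handlers and payload are constructed for illustration.

// Characters that can change HTML structure if they reach the page unescaped.
const DANGEROUS = /[<>"'&]/;

// Input interface: capture every user-supplied query parameter by name.
function captureInputs(urlString) {
  const inputs = {};
  for (const [name, value] of new URL(urlString).searchParams) inputs[name] = value;
  return inputs;
}

// Output interface: report inputs that carry markup-significant characters
// and appear verbatim (i.e. unescaped) in the response body.
function auditResponse(inputs, responseHtml) {
  const findings = [];
  for (const [name, value] of Object.entries(inputs)) {
    if (!DANGEROUS.test(value)) continue;          // plain text cannot inject markup
    if (responseHtml.includes(value)) findings.push(name);
  }
  return findings;
}

// Wrap a page handler: render, audit, and refuse to ship a page through which
// an input trespassed unescaped.
function guardedRender(urlString, render) {
  const inputs = captureInputs(urlString);
  const html = render(inputs);
  const findings = auditResponse(inputs, html);
  if (findings.length > 0) {
    return { blocked: true, findings, html: '<html><body>Request rejected</body></html>' };
  }
  return { blocked: false, findings, html };
}

// Two handlers for the same search page: one echoes the input raw, one escapes it.
const escapeHtml = (s) =>
  s.replace(/[&<>"']/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
const rawHandler = (inputs) => '<h1>Results for: ' + (inputs.search || '') + '</h1>';
const safeHandler = (inputs) => '<h1>Results for: ' + escapeHtml(inputs.search || '') + '</h1>';

function demo() {
  const url =
    'http://www.goodhost.example/search?search=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&page=2';
  return {
    raw: guardedRender(url, rawHandler).blocked,     // true: the payload reached the output
    safe: guardedRender(url, safeHandler).blocked,   // false: only its escaped form did
    plain: guardedRender('http://www.goodhost.example/search?search=utsa', rawHandler).blocked,
  };
}

console.log(demo());
// → { raw: true, safe: false, plain: false }
```

The comparison is an exact string match, so partial reflection, case changes, double-encoding or a handler that decodes the input a second time all slip past it, and a page that legitimately echoes trusted HTML trips it; it is a detection aid at the server boundary, not a replacement for per-context output encoding.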