Securing the Web Platform - CyLab Security & Privacy Institute · Securing the Web Platform. Collin...
Securing the Web Platform
Collin [email protected]
The Web Application Platform
More powerful than ever
• Faster
• Easier
• Ubiquitous
• Interoperable
Safer?
Browserscope Security Tests
Both opt-in and on-by-default improvements Applicable and adoptable by all vendors
Collaborators: Lindsey Simon (Google), Steve Souders (Google), Mustafa Acer (CMU), David Huang (CMU)
Research Collaborations
Block Reflected XSS
Collaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)
Cross-Site Scripting
• Unfiltered user input appears in output
• JavaScript code can hijack session
• #1 most common web vulnerability
Browser identifies common strings in the request and response
Does not address persistent XSS
Goal: Mitigate vulnerabilities, not attacks
Collaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)
Limitations of Regular Expressions
Correct parsing requires browser simulation
Script is now easy to find
XSS Filter Architectures
Google Chrome
Internet Explorer
Clickjacking
Induced False Positives
<script>if (top != self) { top.location = document.location; }</script>
Attack:
http://victim.com/?<script>if (top != self) { …
X-Frame-Options
Collaborators: Adam Barth (UC Berkeley), Dan Bates (UC Berkeley)
Full Page Hyperlink Attack
http://www.victim.com/?<a href="…" style="…">
http://www.victim.com/?<script>/*attack*/<script>
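The induced false positive described on the preceding slides, as an added illustration that is not part of the original deck: a toy request/response string-matching filter neutralises the site's own frame-busting script as soon as the same string appears in the request query, whereas a framing policy carried in an X-Frame-Options response header is untouched by any body filtering. The filter model, the page and the origins are constructed for the example; victim.com is the slides' placeholder host, and the DENY/SAMEORIGIN handling is the documented X-Frame-Options behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

# The site's own script-based framing defense (the snippet shown on the slide).
FRAME_BUSTER = "<script>if (top != self) { top.location = document.location; }</script>"

SCRIPT_RE = re.compile(r"<script>.*?</script>", re.S)


def reflected_script_filter(request_url: str, response_html: str) -> str:
    """Toy model of a request/response string-matching XSS filter: a <script>
    block in the response is dropped when the same string also appears in the
    request query. Real filters (IE, Chrome) are far more involved; this only
    reproduces the matching idea the slides describe."""
    query = unquote(urlsplit(request_url).query)
    return SCRIPT_RE.sub(lambda m: "" if m.group(0) in query else m.group(0), response_html)


def page_with_script_defense() -> str:
    # Constructed page that relies on the script above to escape framing.
    return "<html><head>" + FRAME_BUSTER + "</head><body>Account settings</body></html>"


def frame_buster_survives(request_url: str) -> bool:
    """Does the site's frame-busting script still reach the browser after filtering?"""
    return FRAME_BUSTER in reflected_script_filter(request_url, page_with_script_defense())


def response_with_header_defense() -> dict:
    """Header-based defense: the framing decision travels in an HTTP response
    header rather than in the document body, so no body filtering can strip it."""
    return {"headers": {"X-Frame-Options": "DENY"},
            "body": "<html><body>Account settings</body></html>"}


def may_be_framed(response: dict, framer_origin: str, page_origin: str) -> bool:
    """Browser-side evaluation of X-Frame-Options (DENY / SAMEORIGIN)."""
    value = response["headers"].get("X-Frame-Options", "").strip().upper()
    if value == "DENY":
        return False
    if value == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # no policy header: framing is allowed
```

Run frame_buster_survives("http://victim.com/account") and then the same URL with FRAME_BUSTER appended as the query: the first keeps the defense, the second loses it, while may_be_framed(response_with_header_defense(), ...) is False for every framer regardless of the request.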
Gadget Containers
Container Escape Attack
Origin Header CSRF Defense
Collaborators: Adam Barth (UC Berkeley), John C. Mitchell (Stanford), Ian Hickson (Google)
Cookies as Session Identifiers
Cross-Site Request Forgery
User credentials
Cookie: SessionID=523FA4cd2E
Existing Defenses Secret Validation Token
Referer Validation
Custom HTTP Header
<input type=hidden value=23a3af01b>
Referer: http://www.facebook.com/home.php
X-Requested-By: XMLHttpRequest
Referer Suppression
Introduced by network proxies
Strict Referer validation not feasible for most sites
Lenient Referer validation (allowing blank Referer) is insecure
Measurement Technique
283,945 impressions = $150
Ongoing work to measure other browser behaviors
• Private browsing usage
• Browser patch deployment
• DNS rebinding vulnerabilities
Origin Header
Never send privacy-sensitive path and query information
Always set to "null" when suppressed
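A server-side check that follows the Origin header rules on this slide and the Referer observations before it, added here as an example and not code from the authors: for state-changing requests the Origin header is compared against the site's own origin, the literal "null" is treated as untrusted (the browser suppressed it), and only when Origin is absent does the server fall back to strict Referer validation, which rejects a blank Referer. The lenient variant the slides call insecure is included alongside for contrast. The site origin, header dictionaries and request samples are constructed.

```python
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example.test"  # constructed site origin
STATE_CHANGING = {"POST", "PUT", "DELETE", "PATCH"}


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None if it is not a full URL
    (covers a blank Referer and the literal string "null")."""
    if not url:
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}"


def is_allowed_by_origin(method, headers, site_origin=SITE_ORIGIN):
    """Origin-header CSRF check with strict Referer fallback."""
    if method not in STATE_CHANGING:
        return True  # safe methods change no state, nothing to forge
    origin = headers.get("Origin")
    if origin is not None:
        # "null" means the browser suppressed the origin; it is never equal
        # to the site origin, so the request is rejected.
        return origin == site_origin
    # Older browser without Origin: strict Referer validation. A missing or
    # blank Referer is rejected because lenient validation is insecure.
    return origin_of(headers.get("Referer")) == site_origin


def lenient_referer_check(headers, site_origin=SITE_ORIGIN):
    """The insecure variant: a blank Referer is accepted, so any request in
    which the Referer was suppressed sails through."""
    referer = headers.get("Referer")
    if not referer:
        return True
    return origin_of(referer) == site_origin


# Constructed sample requests (method, headers) for a state-changing endpoint.
SAMPLE_REQUESTS = {
    "same_site_origin": ("POST", {"Origin": "https://www.example.test", "Cookie": "SessionID=523FA4cd2E"}),
    "cross_site_origin": ("POST", {"Origin": "https://attacker.example", "Cookie": "SessionID=523FA4cd2E"}),
    "suppressed_origin": ("POST", {"Origin": "null", "Cookie": "SessionID=523FA4cd2E"}),
    "old_browser_good_referer": ("POST", {"Referer": "https://www.example.test/home.php"}),
    "old_browser_blank_referer": ("POST", {"Referer": ""}),
    "plain_get": ("GET", {}),
}


def evaluate_samples():
    """Decision of the Origin-based check for every constructed request."""
    return {name: is_allowed_by_origin(method, headers)
            for name, (method, headers) in SAMPLE_REQUESTS.items()}
```

evaluate_samples() accepts only the same-site Origin, the old-browser request with a matching Referer, and the plain GET; lenient_referer_check({"Referer": ""}) returns True, which is exactly the gap the slides point out.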
Strict Transport Security
Collaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla)
Strict Transport Security
• HTTPS is rarely used securely
• SSL stripping
• Mixed content
• Certificate error override
• Help browsers identify high-security servers
• Reduces burden on user
• Extensible
• Backwards compatible
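How a browser can act on a Strict-Transport-Security header, as an added example that is neither the authors' code nor any browser's implementation: a policy store that records a host as high-security only when the header arrived over HTTPS, honours max-age (with max-age=0 clearing the entry) and includeSubDomains, and rewrites later http:// navigations to https:// so an SSL-stripping proxy never sees a cleartext request. The directive names follow the published header format; the host names, timestamps and header values are constructed.

```python
from urllib.parse import urlsplit, urlunsplit


class HstsPolicyStore:
    """Remembers which hosts asked to be contacted only over HTTPS."""

    def __init__(self):
        self._policies = {}  # host -> (expires_at, include_subdomains)

    def record(self, host, header_value, now, over_https=True):
        """Parse a Strict-Transport-Security value received from `host`.
        Returns True if the store changed. Headers seen over plain HTTP are
        ignored: a network attacker could otherwise set or clear policies."""
        if not over_https:
            return False
        max_age, include_sub = None, False
        for directive in header_value.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False  # malformed header: keep the old policy
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # max-age is mandatory
        host = host.lower()
        if max_age <= 0:
            self._policies.pop(host, None)  # max-age=0 withdraws the policy
            return True
        self._policies[host] = (now + max_age, include_sub)
        return True

    def is_known(self, host, now):
        """True if `host` or a parent domain with includeSubDomains has an
        unexpired policy."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            policy = self._policies.get(".".join(labels[i:]))
            if policy is None:
                continue
            expires_at, include_sub = policy
            if expires_at <= now:
                continue  # expired entry
            if i == 0 or include_sub:
                return True
        return False

    def upgrade_url(self, url, now):
        """Rewrite an http:// URL to https:// for known hosts; unchanged otherwise."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname or "", now):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))


def demo():
    """Constructed walk-through: one host sets a policy, another tries to over plain HTTP."""
    store = HstsPolicyStore()
    store.record("bank.example", "max-age=3600; includeSubDomains", now=1000)
    store.record("shop.example", "max-age=3600", now=1000, over_https=False)
    return {
        "bank_now": store.upgrade_url("http://bank.example/login", now=1500),
        "bank_sub": store.upgrade_url("http://www.bank.example:80/x?y=1", now=1500),
        "bank_expired": store.upgrade_url("http://bank.example/login", now=5000),
        "shop": store.upgrade_url("http://shop.example/", now=1500),
    }
```

A real implementation also has to refuse the "click through" on certificate errors for known hosts and to skip mixed content on their pages; this store only models the policy bookkeeping and the cleartext-to-HTTPS rewrite that defeats SSL stripping.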
Collaborators: Adam Barth (UC Berkeley), Jeff Hodges (PayPal), Sid Stamm (Mozilla)
Ongoing Work
• Different issuing practices
• Weak crypto
• Unenforced revocation
• SSL rebinding
Collaborators: Dinesh Israni (CMU)
Thanks!