web security cs642: computer...
TRANSCRIPT
![Page 1: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/1.jpg)
CS642: Computer Security
University of Wisconsin CS 642
Web Security
Liberal borrowing from Mitchell, Boneh, Stanford CS 155
![Page 2: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/2.jpg)
University of Wisconsin CS 642
Web security part 1
Same-origin policy / Navigation policy
Basic web security models
Browser security
Cookies / Session handling
![Page 3: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/3.jpg)
WWW
Tim Berners-Lee and Robert Cailliau 1990HTTP, CERN httpd, gopher
1993 Mosiac web browser (UIUC, Marc Andreesen)
1994 W3C WWW Consortium --- generate standards Gopher started charging licensing fees (Univ of Minnesota)
![Page 4: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/4.jpg)
Nowadays: ecosystem of technologies
• HTTP / HTTPS• AJAX• PHP • Javascript• SQL• Apache• Ruby• http://w3schools.com/
![Page 5: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/5.jpg)
Threat model
Internet attacker.com
User
bank.com
A B
networkattacker
![Page 6: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/6.jpg)
Some basics of HTTP
http://www.tom.com:80/calendar/render.php?gsessionid=OK
protocol
hostname
portpath
query
URL’s only allow ASCII-US characters. Encode other characters:
%0A = newline%20 = space
Special characters:+ = space? = separates URL from parameters% = special characters/ = divides directories, subdirectories# = bookmark& = separator between parameters
![Page 7: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/7.jpg)
HTTP Request
GET /index.html HTTP/1.1Accept: image/gif, image/x-bitmap, image/jpeg, */*Accept-Language: enConnection: Keep-AliveUser-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)Host: www.example.comReferer: http://www.google.com?q=dingbats
Method File HTTP version Headers
Data – none for GETBlank line
GET : no side effect POST : possible side effect
![Page 8: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/8.jpg)
HTTP Response
HTTP/1.0 200 OKDate: Sun, 21 Apr 1996 02:20:42 GMTServer: Microsoft-Internet-Information-Server/5.0 Connection: keep-aliveContent-Type: text/htmlLast-Modified: Thu, 18 Apr 1996 17:39:05 GMTSet-Cookie: …Content-Length: 2543
<HTML> Some data... blah, blah, blah </HTML>
HTTP version Status code Reason phrase Headers
Data
Cookies
![Page 9: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/9.jpg)
Browser execution
• Each window (or tab):– Retrieve/load content– Render it
• Process the HTML• Might run scripts, fetch more
content, etc.
– Respond to events• User actions: OnClick, OnMouseover• Rendering: OnLoad, OnBeforeUnload• Timing: setTimeout(), clearTimeout()
![Page 10: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/10.jpg)
Document object model (DOM)
https://www.w3schools.com/js/js_htmldom.asp
Object-oriented way to organize objects in a web page
Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
Methods: document.write(document.referrer)
![Page 11: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/11.jpg)
Browser object model (BOM)Corresponding model for larger browser window,
document, frames[], history, location, navigator (type and version of browser)
From boostlog.io
![Page 12: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/12.jpg)
Seemingly innocuous features?
• <img src=“bucky.jpg” height=“50pt” width=“50pt”>
• Displays an image• What can attacker do?
![Page 13: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/13.jpg)
Javascript timing
<html><body><img id="test" style="display: none"><script>
var test = document.getElementById(’test’);var start = new Date();test.onerror = function() {
var end = new Date();alert("Total time: " + (end - start));
}test.src = "http://www.example.com/page.html";
</script></body></html>
![Page 14: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/14.jpg)
Behind-firewall webapp scanning
• JavaScript can:– Request images from internal IP addresses
• Example: <img src=“192.168.0.4:8080”/>– Use timeout/onError to determine success/failure– Fingerprint webapps using known image names
Server
MaliciousWeb page
Firewall
1) “show me dancing pigs!”
2) “check this out”
Browser
scan
scan
scan3) port scan results
![Page 15: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/15.jpg)
Browser security model
Should be safe to visit an attacker website
Should be safe to visit sites simultaneously
Should be safe to delegate content
![Page 16: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/16.jpg)
Browser isolation
Browser is running untrusted inputs (attacker webpage)
Like all big, complex software, browser has securityvulnerabilities
Browsers include “Rich Internet Applications” (RIAs) that increase attack surface:
e.g., Adobe Flash
Malicious website exploits browser, from there system
![Page 17: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/17.jpg)
Web pages are not single-origin
lFrames: <iframe src=“//site.com/frame.html” > </iframe>
Scripts: <script src=“//site.com/script.js” > </script>
CSS:
<link rel="stylesheet" type="text /css” href=“//site/com/theme.css" />
Objects (flash): [using swfobject.js script ]
<script>
var so = new SWFObject(‘//site.com/flash.swf', …); so.addParam(‘allowscriptaccess', ‘always'); so.write('flashdiv’);
</script>
![Page 18: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/18.jpg)
multi-origin pages• iframes: <iframe src="//site.com/frame.html"/>• scripts: <script src="//site.com/script.js"/> • CSS: <link rel="stylesheet" type="text/css”
href=“//site.com/theme.css"/>• Images• Videos• Content delivery network (CDN)• Authentication (OAUTH, others)• Payment• Social sharing buttons• Tracking beacons• Analytics• Ads• Ads• Ads• Even more ads
![Page 19: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/19.jpg)
Isolation challenges
• What are the subjects?• To what things do we grant access?
• What are the objects?• What are we controlling protection over?• What are the operations we control?
• What are the policies?• What do we want to allow / disallow?
![Page 20: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/20.jpg)
Browser handles multiple sites, must maintain separate
security contexts for each
Operating system
• Primitives
• System calls
• Processes
• Disks
• Principals: Users
• Discretionary access controls
• Vulnerabilities
• Buffer overflows
• root exploit
• …
Browsers
• Primitives
• Document object model
• Frames
• Cookies / local storage
• Principals: Origins
• Mandatory access controls
• Vulnerabilities
• Cross-site scripting (XSS)
• Cross-site request forgery (CSRF)
• Cache history attacks
• …
![Page 21: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/21.jpg)
javascript contextsJavaScript context 1
JavaScript context 2
JavaScript context 3
[slide credit: V. Shmatikov, CS380]
![Page 22: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/22.jpg)
Policy for scripts
• Scripts want to access resources– Contact web servers– Access cookies– Read/write DOM
• How do we know if this is allowed?–When requests are to the same company?–When requests are to the same web site?–When requests are to the same web page?
![Page 23: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/23.jpg)
DOM access control
JavaScript Context
DOM Reference Monitor
Access?
Object
Object reference
Is this context allowed to access object?
[slide credit: V. Shmatikov, CS380]
JavaScript ContextObject ref
![Page 24: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/24.jpg)
Same-origin policy for scripts
• Each frame of page(s) has an origin– protocol://host:port– Origin is (protocol,host,port)
• Script in a frame can access its own origin– Network access, Read/write DOM, storage
(cookies)– Content from other frames from same origin
• Frame cannot access data associated with another origin
![Page 25: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/25.jpg)
Frame relationships
26
Child
Sibling
Descendant
Ancestor(frame bust)
![Page 26: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/26.jpg)
frame policies
canScript(A,B)– Can frame A execute a script that manipulates
arbitrary DOM elements in frame B?
canNavigate(A,B)– Can frame A change the origin of content for
frame B?– frameB.src = "http://newurl.com/page5.html"
![Page 27: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/27.jpg)
Frame policies
• Permissive– any frame can navigate any other frame
• Child– only can navigate if you are parent
• Descendent– only can navigate if you are ancestor
Which do you think should be used?
![Page 28: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/28.jpg)
Problems with permissive
awgloginwindow.open("https://attacker.com/", "awglogin");
frames['right'].window.location=“evil.com/login.html”;
![Page 29: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/29.jpg)
General Approach
• A frame can navigate another frame that it owns the pixels for– If you delegate some pixels in your frame to
another frame, you can make that other frame navigate places
• Why?– You could draw anything you want in those pixels
anyway
![Page 30: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/30.jpg)
Cookies: Setting/Deleting
scope
• Delete cookie by setting �expires� to date in past
• Default scope is domain and path of setting URL
• Client can also set cookies (Javascript)
GET …
HTTP Header:
Set-cookie: NAME=VALUE ;
domain = (when to send) ;
path = (when to send)
secure = (only send over SSL);
expires = (when expires) ;
HttpOnly
if expires=NULL:this session only
![Page 31: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/31.jpg)
Cookie scope rules(domain and path)
• Say we are at www.wisc.edu– Any non-TLD suffix can be scope:• allowed: www.wisc.edu or wisc.edu• disallowed: www2.wisc.edu or ucsd.edu
• Path can be set to anything
![Page 32: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/32.jpg)
Cookies: reading by server
• Browser sends all cookies such that• domain scope is suffix of url-domain• path is prefix of url-path• protocol is HTTPS if cookie marked “secure”
GET /url-domain/url-pathCookie: name=value
![Page 33: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/33.jpg)
Cookie security issues?• Cookies have no integrity– HTTPS cookies can be overwritten by HTTP cookie
(network injection)– Malicious clients can modify cookies
• Shopping cart vulnerabilities
• Scoping rules can be abused– blog.example.com can read/set cookies for example.com
• Privacy– Cookies can be used to track you around the Internet
• HTTP cookies sent in clear– Session hijacking
![Page 34: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/34.jpg)
authentication cookies
Browser
website.com
HTTP/1.1 200 OKSet-Cookie:auth=981mndg897asdfd
db.users.insert({username:"user",auth-cookie:981mnd89...,login:true,
})
POST /login.html HTTP/1.1username=user&passwd=pass
GET /index.html HTTP/1.1Cookie: auth=981mndg897asdfd
![Page 35: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/35.jpg)
Session handling and loginGET /index.html
Set-Cookie: AnonSessID=134fds1431
POST /login.html?name=bob&pw=12345
Set-Cookie: SessID=83431Adf
Protocolis HTTPS.Elsewherejust HTTP
Cookie: AnonSessID=134fds1431
GET /account.htmlCookie: SessID=83431Adf
![Page 36: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/36.jpg)
Cookie example
![Page 37: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/37.jpg)
Session Hijacking
From http://codebutler.com/firesheep
Eavesdrop on network
Listen forunencryptedsessioncookies
Makerequests withother’scookies
![Page 38: Web Security CS642: Computer Securitypages.cs.wisc.edu/~swift/classes/cs642-sp19/wiki/uploads/Main/Lec… · CS642: Computer Security University of Wisconsin CS 642 Web Security Liberal](https://reader030.vdocument.in/reader030/viewer/2022041011/5ebc42b3225d864327167137/html5/thumbnails/38.jpg)
Towards preventing hijacking• Use encryption when setting session cookies• SessID = Enc(K,info) where :– K is server-side secret key– Enc is Encrypt-then-MAC encryption scheme– info contains:
• user id• expiration time• other data
• Server should record if user logs out• Does this prevent Firesheep hijacking?– No– include in data machine-specific information– turn on HTTPS always