DistriNet Large-scale evaluation of remote JavaScript inclusions You are what you include: Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven.

Slides:

Advertisements

Similar presentations

Advertisements

Nick Feamster CS 6262 Spring 2009

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Cross-site Request Forgery (CSRF) Attacks

Enabling Secure Internet Access with ISA Server

PowerPoint presentation of first 25 pages of instructional manual Edith Fabiyi Essentials of Internet Access.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

CS 22: Enhanced Web Site Design - Week 8Slide 1 of 15 Enhanced Web Site Design Stanford University Continuing Studies CS 22 Mark Branom

Section 10.1 Identify how Web sites are structured Explain the role of URLs Describe the function of HTTP Section 10.2 Explain how the Web has affected.

Chapter 17: WEB COMPONENTS

How the Internet Works Course Objectives Introduce the various web browsers Introduce some new terms Explain the basic Internet to PC hookup  ISP  Wired.

1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

Web Defacement Anh Nguyen May 6 th, Organization Introduction How Hackers Deface Web Pages Solutions to Web Defacement Conclusions 2.

Content  Overview of Computer Networks (Wireless and Wired)  IP Address, MAC Address and Workgroups  LAN Setup and Creating Workgroup  Concept on.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Web Servers How do our requests for resources on the Internet get handled? Can they be located anywhere? Global?

IIS Configuration © N. Ganesan, Ph.D.. Renaming the Default Web.

Introduction 2: Internet, Intranet, and Extranet J394 – Perancangan Situs Web Program Sudi Manajemen Universitas Bina Nusantara.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Internet Basics.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Test Review. What is the main advantage to using shadow copies?

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

IT 210 The Internet & World Wide Web introduction.

 Internet vs WWW  Pages vs Sites  How the Internet Works  Getting a Web Presence.

Principles of Computer Security: CompTIA Security + ® and Beyond, Third Edition © 2012 Principles of Computer Security: CompTIA Security+ ® and Beyond,

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Session 10 Windows Platform Eng. Dina Alkhoudari.

1-Vulnerabilities 2-Hackers 3-Categories of attacks 4-What a malicious hacker do? 5-Security mechanisms 6-HTTP Web Servers 7-Web applications attacks.

JavaScript, Fourth Edition

5 Chapter Five Web Servers. 5 Chapter Objectives Learn about the Microsoft Personal Web Server Software Learn how to improve Web site performance Learn.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

 2001 Prentice Hall, Inc. All rights reserved. 1 Chapter 21 - Web Servers (IIS, PWS and Apache) Outline 21.1 Introduction 21.2 HTTP Request Types 21.3.

Chapter 1: The Internet and the WWW CIS 275—Web Application Development for Business I.

 Two types of malware propagating through social networks, Cross Site Scripting (XSS) and Koobface worm.  How these two types of malware are propagated.

Copyright © cs-tutorial.com. Overview Introduction Architecture Implementation Evaluation.

Cross Site Scripting and its Issues By Odion Oisamoje.

By Gianluca Stringhini, Christopher Kruegel and Giovanni Vigna Presented By Awrad Mohammed Ali 1.

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

Chapter 14: Representing Identity Dr. Wayne Summers Department of Computer Science Columbus State University

Web Browsing *TAKE NOTES*. Millions of people browse the Web every day for research, shopping, job duties and entertainment. Installing a web browser.

The Internet. Important Terms Network Network Internet Internet WWW (World Wide Web) WWW (World Wide Web) Web page Web page Web site Web site Browser.

Sessions and cookies (part 2) MIS 3501, Fall 2015 Brad N Greenwood, PhD Department of MIS Fox School of Business Temple University 11/19/2015.

Secure Transactions Chapter 17. The user's machine No control over security of user's machine –Might be in very insecure: library, school, &c. Users disable.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

Information Systems Design and Development Security Precautions Computing Science.

1 Web Technologies Website Publishing/Going Live! Copyright © Texas Education Agency, All rights reserved.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

ALL THINGS IIS TERRI DONAHUE

ArcGIS for Server Security: Advanced

Web Application Vulnerabilities

IS1500: Introduction to Web Development

World Wide Web policy.

Jon Peppler, Menlo Security Channels

What’s New in Fireware v12.1.1

What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.

Analyzing WebView Vulnerabilities in Android Applications

CSC 495/583 Topics of Software Security Intro to Web Security

Configuring Internet-related services

Nate Nelson I*LEVEL, Inc.

Web Security Advanced Network Security Peter Reiher August, 2014

Implementing Client Security on Windows 2000 and Windows XP Level 150

6. Application Software Security

Exploring DOM-Based Cross Site Attacks

Cross-Site Scripting Attack (XSS)

Cross Site Request Forgery (CSRF)

Presentation transcript:

DistriNet Large-scale evaluation of remote JavaScript inclusions You are what you include: Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna

DistriNet Introduction: my USB stick

DistriNet Introduction: browsers don’t care

DistriNet Large-scale evaluation of remote JavaScript inclusions You are what you include: Nick Nikiforakis, Luca Invernizzi, Alexandros Kapravelos, Steven Van Acker, Wouter Joosen, Christopher Kruegel, Frank Piessens, Giovanni Vigna

DistriNet Outline JavaScript in a browser … and motivation for an experiment Our experiment Our results Some unsurprising results Some weirdness Countermeasures

DistriNet JavaScript in the browser

DistriNet JavaScript in a browser: origins Origin: http, facebook.com, 80Origin: http, google-maps.com, 80

DistriNet JavaScript in a browser: inclusions Origin: http, facebook.com, 80Origin: http, google-maps.com, 80

DistriNet Motivation… 32 days…

DistriNet Our experiment

DistriNet Our experiment: questions Given that remote JS inclusions happen… … Should sites be trusting remote providers? Which third-party vendors do they currently trust? Are JS providers capable of securing their website? What is the quality of maintenance profile of each JS provider? Could a provider be attacked as a way of reaching a harder-to- get target? Are there attack vectors, in relation to remote inclusions, that we were not aware of ? How can one protect his web application? Are coarse-grained sandboxes sufficient?

DistriNet Our experiment: crawler Crawler requirements: Download webpages Log JavaScript inclusions Execute JavaScript for dynamic inclusions HTMLUnit: JS-enabled headless browser in Java Queried Bing for max 500 pages of Alexa top 10000

DistriNet Our experiment: some numbers Crawled over 3,300,000 pages belonging to the Alexa top 10,000 Discovered: 8,439,799 remote inclusions 88.45% of Alexa top 10k uses at least 1 remote JS library 301,968 unique JS files 20,225 uniquely-addressed remote hosts

DistriNet Results: unsurprisingly…

DistriNet Results: how many remote hosts?

DistriNet Results: Popular JavaScript includes

DistriNet Results: quality of maintenance? Assumption: Unmaintained websites are easier to attack QoM indicator comprised of these factors: Availability: DNS not expired, publicly-routable IP address Cookies (at least one): HttpOnly? Secure? Path & Expiration? Anti-XSS & Anti-Clickjacking headers? TLS/SSL implementation Weak ciphers Valid certificates Strict Transport Protocol Cache control when using TLS/SSL? Outdated web servers?

DistriNet Results: QoM in color!

DistriNet Results: like attracts like

DistriNet Results: weirdness!

DistriNet Results: weirdness? In about 8.5 million records of remote inclusions, is there something that we didn’t know? 4 Things! Cross-user & Cross-network Scripting Stale domain-based inclusions Stale IP-based inclusions Typo-squatting Cross-Site Scripting

DistriNet Weirdness: Cross-user Scripting records were found 131 specified a port (localhost:12345), always greater than 1024 Attack: Setup a web-server, listen to high ports, hack other users

DistriNet Weirdness: Cross-network Scripting 68 of them Same as before, but now you just need to be in the same local network Who is doing that? akamai.com virginmobileusa.com gc.ca (Government of Canada)

DistriNet Weirdness: Stale IP-based remote inclusions What if the IP address of the host which you trust for JavaScript, changes? The including page’s scripts must also change Do they? Manual analysis of the 299 pages 39 addresses had: a)Not changed b)no longer provided JavaScript a)In 89.74%, we got a “Connection Timeout”

DistriNet Weirdness: Stale domain-based inclusions What happens when you trust a remote site and the domain of that site expires? Anyone can register it, and start serving malicious JS Equal in power to the, almost extinct, stored XSS Try proving in court that someone hacked you with that 56 domains found, used in 47 sites 6 were identified as special cases (TXSS) Scared yet?

DistriNet Weirdness: Typo-squatting XSS (TXSS) Unfortunately… developers are humans Typo-squatting registering domains that are mistypes of popular domains Serve ads, phishing, drive-by downloads etc. to users that mistype the domain

DistriNet Weirdness: TXSS examples found… Googlesyndicatio.com (15 days) Unique visitors163,188 Including domains1185 Including pages21,830

DistriNet Countermeasures

DistriNet Countermeasures Problems with remote inclusions Never the visitor’s fault A developer can mess up Cross-user, cross-network and TXSS The remote host can mess up Low security, expiration of domain names How to protect one’s self? i.Sandbox remote scripts ii.Download them locally

DistriNet Countermeasures: sandboxing Is it feasible? What are the current requirements of legitimate scripts? Study the top 100 Automatically study each script JavaScript wrappers + stack trace Find out what sensitive resources they access Cookies, Storage, Geolocation, Eval, document.write Is containment possible?

DistriNet … sandboxing: Access to resources Coarse-grained sandboxing is useless here, legitimate scripts and attackers act the same way 

DistriNet Countermeasures: local copies Study the frequency of script modifications Discover overhead for administrator Top 1,000 most-included scripts (803) Download every script three consecutive times and remove the ones that changed all three times Study the rest for a week 10.21% were modified 6.97% were modified once 1.86% were modified twice 1.83% were modified three or more 89.79% was never modified! 96.76% at most once

DistriNet Conclusions

DistriNet Conclusions Remote inclusions mean, almost unconditional, trust Think twice before including something from a remote host Do NOT: Include from or private networks Include from IP addresses Include from stale domains Include from typodomains Include from questionable JS providers Do: Make local copies Sandbox 3 rd party JS if it is feasible Have hope: sleep sound tonight

DistriNet Questions? Thank you!