Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University.

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

Monitoring a web sites health. Web Analytics - Definition Measurement of the behavior of visitors to a website Which aspects of the website work towards.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
A Third Party Service for Providing Trust on the Internet Work done in 2001 at HP Labs by Michael VanHilst and Ski Ilnicki.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
Context-Aware Phishing Attacks and Client-Side Defenses Collin Jackson Stanford University.
Beware of Finer-Grained Origins
Web Same-Origin-Policy Lab Zutao Zhu 11/06/2009. Outline Background Setting SOP.
XP Tutorial 9 New Perspectives on JavaScript, Comprehensive1 Working with Cookies Managing Data in a Web Site Using JavaScript Cookies.
Client State Management & Application Security  Client State Management  Concept  ASP Examples  Application Security  Database Based Approach 
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Chapter 9 Introduction to the Document Object Model (DOM) JavaScript, Third Edition.
1 Subspace: Secure Cross Domain Communication for Web Mashups Collin Jackson and Helen J. Wang Mamadou H. Diallo.
Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
Examining the Effectiveness and Techniques of the Anti-Phishing Technology in Leading Web Browsers and Security Toolbars. Wesley W. Owen
Presented by…. Group 2 1. Programming language 2Introduction.
Sys Prog & Scripting - HW Univ1 Systems Programming & Scripting Lecture 15: PHP Introduction.
GONE PHISHING ECE 4112 Final Lab Project Group #19 Enid Brown & Linda Larmore.
Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.
Invasive Browser Sniffing and Countermeasures Markus Jakobsson & Sid Stamm.
Server-side Scripting Powering the webs favourite services.
Robust Defenses for Cross-Site Request Forgery CS6V Presented by Saravana M Subramanian.
JavaScript, Fourth Edition
Project Proposal Interface Design Website Coding Website Testing & Launching Website Maintenance.
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan §, Yinzhi Cao †,
CSE 154 LECTURE 12: COOKIES. Including files: include include("filename"); PHP include("header.html"); include("shared-code.php"); PHP inserts the entire.
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
Gaurav Aggarwal and Elie Bursztein, Collin Jackson, Dan Boneh, USENIX (Aug.,2010) A N A NALYSIS OF P RIVATE B ROWSING M ODES IN M ODERN B ROWSERS 1.
Chapter 8 Cookies And Security JavaScript, Third Edition.
XP New Perspectives on The Internet, Sixth Edition— Comprehensive Tutorial 1 1 Browser Basics Introduction to the Web and Web Browser Software Tutorial.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
Web Spoofing Steve Newell Mike Falcon Computer Security CIS 4360.
Robust Defenses for Cross-Site Request Forgery
Chapter 6 Server-side Programming: Java Servlets
Overview Web Session 3 Matakuliah: Web Database Tahun: 2008.
1 Robust Defenses for Cross-Site Request Forgery Adam Barth, Collin Jackson, John C. Mitchell Stanford University 15th ACM CCS.
I STILL KNOW WHAT YOU VISITED LAST SUMMER User Interaction And Side Channel Attacks On Browser History Zachary Weinberg Eric Y. Chen Pavithra Ramesh Jayaraman.
University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,
I Do Not Know What You Visited Last Summer: Protecting users from stateful third-party web tracking with TrackingFree browser Xiang Pan, Northwestern University.
11 MANAGING INTERNET EXPLORER CONNECTIONS AND SECURITY Chapter 12.
Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.
Web Design Terminology Unit 2 STEM. 1. Accessibility – a web page or site that address the users limitations or disabilities 2. Active server page (ASP)
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
Windows Vista Configuration MCTS : Internet Explorer 7.0.
Web Analytics Fundamentals Presented by Tejaswi, Chandrika, Sunil.
Some from Chapter 11.9 – “Web” 4 th edition and SY306 Web and Databases for Cyber Operations Cookies and.
Bridging the Disconnect Between Web Privacy and User Perception Mike Perry W3C Identity May 24, 2011.
Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.
Group 18: Chris Hood Brett Poche
CSE 154 Lecture 20: Cookies.
World Wide Web policy.
CISC103 Web Development Basics: Web site:
Ad-blocker circumvention System
Practical Censorship Evasion Leveraging Content Delivery Networks
Latest Updates on BlackHawk Mines Music : Privacy Policy
Client / Session Identification Cookies
What is Cookie? Cookie is small information stored in text file on user’s hard drive by web server. This information is later used by web browser to retrieve.
Unit 27 Web Server Scripting Extended Diploma in ICT
Riding Someone Else’s Wave with CSRF
Cookies Cookie :- A cookie is often used to identify a user. A cookie is often used to identify a user. A cookie is a small file that the server embeds.
Cross Site Request Forgery New Attacks and Defenses
Exploring DOM-Based Cross Site Attacks
Security and JavaScript
Cross Site Request Forgery (CSRF)
Presentation transcript:

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University

Context-aware Phishing Bank of America customers see: Wells Fargo customers see: Works in all major browsers Design issue, not a just bug

Example Attacks Query visited links: a#visited { background: url(track.php?example.com); } Hi Time browser cache: start = new Date(); <img src=" onload="end = new Date(); if (end.getTime() – start.getTime() < 5) { // image was in cache }"> Can we block script, background image?

Chameleon Pages No JavaScript required No server involvement Even works in Outlook 2002

Perspectives Phisher: Where do you bank? China: Have you been to subversive sites? Amazon: Can I show contexual ads? Phished site: Can I check history against phishing blacklist? PayPal: Can I use history as 2 nd factor? Sensitive website: Can I protect visitors? Browser vendor: Can I protect users at every site?

Only the site that stores some information in the browser may later read or modify that information. Site: protocol + port + host Too restrictive to use in practice Web relies on site interconnections Same Origin Principle (strict)

Same Origin Policy (relaxed) Only the site that stores some information in the browser may later read or modify that information, unless it is shared. What is sharing? No strict definition Relies on expectations of developer/user

Sharing Browser State Pass information in query parameters Modify document.domain User permission (IEs trusted zones, Mozillas UniversalBrowserRead) Stylesheets Scripts Image size JSONRequest (not XMLHttpRequest) <!-- google_ad_client = "pub "; google_ad_width = 110; google_ad_height = 32; google_ad_format = "110x32_as_rimg"; google_cpa_choice = "CAAQ_-KZzgEaCHfyBUS9wT0_KOP143Q"; //--> <script type="text/javascript" src= "

Inappropriate State Sharing Common developer/user expectation: browser history is secret Options? –Change expectations –Change browser Visited links Cookies JavaScript Cache CSS

SafeCache Browser extension for Firefox Intercept requests to browser cache If no referrer, allow request If URL has referrer: –Store referrer host with cache entry –Cache hit only on referrer host match

SafeHistory Intercept requests to browser history database For each history entry, record referrers Color visited link if: –Its a same-site link, or –Cross-site link was visited from this site

Site of embedded image can build history of visitors activities where image appears. IP address is no longer sufficient for tracking Solution: Block access to sites own cookies if the domain of the embedding page does not match Site accesses own state – not same origin issue Third Party Cookies

A site may only store or read some persistent information in the browser if it is the same site as the top level page. Alternate definition: referrer is same site Top level page is the primary interaction Storing or reading allows tracker to build full record of users history. Third Party Blocking Policy

If setting is allowed: –Tracker site sets different cookie at every participating site –When user visits tracker site in first party context, entire history is visible If reading is allowed: –Tracker site sets unique user identifier cookie when user visits tracker in first party context –When user visits any participating site, tracker updates history database entry on server Block on set or read?

Broken Cookie Blocking Ideal Read 3 rd -party cookies AllowBlockAllowBlock Set 3 rd -party cookies BlockAllowBlockAllowBlock

Offsite script included with Script generated dynamically and cached Unique identifier now appended to all links Third Party Cache: Example

General Third Party Blocking SafeCache: Disallow cache for offsite content SafeHistory: Show links as unvisited in cross-site frames

Protects sites from each other Many covert channels if sites cooperate –JavaScript redirection –Meta refresh –Popup windows –Cross-site hyperlinks Certain techniques are implicit cooperation –Frames, scripts, CSS can have active content Defense: Disable or clear persistent state Bypassing Third Party Blocking

Same origin policy: critical for security –Restricts cross-site state access Third party blocking: additional privacy –Restricts sites access to its own state –Incorrectly implemented in all major browsers –Most effective for images Neither technique stops cooperative sharing safecache.com safehistory.com Summary

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.