Utkarsha Mishra, COMPSCI 725. David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings of the 23rd USENIX Security Symposium.
PASSWORD MANAGERS: ATTACKS AND DEFENSES
Presented by Utkarsha Mishra, COMPSCI 725
Paper: David Silver, Suman Jana, Eric Chen, Collin Jackson, and Dan Boneh. “Password Managers: Attacks and Defenses.” In Proceedings of the 23rd USENIX Security Symposium (2014).

SUMMARY
1. The authors begin by analyzing the autofill policies of 10 popular password managers (PMs).
2. They then present corner cases in those autofill policies that lead to attacks in which an attacker extracts a password remotely, without the user’s knowledge.
3. They provide two recommendations for strengthening the credential security of password managers: forcing user interaction and Secure Filling. I will be focusing on one of these recommendations, Secure Filling.

THREAT MODEL
[Diagram: Victim, WiFi Router, Website. The victim requests the login page; the login page content travels back through the attacker’s WiFi router, where malicious JS is injected; the password manager autofills the user credentials and the injected script sends them to the attacker.]

ATTACKS
Tampering: the attacker injects malicious JS by tampering with the network traffic (in the threat model above, from the WiFi router).
Make the victim visit a website: the target/victim is redirected to a vulnerable (modifiable in transit) webpage of the site for which the PM holds credentials.
Exfiltration of the password, once the PM has autofilled the login form:
 - Stealth: the injected JS reads the autofilled credentials from the form and sends them to the attacker.
 - Form action: the injected JS modifies the form’s action, so the browser itself submits the credentials to the attacker’s server.
Attack successful.

SECURE FILLING
The authors propose:
1. PMs store the form action present in the login form along with the username and password.
2. During autofill, the password field becomes unreadable by JavaScript. A dummy value is shown in the field, and only when the form is submitted is the dummy value replaced by the real password.
3. If the username or password field is changed while an autofill is in progress, the autofill aborts and the password field is cleared.
4. Once autofill is done and all JavaScript has run, the PM checks that the form’s action matches the domain of the action it stored; only then does it substitute the real password.

SECURE FILLING
Limitations of Secure Filling:
1. Many websites frequently update or change their form action. When the action changes, the autofill is aborted. The action check is also susceptible to self-exfiltration attacks.
2. The authors implemented the unreadable password field only in the Chrome browser. Implementing it in other browsers might be straightforward, but third-party PMs (browser extensions) would need a new browser API to do the same.
3. AJAX-based logins are incompatible with Secure Filling. The authors propose two workarounds, but both would require websites to change their login mechanism.
4. HTML doesn’t distinguish between password fields on registration pages and on login forms. Most registration pages use JS to validate entries, so JS must be able to read the password during registration.

CONCLUSION
1. Secure Filling may seem like a strong defense against autofill attacks, but implementing it might be difficult: it would require extended HTML support and would require websites to change their login systems.
2. Most password managers also autofill other information, such as name, phone number and credit card details, and stealing that can be as harmful as stealing passwords.
3. While Secure Filling does make PMs secure against the attacks described in the paper, the authors acknowledge that other threat models and attack vectors can still exfiltrate passwords or other autofilled information.

THANK YOU!

Q&A SESSION