Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Advanced Network Security Peter Reiher August, 2014

Published byAdi Kurniawan Modified over 5 years ago

Similar presentations

Presentation on theme: "Web Security Advanced Network Security Peter Reiher August, 2014"— Presentation transcript:

1 Web Security Advanced Network Security Peter Reiher August, 2014

2 Outline Cross site scripting threats Cryptography in the web

3 Cross-Site Scripting XSS Many sites allow users to upload information
Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download it And run it . . .

4 The Effect of XSS Arbitrary malicious script executes on user’s machine In context of his web browser At best, runs with privileges of the site storing the script Often likely to run at full user privileges

5 Non-Persistent XSS Embed a small script in a link pointing to a legitimate web page Following the link causes part of it to be echoed back to the user’s browser Where it gets executed as a script Never permanently stored at the server

6 Persistent XSS Upload of data to a web site that stores it permanently
Generally in a database somewhere When other users request the associated web page, They get the bad script

7 Some Examples Twitter had a bug allowing XSS in 2010
Other XSS vulnerabilities discovered on sites run by eBay, Symantec, PayPal, Facebook, Amazon, Adobe, Microsoft, Google Gmail, LinkedIn, the Scientology website, thousands of others D-Link router flaw exploitable through XSS

8 Why Is XSS Common? Use of scripting languages widespread
For legitimate purposes Most users leave them enabled in their browsers Sites allowing user upload are very popular Only a question of getting user to run your script

9 Typical Effects of XSS Attack
Most commonly used to steal personal information That is available to legit web site User IDs, passwords, credit card numbers, etc. Such information often stored in cookies at client side

10 Solution Approaches Don’t allow uploading of anything
Don’t allow uploading of scripts Provide some form of protection in browser

11 Disallowing Data Uploading
Does your web site really need to allow users to upload stuff? Even if it does, must you show it to other users? If not, just don’t take any user input Problem: Not possible for many important web sites

12 Don’t Allow Script Uploading
A no-brainer for most sites Few web sites want users to upload scripts, after all So validate user input to detect and remove scripts Problem: Rich forms of data encoding make it hard to detect all scripts Good tools can make it easier

13 Protect the User’s Web Browser
Basically, the same solutions as for any form of protecting from malicious scripts With the same problems: Best solutions cripple functionality

14 Cross-Site Request Forgery
CSRF Works the other way around An authenticated and trusted user attacks a web server Usually someone posing as that user Generally to fool server into believing that the trusted user made a request

15 CSRF in Action Attacker puts link to (say) a bank on his web page
Unsuspecting user clicks on the link His authentication cookie goes with the HTTP request Since it’s for the proper domain Bank authenticates him and transfers his funds to the attacker

16 Issues for CSRF Attacks
Not always possible or easy Attacks sites that don’t check referrer header Indicating that request came from another web page Attacked site must allow use of web page to allow something useful (e.g., bank withdrawal) Must not require secrets from user Victim must click link on attacker’s web site And attacker doesn’t see responses

17 Data Transport Issues The web is inherently a network application
Thus, all issues of network security are relevant And all typical network security solutions are applicable Where do we see problems?

18 (Non-) Use of Data Encryption
Much web traffic is not encrypted Or signed As a result, it can be sniffed Allowing eavesdropping, MITM attacks, alteration of data in transit, etc. Why isn’t it encrypted?

19 Why Web Sites Don’t Use Encryption
Primarily for cost reasons Crypto costs cycles For high-volume sites, not encrypting messages lets them buy fewer servers They are making a cost/benefit analysis decision And maybe it’s right?

20 Problems With Not Using Encryption
Sensitive data can pass in the clear Passwords, credit card numbers, SSNs, etc. Attackers can get information from messages to allow injection attacks Attackers can readily profile traffic Especially on non-secured wireless networks

21 Firesheep Many wireless networks aren’t encrypted
Many web services don’t use end-to-end encryption for entire sessions Firesheep was a demo of the dangers of those in combination Simple Firefox plug-in to scan unprotected wireless nets for unencrypted cookies Allowing session hijacking attacks When run in that environment, tended to be highly successful

22 Why Does Session Hijacking Work?
Web sites try to avoid computation costs of encryption So they only encrypt login Subsequent HTTP messages “authenticated” with a cookie Anyone who has the cookie can authenticate The cookie is sent in the clear . . . So attacker can “become” legit user

23 Using Encryption on the Web
Some web sites support use of HTTPS Which permits encryption of data Based on TLS/SSL Performs authentication and two-way encryption of traffic Authentication is certificate-based HSTS (HTTP Strict Transport Security) requires browsers to use HTTPS

24 Increased Use of Web Encryption
These and other problems have led more major web sites to encrypt traffic E.g., Google announced in 2014 it would encrypt all search requests Facebook and Twitter adopted HSTS in 2014 Arguably, all web interactions should be encrypted

25 Sometimes Encryption Isn’t Enough
Especially powerful “attackers” can subvert this process Man-in-the-middle attacks by ISPs NSA compromised key management NSA also spied on supposedly private links Usually impossible for typical criminal Hard or impossible for a user to know if this is going on

26 Conclusions Web 2.0 has made web security more difficult, by allowing users to upload content Many problems result, such as cross site scripting Crypto cannot solve all of the web security problems, but it can solve many of them But only if web sites choose to use it

Download ppt "Web Security Advanced Network Security Peter Reiher August, 2014"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Similar presentations

Ads by Google