
1 CSCE 201 Web Browser Security Fall 2015

2 Web Evolution
Past: Human usage
– HTTP
– Static Web pages (HTML)
Current: Human and some automated usage
– Interactive Web pages
– Web Services (WSDL, SOAP, SAML)
– Semantic Web (RDF, OWL, RuleML, Web databases)
– XML technology (data exchange, data representation)
Future: Semantic Web Services
CSCE 201 - Farkas

3 ARE THE EXISTING SECURITY MECHANISMS SUFFICIENT TO PROVIDE DATA AND APPLICATION SECURITY OF THE NEXT GENERATION WEB?

4 Information Assurance
Topics: Inference control, Privacy, Security, Trust, Applications, Policy making, Formal models, Negotiation, Protocol analysis, Anonymity, Access control, Semantic web security, Encryption, Information hiding, Data mining, Computer epidemic, Data provenance, Fraud, Biometrics

5 Web Browser
Software with a simple role:
 Connect to a web address
 Fetch and display content from that address
 Send data from a user to that address
CSCE 522 - Farkas

6 Security Issues for Browsers
 Browsers often connect to many addresses instead of only the address shown in the address bar
 Fetching data may require accessing many locations to obtain pictures, audio or linked content
 The browser itself can be malicious or can be corrupted to have malicious functionality
 Many browsers support add-ins that add new features, but these add-ins can include malicious code

7 Security Issues for Browsers
 Data display involves many commands that control rendering, positioning, motion, layering and even invisibility
 The browser can access any data on the user’s computer, since it generally runs with the same privileges as the user
 Browsers connect users to outside networks, but few users can monitor what is transmitted
 A browser’s effect is immediate and transitory

8 Browser Attacks
There are three attack vectors:
 Target the operating system so that it obstructs the browser’s correct and secure functioning
 Target the browser or its components, add-ons or plug-ins, so that the browser’s activity is altered
 Intercept or modify communication to or from the browser

9 Internet Attacks
– Download browser code
– Privacy attack
– Web site attack during surfing
– Email

10 Download browser code
JavaScript, Java, ActiveX
[Diagram: the Web server sends an HTML document with embedded JavaScript across the Internet; the user’s computer downloads the HTML document and runs the JavaScript]

11 JavaScript
Not for standalone applications -- resides inside HTML documents
Interpreted into machine-understandable code
Can be downloaded automatically
– Cannot read, write, create, delete, or list files
– Has no networking capabilities
– Can: capture and send user information

12 Java
Complete programming language
– Standalone applications
Java applets: downloaded with HTML
Can perform processing
– May harm the computer
Defense: sandbox
Signed vs. unsigned Java applets

13 ActiveX
Rules defining how applications under the Windows OS should share information
ActiveX controls (add-ons):
– Specific ways of implementing ActiveX
– Can be activated through scripting languages or by HTML commands
Can perform functions similar to Java applets but directly access the OS
Signed vs. unsigned

14 Privacy Attacks
Cookies: let a Web site track whether a user has previously visited the site
– User-specific information, stored on the user’s computer
– First-party cookie vs. third-party cookie
– Can reveal the browsing habits of individuals
Adware: delivers unsolicited advertising content
– Pop-up windows
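The first-party vs. third-party distinction on this slide comes down to whether the host that set a cookie belongs to the same registrable domain as the page the user is viewing. The following is an added example (not part of the lecture slides) that classifies cookies observed during a page load on that basis; it assumes a tiny hard-coded public-suffix table and constructed sample cookies, where a real tool would load the Public Suffix List and read the browser's cookie jar.

```javascript
// Added example, not from the lecture slides: classify cookies observed
// during a page load as first-party or third-party.
// A cookie is first-party when the host that set it shares its registrable
// domain (eTLD+1) with the top-level page; otherwise it is third-party.
// Assumption: this tiny table stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "edu"]);

// Registrable domain of a hostname, e.g. "www.sc.edu" -> "sc.edu",
// "news.bbc.co.uk" -> "bbc.co.uk". Returns null for a bare suffix.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) {
      // one label in front of the public suffix, plus the suffix itself
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return labels.slice(-2).join("."); // unknown suffix: fall back to last two labels
}

// cookies: [{ name, setBy }] where setBy is the host that sent Set-Cookie.
function classifyCookies(topLevelHost, cookies) {
  const site = registrableDomain(topLevelHost);
  return cookies.map((c) => ({
    name: c.name,
    setBy: c.setBy,
    party: registrableDomain(c.setBy) === site ? "first-party" : "third-party",
  }));
}

// Names of the cookies a privacy review would flag as cross-site trackers.
function thirdPartyNames(topLevelHost, cookies) {
  return classifyCookies(topLevelHost, cookies)
    .filter((c) => c.party === "third-party")
    .map((c) => c.name);
}

// Constructed sample: a page on www.example.org that also loads an ad
// from an unrelated tracking host (hostnames invented for the example).
const SAMPLE_COOKIES = [
  { name: "session", setBy: "www.example.org" },
  { name: "prefs", setBy: "static.example.org" },
  { name: "uid", setBy: "ads.tracker-example.com" },
];

console.log(thirdPartyNames("www.example.org", SAMPLE_COOKIES)); // [ 'uid' ]
```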

15 Attacks while surfing
Safe surfing? Passive surfing?
Redirecting web traffic:
– Typing mistakes
– Attacker: registering “wrong” URLs
Drive-by downloads
– Use scripting to download malicious content
– Spreading at an alarming rate
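The "typing mistakes" redirection above works because a mistyped hostname lands one edit away from the site the user meant. The following is an added example (not from the lecture slides) of the defender's side: a check that warns when a hostname is a near-miss of a trusted domain, which is what a browser extension or a proxy allowlist could run before the request goes out. The trusted list is constructed for the example.

```javascript
// Added example, not from the lecture slides: flag a hostname that is a
// near-miss of a trusted domain (the pattern behind typing-mistake
// redirection). Assumption: TRUSTED_DOMAINS is a constructed allowlist;
// a deployment would use its own.
const TRUSTED_DOMAINS = ["example.com", "sc.edu", "threatpost.com"];

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0]; // D[i-1][j-1] for the current column
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = prev[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(above + 1, prev[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return prev[b.length];
}

// Drop a leading "www." so it is not counted as a typo.
function stripWww(host) {
  return host.toLowerCase().replace(/^www\./, "");
}

// Returns the trusted domain the hostname resembles, or null when the host
// is itself trusted or is not within maxDistance edits of any trusted one.
function lookalikeOf(host, trusted = TRUSTED_DOMAINS, maxDistance = 1) {
  const h = stripWww(host);
  if (trusted.includes(h)) return null;
  for (const t of trusted) {
    if (editDistance(h, t) <= maxDistance) return t;
  }
  return null;
}

console.log(lookalikeOf("threatpost.con")); // "threatpost.com"
```

Distance 1 catches a dropped, added or substituted character; adjacent-letter transpositions are distance 2 under Levenshtein, so raise maxDistance or add Damerau transpositions if those matter.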

16 Internet Defenses
Popup blocker
Browser settings, e.g., IE
Web browser:
– Configure your browser’s security and privacy settings
– Keep your browser updated
– Sign up for alerts
– Be cautious when installing plug-ins
– Install security plug-ins

17 Next Class
Application Security
M. Mimoso, XcodeGhost Malware Stirring Up More Trouble, https://threatpost.com/xcodeghost-malware-stirring-up-more-trouble/114778/
