Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Published byKelley McCoy Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."— Presentation transcript:

1 Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

2 Lecture 16 Page 2 CS 236 Online Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow around web applications An obvious target for attackers

3 Lecture 16 Page 3 CS 236 Online The Web Security Problem Many users interact with many servers Most parties have little other relationship Increasingly complex things are moved via the web No central authority Many developers with little security experience Many critical elements originally designed with no thought to security Sort of a microcosm of the overall security problem

4 Lecture 16 Page 4 CS 236 Online Aspects of the Web Problem

5 Lecture 16 Page 5 CS 236 Online Who Are We Protecting? The server From the client The client From the server The clients From each other A client’s interaction with one server From his interaction with another server Everyone From the network

6 Lecture 16 Page 6 CS 236 Online What Are We Protecting? The client’s private data The server’s private data The integrity (sometimes also secrecy) of their transactions The client and server’s machines Possibly server availability –For particular clients?

7 Lecture 16 Page 7 CS 236 Online Some Real Threats Buffer overflows and other compromises –Client attacks server SQL injection –Client attacks server Malicious downloaded code –Server attacks client

8 Lecture 16 Page 8 CS 236 Online More Threats Cross-site scripting –Clients attack each other Threats based on non-transactional nature of communication –Client attacks server Denial of service attacks –Threats on server availability (usually)

9 Lecture 16 Page 9 CS 236 Online Yet More Threats Browser security –Protecting interactions from one site from those with another –One server attacks client’s interactions with another Data transport issues –The network attacks everyone else Certificates and trust issues –Varied, but mostly server attacks client

10 Lecture 16 Page 10 CS 236 Online Compromise Threats Much the same as for any other network application Web server might have buffer overflow –Or other remotely usable flaw Not different in character from any other application’s problem –And similar solutions

11 Lecture 16 Page 11 CS 236 Online What Makes It Worse Web servers are complex They often also run supporting code –Which is often user-visible Large, complex code base is likely to contain such flaws Nature of application demands allowing remote use

12 Lecture 16 Page 12 CS 236 Online Solution Approaches Patching Use good code base Minimize code that the server executes Maybe restrict server access –When that makes sense Lots of testing and evaluation –Many tools for web server evaluation

13 Lecture 16 Page 13 CS 236 Online Compromising the Browser Essentially, the browser is an operating system –You can do almost anything through a browser –It shares resources among different “processes” But it does not have most OS security features While having some of the more dangerous OS functionality –Like arbitrary extensibility –And supporting multiple simultaneous mutually untrusting processes

14 Lecture 16 Page 14 CS 236 Online But My Browser Must Be OK... After all, I see the little lock icon at the bottom of the page Doesn’t that mean I’m safe? Alas, no What does that icon mean, and what is the security implication?

15 Lecture 16 Page 15 CS 236 Online The Lock Icon This icon is displayed by your browser when a digital certificate checks out A web site provided a certificate attesting to its identity The certificate was properly signed by someone your browser trusts That’s all it means

16 Lecture 16 Page 16 CS 236 Online What Are the Implications? All you know is that the web site is who it claims to be –Which might not be who you think it is –Maybe it’s amozon.com, not amazon.com –Would you notice the difference? Only to the extent that a trusted signer hasn’t been careless or compromised –Some have been, in the past

17 Lecture 16 Page 17 CS 236 Online Another Browser Security Issue What if you’re accessing your bank account in one browser tab And a site showing silly videos of cats in another? What if one of those videos contains an attack script? Can the evil cat script steal your bank account number?

18 Lecture 16 Page 18 CS 236 Online Same Origin Policy Meant to foil such attacks Built into many web scripting languages Basically, pages from a single origin can access each other’s stuff Pages from a different origin cannot Particularly relevant to cookies

19 Lecture 16 Page 19 CS 236 Online Web Cookies Essentially, data a web site asks your browser to store Sent back to that web site when you ask for another service from it Used to set up sessions and maintain state (e.g., authentication status) Lots of great information about your interactions with sites in the cookies

20 Lecture 16 Page 20 CS 236 Online Same Origin Policy and Cookies Script from one domain cannot get the cookies from another domain –Prevents the evil cat video from sending authenticated request to empty your bank account Domain defined by DNS domain name, application protocol –Sometimes also port

Download ppt "Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.

Topic 8: Secure communication in mobile devices. Choice of secure communication protocols, leveraging SSL for remote authentication and using HTTPS for.
Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.

Lecture 9 Page 1 CS 236 Online Denial of Service Attacks that prevent legitimate users from doing their work By flooding the network Or corrupting routing.
Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.

Cloud Computing Part #3 Zigmunds Buliņš, Mg. sc. ing 1.
Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.

Lecture 18 Page 1 CS 236 Online DNS Security The Domain Name Service (DNS) translates human-readable names to IP addresses –E.g., thesiger.cs.ucla.edu.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.

Privacy and Security on the Web Part 1. Agenda Questions? Stories? Questions? Stories? IRB: I will review and hopefully send tomorrow. IRB: I will review.
CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 16 Jonathan Katz.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.

Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
1 Enabling Secure Internet Access with ISA Server.

1 Enabling Secure Internet Access with ISA Server.
Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.

Lecture 7 Page 1 CS 236 Online Password Management Limit login attempts Encrypt your passwords Protecting the password file Forgotten passwords Generating.
Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Lecture 4 Page 1 CS 236 Online Prolog to Lecture 4 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.

Lecture 29 Page 1 Advanced Network Security Privacy in Networking Advanced Network Security Peter Reiher August, 2014.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may. 2010 University of Palestine.

Web Browser Security Prepared By Mohammed EL-Batta Mohammed Soubih Supervised By Eng. Eman alajrami Explain Date 10. may University of Palestine.
JavaScript, Fourth Edition

JavaScript, Fourth Edition

Similar presentations

Ads by Google