Web Security Presentation Transcript
1.Web Security
2.Vulnerability Stats: web is “winning”
3.Web security: two sides
Web browser (this and next lecture)
Can be attacked by any web site it visits
Attacks result in:
Malware installation (keyloggers, botnets)
Document theft from corporate network
Loss of private data
Web application code: (next Thursday)
Runs at web site, e.g. banks, e-merchants, blogs
Written in PHP, ASP, JSP, Ruby, …
Many potential bugs: XSS, XSRF (CSRF), SQL injection
Attacks lead to stolen CC#, defaced sites, mayhem
4.Web Threat Models
Web attacker
Control attacker.com
Can obtain SSL/TLS certificate for attacker.com ($0)
User visits attacker.com
Network attacker
Passive: Wireless eavesdropper
Active: Evil router, DNS poisoning
Malware attacker
Attacker escapes browser sandbox
5.Malware attacker
Browsers (like any software) contain exploitable bugs
Often enable remote code execution by web sites
Google study: [the ghost in the browser 2007]
Found Trojans on 300,000 web pages (URLs)
Found adware on 18,000 web pages (URLs)
NOT OUR FOCUS THIS WEEK
Today: even if browsers were bug-free, still lots of vulnerabilities on the web
6.Address Bar
7.URLs
8.Mixed content and network attacks
9.Lock Icon 2.0
10.Picture-in-picture attacks
11.Finally: the status Bar
12.iGoogle
13.Windows Live.com
14.Cookies
15.Cookie authentication
16.Weak authenticators: security risk
17.Cookie Security Policy
Uses:
User authentication
Personalization
User tracking: e.g. Doubleclick (3rd party cookies)
Browser will store:
At most 20 cookies/site, 3 KB / cookie (limits of older browsers; current browsers allow more cookies per site and at least 4 KB per cookie)
Cookie scope is the pair <domain, path>, not the same-origin tuple <scheme, host, port>: cookies are not isolated by port, and not by scheme unless the Secure flag is set
A site can set cookies valid across a domain suffix: login.site.com can set Domain=site.com, and the cookie is then sent to every host under site.com, including any subdomain an attacker controls
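The scoping rules above, as an added example that is not part of the lecture slides: a small model of how a browser stores and selects cookies, following the RFC 6265 domain-match and path-match rules, so you can see which stored cookies are attached to a given request. The hostnames (login.site.com, evil.site.com, other.com), the Set-Cookie headers and the cookie jar are constructed for illustration; the model omits public-suffix checks, cookie limits and expiry.

```javascript
// Added example (not from the lecture): model of browser cookie scoping per
// RFC 6265 domain-matching and path-matching. All hostnames, headers and the
// jar below are constructed for illustration.

// RFC 6265 5.1.3: `host` domain-matches `cookieDomain` when the two are equal
// or `cookieDomain` is a dot-delimited suffix of `host`.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// RFC 6265 5.1.4: the request path matches when it equals the cookie path, or
// the cookie path is a prefix that ends in "/" or is followed by "/" in the
// request path ("/account" matches "/account/settings" but not "/accounts").
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Default-path of a cookie set without a Path attribute: the setting URL's
// path up to (not including) its last "/", or "/" when there is only one.
function defaultPath(pathname) {
  const i = pathname.lastIndexOf("/");
  return !pathname.startsWith("/") || i === 0 ? "/" : pathname.slice(0, i);
}

// Parse one Set-Cookie header value as a browser would when received from
// `settingUrl`. Returns null when the browser would reject the cookie.
function parseSetCookie(header, settingUrl) {
  const url = new URL(settingUrl);
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq), value: pair.slice(eq + 1),
    domain: url.hostname, hostOnly: true,        // no Domain attribute: host-only
    path: defaultPath(url.pathname), secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();
        // A site may widen scope to a suffix of its own host (login.site.com
        // -> site.com) but not to an unrelated domain. Real browsers also
        // refuse public suffixes such as "com"; this model does not check that.
        if (!domainMatches(url.hostname, d)) return null;
        cookie.domain = d; cookie.hostOnly = false; break;
      }
      case "path": if (v.startsWith("/")) cookie.path = v; break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Store a cookie, replacing any existing one with the same (name, domain,
// path): this is why a sibling subdomain can overwrite a parent-domain cookie.
function storeCookie(jar, header, settingUrl) {
  const c = parseSetCookie(header, settingUrl);
  if (!c) return false;
  const i = jar.findIndex((o) => o.name === c.name && o.domain === c.domain && o.path === c.path);
  if (i >= 0) jar[i] = c; else jar.push(c);
  return true;
}

// Names of the cookies the browser would attach to a request for `requestUrl`.
// Note what is NOT part of the decision: the port, and the scheme unless the
// cookie carries Secure. With fromScript=true, HttpOnly cookies are hidden,
// as they are from document.cookie.
function cookiesFor(jar, requestUrl, fromScript = false) {
  const url = new URL(requestUrl);
  return jar
    .filter((c) => (c.hostOnly ? url.hostname === c.domain : domainMatches(url.hostname, c.domain)))
    .filter((c) => pathMatches(url.pathname, c.path))
    .filter((c) => !c.secure || url.protocol === "https:")
    .filter((c) => !(fromScript && c.httpOnly))
    .map((c) => c.name);
}

// Constructed scenario: login.site.com sets a domain-wide session cookie and a
// host-only preference cookie; a third header tries to claim an unrelated
// domain and is rejected.
function buildDemoJar() {
  const jar = [];
  storeCookie(jar, "sid=abc; Domain=site.com; Path=/; Secure; HttpOnly", "https://login.site.com/login");
  storeCookie(jar, "pref=dark", "https://login.site.com/account/settings");
  storeCookie(jar, "x=1; Domain=other.com", "https://login.site.com/login");
  return jar;
}

const demoJar = buildDemoJar();
for (const u of ["https://www.site.com/", "https://evil.site.com/x", "http://www.site.com/",
                 "https://www.site.com:8443/", "https://login.site.com/account/settings",
                 "https://login.site.com/accounts"]) {
  console.log(u, "->", cookiesFor(demoJar, u));
}
```

The two lines to notice in the output are `https://evil.site.com/x -> [ 'sid' ]` (the parent-domain session cookie reaches any subdomain, attacker-controlled or not) and `https://www.site.com:8443/ -> [ 'sid' ]` (a different port on the same host still gets the cookie), while `http://www.site.com/` gets nothing only because the cookie was marked Secure.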
19.Secure Cookies
20.httpOnly Cookies
21.Storing data on browser?
22.Frames
23.Frame Busting
24.Correct Frame Busting