Ben Livshits and Úlfar Erlingsson Microsoft Research.

Slides:

Advertisements

Similar presentations

MFA for Business Banking – Security Questions with Reset Multifactor Authentication: Quick Tip Sheets Note to Financial Institutions: We are providing.

Advertisements

Nick Feamster CS 6262 Spring 2009

SecuBat: An Automated Web Vulnerability Detection Framework

7 Copyright © 2005, Oracle. All rights reserved. Maintaining State in J2EE Applications.

6 Copyright © 2005, Oracle. All rights reserved. Using Advanced Techniques in Servlets.

List and Search Grants Chapter 2. List and Search Grants 2-2 Objectives Understand the option My Grants List Grant Screen Viewing a Grant Understand the.

SUBTRACTING INTEGERS 1. CHANGE THE SUBTRACTION SIGN TO ADDITION

MULT. INTEGERS 1. IF THE SIGNS ARE THE SAME THE ANSWER IS POSITIVE 2. IF THE SIGNS ARE DIFFERENT THE ANSWER IS NEGATIVE.

Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-site Request Forgery (CSRF) Attacks

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Overview Environment for Internet database connectivity

Shauvik Roy Choudhary, Alex Orso Georgia Institute of Tech nology.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

Fawaz Ghali AJAX: Web Programming's Toy.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Addition 1’s to 20.

JavaScript and AJAX Jonathan Foss University of Warwick

Test B, 100 Subtraction Facts

Xiao Zhang and Wenliang Du Dept. of Electrical Engineering & Computer Science Syracuse University.

Chapter 13 – Introduction to Classes

WaveMaker Visual AJAX Studio 4.0 Training

Presenter: James Huang Date: Sept. 29,  HTTP and WWW  Bottle Web Framework  Request Routing  Sending Static Files  Handling HTML  HTTP Errors.

CIS 4004: Web Based Information Technology Spring 2013

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

Presented by Vaibhav Rastogi.  Advent of Web 2.0 and Mashups  Inclusion of untrusted third party content a necessity  Need to restrict the functionality.

Ben Livshits and Weidong Cui Microsoft Research Redmond, WA.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Preventing Web Application Injections with Complementary Character Coding Raymond Mui Phyllis Frankl Polytechnic Institute of NYU Presented at ESORICS.

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/

Introduction To Web Application Security in PHP. Security is Big And Often Difficult PHP doesn’t make it any easier.

Web Applications Testing By Jamie Rougvie Supported by.

Building Secure Web Applications With ASP.Net MVC.

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

Crash Course in Web Hacking

Vaibhav Rastogi and Yi Yang.  SOP is outdated  Netscape introduced this policy when most content on the Internet was static  Differences amongst different.

Implementing and Using the SIRWEB Interface Setup of the CGI script and web procfile Connecting to your database using HTML Retrieving data using the CGI.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

Spectator: Detection and Containment of JavaScriptWorms

Towards Client Side HTML Security Policies Joel Weinberger, Adam Barth, Dawn Song.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Javascript worms By Benjamin Mossé SecPro

Building Secure ColdFusion Applications

An Introduction to Web Application Security

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Security in Django.

Riding Someone Else’s Wave with CSRF

CSC 495/583 Topics of Software Security Intro to Web Security

…and web frameworks in general

WWW安全國立暨南國際大學資訊管理學系陳彥錚.

Exploring DOM-Based Cross Site Attacks

Cross-Site Scripting Attack (XSS)

Presentation transcript:

Ben Livshits and Úlfar Erlingsson Microsoft Research

Web application vulnerabilities more widespread than ever The usual suspects from Web 1.0 SQL injection Cross site scripting (XSS) Cross-site request forgery (CSRF) etc. Ajax adds new capabilities, which can be exploited JavaScript worms [Samy worm 05, Yahoo worm 06, etc.] Prototype hijacking [Chess et. al., 2007] 2

String username = req.getParameter(username); ServletResponseStream out = resp.getOutputStream(); out.println(" Hello, " + username + ". "); String username = req.getParameter(username); ServletResponseStream out = resp.getOutputStream(); out.println(" Hello, " + username + ". "); location = + escape(document.cookie) location = + escape(document.cookie) 3 Most vulnerabilities are coding bugs Making a mistake is very easy: default is often unsafe Getting things right requires non-trivial effort Can you blame the developer for getting it wrong?

Must deal with problem complexity Filter input to remove,, etc. To see how complex this is, check out XSS Cheat Sheet for filter evasion: Need to find all ways that malicious input can propagate through the application 4

Secure code should be easier to write It should be the default, not an exception Developer has to go out of her way to get it wrong How to get there? Most applications rely on frameworks Exploit frameworks to achieve better security Applications built on top of frameworks get better security properties by construction for free 5

Per-widget safe defaults Per-widget safe defaults Per-widget safe defaults Per-widget safe defaults Client-side enforcement Framework libraries Application code Web application 6 Sounds great… but how? BEEP [Jim et.al., WWW07] JavaScript rewriting [Yu et.al., POPL07] METS [Erlingsson et.al., HotOS07] MashupOS [Howell et.al., HotOS07] Extending same-origin policy [Livshits et.al., PLAS07] Sounds great… but how? BEEP [Jim et.al., WWW07] JavaScript rewriting [Yu et.al., POPL07] METS [Erlingsson et.al., HotOS07] MashupOS [Howell et.al., HotOS07] Extending same-origin policy [Livshits et.al., PLAS07]

GUI widgets: units of screen real estate Explore following options for safe defaults: 1. Disallow JavaScript within a widget: no code, only data 2. Isolate content and JavaScript within a widget by default 3. Isolate content and JavaScript belonging to a set of widgets within a page by default 7

8

Dont want to allow JavaScript here (this is how Samy and other woms propagate) Dont want to allow JavaScript here (this is how Samy and other woms propagate) 9

Dont want to allow JavaScript, either (this is how Yahoo! worm came about) Dont want to allow JavaScript, either (this is how Yahoo! worm came about) 10

<div id="contentPane" dojoType="ContentPane" sizeMin="20" sizeShare="80" href="Mail/MailAccount.html protection=noscript> <div id="contentPane" dojoType="ContentPane" sizeMin="20" sizeShare="80" href="Mail/MailAccount.html protection=noscript> Type of widget HTML contents Desired type of protection 11 > How to implement this? Modify the browser [BEEP]

12

orchid 13

feed injection steal data from secure feed steal data from secure feed 14

<div id="contentPane" dojoType="ContentPane" sizeMin="20" sizeShare="80" protection=isolation> Hurricane outlook is ominous... <div id="contentPane" dojoType="ContentPane" sizeMin="20" sizeShare="80" protection=isolation> Hurricane outlook is ominous... Type of widget HTML contents Desired type of protection 15 > How to implement? Modify same-origin policy implementation

16

Context menu is a different widget declared separately from the tree Isolation goals to accomplish: 1. To Copy Inbox, context menu has to have access to the tree 2. Inbox messages are not given tree access 17

18 1 listenTree : function(tree) { 2 var nodes = tree.getDescendants(); 3 for (var i = 0; i < nodes.length; i++) { 4 if (!nodes[i].isTreeNode) { 5 continue; 6 } 7 this.bindDomNode(nodes[i].labelNode); 8 } this.listenedTrees.push(tree); this.setAttribute(principal, tree.getAttribute(principal )); 13 } 1 listenTree : function(tree) { 2 var nodes = tree.getDescendants(); 3 for (var i = 0; i < nodes.length; i++) { 4 if (!nodes[i].isTreeNode) { 5 continue; 6 } 7 this.bindDomNode(nodes[i].labelNode); 8 } this.listenedTrees.push(tree); this.setAttribute(principal, tree.getAttribute(principal )); 13 } Must explicitly allow context menu to access the tree Need to explicitly encode access control: set is as a property on object Change framework functions to maintain it and check before allowing access Connect context menu and tree Give context menu the ability to access the underlying tree

Modern Ajax-based Web 2.0 applications often require fine-grained security guarantees New breed of client-side enforcement technologies require that somebody specify what to enforce Frameworks provide a great opportunity to inject safe programming defaults for free 19