Auditing Etsy The Security of Etsy

Auditing Etsy. Wil Koch, Nikolaj Volgushev, Sophia Yakoubov #1!

The Security of Etsy

Etsy employs good security practices. After visiting 50+ Etsy pages, we have found that Etsy:

1. Always uses HTTPS, never sending any information in the clear. No mixed content.
2. Offers two-factor authentication.
3. Offers users the option of being notified whenever a login from a new device occurs.
4. Enables users to view a history of past logins, including IP address and user agent.
5. Protects against CSRF attacks using nonces (contained in the HTML itself, not in a cookie).
6. Protects against XSS attacks by using HTTP headers.
7. Has no external ads.
8. Images in private messages are accompanied by a MAC.
9. Sanitizes most input data, such as image metadata. (However, it should be noted that the image content is not sanitized; see potential exploit (A).)
10. Blocks many throwaway email addresses, preventing some spam.

How Etsy tracks its users:

Cookies: used to store the necessary user personal information.
Clear GIFs, web beacons and web plugins: no user personal information stored.
Flash cookies and other locally stored objects: solely for fraud prevention. No user personal information stored.

Etsy privacy policy:

The Etsy privacy policy states that Etsy will not share user data with external organizations without explicitly getting the user's permission. However, it appears that an exception to this is complying with legal requirements.

Potential Vulnerabilities / Exploits

(A) Malicious Payloads

While image metadata is sanitized, image content is not. Since images are public and never deleted, this can be exploited to store malicious payloads. For instance, consider the following image (not reproduced in this transcript): it actually has a message embedded!

(B) Text Bomb

An automated script could be written to repeatedly send text messages to a given number. This could:

1. Result in potentially high expenses for the victim, who may have a pay-per-message plan.
2. Result in a denial of service attack if the messages arrive at such a frequency that the victim cannot use his phone for other tasks.

(C) Click Fraud

A user can have his merchandise advertised in response to a given search query, and must pay per click generated by that store. An automated script could be written to generate large numbers of clicks, resulting in potentially high expenses for the victim.

(D) Side Channels

The "search" field (as well as the username registration and zip code fields) issues HTTP requests for every letter typed; an analysis of the frequency of such requests can reveal the search keyword!
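As an added example (not code from the poster or from Etsy), here is how the two HMAC-based protections listed under points 5 and 8 fit together: a CSRF nonce bound to the session and rendered into the form HTML rather than kept in a cookie, and a MAC attached to a private-message image URL so the path cannot be altered or enumerated. The key, session ids, paths, field names and function names are constructed assumptions.

```python
import hmac
import hashlib
import secrets
from urllib.parse import urlencode, parse_qs, urlparse

# Constructed server-side secret; a real deployment loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)

def _mac(purpose: bytes, message: bytes) -> str:
    """HMAC-SHA256 over a purpose label plus the message, hex-encoded.
    The label keeps a CSRF token from doubling as a valid image MAC."""
    return hmac.new(SERVER_KEY, purpose + b"\x00" + message, hashlib.sha256).hexdigest()

def csrf_token(session_id: str) -> str:
    """Synchronizer token derived from the logged-in session (hypothetical scheme)."""
    return _mac(b"csrf", session_id.encode())

def render_form(session_id: str) -> str:
    """Embed the nonce in a hidden field of the page the origin served.
    A token held only in a cookie would be sent automatically by the browser on a
    cross-site request and so would prove nothing about where the form came from."""
    return ('<form method="post" action="/settings">'
            f'<input type="hidden" name="_nonce" value="{csrf_token(session_id)}">'
            '</form>')

def check_post(session_id: str, form_fields: dict) -> bool:
    """Accept a POST only if the submitted nonce matches this session's token."""
    submitted = form_fields.get("_nonce", "")
    return hmac.compare_digest(submitted, csrf_token(session_id))

def sign_image_url(path: str) -> str:
    """Append a MAC over the image path as a query parameter."""
    return f"{path}?{urlencode({'mac': _mac(b'image', path.encode())})}"

def verify_image_url(url: str) -> bool:
    """Recompute the MAC over the requested path and compare in constant time."""
    parsed = urlparse(url)
    mac = parse_qs(parsed.query).get("mac", [""])[0]
    return hmac.compare_digest(mac, _mac(b"image", parsed.path.encode()))
```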