Security and JavaScript

Security and JavaScript

Learning Objectives
By the end of this lecture, you should be able to:
– Describe what is meant by JavaScript’s same-origin security policy
– Explain, using an example, how a Cross-Domain Scripting attack might work

Security and JavaScript
One of the most important considerations for the people who developed the JavaScript language was the issue of security. As a programming (okay, ‘scripting’) language, there is quite a bit of power available to the skilled developer. For this reason, the standards group charged with creating JS standards required that the language adhere to certain security parameters. Arguably, the two most important security considerations in web scripting involve files and browser windows.
Files: JavaScript does not allow the programmer to open up files on a user’s computer unless given explicit permission to do so.
Windows: Another important standard is that JavaScript does not allow one browser window to access a different window. Also note that each tab in a browser is considered to be a different window. This will be discussed further when we touch on the “Same-Origin” security policy next.

JavaScript’s “Same-Origin” Security policy
Imagine that you have Amazon.com open in one tab, and are about to finalize the purchase of an expensive piece of stereo equipment. Before confirming your purchase, you open a new tab where a quick Google search shows a site you've never heard of offering a 1-hour flash sale on the same item. Turns out, though, that the "sale" page is, in fact, a malicious site that has script embedded in it. The programmer of that site uses scripting code to access your Amazon.com window. The programmer allows the Amazon window to go ahead and finalize your purchase. However, the site also changes the shipping address to a location in Slovenia. For good measure, they tack on a few additional items, and, as an afterthought, a new boat.
This scenario might indeed be possible for the clever programmer were it not for JavaScript’s “same origin” security policy. This policy ensures that JavaScript disallows communication between windows that have different domains, protocols or ports. Therefore, since the Amazon window is on the domain ‘amazon.com’ and the malicious site is ‘badstuffhere.si’, scripts originating in the latter would be unable to access the Amazon window.

“Same-Origin” Security policy
Ensures that there is no communication via script between pages that have different domains, protocols or ports. Protects against snooping from one domain on another domain. Even within pages residing in the same domain there are limitations. For example, if your domain is http://www.somecompany.com, then any JavaScript running on your page would not be allowed to communicate with any of the following:
http://othercompany.com – Different domain altogether
https://www.somecompany.com – Different protocol (https)
http://www.somecompany.com:8080 – Different port (default is 80)
http://other.somecompany.com – Different host
There are techniques for allowing pages within the same domain to communicate with each other, provided that the server is configured to allow it.
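The comparison the slide describes, written out as code. This is an added example, not part of the lecture: it reduces two URLs to the (protocol, host, port) triple the same-origin policy compares, treating an explicit default port (http on 80, https on 443) as equal to an omitted one, and reports which component differs. It uses the WHATWG URL class that is built into browsers and Node.js; the sample URLs are the slide's own.

```javascript
// Added example (not from the lecture): same-origin comparison of two URLs.
// Two URLs share an origin when protocol, host and port are all identical.

// Port implied when a URL omits it. Only the two web schemes matter here.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple. URL.port is "" for an omitted or
// default port, so http://host and http://host:80 normalise identically.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,                                   // e.g. "https:"
    host: u.hostname,                                       // e.g. "www.somecompany.com"
    port: u.port || DEFAULT_PORTS[u.protocol] || "",        // e.g. "443"
  };
}

// Would script on page `a` be allowed to touch the window showing `b`?
function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Name the components that differ, mirroring the slide's table.
// An https URL differs from an http one in both protocol and default port.
function whyDifferent(a, b) {
  const x = originOf(a), y = originOf(b);
  const reasons = [];
  if (x.protocol !== y.protocol) reasons.push("protocol");
  if (x.host !== y.host) reasons.push("host");
  if (x.port !== y.port) reasons.push("port");
  return reasons;
}

// The slide's examples, checked against http://www.somecompany.com.
const PAGE = "http://www.somecompany.com";
for (const other of [
  "http://othercompany.com",
  "https://www.somecompany.com",
  "http://www.somecompany.com:8080",
  "http://other.somecompany.com",
  "http://www.somecompany.com:80/orders.html", // same origin: explicit default port
]) {
  console.log(other, isSameOrigin(PAGE, other) ? "same origin" : "blocked: " + whyDifferent(PAGE, other).join(", "));
}
```

Path and query string play no part in the decision, which is why the last URL in the loop is reported as the same origin despite naming a different page.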

Cross-Domain Communication
The JavaScript standard does allow for some communication to span domains. For example, the <img> tag is allowed to access certain resources from other domains. This is why a student on a server in the ‘depaul.edu’ domain can have an image tag that looks like this:
<img src="http://www.someStrangeSite.com/images/firetruck.jpg">

Cross-Site Scripting (“XSS”) Attacks
XSS attacks are a classic JavaScript vulnerability in which malicious script is injected in such a way that it fools the victim site into believing that the script is local, and may therefore be trusted and executed. These attacks bypass the same-origin policy because browsers trust all of the code that shows up on a page as being a legitimate part of that page. So if a malicious programmer has a way of injecting code into a naïve or ‘unsanitised’ page, then real damage may occur. Cross-site scripting is a major issue that any competent JavaScript programmer will be attuned to.
Example: Suppose you have a text field asking the user for their name. Your script then outputs “Your name is ” followed by the information the user entered. Now imagine that the user entered for their “name”:
<script>alert(navigator.userAgent)</script>
"Sanitising" Input: The above example demonstrates a situation in which the user’s input is not properly “sanitised”. It is very important to take all free-text input from the user and ensure that there are no characters or symbols that should not be there. We will discuss techniques for sanitising user-input when we talk about Regular Expressions.
See: script_injection.htm
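The greeting from the slide, built both ways. This is an added example, not the lecture's script_injection.htm: renderUnsafe() splices the raw input into markup, so the slide's `<script>` input becomes part of the page, while renderSafe() first escapes the five characters that carry meaning in HTML so the same input is displayed as literal text. The function names and the containsScriptTag() check are constructed for illustration.

```javascript
// Added example (not from the lecture): output encoding as the defence
// against the reflected "Your name is ..." XSS shown on the slide.

// The characters that can change the meaning of HTML text or attribute
// values, and the entity each one is replaced with.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Escape untrusted text for insertion into an HTML text or attribute context.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the user's "name" is treated as markup, exactly as the slide describes.
function renderUnsafe(name) {
  return "<p>Your name is " + name + "</p>";
}

// Hardened: the user's "name" is encoded before it reaches the markup,
// so angle brackets arrive in the page as &lt; and &gt; and are displayed, not parsed.
function renderSafe(name) {
  return "<p>Your name is " + escapeHtml(name) + "</p>";
}

// Illustration only: does the produced markup still contain a live <script> start tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The exact input from the slide.
const SLIDE_INPUT = "<script>alert(navigator.userAgent)</script>";

console.log("unsafe:", renderUnsafe(SLIDE_INPUT));  // script tag survives
console.log("safe:  ", renderSafe(SLIDE_INPUT));    // script tag is inert text
```

In a browser the equivalent of renderSafe() is to assign the untrusted value to `element.textContent` instead of `element.innerHTML`. Escaping is context-specific: the table above is right for HTML text and quoted attribute values, but a value placed inside a URL, a `<script>` block or an event-handler attribute needs the encoding rules of that context instead.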

Content Security Policy
The W3C maintains an ongoing response to JavaScript’s security vulnerabilities. One of the most active defenses maintained by the W3C comes in the form of the ‘Content Security Policy’ or ‘CSP’. A link to the discussion and whitepaper of the CSP standard can be found here:
https://w3c.github.io/webappsec/specs/content-security-policy/
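To make the CSP idea concrete: a policy is a response header listing, per resource type, the origins a page is allowed to load from, and an inline `<script>` block such as the one injected on the previous slide is refused unless the policy explicitly permits it. The following is an added example, not text from the lecture or the W3C specification: a deliberately reduced model of how a browser evaluates the `script-src` directive. It handles `'self'`, `'none'`, `'unsafe-inline'`, scheme sources such as `https:` and host sources with an optional `*.` wildcard, and falls back to `default-src` when `script-src` is absent. Nonces, hashes, `'strict-dynamic'` and path matching are left out, so it is a teaching model of the decision, not an enforcement engine. The sample policies and URLs are constructed.

```javascript
// Added example (not from the lecture or the CSP spec): a simplified
// evaluator for the script-src directive of a Content-Security-Policy header.

// "default-src 'self'; script-src 'self' https://cdn.example.com"
//   -> Map { "default-src" => ["'self'"], "script-src" => ["'self'", "https://cdn.example.com"] }
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// script-src governs scripts; default-src applies when it is absent.
// With neither, the policy does not restrict scripts at all (returns null).
function scriptSources(directives) {
  if (directives.has("script-src")) return directives.get("script-src");
  if (directives.has("default-src")) return directives.get("default-src");
  return null;
}

function defaultPort(protocol) {
  return protocol === "https:" ? "443" : protocol === "http:" ? "80" : "";
}

// "*.example.com" matches any subdomain of example.com but not example.com itself.
function hostMatches(pattern, hostname) {
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return hostname.endsWith(suffix) && hostname.length > suffix.length;
  }
  return pattern === hostname;
}

// Would an inline <script>...</script> block run under this header?
// Inline script is blocked unless the policy says 'unsafe-inline'.
function inlineScriptAllowed(header) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  return sources.includes("'unsafe-inline'");
}

// Would <script src="scriptUrl"> load on a page served from pageUrl?
function externalScriptAllowed(header, pageUrl, scriptUrl) {
  const sources = scriptSources(parsePolicy(header));
  if (sources === null) return true;
  if (sources.includes("'none'")) return false;
  const url = new URL(scriptUrl);
  const page = new URL(pageUrl);
  for (const src of sources) {
    if (src === "'self'") {                       // same origin as the page
      if (url.origin === page.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue;            // other keyword sources: not modelled
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {      // scheme source, e.g. "https:"
      if (url.protocol === src.toLowerCase()) return true;
      continue;
    }
    // host source: [scheme://]host[:port], host may begin with "*."
    const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/i);
    if (!m) continue;
    const [, scheme, host, port] = m;
    if (scheme && url.protocol !== scheme.toLowerCase() + ":") continue;
    if (!hostMatches(host.toLowerCase(), url.hostname)) continue;
    if (port && port !== "*" && (url.port || defaultPort(url.protocol)) !== port) continue;
    return true;
  }
  return false;
}

// Constructed policy: only first-party script plus one named CDN, and no inline script.
const POLICY = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src *";
const PAGE_URL = "https://www.somecompany.com/checkout";
console.log("inline script:", inlineScriptAllowed(POLICY));
console.log("first-party script:", externalScriptAllowed(POLICY, PAGE_URL, "https://www.somecompany.com/js/app.js"));
console.log("unknown host:", externalScriptAllowed(POLICY, PAGE_URL, "https://badstuffhere.si/x.js"));
```

Under a policy like POLICY, the injected `<script>alert(navigator.userAgent)</script>` from the XSS slide is not executed even though the markup was delivered: the browser applies the header before it trusts any script on the page, which is why CSP is described as a defence that works alongside, not instead of, input sanitising and output encoding.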