Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.


Security and JavaScript

Learning Objectives
By the end of this lecture, you should be able to:
– Describe what is meant by JavaScript’s same-origin security policy
– Explain using an example how a Cross-Domain Scripting attack might work

Security and JavaScript
Perhaps the most important consideration for the people who developed the JavaScript language is the issue of security. As a programming (okay, ‘scripting’) language, it puts quite a bit of power in the hands of the skilled developer. For this reason, the standards group charged with creating JS standards required that the language adhere to certain security parameters. Perhaps the two most important considerations involve files and browser windows.
Files: JavaScript does not allow the programmer to open files on a user’s computer unless given explicit permission to do so.
“Same-Origin” Policy: Another very important standard is that JavaScript does not allow script running in one browser window to access a different window.
– Also note that each tab in a browser is considered to be a different window.

JavaScript’s “Same-Origin” Security policy
Imagine that you have Amazon.com open in one tab and are about to finalize the purchase of an expensive piece of stereo equipment. Before confirming your purchase, you open a new tab where a quick Google search shows a site you've never heard of offering a 1-hour flash sale on the same item. Unfortunately, that page is, in fact, a malicious site with script embedded in it. The malicious programmer accesses your Amazon.com window. The site goes ahead and finalizes your purchase, but then changes the address to a location in Slovenia. For good measure, they tack on a few additional items and, as an afterthought, a new boat.
This scenario might indeed be possible for a clever programmer were it not for JavaScript’s “same-origin” security policy. This policy requires that JavaScript does not allow communication via script between windows that have different domains, protocols or ports. Therefore, since the Amazon window is on the domain ‘amazon.com’ and the malicious site is on ‘badstuffhere.si’, scripts originating in the latter are unable to access the Amazon window.

“Same-Origin” Security policy
Ensures that there is no communication via script between pages that have different domains, protocols or ports. Protects against snooping from one domain on another domain. Even among pages residing in the same domain there are limitations. For example, if your domain is: then none of the following sites would be allowed to communicate with each other via JavaScript:
– Different domain altogether
– Different protocol (https)
– Different port (default is 80)
– Different host
There are techniques for allowing pages within the same domain to communicate with each other, provided that the server is configured to allow it.
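The four cases in the list above (other domain, other protocol, other port, other host) reduce to one rule: two pages share an origin only when scheme, host and port all match, and the path is irrelevant. The following added example (not part of the lecture) models that comparison with the standard WHATWG `URL` parser; the example URLs, including the ‘amazon.com’ versus ‘badstuffhere.si’ pairing from the scenario, are constructed for illustration.

```javascript
// Added example: a minimal model of the browser's same-origin comparison.
// An origin is the (scheme, host, port) triple; path, query and fragment
// play no part. The built-in URL.origin property computes the same value,
// but the triple is spelled out here so each component is visible.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // URL normalizes an explicit default port (":80" on http) to "", so the
  // default is filled back in before comparing.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed cases mirroring the lecture's list: [page A, page B, expected].
const CASES = [
  ["http://amazon.com/checkout", "http://badstuffhere.si/flash-sale", false], // other domain
  ["http://example.edu/a.html", "https://example.edu/a.html", false],          // other protocol
  ["http://example.edu/a.html", "http://example.edu:8080/a.html", false],      // other port
  ["http://example.edu/a.html", "http://www.example.edu/a.html", false],       // other host
  ["http://example.edu/a.html", "http://example.edu:80/b.html?x=1", true],     // same origin
];

// Returns true when every constructed case matches the expected verdict.
function checkCases() {
  return CASES.every(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```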

Cross-Domain Communication
The JavaScript standard does allow for some communication to span domains. For example, the <img> tag is allowed to access certain resources from other domains. This is why a student on a server in the ‘depaul.edu’ domain can have an image tag that looks like this:

Cross-Site Scripting (“XSS”) Attacks
XSS attacks are a classic JavaScript vulnerability in which malicious script is injected in such a way that it fools the victim site into believing that the script is local, and may therefore be trusted and executed. These attacks bypass the same-origin policy because browsers trust all of the code that shows up on a page as being a legitimate part of that page. So if a malicious programmer has a way of injecting code into a naïve or ‘unsanitised’ page, then real damage may occur. Cross-site scripting is a major issue that skilled JavaScript programmers must be attuned to.
Example: Suppose you have a text field asking the user for their name. Your script then outputs “Your name is ” followed by the information the user entered. Now imagine that the user entered the following as their “name”:
<script>alert(navigator.userAgent)</script>
This is an example in which the user’s input is not properly “sanitised”. It is very important to take all free-text input from the user and ensure that there are no characters or symbols that should not be there. We will discuss techniques for sanitising user input when we talk about Regular Expressions.
See: script_injection.htm
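The greeting example above, as an added illustration that is not the lecture’s own code: the vulnerable version concatenates the submitted name straight into markup, and the hardened version encodes the characters that can change HTML structure before output. Strings are built in plain JavaScript so the example runs outside a browser; in a page, assigning the name with `element.textContent` instead of `innerHTML` gives the same protection as the escaping shown here.

```javascript
// Added example (not from the lecture): the "Your name is ..." greeting,
// built first the vulnerable way and then with output encoding.

// The five characters that can change HTML structure, mapped to entities.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: user input is concatenated directly into markup, so any tags
// the "name" contains become part of the page and the browser executes them.
function renderGreetingUnsafe(name) {
  return "<p>Your name is " + name + "</p>";
}

// Hardened: the same greeting, but the input is encoded so the browser
// displays it literally instead of parsing it as markup.
function renderGreetingSafe(name) {
  return "<p>Your name is " + escapeHtml(name) + "</p>";
}

// True when the rendered markup still contains a raw <script> element,
// i.e. when the injected input survived as executable code.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed input: the lecture's example "name".
const INJECTED_NAME = "<script>alert(navigator.userAgent)</script>";
```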

Content Security Policy The W3C maintains an ongoing response to JavaScript’s security vulnerabilities. One of the most active defenses being moderated by the W3C comes in the form of the ‘Content Security Policy’ or ‘CSP’. A link to the discussion and whitepaper of the CSP standard can be found here: