JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

The following 10 questions test your knowledge of client site assignment in Configuration Manager Configuration Manager 2007 Client Site Assignment.

Symantec Education Skills Assessment SESA 3.0 Feature Showcase

ForceHTTPS: Protecting High-Security Web Sites from Network Attacks Collin Jackson and Adam Barth.

IT Analytics for Symantec Endpoint Protection

HiveMind Distributed File Storage Using JavaScript Botnets Copyright 2013 Sean T. Malone.

How the Internet Works Course Objectives Introduce the various web browsers Introduce some new terms Explain the basic Internet to PC hookup  ISP  Wired.

S. Stamm, Z. Ramzan, and M. Jakobsson Presented by Anh Le.

ACTIVE X By Ethan Huang. OUTLINE What is ActiveX? Component of ActiveX Why ActiveX? ActiveX and Java Security Issue.

1 When Cloud Networking meets Cloud Computing: Software-Defined Networking (SDN) Customer Application Faan DeSwardt Infrastructure Architecture Manager.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Virtual Machine Management

When Good Services Go Wild: Reassembling Web Services for Unintended Purposes Feng Lu, Jiaqi Zhang, Stefan Savage UC San Diego.

var site="s15gizmodo" var site="s15gizmodo"

Web Design Basic Concepts.

Norman SecureSurf Protect your users when surfing the Internet.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Security and Risk Management. Who Am I Matthew Strahan from Content Security Principal Security Consultant I look young, but I’ve been doing this for.

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

The Next Phase of Virtual Infrastructure Kevin Bailey Director - Product Marketing EMEA Symantec Corporation.

Architecture Of ASP.NET. What is ASP?  Server-side scripting technology.  Files containing HTML and scripting code.  Access via HTTP requests.  Scripting.

T U T O R I A L  2009 Pearson Education, Inc. All rights reserved Bookstore Web Application Introducing Visual Web Developer 2008 Express and the.

Copyright © cs-tutorial.com. Introduction to Web Development In 1990 and 1991,Tim Berners-Lee created the World Wide Web at the European Laboratory for.

HTML5 Application Development Fundamentals

Databases and the Internet. Lecture Objectives Databases and the Internet Characteristics and Benefits of Internet Server-Side vs. Client-Side Special.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

Open Web App. Purpose To explain Open Web Apps To explain Open Web Apps To demonstrate some opportunities for a small business with this technology To.

Wyatt Pearsall November  HyperText Transfer Protocol.

Symantec Managed Security Services The Power To Protect Duncan Evans Director, Cyber Security Services 1.

ASP.NET Web Application and Development Digital Media Department Unit Credit Value : 4 Essential Learning time : 120 hours Digital.

WEB 304 An Overview of ASP.NET and Windows Workflow Foundation Kashif Alam Program Manager Developer Division Microsoft Corporation.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

1 Safely Using Shared Computers Amanda Grady December 2013.

Protecting Students on the School Computer Network Enfield High School.

Building Rich Web Applications with Ajax Linda Dailey Paulson IEEE – Computer, October 05 (Vol.38, No.10) Presented by Jingming Zhang.

The current state of Cybersecurity Targeted and In Your Pocket Dale “Dr. Z” Zabriskie CISSP CCSK Symantec Evangelist.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Applications Testing By Jamie Rougvie Supported by.

Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.

Sid Stamm, Zulfikar Ramzan and Markus Jokobsson Erkang Xu.

NASRULLAH KHAN.  Lecturer : Nasrullah   Website :

Copy to Tape TOI. 2 Copy to Tape TOI Agenda Overview1 Technical Feature Implementation2 Q&A3.

JavaScript 101 Introduction to Programming. Topics What is programming? The common elements found in most programming languages Introduction to JavaScript.

Configuring and Deploying Web Applications Lesson 7.

Modern Challenges for IT Governance, Risk, and Compliance in the Enterprise Brian Robison Product Manager McAfee Eric Fredericksen, PhD Solutions Architect.

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

IS Infrastructure Managing Infrastructure and Services Copyright © 2016 Curt Hill.

Role Of Network IDS in Network Perimeter Defense.

Optimized Synthetics 1 OpenStorage Optimized Synthetics.

Partner Proctored Assessment Registration Process Ajit Jha 1 Partner Assessment.

Cyber Security in the Post-AV Era Amit Mital Chief Technology Officer General Manager, Emerging Endpoints Business Unit.

Tips and Tricks for Debugging ASP.NET Web Applications and Services Habib Heydarian TLNL05 Program Manager Microsoft Corporation.

IBM Rational Application Security Group (aka Watchfire) Web Based Man In the Middle Attack © 2009 IBM Corporation 1 Active Man in the Middle Attacks The.

IST 201 Chapter 11 Lecture 2. Ports Used by TCP & UDP Keep track of different types of transmissions crossing the network simultaneously. Combination.

Network and Server Basics. Learning Objectives After viewing this presentation, you will be able to: Understand the benefits of a client/server network.

Lecture 19 Page 1 CS 236 Online 6. Application Software Security Why it’s important: –Security flaws in applications are increasingly the attacker’s entry.

ArcGIS for Server Security: Advanced

David Hatten Developer, UrbanCode 17 October 2013

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Web Application.

Li Yang, Carson Woods (University of Tennessee at Chattanooga

Riding Someone Else’s Wave with CSRF

Web Security Advanced Network Security Peter Reiher August, 2014

Agenda OAuth Concepts Programming OAuth.

Implementing Client Security on Windows 2000 and Windows XP Level 150

6. Application Software Security

In the attack index…what number is your Company?

Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago

Presentation transcript:

JavaScript Breaks Free Zulfikar Ramzan Symantec Security Response Joint w/ Markus Jakobsson, Sid Stamm (Indiana Univ)

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 2 Outline The Web 2.0 Security Picture1 Position: Boundary Challenges2 Example: Drive-by Pharming3 Other Examples and Parting Thoughts4

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 3 The Web 2.0 Picture WEB SERVER CLIENT MACHINE WEB SERVER 3 Intranet web devices 4 Plug-ins / Extensions 5 Multiple Browsers 6 Local online apps 2 Content aggregation 1 User-driven content

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 4 What Makes it Hard Unprecedented amount of content (not always trustworthy) Aggregation of content on local client and also by intermediaries (same-origin policy workarounds) Intranet devices often have web servers (internet/intranet boundary issues) Web browsers augmented with plug-ins (not always trustworthy & complicate interactions) Machines may have many local web browsers that communicate over HTTP, render HTML, and emulate JavaScript (increased attack surface). Some local client applications can interact with web browser and provide combined online / offline capabilities (compromises can lead to machine ownership). 4

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 5 Main Position Points and Examples There are many pieces in the puzzle. The policies governing boundaries between these pieces needs to be better understood and better enforced. If we get this wrong, *-script code running in one context, can affect another. Example: Drive-by Pharming. 5

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 6 Drive-by Pharming Overview Attack concept developed by Sid Stamm, Markus Jakobsson, and me that strongly leverages prior work on JavaScript host scanning presented by Grossman at BlackHat. Local broadband routers (both wired and wireless) offer a web management interface for device configuration –Consequently, these devices contain a web server that runs a web app The web app is often susceptible to cross-site request forgeries (made easier since there is usually a default password that users often fail to change) Broadband routers govern DNS settings… Can change these settings from a remote location; victim only has to view web page containing malicious JavaScript to become infected 6

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 7 Drive-by Pharming Flow Home broadband / wireless router Web Browser Good DNS Server Rogue DNS Server Your Bank Not Your Bank Web site with JavaScript Malware Click Me!!!

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 8 Drive-by Pharming Current Status Working proof of concept code for various Linksys, Netgear,and DLINK routers No known instances In the Wild yet Similar concept can be used to upgrade router firmware Solutions –Simple bandaid: change password on home router –More fundamental: protect the web app on the router from Cross-Site Request Forgeries –Way to implement second soln: web app requires and validates unpredictable value hidden somewhere on web page containing config. management interface 8

Copyright © 2007, Symantec. All Rights Reserved. Zulfikar Ramzan, JavaScript Breaks Free 9 Other Examples and Parting Thoughts Other Examples: –Overtaking Google Desktop (Amit, Allan & Sharabani) –Universal XSS (Di Paola & Fedon) Not understanding boundaries associated with the plethora of component and failing to understand and enforce policies governing boundaries can have devastating consequences Things are getting more complex! New technologies like Silverlight, etc., are looming. 9 © 2007 Symantec Corporation. All rights reserved. THIS DOCUMENT IS PROVIDED FOR INFORMATIONAL PURPOSES ONLY AND IS NOT INTENDED AS ADVERTISING. ALL WARRANTIES RELATING TO THE INFORMATION IN THIS DOCUMENT, EITHER EXPRESS OR IMPLIED, ARE DISCLAIMED TO THE MAXIMUM EXTENT ALLOWED BY LAW. THE INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE.