Host and Application Security Lesson 20: How the Web Does not Work.

Remind me…
- Precisely how does the web work?

Web Vulns
- This is host and application security, so we’re focusing on the host issues

Simple
- Simple buffer overruns/security vulns in the browser or in its plugins
- Determining the list of plugins is harder than it probably needs to be

Javascript
- Pretty powerful language
- History of different classes of vulnerabilities… perhaps most famous is cross site scripting
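As an added illustration of the cross-site-scripting class this slide mentions (example code, not the lecture's own), a reflected-XSS renderer beside its hardened form; the function names and the sample query are constructed for the example.

```javascript
// Added example (not from the lecture slides): the classic reflected-XSS
// pattern, as a vulnerable renderer next to its hardened form. Both build
// the HTML a server would send back for a search page that echoes the
// user's query. Function names here are assumptions, not the lecture's code.

// Vulnerable: the untrusted query is concatenated straight into HTML, so
// markup in the parameter becomes markup in the page.
function renderSearchUnsafe(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: encode the five HTML-significant characters before the value
// lands in an HTML text context. Attribute and JavaScript contexts need
// their own encoders; this one is for element text only.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  })[c]);
}

function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defender-side check used to contrast the two renderers on the same
// input: does the rendered page still contain a script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input: a query that carries markup (the standard
// benign probe used when testing for this bug class).
const sampleQuery = '<script>alert(1)</script>';

console.log(renderSearchUnsafe(sampleQuery)); // script element survives
console.log(renderSearchSafe(sampleQuery));   // script element is encoded
```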

Java Applets
- Tell me about Java Applets and their security model
- Isn’t that good enough? Why? Why not?

ActiveX
- “Safe for scripting”?
- ActiveX: Pros and Cons?

Clickjacking
- A really neat exploit – get the user to click on one thing when they think they are clicking on another
- Example: a one click bank transfer
- Cross-frame issues make life very interesting
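The cross-frame precondition of the trick above is that the target page can be embedded by another origin. As an added example (not from the lecture), a defender-side audit of the two response headers that control that: given a page's headers, would a browser honouring them let a page from another origin frame it? The function names, sample origins and sample headers are constructed.

```javascript
// Added example, not from the lecture: audit the framing policy a page sends.
// framingAllowed() answers whether a browser honouring X-Frame-Options and
// CSP frame-ancestors would let a document at framerOrigin embed the page
// served from pageOrigin. Names and sample values are constructed.

// Match one frame-ancestors source expression against the framer's origin.
function sourceMatches(src, pageOrigin, framerOrigin) {
  src = src.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return pageOrigin === framerOrigin;
  if (src === '*') return true;
  const framer = new URL(framerOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return framer.protocol === src; // e.g. https:
  const [scheme, host] = src.includes('://') ? src.split('://') : [null, src];
  if (scheme && framer.protocol !== scheme + ':') return false;
  if (host.startsWith('*.')) return framer.hostname.endsWith(host.slice(1));
  return framer.hostname === host;
}

function framingAllowed(headers, pageOrigin, framerOrigin) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  // A frame-ancestors directive, when present, takes precedence over
  // X-Frame-Options (CSP Level 2 tells browsers to ignore XFO in that case).
  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map((d) => d.trim().split(/\s+/))
      .find((parts) => parts[0].toLowerCase() === 'frame-ancestors');
    if (directive) {
      const sources = directive.slice(1);
      if (sources.length === 0) return false; // empty source list allows nothing
      return sources.some((s) => sourceMatches(s, pageOrigin, framerOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return pageOrigin === framerOrigin;
  // No header, or the deprecated ALLOW-FROM form that current browsers
  // ignore: nothing stops the page from being framed.
  return true;
}

// Constructed sample responses: a bank page sent with no framing policy,
// beside the same page with the corrected headers.
const weakHeaders = { 'Content-Type': 'text/html' };
const fixedHeaders = { 'Content-Type': 'text/html', 'X-Frame-Options': 'DENY',
  'Content-Security-Policy': "frame-ancestors 'self'" };
```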

To Do
- Find and read the ACM Queue paper “Browser Security: Lessons from Google Chrome”
- Write a demonstration of a cross site scripting attack. Do this in essay form, showing the code you would have on both ends and how it would work. What is the future for XSS attacks?