
1 Web Security (cont.)

2 Referral issues
- HTTP referer (originally "referrer"): HTTP header that designates the calling resource
  - Page on which a link is clicked
  - Page that shows an image
- Usage
  - Pay for referral
  - Limit access to certain pages (e.g. login pages)
  - Limit deep linking (e.g. bypassing advertising)
  - Limit CSRF
- Risks
  - Spam (if referral is rewarded) and spoofing
  - Sensitive information (e.g. session ID) in the query string

3 Redirection
- HTTP uses redirection for
  - Similar domain names
  - Moved sites
  - Referral masking: before leaving the site, redirect through a less sensitive page
- Implementation: several methods
  - Usually a 3xx HTTP status (e.g. 301 or 302) followed by a Location header
- Malicious uses
  - Phishing
  - Ad clicking and other malicious sites

4 XSS
- Cross Site Scripting
- Attacker, target, web server scenario
- Target executes a client-side script crafted by the attacker
- Types
  - Reflected: browser to server to the same browser
  - Stored: browser to server to any browser
  - DOM: does not necessarily reach the web server
- Delivery: reflected or stored. DOM is typically reflected.

5 XSS DOM
- DOM: Document Object Model
  - Objects in the page
- Examples
  - document.URL
  - document.location
  - document.cookie
  - document.referrer
- JavaScript can access and manipulate these objects and properties
- Problems
  - The HTML page can be static (independent of parameters)
  - Script in the page runs on DOM objects

6 XSS DOM (cont.)
- The XSS attack may not reach the server
  - Server-side filtering won't detect the attack
- URL format
  - http://domain/path?query#fragment
- The fragment does not reach the server

7 Example – DOM XSS I
- Welcome page

    <html>
    <title>Welcome!</title>
    Hi
    <script>
    // take everything after the first "name=" in the URL and write it into the page
    var pos = document.URL.indexOf("name=") + 5;
    document.write(document.URL.substring(pos, document.URL.length));
    </script>
    <br>
    Welcome to our system
    …
    </html>

8 Example – DOM XSS II
- Attack that doesn't go through the server
  - www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)</script>
- What happens if the JavaScript checks that all characters in name are alphanumeric? Here is an attack:
  - http://www.vulnerable.site/welcome.html?notname=<script>alert(document.cookie)</script>&name=Joe
- Defenses
  - Manipulate the objects in server-side scripts and sanitize them.
  - Or sanitize carefully in the client-side script.
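The welcome page's name extraction, modelled in Python as an added example (not code from the slides) so that both bypasses on this slide can be checked offline: the indexOf("name=") logic also matches inside "notname=" and reads the fragment, while a proper query parse plus HTML escaping does neither. The sample URLs are the slide's own two attack URLs.

```python
# Added example, not from the slides: models the welcome.html extraction logic.
from html import escape
from urllib.parse import urlsplit, parse_qs


def extract_name_vulnerable(url: str) -> str:
    """Mirror of the slide's script: indexOf("name=") + 5, substring to the end.

    It searches the whole URL (fragment included) and takes everything after the
    first "name=", so both "#name=" and "?notname=...&name=Joe" hand the payload
    straight to document.write, unescaped.
    """
    pos = url.find("name=")
    if pos < 0:
        return ""
    return url[pos + 5:]


def server_visible_part(url: str) -> str:
    """What the HTTP server actually receives: path and query, never the fragment."""
    parts = urlsplit(url)
    return parts.path + ("?" + parts.query if parts.query else "")


def extract_name_safe(url: str) -> str:
    """Parse the query as key/value pairs (only the real 'name' parameter counts,
    'notname' is a different key) and HTML-escape the value before it is written."""
    params = parse_qs(urlsplit(url).query)
    name = params.get("name", [""])[0]
    return escape(name, quote=True)


# Constructed sample URLs: the two attacks shown on the slide.
FRAGMENT_ATTACK = ("http://www.vulnerable.site/welcome.html"
                   "#name=<script>alert(document.cookie)</script>")
NOTNAME_ATTACK = ("http://www.vulnerable.site/welcome.html"
                  "?notname=<script>alert(document.cookie)</script>&name=Joe")

if __name__ == "__main__":
    for url in (FRAGMENT_ATTACK, NOTNAME_ATTACK):
        print("server sees :", server_visible_part(url))
        print("slide script:", extract_name_vulnerable(url))
        print("safe parse  :", extract_name_safe(url))
```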

9 Browser separation model
- Separation from the OS
  - Scripts cannot manipulate data and processes outside the browser context, e.g. local files
- Same origin policy
  - Separation of domains
  - Suppose two pages interact
  - If the host name matches, e.g. www.cse.bgu.ac.il (possibly with other matches such as the port number), then the pages can interact
  - A page can set document.domain to a higher domain, e.g. bgu.ac.il
  - Two pages with the same domain can then interact (but all other pages with the same domain can interact as well)

10 More on same origin
- Behavior on top-level domains (.com) is not defined
- Behavior on file:// is not defined
  - Depending on the browser (e.g. all IE versions), local files may access other local files
- Same origin for cookies
  - Based on identical host name
  - May be changed by the DOMAIN or PATH cookie attributes
- There are similar same-origin requirements for Flash, Java and other technologies
- What's not same origin
  - Multimedia
  - Remote scripts

11 SQL Injection

12 SQL
- Common database language
- Database organized in a schema
- Data is organized in tables
- Tables organized in rows of data fields
- SQL enables
  - Table creation, data insertion, deletion
  - Queries to the database
- Implementation issues and checks are outside the scope of the language

13 Tidbits of SQL syntax
- Table creation

    CREATE TABLE users (
        UserName VARCHAR(50),
        CreditCard VARCHAR(30),
        ExpirationDate VARCHAR(8),
        PRIMARY KEY (UserName)
    );

- Row insertion

    INSERT INTO users (UserName, CreditCard) VALUES ('Bob', '6510…');

14 More syntax
- Deletion

    DELETE FROM users WHERE UserName = 'Bob';
    DROP TABLE users;

15 SQL queries

    SELECT UserName, CreditCard
    FROM users
    WHERE UserName = 'Bob';

- WHERE evaluates a logical statement to true or false

    SELECT UserName, CreditCard
    FROM users
    WHERE UserName = 'Bob' AND ExpirationDate < $date;

16 More queries
- Queries can be prepared as statements, which are executed with parameters
- Building the statement by string concatenation:

    statement = "SELECT UserName, CreditCard FROM users WHERE UserName = '" + userName + "';"

17 Usage scenario in web server
- E-commerce web server stores user data in an SQL database
- Registration process
  - User enters name and credit card number
  - Database adds a row
- Shopping process
  - User authenticates to the web server (e.g. TLS and HTTP authentication)
  - User selects products
  - Database retrieves the user's data and the web server shows it to the user
  - User clicks "buy" and the process ends

18 Example continued
- Username passed by the browser in

    http://www.site.com/store/username.asp?username=Bob

- Attack

    http://www.site.com/store/username.asp?username='or '1'='1

- SQL interprets this as

    SELECT UserName, CreditCard FROM users WHERE UserName = ''or '1'='1';

- WHERE evaluates to true for every row.
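The username.asp lookup from slides 16 to 18, run end to end as an added example (not the slides' code): the concatenated statement of slide 16 beside a parameterized one, both executed against a constructed in-memory SQLite copy of the users table with the slide's 'or '1'='1 input. SQLite stands in for the unnamed database in the scenario; the two rows are made up.

```python
# Added example, not from the slides: concatenated vs. parameterized lookup.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample users table matching the slides' schema, two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (UserName VARCHAR(50), CreditCard VARCHAR(30), "
        "ExpirationDate VARCHAR(8), PRIMARY KEY (UserName))"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("Bob", "6510-0000-0000-0001", "12/27"),
         ("Alice", "4111-0000-0000-0002", "06/28")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Slide 16's concatenation: the input becomes part of the SQL text,
    so a quote in it ends the literal and the rest is parsed as SQL."""
    statement = ("SELECT UserName, CreditCard FROM users WHERE UserName = '"
                 + username + "';")
    return conn.execute(statement).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Prepared statement with a bound parameter: the value is passed as data
    and is never parsed as SQL, whatever characters it contains."""
    statement = "SELECT UserName, CreditCard FROM users WHERE UserName = ?;"
    return conn.execute(statement, (username,)).fetchall()


# The slide's attack input, exactly as it arrives in the username parameter.
ATTACK_INPUT = "'or '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal user  :", lookup_vulnerable(db, "Bob"))
    print("concatenated :", lookup_vulnerable(db, ATTACK_INPUT))    # every row
    print("parameterized:", lookup_parameterized(db, ATTACK_INPUT))  # no row
```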

