Presentation is loading. Please wait.

Presentation is loading. Please wait.

Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Published byMadeleine Baker Modified over 9 years ago

Similar presentations

Presentation on theme: "Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"— Presentation transcript:

1 Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University http://adamdoupe.com

2 Adam Doupé, Security and Vulnerability Analysis Overview We've studied the technologies that make up the web, including the underlying technologies, server-code code, and client-side code Let's hack all the things! –But first, we need to understand the security of web applications –Otherwise, how do we know if we're successful

3 Adam Doupé, Security and Vulnerability Analysis Web Ecosystem HTTP Request HTTP Response Web Server Client Web Application

4 Adam Doupé, Security and Vulnerability Analysis Client

5 Adam Doupé, Security and Vulnerability Analysis Client

6 Adam Doupé, Security and Vulnerability Analysis Client

7 Adam Doupé, Security and Vulnerability Analysis Who's Security is it Anyways?

8 Adam Doupé, Security and Vulnerability Analysis Client

9 Adam Doupé, Security and Vulnerability Analysis HTML Frames Ability to tie multiple separate URLs together on one page Used in the early days to provide a banner or navigation element

10 Adam Doupé, Security and Vulnerability Analysis frameset Text to be displayed in browsers that do not support frames

11 Adam Doupé, Security and Vulnerability Analysis The Frames frame1.html –I am frame 1 frame2.html –I am frame two

12 Adam Doupé, Security and Vulnerability Analysis

13 iframes Inline frames Similar to frames, but does not need a frameset

14 Adam Doupé, Security and Vulnerability Analysis

15 JavaScript Security Browsers are downloading and running foreign (JavaScript) code, sometimes concurrently The security of JavaScript code execution is guaranteed by a sandboxing mechanism (similar to what we saw in Java applets) –No access to local files –No access to (most) network resources –No incredibly small windows –No access to the browser's history –…–… The details of the sandbox depend on the browser

16 Adam Doupé, Security and Vulnerability Analysis Same Origin Policy (SOP) Standard security policy for JavaScript across browsers –Incredibly important to web security If you learn only one thing from this class, let it be the Same Origin Policy Every frame or tab in a browser's window is associated with a domain –A domain is determined by the tuple: from which the frame content was downloaded Code downloaded in a frame can only access the resources associated with that domain If a frame explicitly includes external code, this code will execute within the SOP –On adamdoupe.com, the following JavaScript code has access to the SOP –

17 Adam Doupé, Security and Vulnerability Analysis Web Security Model Same Origin Policy (SOP)

18 Adam Doupé, Security and Vulnerability Analysis Technologies URI Percent Encoding HTTP Request HTTP Response HTTP Authentication HTML HTML Character References Form Urlencoding Cookies CGI ASP Servlets JSP PHP SQL SOP

Download ppt "Web Security Model CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University"

Similar presentations

Introduction to JavaScript

Introduction to JavaScript
Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Modern Web Application Frameworks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University
Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.

Creating WordPress Websites. Creating a site on your computer Local server Local WordPress installation Setting Up Dreamweaver.
Apache Tomcat Server – installation & use Server-side language-- use Java Server Pages Contrast Client-side languages HTML Forms Servers & Server-side.

Apache Tomcat Server – installation & use Server-side language-- use Java Server Pages Contrast Client-side languages HTML Forms Servers & Server-side.
Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic Server Side Web Technologies: Part 2.

Outline IS400: Development of Business Applications on the Internet Fall 2004 Instructor: Dr. Boris Jukic Server Side Web Technologies: Part 2.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
Multiple Tiers in Action

Multiple Tiers in Action
Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.

Introduction to Web Based Application. Web-based application TCP/IP (HTTP) protocol Using WWW technology & software Distributed environment.
Apache Tomcat Server Typical html Request/Response cycle

Apache Tomcat Server Typical html Request/Response cycle
1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.

1 CS6320 – Why Servlets? L. Grewe 2 What is a Servlet? Servlets are Java programs that can be run dynamically from a Web Server Servlets are Java programs.
Introduction to Web Interface Technology (CSE2030)

Introduction to Web Interface Technology (CSE2030)
Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.

Java Server Team 8. Overview What is a Java Server? History Architecture Advantages Disadvantages Current Technologies Conclusion.
COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.

COMPUTER TERMS PART 1. COOKIE A cookie is a small amount of data generated by a website and saved by your web browser. Its purpose is to remember information.
Java Servlets. What Are Servlets? Basically, a java program that runs on the server Basically, a java program that runs on the server Creates dynamic.

Java Servlets. What Are Servlets? Basically, a java program that runs on the server Basically, a java program that runs on the server Creates dynamic.
ITM352 Javascript and Dynamic Web Pages: Client Side Processing.

ITM352 Javascript and Dynamic Web Pages: Client Side Processing.
159.339 Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.

Quick Tour of the Web Technologies: The BIG picture LECTURE A bird’s eye view of the different web technologies that we shall explore and study.
 What I hate about you things people often do that hurt their Web site’s chances with search engines.

 What I hate about you things people often do that hurt their Web site’s chances with search engines.
Server-side Technologies

Server-side Technologies
Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.

Overview of JSP Technology. The need of JSP With servlets, it is easy to – Read form data – Read HTTP request headers – Set HTTP status codes and response.

Similar presentations

Ads by Google