CS 253 Web Security Youtube Pt2 Flashcards

1
Q

What is the purpose of UI denial-of-service attacks?

A
  1. Overriding browser defaults, to make it harder for the user to leave the site or close the tab.
  2. Scareware: fake "your computer is infected" warnings that pressure the user into buying a product, or that trap them on the page.
  3. Trolling.
2
Q

Into how many levels are web APIs divided when we talk about how restricted they are?

A

Four: Level 0, 1, 2 and 3, from no restriction at all up to an explicit permission prompt.

3
Q

What are the restrictions for Level 0 web APIs?

A

No restrictions. APIs can be used immediately and indiscriminately.

4
Q

What are some examples of Level 0 web APIs?

A

DOM and CSS
window.moveTo() / window.moveBy()
starting a file download
hiding the mouse cursor (CSS cursor: none)

The levels are a snapshot: browsers keep moving APIs up a level as they get abused, so any of these may be more restricted in the browser you are testing.

5
Q

What are the restrictions for Level 1 web APIs?

A

User interaction ("user activation") is required.

The API cannot be used unless it is called in response to a user's action, such as a click or a keypress.
Scrolling, for example, does not count as an activation.

6
Q

What are some examples of web APIs with Level 1?

A

Element.requestFullscreen()
navigator.vibrate()
Copy text to clipboard
Speech synthesis API
window.open()

7
Q

What are the restrictions for Level 2 web APIs?

A

User "engagement" is required.

The API cannot be used until the user has demonstrated high engagement with the website, as measured by the browser (Chrome's Media Engagement Index, for example, tracks how often the user has played media on the site).

8
Q

What are some examples of web APIs with Level 2?

A

Autoplay sound
Prompt to install website to homescreen

9
Q

What are the restrictions for Level 3 web APIs?

A

User permission is required.
API cannot be used until user grants explicit permission.

10
Q

What are some examples of web APIs with Level 3?

A

Camera, microphone, geolocation, USB, MIDI device access.

11
Q

What is tabnabbing?

A

A page opened in a new tab (via target="_blank" or window.open()) receives a window.opener reference back to the tab that opened it. Even when the two pages are cross-origin, the new tab may assign window.opener.location and so navigate the original tab to any URL it likes.

This is especially useful for phishing: the attacker replaces the original page with an exact copy that pretends the user has been logged out and shows a login form. Because the user's attention is on the new tab, the navigation of the old one is rarely noticed.

12
Q

What are some tabnabbing defenses you can set up?

A
  1. Add rel="noopener" to every <a> element that has target="_blank" (and pass "noopener" in the features string of window.open()).

This makes window.opener in the new tab null instead of pointing at our window. Current browsers treat target="_blank" as implying noopener, but being explicit is still the safe default for older browsers and for links that come from user-generated content.

  2. Send the HTTP header Cross-Origin-Opener-Policy: same-origin.

This puts the document in its own browsing context group (in Chrome, also its own OS process), severing references to any cross-origin opener or popup.
It prevents cross-window attacks and process side-channel attacks. Caveat: it also breaks legitimate cross-origin popup flows such as OAuth logins; same-origin-allow-popups is the usual compromise there.
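As an added example (not part of the course material), the two defenses above as a pre-deploy check: one pass over server-rendered HTML reporting target="_blank" links that would hand the opened page a window.opener, and a helper that normalizes the Cross-Origin-Opener-Policy value a response carries. The sample HTML and headers are constructed for this example.

```python
"""Audit HTML for tabnabbing-prone links and read the COOP header.

Added example, not from the course: a pre-deploy check for defense 1
(rel="noopener" on target="_blank") and defense 2 (COOP). Sample HTML
and header dicts below are constructed for this example.
"""
from html.parser import HTMLParser


class BlankLinkAuditor(HTMLParser):
    """Collect <a target="_blank"> links whose rel lacks "noopener"."""

    def __init__(self):
        super().__init__()
        self.unsafe = []   # hrefs that would give the opened page a window.opener

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("target", "").lower() != "_blank":
            return
        rel = a.get("rel", "").lower().split()
        # "noreferrer" implies noopener in browsers, so either token is fine
        if "noopener" in rel or "noreferrer" in rel:
            return
        self.unsafe.append(a.get("href", ""))


def unsafe_blank_links(html):
    """Return the hrefs of every new-tab link that keeps an opener reference."""
    parser = BlankLinkAuditor()
    parser.feed(html)
    parser.close()
    return parser.unsafe


def coop_value(headers):
    """Normalized Cross-Origin-Opener-Policy value; "unsafe-none" is the browser default."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("cross-origin-opener-policy", "unsafe-none").strip().lower()


# Constructed sample page: two links are unsafe, one is explicit, one opens in-tab.
SAMPLE_HTML = """
<a href="https://partner.example/report" target="_blank">report</a>
<a href="/internal" target="_blank" rel="noopener">ok</a>
<a href="https://ugc.example/post/1" target="_blank" rel="nofollow">user post</a>
<a href="/same-tab">fine</a>
"""

if __name__ == "__main__":
    for href in unsafe_blank_links(SAMPLE_HTML):
        print("missing rel=noopener:", href)
    policy = coop_value({"Cross-Origin-Opener-Policy": "same-origin"})
    print("COOP:", policy, "(opener severed)" if policy == "same-origin" else "")
```

Only "same-origin" severs the reference in both directions; "same-origin-allow-popups" isolates the page from its own opener but still lets popups it opens keep a window.opener, so it does not by itself stop a popup from tabnabbing the page.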

13
Q

What is phishing?

A

It is impersonating a reputable entity to trick the user into divulging sensitive information such as login credentials or account details.

It is easier than attacking the security of a system directly, since it consists of just getting the user to hand over their credentials willingly.

14
Q

What is Punycode?

A

Punycode is an encoding that represents a Unicode label using only the limited ASCII subset allowed in internet hostnames (letters, digits and hyphen). Browsers apply it label by label and add the prefix xn--, so DNS only ever sees ASCII.

So a domain like

müller-büromöbel.com

becomes

xn--mller-brombel-rmb4fg.com

15
Q

What is the advantage of using punycode?

A

It helps, to a certain extent, against IDN homograph attacks: when a browser decides a hostname looks suspicious (for example because it mixes scripts), it shows the xn-- form in the address bar instead of the look-alike Unicode, so the user has a chance to notice.

16
Q

What is domain typosquatting?

A

It consists of registering a name that looks similar to an established domain in order to fool the user.
As the name implies, it relies on the user mistyping the address (or not noticing a misspelling in a link).
For example, if the target domain name is santander.com, typosquatting alternatives could be:

santnder.com
sntander.com
satnander.com
santnader.coom

etc.
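As an added example (not part of the course material), the generator a brand owner or defender would use to enumerate the single-edit variants of a domain so they can be registered or monitored; it reproduces the three single-edit cases in the card's list (santnader.coom is two edits, a transposition plus a doubled letter, and falls outside one edit). The domain is the card's santander.com.

```python
"""Enumerate single-edit typosquatting candidates for a domain.

Added example, not from the course. Only three edit types are generated
(dropped, doubled and swapped characters); tools such as dnstwist add
keyboard-adjacency, homoglyph and TLD variants on top.
"""


def typosquat_candidates(domain):
    """Sorted single-edit variants of `domain`; the dots are never touched."""
    out = set()
    n = len(domain)
    for i, ch in enumerate(domain):
        if ch == ".":
            continue
        # omission: the user drops a character        (santander -> santnder)
        out.add(domain[:i] + domain[i + 1:])
        # repetition: a key is pressed twice           (.com -> .coom)
        out.add(domain[:i] + ch + domain[i:])
        # transposition: two adjacent keys swapped     (santander -> satnander)
        if i + 1 < n and domain[i + 1] not in (".", ch):
            out.add(domain[:i] + domain[i + 1] + ch + domain[i + 2:])
    out.discard(domain)
    # drop variants that are no longer valid hostnames (empty leading label)
    return sorted(d for d in out if ".." not in d and not d.startswith("."))


if __name__ == "__main__":
    for candidate in typosquat_candidates("santander.com"):
        print(candidate)
```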

17
Q

What is an IDN homograph attack?

A

IDN stands for Internationalized Domain Name.

An IDN homograph attack takes advantage of the fact that Unicode contains many code points that represent different letters but look very similar, or identical, to the user.

By using these letters from other alphabets (for example Cyrillic а instead of Latin a), an attacker can register a domain name that looks like the real one and direct users to their own servers, usually for phishing.

18
Q

What can be done against IDN homograph attacks?

A

Browsers display suspicious IDNs in their Punycode (xn--) form. As a user, use a password manager: it only autofills on the exact origin it saved the credential for, so a look-alike domain gets nothing.

Make sure you are connecting over HTTPS and that the certificate is for the site you expect; a homograph domain can obtain a perfectly valid certificate of its own, so HTTPS alone is not proof.
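As an added example (not part of the course material) tying the Punycode and homograph cards together: Python's built-in "idna" codec performs the same per-label Punycode conversion browsers do, and a small script-mixing check flags the two classic homograph shapes, a label that mixes alphabets and a label made entirely of look-alikes. The look-alike table is a hand-picked subset of Unicode's confusables list, and the sample domains are constructed for this example.

```python
"""Punycode conversion and a homograph check for internationalized domains.

Added example, not from the course. The idna codec does the IDNA/Punycode
conversion; CYRILLIC_LOOKALIKES is a small hand-picked subset of Unicode's
confusables.txt, constructed for this example.
"""
import unicodedata

# Cyrillic letters that render like Latin ones in most fonts (hand-picked subset).
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u04cf": "l",
}


def to_punycode(domain):
    """ASCII (xn--) form of a domain, label by label, as DNS sees it."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain):
    """Unicode form of a domain; accepts either the xn-- or the Unicode spelling."""
    return domain.encode("idna").decode("idna")


def scripts_in(label):
    """Unicode scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def skeleton(label):
    """Replace look-alikes by their Latin twin, so Cyrillic 'аррӏе' becomes 'apple'."""
    return "".join(CYRILLIC_LOOKALIKES.get(ch, ch) for ch in label)


def homograph_risk(domain):
    """Reasons a domain looks like a homograph attack; an empty list means none found."""
    reasons = []
    for label in from_punycode(domain).lower().split("."):
        if label.isascii():
            continue                       # plain ASCII labels cannot be homographs
        scripts = scripts_in(label)
        if len(scripts) > 1:               # e.g. Cyrillic 'а' followed by Latin 'pple'
            reasons.append(f"{label!r} mixes scripts {sorted(scripts)}")
        elif skeleton(label) != label and skeleton(label).isascii():
            reasons.append(f"{label!r} is a whole-script look-alike of {skeleton(label)!r}")
    return reasons


if __name__ == "__main__":
    for d in ("müller-büromöbel.com", "bücher.example", "\u0430pple.com",
              "\u0430\u0440\u0440\u04cf\u0435.com"):
        print(d, "->", to_punycode(d), homograph_risk(d) or "looks fine")
```

A label that is non-ASCII but single-script and not a look-alike (bücher) passes, which is the behavior you want for genuine IDNs; real browser policies are considerably more elaborate than this check.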

19
Q

What kind of techniques exist to fool the user into thinking they navigated to the website they wanted, when in reality they were sent somewhere else?

A

Domain typosquatting

IDN homograph attacks

Subdomain confusion: most users cannot read a hostname right to left, so paypal.com-webapp12233122sexample.com looks like PayPal even though the registrable domain is com-webapp12233122sexample.com and "paypal" is just a subdomain the attacker controls.

Picture-in-picture attack: draw a picture of a browser window (address bar included) inside the page and make it behave like a new window. Most users do not notice that it is fake.

20
Q

What other noteworthy attacks can be carried out against users?

A

Cookiejacking: a clickjacking variant in which the user is tricked into dragging and dropping the contents of a cookie file into an attacker-controlled page.

Filejacking: the page asks the user to pick a folder as if they were choosing where to save a download, when in fact a folder-upload dialog is open and the folder's contents are uploaded to the attacker.

21
Q

What are some examples of client side, denial of service attacks?

A

Infinite alert loop

22
Q

What was the browser’s solution to the infinite alert loop attack?

A

Browsers are now multiprocess and alert() dialogs are tab-modal rather than browser-modal, so even if a page loops forever on alert(), the browser's own UI (including the tab's close button) is not blocked and the user can close the tab whenever they like. After repeated dialogs browsers also offer a "prevent this page from creating additional dialogs" option.

23
Q

What is Google Safe Browsing?

A

It is a list maintained by Google of URLs known to serve malware or phishing.

The browser checks every navigation against this list and, on a hit, shows a full-page Google warning about the risks of continuing to the page.

24
Q

What is the Google Safe Browsing Lookup API?

A

It is the public API Google provides to send URLs to the Safe Browsing server and get back their status.

25
Q

What are the drawbacks of using the Google Safe Browsing Lookup API?

A

The URLs are sent in plaintext rather than hashed, so the server learns exactly which URLs you look up, i.e. your browsing history.

Additionally, since every lookup is a round trip to the server, there is no guarantee on response time, which matters when the check sits in the navigation path.

26
Q

What is the Google Safe Browsing Update API?

A

It is the public API that lets a client download a list of hash prefixes (the first few bytes of SHA-256 hashes) instead of sending URLs to Google.

For each unsafe URL, Google canonicalizes it and forms a set of host-suffix / path-prefix expressions (the host with leading labels dropped, the path with trailing components dropped), hashes each expression, and publishes only the first few bytes of each hash to all browsers.

The client does the same with every URL it visits: it builds the same expressions, hashes them and compares the prefixes with the local list. Only on a prefix match does it ask Google for the full hashes behind that prefix, so Google hears about a tiny fraction of visited URLs and, even then, cannot tell which URL sharing that prefix the user actually visited.
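As an added example (not Google's code, nor the course's), the client side of that scheme: build the host-suffix / path-prefix expressions for a URL, hash each with SHA-256, and compare the leading bytes against a local prefix list. Google's full canonicalization (percent-decoding, IP-address hosts, fragment and stray-dot handling) is left out, and the local prefix list is constructed for this example.

```python
"""Local hash-prefix matching in the style of the Safe Browsing Update API.

Added example, not Google's code. Canonicalization is simplified and the
prefix list below is constructed for this example.
"""
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # the Update API ships 4..32 byte prefixes; 4 is the common size


def host_suffixes(host):
    """The exact host plus up to four suffixes built from its last five labels."""
    labels = host.lower().split(".")
    out = [".".join(labels)]
    tail = labels[-5:]
    for i in range(len(tail) - 1):          # stop before the bare TLD
        suffix = ".".join(tail[i:])
        if suffix not in out:
            out.append(suffix)
    return out


def path_prefixes(path, query):
    """Exact path (with and without query) plus up to four directory prefixes."""
    path = path or "/"
    out = [f"{path}?{query}"] if query else []
    out.append(path)
    prefix = "/"
    dirs = [d for d in path.rsplit("/", 1)[0].split("/") if d]
    for d in [None] + dirs[:3]:
        if d is not None:
            prefix += d + "/"
        if prefix not in out:
            out.append(prefix)
    return out


def expressions(url):
    """Every host/path combination that gets hashed for this URL."""
    parts = urlsplit(url)
    return [h + p for h in host_suffixes(parts.hostname or "")
            for p in path_prefixes(parts.path, parts.query)]


def hash_prefix(expression):
    """Leading PREFIX_LEN bytes of the SHA-256 of an expression."""
    return hashlib.sha256(expression.encode()).digest()[:PREFIX_LEN]


def lookup(url, prefix_list):
    """First expression whose prefix is in the local list, else None."""
    for expr in expressions(url):
        if hash_prefix(expr) in prefix_list:
            return expr
    return None


# Constructed local list: what the client would have downloaded from the server.
LOCAL_PREFIXES = {hash_prefix("evil.example/bad/"), hash_prefix("phish.example/")}

if __name__ == "__main__":
    for url in ("http://www.evil.example/bad/page.html?x=1", "https://good.example/a/b"):
        hit = lookup(url, LOCAL_PREFIXES)
        print(url, "->", f"prefix hit on {hit!r}: fetch full hashes" if hit else "clean")
```

A hit here is only a candidate: the real client then sends that 4-byte prefix (not the URL) to the server and compares the full 32-byte hashes it gets back, which is what keeps the browsing history private.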

27
Q

What is a cryptographic hash function?

A

It is an algorithm that maps data of arbitrary size to a bit string of a fixed size.
The source data is commonly referred to as "the message".
The resulting bit string is commonly referred to as "the hash value" (or digest).

28
Q

What characteristics must a function have to be considered a cryptographic hash function?

A
  • One-way (preimage resistant): given a hash value, it is infeasible to find a message that produces it.
  • Deterministic: the same message always results in the same hash value.
  • Quick to compute: hash functions are called thousands of times.
  • Collision resistant: it is infeasible to find two different messages with the same hash value (collisions must exist, since the output is fixed size, but nobody can find one in practice).
  • Avalanche effect: even a small change to the message changes the hash value extensively, flipping about half of the output bits on average.
29
Q

What is a side channel attack?

A

It is an attack based on information gained from the physical implementation of a computer system, rather than from weaknesses in the algorithm that the system implements.

Some possible sources of leaks of this information are:
- Timing Information
- Power Consumption
- Electromagnetic Leaks
- Sound

30
Q

What is an example of a side channel attack (non-web based)?

A

Imagine a soundproof room made of glass. The glass has been adequately tested and there is absolutely no way sound leaks out of it.
However, sound is vibration in the air. These vibrations interact with the objects in the room and, if the objects are light enough (the leaves of a plant, an empty bag of chips, a pair of earbuds lying on the table), move them. The movement is far too small for the naked eye to see.

So if you record a video of the room from outside, even though the video captures no sound, you can analyze it afterwards and recover an approximation of the sounds inside, purely from the imperceptible movements the vibrations cause in those objects (the "visual microphone" result).

31
Q

What is a classic CSS side channel attack and what does it consist of?

A

The CSS history leak.

It consists of checking the color (or other computed style) of the links displayed to a user in order to determine which sites they have already visited, since browsers style visited links differently through the :visited pseudo-class.

32
Q

How were the CSS History Leaks fixed?

A
  1. Preventing layout-based attacks
    The :visited pseudo-class can no longer load a resource (e.g. a background image), change position or change size; only a few color properties may differ.
  2. Preventing some timing attacks
    The code paths for visited and unvisited links were made the same length.
  3. Preventing computed-style attacks
    The DOM APIs (getComputedStyle and friends) always report a link's style as if it were unvisited.
33
Q

How can you detect visited links based on redraw timing?

A

Visited and unvisited links historically went through different rendering code paths, so drawing a visited link took a measurably different amount of time. By timing how long the page takes to paint with each candidate link in place, you can estimate which links were already visited. This is the attack that fix 2 on the previous card targets.

34
Q

How can cross-origin images leak data?

A

Suppose a site serves an image that differs depending on whether you are logged in, for example an avatar versus a placeholder with a different width or height.

An attacker's page can embed that image and measure how it affects the layout (the element's rendered size, or the position of things below it) and use that to learn whether the visitor is logged in to the other site. The attacker never reads the pixels, only a side effect of loading them.

35
Q

What side channel attack based on the ambient light sensor was used to get the browser history?

A

Using the Ambient Light Sensor API a page could read the light level in the room. The attacker first calibrated by showing a white screen and reading the sensor, then a black screen and reading it again, since the screen's own light reflects back onto the sensor.

Then the attacker styled each link (via :visited) so that a visited link painted the screen white and an unvisited one black, and read the sensor again for each link.
You never read the visited state directly, but you get each URL alongside the light variation, which in practice is the same thing.

36
Q

What is a side channel attack based on QR codes and the ambient light sensor?

A

A cross-origin page can embed a QR code that encodes private information (a login token, say). You cannot read that image's pixels, but you can zoom in so that one pixel at a time fills the screen and use the ambient light sensor to tell whether it is black or white. Doing this for every pixel reconstructs the full QR code.

37
Q

What side channel attack was discovered through the gyroscope of mobile phones?

A

It was discovered that the gyroscopes in modern smartphones are sensitive enough to pick up acoustic signals in the vicinity of the phone, so a page could capture them even without microphone permission.

Using signal processing and machine learning on that data, an attacker could identify the speaker and even recognize some spoken words.
Since iOS and Android required no special permission to access the gyroscope at the time, any app or active web content could use it to eavesdrop on speech near the phone.

Browsers and mobile OSes have since tightened this: pages now need a permission prompt (or only get a reduced sampling rate) before reading motion sensors.

38
Q

What is command injection?

A

It is when an attacker passes unsafe user-supplied data (from forms, cookies, HTTP headers, etc.) through to a system shell.

The goal is to execute arbitrary commands on the host operating system with the privileges of the vulnerable application.

39
Q

What is an example of command injection through a request?

A

Suppose you have a form with some inputs and you use those inputs to run a command directly in the shell, for example fetching a file by receiving the filename as an input and running "cat <filename>".

The form can then be used to inject extra commands into the shell.
Example:

Windows

1234.txt & echo. > attacker_was_here.txt

Linux

1234.txt;touch attacker_was_here.txt

In these examples the shell receives the filename and then processes an additional command, which here just creates a text file as proof of execution.

40
Q

What is the solution to avoid command injection when you need to run the user's input in the terminal?

A

Do not start a shell at all: pass the program and its arguments as a list (execve-style), so the input is a single argument and characters like ; and & are data, not syntax. Validate the input against an allowlist as well (for a filename, check it stays inside the intended directory).

If a shell really is unavoidable, escape the string with the language's own routine (shlex.quote in Python, escapeshellarg in PHP). The way to do this differs from language to language, but the idea is to neutralize or reject the shell metacharacters.
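As an added example (not part of the course material), the file-lookup form from the previous card in both shapes: the vulnerable version interpolates the filename into a shell string, so the card's Linux payload drops attacker_was_here.txt, while the fixed version never starts a shell and refuses names that do not resolve to a file inside the directory. It runs on a scratch directory it creates itself; the file contents are constructed.

```python
"""The file-lookup form from the card: vulnerable and fixed.

Added example, not from the course. Uses POSIX `cat`/`touch` on a
temporary directory it creates; everything else is self-contained.
"""
import shlex
import subprocess
import tempfile
from pathlib import Path


def read_file_vulnerable(base_dir, filename):
    """shell=True hands the whole string to /bin/sh, so ';' ends our command."""
    return subprocess.run(f"cat {filename}", shell=True, cwd=base_dir,
                          capture_output=True, text=True).stdout


def read_file_safe(base_dir, filename):
    """Argument list (no shell) plus a path check: the name is data, not syntax."""
    base = Path(base_dir).resolve()
    target = (base / filename).resolve()
    # resolve() follows '..' and symlinks; '../etc/passwd' lands outside base,
    # and 'x;touch y' is simply a file that does not exist
    if base not in target.parents or not target.is_file():
        raise ValueError(f"refusing {filename!r}")
    return subprocess.run(["cat", str(target)], capture_output=True,
                          text=True, check=True).stdout


def quoted_command(filename):
    """If a shell is unavoidable, shlex.quote turns the input into one shell word."""
    return f"cat {shlex.quote(filename)}"


INJECTED = "1234.txt;touch attacker_was_here.txt"   # the Linux payload from the card


def demo():
    """Run both versions on a scratch directory and report what happened."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "1234.txt").write_text("hello\n")       # constructed content
        vuln_out = read_file_vulnerable(d, INJECTED)
        dropped = (Path(d) / "attacker_was_here.txt").exists()
        try:
            read_file_safe(d, INJECTED)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        safe_out = read_file_safe(d, "1234.txt")
    return {"vuln_output": vuln_out, "attacker_file_created": dropped,
            "safe_rejected_payload": safe_rejected, "safe_output": safe_out}


if __name__ == "__main__":
    print(demo())
    print(quoted_command(INJECTED))
```

In a real application the right fix is usually to not shell out at all (Path.read_text here); the argv form is shown because some tasks genuinely need an external program.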

41
Q

What is SQL Injection?

A

It is an injection attack that executes arbitrary queries against the database through a vulnerable application that builds SQL from user input.

42
Q

What is the most common way to test if a site is vulnerable to SQL injection?

A

Supply input that changes the structure of the query rather than just its data. In the classic form the attacker types ' OR 1=1 -- into the username field, so a query built by string concatenation,

SELECT * FROM users WHERE username = '<input>'

becomes

SELECT * FROM users WHERE username = '' OR 1=1 --'

which matches every row. Even a lone single quote is a useful test: an SQL syntax error in the response is a strong hint that input reaches the query unescaped.

43
Q

What is Blind SQL Injection?

A

It occurs when the database's output is not shown on the webpage or in the app. The web app may be configured to show a generic error message instead of returning useful data to the user, yet still be vulnerable to SQL injection.

The attacker's goal is to extract information by asking "yes or no" questions. These yes/no questions can be approached via two methods:

Content-based
See whether the page reacts differently depending on whether the injected condition is true or false.

Time-based
Make the database pause for a specified amount of time when the condition is true and return immediately otherwise.

44
Q

What is an example of a time-based blind SQL injection?

A

SELECT 123=LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(100000/2))))

SQLite has no SLEEP() function, so the delay is made by forcing expensive work: RANDOMBLOB builds a large random blob, HEX and UPPER expand it, and LIKE scans the result (increase the blob size for a longer delay). The attacker places this behind a condition so that the query takes a noticeable amount of time only when the guess is right. Other engines have explicit delays: SLEEP(n) in MySQL, pg_sleep(n) in PostgreSQL, WAITFOR DELAY in SQL Server.

45
Q

What are the common defenses against SQL Injection?

A

Using parameterized SQL (prepared statements): the query text and the values travel separately, so input can never change the query's structure.
Using Object Relational Mappers (ORMs), which generate parameterized queries for you; their raw-query escape hatches are still injectable if you concatenate into them.
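As an added example (not part of the course material) covering the last five cards: a login query built by string concatenation, the ' OR 1=1 -- bypass against it, a content-based blind extraction that recovers a password one character at a time using only the login's yes/no answer, and the parameterized version that defeats both. It runs on an in-memory SQLite database; the users table, credentials and payloads are constructed for this example.

```python
"""SQL injection, blind (boolean) extraction and the parameterized fix.

Added example, not from the course. In-memory SQLite; the users table and
its credentials are constructed for this example.
"""
import sqlite3
import string

db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
               [("admin", "hunter2"), ("alice", "s3cret")])   # constructed rows


def login_vulnerable(username, password):
    """String concatenation: the input becomes part of the SQL grammar."""
    sql = (f"SELECT id FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_safe(username, password):
    """Parameterized: values are sent separately, so a quote stays a quote."""
    sql = "SELECT id FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None


def blind_extract_password(target_user, oracle=login_vulnerable, max_len=32):
    """Recover a password one character at a time from a yes/no oracle.

    Each guess injects a condition on substr(password, pos, 1) into the
    username; whether the login "succeeds" is the content-based signal.
    """
    recovered = ""
    alphabet = string.ascii_letters + string.digits
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = f"{target_user}' AND substr(password, {pos}, 1) = '{ch}' -- "
            if oracle(payload, "irrelevant"):
                recovered += ch
                break
        else:
            break            # no character matched: we ran off the end
    return recovered


if __name__ == "__main__":
    bypass = "' OR 1=1 -- "
    print("vulnerable login with bypass:", login_vulnerable(bypass, "x"))
    print("safe login with bypass:      ", login_safe(bypass, "x"))
    print("blind extraction (vulnerable):", blind_extract_password("admin"))
    print("blind extraction (safe):      ", repr(blind_extract_password("admin", oracle=login_safe)))
```

The extraction needs roughly (alphabet size × password length) requests, which is why real tooling binary-searches on the character code instead; the time-based variant is the same loop with a delay expression in place of the visible success/failure.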