Module 13 Flashcards

1
Q

frame

A

a way to embed a page within a page

2
Q

what do we specify in frame isolation?

A

outer page can specify only size and placement of other page
outer page cannot change content of inner page
inner page cannot change contents of outer page

3
Q

same origin policy (SOP)

A

one origin should not be able to access resources of another origin

4
Q

what resources does SOP pertain to?

A
cookies
DOM tree
DOM storage
JS namespace
visual display area
5
Q

what is an origin?

A

granularity of protection for SOP
origin = protocol + hostname + port

http://cis.upenn.edu:80/

7
Q

how is origin determined?

A

string matching of protocol, hostname and port (having a different path is fine)
http vs https is NOT fine (different protocol means different origin)
different ports are not fine either (different port means different origin)

8
Q

origins of different objects

A

images inherit the origin of the site that loads them
JS inherits the origin of the site that loads it
DOM nodes get the origin of the surrounding frame
cookies are scoped by URL (domain) + path
frames are more complicated

9
Q

frames do not adopt the origin of the outer site, t/f

A

true / a frame's origin is its own URL

unless

you change it to a suffix of its domain

  • a frame for cis.upenn.edu can change its origin to upenn.edu via document.domain
  • but not to a top-level domain such as .edu
10
Q

two frames can access each other’s resources if:

A

both frames set document.domain to the same value

or neither has changed document.domain (and their origins match)

11
Q

when is cross-domain access allowed?

A

if both origins opt in

  • -> postMessage interface
  • -> one site registers an event listener that waits for messages
  • -> the other site is a client and sends messages
12
Q

what is clickjacking?

A

attacker makes an inner frame invisible

attacker puts another web element underneath, tricking the user into doing things they don't want to do

13
Q

clickjacking defenses

A
user confirmation (pop-up)
UI randomization (move dialogs / forms around so it is hard for the attacker to align content)
X-Frame-Options header (server can tell the browser: "do not allow my content to be shown in a frame")
framebusting code (code that prevents a page from being loaded into a frame)
14
Q

framebusting code

A

// if this window is not the top-level window, the page has been framed
if (self != top) {
  // navigate the top-level window to this page, breaking out of the frame
  top.location = self.location;
}

15
Q

HTML5 screen capture / screen sharing

A

if a frame takes a screenshot, it can take a screenshot of the entire page
it can see content in all other frames
- including sensitive info
solution: stop using your computer

16
Q

cross-site request forgery

A

attack that causes a user to execute an unwanted action on a web site in which they are currently authenticated (e.g. via cookies)

exploitable via:

  • frames
  • links (sent in emails, whatsapp/wechat messages, etc)
  • javascript
  • XMLHttpRequest
17
Q

how to prevent CSRF?

A

CSRF tokens
server sends a random token when the form is submitted
and if the user doesn't provide the token, the request will not be accepted

why does this work?
because of the same origin policy, the attacker cannot see the HTML of the inner frame, so the attacker will not be able to send the token

18
Q

XSS cross site scripting

A

problem: parsing/escaping bugs
XSS exploits the ambiguity between what is code and what is data
similar to how, in buffer overflow attacks, the attacker injects data (shellcode) that is then interpreted as code

19
Q

setup of an XSS attack

A

attacker does not target the victim directly
attacker exploits a vulnerability in a website that the victim visits

idea:
- attacker injects JS code as if it were data into the website
- when the victim's browser downloads the content, it misinterprets the data as JS that is part of the website and runs it

20
Q

how to inject code

A

persistent XSS
tricks the browser into interpreting stored data as code
injected code runs with the origin of the buggy website
- code can access piazza's cookie (cookie theft)
- code can prompt the user for a password, then send the password to another server
- code can track what the user does on the website (keylogging/spying)

21
Q

reflected XSS

A

Alice is accidentally providing the script

malicious string is part of the victim's request to the website
website sends the string back in the response
browser interprets it as code

22
Q

DOM-based XSS

A

malicious string is part of the victim's request, but it need not be sent to the server
so the server cannot sanitize the script

23
Q

how to defend against XSS?

A

encoding
idea: escape user input to ensure the browser interprets it as data
limitation: in some contexts it is still possible to input malicious strings, e.g.
document.querySelector("a").href = user_input
a URL beginning with "javascript:" will cause the browser to execute the JavaScript embedded in the URL

validation: filter input so that the browser interprets it as code without malicious commands
- blacklisting: forbids certain patterns
- example: do not allow URLs that start with the "javascript:" protocol
- limitation: hard to describe all possible malicious strings
- whitelisting: allow only certain patterns; everything else is invalid
- example: URL must start with http: or https:

24
Q

SQL Injection

A

attacks that exploit incorrect parsing/handling of user inputs
attacks can extract information (SELECT)
attacks can corrupt the database (DROP, INSERT, UPDATE)

25
Q

how to prevent SQL injection attacks?

A
write bug-free code!
lol
sanitize user inputs
- escape inputs
- blacklist / whitelist

avoid building SQL statements from raw user input
- use a framework like Django (escapes inputs for you)

use prepared SQL statements

warning: don't write it yourself; use a library that supports prepared statements