Module 13 Flashcards
frame
a way to embed a page within a page
what does frame isolation guarantee?
the outer page can specify only the size and placement of the inner page
the outer page cannot change the content of the inner page
the inner page cannot change the content of the outer page
same origin policy (SOP)
one origin should not be able to access resources of another origin
what resources does SOP pertain to?
cookies, DOM tree, DOM storage, JS namespace, visual display area
what is an origin?
the granularity of protection under SOP
origin = protocol + hostname + port
e.g. http://cis.upenn.edu:80/
how is "same origin" determined?
exact string matching on the (protocol, hostname, port) tuple; a different path (or query/fragment) is still the same origin
http vs https is NOT the same origin
a different port is NOT the same origin
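The same-origin comparison as working code, added here as an example (not part of the flashcards). It uses the WHATWG URL parser that browsers and Node expose as URL; the sample URLs are constructed to cover each rule on the card.

```javascript
// Added example, not from the flashcards: the origin tuple and the same-origin check.

// The URL parser reports port '' when it equals the scheme default, so
// "http://cis.upenn.edu/" and "http://cis.upenn.edu:80/" must normalise to the same port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Granularity of SOP protection: (protocol, hostname, port). Path, query and
// fragment are not part of it.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                                // e.g. 'https:'
    host: u.hostname,                                  // exact match; a subdomain is a different host
    port: u.port || DEFAULT_PORTS[u.protocol] || '',   // normalised default port
  };
}

// Same origin means all three components match exactly (plain string comparison).
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases, one per rule on the card.
const CASES = [
  ['http://cis.upenn.edu:80/', 'http://cis.upenn.edu/courses?term=fall', true],  // path/query differ: fine
  ['http://cis.upenn.edu/',    'https://cis.upenn.edu/',                  false], // http vs https: not fine
  ['http://cis.upenn.edu/',    'http://cis.upenn.edu:8080/',              false], // different port: not fine
  ['http://cis.upenn.edu/',    'http://upenn.edu/',                       false], // parent domain: a different host
];

// Returns one boolean per case: does sameOrigin agree with the rule?
function runCases() {
  return CASES.map(([a, b, expected]) => sameOrigin(a, b) === expected);
}
```

Note that browsers expose the same tuple pre-serialised as `new URL(...).origin`; the explicit port normalisation above is there to make the "default port" rule visible.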
origins of different objects
images inherit origin of site that loads them
JS inherits the origin of site that loads it
DOM nodes get origin of surrounding frame
cookies are scoped by host (or the Domain attribute) + Path, not by port, and only by scheme through the Secure flag
frames are more complicated
frames do not adopt the origin of the outer page: true or false?
true / a frame's origin is that of its own URL
unless
the frame changes document.domain to a suffix of its own domain
- a frame for cis.upenn.edu can change its origin to upenn.edu via document.domain
- but not to a top-level domain such as .edu
two frames can access each other's resources if:
both frames have set document.domain to the same value
or neither has changed document.domain and their origins match
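A model of the document.domain rules on the two cards above, added as an example (it is not code from the flashcards). Real browsers decide what counts as a public suffix using the Public Suffix List; this model assumes a tiny stand-in list and assumes scheme and port are equal throughout. Note that document.domain is deprecated and recent Chrome versions disable setting it by default.

```javascript
// Added example, not from the flashcards: the document.domain relaxation rules.
// Assumption: a tiny stand-in for the Public Suffix List.
const PUBLIC_SUFFIXES = new Set(['edu', 'com', 'org']);

function isDomainSuffix(candidate, host) {
  return host === candidate || host.endsWith('.' + candidate);
}

// cis.upenn.edu may relax to upenn.edu, but not to edu, and never to an unrelated domain.
function mayRelaxTo(host, value) {
  return isDomainSuffix(value, host) && !PUBLIC_SUFFIXES.has(value);
}

// A frame: its real host plus the value it assigned to document.domain (null = untouched).
function frame(host) {
  return { host, domain: null };
}

function setDocumentDomain(f, value) {
  if (!mayRelaxTo(f.host, value)) {
    throw new Error(`${f.host} cannot set document.domain to ${value}`);
  }
  f.domain = value;   // even value === f.host counts as "changed" from now on
  return f;
}

// The rule on the card: both set the same value, or neither set it and the hosts match.
// One side relaxed and the other not => no access, even for identical hosts.
function canAccess(a, b) {
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  if (a.domain === null && b.domain === null) return a.host === b.host;
  return false;
}
```

The last branch is the case people get wrong: setting document.domain, even to the page's own host, is a one-way change, and a same-host frame that has not done the same can no longer script it.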
when is cross-origin communication allowed?
if both origins opt in
- -> postMessage interface
- -> one site registers an event listener that waits for messages and checks the sender's origin
- -> the other site is the client and sends messages, naming the intended target origin
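Both sides of the postMessage opt-in, added as an example (not code from the flashcards). The origin strings and the message format are assumptions for the demo; the receiver returns a result object so its decision can be inspected, which a real browser listener would not need.

```javascript
// Added example, not from the flashcards: a receiver and a sender for postMessage.
const TRUSTED_ORIGIN = 'https://cis.upenn.edu';   // assumed trusted peer

// Receiving side: builds the handler for window.addEventListener('message', ...).
function makeReceiver(trustedOrigin, handlers) {
  return function onMessage(event) {
    // event.origin is filled in by the browser from the sender's origin; the sender cannot forge it
    if (event.origin !== trustedOrigin) return { accepted: false, reason: 'untrusted origin' };
    // event.data is still untrusted input: check its shape, and look up handlers with
    // hasOwnProperty so a type like "toString" cannot reach Object.prototype
    const type = event.data && event.data.type;
    if (typeof type !== 'string' || !Object.prototype.hasOwnProperty.call(handlers, type)) {
      return { accepted: false, reason: 'malformed message' };
    }
    const reply = handlers[type](event.data);
    // reply only to the window that asked, and only if it still has the expected origin
    if (event.source && typeof event.source.postMessage === 'function') {
      event.source.postMessage(reply, event.origin);
    }
    return { accepted: true, reply };
  };
}

// Sending side: always name the target origin. With '*', any document that happens to be
// loaded in the target window, including an attacker's, would receive the message.
function sendMessage(targetWindow, data, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to post with a wildcard target origin');
  targetWindow.postMessage(data, targetOrigin);
}

// Browser wiring (not executed here):
//   window.addEventListener('message',
//     makeReceiver(TRUSTED_ORIGIN, { ping: m => ({ type: 'pong', n: m.n }) }));
//   sendMessage(document.getElementById('inner').contentWindow,
//     { type: 'ping', n: 1 }, 'https://other.example');
```

The two checks that matter are the `event.origin` comparison on receipt and the explicit target origin on send; a listener that skips the first accepts messages from any site that can get a reference to the window.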
what is clickjacking?
attacker loads the target page in an invisible (transparent) frame
attacker places a decoy element underneath it, so the user thinks they are clicking the decoy but actually clicks into the invisible frame, doing things they did not intend to do
defenses
- user confirmation (pop-up dialog before sensitive actions)
- UI randomization (move dialogs / forms around so it is hard for the attacker to align the decoy with the target)
- X-Frame-Options header (server tells the browser: "do not allow my content to be shown in a frame"; its modern successor is the Content-Security-Policy frame-ancestors directive)
- framebusting code (code that prevents a page from being loaded inside a frame)
framebusting code (runs in the page that does not want to be framed)
// if this document is not the top-level window, it has been framed: navigate the top window to ourselves
if (self !== top) {
  top.location = self.location;
}
// caveat: bypassable (e.g. a sandboxed iframe without allow-top-navigation blocks this navigation), so send X-Frame-Options / CSP frame-ancestors as well
HTML5 screen capture / screen sharing
if a page captures the screen (screen-sharing API, which needs the user to grant permission), it receives the pixels of the entire display
so it can see the content of all other frames and windows
- including sensitive info, because pixels are not subject to frame isolation
solution: stop using your computer
cross-site request forgery
attack that makes a user's browser send a request the user did not intend to a website where they are currently authenticated (e.g. via cookies, which the browser attaches automatically)
exploitable via:
- frames
- links (sent in emails, whatsapp/wechat messages, etc)
- JavaScript
- XMLHttpRequest
how to prevent CSRF?
csrf tokens
server embeds a random, unguessable token (tied to the user's session) in the form when it serves the page
a submitted request that does not carry the matching token is rejected
why does this work?
because of the same origin policy the attacker's page cannot read the HTML of the victim's frame (nor the response to a cross-origin request), so it never learns the token and cannot forge a request that carries it
XSS cross site scripting
problem: parsing/escaping bugs
XSS exploits ambiguity between what is code and what is data
similarly to how in buffer overflow attacks the attacker injects data (shellcode) that is then interpreted as code
setup of xss attack
attacker does not target victim directly
attacker exploits a vulnerability in a website that the victim visits
idea:
- attacker injects JS code as if it were data into the website
- when the victim’s browser downloads the content, it will misinterpret data as JS that is part of the website and run it
how to inject code
persistent (stored) xss
the attacker's input is stored by the website (e.g. in a post or comment) and served to every visitor, tricking the browser into interpreting data as code
the injected code runs with the origin of the buggy website, so:
- code can access the website's (e.g. Piazza's) cookie (cookie theft)
- code can prompt the user for a password and send it to the attacker's server
- code can track what the user does on the website (keylogging / spying)
reflected xss
the victim (Alice) unwittingly supplies the script herself
the malicious string is part of the victim's request to the website (e.g. a query parameter in a link the attacker sent her)
the website echoes the string back in its response
the browser interprets it as code
DOM-based xss
the malicious string is part of the victim's request (e.g. the URL fragment after #), but it need not be sent to the server: client-side JavaScript reads it and writes it into the page
so the server never sees the script and cannot sanitize it; the defense has to live in the client-side code
how to defend against xss?
encoding
idea: escape user input before placing it in the page (e.g. < as &lt;) so the browser interprets it as data
limitation: in some contexts encoding is not enough, because the malicious string needs no special characters
document.querySelector("a").href = user_input
a URL beginning with "javascript:" makes the browser execute the JavaScript embedded in the URL when the link is clicked, and HTML encoding leaves such a URL unchanged
validation: restrict the input to forms that cannot carry malicious commands in the context where it is used
- blacklisting: forbids certain patterns
- example: do not allow URLs that start with the "javascript:" protocol
- limitation: hard to enumerate all malicious strings (case variants, leading whitespace and embedded tabs or newlines all slip past a naive check, yet the browser still parses them as javascript:)
- whitelisting: allow only certain patterns; everything else is invalid
- example: URL must start with http: or https:
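The XSS defenses on the cards above as working code, added as an example (not code from the flashcards): HTML encoding for a text context, and the URL attribute context where encoding does nothing and a scheme whitelist is needed. The search page, the base URL used for resolving relative links and the payloads are constructed for the demo.

```javascript
// Added example, not from the flashcards: output encoding vs. URL validation.

// Escape the five characters that change meaning in HTML text or quoted attributes.
function encodeForHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Reflected XSS: the search term is echoed into the page. Vulnerable and fixed versions.
function searchPageVulnerable(term) {
  return `<h1>Results for ${term}</h1>`;
}
function searchPageSafe(term) {
  return `<h1>Results for ${encodeForHtml(term)}</h1>`;
}

// URL attribute context. Blacklist: forbid the javascript: scheme by prefix. Easy to bypass.
function hrefBlacklist(url) {
  return url.startsWith('javascript:') ? '#' : url;
}

// What the browser's URL parser makes of the string: it lowercases the scheme, strips
// leading/trailing whitespace and removes embedded tabs and newlines before deciding.
function parsesAsJavascript(url) {
  try {
    return new URL(url, 'https://example.com/').protocol === 'javascript:';
  } catch {
    return false;
  }
}

// Whitelist: parse the way the browser will (assumed base URL for relative links), then
// allow only http(s). Note this pins the scheme only; "//evil.example/x" still passes,
// so restrict the host as well if links must stay on-site.
function hrefWhitelist(url, base = 'https://example.com/') {
  let parsed;
  try {
    parsed = new URL(url, base);
  } catch {
    return '#';
  }
  return (parsed.protocol === 'http:' || parsed.protocol === 'https:') ? parsed.href : '#';
}
```

The tell-tale limitation of encoding is visible in `encodeForHtml('javascript:alert(1)')`, which returns its input unchanged: nothing in that payload needs escaping, so only validation of the URL itself can stop it.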
SQL Injection
attacks that exploit incorrect parsing/handling of user input when it is spliced into a SQL statement
attacks can extract information (SELECT)
attacks can corrupt the database (DROP, INSERT, UPDATE)
how to prevent SQL injection attacks?
write bug-free code! (lol)
sanitize user inputs: escape inputs, blacklist / whitelist
avoid building SQL statements from raw user input
- use a framework / ORM such as Django's (it escapes and parameterizes inputs for you)
use prepared (parameterized) SQL statements
warning: don't write the escaping or parameter binding yourself; use a library that supports prepared statements
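The code-versus-data confusion behind SQL injection, added as an example (not code from the flashcards), shown with a small SQL tokenizer rather than a database. The table, queries and inputs are constructed for the demo; the `prepared` function only models the parse-then-bind split that a real driver performs inside the database server.

```javascript
// Added example, not from the flashcards: why concatenation injects, why escaping is
// context-dependent, and why prepared statements fix the statement's structure up front.

// Tokens: string literals ('' is the escaped quote), numbers, words, single punctuation chars.
function tokenize(sql) {
  return sql.match(/'(?:[^']|'')*'|\d+|[A-Za-z_]\w*|\S/g) || [];
}

// The "shape" of a statement: literal values collapsed, keywords upper-cased.
// Untrusted data may change the values, never the shape.
function shape(sql) {
  return tokenize(sql).map(t => {
    if (t.length >= 2 && t.startsWith("'") && t.endsWith("'")) return 'STR';
    if (/^\d+$/.test(t)) return 'NUM';
    return t.toUpperCase();
  }).join(' ');
}

// 1. Concatenation: the input is parsed as part of the statement.
function byNameConcat(name) {
  return "SELECT * FROM users WHERE name = '" + name + "'";
}

// 2. Escaping: doubling quotes keeps the string literal closed ...
function escapeSqlString(s) {
  return String(s).replace(/'/g, "''");
}
function byNameEscaped(name) {
  return "SELECT * FROM users WHERE name = '" + escapeSqlString(name) + "'";
}

// ... but does nothing in a numeric context, where there is no quote to escape.
function byIdConcat(id) {
  return 'SELECT * FROM users WHERE id = ' + escapeSqlString(id);
}

// 3. Prepared statement (model): the template is parsed before any value is bound,
// so its shape is fixed no matter what the parameters contain.
function prepared(template, params) {
  const slots = (template.match(/\?/g) || []).length;
  if (slots !== params.length) {
    throw new Error(`expected ${slots} parameters, got ${params.length}`);
  }
  return { shape: shape(template), params };
}

// Injection, made precise: untrusted input changed the shape the developer wrote.
function injected(expectedShape, sql) {
  return shape(sql) !== expectedShape;
}

const NAME_SHAPE = shape(byNameConcat('alice'));  // SELECT * FROM USERS WHERE NAME = STR
const ID_SHAPE = shape(byIdConcat('42'));         // SELECT * FROM USERS WHERE ID = NUM
```

Comparing the shape of the built statement with the shape of the intended one is the idea behind structure-based injection detectors; for defense, the prepared statement is the right tool because the database parses the template before it ever sees the values.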