Module 13

Question 1

frame

Answer 1

a way to embed a page within a page

Question 2

what do we specify in frame isolation?

Answer 2

outer page can specify only size and placement of other page
outer page cannot change content of inner page
inner page cannot change contents of outer page

Question 3

same origin policy (SOP)

Answer 3

one origin should not be able to access resources of another origin

Question 4

what resources does SOP pertain to?

Answer 4

cookies
DOM tree
DOM storage
JS namespace
visual display area

Question 5

what is an origine?

Answer 5

granularity of protection from SOP
origine = protocol + hostname + port

http://cis.upenn.edu:80/

Question 6

what is an origine?

Answer 6

granularity of protection from SOP
origine = protocol + hostname + port

http://cis.upenn.edu:80/

Question 7

how is origin determined?

Answer 7

string matching (having a different path is fine)
http vs https NOT FINE
not different ports

Question 8

origins of different objects

Answer 8

images inherit origin of site that loads them
JS inherits the origin of site that loads it
DOM nodes get origin of surrounding frame
cookies are URL + path
frames are more complicated

Question 9

frames do not adopt origine or outer side t/f

Answer 9

true / frame’s origin is its URL

unless

you change part to suffix of its domain

• frame for cis.upenn.edu can change its origin to upenn.edu via document.domain
• but not to top-level domain such as .edu

Question 10

two frames can access each other’s resources if:

Answer 10

both frames set document.domain to same value

neither has changed document.domain (and there is a match)

Question 11

when is cross domain allowed?

Answer 11

if both origins optin in

• -> postMessage interface
• -> one site has an event listener that waits for messages
• -> other site is a client and issues messages

Question 12

what is clickjacking?

Answer 12

attacker makes an inner frame invsiible

attack buts another web element underneath, tricking the user doing things they don’t want to do

Question 13

defenses

Answer 13

user confirmation (pop up)
UI randomization (move dialogue / forms around so it is hard for attacker to align content)
x-frame-options-heads (server can tell browser: "do not allow my content to be shown in a frame")
framebusting code (code that prevents a page from being loaded into a frame)

Question 14

framebusting code

Answer 14

if (self != top) {
top.location = self.location;
}

Question 15

HTML5 screen capture / screen sharing

Answer 15

if a frame takes a screenshot it can take a screenshot of entire page
can see content in all other frames
–including sensitive info
solution: stop using your computer

Question 16

cross-site request forgery

Answer 16

attack that causes a user to execute an unwanted action in a web site in which they are currently authenticated (e.g. via cookies)

exploitable via:

• frames
• links (sent in emails, whatsapp/wechat messages, etc)
• javascript
• XMLHttpRequest

Question 17

how to prevent CSRF?

Answer 17

csrf tokens
server sends a random token when form is submitted
and if user doesn’t provide token, the request will not be accepted

why does this work?
the attacker cannot see the html of the inner frame so the attacker will not be able to send token

Question 18

XSS cross site scripting

Answer 18

problem: parsing/escaping bugs
XSS exploits ambiguity between what is code and what is data
similarly to how in buffer overflow attacks the attacker injects data (shellcode) that is then interpreted as code

Question 19

setup of xss attack

Answer 19

attacker does not target victim directly
attacker exploits a vulnerability in a website that the victim visits

idea:
- attacker injects JS code as if it were data into the website
- when the victim’s browser downloads the content, it will misinterpret data as JS that is part of the website and run it

Question 20

how to inject code

Answer 20

persistent xss
tricks browser into into interpreting data as code
injected code runs with origin of buggy website
-code can access piazza’s cookie (cookie theft)
-code can prompt user for password then send password to other server
-code can track what user does on website (keylogging/spying)

Question 21

reflected xss

Answer 21

Alice is accidentally providing the script

malicious string is part of the victim’s request to the website
website sends back the string with the response
browser interprets it as code

Question 22

DOM-based xss

Answer 22

malicious string is part of victim’s request, but it need not be sent to the server
so server cannot sanitize the script

Question 23

how to defend against xss?

Answer 23

encoding
idea: escape user input to ensure browser interprets it as data
limitations: possible to input malicious strings in some contexts
document.querySelector(“a”).href = user_input
a URL beginning with “javascript”: will cause browser to execute javascript embedded un url

validation: filter input so that browser interprets it as code without malicious commands
- blacklisting: forbids certain patterns
- examples: do not allow URLs that start with the “javascript:”protocol
- limitation: hard to describe all possible malicious strings
- whitelisting: allow only certain patterns. everything else is invalid
- example: URL must start with http: or https:

Question 24

SQL Injection

Answer 24

attacks that exploit incorrect parsing/handling of user inputs
attacks can extract information (SELECT)
attacks can corrupt database (DROP, INSERT, UPDATE)

Question 25

how to prevent SQL injections attacks

Answer 25

write bug free code!
lol
sanitize user inputs
- escape inputs
- blacklist / whitelist

avoid building SQL statements from raw user input
- use a framework like django (escapes inputs for you)

use prepared sql statements

warning: don’t write it yourself; use a library that supports prepared statements