Protecting Browser State from Web Privacy Attacks. Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University

Similar documents
Protecting Browser State from Web Privacy Attacks

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Network Security Web Security

Security Model for the Client-Side Web Application Environments

Project 2: Web Security Pitfalls

Login with Amazon. Getting Started Guide for Websites. Version 1.0

Dawn Song

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Relax Everybody: HTML5 Is Securer Than You Think

DNS REBINDING DENIS BARANOV, POSITIVE TECHNOLOGIES

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Cross Site Scripting Prevention

A Tale of the Weaknesses of Current Client-Side XSS Filtering

Infor Xtreme Browser References

Criteria for web application security check. Version

Breaking the Myths of Extended Validation SSL Certificates

Tools to Protect Against Identity Theft

Subspace: Secure Cross-Domain Communication for Web Mashups

Recent Advances in Web Application Security

Attacks on Clients: Dynamic Content & XSS

Breaking the Security Myths of Extended Validation SSL Certificates

Exposing Private Information by Timing Web Applications

Magento Security and Vulnerabilities. Roman Stepanov

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

SUBJECT CODE : 4074 PERIODS/WEEK : 4 PERIODS/ SEMESTER : 72 CREDIT : 4 TIME SCHEDULE UNIT TOPIC PERIODS 1. INTERNET FUNDAMENTALS & HTML Test 1

Login with Amazon. Developer Guide for Websites

Feasibility and Real-World Implications of Web Browser History Detection

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Sichere Webanwendungen mit Java

Cross-Site Scripting

Protection, Usability and Improvements in Reflected XSS Filters

Understanding Home Network Security

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

A Practical Attack to De Anonymize Social Network Users

Privacy Policy. The Read Privacy Policy was created on June 11, 2015

Advanced XSS. Nicolas Golubovic

Web Application Security

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Preparing for the Cross Site Request Forgery Defense

Exposing Private Information by Timing Web Applications

Robust Defenses for Cross-Site Request Forgery

EECS 398 Project 2: Classic Web Vulnerabilities


RTC-Web Security Considerations

Subspace: Secure Cross-Domain Communication for Web Mashups

Web-Application Security

How to Monitor and Identify Website Issues. 2013, SolarWinds Worldwide, LLC. All rights reserved. Share:

AIRTEL WEBSITE BUILDER

Social Application Guide

Course Information Course Number: IWT 1229 Course Name: Web Development and Design Foundation

Web Security: SSL/TLS

AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

Portals and Hosted Files

Browser Settings for Optimal Site Performance

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Defending against XSS,CSRF, and Clickjacking David Bishop

Spectrum Technology Platform

How To Understand The History Of The Web (Web)

An Insight into Cookie Security

Cookie Same Origin Policy

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 20

Barracuda Networks Web Application Firewall

Analysis of Browser Defenses against XSS Attack Vectors

Developing ASP.NET MVC 4 Web Applications MOC 20486

Checklist of Best Practices in Website

SSL BEST PRACTICES OVERVIEW

CS 558 Internet Systems and Technologies

MyReports Recommended Browser Settings MYR-200a

Weird New Tricks for Browser Fingerprinting. yan ToorCon 2015

Scriptless Timing Attacks on Web Browser Privacy

McAfee Certified Assessment Specialist Network

Phishing by data URI

Tagging Guide: Website and Implementation. Contents

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Table of Contents Recommendation Summary... 3 Introduction... 4 Formatting Recommendations... 5 Creative:... 7 Deliverability & Infrastructure:...

WEB SITE SECURITY. Jeff Aliber Verizon Digital Media Services

Sage ACT! Premium 2013 Web Administrator's Guide

Web Application Worms & Browser Insecurity

Setup The package simply needs to be installed and configured for the desired CDN s distribution server.

Dan Hubbard VP Security Research

Initial Access and Basic IPv4 Internet Configuration

Stopping SQL Injection and. Manoranjan (Mano) Paul. Track: Operating Systems Security - Are we there yet?

Short notes on webpage programming languages

Preparing Internet Explorer 7 & 8 for erequest & estores

USG40HE Content Filter Customization

McAfee Web Gateway Administration Intel Security Education Services Administration Course Training

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

Exploitation of Cross-Site Scripting (XSS) Vulnerability on Real World Web Applications and its Defense

IMRG Peermap API Documentation V 5.0

WompMobile Technical FAQ

Check list for web developers

RSA Authentication Agent 7.1 for Web for IIS 7.0 and 7.5 Installation and Configuration Guide

Urchin Demo (12/14/05)

An introduction to creating Web 2.0 applications in Rational Application Developer Version 8.0

Network Monitoring using MMT:

GSM Security Camera EYE-02 Publishing pictures from EYE-02 camera on your website

AJAX and JSON Lessons Learned. Jim Riecken, Senior Software Engineer, Blackboard Inc.

Developing ASP.NET MVC 4 Web Applications

Transcription:

Protecting Browser State from Web Privacy Attacks Collin Jackson, Andrew Bortz, Dan Boneh, John Mitchell Stanford University

Context-aware Phishing Bank of America customers see: Wells Fargo customers see: Works in all major browsers Design issue, not a just bug

Example Attacks Query visited links: <style>a#visited { background: url(track.php?example.com); }</style><a href="http://example.com/">hi</a> Time browser cache: <script>start = new Date();</script> <img src="http://example.com/logo.gif" onload="end = new Date(); if (end.gettime() start.gettime() < 5) { // image was in cache }"> Can we block script, background image?

Chameleon Pages No JavaScript required No server involvement Even works in Outlook 2002

Perspectives Phisher: Where do you bank? China: Have you been to subversive sites? Amazon: Can I show contexual ads? Phished site: Can I check history against phishing blacklist? PayPal: Can I use history as 2 nd factor? Sensitive website: Can I protect visitors? Browser vendor: Can I protect users at every site?

Same Origin Principle (strict) Only the site that stores some information in the browser may later read or modify that information. Site: protocol + port + host Too restrictive to use in practice Web relies on site interconnections

Same Origin Policy (relaxed) Only the site that stores some information in the browser may later read or modify that information, unless it is shared. What is sharing? No strict definition Relies on expectations of developer/user

Sharing Browser State Pass information in query parameters Modify document.domain User permission (IE s trusted zones, Mozilla s UniversalBrowserRead) Stylesheets Scripts Image size JSONRequest (not XMLHttpRequest) <script type="text/javascript"><!-- google_ad_client = "pub-2966125433144242"; google_ad_width = 110; google_ad_height = 32; google_ad_format = "110x32_as_rimg"; google_cpa_choice = "CAAQ_-KZzgEaCHfyBUS9wT0_KOP143Q"; //--></script> <script type="text/javascript" src= "http://pagead2.googlesyndication.com/pagead/show_ads.js"> </script>

Inappropriate State Sharing Common developer/user expectation: browser history is secret Visited links Cache Cookies JavaScript CSS Options? 93 94 95 96 97 Change expectations Change browser

SafeCache Browser extension for Firefox Intercept requests to browser cache If no referrer, allow request If URL has referrer: Store referrer host with cache entry Cache hit only on referrer host match

SafeHistory Intercept requests to browser history database For each history entry, record referrers Color visited link if: It s a same-site link, or Cross-site link was visited from this site

Third Party Cookies Site of embedded image can build history of visitor s activities where image appears. IP address is no longer sufficient for tracking Solution: Block access to site s own cookies if the domain of the embedding page does not match Site accesses own state not same origin issue

Third Party Blocking Policy A site may only store or read some persistent information in the browser if it is the same site as the top level page. Alternate definition: referrer is same site Top level page is the primary interaction Storing or reading allows tracker to build full record of user s history.

Block on set or read? If setting is allowed: Tracker site sets different cookie at every participating site When user visits tracker site in first party context, entire history is visible If reading is allowed: Tracker site sets unique user identifier cookie when user visits tracker in first party context When user visits any participating site, tracker updates history database entry on server

Broken Cookie Blocking Ideal Read 3 rd -party cookies Allow Block Allow Block Block Set 3 rd -party cookies Block Allow Block Allow Block

Third Party Cache: Example Offsite script included with <script src="..."> Script generated dynamically and cached Unique identifier now appended to all links

General Third Party Blocking SafeCache: Disallow cache for offsite content SafeHistory: Show links as unvisited in cross-site frames

Bypassing Third Party Blocking Protects sites from each other Many covert channels if sites cooperate JavaScript redirection Meta refresh Popup windows Cross-site hyperlinks Certain techniques are implicit cooperation Frames, scripts, CSS can have active content Defense: Disable or clear persistent state

Summary Same origin policy: critical for security Restricts cross-site state access Third party blocking: additional privacy Restricts site s access to its own state Incorrectly implemented in all major browsers Most effective for images Neither technique stops cooperative sharing safecache.com safehistory.com

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information