
Primer on Client-Side Web Security PDF

119 Pages·2014·1.867 MB·English

SpringerBriefs in Computer Science

Series Editors
Stan Zdonik, Computer Science Department, Brown University, Providence, Rhode Island, USA
Shashi Shekhar, University of Minnesota, Dept. Computer Science & Engineering, Minneapolis, Minnesota, USA
Jonathan Katz, Dept. Computer Science, University of Maryland, College Park, Maryland, USA
Xindong Wu, University of Vermont, Dept. Computer Science, Burlington, Vermont, USA
Lakhmi C. Jain, School of Electrical and Information Engineering, University of South Australia, Adelaide, South Australia, Australia
David Padua, University of Illinois Urbana-Champaign, Siebel Center for Computer Science, Urbana, Illinois, USA
Xuemin (Sherman) Shen, Department of Electronic and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada
Borko Furht, Florida Atlantic University, Boca Raton, Florida, USA
V.S. Subrahmanian, Computer Science Department, University of Maryland, College Park, Maryland, USA
Martial Hebert, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA
Katsushi Ikeuchi, Tokyo, Japan
Bruno Siciliano, Napoli, Napoli, Italy
Sushil Jajodia, George Mason University, Fairfax, Virginia, USA
Newton Lee, Newton Lee Laboratories, LLC, Tujunga, California, USA

SpringerBriefs present concise summaries of cutting-edge research and practical applications across a wide spectrum of fields. Featuring compact volumes of 50 to 125 pages, the series covers a range of content from professional to academic. Typical topics might include:
• A timely report of state-of-the-art analytical techniques
• A bridge between new research results, as published in journal articles, and a contextual literature review
• A snapshot of a hot or emerging topic
• An in-depth case study or clinical example
• A presentation of core concepts that students must understand in order to make independent contributions

Briefs allow authors to present their ideas and readers to absorb them with minimal time investment. Briefs will be published as part of Springer's eBook collection, with millions of users worldwide. In addition, Briefs will be available for individual print and electronic purchase. Briefs are characterized by fast, global electronic dissemination, standard publishing contracts, easy-to-use manuscript preparation and formatting guidelines, and expedited production schedules. We aim for publication 8-12 weeks after acceptance. Both solicited and unsolicited manuscripts are considered for publication in this series.

More information about this series at http://www.springer.com/series/10028

Philippe De Ryck • Lieven Desmet • Frank Piessens • Martin Johns
Primer on Client-Side Web Security

Philippe De Ryck, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Lieven Desmet, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Frank Piessens, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Martin Johns, SAP Research, Karlsruhe, Germany

ISSN 2191-5768 / ISSN 2191-5776 (electronic)
ISBN 978-3-319-12225-0 / ISBN 978-3-319-12226-7 (eBook)
DOI 10.1007/978-3-319-12226-7
Springer Cham Heidelberg New York Dordrecht London
Library of Congress Control Number: 2014953777
© Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns 2014

This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher's location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.

Printed on acid-free paper. Springer is part of Springer Science+Business Media (www.springer.com)

Preface

Have you ever wondered why all of a sudden, normal users start posting strange messages on social networks? How wireless routers can be controlled remotely? Why eBay accounts could be hijacked with a single HTTP request? Or why a news Web site suddenly shows a page from the Syrian Electronic Army? All of these incidents were possible due to attackers controlling some code within the victim's browser, a result of the current state of practice in Web security, which is less than stellar. As security researchers, we are concerned by the large gap between the state of practice and the currently available security technologies, which are often inspired by security research. In an effort to improve this situation, we have written this book, which gives a detailed view on the client-side Web security landscape. We explicitly focus on client-side security vulnerabilities, which are exploited from within a browser or explicitly target the browser, because they generally receive less attention compared to their server-side counterparts. In total, we cover 13 attacks, for which we give a detailed description, an overview of traditional mitigation techniques, and current state-of-the-art research. For each attack, we also describe the current state of practice in Web applications, and define the best practices to defend against these attacks in the modern age.

We have written this book with several target audiences in mind. It offers students, teachers, and trainers an introduction into the field of client-side Web security, with an extensive reference list for learning more about each topic. The best practices can be translated into teaching material for secure software development courses. The book helps junior researchers to quickly get up to speed in the field, and offers an overview of the current state-of-the-art for experienced researchers, who are looking for new opportunities to explore. Finally, developers and security practitioners get an overview of the current state of practice, and the upcoming state-of-the-art technologies. They should use the best practices in the book to improve the state of practice, which is beneficial for all users on the Web.

This book grew from our experience as security researchers[1] working on Web security, with a strong focus on client-side Web security topics such as cross-site request forgery, cross-site scripting, session management problems, and clickjacking. We also actively participate in European Web security projects, such as STREWS[2], WebSand[3], and NESSoS[4], and collaborate with the W3C and IETF standardization committees, further expanding our view on the current state of practice, state-of-the-art, and best practices.

We would like to explicitly acknowledge the support of the Agency for Innovation by Science and Technology (IWT), the STREWS project, where a preliminary version of this book was written as a first deliverable, and the IWT-SBO project SPION[5], which provided valuable insights in the privacy and security concerns of contemporary Web applications.

[1] Philippe De Ryck, Lieven Desmet, and Frank Piessens are affiliated with the iMinds-DistriNet research group at KU Leuven University (Belgium), and Martin Johns is affiliated with SAP Research (Germany).
[2] https://www.strews.eu/
[3] https://www.websand.eu/
[4] http://www.nessos-project.eu/
[5] http://www.spion.me/

Contents

1 The Relevance of Client-Side Web Security ... 1
  1.1 The Web at a Glance ... 2
  1.2 Client-Side Web Security ... 6
  1.3 Purpose of this Book ... 8
  References ... 9
2 Traditional Building Blocks of the Web ... 11
  2.1 Traditional Web Technology ... 11
    2.1.1 Loading Web Content ... 12
    2.1.2 Authentication and Authorization ... 12
    2.1.3 Cookies and Session Management ... 13
  2.2 Browser Security Policies ... 14
    2.2.1 Same-Origin Policy ... 14
    2.2.2 Security Model for Third-Party Content Inclusion ... 15
    2.2.3 Context Navigation Policy ... 17
  2.3 Extending the Client-Side Features ... 18
    2.3.1 Plugins for Arbitrary Content ... 19
    2.3.2 Browser Extensions ... 20
  2.4 Enhancing the User's Window on the Web ... 21
  References ... 23
3 The Browser as a Platform ... 25
  3.1 The Synergy Between Browsers and Devices ... 25
  3.2 From Rendering Engine to Feature-Rich Platform ... 27
    3.2.1 Client-Side Storage ... 27
    3.2.2 Communication Mechanisms ... 28
    3.2.3 Mobile Features ... 29
    3.2.4 Registering Default Applications ... 29
  3.3 Transforming the Browser into an Operating System ... 29
  References ... 31
4 How Attackers Threaten the Web ... 33
  4.1 Threat Models in Literature ... 33
    4.1.1 Forum Poster ... 34
    4.1.2 Web Attacker ... 34
    4.1.3 Gadget Attacker ... 34
    4.1.4 Related-Domain Attacker ... 35
    4.1.5 Related-Path Attacker ... 35
    4.1.6 Passive Network Attacker ... 36
    4.1.7 Active Network Attacker ... 36
  4.2 Threat Models as Concrete Attacker Capabilities ... 37
    4.2.1 Send Requests to an Application ... 37
    4.2.2 Register Own Domain ... 37
    4.2.3 Host Content Under Own Domain ... 39
    4.2.4 Respond to Requests from Own Domain ... 39
    4.2.5 Register a Valid TLS Certificate for Own Domain ... 39
    4.2.6 Manipulate Target's Domain-based Data ... 40
    4.2.7 Manipulate Target's Client-Side Context ... 40
    4.2.8 Eavesdrop on Network Traffic ... 40
    4.2.9 Generate Network Traffic ... 40
    4.2.10 Intercept and Manipulate Network Traffic ... 43
  4.3 Conclusion ... 41
  References ... 42
5 Attacks on the Network ... 43
  5.1 Eavesdropping Attacks ... 43
    5.1.1 Description ... 44
    5.1.2 Mitigation Techniques ... 44
    5.1.3 State of Practice ... 45
    5.1.4 Best Practices ... 46
  5.2 Man-in-the-Middle Attacks (MitM) ... 46
    5.2.1 Description ... 47
    5.2.2 Mitigation Techniques ... 48
    5.2.3 State of Practice ... 49
    5.2.4 Best Practices ... 50
  5.3 Protocol-level Attacks on HTTPS ... 50
    5.3.1 Overview of Attacks ... 51
    5.3.2 State of Practice ... 52
  References ... 53
6 Attacks on the Browser's Requests ... 57
  6.1 Cross-Site Request Forgery ... 57
    6.1.1 Description ... 58
    6.1.2 Mitigation Techniques ... 60
    6.1.3 State of Practice ... 62
    6.1.4 Best Practices ... 62
  6.2 UI Redressing ... 62
    6.2.1 Description ... 63
    6.2.2 Mitigation Techniques ... 65
    6.2.3 State of Practice ... 66
    6.2.4 Best Practices ... 66
  References ... 66
7 Attacks on the User's Session ... 69
  7.1 Session Hijacking ... 69
    7.1.1 Description ... 69
    7.1.2 Mitigation Techniques ... 71
    7.1.3 State of Practice ... 73
    7.1.4 Best Practices ... 73
  7.2 Session Fixation ... 73
    7.2.1 Description ... 74
    7.2.2 Mitigation Techniques ... 75
    7.2.3 State of Practice ... 76
    7.2.4 Best Practices ... 76
  7.3 Authenticating With Stolen Credentials ... 76
    7.3.1 Description ... 77
    7.3.2 Mitigation Techniques ... 77
    7.3.3 State of Practice ... 79
    7.3.4 Best Practices ... 79
  References ... 79
8 Attacks on the Client-Side Context ... 83
  8.1 Cross-Site Scripting ... 83
    8.1.1 Description ... 84
    8.1.2 Mitigation Techniques ... 85
    8.1.3 State of Practice ... 86
    8.1.4 Best Practices ... 87
  8.2 Scriptless Injection Attacks ... 87
    8.2.1 Description ... 87
    8.2.2 Mitigation Techniques ... 88
    8.2.3 Best Practices ... 89
  8.3 Compromised Script Inclusions ... 89
    8.3.1 Description ... 90
    8.3.2 Mitigation Techniques ... 90
    8.3.3 State of Practice ... 91
    8.3.4 Best Practices ... 91
  References ... 92
9 Attacks on the Client Device ... 95
  9.1 Drive-By Downloads ... 95
    9.1.1 Description ... 96
