
Topic 4 – Client-Side
COMP6443 – WEEK 7

COMP6443 – Week 3 – Injection

A NOTE ON ETHICS…
This course will teach both attacker and defender mindsets
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system


Client-Side Attacks

Introduction
Same Origin vs Same Site
CSRF
Clickjacking
Reference


What is client-side?


Client-side attack surface?


What is valuable in client-side?


Does the browser provide protection?
Only a little. The browser does not stop one site from sending requests to another; what it enforces is a small set of isolation rules:
Same Origin Policy (who may read a response)
Same-site restrictions (the SameSite cookie attribute: which requests carry cookies)


Are “site” and “origin” the same thing?
Is a careful distinction between “origin” and “site” warranted, here?
Is it just a distinction without a difference?
Is a cross-site request no different from a cross-origin request?
Could the cookie attribute have as well been named “SameOrigin”, then?
Or, if there is indeed a real difference between “site” and “origin”, does it matter to practitioners?
And, if the difference does matter, how so?


What do we mean by “origin”?
Two URIs are part of the same origin if they have the same scheme, host and port.

https://www.example.org:443
scheme: https, host: www.example.org, port: 443 (implicit for https)

https://www.mypage.example.org:443
scheme: https, host: www.mypage.example.org, port: 443 (implicit for https)

Same scheme and port, but different hosts: these are two different origins (they are, however, the same site, example.org).


Same Origin vs Cross Origin
Same Origin (same scheme, host and port; the path does not matter)
https://foo.example.org -> https://foo.example.org/mypage

Cross Origin (different hosts; also cross-site, because github.io is on the Public Suffix List, so every subdomain is its own site)
https://foo.github.io -> https://bar.github.io

Cross Origin (different hosts; but same site, because both share the registrable domain example.org)
https://bar.example.org -> https://example.org


Cross-Origin in SOP world
The SOP restricts cross-origin reads, not cross-origin writes or embedding:
Web forms can be submitted to another origin.
Scripts, images, stylesheets and iframes can be loaded from another origin.
The browser attaches the target's cookies to all of these requests, which is what CSRF and clickjacking build on.


CSRF: Examine Payload
The request a forged form submission produces. The victim's browser adds the session cookie itself, so on the wire it is indistinguishable from a request the user intended:

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=bwyeEnu5bcDH34w43553nYns6Sj

email=pwned@evil-user.net


[DEFENSIVE] CSRF Mitigation
Synchronizer token pattern:
unpredictable, high-entropy token, issued per session (or per request for stricter designs) and stored server-side
tied to the user's session
strictly validated on every state-changing request (reject on absence or mismatch; compare in constant time)

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=bwyeEnu5bcDH34w43553nYns6Sj

csrf=Wyb362SHUIshd63b23Dh8e4dehed&email=


[DEFENSIVE] CSRF Mitigation
Double submit cookie pattern:
unpredictable, high-entropy token sent both as a cookie and as a request parameter; the server checks that the two match
in its naive form the token is not tied to the session, so anyone who can set a cookie for the site (e.g. from a sibling subdomain) can forge both halves; bind it to the session id with an HMAC under a server-side key
no need to store the CSRF token server-side

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=bwyeEnu5bcDH34w; csrf=Wyb362SHUIshd63b23Dh8e4dehed

csrf=Wyb362SHUIshd63b23Dh8e4dehed&email=


[DEFENSIVE] CSRF Mitigation
Encrypted (or signed) CSRF token pattern:
token is the session id plus a nonce or timestamp, encrypted or HMAC-signed with a secret key held only by the server, so it is unpredictable without the key
the server decrypts or verifies with that same secret key, so nothing is stored server-side (with an asymmetric scheme the server would sign with the private key and verify with the public key, not the other way round)
very useful for micro-service architectures: any service holding the key can validate

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Cookie: session=bwyeEnu5bcDH34w

csrf=Wyb362SHUIshd63b23Dh8e4dehed&email=


[DEFENSIVE] CSRF Mitigation
CSRF token in a request header:
unpredictable, high-entropy token
tied to the user's session
a plain HTML form cannot set custom headers, and a cross-origin fetch/XHR that adds one triggers a CORS preflight, so the header's presence is itself a barrier
useful for APIs and micro-service architectures

POST /email/change HTTP/1.1
Host: vulnerable-website.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Csrf-Token: Wyb362SHUIshd63b23Dh8e4dehed
Cookie: session=bwyeEnu5bcDH34w

email=


CSRF Demo
time to trick user


Does SameSite protect against CSRF?

Yes, if the request is cross-site (and therefore also cross-origin) and the cookie is SameSite=Strict or Lax. Lax still sends the cookie on top-level navigations with safe methods, so a state-changing GET endpoint remains exploitable, and a browser that defaults unlabelled cookies to Lax may still attach them to cross-site POSTs for a short window after the cookie is set.
https://attacker.com -> https://vulnerable.com

If the attacker is same-site but cross-origin (a subdomain, reached via XSS, subdomain takeover or a vulnerable sibling app), SameSite does not help: the request is not cross-site, so the cookie is sent regardless of the attribute.
https://attacker.vulnerable.com -> https://vulnerable.com


Clickjacking
trick the user into clicking hidden content (the target site's button placed under a visible decoy)
CSS used to manipulate layers (opacity, z-index, absolute positioning)
iframes used to load the target page as the hidden layer


Clickjacking Demo
time to trick user


Frame Busting
clickjacking is possible because the target site can be framed
sites defend themselves with frame-busting scripts; browser extensions such as NoScript (ClearClick) give users similar protection on the client
frame busters are small JS snippets run by the framed page itself
behaviours of these scripts include:
enforce the current app window as the top window (if the page is not top, navigate top to the page's own URL)
make all frames visible
prevent clicking on invisible frames
intercept and flag potential attacks to users


Busting the Frame Buster
frame-busting techniques are browser- and platform-dependent
browser security settings could disable JS, and with it the buster
the attacker can neutralise the buster with the iframe sandbox attribute: a sandbox that omits allow-scripts (e.g. allow-forms only) never runs the script at all, and one that grants allow-scripts but not allow-top-navigation stops the script from breaking out of the frame

allow-forms permits only the specified action (form submission) within the iframe, which is all the attacker needs for the victim's click to count


[DEFENSIVE] X-Frame-Options
response header that prevents your site being framed as an iframe in another website
puts control over framing in the server's hands rather than the page's JS, so a sandboxed iframe cannot switch it off

X-Frame-Options: deny
X-Frame-Options: sameorigin
X-Frame-Options: allow-from https://normal-website.com

allow-from is deprecated and ignored by current browsers; use the CSP frame-ancestors directive instead, which accepts a list of origins and takes precedence over X-Frame-Options when both are present


HTML Injection
Aim: trick the victim into performing an operation on the web app that benefits the attacker (fake login forms, misleading links, defaced content).

Pre-conditions for a successful attack:
Application accepts HTML input
User input reflected or stored without validation or output encoding


HTML Anatomy


HTML Injection


HTML Injection vs XSS
Very similar, but HTML injection does not involve executing JS.
Applicable to
HTML-only websites
sites where JS is heavily restricted (e.g. by CSP)
Also called “virtual defacement”


[DEFENSIVE] HTML Injection
Validate user input and ensure that no HTML or encoded HTML values are accepted (decode percent-encoding and entities before checking, so encoding cannot hide a tag)
Use an allow list of acceptable values for each user input
Encode on output for the context the value lands in (HTML text, attribute, URL)
What if the application expects HTML user input? Then parse it and keep only an allow list of tags and attributes using a maintained sanitizer such as DOMPurify; deny lists and regex tag stripping are routinely bypassed.


READING MATERIAL (REFERENCE)
Same Origin Policy
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
CORS
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
CSRF
https://www.troyhunt.com/understanding-csrf-video-tutorial/


READING MATERIAL (REFERENCE)
Clickjacking
https://portswigger.net/web-security/clickjacking


questions? slack / email / come talk to us
thankyou: varun
THANKS FOR LISTENING TO US RANT!
