Topic 4 – Client-Side
COMP6443 – WEEK 7
COMP6443 – Week 3 – Injection
A NOTE ON ETHICS…
This course will teach both attacker and defender mindsets
UNSW hosting this course is an extremely important step forward.
We expect a high standard of professionalism from you, meaning:
Respect the property of others and the university
Always abide by the law and university regulations
Be considerate of others to ensure everyone has an equal learning experience
Always check that you have written permission before performing a security test on a system
Client-Side Attacks
Introduction
Same Origin vs Same Site
CSRF
Clickjacking
Reference
What is client-side?
Client-side attack surface?
What is valuable in client-side?
Does browser provide protection?
Browser protection is minimal
Same Origin Policy
Same-site restrictions
Are “site” and “origin” the same?
Is a careful distinction between “origin” and “site” warranted, here?
Is it just a distinction without a difference?
Is a cross-site request no different from a cross-origin request?
Could the cookie attribute just as well have been named “SameOrigin”, then?
Or, if there is indeed a real difference between “site” and “origin”, does it matter to practitioners?
And, if the difference does matter, how so?
What do we mean by “origin”?
Two URIs are part of the same origin if they have the same scheme, host and port.
https://www.example.org:443 (scheme: https, host: www.example.org, port: 443, implicit for https)
https://www.mypage.example.org:443 (scheme: https, host: www.mypage.example.org, port: 443, implicit for https)
[Diagram: each URL is annotated with its scheme, host and port; the three parts together form that URL's origin.]
Same Origin vs Cross Origin
Same Origin
https://foo.example.org -> https://foo.example.org/mypage
Cross Origin
https://foo.github.io -> https://bar.github.io
Cross Origin
https://bar.example.org -> https://example.org
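The origin rule above, and the origin-versus-site distinction the earlier questions raise, as an added Python example that is not part of the slides: it compares the three pairs listed here on both axes. The small PUBLIC_SUFFIXES set is a constructed stand-in for the real Public Suffix List, on which github.io is indeed a public suffix.

```python
from urllib.parse import urlsplit

# Port assumed when a URL omits one (the "implicit" port on the slide).
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed stand-in for the Public Suffix List: only the suffixes the
# examples on this page need. A real check loads the full list from
# https://publicsuffix.org/, where github.io is listed as a public suffix.
PUBLIC_SUFFIXES = {"org", "io", "github.io"}


def origin(url):
    """Return the (scheme, host, port) triple that identifies a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # urlsplit already lower-cases the host
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, host, port)


def registrable_domain(host):
    """Return the eTLD+1: the longest matching public suffix plus one label."""
    labels = host.split(".")
    for i in range(1, len(labels)):  # try longest candidate suffix first
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # no listed suffix below the host: treat the host as the site


def site(url):
    """Schemeful site: scheme plus registrable domain; the port does not count."""
    scheme, host, _ = origin(url)
    return (scheme, registrable_domain(host))


def same_origin(a, b):
    return origin(a) == origin(b)


def same_site(a, b):
    return site(a) == site(b)


def classify(a, b):
    """Relationship between two URLs on both axes the slides discuss."""
    return {"same_origin": same_origin(a, b), "same_site": same_site(a, b)}
```

Run `classify` over the three pairs above: the github.io pair is cross-origin and cross-site, while bar.example.org versus example.org is cross-origin yet same-site, which is exactly the gap the SameSite cookie attribute covers.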
Cross-Origin in SOP world
Web forms:
scripts, images, etc. which remain constant.
E.g.