Lecture #18 - #20: Web Browser and Web Application Security

djlogo.jpg
Lecture #18-20: Web Applications Security
Dr.Ramchandra Mangrulkar
September 14, 2020
Dr.Ramchandra Mangrulkar Lecture #18-20: Web Applications Security September 14, 2020 1 / 25

djlogo.jpg
Contents
OWASP
Web- A User Side
Web Browser : Architecture, Vulnerabilities and Attacks
Web Application Security

djlogo.jpg
OWASP
Source1
1
https://owasp.org

djlogo.jpg
Web-User/Client Side
The browser is the core client-side component. Its counterpart is
the web server.
Web- A User Side
Cookies
HTTPS and SSL
Web Browser : Working and Attacks
Web Application Security

djlogo.jpg
The Browser Architecture: Overview
Overview of the
communication between the
web servers and web browsers.
The web server and a browser
typically running in separate
machines.
Only the web server has
access to the local disk.
The browser only has access
to the local disk by asking the
user for permission
The web server and the
browser communicate over
the network.

djlogo.jpg
The Web Browser architecture

djlogo.jpg
The Web Browser architecture cont...
The User Interface subsystem
-provides features such as toolbars, visual page-load progress,
smart download handling, preferences, and printing.
-may be integrated with the desktop environment to provide
browser session management or communication with other
desktop applications.
Browser Engine
-a high-level interface to the Rendering Engine.
-loads a given URL and supports primitive browsing actions such
as forward, back, and reload.
-provides hooks for viewing various aspects of the browsing
session such as current page load progress and JavaScript alerts.
-allows the querying and manipulation of Rendering Engine
settings.

djlogo.jpg
Rendering Engine
-visual representation for a given URL.
-displaying HTML and XMLdocuments, optionally styled with
CSS, embedded content ( images)
-IE(Trident), Firefox(Gecko), Safari, Chrome and
Opera(Webkit). -Chrome runs various instances of this engine
with various tabs.
Networking subsystem
-implements ﬁle transfer protocols such as HTTP and FTP.
JavaScript Interpreter
-evaluates JavaScript code, which may be embedded in web
pages.
XML Parser subsystem
-parses XML documents into a Document Object Model (DOM)
tree2
. -The most reusable subsystems in the architecture.
2
Document Object Model (DOM) tree is a web page representation that can
be accessed and modiﬁed by the script codeDr.Ramchandra Mangrulkar Lecture #18-20: Web Applications Security September 14, 2020 8 / 25

djlogo.jpg
Display Back-end subsystem (UI Backend)
-provides drawing and windowing primitives, a set of user
interface widgets, and a set of fonts.
- may be tied closely with the operating system.
Data Persistence subsystem
- stores various data associated with the browsing session on
disk.
- high-level data such as bookmarks or toolbar settings,
- or it may be low-level data such as cookies, Preferences,
security certiﬁcates, or cache.

djlogo.jpg
The Web Browser MArket Share a
a
NetMarketShare:Marketshareformobile,browsers,operating.
..netmarketshare.com

djlogo.jpg
Home Assignment
Microsoft Edge
https://blogs.windows.com/msedgedev/2016/04/20/
building-a-more-accessible-web-platform/
Google Chrome
https://medium.com/@zicodeng/
explore-the-magic-behind-google-chrome-c3563dbd2739
Firefox
https://blog.mozilla.org/standard8/2015/06/30/
firefox-hello-desktop-behind-the-scenes-architecture/

djlogo.jpg
Why to worry for Browsers Security
A browser often connects to more than the one address
Fetching data can entail accesses to numerous locations
Browser software can be malicious or can be corrupted to
acquire malicious functionality.
Browsers support add-ins, extra code to add new features to the
browser, but these add-ins themselves can include corrupting
code.
Data display involves a rich command set that controls
rendering, positioning, motion, layering, and even invisibility.
The browser can access any data on a user’s computer.The
browser runs with the same privileges as the user.
Data transfers to and from the user are invisible, meaning they
occur without the user’s knowledge or explicit permission.

djlogo.jpg
Browser Attacks : Three Attacks Vectors
Go after the operating system so it will impede the browser’s
correct and secure functioning.
Tackle the browser or one of its components, add-ons, or
plug-ins so its activity is altered
Intercept or modify communication to or from the browser.

djlogo.jpg
Browser Attacks : Three Attacks Vectors
3
3
https://zeltser.com/targeting-web-browser-user/

djlogo.jpg
Browser Attacks
Man-in-the-Browser
Keystroke Logger
Page-in-the-Middle
Program Download Substitution
User-in-the-Middle

djlogo.jpg
Man-in-the-Browser Attack
Man-in-the-browser is a form of man-in-the-middle attack.
An attacker is able to insert himself into the communications
channel between two trusting parties by compromising a Web
browser.
Purpose is for eavesdropping, data theft and/or session
tampering.
attackers to carry out various forms of ﬁnancial fraud, typically
by manipulating Internet Banking Services.
In order to compromise the browser, adversaries can take
advantage of security vulnerabilities and/or manipulate inherent
browser functionality to change content, modify behavior, and
intercept information.
Various forms of malware,e.g. Trojan horse, can be used to carry
out the attack.

djlogo.jpg
Man-in-the-Browser Attack
4
4
https://www.kratikal.com/There are many examples for
man-in-the-browser malware and attack campaigns targeting online banking and
other internet services. Infamous names of malware used include: Zeus, Spyeye,
Bugat, Carberp, Silon, Tatanga, and more.

djlogo.jpg
Keystroke Logger
A keystroke logger (or key logger) is either hardware or software
that records all keystrokes entered. The logger either retains
these keystrokes for future use by the attacker or sends them to
the attacker across a network connection.

djlogo.jpg
Page-in-the-Middle Attack
A page-in-the-middle attack is another type of browser attack in
which a user is redirected to another page.
when the user clicks “login” to go to the login page of any site,
the attack might redirect the user to the attacker’s page, where
the attacker can also capture the user’s credentials.

djlogo.jpg
Program Download Substitution
Coupled with a page-in-the-middle attack is a download
substitution.
The attacker presents a page with a desirable and seemingly
innocuous program for the user to download, for example, a
browser toolbar or a photo organizer utility.
Attack also defeats users’ access controls that would normally
block software downloads and installations, because the user
intentionally accepts this software.

djlogo.jpg
User-in-the-Middle
Attack puts a human between two automated processes so that
the human unwittingly helps spammers register automatically for
free email accounts.
A CAPTCHA is a puzzle that supposedly only a human can
solve, so a server application can distinguish between a human
who makes a request and an automated program generating the
same request repeatedly.

djlogo.jpg
Web Applications Security vulnerabilities (Risks)
Injection
-Injection flaws, such as SQL, NoSQL, OS, and LDAP injection
Broken Authentication
-Application functions implemented incorrectly
-allowing attackers to compromise passwords, keys, or session
tokens
Sensitive Data Exposure
-applications do not properly protect sensitive data, such as
financial, healthcare.
XML External Entities (XXE)
- disclose internal files using the file URI handler
-internal file shares, internal port scanning, remote code
execution, and denial of service attacks.

djlogo.jpg
Broken Access Control
- Restrictions on what authenticated users are allowed if not
properly enforced.
-exploit these flaws to access unauthorized functionality and/or
data
Security Misconfiguration
- result of insecure default configurations
- frameworks, libraries, and applications be securely configured &
must be patched/upgraded in a timely fashion.

djlogo.jpg
Cross-Site Scripting XSS
-includes untrusted data in a new web page without proper
validation or escaping, or updates an existing web page with
user-supplied data using a browser API that can create HTML or
JavaScript. -to execute scripts in the victim’s browser which can
hijack user sessions, deface web sites, or redirect the user to
malicious sites.
Insecure Deserialization
-remote code execution.
-used to perform attacks, including replay attacks, injection
attacks, and privilege escalation attacks.
Using Components with Known Vulnerabilities
-Components, such as libraries, frameworks, and other software
modules, run with the same privileges as the application. -an
attack can facilitate serious data loss or server takeover.

djlogo.jpg
Insuﬃcient Logging Monitoring
-allows attackers to further attack systems, maintain persistence,
pivot to more systems, and tamper, extract, or destroy data.

Lecture #18 - #20: Web Browser and Web Application Security

Recommended

More Related Content

What's hot (20)

Similar to Lecture #18 - #20: Web Browser and Web Application Security (20)

More from Dr. Ramchandra Mangrulkar (20)

Recently uploaded (20)

Lecture #18 - #20: Web Browser and Web Application Security