Lecture 20

This document discusses security issues related to web browsers and the web. It covers topics such as the same origin policy, cookies, browser architecture, and sandboxing. The same origin policy is the main security model enforced in browsers: it isolates scripts from different origins so that they cannot access each other's resources. Cookies are used to add state to the stateless HTTP protocol and for authentication. Browsers run untrusted code from different domains, so they use sandboxing and the same origin policy to keep that code separated.

Computer System Security (TCS591)

B. Tech CSE V Semester

Instructor: Dr. Mohammad Wazid
Associate Professor, Department of CSE
Graphic Era (Deemed to be University), Dehradun, India
Email: wazidkec2005@gmail.com
Homepage: https://sites.google.com/site/mwazidiiith/home
1
• Web security: same origin policy

2
Background
• Many sensitive tasks are done through the web
– Online banking, online shopping
– Database access
– System administration

• Web applications and web users are the targets of many attacks
– Cross site scripting
– SQL injection
– Cross site request forgery
– Information leakage
– Session hijacking
3
Web Browser and Network
[Figure: the browser, running on the OS and hardware, sends a request over the network to the web site, which returns a reply]

• Browser sends requests
• Web site sends response pages, which may include code
• The interaction is susceptible to network attacks

4
Web Security/Privacy Issues

• Secure communications between client & server
– HTTPS (HTTP over SSL/TLS)
• User authentication & session management
– Cookies & other methods
• Active contents from different websites
– Protecting resources maintained by browsers
• Web application security
• Web site authentication (e.g., anti-phishing)
• Privacy concerns

5
HTTP: HyperText Transfer Protocol
• Browser sends HTTP requests to the server
– Methods: GET, POST, …
– GET: to retrieve a resource (html, image, script, css, …)
– POST: to submit a form (login, register, …)

• Server replies with an HTTP response

• Stateless request/response protocol
– Each request is independent of previous requests
– Statelessness has a significant impact on the design and implementation of applications

6
Use Cookies to Store State Info

• Cookies
– A cookie is a name/value pair created by a website to store information on your computer

[Figure: the user enters form data; the browser sends the request to the server, which returns the response together with cookies; on later requests the browser sends the cookies back with the request and the server returns the data]

HTTP is a stateless protocol; cookies add state


7
Cookies Fields

• An example cookie from my browser
– Name: session-token
– Content: "s7yZiOvFm4YymG…"
– Domain: .amazon.com
– Path: /
– Send For: Any type of connection
– Expires: Monday, September 08, 2031 7:19:41 PM

8
Cookies
• Stored by the browser
• Used by the web applications
– used for authenticating, tracking, and maintaining specific information about users
• e.g., site preferences, contents of shopping carts
– data may be sensitive
– may be used to gather information about specific users

• Cookie ownership
– Once a cookie is saved on your computer, only the website that created the cookie can read it

9
Web Authentication via Cookies

• HTTP is stateless
– How does the server recognize a user who has signed in?

• Servers can use cookies to store state on the client
– After the client successfully authenticates, the server computes an authenticator and gives it to the browser in a cookie
• The client cannot forge the authenticator on its own (e.g., a session id)
– With each request, the browser presents the cookie
– The server verifies the authenticator

10
A Typical Session with Cookies
Client → Server: POST /login.cgi
Server: verify that this client is authorized
Server → Client: Set-Cookie: authenticator

Client → Server: GET /restricted.html, Cookie: authenticator
Server: check validity of the authenticator
Server → Client: restricted content

Authenticators must be unforgeable and tamper-proof
(malicious clients shouldn't be able to modify an existing authenticator)

11
Browser as an Operating System
• Web users visit multiple websites simultaneously
• A browser serves web pages (which may contain programs) from different web domains
– i.e., a browser runs programs provided by mutually untrusted entities
– Running code one does not know/trust is dangerous
– A browser also maintains resources created/updated by web domains
• Browser must confine (sandbox) these scripts so that they cannot access arbitrary local resources
• Browser must have a security policy to manage/protect browser-maintained resources and to provide separation among mutually untrusted scripts
12
Sandbox

• A security mechanism for separating/limiting running programs
– Running untrusted programs
• E.g., JavaScript in web pages, mobile apps
– Running programs that are likely to be exploited
• E.g., network daemon programs
• Implementation: clearly identify what resources a program needs and cut off the rest

13
Same Origin Policy

• The same-origin policy is an important concept in the web application security model.
• Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin.

14
Same Origin Policy

• The basic security model enforced in the browser
• SOP isolates the scripts and resources downloaded from different origins
– E.g., evil.org scripts cannot access bank.com resources
• Use origin as the security principal
– Note that the concept of user accounts does not apply here as security principals
• Origin = domain name + protocol + port
– all three must be equal for the origin to be considered the same

15
Same Origin Policy: What it Controls

• Same-origin policy applies to the following accesses:
– manipulating browser windows
– manipulating frames (including inline frames)
– manipulating documents (including those loaded using the object tag)
– manipulating cookies

17
Problems with S-O Policy
• Poorly enforced on some browsers
– Particularly older browsers
• Limitations if a site hosts unrelated pages
– Example: a web server often hosts sites for unrelated parties
• http://www.example.com/account/
• http://www.example.com/otheraccount/
– Same-origin policy allows a script on one page to access properties of the document from another
• Can be bypassed in Cross-Site-Scripting attacks
• Usability: sometimes prevents desirable cross-origin resource sharing
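The origin triple (protocol + domain name + port) from slide 15 and the shared-host limitation above, as an added example that is not part of the original slides; the host names are the slides' own examples, and the function names are assumptions.

```javascript
// Added example, not from the lecture slides: compute the origin a browser
// compares under the same-origin policy (protocol + host + port) and test
// URL pairs, including the shared-host case from the "Problems" slide.
function originOf(urlString) {
  const u = new URL(urlString);
  // An omitted port means the scheme's default port; browsers treat
  // http://bank.com/ and http://bank.com:80/ as the same origin.
  const defaultPort = { 'http:': '80', 'https:': '443' }[u.protocol] || '';
  return { protocol: u.protocol, host: u.hostname, port: u.port || defaultPort };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  // All three parts must match; path, query and fragment play no role.
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Constructed URL pairs (host names taken from the slides' examples).
const cases = [
  ['http://www.example.com/account/', 'http://www.example.com/otheraccount/'], // same origin: path ignored
  ['http://bank.com/', 'http://evil.org/'],      // different host
  ['http://bank.com/', 'https://bank.com/'],     // different protocol
  ['http://bank.com/', 'http://bank.com:80/'],   // same origin: explicit default port
  ['http://bank.com/', 'http://bank.com:8080/'], // different port
  ['http://bank.com/', 'http://www.bank.com/'],  // different host: subdomains are distinct origins
];

function evaluateCases() {
  return cases.map(([a, b]) => sameOrigin(a, b));
}

for (const [a, b] of cases) {
  console.log(sameOrigin(a, b) ? 'SAME   ' : 'DIFFERS', a, '|', b);
}
```

The first pair is the slide's point: two unrelated accounts on one host share an origin, so the policy does nothing to separate their scripts.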

18
Browser Architecture: One Process versus Multiple Processes
• Most browsers (e.g., Firefox, Internet Explorer) use one process for the whole web browser
– Multiple threads are used for rendering different web pages
• Chrome uses multiple processes
– Uses the OS protection mechanism to ensure that web pages from different sites cannot easily interact
• Because they run in different processes
– Reliability advantage: a crash while rendering one website doesn't affect another
– Security advantage: a vulnerability in rendering does not compromise other sites; isolates plug-ins
– Uses 3 types of processes: browser, renderers, plug-ins
19