Web Security
Presentation: WhatsApp Public Key
- A UC Berkeley Student found a vulnerability that allows anyone to impersonate recipients of a message.
- Note: anyone is italicized because one is required access to a piece of technology that is difficult to obtain
- That machine is a SS7 Hub which allows an adversary to impersonate a GSM cell tower and record information such as phone number and IMEI
- Using that information and while the target recipient is offline, the adversary can redirect messages to an alternate device
- Has forward secrecy because old messages will not be seen, however future communication is easily deciphered.
- Whether this exposed a vulnerability or backdoor is hotly debated. Still this bring up an important tradeoff between secrecy and usability with product design
Web Security
HTTP vs. HTTPS
- HTTPS: browser communication uses TLS to encrypt communication
- the S represents the layers of key exchange and encryption & authentication that sit on top of HTTP
- HTTP sent over TCP
Threat models
- Man in the Middle (MITM)
- Double sided arrows from Alice to Eve and from Eve to Bob
- Eve can see everything between A, B. (ex. send, add, drop, modify, receive communication)
Alice <--> Eve <--> Bob
- Remote Attacker (Off-path)
- Double sided arrows from Alice to Bob and unidirectional arrows to Alice and Bob from Eve
- Eve can not see anything between the browser and server. Only send messages to each like a normal computer
Alice <--> Bob ^-- Eve --^
- On Path Attacker
- Double sided arrows from Alice to Bob and that is tapped by Eve. Unidirectional arrows to Alice and Bob from Eve
- Attacker can see anything between the browser and server but not able to modify or drop traffic from Alice to Bob.
Alice <--.--> Bob ^-----|-----^ Eve
- Summary from easiest to hardest attack to do once have access
- MITM – Most access to information, easiest to do, Most powerful
- On Path
- Off-Path – Least access, hardest to do, Least powerful
If you were a MITM you could also do a ‘lesser’ attack
HTTP
ex. http://bu.edu:81/class?name=cs558#homework
Protocol | Domain | Port | Path | Query | Fragment |
---|---|---|---|---|---|
http | bu.edu | 81 | class | ?name=cs558 | #homework |
HTTP Request Components:
- Method ex. GET, POST
- File
- HTTP version
- User-agent
- Referrer Exposes user information
HTTP Responses Components:
1xx | 2xx | 3xx | 4xx | 5xx |
---|---|---|---|---|
Informational | Success | Redirect | Client Error | Server Error |
ex. 404 - Page not found!
HTML and DOM
Example of tags:
<p></p> <!–select with '<element>' –>
<a class=""></a> <!–select with .<class_name> –>
<img id=""> <!–select with #<class_name> –>
- Security issues
- embedding images: if from external server can include single pixel tracking
- allows second server to view the same information as the first
Cookies
In the past, servers did not know anything about you from a single request… it was stateless
POST
Client ------------> Server
Cookie(w/state)
Client <------------ Server
.... user goes to another page
Cookie
Client ------------> Server
state
Client <------------ Server
Now services can use cookies can look up information about a user
Cookie Ingredients:
- domain (domain specific– ie. Facebook doesn’t use Google’s cookies)
- expiration, security settings, SSL
Cookie Authentication
- Browser — POST, login username, pw —–> Web Server
- Web Server — Validate —–> Auth Server
- Auth Server — auth = val —–> Web Server
- Web Server — set -cookies, auth = val —–> Browser
- Browser — GET restricted.html, cookie: auth= val —–> Web Server
- Web Server — restricted.html, auth = val —–> Auth Server
- Auth Server — YES/NO —–> Web Server
- Web Server — if YES, restricted.html —–> Browser
Security = Browser only sends cookies over HTTPS
Cross-site Scripting
JavaScript can modify DOM, set cookies, etc
ex. visit hackers.com what prevents it from reading bank.com cookies
—> Same Origin Policy (SOP), hackers.com can only access cookies from hackers.com
SOP: if A.com has image that includes script from somewhere else, that script should not be able to have access to page elements
Stored XSS:
- inject malware script
- user makes request
- user receives malware script
- performs attack