• Home

  • Documents

  • CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2
7
CS526 Topic 9: Web Security (2) 1 Information Security CS 526 Topic 9 Web Security Part 2

CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Embed Size (px)

Citation preview

Page 1: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

CS526 Topic 9: Web Security (2) 1

Information Security CS 526Topic 9

Web Security Part 2

Page 2: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

CS526 Topic 9: Web Security (2) 2

Readings for This Lecture

• Optional Reading– Bandhakavi et al.:

CANDID : Preventing SQL Injection Attacks Using Dynamic Candidate Evaluations

– Chen et al.: Side-Channel Leaks in Web Applications: a Reality Today, a Challenge Tomorrow

http://www.cs.uic.edu/~venkat/research/papers/candid-sql-injection-ccs07.pdf
http://www.cs.uic.edu/~venkat/research/papers/candid-sql-injection-ccs07.pdf
http://www.cs.uic.edu/~venkat/research/papers/candid-sql-injection-ccs07.pdf
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf
http://research.microsoft.com/pubs/119060/WebAppSideChannel-final.pdf
Page 3: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Other Web Threats

• SQL Injection– See slides by Venkat

• Side channel leakages – See slides from MSR

• Web browsing privacy: third-party cookies

CS526 Topic 9: Web Security (2) 3

Page 4: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Browser Cookie Management

• Cookie Same-origin ownership– Once a cookie is saved on your computer, only the Web site that

created the cookie can read it.

• Variations– Temporary cookies

• Stored until you quit your browser– Persistent cookies

• Remain until deleted or expire– Third-party cookies

• Originates on or sent to a web site other than the one that provided the current page

CS526 Topic 9: Web Security (2) 4

Page 5: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Third-party cookies

• Get a page from merchant.com– Contains <img src=http://doubleclick.com/advt.gif>– Image fetched from DoubleClick.com

• DoubleClick knows IP address and page you were looking at

• DoubleClick sends back a suitable advertisement– Stores a cookie that identifies "you" at DoubleClick

• Next time you get page with a doubleclick.com image– Your DoubleClick cookie is sent back to DoubleClick– DoubleClick could maintain the set of sites you viewed – Send back targeted advertising (and a new cookie)

• Cooperating sites– Can pass information to DoubleClick in URL, …

CS526 Topic 9: Web Security (2) 5

Page 6: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Cookie issues

• Cookies maintain record of your browsing habits– Cookie stores information as set of name/value pairs– May include any information a web site knows about you– Sites track your activity from multiple visits to site

• Sites can share this information (e.g., DoubleClick)• Browser attacks could invade your “privacy”

CS526 Topic 9: Web Security (2) 6

Page 7: CS526Topic 9: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

CS526 Topic 9: Web Security (2) 7

Coming Attractions …

• Secure communication & key distribution


Computer Security CS 526 Topic 5

Computer Security CS 526 Topic 5

Documents
CS526Topic 18: Network Security1 Information Security CS 526 Network Security (1)

CS526Topic 18: Network Security1 Information Security CS 526 Network Security (1)

Documents
Nuclear Associates 06-526 & 06-526-2200 - Fluke …assets.fluke.com/manuals/06_526__omeng0000.pdfNuclear Associates 06-526 & 06-526-2200 RAD-CHECK™ PLUS Operators Manual ... 1.57

Nuclear Associates 06-526 & 06-526-2200 - Fluke …assets.fluke.com/manuals/06_526__omeng0000.pdfNuclear Associates 06-526 & 06-526-2200 RAD-CHECK™ PLUS Operators Manual ... 1.57

Documents
CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers

CS526Topic 2: Classical Cryptography1 Information Security CS 526 Topic 2 Cryptography: Terminology & Classic Ciphers

Documents
CS555Topic 41 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes

CS555Topic 41 Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes

Documents
Information Security CS 526 Topic 2

Information Security CS 526 Topic 2

Documents
CS5261 Information Security CS 526 Topic 15 Malware Defense Topic 15: Malware Defense

CS5261 Information Security CS 526 Topic 15 Malware Defense Topic 15: Malware Defense

Documents
Hypra multipins connectors 526 50 to 526 58, 526 … · 2019. 10. 12. · Technical sheet: F00148EN/07 Cat. Nos.: 526 00 to 526 27, 526 30 to 526 36, 526 40 to 526 48..... - . -

Hypra multipins connectors 526 50 to 526 58, 526 … · 2019. 10. 12. · Technical sheet: F00148EN/07 Cat. Nos.: 526 00 to 526 27, 526 30 to 526 36, 526 40 to 526 48..... - . -

Documents
CS526Topic 3: Ciphers and Cipher Security 1 Information Security CS 526 Topic 3 Ciphers and Cipher Security: Stream Ciphers, Block Ciphers, Perfect Secrecy,

CS526Topic 3: Ciphers and Cipher Security 1 Information Security CS 526 Topic 3 Ciphers and Cipher Security: Stream Ciphers, Block Ciphers, Perfect Secrecy,

Documents
ENOC RX SYSTEM€¦ · 8 ENOC RX SYSTEM. 526 526 37 600 37 20 20 600 600 526 74 74 74 74 137 526 137 526 137 137 68,5 663 663 663 68,5 526 137 526 274 526 274 137 800 800 800 526

ENOC RX SYSTEM€¦ · 8 ENOC RX SYSTEM. 526 526 37 600 37 20 20 600 600 526 74 74 74 74 137 526 137 526 137 137 68,5 663 663 663 68,5 526 137 526 274 526 274 137 800 800 800 526

Documents
CS5261 Information Security CS 526 Topic 10 Malwares Topic 10: Malware

CS5261 Information Security CS 526 Topic 10 Malwares Topic 10: Malware

Documents
CS526Topic 20: TCSEC and Common Criteria 1 Information Security CS 526 Topic 20: TCSEC and Common Criteria

CS526Topic 20: TCSEC and Common Criteria 1 Information Security CS 526 Topic 20: TCSEC and Common Criteria

Documents
Defensive Travel Briefing Cheryl L. Wieser Regional Security Officer US Department of Commerce (206) 526-6653 (206) 526-4543 Fax Updated 10/03/11 Security

Defensive Travel Briefing Cheryl L. Wieser Regional Security Officer US Department of Commerce (206) 526-6653 (206) 526-4543 Fax Updated 10/03/11 Security

Documents
Folder API Series 526 NEW 7/13/04 4:37 PM Page 1 API Seri e s · PDF fileType 526 T ype 526 Plain lever H3 T e 526 Open bonnet Type 526 Balanced bellows design Folder API Series 526

Folder API Series 526 NEW 7/13/04 4:37 PM Page 1 API Seri e s · PDF fileType 526 T ype 526 Plain lever H3 T e 526 Open bonnet Type 526 Balanced bellows design Folder API Series 526

Documents
CS5261 Information Security CS 526 Topic 12-13 Software Vulnerabilities Topic 12-13: Software Vulnerabilities

CS5261 Information Security CS 526 Topic 12-13 Software Vulnerabilities Topic 12-13: Software Vulnerabilities

Documents
CS5261 Information Security CS 526 Topic 8: Operating Systems Security Basics & Unix Access Control Topic 8: Operating System Security Basics

CS5261 Information Security CS 526 Topic 8: Operating Systems Security Basics & Unix Access Control Topic 8: Operating System Security Basics

Documents
Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication

Topic 14: Secure Communication1 Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication

Documents
Information Security CS 526 Topic 6: User Authentication

Information Security CS 526 Topic 6: User Authentication

Documents
Information Security CS 526

Information Security CS 526

Documents
Web Security Modelpages.cpsc.ucalgary.ca/~joel.reardon/526/notes/slide-14-websec.pdf · Goals of Web Security security should be provided even if the user visits both a good and bad

Web Security Modelpages.cpsc.ucalgary.ca/~joel.reardon/526/notes/slide-14-websec.pdf · Goals of Web Security security should be provided even if the user visits both a good and bad

Documents
CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2

Documents
Information Security CS 526...–HTTPS (HTTP over Secure Socket Layer) •User authentication & session management ... (ASP.NET) •ASP.NET 1.1: ... •More Web Security Issues –SQL

Information Security CS 526...–HTTPS (HTTP over Secure Socket Layer) •User authentication & session management ... (ASP.NET) •ASP.NET 1.1: ... •More Web Security Issues –SQL

Documents
Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261

Symbolic and Concolic Execution of Programs Information Security, CS 526 Omar Chowdhury 10/7/2015Information Security, CS 5261

Documents
Hypra multipins connectors 526 50 to 526 58, 526 … · 2018. 8. 10. · Technical sheet: F00148EN/07 Cat. Nos.: 526 00 to 526 27, 526 30 to 526 36, 526 40 to 526 48..... - . -

Hypra multipins connectors 526 50 to 526 58, 526 … · 2018. 8. 10. · Technical sheet: F00148EN/07 Cat. Nos.: 526 00 to 526 27, 526 30 to 526 36, 526 40 to 526 48..... - . -

Documents
CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream

CS526Topic 3: One-time Pad and Perfect Secrecy 1 Information Security CS 526 Topic 3 Cryptography: One-time Pad, Information Theoretic Security, and Stream

Documents
CS526Topic 7: User Authentication1 Information Security CS 526 Topic 7: User Authentication

CS526Topic 7: User Authentication1 Information Security CS 526 Topic 7: User Authentication

Documents
CS5261 Information Security CS 526 Topic 1 Overview of the Course Topic 1

CS5261 Information Security CS 526 Topic 1 Overview of the Course Topic 1

Documents
CS526Topic 8: Web Security Part 11 Information Security CS 526 Topic 8 Web Security Part 1

CS526Topic 8: Web Security Part 11 Information Security CS 526 Topic 8 Web Security Part 1

Documents
WESTERN REGION SECURITY OFFICE CHERYL L. WIESER REGIONAL SECURITY OFFICER 206-526-6653 Office 206-571-5774 Cell 206-526-4543 FAX 206-525-3967 ROBERT H

WESTERN REGION SECURITY OFFICE CHERYL L. WIESER REGIONAL SECURITY OFFICER 206-526-6653 Office 206-571-5774 Cell 206-526-4543 FAX 206-525-3967 ROBERT H

Documents
Sensitive Compartmented Information Facilities (SCIF) Cheryl L. Wieser, RSO Western Region Security Office 206-526-6653

Sensitive Compartmented Information Facilities (SCIF) Cheryl L. Wieser, RSO Western Region Security Office 206-526-6653

Documents