Week 7

Good Faith Policy

“These courses expects a high standard of professionalism from its students with regard to how security testing is conducted. We expect all students to act in good faith at all times […]”

TL;DR Don’t be mean

https://sec.edu.au/good-faith-policy

Current Leaderboard

✅ Report 1

teehee report 2 is out

Origin vs Site

What is an origin?

http://www.website.com:80

origin = scheme + host + port

What is a site?

http://www.website.com:80
https://mobile.website.com:443
ftp://f.website.com:21

site = private_domain + public_suffix

  • Scheme doesn’t matter
  • Port doesn’t matter
  • Just the domain!

http://www.website.com:80

 

origin = scheme + host + port

 

site = private_domain + public_suffix
site = domain

Cross-Origin Policy

  • Blocks external resource requests from/to a site
    • Why?
      • Security
      • Enforce usage limits
  • Enforces a “Same Origin Policy”
    • Only pages from the same origin (scheme + host + port) are allowed to use the response content
    • Unless the remote resource has the right Access-Control-* headers

test-cors.org

“Only pages from the same origin are allowed to use the response content”

  • Can I still make the request?
    • What does the server receive?
  • GET? POST? PUT?
  • OPTIONS?

"If I need to be on the allow list, then will my Python / Node.js / etc script still work?“

  • 🤷‍♂️ idk try it
    • Why does/doesn’t it work?
  • Browser - CORS Proxy
    • i.e. CORS Anywhere

Q. Does every program respect CORS?
(A. no)

Cookie - SameSite attribute

  • Strict - No cookie is sent
  • Lax - Only on navigation
    • No iframe
    • Only GET/HEAD
  • None - Cookies always sent

CSRF

“Heyyyy, look here 🥺 👉👈”

Tricking a user into performing an operation that they don’t intend

e.g Lecture Slide 25

CSRF Tokens

Stop CSRF attempts by supplying the user with a single-use ‘nonce’ value.

  • When the page loads, a nonce is included
    • e.g. cookie, header, HTML form
  • The nonce must be passed in the request

Can’t forge a request if you don’t know the nonce before hand… sort of…

CSRF Token Attacks
  • Better hope the server is handling CSRF tokens properly
  • Single. Use. grr.
  • Forge?
  • Override?

CSRF vs XSS

  • XSS - The JavaScript method
  • CSRF - The HTML method

Generally XSS is performed in the background
(since it’s a script exploit)

Clickjacking

Click

on

Jack

?

🙄

An overlay (possibly hidden or transparent) with a higher z-index than a form control (i.e. submit button)

When the user “clicks” on the button, they instead click on something else.

  • Trigger a script?
  • Redirect?
  • etc..

Or maybe the other way around?

A fake form that sits on top of a form. Causes the user to unintentionally interact with the legitimate form.

i.e. switch the Yes / No buttons around?

(pointer-events)

Note: The legitimate form can be in an iframe

Defense

Some extensions / JS magic can help to prevent clickjacking attempts.

Defense 2

X-Frame-Options

HTML Injection

  • XSS

  • HTML Injection

    • <script> –> JS injection

  • Some element tags are paired - <div>...</div>

  • Some are not… <img>

  • What if just added <s> without closing it?

  • Mitigation?

Deliverables

Nothing for this week :)

  • This topic’s challenges due next week
Home