Sec24_03_WebAttacks.pdf

Threat Model

• Web Security
• Network Security

Web Attacker

• Controls attacker.com
• Can obtain SSL/TLS cert

Network Attacker

• Listening on network

Types of Web Attacks

• HTTP
• Document Object Model
  • Browser Object Models
• Image Tag
  • Use another URL
  • Hide resulting image
  • Spoof other sites

Comparison to Operating Systems

• Primitives
  • Syscalls
  • Processes
  • Disk
• Primitives (Web)
  • DOM
  • Frames
  • Cookies/localstorage
• Principals: Users
  • Discretionary access control
• Principles: Origins (Web)
  • Cross/same origin

Browser Security Mechanism

• Each frame has an origin