SpringerBriefs in Computer Science
Series Editors
Stan Zdonik, Computer Science Department, Brown University, Providence, Rhode Island, USA
Shashi Shekhar, University of Minnesota Dept. Computer Science & Engineering, Minneapolis, Minnesota, USA
Jonathan Katz, Dept. Computer Science, University of Maryland, College Park, Maryland, USA
Xindong Wu, University of Vermont Dept. Computer Science, Burlington, Vermont, USA
Lakhmi C. Jain, School of Electrical and Information Engineering, University of South Australia, Adelaide, South Australia, Australia
David Padua, University of Illinois Urbana-Champaign Siebel Center for Computer Science, Urbana, Illinois, USA
Xuemin (Sherman) Shen, Department of Electronic and Computer Engineering, University of Waterloo, Waterloo, Ontario, Canada
Borko Furht, Florida Atlantic University, Boca Raton, Florida, USA
V. S. Subrahmanian, Computer Science Department, University of Maryland, College Park, Maryland, USA
Martial Hebert, Carnegie Mellon University, Pittsburgh, Pennsylvania, USA
Katsushi Ikeuchi, Tokyo, Japan
Bruno Siciliano, Napoli, Napoli, Italy
Sushil Jajodia, George Mason University, Fairfax, Virginia, USA
Newton Lee, Newton Lee Laboratories, LLC, Tujunga, California, USA
SpringerBriefs present concise summaries of cutting-edge research and practical applications across a wide spectrum of fields. Featuring compact volumes of 50 to 125 pages, the series covers a range of content from professional to academic. Typical topics might include:
• A timely report of state-of-the art analytical techniques
• A bridge between new research results, as published in journal articles, and a contextual literature review
• A snapshot of a hot or emerging topic
• An in-depth case study or clinical example
• A presentation of core concepts that students must understand in order to make independent contributions
Briefs allow authors to present their ideas and readers to absorb them with minimal time investment. Briefs will be published as part of Springer’s eBook collection, with millions of users worldwide. In addition, Briefs will be available for individual print and electronic purchase. Briefs are characterized by fast, global electronic dissemination, standard publishing contracts, easy-to-use manuscript preparation and formatting guidelines, and expedited production schedules. We aim for publication 8-12 weeks after acceptance. Both solicited and unsolicited manuscripts are considered for publication in this series.
More information about this series at http://www.springer.com/series/10028
Philippe De Ryck • Lieven Desmet
Frank Piessens • Martin Johns
Primer on Client-Side Web Security
Philippe De Ryck, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Frank Piessens, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Lieven Desmet, iMinds-DistriNet, KU Leuven, Heverlee, Belgium
Martin Johns, SAP Research, Karlsruhe, Germany
ISSN 2191-5768   ISSN 2191-5776 (electronic)
ISBN 978-3-319-12225-0   ISBN 978-3-319-12226-7 (eBook)
DOI 10.1007/978-3-319-12226-7
Springer Cham Heidelberg New York Dordrecht London
Library of Congress Control Number: 2014953777
© Philippe De Ryck, Lieven Desmet, Frank Piessens, Martin Johns 2014
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Exempted from this legal reservation are brief excerpts in connection with reviews or scholarly analysis or material supplied specifically for the purpose of being entered and executed on a computer system, for exclusive use by the purchaser of the work. Duplication of this publication or parts thereof is permitted only under the provisions of the Copyright Law of the Publisher’s location, in its current version, and permission for use must always be obtained from Springer. Permissions for use may be obtained through RightsLink at the Copyright Clearance Center. Violations are liable to prosecution under the respective Copyright Law.
The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Printed on acid-free paper
Springer is part of Springer Science+Business Media (www.springer.com)
Preface
Have you ever wondered why all of a sudden, normal users start posting strange messages on social networks? How wireless routers can be controlled remotely? Why eBay accounts could be hijacked with a single HTTP request? Or why a news Web site suddenly shows a page from the Syrian Electronic Army? All of these incidents were possible due to attackers controlling some code within the victim’s browser, a result of the current state of practice in Web security, which is less than stellar. As security researchers, we are concerned by the large gap between the state of practice and the currently available security technologies, which are often inspired by security research. In an effort to improve this situation, we have written this book, which gives a detailed view on the client-side Web security landscape. We explicitly focus on client-side security vulnerabilities, which are exploited from within a browser or explicitly target the browser, because they generally receive less attention compared to their server-side counterparts. In total, we cover 13 attacks, for which we give a detailed description, an overview of traditional mitigation techniques, and current state-of-the-art research. For each attack, we also describe the current state of practice in Web applications, and define the best practices to defend against these attacks in the modern age.
We have written this book with several target audiences in mind. It offers students, teachers, and trainers an introduction into the field of client-side Web security, with an extensive reference list for learning more about each topic. The best practices can be translated into teaching material for secure software development courses. The book helps junior researchers to quickly get up to speed in the field, and offers an overview of the current state-of-the-art for experienced researchers, who are looking for new opportunities to explore. Finally, developers and security practitioners get an overview of the current state of practice, and the upcoming state-of-the-art technologies. They should use the best practices in the book to improve the state of practice, which is beneficial for all users on the Web.
This book grew from our experience as security researchers¹ working on Web security, with a strong focus on client-side Web security topics such as cross-site request forgery, cross-site scripting, session management problems, and clickjacking. We also actively participate in European Web security projects, such as STREWS², WebSand³, and NESSoS⁴, and collaborate with the W3C and IETF standardization committees, further expanding our view on the current state of practice, state-of-the-art, and best practices.
We would like to explicitly acknowledge the support of the Agency for Innovation by Science and Technology (IWT), the STREWS project, where a preliminary version of this book was written as a first deliverable, and the IWT-SBO project SPION⁵, which provided valuable insights in the privacy and security concerns of contemporary Web applications.
¹ Philippe De Ryck, Lieven Desmet, and Frank Piessens are affiliated with the iMinds-DistriNet research group at KU Leuven University (Belgium), and Martin Johns is affiliated with SAP Research (Germany).
² https://www.strews.eu/.
³ https://www.websand.eu/.
⁴ http://www.nessos-project.eu/.
⁵ http://www.spion.me/.
Contents
1 The Relevance of Client-Side Web Security  1
1.1 The Web at a Glance  2
1.2 Client-Side Web Security  6
1.3 Purpose of this Book  8
References  9
2 Traditional Building Blocks of the Web  11
2.1 Traditional Web Technology  11
2.1.1 Loading Web Content  12
2.1.2 Authentication and Authorization  12
2.1.3 Cookies and Session Management  13
2.2 Browser Security Policies  14
2.2.1 Same-Origin Policy  14
2.2.2 Security Model for Third-Party Content Inclusion  15
2.2.3 Context Navigation Policy  17
2.3 Extending the Client-Side Features  18
2.3.1 Plugins for Arbitrary Content  19
2.3.2 Browser Extensions  20
2.4 Enhancing the User’s Window on the Web  21
References  23
3 The Browser as a Platform  25
3.1 The Synergy Between Browsers and Devices  25
3.2 From Rendering Engine to Feature-Rich Platform  27
3.2.1 Client-Side Storage  27
3.2.2 Communication Mechanisms  28
3.2.3 Mobile Features  29
3.2.4 Registering Default Applications  29
3.3 Transforming the Browser into an Operating System  29
References  31
4 How Attackers Threaten the Web  33
4.1 Threat Models in Literature  33
4.1.1 Forum Poster  34
4.1.2 Web Attacker  34
4.1.3 Gadget Attacker  34
4.1.4 Related-Domain Attacker  35
4.1.5 Related-Path Attacker  35
4.1.6 Passive Network Attacker  36
4.1.7 Active Network Attacker  36
4.2 Threat Models as Concrete Attacker Capabilities  37
4.2.1 Send Requests to an Application  37
4.2.2 Register Own Domain  37
4.2.3 Host Content Under Own Domain  39
4.2.4 Respond to Requests from Own Domain  39
4.2.5 Register a Valid TLS Certificate for Own Domain  39
4.2.6 Manipulate Target’s Domain-based Data  40
4.2.7 Manipulate Target’s Client-Side Context  40
4.2.8 Eavesdrop on Network Traffic  40
4.2.9 Generate Network Traffic  40
4.2.10 Intercept and Manipulate Network Traffic  43
4.3 Conclusion  41
References  42
5 Attacks on the Network  43
5.1 Eavesdropping Attacks  43
5.1.1 Description  44
5.1.2 Mitigation Techniques  44
5.1.3 State of Practice  45
5.1.4 Best Practices  46
5.2 Man-in-the-Middle Attacks (MitM)  46
5.2.1 Description  47
5.2.2 Mitigation Techniques  48
5.2.3 State of Practice  49
5.2.4 Best Practices  50
5.3 Protocol-level Attacks on HTTPS  50
5.3.1 Overview of Attacks  51
5.3.2 State of Practice  52
References  53
6 Attacks on the Browser’s Requests  57
6.1 Cross-Site Request Forgery  57
6.1.1 Description  58
6.1.2 Mitigation Techniques  60
6.1.3 State of Practice  62
6.1.4 Best Practices  62
6.2 UI Redressing  62
6.2.1 Description  63
6.2.2 Mitigation Techniques  65
6.2.3 State of Practice  66
6.2.4 Best Practices  66
References  66
7 Attacks on the User’s Session  69
7.1 Session Hijacking  69
7.1.1 Description  69
7.1.2 Mitigation Techniques  71
7.1.3 State of Practice  73
7.1.4 Best Practices  73
7.2 Session Fixation  73
7.2.1 Description  74
7.2.2 Mitigation Techniques  75
7.2.3 State of Practice  76
7.2.4 Best Practices  76
7.3 Authenticating With Stolen Credentials  76
7.3.1 Description  77
7.3.2 Mitigation Techniques  77
7.3.3 State of Practice  79
7.3.4 Best Practices  79
References  79
8 Attacks on the Client-Side Context  83
8.1 Cross-Site Scripting  83
8.1.1 Description  84
8.1.2 Mitigation Techniques  85
8.1.3 State of Practice  86
8.1.4 Best Practices  87
8.2 Scriptless Injection Attacks  87
8.2.1 Description  87
8.2.2 Mitigation Techniques  88
8.2.3 Best Practices  89
8.3 Compromised Script Inclusions  89
8.3.1 Description  90
8.3.2 Mitigation Techniques  90
8.3.3 State of Practice  91
8.3.4 Best Practices  91
References  92
9 Attacks on the Client Device  95
9.1 Drive-By Downloads  95
9.1.1 Description  96