Copyright 2007 © The OWASP FoundationPermission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
The OWASP Foundationhttp://www.owasp.org
Safe Browsing
OWASP
Safe Browsing: Class Outline
Web Browsers – How they work generally speaking. Over view of how browsers work How many think they work vs how they really work Live group participation demo - maybe
Browsers – What's available out there? Current state of affairs Cornucopia of browsers Outlook = IE??
Making browsing safer, better and more anonymous. Online hazards overview BHO and other add-ons Browser Security Checks Multiple browser ninjutsu Tor – hiding in plain sight (well sort of)
OWASP
Web Browsers – How they work generally speaking. Web Browser: a software application used to locate
and display web pages and other online content. The two most popular browsers are Internet Explorer (IE) by Microsoft, Safari by Apple and Firefox (FF) by Mozilla.com. Browsers read HTML files and render the text, images, videos, etc. for the user and provide a mechanism to link various web pages together.
Browser Market Share as of July 2007:IE 7 20.1% IE 6 36.9%FF 34.5%Safari 1.5%Opera 1.9%
OWASP
Web Browsers – Lies and Statistics
See Also: http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
From: http://marketshare.hitslink.com/report.aspx?qprid=0
From: http://www.w3schools.com/browsers/browsers_stats.asp
OWASP
How browsers work (or so you'd think)
1. Enter URL into your browser
2. Server sends you a web page
OWASP
How browsers really work
Enter a URL into a browser Breaks the URL into a host + path
Asks a DNS server for an IP address for the host DNS server returns a IP address for that host
Browser sends a request to the IP address If no port is given, port 80 is used Path is used to determine what file to send Server replies to the request – usually sends a HTML file
Browser reads the HTML file and asks for all the files referenced in the original HTML file
These additional files could be images, more HTML, or other types on content.
Additional files could reside on different hosts requiring more DNS requests
After browser gets all the pieces, it renders a single “page”
OWASP
What is this IP business anyway?
Every computer on the Internet (or any network) will have a special number associated with it called the IP address. By using this number, network traffic can be directed from its origin to the destination.
How can I tell what my IP address is? IP Chicken!
http://www.ipchicken.com
OWASP
Browsers: What's out there?
Even though Windows XP will label IE “Internet”, there are many, many ways to view the web
OWASP
OK, so who are the real contenders?
IE and FF are the two leaders in the web browser space as they account for somewhere slightly greater then 90% of web browsers, depending on who you ask. An independent researcher compared IE to FF looking at
how many days each browser had a known vulnerability and there wasn't a patch available.
98% unsafe orthere we only 7 days in 2006 where IE was vulnerability free
15% unsafe (7% unsafe on Windows) orthere were 309 days in 2006 where FF was vulnerability free (30 days were Mac only)
OWASP
Hurray, FF 3!
Mozilla.com just released Firefox version 3!http://www.mozilla.com/en-US/firefox/features/
http://www.mozilla.com/en-US/firefox/security/
OWASP
Don't forget about third party candidates.
Opera is a really nice browser as wellDoesn't have the market share of the big 2
(that could be a good thing)Runs on Windows / Mac / LinuxHas a ton of unique featuresDoesn't have as many
plugins/add ons as FFGood track record on
security patchingSpeed dial is pretty slickBecoming a favorite of
mine for 'general browsing'
OWASP
So, should I switch? How painful will that be?
OWASP
Which is which?
OWASP
By the way...
Outlook = IE (more in our Email security class)
OWASP
Making browsing a better place
Browsers work by asking a server for files and then rendering the end result of the request(s).
There are a ton of browsers out there with IE and FF the most popular. FF edges out IE historically for features and security. Opera is a good option too.
Making browsing safer, better and more anonymous. Online hazards overview BHO and other add-ons Browser Security Checks Multiple browser ninjutsu Tor – hiding in plain sight (well sort of)
Quick Review:
So now we know about browsers, what's next
OWASP
SSL: Browsers security issues solved
HTTP vs HTTPS HTTP is very similar to email in its evolution HTTP is by design insecure, particularly to eavesdropping
and interception/modification of content HTTPS was developed to mitigate this risk
HTTPS does Keeps communication between browser and server
hidden from view Provides some verification of the server you are talking to
HTTPS doesn't Stop malicious traffic from passing between browsers and
servers Stop XSS, XSRF, SQL-I, application logic flaws..
Not really...
OWASP
HTTPS / SSL / TLS Illustrated
Demo “Good” and “Bad” certificates
OWASP
The Internet is a pretty rough place at times...
As web browsing has increased in popularity and other security weakness have been addressed, browsers are now a very likely target
Making browsers behave badly Phishing - an attempt to criminally and fraudulently acquire
sensitive information, such as usernames, passwords and credit card details, by masquerading as a trustworthy entity online
Browser Hijacking - the modification of a web browser's settings by malware. The term "hijacking" is used as the changes are performed without the user's permission. Can be difficult to reverse.
Drive by Installs – When web site uses a browser flaw to install software of their choice when a user views a specially crafted web page.
OWASP
Phishing Illustrated
Thursday, July 3rd: http://www.f-secure.com/weblog/archives/00001466.html
OWASP
If that's not scary enough...
Browsers are only where online attacks start With the wide variety of content online, users have come to
rely on additional programs to make more and varied content available inside the browser
A vulnerability in one of these helper applications can lead to the compromise of the browser and likely the computer system itself.
Recent popular choices Adobe Acrobat
Vulnerability published 2008-06-24 Flash/Shockwave
Vulnerability published 2008-05-28 Java
Vulnerability published 2008-07-09
OWASP
Helper Applications aren't the only ones
HTML is a static language – originally meant to display text and some simple images People wanted web pages which did more
At the time, Netscape was the dominant browser and they came up with something called LiveScript LiveScript allowed a programming language to be included
with HTML so that computer processing could happen within the browser
LiveScript was renamed JavaScript after Sun launched the Java language. Sadly, JavaScript has no real connection to Java except the name.
XSS, XSRF, Phishing sites and many other attack vectors rely on using/breaking Javascript to the advantage of the attacker
OWASP
Hacking: Now commercially supported with updates
MPack is a web application designed to exploit known web browser vulnerabilities Primarily focuses on IE but FF & Opera are also targets An automated system to try exploit after exploit in an
attempt to find a vulnerable browser Commercial software costing from $500 to $1000 Estimated to have infected ~160,000 computers Includes a management console which enumerates the
browsers which have been compromised New versions are released each month and additional
modules can be installed to increase its functionality
Browser hacking has reached new levels of sophistication with the introduction of tools like MPack
OWASP
OK, I'm scared. Can you stop talking?
The general IT security stuff Keep your computer OS patched Keep your other software updated to the most recent
version (Java, Acrobat, Flash...) Install and keep updated
Anti-Virus software Anti-Spyware software
Keep out of the bad 'neighborhoods' on the Internet Be careful about downloading programs you're not
100% familiar with or that are email'ed to you. Consider attending the other security classes
Luckily there are things you can do to not be a victim
OWASP
And how do I keep all my stuff updated???
http://secunia.com/software_inspector/
OWASP
Browser Specific Recommendations
Firefox is the smart choice for your web browser Has had a better track record of addressing security issues Has a built in update mechanism so keeping the browser
updated is rather painless Tons of add-ons which can greatly increase security
Watch out for “Toolbars” - particularly for IE Many of the tool bars will add many handy functions to your
browsing experience However, many of them will “phone home” and report on
your browser habits – a definite privacy concern You can bury your browser under multiple toolbars
Some web sites won't work with FF, so keep another browser around for those (Windows Update)
OWASP
When Toolbars go bad
OWASP
Still scared? Have a cookie!
Brief overview of cookies and their reason for being (at least web browser cookies)
Cookies can make your browsing experience much richer but can also be used to track your as you travel from site to site
In and of themselves, they are just some text stored on your computer, you just have to decide how much privacy you want
Can also have security ramificationsRecent Gmail cookie hackOWA and its cookie
OWASP
Making Firefox even better
No-Script Gives you the option to decide who you trust (and don't)
while browsing online Defaults to dis-allowing scripts and other programs from
running unless you says its OK. You will find pages which this breaks (until you allow them to
run scripts) https://addons.mozilla.org/en-US/firefox/addon/722
User-Agent :For sites which check what browser you are using Many of these will work fine with FF but you've got to trick
the web site first https://addons.mozilla.org/en-US/firefox/addon/59
This barely scratches the surface. Poke around Mozilla's add-on site for many, many more
OWASP
Click by click security
For almost any browser, some simple security settings can go a long way to getting you safe.
http://www.cert.org/tech_tips/securing_browser/ Instead of adding a zillion slides
with screenshots, a great page with blow-by-blow instructions is at the link above.
For the more paranoid using FF, delete all your private data while browsing.
OWASP
Why stop at just one
Another trick is to use one browser for your “important” surfing and another for “casual” browsing. That way data from one can't leak to the other (generally speaking)
Tor – Geeky stuff to keep your surfing anonymous Tor stands for The Onion Router Using Tor, your traffic enters the Tor network and is
encrypted The Tor network bounces your traffic inside it self
enough that determining where you originated from is very difficult.
You exit the Tor network at an 'Exit Node' and are decrypted and flow over the Internet as normal
FF users can easily combine Tor with FoxyProxy add-on
OWASP
Links, Links and more Links
Web browser definedhttp://en.wikipedia.org/wiki/Web_browser
Site dedicated to helping the average PC user safe on the Internethttp://surfthenetsafely.com/
Great site for explicit instructions on how to secure the browser of your choice.http://www.cert.org/tech_tips/securing_browser/
Microsoft article on how to secure web browsing (IE only)http://www.microsoft.com/protect/computer/advanced/browsing.mspx
Article on browser security in generalhttp://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=197700134
Article comparing IE to FFhttp://itmanagement.earthweb.com/secu/article.php/3698606
More browser vs. browser comparisonhttp://www.pcworld.com/article/id,118959-page,1/article.html
Article on how IE in particular is becoming a popular target of attackshttp://www.pcworld.com/article/id,134949-page,1-c,browsersecurity/article.html
OWASP
Links, Links and more Links
Article on the MPack Attack Kithttp://www.pcworld.com/article/id,136286-page,1-c,browsersecurity/article.html
Article on the rise of the malicious web serverhttp://www.darkreading.com/document.asp?doc_id=131584
Blog post about the Phishing example used in this classhttp://www.f-secure.com/weblog/archives/00001288.html
Article on hacking 2.0 – (Ab)using interactivity http://isc.sans.org/diary.html?storyid=3106
Web page which discusses alternative browsers (where a lot of the icons I used came from)http://www.alternativebrowseralliance.com/browsers.html
No-Script Firefox add-onhttps://addons.mozilla.org/en-US/firefox/addon/722
User-Agent Switcher Firefox add-onhttps://addons.mozilla.org/en-US/firefox/addon/59
OWASP
Links, Links and more Links
Password Maker Firefox add-on (I've not tried this one, yet)https://addons.mozilla.org/en-US/firefox/addon/469
Tor Network for anonymous browsinghttp://tor.eff.org/
Browser Statisticshttp://www.w3schools.com/browsers/browsers_stats.asp
http://marketshare.hitslink.com/report.aspx?qprid=0
http://en.wikipedia.org/wiki/Usage_share_of_web_browsers
Blog with Phishing Example:http://www.f-secure.com/weblog/archives/00001466.html
Secunia Software Inspector Online Scanner:http://secunia.com/software_inspector/
Firefox 3: http://www.mozilla.com/en-US/firefox/
OWASP
Questions?