CS155: Computer and Network Security

CS155: Homework #2

Spring 2012

Due: Saturday, May 26


Problem 1: Same-origin policy

The browser same-origin policy (SOP) consists of several different policies, including an SOP for DOM access and an SOP for cookie access. The SOP for DOM access is based on the triple (protocol, host, port), while the SOP for sending cookies to sites involves the domain and path. Cookies designated "secure" are sent by the browser over HTTPS only. In current browsers, reading document.cookie in an HTTP context does not reveal secure cookies.

Suppose the SOP for DOM access was defined using only host and port (as was the case in Safari until Safari 3.0) and did not include the protocol.

  1. Explain how a network attacker could steal facebook.com cookies that are designated "secure".
    Hint: A facebook user may log in using a form served over HTTPS, but then receive a facebook.com page served over HTTP. Try injecting JavaScript into the page served over HTTP.
  2. Under the same assumptions, is it possible for a web attacker to steal facebook.com cookies that are designated "secure"? Describe an attack or explain why you believe none exists. Recall that a web attacker can set up a malicious web site and operate a browser to visit any site, but cannot intercept or forge network packets. Assume the user is willing to visit any site set up by the web attacker, but the web attacker can only set up web sites at domains other than facebook.com. For this part let's assume that the facebook.com site has no XSS vulnerabilities.

Problem 2: User tracking

Most popular browsers let users block 3rd party cookies. This makes it more difficult for 3rd party sites, such as ad networks, to track users across connections. In class we described the HSTS header: a security mechanism that lets a domain specify that all connections to that domain must be over HTTPS. Typically, browsers will record HSTS headers even when they are provided by 3rd party domains. Explain how a 3rd party can use HSTS to track a user across connections even when the user's browser blocks 3rd party cookies. Your goal is to identify when two independent HTTP requests sent one day apart (over independent TCP connections) are originating from the same browser. Assume that the user is behind a proxy servicing many machines so that the request's source IP address cannot be used to track the user.

Problem 3: Secure open redirects

Many sites use public scripts that take a URL as a parameter and send the browser to that URL. For example, on LinkedIn, the following link is used to redirect the browser to a user's personal homepage:
http://www.linkedin.com/redirect?url=http://crypto.stanford.edu/cs155
Sites use redirects to learn that the user clicked on an external link. Search engines, for example, use redirects to learn what search result the user clicked on. While open redirects are widely used, they pose a security risk. A phisher, for example, can create a LinkedIn phishing page and trick the user into clicking on
http://www.linkedin.com/redirect?url=http://phisher.com
Clicking on this link will lead to the phishing page, but users may think they are clicking on a link to LinkedIn. Your goal is to design a secure redirect script that will only redirect to URLs that the site approves. Note that it is unreasonable for the redirect script to maintain a whitelist of all allowed redirect targets. First, external links are frequently added and removed. Second, in the case of a search engine, all links are valid links.
  1. A first idea is to rely on the Referer header. In the case of LinkedIn, the redirect script would check that the Referer header is a LinkedIn page, and ignore all other redirect requests. Explain why this approach does not work.
  2. Propose a secure method. That is, a single redirect script that will only redirect to URLs authorized by the site. Make sure to describe your method in sufficient detail.
    Hint: use cryptography.
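As an added illustration of the kind of design the hint points toward (not part of the assignment, and not LinkedIn's actual implementation), the following Python sketch attaches an HMAC tag to each external link the site renders, so the redirect script accepts only links the site itself produced. The parameter name `sig`, the helper names and the key value are assumptions; the key is a constructed placeholder.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Assumption: a server-side secret known only to the site. Constructed placeholder value.
SECRET_KEY = b"constructed-demo-key-not-for-real-use"
REDIRECT_BASE = "http://www.linkedin.com/redirect"


def sign_target(target: str, key: bytes = SECRET_KEY) -> str:
    """Tag over the exact target string; only the holder of the key can produce it."""
    return hmac.new(key, target.encode("utf-8"), hashlib.sha256).hexdigest()


def make_redirect_link(target: str, key: bytes = SECRET_KEY) -> str:
    """Called when the site renders an approved external link (a profile URL, a
    search result, ...). No whitelist is needed: each rendered link carries its
    own tag, so newly added links work and a search engine can sign every result."""
    return f"{REDIRECT_BASE}?{urlencode({'url': target, 'sig': sign_target(target, key)})}"


def resolve_redirect(link: str, key: bytes = SECRET_KEY):
    """Server-side check run by the redirect script: return the target to redirect
    to, or None if the link lacks a tag or the tag does not verify."""
    qs = parse_qs(urlparse(link).query)
    target = qs.get("url", [None])[0]
    sig = qs.get("sig", [None])[0]
    if target is None or sig is None:
        return None
    expected = sign_target(target, key)
    # Constant-time comparison; compare bytes so a non-ASCII tag cannot raise.
    if not hmac.compare_digest(sig.encode("utf-8"), expected.encode("utf-8")):
        return None
    return target


if __name__ == "__main__":
    good = make_redirect_link("http://crypto.stanford.edu/cs155")
    print(resolve_redirect(good))                                   # the target
    # A link built by someone without the key carries no valid tag and is refused.
    print(resolve_redirect("http://www.linkedin.com/redirect?url=http://phisher.com"))
```

Because the tag covers the whole target string, swapping the `url` value in a signed link (while keeping the old `sig`) is refused as well.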

Problem 4: Cookies

  1. Explain what httpOnly cookies are.
  2. What attack are httpOnly cookies intended to prevent? Give an example attack that does not work if the site uses httpOnly cookies, but works with normal cookies. Make sure to provide a sketch of the vulnerable code and the attack URL (ignoring URL encoding, e.g., do not encode spaces).
  3. Give an example XSS exploit where httpOnly cookies do not improve security.

Problem 5: DNS Rebinding

DNS rebinding is an attack that uses DNS to subvert the same-origin policy in web browsers. In effect, a limitation of the same-origin policy is that it depends on domain names. Therefore, if an attacker is able to manipulate the meaning of domain names, the attacker can overcome restrictions imposed by the same-origin policy. There is an illustration of DNS rebinding in the lecture slides. The information you need about DNS is covered in the assigned reading called A Security Evaluation of DNSSEC with NSEC3.

In the example shown in the lecture slide, a web user wants to visit a site www.evil.com whose web page and DNS server are controlled by a malicious attacker. The malicious DNS server for evil.com returns an IP address 171.64.7.115 for www.evil.com. An unusual part of the RR from the DNS server is that it has a short Time To Live (TTL) of 0. Based on the response from the DNS server, the web user retrieves a web page from 171.64.7.115 that may contain malicious JavaScript. The web user then requests the page at www.evil.com again. This time, the evil.com DNS server returns 192.168.0.100. If the web browser implements the same-origin policy as we have discussed in class, then the web browser will let JavaScript downloaded from www.evil.com access content associated with 192.168.0.100.

  1. This attack assumes that the web user visits a malicious site. Give three ways that an attacker may attract honest users to their site. (Do not assume that the malicious site is actually called evil.com.)
  2. How can the content from 171.64.7.115 cause the user's browser to send the second HTTP request to www.evil.com?
  3. Why does the second request for www.evil.com cause a second request to the evil.com DNS server?
  4. Suppose that the page at 192.168.0.100 contains names and addresses of the corporate employees, organized in a systematic way. How can the attacker controlling evil.com send this information back to evil.com?
  5. Is blocking RRs with TTL=0 at the firewall an effective defense against DNS rebinding? Explain briefly.
  6. What firewall rule will prevent this particular attack? (Assume a DNS RR is contained in a single packet.)
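As an added example (not part of the assignment or the lecture material), the Python sketch below models a boundary-side DNS response filter: it forwards answers unchanged except when a name outside the enterprise's own zones resolves to an internal address, and it replays the two constructed lookups from the lecture sequence above. The `INTERNAL_ZONES` value and the record tuples are assumptions; the filter deliberately does not look at the TTL.

```python
import ipaddress
from typing import List, Tuple

# Assumption: the enterprise's own DNS zones. Names under these may legitimately
# map to internal addresses; every other name is treated as external. Placeholder.
INTERNAL_ZONES = ("corp.example.",)

# One A/AAAA answer as (owner name, address, ttl). Constructed, not parsed from wire.
Answer = Tuple[str, str, int]


def is_internal_name(name: str) -> bool:
    """True when the owner name lies in one of the enterprise's zones."""
    n = name.rstrip(".") + "."
    return any(n == z or n.endswith("." + z) for z in INTERNAL_ZONES)


def is_internal_address(rdata: str) -> bool:
    """RFC 1918 and other non-routable ranges: loopback, link-local, unspecified.
    Non-address rdata (a malformed record) is not treated as internal."""
    try:
        ip = ipaddress.ip_address(rdata)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified


def filter_response(answers: List[Answer]) -> Tuple[List[Answer], List[Answer]]:
    """Split a response into (forwarded, dropped). An external name answered
    with an internal address is the rebinding signature and is dropped; TTL is
    ignored, so a TTL=0 answer to a genuinely external address still passes."""
    kept, dropped = [], []
    for name, rdata, ttl in answers:
        if is_internal_address(rdata) and not is_internal_name(name):
            dropped.append((name, rdata, ttl))
        else:
            kept.append((name, rdata, ttl))
    return kept, dropped


# Constructed replay of the lecture's two lookups for www.evil.com.
FIRST_LOOKUP: List[Answer] = [("www.evil.com.", "171.64.7.115", 0)]
SECOND_LOOKUP: List[Answer] = [("www.evil.com.", "192.168.0.100", 0)]

if __name__ == "__main__":
    for resp in (FIRST_LOOKUP, SECOND_LOOKUP):
        kept, dropped = filter_response(resp)
        print("forward:", kept, " drop:", dropped)
```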

Problem 6: Firewalls

Consider three kinds of firewalls: (1) stateless packet-filter firewalls, (2) stateful packet-filter firewalls, and (3) application-layer gateways. For each of the following attacks, state the simplest form of firewall that can be placed between an enterprise network and the external Internet to detect and significantly mitigate the attack. If none of the three kinds will work, write 0. Explain each answer briefly.
  1. Port sweep
  2. SYN flooding (too many SYN packets with no matching ACK)
  3. DNS cache poisoning
  4. Viruses in incoming email addressed to enterprise users
  5. Unrequested streaming video
  6. Preventing an external network attacker from setting a secure cookie using HTTP