September 2, 2016

Web Exploitation 101

We cover the internals of most modern web browsers and web server architectures to present deep overview of the massive attack surface associated with web applications and web browsing. The big picture is revisited and we discuss how modern binary exploitation techniques still heavily apply to each attack vector. Then we examine the growing security problem of indirect/background queries and the sharp rise of malicious 3rd party content and advertisements.

We introduce HTTP proxies, and demonstrate BurpSuite tool for intercepting web traffic. The final half of the lecture focuses on client-side web attack and defense. We examine the Data Object Model (DOM), javascript and how it can change the DOM, the Same-origin-Policy (SOP) and several SOP bypass techniques, and how this all applies for various Cross Site Scripting (XSS) family techniques (XSRF, CSRF, etc). We discuss meta-character injection and how it encompasses XSS and other techniques. Finally defenses are demonstrated.

[ Slides ] [ Discussion ]

Interested in having your homework graded? Contact us to learn about grading options. The release schedule for this course is available here.

No comments:

Post a Comment

Note: Please keep comments academic in nature.