Web Security: Attacks & Defenses

Goals

  • Understand attacks from a malicious server
  • Begin to master attacks on multi-server web applications
  • Apply principles and lessons from earlier in the course to WebAssembly

Web Frameworks

  • What security benefits do web frameworks offer?
  • What security risks do they introduce?
  • What is a remote-file inclusion vulnerability?
  • What is a mass-assignment vulnerability?

Malicious Servers

  • How can a web server learn about your browsing history?
  • How do iframes work?
  • How does the “Like” button work?
  • What is clickjacking?
    • What makes it effective?
    • How can clickjacking be mitigated?
  • How can iframes be used for evil?
    • How do benign websites try to mitigate this?

Multi-Party Web Applications

  • Give three examples of protocol design flaws that can allow a malicious client to manipulate a multi-party web application.
  • Which network-protocol-design principles do these flaws violate?
  • What steps can a developer take to prevent such attacks?
  • What is a session fixation attack?
    • What’s a general technique for preventing them?

WebAssembly

  • What goals do developers and end users have for code execution on the Web?
  • Give some historical examples of attempts to meet those goals and explain why they succeeded or failed
  • What is WebAssembly?
  • What are the goals for WebAssembly’s semantics and representation?
  • What lessons did WebAssembly incorporate from security flaws in previous languages like C?
  • How have formal methods been applied to WebAssembly?
    • What resulted?
  • Why and how is WebAssembly useful beyond the Web?