Web Security: Attacks & Defenses

Goals

• Understand attacks from a malicious server
• Begin to master attacks on multi-server web applications
• Apply principles and lessons from earlier in the course to WebAssembly

Malicious Servers

• How can a web server learn about your browsing history?
• How do iframes work?
• How does the “Like” button work?
• What is clickjacking?
  • What makes it effective?
  • How can click-jacking be mitigated?
• How can iframes be used for evil?
  • How do benign websites try to mititgate this?

Multi-Party Web Applications

• Give three examples of protocol design flaws that can allow a malicious client to manipulate a multi-party web application.
• Which network-protocol-design principles do these flaws violate?
• What steps can a developer take to prevent such attacks?
• What is a session fixation attack?
  • What’s a general technique for preventing them?

WebAssembly

• What goals do developers and end users have for code execution on the Web?
• Give some historical examples of attempts to meet those goals and why they succeed or failed
• What is WebAssembly?
• What are the goals for WebAssembly’s semantics and representation?
• What lessons did WebAssembly incorporate from security flaws in previous languages like C?
• How have formal methods been applied to WebAssembly?
  • What resulted?
• Why and how is WebAssembly useful beyond the Web?