Web Security: Attacks & Defenses
Goals
- Understand attacks from a malicious server
- Begin to master attacks on multi-server web applications
- Apply principles and lessons from earlier in the course to WebAssembly
Web Frameworks
- What security benefits do web frameworks offer?
- What security risks do they introduce?
- What is a remote-file inclusion vulnerability?
- What is a mass-assignment vulnerability?
Malicious Servers
- How can a web server learn about your browsing history?
- How do iframes work?
- How does the “Like” button work?
- What is clickjacking?
- What makes it effective?
- How can clickjacking be mitigated?
- How can iframes be used for evil?
- How do benign websites try to mitigate this?
Multi-Party Web Applications
- Give three examples of protocol design flaws that can allow a malicious client to manipulate a multi-party web application.
- Which network-protocol-design principles do these flaws violate?
- What steps can a developer take to prevent such attacks?
- What is a session fixation attack?
- What’s a general technique for preventing them?
WebAssembly
- What goals do developers and end users have for code execution on the Web?
- Give some historical examples of attempts to meet those goals and explain why they succeeded or failed.
- What is WebAssembly?
- What are the goals for WebAssembly’s semantics and representation?
- What lessons did WebAssembly incorporate from security flaws in previous languages like C?
- How have formal methods been applied to WebAssembly?
- Why and how is WebAssembly useful beyond the Web?