web security
Summary
Threat models
- malicious end system
- malicious web server that the victim is lured to
- compromised client with access to the target server
- MITM (man-in-the-middle)
- impersonation
- phishing
Misleading the user
- typosquatting
- delimiter abuse
- address bar spoofing, tricking the browser into displaying a fake URL
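The three "misleading the user" tricks above all exploit the gap between the host a reader sees in a link and the host the browser actually resolves. The following is an added example (not part of the original notes) that inspects a URL from a defender's side, as a mail gateway or link scanner would: it compares the apparent host with the effective host, flags the userinfo delimiter (`user@` placed before the real host), and compares the registered domain against the domain the link claims to belong to, catching one- or two-character typosquats and lookalike subdomains. The `expected` parameter, the sample URLs and the two-label approximation of a registered domain are assumptions of this example; production code should use the Public Suffix List.

```python
"""Compare the host a casual reader *sees* in a URL with the host the browser
will *use*, and flag delimiter abuse, typosquats and lookalike subdomains."""
from urllib.parse import urlsplit


def effective_host(url: str) -> str:
    """Host the browser actually connects to (RFC 3986 parsing via urlsplit)."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
        raise ValueError("not an http(s) URL with a host: %r" % url)
    return parts.hostname.lower()


def apparent_host(url: str) -> str:
    """First host-looking token after '://': what a skimming reader takes for the site.
    The scan stops at any of / ? # : @ so 'bank.example@evil.example' reads as 'bank.example'."""
    _, _, rest = url.partition("://")
    token = []
    for ch in rest:
        if ch in "/?#:@":
            break
        token.append(ch)
    return "".join(token).lower()


def registered_domain(host: str) -> str:
    """Approximation (assumption): last two labels. Use the Public Suffix List in real code."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss (typosquatted) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def inspect_url(url: str, expected: str) -> dict:
    """Return the effective/apparent hosts plus a list of findings relative to the
    domain the link claims to belong to ('expected', an assumed caller-supplied value)."""
    eff = effective_host(url)
    app = apparent_host(url)
    reg = registered_domain(eff)
    expected = expected.lower()
    findings = []
    if "@" in urlsplit(url).netloc:
        findings.append("userinfo-delimiter")        # 'something@' precedes the real host
    if app != eff:
        findings.append("apparent-host-mismatch")    # reader and browser disagree on the host
    if reg != expected:
        if edit_distance(reg, expected) <= 2:
            findings.append("possible-typosquat")    # e.g. bamk.example vs bank.example
        elif expected in eff:
            findings.append("lookalike-subdomain")   # bank.example.evil.example
        else:
            findings.append("domain-mismatch")
    return {"effective_host": eff, "apparent_host": app,
            "registered_domain": reg, "findings": findings}


# Constructed sample links (not real sites) for a quick demonstration.
SAMPLE_LINKS = [
    "https://bank.example/login",
    "https://bank.example@evil.example/login",
    "https://bank.example.evil.example/login",
    "https://bamk.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(link, "->", inspect_url(link, "bank.example"))
```

The `apparent_host` scan deliberately mirrors how people read, not how parsers work; the interesting output is precisely where the two disagree, which is the case the address-bar and delimiter tricks rely on.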
Concept
Hypertext Transfer Protocol (HTTP)
- operates at the application layer
- HTTPS relies on PKI (certificates and TLS) to create a secure channel
HTTPS is HTTP on top of TLS
Browser
- runs with user privileges
- can access local files
- handles user secrets in cookies
- supports 3rd-party add-ons, which expand the attack surface
- Uniform Resource Locator (URL)
Other attacks
- tracking
- web bugs/beacons
- cookies
- drive-by download: automatic download/execution without the user's consent
- pixel stealing: steal visual data from the display
- clickjacking: manipulate the UI, e.g. with invisible buttons
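Two of the items in these notes have well-known header-level mitigations: clickjacking is blocked by refusing to be framed (CSP `frame-ancestors`, with the older `X-Frame-Options` as fallback), and the "user secrets in cookies" and tracking-cookie concerns come down to the `Secure`, `HttpOnly` and `SameSite` attributes on `Set-Cookie`. The following is an added example, not part of the original notes, that audits a captured set of response headers for both. It applies the browser rule that a CSP `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are present, and treats the obsolete `ALLOW-FROM` form as no protection. The header list and cookie names are constructed sample data.

```python
"""Audit HTTP response headers for clickjacking protection and cookie hardening."""
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]   # WSGI-style list so repeated Set-Cookie headers survive


def _first(headers: Headers, name: str) -> Optional[str]:
    for k, v in headers:
        if k.lower() == name.lower():
            return v
    return None


def _all(headers: Headers, name: str) -> List[str]:
    return [v for k, v in headers if k.lower() == name.lower()]


def frame_policy(headers: Headers) -> Dict[str, object]:
    """Decide whether the page may be embedded by other sites (the clickjacking precondition).
    CSP frame-ancestors, when present, overrides X-Frame-Options, as browsers do."""
    csp = _first(headers, "Content-Security-Policy")
    if csp:
        for directive in csp.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                sources = [t.lower() for t in tokens[1:]]
                if "*" in sources:
                    return {"protected": False, "source": "csp",
                            "detail": "frame-ancestors allows any origin"}
                # an empty source list means 'none' per the CSP spec
                return {"protected": True, "source": "csp",
                        "detail": " ".join(sources) or "'none'"}
    xfo = _first(headers, "X-Frame-Options")
    if xfo:
        value = xfo.strip().upper()
        if value in ("DENY", "SAMEORIGIN"):
            return {"protected": True, "source": "xfo", "detail": value}
        # ALLOW-FROM and typos are ignored by current browsers
        return {"protected": False, "source": "xfo", "detail": "unsupported value " + value}
    return {"protected": False, "source": None,
            "detail": "no framing policy; any site can embed this page"}


def cookie_findings(headers: Headers) -> List[Dict[str, object]]:
    """List cookies missing Secure, HttpOnly or a restrictive SameSite value."""
    findings = []
    for raw in _all(headers, "Set-Cookie"):
        parts = [p.strip() for p in raw.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        missing = []
        if "secure" not in attrs:
            missing.append("Secure")          # cookie would also travel over plain HTTP
        if "httponly" not in attrs:
            missing.append("HttpOnly")        # script (incl. add-ons' content scripts) can read it
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            missing.append("SameSite=Lax/Strict")  # sent on cross-site requests, tracking-friendly
        if missing:
            findings.append({"cookie": name, "missing": missing})
    return findings


def audit_response_headers(headers: Headers) -> Dict[str, object]:
    return {"framing": frame_policy(headers), "cookies": cookie_findings(headers)}


# Constructed sample response (not captured from any real site).
SAMPLE_HEADERS: Headers = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Set-Cookie", "pref=1; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    print(audit_response_headers(SAMPLE_HEADERS))
```

Run against a saved response, the audit names the one cookie that is readable by script and sent cross-site, and reports that nothing stops the page from being framed; adding `Content-Security-Policy: frame-ancestors 'none'` (or `'self'` for pages that legitimately frame themselves) flips the framing result.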