WebFund 2014W Lecture 21

The video from the lecture given on March 28, 2014 is available:

• Small from screencast.com
• Large from screencast.com
• Original from CUOL

Notes

• Browser security
  • content-provider conflict
  • click fraud: fraud against advertisers, not ad networks
  • facilitated by cross-site scripting vulnerabilities (XSS)
  • also, cross-site request forgery (XSRF or CSRF)

XSS is just adding JavaScript to a page when you shouldn't be able to (from user-generated content).

XSRF is "confused deputy"

• one tab: malware.com
• another tab: bank.com, logged in
• bank has RESTful API (e.g., POST, GET) for money transfers
• what if malware.com does the same money transfer POST?
  • how can the bank server tell the difference?
• defenses: SSL, Origin: or Referer: headers

SQL Injection

Solution: input sanitization using whitelists when possible.