WebFund 2014W Lecture 21: Difference between revisions
Created page with "* Browser security ** content-provider conflict ** click fraud: fraud against advertisers, not ad networks ** facilitated by cross-site scripting vulnerabilities (XSS) ** also..." |
No edit summary |
||
| (One intermediate revision by the same user not shown) | |||
| Line 1: | Line 1: | ||
The video from the lecture given on March 28, 2014 is available: | |||
* [http://www.screencast.com/t/jQhGZ5JGw4 Small from screencast.com] | |||
* [http://www.screencast.com/t/Gypsm1VoYfM Large from screencast.com] | |||
* [http://dl.cuol.ca/capture/Anil.Somayaji/COMP_2406_2014W_Lecture_21_-_20140328_142413_27.mp4 Original from CUOL] | |||
==Notes== | |||
* Browser security | * Browser security | ||
** content-provider conflict | ** content-provider conflict | ||
| Line 15: | Line 24: | ||
* defenses: SSL, Origin: or Referer: headers | * defenses: SSL, Origin: or Referer: headers | ||
SQL Injection | <tt>SQL Injection</tt> | ||
Solution: input sanitization using whitelists when possible. | |||
Latest revision as of 20:45, 28 March 2014
The video from the lecture given on March 28, 2014 is available:
Notes
- Browser security
- content-provider conflict
- click fraud: fraud against advertisers, not ad networks
- facilitated by cross-site scripting vulnerabilities (XSS)
- also, cross-site request forgery (XSRF or CSRF)
XSS is just adding JavaScript to a page when you shouldn't be able to (from user-generated content).
XSRF is "confused deputy"
- one tab: malware.com
- another tab: bank.com, logged in
- bank has RESTful API (e.g., POST, GET) for money transfers
- what if malware.com does the same money transfer POST?
- how can the bank server tell the difference?
- defenses: SSL, Origin: or Referer: headers
SQL Injection
Solution: input sanitization using whitelists when possible.