Difference between revisions of "WebFund 2014W Lecture 21"
Revision as of 14:08, 28 March 2014
- Browser security
  - content-provider conflict
  - click fraud: fraud against advertisers, not ad networks
  - facilitated by cross-site scripting vulnerabilities (XSS)
  - also, cross-site request forgery (XSRF or CSRF)
XSS is just adding JavaScript to a page when you shouldn't be able to, e.g., through user-generated content that the site renders without escaping it.
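As an added illustration (not from the lecture notes), the following JavaScript renders a user's comment into page markup two ways: concatenated raw, so that a comment containing a `<script>` tag becomes part of the page's code, and escaped first, so that the same text stays text. The comment widget, the `escapeHtml` helper and the sample comment are constructed for this example.

```javascript
// Added example (not from the lecture notes): rendering user-generated content
// into a page with and without HTML escaping. The comment below is a constructed
// sample; the list-item template is a hypothetical comment widget.

// Escape the five characters that let text break out of an HTML text node
// or out of a quoted attribute value.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the user's text is concatenated straight into markup,
// so a comment containing <script> is executed in every viewer's browser.
function renderCommentUnsafe(author, body) {
  return '<li><b>' + author + '</b>: ' + body + '</li>';
}

// Hardened rendering: the same data, but every user-controlled value is escaped
// before it touches the markup, so the browser shows it as text.
function renderCommentSafe(author, body) {
  return '<li><b>' + escapeHtml(author) + '</b>: ' + escapeHtml(body) + '</li>';
}

// Does the rendered markup contain any tag that did not come from the template?
// Strips the template's own <li>/<b> tags, then looks for anything tag-like.
function containsInjectedTag(html) {
  const stripped = html.replace(/<\/?(li|b)>/g, '');
  return /<[a-zA-Z/!]/.test(stripped);
}

// Constructed sample: a comment whose body tries to add a script to the page.
const sampleAuthor = 'mallory';
const sampleBody = 'nice post <script>alert("xss")</script>';

console.log('unsafe:', renderCommentUnsafe(sampleAuthor, sampleBody));
console.log('safe:  ', renderCommentSafe(sampleAuthor, sampleBody));
```

Escaping on output is the check that matters: the data stored in the database can stay as the user typed it, but nothing user-controlled should reach the HTML serializer without going through `escapeHtml` (or a template engine that escapes by default).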
- XSRF is a "confused deputy" problem
  - one tab: malware.com
  - another tab: bank.com, logged in
  - bank has RESTful API (e.g., POST, GET) for money transfers
  - what if malware.com does the same money transfer POST?
  - how can the bank server tell the difference?
  - defenses: SSL, Origin: or Referer: headers
- SQL Injection
- HTML5