WebFund 2014W Lecture 21

From Soma-notes
Revision as of 14:08, 28 March 2014 by Soma (talk | contribs) (Created page with "* Browser security ** content-provider conflict ** click fraud: fraud against advertisers, not ad networks ** facilitated by cross-site scripting vulnerabilities (XSS) ** also...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search
  • Browser security
    • content-provider conflict
    • click fraud: fraud against advertisers, not ad networks
    • facilitated by cross-site scripting vulnerabilities (XSS)
    • also, cross-site request forgery (XSRF or CSRF)

XSS is just adding JavaScript to a page when you shouldn't be able to (from user-generated content).

XSRF is "confused deputy"

  • one tab: malware.com
  • another tab: bank.com, logged in
  • bank has RESTful API (e.g., POST, GET) for money transfers
  • what if malware.com does the same money transfer POST?
    • how can the bank server tell the difference?
  • defenses: SSL, Origin: or Referer: headers

SQL Injection


  • HTML5
Retrieved from "https://homeostasis.scs.carleton.ca/wiki/index.php?title=WebFund_2014W_Lecture_21&oldid=18951"