lecture2.html

<!DOCTYPE html>
<!--
	Web 2.0, CTU course slides
	(cc) 2010-2013 Tomas Vitvar, tomas@vitvar.com
-->
<html>

<head>
	<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
	<meta name="course" content="Web 2.0" />
	<meta name="lecture" content="Lecture 2" />
	<meta name="keywords" content="JSON, JSONP, JavaScript, AJAX, CORS" />

	<link type="text/css" rel="stylesheet" href="css/meta.css">
	</link>
	<link type="text/css" rel="stylesheet" href="css/ctu-fit.css">
	</link>
	<link type="text/css" rel="stylesheet" href="humla/lib/core/humla.css">
	</link>

	<script type="text/javascript" src="humla/lib/humla.js"></script>
	<title>Browser Networking</title>
</head>

<body>

	<footer>
		<p><b>#META_LECTURE#: #TITLE#</b>,&nbsp;<span class="meta_semester" />,&nbsp;
			<span class="meta_twitter" />
		</p>
		<p><b>&#8210; #SLIDE_NO# &#8210;</b></p>
	</footer>

	<div class="slide intro">
		<hgroup>
			<h1><span class="meta_course" /></h1>
			<h2>#META_LECTURE#: #TITLE#</h2>
		</hgroup>
		<div class="author">
			<p class="meta_author" />
			<p><span class="meta_email" /> &bull; <span class="meta_twitter" /> &bull;
				<span class="meta_web" />
			</p>
		</div>
		<center>
			<div class="meta_logo"></div>
		</center>
		<div class="org">
			<p class="meta_org" />
			<p><span class="meta_orgfac" /> &bull; <span class="meta_field" />
				&bull; <span class="meta_orgweb" /></p>
		</div>
		<div class="etc">
			<div class="text-info">
				Modified: #LAST_MODIFIED#<br />
				Humla v#HUMLA_VERSION#
			</div>
			<a href="http://creativecommons.org/licenses/by-sa/3.0/">
				<div class="license"></div>
			</a>
			<div class="oppa"></div>
		</div>
	</div>

	<div class="slide outline"></div>

	<section>
		<header>Browser Networking</header>

		<div class="slide">
			<hgroup>
				<h1>Browser Networking</h1>
			</hgroup>
			<ul class="x-small">
				<li>Browser</li>
				<ul>
					<li>Platform for fast, efficient and secure delivery of Web apps</li>
					<li>Many components</li>
					<ul>
						<li>parsing, layout, style calculation of HTML and CSS, JavaScript execution speed, rendering
							pipelines, and <b>networking stack</b></li>
					</ul>
					<li>When network is slow, e.g. waiting for a resource to arrive</li>
					<ul>
						<li>all other steps are blocked</li>
					</ul>
				</ul>
				<img src="img/browser-networking-api.png" style="height: 270px"></img>
			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>Connection Management</h1>
			</hgroup>
			<ul class="x-small">
				<li>Network socket management and optimization</li>
				<ul>
					<li>Socket reuse</li>
					<li>Request prioritization</li>
					<li>Protocol negotiation</li>
					<li>Enfocring connection limits</li>
				</ul>
				<li>Socket manager</li>
				<ul>
					<li>Sockets organized in pools (connection limits and security constraints)</li>
					<li>origin = (protocol, domain, port number)</li>
				</ul>
				<img src="img/socket-manager.png" style="height: 240px"></img>
			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>Network Security</h1>
			</hgroup>
			<ul class="x-small">
				<li>No raw socket access for app code</li>
				<ul>
					<li>Prevents apps from initiating any connection to host</li>
					<li>For example port scan, connect to mail server, etc.</li>
				</ul>
				<li>Network security</li>
				<ul>
					<li><b>Connection limits</b></li>
					<ul>
						<li>protect both client and server from resource exhaustion</li>
					</ul>
					<li><b>Request formatting and response processing</b></li>
					<ul>
						<li>Enforcing well-formed protocol semantics of outgoing requests</li>
						<li>Response decoding to protect user from malicious servers</li>
					</ul>
					<li><b>TLS negotiation</b></li>
					<ul>
						<li>TLS handshake and verification checks on certificates</li>
						<li>User is warned when verification fials, e.g. self-signed cert is used</li>
					</ul>
					<li><b>Same-origin policy</b></li>
					<ul>
						<li>Constraints on requests to be initiated and to which origin</li>
					</ul>
				</ul>
			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>Mashups</h1>
			</hgroup>
			<ul class="x-small">
				<li>Web application hybrid</li>
				<ul>
					<li>App uses APIs of two or more applications</li>
				</ul>
				<li>Types</li>
				<ul>
					<li>Data mashup &ndash; integration/aggregation of data (read only)</li>
					<li>Service mashup &ndash; more sophisticated workflows (read, write)</li>
					<li>Visualization &ndash; involves UI</li>
					<ul>
						<li>For example, third-party data displayed on the Google map</li>
					</ul>
				</ul>
				<li>Client-Server View</li>
				<ul>
					<li>client-side mashups (in a browser)</li>
					<ul>
						<li>JavaScript, Dynamic HTML, AJAX, JSON/JSONP</li>
					</ul>
					<li>server-side mashups</li>
					<ul>
						<li>server-side integration of services and data</li>
						<li>Any language</li>
					</ul>
				</ul>
			</ul>
		</div>

		<div class="slide outline"></div>

		<section>
			<header>XHR</header>

			<div class="slide">
				<hgroup>
					<h1>XMLHttpRequest (XHR)</h1>
				</hgroup>
				<ul>
					<li>Interface to utilize HTTP protocol in JavaScript</li>
					<ul>
						<li>standardized by <span id="webapps-wg" class="h-ref"></span> at W3C</li>
						<li>basis for AJAX</li>
						<ul>
							<li>Asynchronous JavaScript and XML</li>
						</ul>
					</ul>
					<li>Typical usage</li>
					<ol>
						<li>Browser loads a page that includes a script</li>
						<li>User clicks on a HTML element</li>
						<ul>
							<li>it triggers a JavaScript function</li>
						</ul>
						<li>The function invokes a service through XHR</li>
						<ul>
							<li>same origin policy, cross-origin resource sharing</li>
						</ul>
						<li>The function receives data and modifies HTML in the page</li>
					</ol>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>XHR Interface &ndash; Key Methods and Properties</h1>
				</hgroup>
				<ul class="x-small">
					<li>Method and properties of XHR object</li>
					<ul>
						<li><code>open</code>, opens the request, parameters:<br />
							&nbsp;&nbsp;&nbsp;&nbsp;<code>method</code> &ndash; method to be used (e.g. GET, PUT,
							POST),<br />
							&nbsp;&nbsp;&nbsp;&nbsp;<code>url</code> &ndash; url of the resource,<br />
							&nbsp;&nbsp;&nbsp;&nbsp;<code>asynch</code> &ndash; true to make asynchronous call,<br />
							&nbsp;&nbsp;&nbsp;&nbsp;<code>user</code>, <code>pass</code> &ndash; credentials for
							authentication.</li>
						<li><code>onReadyStateChange</code> &ndash; JavaScript function object, it is called when
							<code>readyState</code> changes (uninitialized, loading, loaded, interactive, completed).
						</li>
						<li><code>send</code>, <code>abort</code> &ndash; sends or aborts the request
							(for asynchronous calls)</li>
						<li><code>status</code>, <code>statusText</code> &ndash; HTTP status code and a
							corresponding text.</li>
						<li><code>responseText</code>, <code>responseXML</code> &ndash; response as text or
							as a DOM document (if possible).</li>
						<li><code>onload</code> &ndash; event listener to support server push.</li>
					</ul>
					<li>See <span id="xhr-w3c" class="h-ref"></span>, or
						<span id="xhr-moz" class="h-ref"></span> for a complete reference.
					</li>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>How XHR works</h1>
				</hgroup>
				<div style="height: 440px; margin-top: 20px" id="1kI3tlZl6PHZ_J_uwn_SVyT8_F05yE5Hi0B9pOEI37Z8"
					class="h-drawing"></div>
			</div>

		</section>

		<div class="slide outline"></div>

		<section>
			<header>Fetch API</header>

			<div class="slide">
				<hgroup>
					<h1>Fetch API</h1>
				</hgroup>
				<ul class="small">
					<li>XHR is callback-based, Fetch is promise-based</li>
					<li>Interface to accessing requests and responses</li>
					<ul>
						<li>Provides global <code>fetch</code> method to fetch resources asynchronously</li>
						<li>Can be easilly used in service workers</li>
						<li>Supports CORS and other extensions to HTTP</li>
					</ul>
					<li>Interfaces</li>
					<ul>
						<li><code>Request</code> &ndash; represents a request to be made</li>
						<li><code>Response</code> &ndash; represents a response to a request</li>
						<li><code>Headers</code> &ndash; represents response/request headers</li>
					</ul>
					<li>Basic usage:</li>
					<pre class="brush: javascript; class-name: 'tight'">
						async function logMovies() {
							const response = await fetch("http://example.com/movies.json");
							const movies = await response.json();
							console.log(movies);
						}</pre>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Making request</h1>
				</hgroup>
				<ul class="x-small">
					<li>A <code>fetch</code> function is available in global <code>window</code></li>
					<li>It takes <code>path</code> and returns <code>Promise</code></li>
					<pre class="brush: javascript; class-name: 'tight'">
						fetch('https://api.github.com/users/tomvit')
							.then(response => response.json())
							.then(data => console.log(data))
							.catch(error => console.error('Error:', error));</pre>
					<li>You can make <code>no-cors</code> request</li>
					<ul>
						<li>With Fetch, the request will be handled as with putting <code>src</code> to
							<code>img</code>
						</li>
					</ul>
					<pre class="brush: javascript; class-name: 'tight'">
						fetch('https://google.com', {
							mode: 'no-cors',
						  }).then(function (response) {
							console.log(response.type); 
						  });</pre>
					<li>You can access low-level body stream</li>
					<ul>
						<li>With XHR, the whole <code>responseText</code> would be loaded into memory.</li>
						<li>With Fetch, you can read chunks of response and cancel the stream when needed.</li>
					</ul>
			</div>

		</section>
	</section>

	<div class="slide outline"></div>

	<section>
		<header>Security Mechanisms</header>

		<div class="slide" id="sameorigin">
			<hgroup>
				<h1>Same Origin Policy</h1>
			</hgroup>
			<div style="height: 310px" id="1xg_D6b_EBQDYol5Kk7b-UdhbuVsbjBHfaKaNTgH_rkY" class="h-drawing"></div>
			<ul class="xx-small">
				<li>JavaScript code can only access resources on the same domain</li>
				<ul>
					<li>XHR to GET, POST, PUT, UPDATE, DELETE</li>
					<li>Browsers apply <b>same origin policy</b></li>
				</ul>
				<li>Solutions</li>
				<ul>
					<li>JSON and JSONP (GET only)</li>
					<li>Cross-origin Resource Sharing Protocol (CORS)</li>
				</ul>
			</ul>
		</div>

		<div class="slide outline"></div>

		<section>
			<header>Scripting Attacks</header>

			<div class="slide">
				<hgroup>
					<h1>Overview of Web Threats</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Scripting/Web attacks</li>
					<ul>
						<li>CSRF: attacker causes a user's browser to send an authenticated request</li>
						<li>XSS: attacker gets script to run in a trusted origin (steal data / act as user)</li>
						<li>Clickjacking: victim is tricked into clicking UI elements</li>
					</ul>
					<li>Modern context</li>
					<ul>
						<li>Single Page Apps (SPAs), APIs, OAuth logins, third-party scripts</li>
						<li>Browsers added new defenses: <code>SameSite</code> cookies, CSP, CORS, Trusted Types
						</li>
					</ul>
					<li>Roles in security scenarios</li>
					<ul>
						<li>Alice, Bob: regular users / sites</li>
						<li>Eve: passive attacker, man in the middle (MITM) (observes, phishes)</li>
						<li>Mallory: active attacker (injects content, modifies requests, drives victim browser)</li>
					</ul>
				</ul>
			</div>

			<div class="slide" id="modern-web-context">
				<hgroup>
					<h1>Modern Web Context</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Single Page Apps (SPAs)</li>
					<ul>
						<li>Initial HTML shell + heavy client-side rendering</li>
						<li>Many background requests via <code>fetch</code>/XHR; History API routing</li>
						<li>More DOM manipulation ⇒ higher risk of <b>DOM-based XSS</b></li>
					</ul>
					<li>APIs (JSON/GraphQL backends)</li>
					<ul>
						<li>UI often calls <code>api.*</code> subdomain or separate origin</li>
						<li><b>CORS</b> and preflight (<code>OPTIONS</code>) become common</li>
						<li>Auth choices:</li>
						<ul>
							<li>Cookies ⇒ need CSRF defenses (<code>SameSite</code>, tokens, <code>Origin</code> check)
							</li>
							<li>Bearer tokens ⇒ no classic CSRF, but XSS can steal tokens</li>
						</ul>
					</ul>
					<li>OAuth / OpenID Connect logins</li>
					<ul>
						<li>Redirect-based flows (IdP → app) with <code>state</code>/<code>nonce</code> validation</li>
						<li>Token storage and cookie policies affect security and reliability</li>
					</ul>
					<li>Third-party scripts</li>
					<ul>
						<li>Analytics, tag managers, widgets run with <b>same privileges</b> as first-party JS</li>
						<li>Supply-chain risk; mitigate with <b>CSP</b> (<code>script-src</code>), SRI, and limiting
							<code>connect-src</code>
						</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Recall: State, Sessions, and Cookies</h1>
				</hgroup>
				<ul class="small">
					<li>HTTP is stateless; sites add state via tokens</li>
					<ul>
						<li>Cookies (session cookies, persistent cookies)</li>
						<li>Bearer tokens (often in <code>Authorization: Bearer ...</code>)</li>
					</ul>
					<li>Session management patterns</li>
					<ul>
						<li>Stateful: server stores session data</li>
						<li>Stateless: signed tokens (e.g., JWT) stored client-side; server validates each request</li>
					</ul>
					<li>Cookie flags</li>
					<ul>
						<li><code>Secure</code>: only over HTTPS</li>
						<li><code>HttpOnly</code>: not readable by JavaScript</li>
						<ul>
							<li>Mitigates some XSS cookie theft, but not all attack scenarios</li>
						</ul>
						<li><code>SameSite</code>: limits cross-site cookie sending</li>
						<ul>
							<li>Major CSRF mitigation</li>
						</ul>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Cross-site Request Forgery (CSRF)</h1>
				</hgroup>
				<ul class="xx-small">
					<li>How it works</li>
					<ul>
						<li>Victim’s browser sends a request to <b>bank.com</b> with user's credentials (cookies)</li>
						<li>Attacker cannot read the response (SOP), but the <b>side effect</b> may still happen</li>
					</ul>
					<li>CSRF today</li>
					<ul>
						<li>Many browsers now default to <code>SameSite=Lax</code> (reduces CSRF via cross-site
							navigation)
						</li>
						<li>But CSRF is still relevant</li>
						<ul>
							<li>misconfigured <code>SameSite=None</code>, legacy apps, subdomain
								issues, OAuth flows</li>
						</ul>
					</ul>
					<li>Typical attack shapes</li>
					<ul>
						<li>Cross-site <code>&lt;form method="POST"&gt;</code> submit</li>
						<li>State-changing GET is still a bug, but many frameworks avoid it now</li>
					</ul>
					<li>Modern best practice</li>
					<ul class="xx-small">
						<li>Use <b>CSRF tokens</b> (synchronizer token pattern) or <b>double-submit cookie</b></li>
						<li>Set cookies: <code>SameSite=Lax</code> (default) or <code>Strict</code> where possible</li>
						<ul>
							<li>only use <code>None; Secure</code> when required</li>
						</ul>
						<li>Validate <code>Origin</code> header for state-changing requests (often better than
							<code>Referer</code>)
						</li>
						<li>Re-auth / step-up auth for high-risk actions</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>CSRF Example</h1>
				</hgroup>
				<ul class="x-small">
					<li>Attacker page causes a victim browser to submit a form to a target origin</li>
				</ul>
				<pre class="brush: html; class-name: 'tight'">
&lt;form action="https://bank.com/transfer" method="POST"&gt;
  &lt;input type="hidden" name="to" value="mallory" /&gt;
  &lt;input type="hidden" name="amount" value="50000" /&gt;
&lt;/form&gt;
&lt;script&gt;document.forms[0].submit()&lt;/script&gt;</pre>
				<ul class="x-small">
					<li>What makes this work?</li>
					<ul>
						<li>If the browser includes cookies for <code>bank.com</code> on this cross-site POST</li>
						<li>If server does not require or validate a CSRF token (or <code>Origin</code>)</li>
					</ul>
					<li>Why attackers like it</li>
					<ul>
						<li>No need to read responses; only need the action to succeed</li>
					</ul>
				</ul>
			</div>

			<div class="slide" id="csrf-tokens">
				<hgroup>
					<h1>CSRF Tokens</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Goal</li>
					<ul>
						<li>Prevent <b>cross-site request forgery</b> even when cookies are attached by the browser</li>
						<li>Server accepts a state-changing request only if it contains a <b>secret token</b></li>
					</ul>
					<li>Synchronizer Token Pattern (most common)</li>
					<ul>
						<li>Server creates a random token bound to the user session</li>
						<li>Token is embedded into HTML (form field) or sent as a header by JS</li>
						<li>On POST/PUT/DELETE: server verifies token matches the session</li>
					</ul>
					<li>Why it works</li>
					<ul>
						<li>Attacker can trigger a cross-site request (e.g., <code>&lt;form&gt;</code>)</li>
						<ul>
							<li>but cannot read
								the response page to obtain the token (prevented by SOP)</li>
						</ul>
						<li>Guessing a random token is not possible</li>
					</ul>
					<li>Implementation notes</li>
					<ul class="x-small">
						<li>Regenerate tokens periodically (or per form) and invalidate on logout</li>
						<li>Protect token delivery with HTTPS; avoid exposing it to third-party origins</li>
						<li>Use together with <code>SameSite</code> cookies and <code>Origin</code> checks</li>
					</ul>
					<pre class="brush: html; class-name: 'tight'">
						<form action="/transfer" method="POST">
							<input type="hidden" name="csrf_token" value="RANDOM_SESSION_BOUND_TOKEN"> ... 
						</form></pre>
				</ul>
			</div>

			<div class="slide" id="double-submit-cookie">
				<hgroup>
					<h1>Double-Submit Cookie</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Goal</li>
					<ul>
						<li>Block CSRF by requiring a <b>token to be sent twice</b>:</li>
						<ul>
							<li>as a <b>cookie</b> (automatically attached by the browser)</li>
							<li>and as a <b>request value</b> (hidden form field or custom header)</li>
						</ul>
						<li>Server accepts the request only if the two values <b>match</b></li>
					</ul>
					<li>Typical flow</li>
					<ul>
						<li>Server generates random token <code>T</code></li>
						<li>Browser stores <code>T</code> in cookie <code>csrf=T</code></li>
						<li>POST/PUT/DELETE: <code>T</code> in <code>csrf_token</code> (form field)
							or <code>X-CSRF-Token</code> (header)</li>
						<li>Server verifies: <code>Cookie[csrf] == token_in_body_or_header</code></li>
					</ul>
					<li>Why it works</li>
					<ul>
						<li>Attacker can trigger a cross-site request that includes cookies, but cannot read victim
							cookies/pages due to <b>SOP</b></li>
						<li>Attacker cannot reliably include the matching token in the request body/header
						</li>
					</ul>
					<li>Implementation notes</li>
					<ul class="xx-small">
						<li>Used for <b>stateless</b> setups (server does not store CSRF token in session)</li>
						<li>Use with <code>Secure</code> and HTTPS; combine with <code>SameSite</code> and
							<code>Origin</code> checks
						</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Cross-site Scripting (XSS)</h1>
				</hgroup>
				<ul class="xx-small">
					<li>How XSS works</li>
					<ul>
						<li>Attacker-controlled script runs in a trusted origin (e.g., <code>https://app.com</code>)
						</li>
						<li>Can read/modify DOM, make same-origin requests, extract data, act as the user</li>
					</ul>
					<li>Types</li>
					<ul>
						<li><b>Stored</b>: payload stored on server (posts, profiles)</li>
						<li><b>Reflected</b>: payload in request (query param) reflected into HTML</li>
						<li><b>DOM-based</b>: client-side JS inserts untrusted data into DOM unsafely</li>
					</ul>
					<li>Today's prevention</li>
					<ul>
						<li>Many apps use frameworks that reduce HTML injection</li>
						<ul>
							<li>But DOM-XSS via unsafe sinks still happens</li>
						</ul>
						<li>Third-party scripts and supply-chain risks can lead to "XSS-like" outcomes</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>XSS: What Attackers Do Today</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Common impact</li>
					<ul>
						<li>Session hijack is harder if cookies are <code>HttpOnly</code>, but attackers can still:</li>
						<ul>
							<li>Perform actions as the user (same-origin <code>fetch</code>)</li>
							<li>Steal sensitive DOM data (CSRF tokens in DOM, PII rendered in page)</li>
							<li>Keylog / credential phishing overlays</li>
							<li>Token theft when apps store tokens in <code>localStorage</code></li>
						</ul>
					</ul>
					<li>Mitigations</li>
					<ul>
						<li>Output encoding + safe templating</li>
						<li>Sanitize HTML if you must render it (allowlist-based sanitizers)</li>
						<li><b>Content Security Policy (CSP)</b> (reduce exploitability)</li>
						<li><b>Trusted Types</b> (Chrome/Chromium): block DOM-XSS sinks unless explicitly allowed</li>
					</ul>
				</ul>
			</div>

			<div class="slide" id="csp">
				<hgroup>
					<h1>Content Security Policy (CSP)</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Goal</li>
					<ul>
						<li>Mitigate XSS attacks by restricting what the page can load and
							execute
						</li>
						<li>Browser enforces a policy sent by the server (HTTP header or <code>&lt;meta&gt;</code>)</li>
					</ul>
					<li>Core idea</li>
					<ul>
						<li>Define allowlists for resource types (scripts, styles, images, connections, frames, ...)
						</li>
						<li>Block unexpected code execution (e.g., injected <code>&lt;script&gt;</code>, inline
							handlers)</li>
					</ul>
					<li>Common directives</li>
					<ul>
						<li><code>script-src</code>: where scripts can come from; can require <code>'nonce-...'</code> /
							hashes</li>
						<li><code>connect-src</code>: where JS can send requests (<code>fetch</code>/XHR/WebSocket)</li>
						<li><code>img-src</code>, <code>style-src</code>, <code>font-src</code>: resource allowlists
						</li>
						<li><code>object-src 'none'</code>: disable plugin content</li>
						<li><code>base-uri</code>: restrict <code>&lt;base&gt;</code> tag abuse</li>
						<li><code>frame-ancestors</code>: who may embed the page (clickjacking defense)</li>
					</ul>
				</ul>
			</div>

			<div class="slide" id="csp-example">
				<hgroup>
					<h1>Nonce-based CSP Example</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Policy (sent as HTTP response header)</li>
					<ul class="x-small">
						<li>Only load scripts from <code>self</code></li>
						<li>only execute inline scripts that carry the correct <b>nonce</b></li>
						<li>Allow XHR/WebSocket only to own origin and a trusted API</li>
						<li>Prevent plugins and clickjacking</li>
					</ul>
					<pre class="brush: plain; class-name: 'tight'">
Content-Security-Policy:
  default-src 'self';
  script-src 'self' 'nonce-ABC123';
  connect-src 'self' https://api.example.com;
  object-src 'none';
  base-uri 'self';
  frame-ancestors 'none'</pre>
				</ul>
				<ul class="xx-small">
					<li>Scripts in a page</li>
					<ul>
						<li>server must inject the same nonce into allowed inline scripts</li>
					</ul>
					<pre class="brush: html">
&lt;script nonce="ABC123"&gt;
  // allowed inline script
  window.appBoot();
&lt;/script&gt;

&lt;script&gt;
  // blocked inline script (missing nonce)
  alert('XSS');
&lt;/script&gt;</pre>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>XSS Example: DOM-based</h1>
				</hgroup>
				<ul class="xx-small">
					<li>Bug pattern: untrusted data flows into a dangerous DOM sink</li>
					<pre class="brush: javascript; class-name: 'tight'">
// URL: https://app.com/welcome?name=&lt;img src=x onerror=alert(1)&gt;
const params = new URLSearchParams(location.search);
const name = params.get("name");

// Dangerous sink:
document.querySelector("#welcome").innerHTML = "Hi " + name;</pre>
				</ul>
				<ul class="xx-small">
					<li>Fix</li>
					<ul>
						<li>Use <code>textContent</code> instead of <code>innerHTML</code></li>
						<li>If HTML is required, sanitize with a proven library and strict allowlist</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Historical XSS Examples</h1>
				</hgroup>
				<ul class="small">
					<li>Twitter in Sep 2010</li>
					<ul>
						<li>Injection of JavaScript code to a page using a tweet</li>
						<li>You posted following tweet to Twitter</li>
						<pre class="brush: plain">
								There is a great event happening at 
								http://someurl.com/@"onmouseover="alert('test xss')"/</pre>
						<li>Twitter parses the link and wraps it with <code>&lt;a></code> element</li>
						<pre class="brush: 'xml'">
								There is a great event happening at 
								&lt;a href="http://someurl.com/@"onmouseover="alert('test xss')" 
									target="_blank">http://someurl.com/@"onmouseover=
									"alert('test xss')"/&lt;/a></pre>
						<li>See details at <span id="twitter-xss" class="h-ref"></span></li>
					</ul>
					<li>Other example: Google Contacts</li>
				</ul>
			</div>

			<div class="slide" id="clickjacking">
				<hgroup>
					<h1>Clickjacking</h1>
				</hgroup>
				<ul class="xx-small">
					<li>How clickjacking works</li>
					<ul>
						<li>Attacker tricks a victim into clicking a UI element on a <b>trusted site</b></li>
						<li>Technique: embed the trusted site in an <code>&lt;iframe&gt;</code> and
							overlay it under a decoy button</li>
						<li>SOP blocks reading iframe contents, but clickjacking only needs the <b>click</b></li>
					</ul>
					<li>Example attack concept</li>
					<pre class="brush: html; class-name: 'tight'">
&lt;div id="decoy"&gt;
  Click to claim your prize
  &lt;button&gt;Claim&lt;/button&gt;
&lt;/div&gt;

&lt;!-- Invisible/transparent iframe aligned so victim's click hits "Confirm" --&gt;
&lt;iframe id="targetFrame" src="https://bank.com/transfer/confirm"&gt;&lt;/iframe&gt;

&lt;style&gt;
#targetFrame {
  position: absolute;
  top: 120px; left: 90px;   /* align target button under decoy */
  width: 1000px; height: 800px;
  opacity: 0.01; border: 0; /* nearly invisible */
}
#decoy { position: relative; z-index: 2; }
&lt;/style&gt;</pre>
				</ul>
				<ul class="xx-small">
					<li>Defenses</li>
					<ul>
						<li><code>Content-Security-Policy: frame-ancestors 'none'</code> (or allowlist trusted
							embedders)</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Quick Comparison: CSRF vs XSS</h1>
				</hgroup>
				<ul class="small">
					<li>CSRF</li>
					<ul>
						<li>Attacker <b>cannot</b> run code in the target origin</li>
						<li>Relies on browser automatically attaching credentials (cookies)</li>
						<li>Defenses: <code>SameSite</code>, CSRF tokens, <code>Origin</code> checks</li>
					</ul>
					<li>XSS</li>
					<ul>
						<li>Attacker <b>can</b> run code in the target origin</li>
						<li>Bypasses CSRF defenses (because requests are same-origin)</li>
						<li>Defenses: encoding/sanitization, CSP, Trusted Types, reduce secrets in DOM</li>
					</ul>
				</ul>
			</div>

		</section>

		<div class="slide outline"></div>

		<section>
			<header>Cross-origin Resource Sharing Protocol (CORS)</header>

			<div class="slide" id="CORS">
				<hgroup>
					<h1>Overview</h1>
				</hgroup>
				<ul>
					<li>Increasing number of mashup applications</li>
					<ul>
						<li>client-side mashups involving multiple sites</li>
						<li>mechanism to control an access to sites from within JavaScript</li>
					</ul>
					<li>Allow for <b>cross-site HTTP requests</b></li>
					<ul>
						<li>HTTP requests for resources from a different domain than the domain of the resource
							making
							the request.</li>
					</ul>
					<li>W3C Recommendation</li>
					<ul>
						<li>see <span class="h-ref" id="cors-w3c"></span></li>
						<li>Browsers support it</li>
						<ul>
							<li>see <span class="h-ref" id="cors-moz"></span> at Mozilla</li>
						</ul>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>CORS Protocol &ndash; GET</h1>
				</hgroup>
				<div style="height: 280px" id="1cAgbH75PndD38nY1IJo4QfN5Yp7siHQXfNF5oD6x9SM" class="h-drawing">
				</div>
				<ul class="x-small">
					<li>Read-only resource access via HTTP GET</li>
					<li>Headers:</li>
					<ul>
						<li><code>Origin</code> &ndash; identifies the origin of the request</li>
						<li><code>Access-Control-Allow-Origin</code> &ndash; defines who can access the resource
						</li>
						<li>either the full domain name or the wildcard (*) is allowed.</li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>CORS Protocol &ndash; other methods and "preflight"</h1>
				</hgroup>
				<div style="height: 320px" id="1-dVhDx5pka4BElYu0WzFkqkLQWsb8aphcy16l-bET80" class="h-drawing">
				</div>
				<ul class="xx-small">
					<li>Preflight request queries the resource using <code>OPTIONS</code> method</li>
					<ul>
						<li>requests other than GET (except POST w/o payload) or with custom headers</li>
						<li>A browser should run preflight automatically for any XHR request meeting preflight
							conditions</li>
						<li>The browser caches responses according to <code>Access-Control-Max-Age</code></li>
					</ul>
				</ul>
			</div>

		</section>
	</section>

	<div class="slide outline"></div>

	<section>
		<header>JSON and JSONP</header>

		<div class="slide">
			<hgroup>
				<h1>Recall: JSON</h1>
			</hgroup>
			<ul class="x-small">
				<li>JSON = JavaScript Object Notation</li>
				<ul>
					<li>Serialization format for data representation</li>
					<li>Very easy to use in JavaScript</li>
					<ul>
						<li>no need to use a parser explicitly</li>
					</ul>
					<li>Also great support in many programming environments</li>
				</ul>
				<li>Key constructs</li>
				<ul class="xx-small">
					<li><b>object</b> is a collection of comma-separated key/value pairs:<br />
						<code>{"name" : "tomas", "age" : 18, "student" : false, &nbsp;"car" : null}</code>
					</li>
					<li style="margin-top: 5px"><b>array</b> is an order list of values:<br />
						<code>[ "prague", "innsbruck", 45 ]</code>
					</li>
					<li style="margin-top: 5px">can be nested: objects as values in an <b>array</b>:<br />
						<code>[ { "name" : "tomas", "age" : 18 }, <br />&nbsp;&nbsp;{ "name" : "peter", "age" : 19 } ]</code>
					</li>
					<li style="margin-top: 5px">and the other way around: array as values in an <b>object</b>:<br />
						<code>{ "cities" : ["prague", "innsbruck"],<br />&nbsp;&nbsp;"states" : ["CZ", "AT"] }</code>
					</li>
					<li style="margin-top: 5px">A complete grammar see <span id="json" class="h-ref"></span></li>
				</ul>

			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>JSON in JavaScript</h1>
			</hgroup>
			<ul class="x-small">
				<li>Native data format</li>
				<pre class="brush: javascript; class-name: 'tight'">
					// data needs to be assigned
					var data = { "people" : ["tomas", "peter", "alice", "jana"] };
					
					// go through the list of people
					for (var i = 0; i < data.people.length; i++) {
					    var man = data.people[i];
					    // ... do something with this man
					}</pre>
				<li>Responses of service calls in JSON</li>
				<ul>
					<li>Many support JSON, how can we load that data?</li>
				</ul>
				<li>Example Request-Response</li>
				<pre class="brush: javascript; class-name: 'tight'">
						GET http://pipes.yahoo.com/pipes/pipe.run?_id=638c670c40c97b62&_render=json
						
					 	{"count":1,"value":  
						   {"title":"Web 2.0 announcements",
						    "description":"Pipes Output",
						    "link":"http:\/\/pipes.yahoo.com\/pipes\/pipe.info...",
						    "pubDate":"Mon, 07 Mar 2011 18:27:20 +0000",
						    "generator":"..."
						    ...
						   }
						}</pre>
			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>JSONP</h1>
			</hgroup>
			<ul class="x-small">
				<li>Service that supports JSONP</li>
				<ul>
					<li>allows to specify a query string parameter for a wrapper function
						to load the data in JavaScript code</li>
					<li>otherwise the data cannot be used in JavaScript</li>
					<ul>
						<li>they're loaded into the memory but assigned to nothing</li>
					</ul>
				</ul>
				<li>Example</li>
				<ul>
					<li>if a resource at <code style="zoom: 0.9">http://someurl.org/json_data</code> returns
						<pre class="brush: javascript; gutter: false">
							 { "people" : ["tomas", "peter", "alice", "jana"] }</pre>
						then the resource at<br />
						<code style="zoom: 0.9">http://someurl.org/json_data?_callback=loadData</code> returns
						<pre class="brush: javascript; gutter: false">
							 loadData({ "people" : ["tomas", "peter", "alice", "jana"] });</pre>
					</li>
				</ul>
				<li>A kind of workaround for the same origin policy</li>
				<ul>
					<li>only <code>GET</code>, nothing else works obviously</li>
					<li>no XHR, need to load the data through the dynamic <code>&lt;script></code> element</li>
				</ul>
			</ul>
		</div>

		<div class="slide">
			<hgroup>
				<h1>JSONP in JavaScript</h1>
			</hgroup>
			<ul class="xx-small">
				<li>JSONP example</li>
				<ul>
					<li>loads JSON data using JSONP by dynamically inserting <code>&lt;script></code>
						into the current document. This will download JSON data and triggers the script.</li>
				</ul>
				<pre class="brush: javascript">
					var TWITTER_URL = "http://api.twitter.com/1/statuses/user_timeline.json?" + 
					  "&screen_name=web2e&count=100&callback=loadData";
				
					// this needs to be loaded in window.onload
					// after all document has finished loading...
					function insertData() {
					    var se = document.createElement('script');
					    se.setAttribute("type","text/javascript");
					    se.setAttribute("src", TWITTER_URL);	
					    document.getElementsByTagName("head")[0].appendChild(se);	
					    // And data will be loaded when loadDta callback fires...
					}
				
					// loads the data when they arrive 
					function loadData(data) {
					    // we need to know the the structure of JSON data that is returned 
					    // and code it here accordingly
					    for (var i = 0; i < data.length; i++) {
					        data[i].created_at // contains date the tweet was created
					        data[i].text // contains the tweet
					    }
					}</pre>
			</ul>
		</div>

		<!--	<div class="slide">
				<hgroup>
					<h1>JSON Vulnerability</h1>
				</hgroup>
                <ul class="x-small">
                	<li>What it is</li>
                	<ul>
                		<li>JSON array data accessible via GET (normal access is via XHR)</li>
                		<li>Attacker may load the data in a <code>script</code>, redefine <code>Array</code> object,
                			and assign the data to a variable.</li>
                		<li>Attacker's page with a script that you access:</li>
                		<ul>
                			<li>your browser uses your cookies to load the resource</li>
                		</ul>
                	</ul>
                	<pre class="brush: html; highlight: [3,4]; class-name: tight">
                		&lt;script type="text/javascript">
                		var yourData;
                		Array = function() {
                			yourData = this;
                		}
                		&lt;/script>

                		&lt;script src="yourdomain.cz/yoursecretdata.json" type="text/javascript">&lt;/script></pre>
            		<li>Prevention</li>
            		<ul class="xx-small">
            			<li>Using prefix in the data &ndash; the prefix makes the JSON data invalid; the client must
            				strip the prefix before parsing the data as JSON</li>
            			<pre class="brush: javascript; class-name: tight">
            				[ "a": "account", 433, 5543 ]</pre>
            			<li>Use only POST for sensitive data</li>
            		</ul>
                </ul>					
			</div> -->

	</section>

	<!--	<div class="slide outline"></div>
	    		
		<section>
			<header>Application State</header>
			
			<div class="slide">
				<hgroup>
					<h1>Application State</h1>
				</hgroup>
				<ul class="x-small">
					<li>Application state in Web 1.0 apps</li>
					<div style="height: 260px; margin-left: -30px" 
						id="1ikPrTDmdmCzwR3OcGESteSMUnHQ-B9VRhuaOeQGki9A" class="h-drawing"></div>
					<li>Application state in Web 2.0 apps</li>
					<ul>
						<li>JavaScript code changes the state</li>
						<ul>
							<li>the URL should contain the state information</li>
						</ul>
						<li>JavaScript cannot modify the whole URL but only the hash (<code>#</code>) part</li>
						<li><code>http://seller.com/products</code> becomes <code>http://seller.com/#products</code></li>
					</ul>
				</ul>
			</div>

			<div class="slide">
				<hgroup>
					<h1>Application State and Web Crawling</h1>
				</hgroup>
				<ul class="x-small">
					<li>Obviously we want our pages to be crawlable</li>
					<ul>
						<li>JavaScript generated content on clients does not exist on the server</li>
					</ul>
					<div style="height: 250px; margin-left: -30px" id="1u-6vCrF9f6rojKEY2Dxtgrss06MckN4SV1f0YuF1ptU" 
					  class="h-drawing"></div>
					<li>Solutions</li>
					<ul>
						<li>Crawler runs headless Browser &ndash; not feasible</li>
						<ul>
							<li>high requirements for computing resources</li>
						</ul>
						<li>Server generates content according to specific rules</li>
						<ul>
							<li>Google AJAX Crawling</li>
						</ul>
					</ul>
				</ul>				
			</div>

			<div class="slide">
				<hgroup>
					<h1>Google AJAX Crawling</h1>
				</hgroup>
				<ul class="x-small">
					<li>Steps</li>
					<ol>
						<li>Web app provider exposes AJAX content with pretty URLs<br/>
						<code>http://seller.com/#!products</code></li>
						<li>Web crawler finds those URLs</li>
						<li>Web crawler transforms the pretty URL to ugly URL<br/>
						<code>http://seller.com/?_escapped_fragment_=products</code></li>
						<li>Web crawler access the content of the page at ugly URL and indexes it</li>
					</ol>
					<li>Prerequisites</li>
					<ul>
						<li>Web app provider must expose AJAX generated content at ugly URLs</li>
						<li>Options:</li>
						<ul>
							<li>uses a headless browser to generate the content at the server</li>
							<li>rewrites the JavaScript code in a server-side language</li>
						</ul>
					</ul>
					<li>Reference</li>
					<ul>
						<li>See <span id="ajax-crawling" class="h-ref"></span> for details</li>
					</ul>
				</ul>				
			</div>

		</section>	-->




</body>

</html>