CS 6431, Homework #2

1. Propose a client-side, browser-based defense that prevents a malicious webpage from forcing the browser to issue a request to another website P, which is "authenticated" by P's cookie and causes P to perform some action desired by the attacker (e.g., log the user into P as the attacker and display content from the attacker's account to the user).

2a. Many modern Web browsers will not execute any script that appears both in an HTTP request and the server’s response to that request. What attack is this defense supposed to prevent? Why does this defense work?

2b. Give a concrete example of a very similar attack that this defense will not prevent.

3. Explain how namespace injection attacks work on the Web.

4a. What is Content Security Policy (CSP) and how can a webpage use CSP to help prevent execution of malicious scripts?

4b. Why and how does CSP need to be relaxed when the DOM of the page is constructed on the client side?

4c. Pick any of the common ways to relax CSP. If a webpage relaxes its CSP in this way, explain what kind of "gadget" must be present in the page's trusted JavaScript code to enable injection of a malicious script into the HTML content shown in the user's browser.

5. Gadgets in return-oriented programming often require splicing together multiple instruction sequences found in the existing code. This is not the case for code-reuse attacks on Web frameworks: typically a gadget is just one piece of code. Why?