By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Slides:



Advertisements
Similar presentations
Nick Feamster CS 6262 Spring 2009
Advertisements

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
JavaScript is a client-side scripting language. Programs run in the web browser on the client's computer. (PHP, in contrast, is a server-side scripting.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Server-Side vs. Client-Side Scripting Languages
1 Chapter 12 Working With Access 2000 on the Internet.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.
4.1 JavaScript Introduction
1 CS 3870/CS 5870 Static and Dynamic Web Pages ASP.NET and IIS.
HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.
CSCI 6962: Server-side Design and Programming Course Introduction and Overview.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Overview of Previous Lesson(s) Over View  ASP.NET Pages  Modular in nature and divided into the core sections  Page directives  Code Section  Page.
CSCI 6962: Server-side Design and Programming Secure Web Programming.
BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University
Web 2.0 Security James Walden Northern Kentucky University.
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.
JavaScript is a client-side scripting language. Programs run in the web browser on the client's computer. (PHP, in contrast, is a server-side scripting.
Extending HTML CPSC 120 Principles of Computer Science April 9, 2012.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim
School of Computing and Information Systems CS 371 Web Application Programming Security Avoiding and Preventing Attacks.
© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. 1 RubyJax Brent Morris/
Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.
Web Applications Testing By Jamie Rougvie Supported by.
By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.
Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.
Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.
Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.
 Previous lessons have focused on client-side scripts  Programs embedded in the page’s HTML code  Can also execute scripts on the server  Server-side.
8 Chapter Eight Server-side Scripts. 8 Chapter Objectives Create dynamic Web pages that retrieve and display database data using Active Server Pages Process.
 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.
What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.
Introduction of XSS:-- Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted.
JavaScript and Ajax (JavaScript Environment) Week 6 Web site:
By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,
DISCLAIMER  Hacking is only legal under the following circumstances: 1. You hack (penetration test) a device/network you own. 2. You gain explicit, documented.
IST 210: PHP Basics IST 210: Organization of Data IST2101.
Carrie Estes Collin Donaldson.  Zero day attacks  “zero day”  Web application attacks  Signing up for a class  Hardening the web server  Enhancing.
By Collin Donaldson Man in the Middle Attack: Password Sniffing and Cracking.
SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.
Javascript worms By Benjamin Mossé SecPro
Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory
Group 18: Chris Hood Brett Poche
XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)
CSCE 548 Student Presentation Ryan Labrador
An Introduction to Web Application Security
Web Application Vulnerabilities, Detection Mechanisms, and Defenses
Database Driven Websites
Client-Server Model: Requesting a Web Page
Exploring DOM-Based Cross Site Attacks
Security and JavaScript
Cross-Site Scripting Attack (XSS)
Presentation transcript:

By Collin Donaldson

Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit, documented permission from an individual, assumedly a friend. 3.You acquire an Ethical Hacker Certification and perform penetration tests for a public or private sector organization with explicit permission to do so. This is the safest of the three methods. Hacking is illegal in all other circumstances. Hackers can be charged with fines, misdemeanors, and/or felonies depending on severity and accounts of hacks. For these reasons I will not be demonstrating any live hacking attempts in the wild. For more information DISCLAIMER

Cross-Site Scripting (XSS) is type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client- side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. According to Symantec (2007) 84% of computer security vulnerabilities were linked to XSS. XSS attacks can be used for a variety of purposes: stealing cookies/accounts/PII, defacing websites, injecting worms, malware attacks, DOS attacks, bypassing restriction, session hijacking, phishing attacks, etc. Definition

Persistent: The Persistent or Stored XSS attack occurs when the malicious code submitted by attacker is saved by the server in the database, and then permanently it will be run in the normal page. Reflected: The injected code will be send to the server via HTTP request. The server embed the input with the html file and return the file (HTTP Response) to browser. When the browser executes the HTML file, it also execute the embedded script. DOM (Document object model): Allows client-side-scripts to dynamically access and modify the content, structure, and style of a webpage via the document of the DOM. Like server-side scripts, client-side scripts can also accept and manipulate user input with the help of DOM. Types of XSS

Finding Vulnerable Websites: A better option than just searching random websites is using google dorks from exploit database. Google dorks are nicknames for exploits that google has inadvertently found and made known via it’s web crawler Use search terms such as "?search=" or ".php?q=" or “ 1337” If you are going to test your own site, you have to check every page in your site for the vulnerability. Step One

Testing the Exploit: First find a data entry point, like a search box or a username/password field. Type a String into the field and click view source. Look for something like “ Hello myString ” this is the format we want to see. Check to see if the input is sanitized by typing in “ ” and clicking view source. If you see something like the String example, the website is vulnerable. If we see something like this “<script&gt” than the website is not vulnerable. Step Two

Using the Exploit: As a final test of whether the exploit will work, type in a JavaScript command such as “ alert(‘myString') ” into the data field. If a pop-up appears that reads “myString” than you can further exploit the website. Further exploitation will be covered in the next presentation. Step Three

Basic Codes alert("XSS") alert("XSS"); alert('XSS') "> alert("XSS") alert(/XSS") alert(/XSS/) When inside Script tag: alert(1) ‘; alert(1); ')alert(1);// XSS Cheat Sheet

The easiest and best way to defend against an XSS attack is to sanitize all input. Few hackers will bother trying to un-sanitize input on your site when they can instead attack another website that does not have sanitized input. A lot of fields must be sanitized including but not limited too: The document.write() function The document.writeln() function The eval() function, which executes JavaScript code from a string The execScript() function, which works similarly to eval() The setInterval(), setTimeout(), and navigate() functions The.innerHTML property of a DOM element Certain CSS properties which allow URLs such as.style,.backgroundImage,.listStyleImage, etc. The event handler properties like.onClick, which take JavaScript code as their values Defending against XSS

FIN

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.