SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Presentation transcript:

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations

Input to your Website: How does a user input information to your site? How does your server-side code process the input? How do you store the input? Does the input later appear on your site? Verbatim?

Lab Exercise (teams of 3): Visit this website, and post a message!

Lab Exercise (teams of 3): Visit this website, and post a message! – X is your group number: 1,2,3,4,5,6,7 – Ex. group 2 is: group2/bufftalk.py. Now break it to mess up the display – no JavaScript.

Displaying User Content ** Dangerous, but necessary in all social media! Bare Minimum Security Options: 1. Check all strings for HTML tags, reject them. 2. Replace the > and < characters with &gt; and &lt; (entity-encode them so the browser displays them as text instead of parsing them as markup). 3. (need a lot more if databases are involved)

Injection: HTML vs JavaScript. HTML injection can ruin a page's display, but not much else. JavaScript injection can steal information: – It can read your cookies – Redirect to other (fake) websites

Lab Exercise: 1. Inject JavaScript, but do not break the page. – Why would a malicious hacker not want to visibly break it? 2. Find out what cookies are stored for the page. 3. Inject JavaScript to display the user's name to the screen ("I see you username").

Cross-site Scripting (XSS): Trick the client browser into executing malicious code (JS/HTML). Targets clients of Web applications, not the application itself. Parties involved: – Attacker – Server – Client (victim): runs the malicious code in its browser

Cross-site scripting attacks: 1. Victim uses a web site that sets cookies on the victim's browser. 2. Victim clicks on a URL link or visits a web site containing the evil script. 3. Victim's browser transmits the evil code to the target site as an HTTP request. 4. Target site reflects the evil code back to the victim's browser in response to the request. 5. Evil script executes within the victim's browser under the security context of the target site.

Reflective XSS – e.g. a URL link contains the malicious script. Parties: Victim, Attacker, Application. 1. Victim logs in to facebook.php and is issued a cookie: Set-Cookie: sessionID=abc 2. Victim clicks on URL: var a=new Image(); a.src=‘ 3. Victim sends HTTP GET request for var a=new Image(); a.src=‘ 4 & 5. Victim executes the JavaScript 6. Attacker hijacks victim's facebook session using their sessionID

Stored XSS – a malicious post on a public forum contains a malicious script which will execute in the victim's browser. Parties: Victim, Attacker, Application. 1. Victim logs in to facebook.php and is issued a cookie: Set-Cookie: sessionID=abc 2. Attacker posts “ document.writeln(‘ “ to the victim's FB wall 3. Victim sees the FB wall and sends HTTP GET request to 4 & 5. Victim executes the JavaScript 6. Attacker hijacks victim's facebook session using their sessionID

Causes of XSS: Failed input validation. User input is displayed back in the same form. Attacker injects malicious code into a non-malicious site – the client gets the code from the website and cannot distinguish between legitimate and malicious content.

Let's just block <script>!! Easy enough: check all input strings for <script> and reject them. Is that good enough?

XSS Defense: – Input filtering – Set encoding of HTML pages – Output encoding. More at: vention_Cheat_Sheet
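The bare-minimum options from the "Displaying User Content" slide (reject posts containing tags, or entity-encode the markup characters) and the defenses listed on this slide (output encoding, declaring the page encoding) side by side, as an added example written for this transcript; it is not code from the course's bufftalk.py, and the sample wall posts are constructed.

```python
import html
import re

# Constructed sample wall posts (not data from the course site).
SAMPLE_POSTS = [
    "Hello from group 2!",
    "A post mentioning the <b> tag breaks layout if echoed verbatim",
    "<script>alert(1)</script>",
    'quote " apostrophe \' ampersand &',
]

TAG_RE = re.compile(r"<[^>]*>")


def reject_tags(post):
    """Slide option 1: accept a post only if it contains no HTML tag at all.
    Simple, but it also refuses harmless posts that merely mention a tag, and
    a narrower deny-list of specific tags would need to know every dangerous
    tag and attribute the browser understands."""
    return TAG_RE.search(post) is None


def encode_output(post):
    """Slide option 2 / 'output encoding': replace the characters the browser
    parses as markup (< > & and both quotes) with HTML entities, so the post
    is displayed verbatim as text and never interpreted as code."""
    return html.escape(post, quote=True)


def render_wall(posts):
    """Build the page the server sends back. Every post goes through
    encode_output; the <meta charset> declares the page encoding up front
    ('set encoding of HTML pages') so the browser does not guess one in which
    the bytes could decode to different characters."""
    items = "".join("<li>%s</li>" % encode_output(p) for p in posts)
    return ('<!DOCTYPE html><html><head><meta charset="utf-8"></head>'
            "<body><ul>%s</ul></body></html>" % items)


def wall_is_inert(posts):
    """Verification helper: every post appears in the served page only in its
    encoded form, never as raw text that still carries markup characters."""
    page = render_wall(posts)
    return all(encode_output(p) in page and
               (p == encode_output(p) or p not in page) for p in posts)
```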