Google's Gruyere [1]: An XSS Example
Presented by: Terry Gregory

Contents
- Brief Technical Overview
- Cross-Site Scripting (XSS)
- Google's Gruyere
- Examples of XSS using Google's Gruyere
- Detection Methods & Prevention
- Conclusion
- References

Technical Overview: XSS
XSS Vulnerabilities
- Permit an attacker to inject code (typically HTML or JavaScript) into the contents of a website
- The injected code subsequently executes in a victim's browser when the victim views the page
- Because the code runs within the vulnerable site's own origin, the browser's Same Origin Policy no longer protects the victim; the attacker can steal the victim's private information associated with the website in question
- The result of improper "sanitizing"/filtering of user input before it is rendered
- A common method of attack is to enter random text into input fields and look at how it gets rendered in the response page's HTML source

Technical Overview: XSS
Flavors of XSS Attacks:
- Stored XSS: Attacker places malicious code within the application (e.g., in a text snippet) and the victim triggers the attack by browsing to the page on the server that renders the attack
- File Upload XSS: Attacker places malicious code in a file, which a victim unwittingly triggers when the file is accessed
- Reflected XSS: Attacker places malicious code in a request itself (frequently a URL) and the vulnerability occurs when the server inserts the attack in a response verbatim (or incorrectly sanitized). Victim triggers the attack by browsing to the malicious URL created by the attacker

Technical Overview: Google Gruyere
Why Google Gruyere?
- A deliberately vulnerable teaching web application
- Modeled after a basic social networking application, where users can...
  - Post "snippets" (for public consumption)
  - Upload files (for public consumption)
- Sandboxed - meant to be exploited in a consequence-free environment
- Intended to illustrate:
  - How an application can be attacked using common web security vulnerabilities
  - How to detect and avoid these common vulnerabilities
- Penetration Testing - Don your Black Hat & prepare to do some Black Box (Abuse Case) hacking...

Example: Stored XSS
Attacker's Challenge: Place malicious code within the application (e.g., in a text snippet) which a victim would trigger when browsing to the page on the server that renders the attack
Web Application: http://google-gruyere.appspot.com/462526305993/
Illustrations:
Note: alert() function - a simple, useful JavaScript function for hacking
- Not Activated [2]:
  <script type="text/javascript">alert('hey!')</script>
- Using Innocuous Tags:
  <a onmouseover="alert('hey!')" href="#">read this!</a>
- More Dangerous:
  <a onmouseover="alert(document.cookie)" href="#">read this too!</a>

Example: File Upload XSS
Attacker's Challenge: Place malicious code within a file, which a victim unwittingly triggers when the file is accessed
Web Application: http://google-gruyere.appspot.com/462526305993/
Illustration:
Note: alert() function - a simple, useful JavaScript function for hacking
File: fileupload.html
  <script> alert(document.cookie); </script>

Example: Reflected XSS
Attacker's Challenge: Place malicious code in a request itself (frequently a URL). Server echoes the attack in its response, verbatim. Victim triggers the attack by browsing to the malicious URL
Hypothetical Scenario:
1. Suppose URL http://www.google.com/search?q=flowers returns a page containing the HTML fragment
   <p>Your search for 'flowers' returned the following results:</p>
   (i.e., "q" rendered verbatim)*
2. Attacker could craft a link that looks like this:
   http://www.google.com/search?q=flowers+%3Cscript%3Eevil_script()%3C/script%3E
3. When the victim clicks this link (is tricked), the page is loaded & "evil script" is executed within the victim's browser.

XSS Detection Methods & Avoidance
A difficult problem
- Easy to fix - apply correct sanitizing functions/filters to user input
- Hard to get right - best practices often not followed
No Magic Defense
- Developers need to sanitize input using templates (centralizes & standardizes filtering)
- Code Reviews
- Automated Web Vulnerability scans (Tools)
- Employing good Testing Practices with respect to XSS
- OWASP XSS Prevention Cheat Sheet [3]
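The reflected and stored examples above, together with the "sanitize at render time" advice here, as one added Python example (Gruyere is written in Python; this is illustrative code, not Gruyere's own). Function names and the search/snippet templates are assumptions; the payloads are the ones shown on the slides, and the probe helper implements the slides' testing practice of submitting text with HTML metacharacters and checking how it comes back.

```python
import html

# Constructed sample inputs, copied from the slides' stored and reflected examples.
REFLECTED_PAYLOAD = "flowers<script>evil_script()</script>"
STORED_PAYLOAD = '<a onmouseover="alert(document.cookie)" href="#">read this too!</a>'


def render_search_unsafe(q: str) -> str:
    """Vulnerable (hypothetical): the query parameter is interpolated verbatim,
    so the reflected payload becomes live markup in the response."""
    return f"<p>Your search for '{q}' returned the following results:</p>"


def render_search_safe(q: str) -> str:
    """Fixed: escape for the HTML text context at the point of output.
    html.escape(quote=True) encodes & < > " and ', which is the right rule for
    HTML body text; attribute, JavaScript and URL contexts need their own rules
    (see the OWASP cheat sheet referenced on the slides)."""
    return f"<p>Your search for '{html.escape(q, quote=True)}' returned the following results:</p>"


def render_snippet_safe(snippet: str) -> str:
    """Stored case: the user's snippet is escaped when rendered, so tags and
    event-handler attributes are shown as literal text rather than executed."""
    return f'<div class="snippet">{html.escape(snippet, quote=True)}</div>'


def reflects_unescaped(render, marker: str = "probe<tag>\"'") -> bool:
    """Testing-practice check: feed a marker containing HTML metacharacters to a
    renderer and report whether it comes back in the raw markup unchanged.
    True means the output context is not being escaped."""
    return marker in render(marker)


if __name__ == "__main__":
    print(render_search_unsafe(REFLECTED_PAYLOAD))
    print(render_search_safe(REFLECTED_PAYLOAD))
    print(render_snippet_safe(STORED_PAYLOAD))
    print("unsafe renderer reflects raw markup:", reflects_unescaped(render_search_unsafe))
    print("safe renderer reflects raw markup:", reflects_unescaped(render_search_safe))
```

The probe check is the cheap part of a code review or test suite; it catches the missing-escape case but not a wrong-context escape, which is why the slides also point to templates and the cheat sheet.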

Conclusion
- XSS vulnerabilities are some of the most common found in web applications
- Huge number of XSS Attack Vectors
- Google Gruyere is a useful tool for:
  - Learning how hackers locate & exploit common web application security vulnerabilities (beyond XSS)
  - Learning how to avoid them
  - Honing your own Penetration Test skills using both White Box & Black Box techniques
  - Practicing in a consequence-free environment
- Site provides Attack Challenges, with associated Hints & Solutions

References
[1] Bruce Leban, Mugdha Bendre, and Parisa Tabriz. Web Application Exploits and Defenses. https://google-gruyere.appspot.com/, 2010.
[2] Joe Marshall. A Gentle Guide to Cross-Site Scripting (XSS). https://www.airpair.com/security/posts/a-gentle-guide-to-crosssite-scripting-xss, 2015.
[3] OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet. https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet, last revised 3/27/16.