An Introduction to Web Application Security

Presentation transcript:

An Introduction to Web Application Security Class 4: Cross Site Scripting December 18th 2014 Daniel Somerfield Lead Consulting Developer ThoughtWorks

This Week’s Agenda
- December 15th: Introduction to AppSec
- December 16th: Injection
- December 17th: Vulnerable Authentication & Session Management
- December 18th: Cross-Site Scripting
- December 19th: Secure Development Process

What is XSS? Cross-site scripting (XSS) occurs when an attacker maliciously submits data that the application renders to users in a context that alters the behavior or presentation of the site in a way not intended by the application developer.

What is XSS? The simple definition: JavaScript, HTML, or CSS where it doesn’t belong, messing with your app.

What’s the threat?
- Confidentiality ✓
- Integrity ✓
- Availability

Types of XSS
- Persistent XSS
- Server Reflected XSS
- Client Reflected or DOM-based XSS

Persistent XSS (actors: Attacker, User, Server, DB)
1. Attacker -> Server: POST <script>myEvilJS();</script>
2. Server -> DB: INSERT <script>myEvilJS();</script>
3. User -> Server: GET /corrupted-page.html
4. Server -> DB: SELECT <script>myEvilJS();</script>
5. User's browser: RENDER <script>myEvilJS();</script>

Reflected XSS (actors: Attacker, User, Server)
1. Attacker -> User: Send URL: http://example.com?param=<script>myEvilJS();</script>
2. User -> Server: GET http://example.com?param=<script>myEvilJS();</script>
3. Server -> User's browser: RENDER <script>myEvilJS();</script>

Authentication Demo
Demo pages: http://appsec-demo.herokuapp.com/AppSecDemo/demo/
https://appsec-demo.herokuapp.com/AppSecDemo/demo/entry/?entryId=<entryid>
Source code: https://github.com/danielsomerfield/app-sec-demo

XSS Demo: Reflected XSS

XSS Demo: Reflected XSS https://appsec-demo.herokuapp.com/AppSecDemo/demo/entry/?entryId=0

XSS Demo: Reflected XSS
https://appsec-demo.herokuapp.com/AppSecDemo/demo/entry/?entryId=%3Cscript%3Ealert(%22gotcha!%22)%3C/script%3E
Chrome launched for the demo with: Google\ Chrome --user-data-dir=/tmp/dummy --disable-xss-auditor

Defending against XSS
- Input validation
- Output encoding
- Safe script includes
- Avoid mixed contexts
- Avoid "unsafe" JavaScript like eval() and innerHTML

Input Validation, Basic Case
Decimal to hex converter
Input -> Output
42 -> 2a
2001 -> 7da
<script>alert(“gotcha”);</script> -> ???

Being too helpful
Error dialog: “Foo bar” is not an acceptable input. Please enter a decimal number. [OK]
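An added example (not the course's code) of the converter above with strict allow-list validation, showing the "too helpful" error page that echoes the rejected input beside one that does not. Function names are assumptions for the demo.

```javascript
// Added example (not the course's code): allow-list validation for the
// decimal-to-hex converter, plus the vulnerable and hardened error pages.

// Allow-list: an unsigned decimal integer, length-capped so Number() stays exact.
const DECIMAL_RE = /^[0-9]{1,15}$/;

function validateDecimal(rawInput) {
  const input = String(rawInput).trim();
  return DECIMAL_RE.test(input) ? { ok: true, value: Number(input) } : { ok: false };
}

// Vulnerable variant: the validation is fine, but the error message reflects
// the rejected input verbatim into the HTML body, so a rejected
// "<script>..." input still reaches the page (reflected XSS).
function handleConvertTooHelpful(rawInput) {
  const v = validateDecimal(rawInput);
  if (!v.ok) {
    return `<p>"${rawInput}" is not an acceptable input. Please enter a decimal number.</p>`;
  }
  return `<p>${v.value.toString(16)}</p>`;
}

// Hardened variant: the error text is a fixed string that never contains input.
function handleConvertSafe(rawInput) {
  const v = validateDecimal(rawInput);
  if (!v.ok) {
    return '<p>That is not an acceptable input. Please enter a decimal number.</p>';
  }
  return `<p>${v.value.toString(16)}</p>`;
}
```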

More complex cases
- A web-based email client
- A web-based ssh client
- Or, heaven help you, a web-based HTML editor

Browser Rendering Contexts
- HTML context
- HTML attribute context
- JavaScript context
- JavaScript string context
- CSS context
- JSON entity context
- URL context

What is Output Encoding? Escaping characters and sequences so they do not render in the wrong context.

HTML Output Encoding
$attackerInput = "<img src='http://evil.org/deface.gif'>"
Template: <p>$attackerInput</p>
Un-encoded: <p><img src='http://evil.org/deface.gif'></p>
Encoded: <p>&lt;img src='http://evil.org/deface.gif'&gt;</p>

JavaScript String Output Encoding
$attackerInput = "\"); alert('gotcha');//"
Template: <script> doSomething("$attackerInput"); </script>
Unescaped: doSomething(""); alert('gotcha');//");
Escaped: doSomething("\x22\x29\x3B\x20alert\x28\x27gotcha\x27\x29\x3B\x2F\x2F");
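An added example (not the course's code) implementing the two encoders behind the HTML and JavaScript-string slides above, and rendering both templates with them. The encoding rules are the usual entity and \xHH escapes; the function and template names are assumptions.

```javascript
// Added example (not the course's code): context-aware output encoding for
// the HTML body context and the JavaScript string context.

// HTML context: encode the characters that can open a tag, entity or attribute.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeForHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string context: hex-escape everything except [A-Za-z0-9], so no
// character can close the string literal, the call, or the <script> block.
function encodeForJsString(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The slide's templates, each rendered with the encoder for its context.
function renderParagraph(userInput) {
  return '<p>' + encodeForHtml(userInput) + '</p>';
}
function renderScriptCall(userInput) {
  return '<script>doSomething("' + encodeForJsString(userInput) + '");</script>';
}
```

Note that the encoder must match the context the value lands in: HTML entities do nothing inside a JavaScript string, and \xHH escapes do nothing inside an HTML body.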

What is CSRF? Cross Site Request Forgery: using the existing browser session to perform a privileged operation the user doesn't intend or expect.

Defending Against CSRF
- Tokenizer pattern
- Built-in CSRF protection is included in many frameworks
- Double submission
- Use POST, not GET, for modifying operations

References
- OWASP XSS Cheat Sheet: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
- OWASP CSRF Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet
- OWASP Top 10 - A3 - Cross-Site Scripting: https://www.owasp.org/index.php/Top_10_2013-A3-Cross-Site_Scripting_(XSS)
- OWASP Top 10 - A8 - Cross-Site Request Forgery: https://www.owasp.org/index.php/Top_10_2013-A8-Cross-Site_Request_Forgery_(CSRF)
