Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Doupé - 11/24/14

Ethics
- Only hack into sites you own
  – Or you have permission
- Popular sites may have a bug bounty program
  – Facebook
  – github
  – Google
- You will get caught

Tech
- HTTP
- HTML
- CSS
- JavaScript
- SQL
- Server-Side Code (Python/PHP/Ruby)

Many Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (XSRF)
- HTTP Parameter Pollution (HPP)
- Command Injection
- Parameter Manipulation
- File Exposure
- Directory Traversal
- Forced Browsing
- Logic Flaws
- Execution After Redirect (EAR)

[Diagram] Web Applications: browser JavaScript, HTTP, server-side code, SQL database

HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/
Host:
Accept: */*

HTTP Server Response
HTTP/ OK
Expires: Sat, 01 Jan :00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov :22:58 GMT; Max-Age= ; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan :00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
...
Welcome to Facebook - Log In, Sign Up or Learn More

JavaScript
- Makes the page dynamic
- Full control over page
  – Layout
  – Asynchronous requests
  – Event handlers
- Code from the website running in your browser

Same Origin Policy
- Browser JavaScript security policy
- An origin is the triple (protocol, host, port)
- Example origins on the slide: (https, 443) and (http, 80)

Same Origin Policy
- Cookies (document.cookie)
- DOM
- localStorage
- XMLHttpRequests
- img
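
The origin comparison the slides describe, as an added example (not code from the slides): an origin is the (protocol, host, port) triple, default ports are filled in so that https://example.com and https://example.com:443 compare equal, and two URLs are same-origin only when all three parts match. The hostnames are constructed.

```python
from urllib.parse import urlsplit

# Default ports per scheme, so an explicit :443 on https compares equal to no port at all.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (protocol, host, port) triple that the Same Origin Policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()       # hostname is case-insensitive
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True only if protocol, host and port all match; a subdomain or a different
    port is a different origin and gets no access to the other's DOM or cookies."""
    return origin_of(url_a) == origin_of(url_b)


if __name__ == "__main__":
    # Constructed URLs for illustration.
    pairs = [
        ("https://www.example.com/login", "https://www.example.com:443/feed"),
        ("http://www.example.com/", "https://www.example.com/"),
        ("https://www.example.com/", "https://api.example.com/"),
        ("https://www.example.com/", "https://www.example.com:8443/"),
    ]
    for a, b in pairs:
        print(origin_of(a), origin_of(b), "same origin" if same_origin(a, b) else "different origin")
```

Only the first pair is same-origin: changing the protocol, the host (even to a subdomain) or the port yields a different origin, which is why a script injected into one origin can only read that origin's cookies and DOM, and why injection into the application's own origin is what makes XSS dangerous.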

Cross-Site Scripting (XSS)
- Malicious JavaScript running in the context of your web application

XSS – Example
- The page echoes a name parameter into its HTML: Hello
- Normal input: Hello adam
- Input containing alert(‘xss’) (the surrounding script tags are missing from the transcript): the page shows Hello alert(‘xss’) and the injected alert(‘xss’) runs in the page
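
The "Hello" page from the example, as an added illustration that is not the slides' own code: the first handler places the name parameter into the HTML body unchanged, which is exactly the reflected XSS shown on the slides; the second escapes it first so the same input is rendered as text. The handler names and the sample input are constructed for this example.

```python
import html


def render_hello_vulnerable(name):
    """Constructed handler: the query parameter lands in the HTML body unchanged,
    so an input containing markup becomes part of the page's structure."""
    return f"<html><body>Hello {name}</body></html>"


def render_hello_safe(name):
    """Same page, but the input is HTML-escaped before it is placed in the body:
    < > & " ' become entities and can no longer open a tag."""
    return f"<html><body>Hello {html.escape(name, quote=True)}</body></html>"


def contains_script_tag(page):
    """Check used below to show whether the input became a script element."""
    return "<script" in page.lower()


if __name__ == "__main__":
    # Constructed inputs: the normal case from the slides, and a script instead of a name.
    print(render_hello_vulnerable("adam"))
    payload = "<script>alert('xss')</script>"
    print(render_hello_vulnerable(payload))   # script element is now part of the page
    print(render_hello_safe(payload))         # rendered as literal text
    print(contains_script_tag(render_hello_vulnerable(payload)),
          contains_script_tag(render_hello_safe(payload)))
```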

[Diagram] Reflected XSS: JavaScript, HTTP
[Diagram] Stored XSS: JavaScript, HTTP, SQL

Exploits – Phishing
- Malicious JavaScript can completely control the DOM
- Change the current page to a login page whose login form sends credentials to the attacker

Exploits – Session Theft
- HTTP is session-less
  – No HTTP-native way to tie requests to the same user
- Web applications typically use cookies to create a session
  – Session describes who the user is and whether they have passed authentication
- JavaScript has access to cookies…

[Diagram] Exploits – Session Theft: JavaScript, HTTP, SQL
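
Because document.cookie exposes cookies to injected JavaScript, the defender's check is whether the session cookie carries the httponly flag (visible on the datr cookie in the server response earlier) and the secure flag. The following audit is an added example, not code from the slides: it parses Set-Cookie header values and reports cookies that a script could read or that would be sent over plain HTTP. The sample headers are constructed to mirror the shape of the response on the slides; the cookie values are placeholders.

```python
def parse_set_cookie(header_value):
    """Parse one Set-Cookie value into (cookie name, {attribute name lowercased: value})."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()   # flags like HttpOnly get value ""
    return name, attrs


def audit_cookies(set_cookie_headers):
    """Return {cookie name: [missing flags]} for cookies lacking HttpOnly or Secure."""
    findings = {}
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        missing = []
        if "httponly" not in attrs:
            missing.append("HttpOnly")   # readable through document.cookie by injected script
        if "secure" not in attrs:
            missing.append("Secure")     # also sent over unencrypted HTTP
        if missing:
            findings[name] = missing
    return findings


# Constructed sample headers (placeholder values, not real session data).
SAMPLE_HEADERS = [
    "datr=PLACEHOLDERVALUE; expires=Wed, 23-Nov-2016 00:22:58 GMT; Max-Age=63072000; "
    "path=/; domain=.example.com; httponly",
    "reg_fb_ref=https%3A%2F%2Fwww.example.com%2F; path=/; domain=.example.com",
    "sessionid=PLACEHOLDERSESSION; path=/; secure; httponly",
]

if __name__ == "__main__":
    for cookie, flags in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{cookie}: missing {', '.join(flags)}")
```

HttpOnly does not stop the other exploits on these slides (a script can still make requests with the cookie attached), but it removes the simplest session-theft path of reading document.cookie and sending it elsewhere.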

Exploits – Unauthorized Actions
- JavaScript can make requests to the web application
  – Browser sends cookies
  – Appears as if the user made the request (clicked the link or filled out the form)
- Malicious JavaScript can make requests to the web application on your behalf

Exploits – Worms
- Stored XSS vulnerability + Unauthorized Actions
  – Self-propagating worm
- Social networks particularly susceptible
  – “samy is my hero” (2005)
  – Tweetdeck (2014)

XSS – Detection
- Understand how input is used in the HTML source
- Input “forbidden” characters
  – [characters missing from transcript] ‘ “ ; /
- Understand what sanitization is performed
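
The detection step on this slide, as an added example that is not from the slides: each "forbidden" character is wrapped in a marker, submitted to a page-rendering function, and reported if it comes back unchanged, which tells you which characters the application's sanitization does not handle. The three handlers are constructed stand-ins for the server-side code under test; the angle brackets are assumed to be among the characters the transcript lost.

```python
import html

# Characters that change HTML or JavaScript structure when echoed unencoded.
PROBE_CHARS = ["<", ">", "'", '"', ";", "/"]


def probe_reflection(render, marker="xss1234"):
    """Return the probe characters that `render` echoes back verbatim.
    The marker isolates each character so the search cannot match page text."""
    unsanitized = []
    for ch in PROBE_CHARS:
        probe = f"{marker}{ch}{marker}"
        if probe in render(probe):
            unsanitized.append(ch)
    return unsanitized


# Constructed handlers standing in for three levels of sanitization.
def echo_raw(name):
    return f"<p>Hello {name}</p>"


def echo_escaped(name):
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def echo_strip_tags_only(name):
    # Naive filter that only drops angle brackets: quotes survive, so attribute
    # and JavaScript-string contexts remain injectable.
    return f"<p>Hello {name.replace('<', '').replace('>', '')}</p>"


if __name__ == "__main__":
    for handler in (echo_raw, echo_escaped, echo_strip_tags_only):
        print(f"{handler.__name__}: unsanitized {probe_reflection(handler)}")
```

Note that html.escape leaves ; and / alone, which is harmless for output in the HTML body but not for output inside a JavaScript string: the probe result has to be read against the context the input lands in, which is the "understand how input is used" step on the slide.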

XSS – Prevention
- Sanitize all user inputs using a known sanitization routine
- Depends on where the output is in the HTML page
  – [characters missing from transcript] necessary in HTML
  – Only need ‘ in JavaScript

var test = “ ”;
> <
< <
%27
onload=“javascript:alert(xss);”
“”alert(‘xss’);//”
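
The previous two slides make one point: the encoding has to match the context the input lands in. The slide's `var test = " ";` case is output inside a JavaScript string, where an input such as `"; alert('xss');//` closes the string and adds a statement, and the `onload=` case is output inside an HTML attribute. The following added example (not the slides' code) renders one constructed input into the HTML body, a quoted attribute and a JavaScript string, each with its own encoder; it uses html.escape for the two HTML contexts and a JSON literal for the JavaScript context, which is an assumption about implementation, not something the slides prescribe.

```python
import html
import json


def encode_for_html(s):
    """HTML body or quoted attribute value: & < > " ' become entities.
    Attribute values must additionally always be wrapped in quotes in the template."""
    return html.escape(s, quote=True)


def encode_for_js_string(s):
    """Emit a complete double-quoted JavaScript string literal. json.dumps escapes
    " and \\ and control characters; "</" is escaped as well so the literal can
    never close the enclosing <script> element."""
    return json.dumps(s).replace("</", "<\\/")


def render_page(user_input):
    """Constructed page with the same input placed in three different contexts."""
    return (
        "<html><body>\n"
        f"<p>Hello {encode_for_html(user_input)}</p>\n"
        f'<input type="text" value="{encode_for_html(user_input)}">\n'
        f"<script>var test = {encode_for_js_string(user_input)};</script>\n"
        "</body></html>"
    )


if __name__ == "__main__":
    # Constructed inputs modelled on the payload shapes listed on the slide.
    for sample in ["adam", "\"; alert('xss');//", '" onload="alert(1)', "</script>"]:
        print(render_page(sample))
        print("----")
```

With these encoders the JavaScript line becomes `var test = "\"; alert('xss');//";`, a string whose content is the attacker's text, and the attribute becomes `value="&quot; onload=&quot;alert(1)"`, which never leaves the quoted value. Applying only the HTML encoder to the JavaScript context would leave `;` and `/` untouched and is the mismatch the slide is warning about.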

Tools
- Browser Developer Tools
- Wireshark
- Burp Proxy
- SQLMap
- OWASP Broken Web Apps Project
- Google Gruyere

Questions?