Presentation is loading. Please wait.

Presentation is loading. Please wait.

Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory

Published byMilton Jones Modified over 6 years ago

Similar presentations

Presentation on theme: "Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory"— Presentation transcript:

1 Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory

2 Contents Brief Technical Overview Cross-Site Scripting (XSS)
Google’s Gruyere Examples of XSS using Google’s Gruyere Detection Methods & Prevention Conclusion References

3 Technical Overview: XSS
XSS Vulnerabilities Permits attacker to inject code (typically HTML or JavaScript) into contents of a website Injected Code subsequently executes in a victim's browser when victim views the page Bypasses browser's Same Origin Policy, permitting attacker to steal victim's private information associated with website in question The result of improper "sanitizing"/ filtering of user input Common method of attack is to enter random text into input fields and look at how it gets rendered in the response page's HTML source

4 Technical Overview: XSS
Flavors of XSS Attacks: Stored XSS Attacker places malicious code within the application (e.g., in a text snippet) and the victim triggers the attack by browsing to the page on the server that renders the attack File Upload XSS Attacker places malicious code in a file, which a victim unwittingly triggers when the file is accessed Reflected XSS Attacker places malicious code in a request itself (frequently a URL) and the vulnerability occurs when the server inserts the attack in a response verbatim (or incorrectly sanitized). Victim triggers the attack by browsing to the malicious URL created by the attacker

5 Technical Overview: Google Gruyere
Why Google Gruyere? A deliberately vulnerable teaching web application Modeled after a basic social networking application, where users can... Post "snippets“ (for public consumption) Upload files (for public consumption) Sandboxed - meant to be exploited in a consequence-free environment Intended to illustrate: How an application can be attacked using common web security vulnerabilities How to detect and avoid these common vulnerabilities Penetration Testing - Don your Black Hat & prepare to do some Black Box (Abuse Case) hacking...

6 Example: Stored XSS Attacker’s Challenge:
Place malicious code within the application (e.g., in a text snippet) which a victim would trigger when browsing to the page on the server that renders the attack Web Application Illustrations: Note: alert() function – a simple, useful JavaScript function for hacking Not Activated2 : <script type="text/javascript">alert('hey!')</script> Using Innocuous Tags: <a onmouseover="alert('hey!')" href="#">read this!</a> More Dangerous: <a onmouseover="alert(document.cookie)" href="#">read this too!</a>

7 Example: File Upload XSS
Attacker’s Challenge: Place malicious code within a file, which a victim unwittingly triggers when the file is accessed Web Application Illustration: Note: alert() function – a simple, useful JavaScript function for hacking File: fileupload.html <script> alert(document.cookie); </script>

8 Example: Reflected XSS
Attacker’s Challenge: Place malicious code in a request itself (frequently a URL). Server echoes the attack in its response, verbatim. Victim triggers the attack by browsing to the malicious URL Hypothetical Scenario: 1. Suppose URL returns a page containing the HTML fragment <p>Your search for 'flowers‘ returned the following results:</p> (i.e., “q” rendered verbatim)* 2. Attacker could craft a link that looks like this 3. When victim clicks this link (is tricked), page is loaded & “evil script” is executed within the victim’s browser.

9 XSS Detection Methods & Avoidance
A difficult problem Easy to fix – apply correct sanitizing functions/filters to user input Hard to get right – best practices often not followed No Magic Defense Developers need to sanitize input using templates (centralizes & standardizes filtering) Code Reviews Automated Web Vulnerability scans (Tools) Employing good Testing Practices with respect to XSS OWASP XSS Prevention Cheat Sheet3

10 Conclusion XSS vulnerabilities are some of the most common found in web applications Huge number of XSS Attack Vectors Google Gruyere is a useful tool for Learning how hackers locate & exploit common web application security vulnerabilities (beyond XSS) Learning how to avoid them Honing your own Penetration Test skills using both White Box & Black Box techniques Practicing in a consequence-free environment Site provides Attack Challenges, with associated Hints & Solutions

11 References [1] Bruce Leban, Mugdha Bendre, and Parisa Tabriz. Web Application Exploits and Defenses [2] Joe Marshall. A Gentle Guide to Cross-Site Scripting (XSS) [3] OWASP: XSS (Cross Site Scripting) Prevention Cheat Sheet. Last Revised 3/27/16.

Download ppt "Google’s Gruyere1 : An XSS Example Presented by: Terry Gregory"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.
Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.

Security and JavaScript. Learning Objectives By the end of this lecture, you should be able to: – Describe what is meant by JavaScript’s same-origin security.
Workshop 3 Web Application Security Li Weichao March 14 2014.

Workshop 3 Web Application Security Li Weichao March
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack

Similar presentations

Ads by Google