Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Published byTaylor Maher Modified over 10 years ago

Similar presentations

Presentation on theme: "Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems."— Presentation transcript:

1 Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems

2 Cross-Site Scripting in a Nutshell Consider a web site that gathers user input User input is displayed back to user Validate address, search results, etc. Attacker crafts URL with a script in it and sends to victim Victim clicks on link Script in the URL is sent to server as user input User input displayed; script "reflected" back to client Script runs on client Which state do I live in? I am a resident of: alert ("You are vulnerable to cross-site scripting!");

3 © 2002, Predictive Systems Cross-Site Scripting Overview Attacker intends to obtain sensitive data from victim user that is only accessible from within a valid session with the target site Attacker has analyzed the target site and identified a vulnerable CGI script (one that does not properly filter user supplied input, such as HTML tags) The site displays back to the user something the user types in, such as a name, account number, or anything, really Attacker has written a specialized browser script (most likely in JavaScript) that performs an action as a victim user on the target site

4 © 2002, Predictive Systems Ways of Launching Cross-Site Scripting Attacks Attacker's script must be sent to the victim Inter-user communication within the target site (i.e., message board, etc.) URL provided on a third-party web site (either clicked on by victim user or automatically loaded when visiting a malicious web site) URL embedded in an email or newsgroup posting

5 © 2002, Predictive Systems How Cross-Site Scripting Attacks Work 1)Victim logs into the target site Could occur through social engineering by attacker Log in to your account to get this special offer!!! 2)Victim then clicks on a URL or visits a web site that includes the malicious code 3)Victim users browser transmits malicious code to the vulnerable script on the target site as a web request 4)Target site reflects the malicious code back to the victim users browser in the response to the request 5)Malicious code executes within victim users browser under the security context of the target site

6 © 2002, Predictive Systems How It Works (continued) target site Attacker NORMAL VALID SESSION security context: target site MALICIOUS CODE security context: target site From: Malicious User To: Victim User CLICK HERE browser window email client normal interaction malicious code reflected code 1 2 3 4 5

7 © 2002, Predictive Systems When Will The Attack Be Successful? User must be convinced to click on a URL or visit a malicious web site AND User must be currently logged into the target site and have a valid session (that has not timed out) Both conditions can be accomplished through social engineering via e-mail or telephone

8 © 2002, Predictive Systems Cross-Site Scripting Defenses Remove from user input all characters that are meaningful in scripting languages: =<>"'(); You must do this filtering on the server side You cannot do this filtering using Javascript on the client, because the attacker can get around such filtering More generally, on the server-side, your application must filter user input to remove: Quotes of all kinds (', ", and `) Semicolons (;), Asterisks (*), Percents (%), Underscores (_) Other shell/scripting metacharacters (=&\|*?~<>^()[]{}$\n\r ) Your best bet – define characters that are ok (alpha and numeric), and filter everything else out

Download ppt "Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?

WEB DESIGN TABLES, PAGE LAYOUT AND FORMS. Page Layout Page Layout is an important part of web design Why do you think your page layout is important?
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
In this lecture, you will learn: ❑ How to link between pages of your site ❑ How to link to other sites ❑ How to structure the folders on your web site.

In this lecture, you will learn: ❑ How to link between pages of your site ❑ How to link to other sites ❑ How to structure the folders on your web site.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Active Server Pages Chapter 1. Introduction Understand how browsers and servers interacted when the Web was young Understand what early Internet and intranet.

Active Server Pages Chapter 1. Introduction Understand how browsers and servers interacted when the Web was young Understand what early Internet and intranet.
Using Entities & Creating Forms Jill R. Sommer Institute for Applied Linguistics Kent State University.

Using Entities & Creating Forms Jill R. Sommer Institute for Applied Linguistics Kent State University.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Exploits: XSS, SQLI, Buffer Overflow

Exploits: XSS, SQLI, Buffer Overflow
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
Presented by Paul Gilzow Web Communications University of Missouri #hew08xss.

Presented by Paul Gilzow Web Communications University of Missouri #hew08xss.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google