Reliable Mitigation of DOM-based XSS

Size: px
Start display at page:

Download "Reliable Mitigation of DOM-based XSS"

Transcription

1 Intro XSS Implementation Evaluation Q&A Reliable Mitigation of DOM-based XSS Tobias Mueller / 39

2 Intro XSS Implementation Evaluation Q&A About me The results Motivation about:me MSc. cand. Dipl. Inf. presenting results of diploma thesis / USENIX paper 45 min. presentation ask immediately, Q&A afterwards 2 / 39

3 Intro XSS Implementation Evaluation Q&A About me The results Motivation Spoiler Is it possible to reliably defend against DOM-based XSS without breaking the Web? recognise new code from attacker-provided strings modified V8 s scanner, WebKit s strings, and the bindings for Chromium evaluated protection, compatibility, and speed yes, with some exceptions 3 / 39

4 Intro XSS Implementation Evaluation Q&A About me The results Motivation 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 4 / 39

5 Motivation feet

6 Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS 2004: OWASP Top : OWASP Top : OWASP Top : OWASP Top 3 6 / 39

7 Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS - 10% of CVEs are XSS 7 / 39

8 Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS XSS is very common and dangerous 8 / 39

9 Intro XSS Implementation Evaluation Q&A About me The results Motivation Severity of XSS - 2 mio user records 9 / 39

10 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Overview of section 2 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 10 / 39

11 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Cross-Site Scripting (XSS) Code Execution in the victim s browser (JavaScript) Code execution use all browser APIs use Web app in the name of the user obtain credentials spy on behaviour 11 / 39

12 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS <?php // returning unsanitised data echo $_GET[ bar ];?> Attack: 12 / 39

13 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

14 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

15 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

16 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Reflected XSS Victim Browser 2 Sensitive Data 4 GET vuln/?param=xss <html>... XSS... </html> 1 3 Attacker Web Server 13 / 39

17 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS <?php // store.php store_in_db ( some_key, $_POST[ bar ]);?> <?php // retrieve.php // returning unsanitised data echo get_from_db ( some_key );?> Attack: 1 POST / 39

18 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> Sensitive Data GET / POST vuln/?param=xss Attacker Web Server 15 / 39

19 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> Sensitive Data GET / POST vuln/?param=xss Attacker Web Server 15 / 39

20 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> Sensitive Data GET / POST vuln/?param=xss Attacker Web Server 15 / 39

21 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> Sensitive Data GET / POST vuln/?param=xss Attacker Web Server 15 / 39

22 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Stored XSS Victim Browser 3 5 <html>... XSS... </html> Sensitive Data GET / POST vuln/?param=xss Attacker Web Server 15 / 39

23 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos = document.url.indexof("name=")+5; document.write(document.url.substring(pos,document.url.length)); </SCRIPT> <BR> Welcome to our system... </HTML> Attack: 16 / 39

24 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Neither Stored- nor Reflected-XSS!!111elfeins Client-side vulnerability Read from (attacker controlled) properties of the loaded document document.location, window.name, etc... Write to security sensitive sinks eval, document.write, etc... eval(document.location.hash.substring(1)) 17 / 39

25 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

26 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

27 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

28 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-based XSS Victim Browser 2 Sensitive Data 4 GET / <html>... <script>... </html> 1 3 Attacker Web Server 18 / 39

29 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection DOM-XSS protection mechanisms server-side solutions inappropriate as data does not leave the client turn off JavaScript... breaks the Web WebKit s XSS Auditor Only smarter string matching inherent weaknesses, e.g. in WebKit, not V8 eval Block tainted JavaScript code too coarse grained, breaks the Web: var name=d.url.substring(d.url.indexof("name=")) use knowledge of data flows to only allow data values and forbid code 19 / 39

30 Intro XSS Implementation Evaluation Q&A Reflected XSS Stored XSS DOM-based XSS Protection Interlude: Recap XSS is a problem DOM-XSS is a client-side problem The client is the appropriate place for a fix The idea is to observe data flows to allow literals but block new code 20 / 39

31 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Overview of section 3 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 21 / 39

32 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Taint Tracking Annotate data and track it throughout perl -T navigator.taintenabled() 22 / 39

33 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Automated data flow detection WebKit DOM Tree Initialize v8 with JS code Tainted value t1 V8 Javascript Engine x = document.location.hash Store taint t1 in node document.title Tainted value t1 V8 Bindings Pass on taint inside v8 document.title = x y = document.title We still know the actual, unsecure source! (document.location.hash) 23 / 39

34 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer var foo = bar ; Parser Code Generator Program 24 / 39

35 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer var foo = bar ; VAR ID EQ STR SEMI Parser Code Generator Program 24 / 39

36 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer Parser var foo = bar ; VAR ID EQ STR SEMI VariableStatement: var VariableDeclarationList Code Generator Program 24 / 39

37 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Compilation Source Code Compiler Lexer Parser var foo = bar ; VAR ID EQ STR SEMI VariableStatement: var VariableDeclarationList Code Generator sub esp, 4 Program 24 / 39

38 Intro XSS Implementation Evaluation Q&A Taint Tracking Compilation Architecture V8 Architecture Chromium 12,000k SLoC WebKit HTML Rendering 800k SLoC C++ V8 JavaScript Execution 700k SLoC C++ 25 / 39

39

40 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Overview of section 4 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 30 / 39

41 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Evaluation Protection: Test cases and vulnerable top Web apps ( 8% vuln.) Compatibility: Test cases and top Execution speed: standard benchmarks against baseline 31 / 39

42 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Protection - Setup in vitro (test suite) Pre-existing test suite in vivo (real world large-scale study) Find existing vulnerability + Sites with DOM-based XSS vulnerabilities Regression test + Create witness inputs Test with proposed implementation # rejections ˆ= protection capability 32 / 39

43 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Protection - Results Without XSS Auditor Taint Aware browser Exploitable Domains Protection Rate 0% 28.01% 100% Table : Protection Capabilities of the XSS Auditor and the taint browser 33 / 39

44 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Compatibility - Setup Obtain list of top Web sites Browse Web sites Collect block reports #rejects ˆ= compatibility 34 / 39

45 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Compatibility - Results 8 (out of 10000) wrongfully blocked Web apps: al.com, blogger.com, elpais.com, google.com, ixian.cn, miami.com, mlive.com, toyota.jp 35 / 39

46 Intro XSS Implementation Evaluation Q&A Protection Compatibility Execution Speed Execution Speed - Setup Run Experiment Select Browser Chromium Vanilla Chromium Taint Firefox Internet Explorer Opera Select Benchmark Kraken Sunspider Dromaeo Octane Run Benchmark create fresh profile 10 times 20 times run benchmark collect results 36 / 39

47 Execution Speed - Results - 23% vs. 39%, 49%, and 63% Patched Chrome Firefox Internet Explorer Epiphany Opera Slowdown factor Kraken Sunspider Dromaeo Octane v2

48 Intro XSS Implementation Evaluation Q&A Overview of section 5 1 Intro Motivation 2 Cross-Site Scripting (XSS) Reflected XSS Stored XSS DOM-based XSS Protection 3 Implementation Taint Tracking Compilation Chromiums Architecture V8 4 Evaluation Protection Compatibility Execution Speed 5 Q&A 38 / 39

49 Intro XSS Implementation Evaluation Q&A Q&A Client-side protection mechanism against DOM-XSS Thorough evaluation of the proposed implementation Review of existing XSS protection mechanisms to be read in Precise Client-side Protection against DOM-based XSS, in: 23rd USENIX Security Symposium (USENIX Security 14). Questions? 39 / 39

A Tale of the Weaknesses of Current Client-Side XSS Filtering

A Tale of the Weaknesses of Current Client-Side XSS Filtering Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering Martin Johns, Ben Stock, Sebastian Lekies About us Martin Johns, Ben Stock, Sebastian Lekies Security Researchers at SAP, Uni

More information

25 Million Flows Later Large- scale Detec6on of DOM- based XSS. Published at ACM CCS 2013 Sebas5an Lekies, Ben Stock, Mar6n Johns

25 Million Flows Later Large- scale Detec6on of DOM- based XSS. Published at ACM CCS 2013 Sebas5an Lekies, Ben Stock, Mar6n Johns 25 Million Flows Later Large- scale Detec6on of DOM- based XSS Published at ACM CCS 2013 Sebas5an Lekies, Ben Stock, Mar6n Johns Me, myself and I Dr. Martin Johns Background in software engineering Academic

More information

A Tale of the Weaknesses of Current Client-side XSS Filtering

A Tale of the Weaknesses of Current Client-side XSS Filtering A Tale of the Weaknesses of Current Client-side XSS Filtering Sebastian Lekies (@sebastianlekies), Ben Stock (@kcotsneb) and Martin Johns (@datenkeller) Attention hackers! These slides are preliminary!

More information

Precise client-side protection against DOM-based Cross-Site Scripting

Precise client-side protection against DOM-based Cross-Site Scripting Precise client-side protection against DOM-based Cross-Site Scripting Ben Stock FAU Erlangen-Nuremberg ben.stock@cs.fau.de Patrick Spiegel SAP AG patrick.spiegel@sap.com Sebastian Lekies SAP AG sebastian.lekies@sap.com

More information

Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts

Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts Detection of DOM-based Cross-Site Scripting by Analyzing Dynamically Extracted Scripts Suman Saha 1, Shizhen Jin 2,3 and Kyung-Goo Doh 3 1 LIP6-Regal, France Suman.Saha@lip6.fr 2 GTOne, Seoul, Korea jinshzh@gmail.com

More information

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 Cross Site Scripting (XSS) and PHP Security Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 What Is Cross Site Scripting? Injecting Scripts Into Otherwise Benign and Trusted Browser Rendered

More information

Relax Everybody: HTML5 Is Securer Than You Think

Relax Everybody: HTML5 Is Securer Than You Think Relax Everybody: HTML5 Is Securer Than You Think Martin Johns (@datenkeller) SAP AG Session ID: ADS-W08 Session Classification: Advanced Motivation For some reason, there is a preconception that HTML5

More information

25 Million Flows Later - Large-scale Detection of DOM-based XSS

25 Million Flows Later - Large-scale Detection of DOM-based XSS 25 Million Flows Later - Large-scale Detection of DOM-based XSS Sebastian Lekies SAP AG sebastian.lekies@sap.com Ben Stock FAU Erlangen-Nuremberg ben.stock@cs.fau.de Martin Johns SAP AG martin.johns@sap.com

More information

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce.

Secure Coding. External App Integrations. Tim Bach Product Security Engineer salesforce.com. Astha Singhal Product Security Engineer salesforce. Secure Coding External App Integrations Astha Singhal Product Security Engineer salesforce.com Tim Bach Product Security Engineer salesforce.com Safe Harbor Safe harbor statement under the Private Securities

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

Example. Represent this as XML

Example. Represent this as XML Example INF 221 program class INF 133 quiz Assignment Represent this as XML JSON There is not an absolutely correct answer to how to interpret this tree in the respective languages. There are multiple

More information

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Illinois Institute Of Technology Prateek Saxena UC Berkeley Dawn Song UC Berkeley 1 A Cross-Site Scripting Attack

More information

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.

More information

Analysis of Browser Defenses against XSS Attack Vectors

Analysis of Browser Defenses against XSS Attack Vectors Analysis of Browser Defenses against XSS Attack Vectors Shital Dhamal Department of Computer Engineering Lokmanya Tilak College of Engineering Koparkhairne,Navi Mumbai,Maharashtra,India Manisha Mathur

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

Network Security Web Security

Network Security Web Security Network Security Web Security Anna Sperotto, Ramin Sadre Design and Analysis of Communication Systems Group University of Twente, 2012 Cross Site Scripting Cross Side Scripting (XSS) XSS is a case of (HTML)

More information

Protection, Usability and Improvements in Reflected XSS Filters

Protection, Usability and Improvements in Reflected XSS Filters Protection, Usability and Improvements in Reflected XSS Filters Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University May 2, 2012 1 / 19 Riccardo Pelizzi Improvements

More information

A tale of the weaknesses of current client-side XSS filtering

A tale of the weaknesses of current client-side XSS filtering A tale of the weaknesses of current client-side XSS filtering Sebastian Lekies SAP AG sebastian.lekies@sap.com @sebastianlekies Martin Johns SAP AG martin.johns@sap.com @datenkeller Ben Stock FAU Erlangen-Nuremberg

More information

Alhambra: A System for Creating, Enforcing, and Testing Browser Security Policies

Alhambra: A System for Creating, Enforcing, and Testing Browser Security Policies Alhambra: A System for Creating, Enforcing, and Testing Browser Security Policies ABSTRACT Shuo Tang University of Illinois, Urbana-Champaign, IL stang6@illinois.edu Onur Aciicmez Samsung Advanced Institute

More information

Web-Application Security

Web-Application Security Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice

More information

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht (http://cs.uic.edu/~pbisht) Joint work with : V.N. Venkatakrishnan Systems and Internet Security Laboratory Department

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft

More information

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011

Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011 Server-Side JavaScript Injection Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team July 2011 Abstract This whitepaper is presented in support of the BlackHat USA 2011 talk,

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

The Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam

The Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam The Past, Present and Future of XSS Defense Jim Manico HITB 2011 Amsterdam 0 Jim Manico Managing Partner, Infrared Security Web Developer, 15+ Years OWASP Connections Committee Chair OWASP ESAPI Project

More information

Universal XSS via IE8s XSS Filters

Universal XSS via IE8s XSS Filters Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: http://p42.us/ie8xss/ About Us Eduardo Vela Nava aka sirdarckcat http://sirdarckcat.net http://twitter.com/sirdarckcat

More information

Advanced XSS. Nicolas Golubovic

Advanced XSS. Nicolas Golubovic Advanced XSS Nicolas Golubovic Image courtesy of chanpipat / FreeDigitalPhotos.net Today's menu 1. Starter: reboiled XSS 2. Course: spicy blacklists & filters 3. Course: sweet content sniffing 4. Course:

More information

AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM

AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM AMIT KLEIN, FORMER DIRECTOR OF SECURITY AND RESEARCH, SANCTUM A whitepaper from Watchfire TABLE OF CONTENTS Introduction 1 Full Explanation The XSS Technique. 1 Scope and Feasibility.. 3 Variations on

More information

Client Side Cross Site Scripting

Client Side Cross Site Scripting Client Side Cross Site Scripting 1 Client Side Cross Site Scripting CLIENT SIDE XSS - DI PAOLA 2 Soluzioni e sicurezza per applicazioni mobile e payments Consorzio Triveneto, azienda leader nei sistemi

More information

HTML5. Eoin Keary CTO BCC Risk Advisory. www.bccriskadvisory.com www.edgescan.com

HTML5. Eoin Keary CTO BCC Risk Advisory. www.bccriskadvisory.com www.edgescan.com HTML5 Eoin Keary CTO BCC Risk Advisory www.bccriskadvisory.com www.edgescan.com Where are we going? WebSockets HTML5 AngularJS HTML5 Sinks WebSockets: Full duplex communications between client or server

More information

Cross-site site Scripting Attacks on Android WebView

Cross-site site Scripting Attacks on Android WebView IJCSN International Journal of Computer Science and Network, Vol 2, Issue 2, April 2013 1 Cross-site site Scripting Attacks on Android WebView 1 Bhavani A B 1 Hyderabad, Andhra Pradesh-500050, India Abstract

More information

Finding XSS in Real World

Finding XSS in Real World Finding XSS in Real World by Alexander Korznikov nopernik@gmail.com 1 April 2015 Hi there, in this tutorial, I will try to explain how to find XSS in real world, using some interesting techniques. All

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

JavaScript static security analysis made easy with JSPrime

JavaScript static security analysis made easy with JSPrime JavaScript static security analysis made easy with JSPrime Nishant Das Patnaik & Sarathi Sabyasachi Sahoo nishant.dp@gmail.com & sarathisahoo@gmail.com JavaScript is the lingua-franca of Web 2.0 and, recently,

More information

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il

Application Security Testing. Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Application Security Testing Erez Metula (CISSP), Founder Application Security Expert ErezMetula@AppSec.co.il Agenda The most common security vulnerabilities you should test for Understanding the problems

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

HTTPParameter Pollution. ChrysostomosDaniel

HTTPParameter Pollution. ChrysostomosDaniel HTTPParameter Pollution ChrysostomosDaniel Introduction Nowadays, many components from web applications are commonly run on the user s computer (such as Javascript), and not just on the application s provider

More information

Cross Site Scripting Prevention

Cross Site Scripting Prevention Project Report CS 649 : Network Security Cross Site Scripting Prevention Under Guidance of Prof. Bernard Menezes Submitted By Neelamadhav (09305045) Raju Chinthala (09305056) Kiran Akipogu (09305074) Vijaya

More information

2009-12-26 PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script

2009-12-26 PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script ACS - Active Content Signatures By Eduardo Vela Nava ACS - Active Content Signatures How to solve XSS and mix user's HTML/JavaScript code with your content with just one script Eduardo Vela Nava (sirdarckcat@gmail.com)

More information

Attacks on Clients: Dynamic Content & XSS

Attacks on Clients: Dynamic Content & XSS Software and Web Security 2 Attacks on Clients: Dynamic Content & XSS (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Recap from last lecture Attacks on web server: attacker/client

More information

Are AJAX Applications Vulnerable to Hack Attacks?

Are AJAX Applications Vulnerable to Hack Attacks? Are AJAX Applications Vulnerable to Hack Attacks? The importance of Securing AJAX Web Applications This paper reviews AJAX technologies with specific reference to JavaScript and briefly documents the kinds

More information

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India Volume 5, Issue 12, December 2015 ISSN: 2277 128X International Journal of Advanced Research in Computer Science and Software Engineering Research Paper Available online at: www.ijarcsse.com Investigation

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Seminar: Cryptographic Protocols Staged Information Flow for JavaScript

Seminar: Cryptographic Protocols Staged Information Flow for JavaScript Seminar: Cryptographic Protocols Staged Information Flow for JavaScript Sebastian Wild 1 Introduction JavaScript is an important component of modern web applications since it is possible to execute code

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Uploaded images filter evasion for carrying out XSS attacks

Uploaded images filter evasion for carrying out XSS attacks February 25, 2007 Uploaded images filter evasion for carrying out XSS attacks Digitаl Security Research Group (DSecRG) Alexander Polyakov a.polyakov@dsec.ru http://dsecrg.ru Table of contents Introduction...3

More information

Exploitation of Cross-Site Scripting (XSS) Vulnerability on Real World Web Applications and its Defense

Exploitation of Cross-Site Scripting (XSS) Vulnerability on Real World Web Applications and its Defense Exploitation of Cross-Site Scripting (XSS) Vulnerability on Real World Web Applications and its Defense Shashank Gupta Lecturer in Department of Information Technology, Model Institute of Engineering and

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch

Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Thomas Röthlisberger IT Security Analyst thomas.roethlisberger@csnc.ch Compass Security AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch What

More information

1000 Projects later. Security Code Scans at SAP

1000 Projects later. Security Code Scans at SAP 1000 Projects later Security Code Scans at SAP About Us Ruediger Bachmann is a Development Architect at SAP AG working, as member of the central code analyses team, in the areas application security and

More information

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000) Security What about MongoDB? Even though MongoDB doesn t use SQL, it can be vulnerable to injection attacks db.collection.find( {active: true, $where: function() { return obj.credits - obj.debits < req.body.input;

More information

elearning for Secure Application Development

elearning for Secure Application Development elearning for Secure Application Development Curriculum Application Security Awareness Series 1-2 Secure Software Development Series 2-8 Secure Architectures and Threat Modeling Series 9 Application Security

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven.

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven. Recent Web Security Technology Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven.be About myself: Lieven Desmet Research manager at KU Leuven

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon.

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon. Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon.com/aarhus-2012 SIKKERHED I WEBAPPLIKATIONER Anders Skovsgaard Hackavoid anders@hackavoid.dk

More information

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS Published by Tony Porterfield Feb 1, 2015. Overview The intent of this test plan is to evaluate a baseline set of data security practices

More information

A Survey on Threats and Vulnerabilities of Web Services

A Survey on Threats and Vulnerabilities of Web Services A Survey on Threats and Vulnerabilities of Web Services A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Computer Science and Engineering of Jadavpur University

More information

Security in Offline Web Applications

Security in Offline Web Applications Security in Offline Web Applications Anja Svartberg Master of Science in Communication Technology Submission date: November 2009 Supervisor: Danilo Gligoroski, ITEM Co-supervisor: Kåre Presttun, Mnemonic

More information

Web attacks and security: SQL injection and cross-site scripting (XSS)

Web attacks and security: SQL injection and cross-site scripting (XSS) Web attacks and security: SQL injection and cross-site scripting (XSS) License This work by Z. Cliffe Schreuders at Leeds Metropolitan University is licensed under a Creative Commons Attribution-ShareAlike

More information

A Study on Dynamic Detection of Web Application Vulnerabilities

A Study on Dynamic Detection of Web Application Vulnerabilities A Study on Dynamic Detection of Web Application Vulnerabilities A Dissertation Presented by Yuji Kosuga Submitted to the School of Science for Open and Environmental Systems in partial fulfillment of the

More information

Towards Automated Malicious Code Detection and Removal on the Web

Towards Automated Malicious Code Detection and Removal on the Web Towards Automated Malicious Code Detection and Removal on the Web Dabirsiaghi, Arshan Open Web Application Security Project Aspect Security, Inc., 2007 Abstract The most common vulnerability in web applications

More information

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code Anastasios Stasinopoulos, Christoforos Ntantogian, Christos Xenakis Department of Digital Systems, University of Piraeus {stasinopoulos,

More information

Intrusion detection for web applications

Intrusion detection for web applications Intrusion detection for web applications Intrusion detection for web applications Łukasz Pilorz Application Security Team, Allegro.pl Reasons for using IDS solutions known weaknesses and vulnerabilities

More information

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS

Spigit, Inc. Web Application Vulnerability Assessment/Penetration Test. Prepared By: Accuvant LABS Web Application Vulnerability Assessment/enetration Test repared By: Accuvant LABS November 20, 2012 Web Application Vulnerability Assessment/enetration Test Introduction Defending the enterprise against

More information

Web Application Security

Web Application Security Web Application Security The OWASP Foundation Securing the application Input validation Authorization Session mgmt Config mgmt Authenticatio n Error handling Web server App server DB server Secure storage

More information

xjs: Practical XSS Prevention for Web Application Development

xjs: Practical XSS Prevention for Web Application Development xjs: Practical XSS Prevention for Web Application Development Elias Athanasopoulos, Vasilis Pappas, Antonis Krithinakis, Spyros Ligouras, Evangelos P. Markatos Institute of Computer Science, Foundation

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Acme Test Company ACMEIT System 26 th November 2010 Executive Summary Info-Assure Ltd was engaged by Acme Test Company to perform an IT Health Check (ITHC) on the ACMEIT System

More information

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014

QualysGuard WAS. Getting Started Guide Version 3.3. March 21, 2014 QualysGuard WAS Getting Started Guide Version 3.3 March 21, 2014 Copyright 2011-2014 by Qualys, Inc. All Rights Reserved. Qualys, the Qualys logo and QualysGuard are registered trademarks of Qualys, Inc.

More information

Enhancing JavaScript Engine to Detect and Prevent XSS

Enhancing JavaScript Engine to Detect and Prevent XSS The Interdisciplinary Center, Herzliya Efi Arazi School of Computer Science Enhancing JavaScript Engine to Detect and Prevent XSS M.Sc. Thesis Submitted by Tsvi Cherny-Shahar Under the supervision of Dr.

More information

Challenges of Automated Web Application Scanning

Challenges of Automated Web Application Scanning 1 Challenges of Automated Web Application Scanning "Why automated scanning only solves half the problem." Blackhat Windows 2004 Seattle, WA Jeremiah Grossman (CEO) WhiteHat Security, Inc. 2 Speaker Bio

More information

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc.

Øredev 2006. Web application testing using a proxy. Lucas Nelson, Symantec Inc. Øredev 2006 Web application testing using a proxy Lucas Nelson, Symantec Inc. Agenda What is a proxy? Setting up your environment Pre-login tests Post-login tests Conclusion A man in the middle proxy The

More information

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details

ANNEXURE-1 TO THE TENDER ENQUIRY NO.: DPS/AMPU/MIC/1896. Network Security Software Nessus- Technical Details Sub: Supply, Installation, setup and testing of Tenable Network Security Nessus vulnerability scanner professional version 6 or latest for scanning the LAN, VLAN, VPN and IPs with 3 years License/Subscription

More information

Smart (and safe) Lighting:

Smart (and safe) Lighting: Smart (and safe) Lighting: An Overview of Cyber Security October 29, 2015 Jason Brown CISO, Merit Network Agenda 2 The New Normal Discuss Methodologies of Security Recap Q & A Target Hack 3 40,000 credit

More information

Web Application Vulnerability Scanning. VITA Commonwealth Security & Risk Management. April 8, 2016

Web Application Vulnerability Scanning. VITA Commonwealth Security & Risk Management. April 8, 2016 Web Application Vulnerability Scanning VITA Commonwealth Security & Risk Management April 8, 2016 1 Terms Threat A thing that can cause harm Vulnerability A flaw that can be exploited to cause bad things

More information

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com SAINT Integrated Network Vulnerability Scanning and Penetration Testing www.saintcorporation.com Introduction While network vulnerability scanning is an important tool in proactive network security, penetration

More information

Security Tools - Hands On

Security Tools - Hands On Security Tools - Hands On SecAppDev 2014 Ken van Wyk, @KRvW! Leuven, Belgium 10-14 February 2014 Caveats and Warnings This is not a sales pitch for any product(s) If you want to talk to a sales person,

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

Security Model for the Client-Side Web Application Environments

Security Model for the Client-Side Web Application Environments Security Model for the Client-Side Web Application Environments May 24, 2007 Sachiko Yoshihama, Naohiko Uramoto, Satoshi Makino, Ai Ishida, Shinya Kawanaka, and Frederik De Keukelaere IBM Tokyo Research

More information

AjaxScope: Remotely Monitoring Client-side Web-App Behavior

AjaxScope: Remotely Monitoring Client-side Web-App Behavior AjaxScope: Remotely Monitoring Client-side Web-App Behavior Emre Kıcıman emrek@microsoft.com Ben Livshits livshits@microsoft.com Internet Services Research Center Microsoft Research Runtime Analysis &

More information

External Network & Web Application Assessment. For The XXX Group LLC October 2012

External Network & Web Application Assessment. For The XXX Group LLC October 2012 External Network & Web Application Assessment For The XXX Group LLC October 2012 This report is solely for the use of client personal. No part of it may be circulated, quoted, or reproduced for distribution

More information

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young

ArcGIS Server Security Threats & Best Practices 2014. David Cordes Michael Young ArcGIS Server Security Threats & Best Practices 2014 David Cordes Michael Young Agenda Introduction Threats Best practice - ArcGIS Server settings - Infrastructure settings - Processes Summary Introduction

More information

Robust Defence against XSS through Context Free Grammar

Robust Defence against XSS through Context Free Grammar Robust Defence against XSS through Context Free Grammar 1 Divya Rishi Sahu, 2 Deepak Singh Tomar 1,2 Dept. of CSE, MANIT, Bhopal, MP, India Abstract JavaScript is one of the world s most widely adopted

More information

Web Application Exploits

Web Application Exploits Monday, November 10, 2014 Resources: see final slide CS342 Computer Security Department of Computer Science Wellesley College Web Evolution o Static content: Server serves web pages created by people.

More information

Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output

Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output Watch What You Write: Preventing Cross-Site Scripting by Observing Program Output Matias Madou, Edward Lee, Jacob West and Brian Chess Fortify Software 2215 Bridgepointe Pkwy, Suite 400 San Mateo, CA,

More information

Performance Testing for Ajax Applications

Performance Testing for Ajax Applications Radview Software How to Performance Testing for Ajax Applications Rich internet applications are growing rapidly and AJAX technologies serve as the building blocks for such applications. These new technologies

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

A Multi agent Scanner to Detect Stored XSS Vulnerabilities

A Multi agent Scanner to Detect Stored XSS Vulnerabilities A Multi agent Scanner to Detect Stored XSS Vulnerabilities E. Galán, A. Alcaide, A. Orfila, J. Blasco University Carlos III of Madrid, UC3M Leganés, Spain {edgalan,aalcaide,adiaz,jbalis}@inf.uc3m.es Abstract

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis

Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis Philipp Vogt, Florian Nentwich, Nenad Jovanovic, Engin Kirda, Christopher Kruegel, and Giovanni Vigna Secure Systems Lab Technical

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2 Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

How to Build a Trusted Application. John Dickson, CISSP

How to Build a Trusted Application. John Dickson, CISSP How to Build a Trusted Application John Dickson, CISSP Overview What is Application Security? Examples of Potential Vulnerabilities Strategies to Build Secure Apps Questions and Answers Denim Group, Ltd.

More information

Complete Cross-site Scripting Walkthrough

Complete Cross-site Scripting Walkthrough Complete Cross-site Scripting Walkthrough Author : Ahmed Elhady Mohamed Email : ahmed.elhady.mohamed@gmail.com website: www.infosec4all.tk blog : www.1nfosec4all.blogspot.com/ [+] Introduction wikipedia

More information

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research National Information Security Group The Top Web Application Hack Attacks Danny Allan Director, Security Research 1 Agenda Web Application Security Background What are the Top 10 Web Application Attacks?

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

JVA-122. Secure Java Web Development

JVA-122. Secure Java Web Development JVA-122. Secure Java Web Development Version 7.0 This comprehensive course shows experienced developers of Java EE applications how to secure those applications and to apply best practices with regard

More information

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team

NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team NoSQL, But Even Less Security Bryan Sullivan, Senior Security Researcher, Adobe Secure Software Engineering Team Agenda Eventual Consistency REST APIs and CSRF NoSQL Injection SSJS Injection NoSQL databases

More information