XSS Cross Site Scripting

Size: px
Start display at page:

Download "XSS Cross Site Scripting"

Transcription

1 XSS Cross Site Scripting Jörg Schwenk Horst Görtz Institute Ruhr-University Bochum Dagstuhl 2009

2 Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications that enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same origin policy. Cross-site scripting carried out on websites accounted for roughly 80.5% of all security vulnerabilities documented by Symantec as of [1] Their effect may range from a petty nuisance to a significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner.

3 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

4 Browser-based protocols DNS Internet Webserver Application Server Database PDF Malware Rendering Javascript AJAX engine Flash Real PKI

5 Browser-based protocols Rendering Javascript AJAX engine Internet Webserver Application Server Database

6 Browser-based protocols 3 4: CSS Rendering Javascript AJAX engine 1 2: HTML+JS 5 6: JS-Lib library.js.net

7 Web Origins and Browser DOM window document body document.location defines HTML JS loaded from loaded from grants access rights to origin CSS loaded from JS-Lib loaded from library.js.net

8 Browser-based Cryptographic protocols: SOP (Same Origin Policy) Document1 Document2 Cookies Form Script1 Name Account Amount Script1: GetCookie Script2: Modify Account Script3: Send/ Request data Schwenk ,43 Origin: https://banking.bank.com:443 Origin: Access Denied SOP

9 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

10 Reflected XSS (non-persistent) Angreifer übergibt Skriptcode über einen eigens präparierten Hyperlink an das Opfer Typisches Angriffsziel: Suchfunktionen in Webseiten

11 Reflected XSS (non-persistent) Normale URL, die eine Suche auf der Webseite triggert: Resultat: <p>sie suchten nach: Suchbegriff</p> Präparierte URL: type="text/javascript">alert("xss")</script> Resultat: <p>sie suchten nach: <script type="text/javascript">alert("xss")</script></p>

12 Reflected XSS (non-persistent) 3: GET+ JS-XSS victim.com Rendering Javascript AJAX engine 4: HTML + JS-XSS (active) 1 2: HTML + JS-XSS (inactive) attacker.org

13

14 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

15 Stored XSS (persistent) Beispiel ebay Phisher erstellt Angebot Bettet im Angebot bösartigen Code ein Code kompromittiert Bieten- Button Benutzer wird zur Eingabe seiner Zugangsdaten aufgefordert, wobei diese Seite vom Angreifer stammt Benutzer gibt seine Zugangsdaten preis Quelle:

16 Stored XSS (persistent) 2: GET victim.com Rendering Javascript AJAX engine 3: HTML + JS-XSS 1: HTML + JS-XSS 1 attacker.org

17 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

18 DOM based XSS (Local XSS) Consider the following webpage located at <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.url.indexof("name=")+5; document.write(document.url.substring(pos, document.url.length)); </SCRIPT> <BR> Welcome to our system </HTML> Amit Klein,

19 DOM based XSS (Local XSS) Typical use: <HTML> <TITLE>Welcome!</TITLE> Hi <SCRIPT> var pos=document.url.indexof("name=")+5; document.write(document.url.substring(pos, document.url.length)); </SCRIPT> <BR> Welcome to our system </HTML> Amit Klein,

20 DOM based XSS (Local XSS) Result of: <HTML> <TITLE>Welcome!</TITLE> Hi Joe <BR> Welcome to our system </HTML> Amit Klein,

21 DOM based XSS (Local XSS) Result of: <script>alert(document.cookie)</script> <HTML> <TITLE>Welcome!</TITLE> Hi <script>alert(document.cookie)</script> <BR> Welcome to our system </HTML> Amit Klein,

22 DOM based XSS (Local XSS) Avoid detection by server side filtering: <script>alert(document.cookie)</script> # indicates that the string following this character is a fragment identifier, i.e. it is only an indication to the browser which part of the document to display The string following # is thus never sent to the server, but it is stored in DOM-properties like document.location or document.url Amit Klein,

23 DOM based XSS (Local XSS) GET welcome.html 3: GET HTTP 1.1 host: victim.com Rendering Javascript AJAX engine 4: HTML 1: GET 5: XSS executed during (local) rendering 2: HTML + <a href= JS-XSS name= <script>alert(document.cookie)</script> >Klick (inactive) me!</a> attacker.org

24 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

25 Server Side: Blocking If unsolicited content (e.g. Overlong cookies) is detected, processing of the http request is blocked. Instead, e.g. A static webpage can be displayed. Can be misused to perform DoS attacks: Vela 2009: Overlong Google Analytics tracking code snippets

26 Server Side: Stripping and Replacing PHP strip_tags() removes potentially dangerous characters from user input If this seems too rigid, $allowable_tags can be defined; this may open doors for XSS in single web applications Stripping substrings is complex: e.g. Stripping fromcharcode from fromcfromcharcodeharcode Character replacement is more reliable, but can nebertheless be circumvented (Amazon AWS attack)

27 Server Side: Escaping Potentially dangerous characters like < are prepended with a backslash character: \< Potential problems with unicode characters may lead to SQLi innerhtml and CSS attacks

28 Server Side: Encoding PHP htmlentities() and htmlspecialchars() encode potentially dangerous characters May be bypassed with e.g. UTF7 encoding of attack vectors: +Adw-script+AD4-alert(1)+Adw-/script+AD4-

29 Server Side: Rewriting HTMLPurifier for PHP, AntiSamy for Java, SafeHTML for Windows Server environments Web application want to allow posting of harmless HTML Different approaches: Only regular expressions: broken HTMLPurifier: Build new DOM tree, match this tree aganinst XHTML DTD, remove non-matching elements Google Caja: rewrites Javascript (+HTMl + CSS) code, may result in code expansion (1 line -> 130 lines)

30 Client Side Filtering Server does not see complete code that is rendered by the browser innerhtml DOM XSS Flash Parameters Therefore, client side filtering is applied

31 Client Side: IE XSS Filter Checks for matches between Request URL fragments and the resulting HTML markup Problems with detecting fragmented attack vectors (because they are only completed by the markup parser) Markup Parser Request URL IE XSS Filter HTML Markup Network Stack

32 Client Side: Webkit/Google Chrome XSS Auditor Works similar to IE XSS Filter Different position HTML Parser Webkit XSS Auditor Javascript Engine Network Stack

33 Client Side: NoScript XSS Filter (Firefox) Rewrites URL parameters if URL request goes to a trusted site insecure.php?a="><img/ src= onerror=alert(1) Is changed to insecure.php?a=> img%2fsrc= ONERROR=ALERT 1 #some_random_number HTML Parser Request URL to Trusted Site NoScript Rewritten URL to Trusted Site Network Stack

34 Content Security Policy https://wiki.mozilla.org/security/csp/specification Example 2: Auction site wants to allow images from anywhere, plugin content from a list of trusted media providers (including a content distribution network), and scripts only from its server hosting sanitized JavaScript: X-Content-Security-Policy: allow 'self'; img-src *; object-src media1.com media2.com *.cdn.com; script-src trustedscripts.example.com Example 4: Online payments site wants to ensure that all of the content in its pages is loaded over SSL to prevent attackers from eavesdropping on requests for insecure content: X-Content-Security-Policy: allow https://*:443

35 IFrame Sandboxing Sandboxed Iframes: New feature in HTML5 No script execution No plugin execution No top oder parent access No form submissions... Only display static HTML... But this can of course be relaxed

36 Javascript Sandboxing JSReg: purely written in Javascript, uses regular expressions, often broken. Dojo Sandbox: blocks access to sensitive DOM properties, broken in 2010 (e.g. Unicode escapes) Rhino and LiveConnect: Run Javascript inside an Java applet, which has its own Javascript parser should be safe, broken by Heiderich et.al. JSAgents/IceShield: see below

37 Overview 1. Web Origins, Browser DOM and the Same Origin Policy 2. Reflected XSS 3. Stored XSS 4. DOM XSS 5. Classical Countermeasures 6. JSAgents

38 Ausblick: Cross Site Request Forgery Schritt 2: Einloggen des Opfers bei Hotmail. 1: Login auf NY Times Webseite 3: http-link (z.b. in einem <img>-tag) enthält Query-String mit dem Befehl, eine an zu senden. nytimes.com Victim 2: Anschauen der Webseite des Angreifers 38 Microsoft Identity Managment Jörg Schwenk Lehrstuhl für Netz- und Datensicherheit attacker.org

39 Ausblick: Cross Site Request Forgery 1. ING Direct (ingdirect.com) Status: Fixed 2. YouTube (youtube.com) Status: Fixed 3. MetaFilter (metafilter.com) Status: Fixed 4. The New York Times (nytimes.com) Status: Fixed. 39 Microsoft Identity Managment Jörg Schwenk Lehrstuhl für Netz- und Datensicherheit

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework Detecting and Exploiting XSS with Xenotix XSS Exploit Framework ajin25@gmail.com keralacyberforce.in Introduction Cross Site Scripting or XSS vulnerabilities have been reported and exploited since 1990s.

More information

A Tale of the Weaknesses of Current Client-Side XSS Filtering

A Tale of the Weaknesses of Current Client-Side XSS Filtering Call To Arms: A Tale of the Weaknesses of Current Client-Side XSS Filtering Martin Johns, Ben Stock, Sebastian Lekies About us Martin Johns, Ben Stock, Sebastian Lekies Security Researchers at SAP, Uni

More information

Web-Application Security

Web-Application Security Web-Application Security Kristian Beilke Arbeitsgruppe Sichere Identität Fachbereich Mathematik und Informatik Freie Universität Berlin 29. Juni 2011 Overview Web Applications SQL Injection XSS Bad Practice

More information

Cross-Site Scripting

Cross-Site Scripting Cross-Site Scripting (XSS) Computer and Network Security Seminar Fabrice Bodmer (fabrice.bodmer@unifr.ch) UNIFR - Winter Semester 2006-2007 XSS: Table of contents What is Cross-Site Scripting (XSS)? Some

More information

Attacks on Clients: Dynamic Content & XSS

Attacks on Clients: Dynamic Content & XSS Software and Web Security 2 Attacks on Clients: Dynamic Content & XSS (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Recap from last lecture Attacks on web server: attacker/client

More information

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications 1. Introduction 2. Web Application 3. Components 4. Common Vulnerabilities 5. Improving security in Web applications 2 What does World Wide Web security mean? Webmasters=> confidence that their site won

More information

Relax Everybody: HTML5 Is Securer Than You Think

Relax Everybody: HTML5 Is Securer Than You Think Relax Everybody: HTML5 Is Securer Than You Think Martin Johns (@datenkeller) SAP AG Session ID: ADS-W08 Session Classification: Advanced Motivation For some reason, there is a preconception that HTML5

More information

Cross Site Scripting Prevention

Cross Site Scripting Prevention Project Report CS 649 : Network Security Cross Site Scripting Prevention Under Guidance of Prof. Bernard Menezes Submitted By Neelamadhav (09305045) Raju Chinthala (09305056) Kiran Akipogu (09305074) Vijaya

More information

Analysis of Browser Defenses against XSS Attack Vectors

Analysis of Browser Defenses against XSS Attack Vectors Analysis of Browser Defenses against XSS Attack Vectors Shital Dhamal Department of Computer Engineering Lokmanya Tilak College of Engineering Koparkhairne,Navi Mumbai,Maharashtra,India Manisha Mathur

More information

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca)

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Bug Report Date: March 19, 2011 Reporter: Chris Jarabek (cjjarabe@ucalgary.ca) Software: Kimai Version: 0.9.1.1205 Website: http://www.kimai.org Description: Kimai is a web based time-tracking application.

More information

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011

Cross Site Scripting (XSS) and PHP Security. Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 Cross Site Scripting (XSS) and PHP Security Anthony Ferrara NYPHP and OWASP Security Series June 30, 2011 What Is Cross Site Scripting? Injecting Scripts Into Otherwise Benign and Trusted Browser Rendered

More information

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Security Research Advisory IBM inotes 9 Active Content Filtering Bypass Table of Contents SUMMARY 3 VULNERABILITY DETAILS 3 TECHNICAL DETAILS 4 LEGAL NOTICES 7 Active Content Filtering Bypass Advisory

More information

A Tale of the Weaknesses of Current Client-side XSS Filtering

A Tale of the Weaknesses of Current Client-side XSS Filtering A Tale of the Weaknesses of Current Client-side XSS Filtering Sebastian Lekies (@sebastianlekies), Ben Stock (@kcotsneb) and Martin Johns (@datenkeller) Attention hackers! These slides are preliminary!

More information

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications Slides by Connor Schnaith Cross-Site Request Forgery One-click attack, session riding Recorded since 2001 Fourth out of top 25 most

More information

Recent Advances in Web Application Security

Recent Advances in Web Application Security Recent Advances in Web Application Security Author: Neelay S Shah Principal Security Consultant Foundstone Professional Services Table of Contents Introduction 3 Content Security Policy 3 Best Practices

More information

HTML5. Eoin Keary CTO BCC Risk Advisory. www.bccriskadvisory.com www.edgescan.com

HTML5. Eoin Keary CTO BCC Risk Advisory. www.bccriskadvisory.com www.edgescan.com HTML5 Eoin Keary CTO BCC Risk Advisory www.bccriskadvisory.com www.edgescan.com Where are we going? WebSockets HTML5 AngularJS HTML5 Sinks WebSockets: Full duplex communications between client or server

More information

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in

XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0. Author of OWASP Xenotix XSS Exploit Framework opensecurity.in THE ULTIMATE XSS PROTECTION CHEATSHEET FOR DEVELOPERS V1.0 Ajin Abraham Author of OWASP Xenotix XSS Exploit Framework opensecurity.in The quick guide for developers to protect their web applications from

More information

2009-12-26 PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script

2009-12-26 PST_WEBZINE_0X04. How to solve XSS and mix user's HTML/JavaScript code with your content with just one script ACS - Active Content Signatures By Eduardo Vela Nava ACS - Active Content Signatures How to solve XSS and mix user's HTML/JavaScript code with your content with just one script Eduardo Vela Nava (sirdarckcat@gmail.com)

More information

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications Journal of Basic and Applied Engineering Research pp. 50-54 Krishi Sanskriti Publications http://www.krishisanskriti.org/jbaer.html Client vs. Server Implementations of Mitigating XSS Security Threats

More information

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code

Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code Bypassing XSS Auditor: Taking Advantage of Badly Written PHP Code Anastasios Stasinopoulos, Christoforos Ntantogian, Christos Xenakis Department of Digital Systems, University of Piraeus {stasinopoulos,

More information

Towards Automated Malicious Code Detection and Removal on the Web

Towards Automated Malicious Code Detection and Removal on the Web Towards Automated Malicious Code Detection and Removal on the Web Dabirsiaghi, Arshan Open Web Application Security Project Aspect Security, Inc., 2007 Abstract The most common vulnerability in web applications

More information

Revisiting XSS Sanitization

Revisiting XSS Sanitization Revisiting XSS Sanitization Ashar Javed Chair for Network and Data Security Horst Görtz Institute for IT-Security, Ruhr-University Bochum ashar.javed@rub.de Abstract. Cross-Site Scripting (XSS) around

More information

Complete Cross-site Scripting Walkthrough

Complete Cross-site Scripting Walkthrough Complete Cross-site Scripting Walkthrough Author : Ahmed Elhady Mohamed Email : ahmed.elhady.mohamed@gmail.com website: www.infosec4all.tk blog : www.1nfosec4all.blogspot.com/ [+] Introduction wikipedia

More information

Universal XSS via IE8s XSS Filters

Universal XSS via IE8s XSS Filters Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides: http://p42.us/ie8xss/ About Us Eduardo Vela Nava aka sirdarckcat http://sirdarckcat.net http://twitter.com/sirdarckcat

More information

Ruby on Rails Secure Coding Recommendations

Ruby on Rails Secure Coding Recommendations Introduction Altius IT s list of Ruby on Rails Secure Coding Recommendations is based upon security best practices. This list may not be complete and Altius IT recommends this list be augmented with additional

More information

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Illinois Institute Of Technology Prateek Saxena UC Berkeley Dawn Song UC Berkeley 1 A Cross-Site Scripting Attack

More information

Network Security Web Security

Network Security Web Security Network Security Web Security Anna Sperotto, Ramin Sadre Design and Analysis of Communication Systems Group University of Twente, 2012 Cross Site Scripting Cross Side Scripting (XSS) XSS is a case of (HTML)

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven.

Recent Web Security Technology. Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven. Recent Web Security Technology Lieven Desmet iminds-distrinet-ku Leuven 3th February 2015 B-CCENTRE closing workshop Lieven.Desmet@cs.kuleuven.be About myself: Lieven Desmet Research manager at KU Leuven

More information

The Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam

The Past, Present and Future of XSS Defense Jim Manico. HITB 2011 Amsterdam The Past, Present and Future of XSS Defense Jim Manico HITB 2011 Amsterdam 0 Jim Manico Managing Partner, Infrared Security Web Developer, 15+ Years OWASP Connections Committee Chair OWASP ESAPI Project

More information

Project 2: Web Security Pitfalls

Project 2: Web Security Pitfalls EECS 388 September 19, 2014 Intro to Computer Security Project 2: Web Security Pitfalls Project 2: Web Security Pitfalls This project is due on Thursday, October 9 at 6 p.m. and counts for 8% of your course

More information

Check list for web developers

Check list for web developers Check list for web developers Requirement Yes No Remarks 1. Input Validation 1.1) Have you done input validation for all the user inputs using white listing and/or sanitization? 1.2) Does the input validation

More information

XSS Lightsabre techniques. using Hackvertor

XSS Lightsabre techniques. using Hackvertor XSS Lightsabre techniques using Hackvertor What is Hackvertor? Tag based conversion tool Javascript property checker Javascript/HTML execution DOM browser Saves you writing code Free and no ads! Whoo hoo!

More information

Project OWASP and two most frequent vulnerabilities in web applications

Project OWASP and two most frequent vulnerabilities in web applications Project OWASP and two most frequent vulnerabilities in web applications Filip Šebesta, Wilson Tuladhar 2010 Abstract With the rapid use of the Internet, there has been a rapid growth in websites and web

More information

Web Application Hacking (Penetration Testing) 5-day Hands-On Course

Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Web Application Hacking (Penetration Testing) 5-day Hands-On Course Course Description Our web sites are under attack on a daily basis

More information

EECS 398 Project 2: Classic Web Vulnerabilities

EECS 398 Project 2: Classic Web Vulnerabilities EECS 398 Project 2: Classic Web Vulnerabilities Revision History 3.0 (October 27, 2009) Revise CSRF attacks 1 and 2 to make them possible to complete within the constraints of the project. Clarify that

More information

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000) Security What about MongoDB? Even though MongoDB doesn t use SQL, it can be vulnerable to injection attacks db.collection.find( {active: true, $where: function() { return obj.credits - obj.debits < req.body.input;

More information

Web Application Security

Web Application Security Web Application Security John Zaharopoulos ITS - Security 10/9/2012 1 Web App Security Trends Web 2.0 Dynamic Webpages Growth of Ajax / Client side Javascript Hardening of OSes Secure by default Auto-patching

More information

Web Application Security

Web Application Security Web Application Security A Beginner's Guide Bryan Sullivan Vincent Liu Mc r New York Chicago San Francisco Lisbon London Madrid Mexico City Milan New Delhi San Juan Seoul Singapore Sydney Toronto Contents

More information

Blackbox Reversing of XSS Filters

Blackbox Reversing of XSS Filters Blackbox Reversing of XSS Filters Alexander Sotirov alex@sotirov.net Introduction Web applications are the future Reversing web apps blackbox reversing very different environment and tools Cross-site scripting

More information

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure Vulnerabilities, Weakness and Countermeasures Massimo Cotelli CISSP Secure : Goal of This Talk Security awareness purpose Know the Web Application vulnerabilities Understand the impacts and consequences

More information

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011 Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011 Agenda Evolving Threats Operating System Application User Generated Content JPL s Application Security Program Securing

More information

Security starts in the head(er)

Security starts in the head(er) Security starts in the head(er) JavaOne 2014 Dominik Schadow bridgingit Policies are independent of framework and language response.addheader(! "Policy name",! "Policy value"! ); User agent must understand

More information

Proposal of Improving Web Application Security in Context of Latest Hacking Trends

Proposal of Improving Web Application Security in Context of Latest Hacking Trends Proposal of Improving Web Application Security in Context of Latest Hacking Trends RADEK VALA, ROMAN JASEK Department of Informatics and Artificial Intelligence Tomas Bata University in Zlin, Faculty of

More information

Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea

Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea Carlos Muñoz Application Security Engineer WhiteHat Security @RTWaysea Bypass: History Explanation: What Is Going On Process: Things To Look For Demos: alert(1) Done Live (hopefully) CSP: Content Security

More information

Bypassing Internet Explorer s XSS Filter

Bypassing Internet Explorer s XSS Filter Bypassing Internet Explorer s XSS Filter Or: Oops, that s not supposed to happen. Carlos @RTWaysea About Me Mechanical Drafting Background Engine parts, Architectural fixtures, etc. Friend said Try This

More information

Web Application Guidelines

Web Application Guidelines Web Application Guidelines Web applications have become one of the most important topics in the security field. This is for several reasons: It can be simple for anyone to create working code without security

More information

Finding XSS in Real World

Finding XSS in Real World Finding XSS in Real World by Alexander Korznikov nopernik@gmail.com 1 April 2015 Hi there, in this tutorial, I will try to explain how to find XSS in real world, using some interesting techniques. All

More information

A Survey on Threats and Vulnerabilities of Web Services

A Survey on Threats and Vulnerabilities of Web Services A Survey on Threats and Vulnerabilities of Web Services A Thesis submitted in partial fulfillment of the requirements for the degree of Master of Computer Science and Engineering of Jadavpur University

More information

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS

Hacking Web Apps. Detecting and Preventing Web Application Security Problems. Jorge Blanco Alcover. Mike Shema. Technical Editor SYNGRESS Hacking Web Apps Detecting and Preventing Web Application Security Problems Mike Shema Technical Editor Jorge Blanco Alcover AMSTERDAM BOSTON HEIDELBERG LONDON NEW YORK OXFORD PARIS SAN DIEGO SAN FRANCISCO

More information

Next Generation Clickjacking

Next Generation Clickjacking Next Generation Clickjacking New attacks against framed web pages Black Hat Europe, 14 th April 2010 Paul Stone paul.stone@contextis.co.uk Coming Up Quick Introduction to Clickjacking Four New Cross-Browser

More information

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map

Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map Detect and Sanitise Encoded Cross-Site Scripting and SQL Injection Attack Strings Using a Hash Map Erwin Adi and Irene Salomo School of Computer Science BINUS International BINUS University, Indonesia

More information

Cross Site Scripting (XSS) Exploits & Defenses. OWASP Denver, Colorado USA. The OWASP Foundation. David Campbell Eric Duprey. http://www.owasp.

Cross Site Scripting (XSS) Exploits & Defenses. OWASP Denver, Colorado USA. The OWASP Foundation. David Campbell Eric Duprey. http://www.owasp. Cross Site Scripting (XSS) Exploits & Defenses Denver, Colorado USA David Campbell Eric Duprey Copyright 2007 The Foundation Permission is granted to copy, distribute and/or modify this document under

More information

Protecting Web Applications and Users

Protecting Web Applications and Users Protecting Web Applications and Users Technical guidance for improving web application security through implementing web browser based mitigations. Defence Signals Directorate February 2012 Contents 1

More information

DIPLOMA IN WEBDEVELOPMENT

DIPLOMA IN WEBDEVELOPMENT DIPLOMA IN WEBDEVELOPMENT Prerequisite skills Basic programming knowledge on C Language or Core Java is must. # Module 1 Basics and introduction to HTML Basic HTML training. Different HTML elements, tags

More information

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS

EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS EVADING ALL WEB-APPLICATION FIREWALLS XSS FILTERS SEPTEMBER 2015 MAZIN AHMED MAZIN@MAZINAHMED.NET @MAZEN160 Table of Contents Topic Page Number Abstract 3 Introduction 3 Testing Environment 4 Products

More information

ECE458 Winter 2013. Web Security. Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh)

ECE458 Winter 2013. Web Security. Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh) ECE458 Winter 2013 Web Security Slides from John Mitchell and Vitaly Shmatikov (Modified by Vijay Ganesh) Reported Web Vulnerabilities "In the Wild" Data from aggregator and validator of NVD-reported vulnerabilities

More information

(WAPT) Web Application Penetration Testing

(WAPT) Web Application Penetration Testing (WAPT) Web Application Penetration Testing Module 0: Introduction 1. Introduction to the course. 2. How to get most out of the course 3. Resources you will need for the course 4. What is WAPT? Module 1:

More information

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff

Secure development and the SDLC. Presented By Jerry Hoff @jerryhoff Secure development and the SDLC Presented By Jerry Hoff @jerryhoff Agenda Part 1: The Big Picture Part 2: Web Attacks Part 3: Secure Development Part 4: Organizational Defense Part 1: The Big Picture Non

More information

What is Web Security? Motivation

What is Web Security? Motivation brucker@inf.ethz.ch http://www.brucker.ch/ Information Security ETH Zürich Zürich, Switzerland Information Security Fundamentals March 23, 2004 The End Users View The Server Providers View What is Web

More information

Exploiting Web 2.0 Next Generation Vulnerabilities

Exploiting Web 2.0 Next Generation Vulnerabilities Exploiting Web 2.0 Next Generation Vulnerabilities OWASP EU09 Poland Shreeraj Shah Chapter Lead Founder & Director Blueinfy Solutions shreeraj@blueinfy.com Copyright The OWASP Foundation Permission is

More information

Web Application Worms & Browser Insecurity

Web Application Worms & Browser Insecurity Web Application Worms & Browser Insecurity Mike Shema Welcome Background Hacking Exposed: Web Applications The Anti-Hacker Toolkit Hack Notes: Web Security Currently working at Qualys

More information

Sichere Webanwendungen mit Java

Sichere Webanwendungen mit Java Sichere Webanwendungen mit Java Karlsruher IT- Sicherheitsinitiative 16.07.2015 Dominik Schadow bridgingit Patch fast Unsafe platform unsafe web application Now lets have a look at the developers OWASP

More information

Security Model for the Client-Side Web Application Environments

Security Model for the Client-Side Web Application Environments Security Model for the Client-Side Web Application Environments May 24, 2007 Sachiko Yoshihama, Naohiko Uramoto, Satoshi Makino, Ai Ishida, Shinya Kawanaka, and Frederik De Keukelaere IBM Tokyo Research

More information

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon.

Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon. Sidste chance for Early Bird! Tilmeld dig før d. 30. juni og spar 4.000 DKK. Læs mere og tilmeld dig på www.gotocon.com/aarhus-2012 SIKKERHED I WEBAPPLIKATIONER Anders Skovsgaard Hackavoid anders@hackavoid.dk

More information

The Image that called me

The Image that called me The Image that called me Active Content Injection with SVG Files A presentation by Mario Heiderich, 2011 Introduction Mario Heiderich Researcher and PhD student at the Ruhr- University, Bochum Security

More information

A Study on Dynamic Detection of Web Application Vulnerabilities

A Study on Dynamic Detection of Web Application Vulnerabilities A Study on Dynamic Detection of Web Application Vulnerabilities A Dissertation Presented by Yuji Kosuga Submitted to the School of Science for Open and Environmental Systems in partial fulfillment of the

More information

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808)

Acunetix Website Audit. 5 November, 2014. Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Acunetix Website Audit 5 November, 2014 Developer Report Generated by Acunetix WVS Reporter (v8.0 Build 20120808) Scan of http://filesbi.go.id:80/ Scan details Scan information Starttime 05/11/2014 14:44:06

More information

Last update: February 23, 2004

Last update: February 23, 2004 Last update: February 23, 2004 Web Security Glossary The Web Security Glossary is an alphabetical index of terms and terminology relating to web application security. The purpose of the Glossary is to

More information

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER XSS-BASED ABUSE OF BROWSER PASSWORD MANAGERS Ben Stock, Martin Johns, Sebastian Lekies Browser choices Full disclosure: Ben was an intern with Microsoft

More information

Advanced XSS. Nicolas Golubovic

Advanced XSS. Nicolas Golubovic Advanced XSS Nicolas Golubovic Image courtesy of chanpipat / FreeDigitalPhotos.net Today's menu 1. Starter: reboiled XSS 2. Course: spicy blacklists & filters 3. Course: sweet content sniffing 4. Course:

More information

CS 6262 - Network Security: Web Security

CS 6262 - Network Security: Web Security CS 6262 - Network Security: Web Security Professor Patrick Traynor 4/9/2013 C Reminders Need a study group for the final? Meet after class, or use Piazza to organize a meeting! Final posters for DL students:

More information

Reliable Mitigation of DOM-based XSS

Reliable Mitigation of DOM-based XSS Intro XSS Implementation Evaluation Q&A Reliable Mitigation of DOM-based XSS Tobias Mueller 2014-09-07 1 / 39 Intro XSS Implementation Evaluation Q&A About me The results Motivation about:me MSc. cand.

More information

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant

Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Bypassing Web Application Firewalls (WAFs) Ing. Pavol Lupták, CISSP, CEH Lead Security Consultant Nethemba All About Security Highly experienced certified IT security experts (CISSP, C EH, SCSecA) Core

More information

Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations OWASP. The OWASP Foundation. Marco Morana & Scott Nusbaum

Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations OWASP. The OWASP Foundation. Marco Morana & Scott Nusbaum Input Validation Vulnerabilities, Encoded Attack Vectors and Mitigations Marco Morana & Scott Nusbaum Cincinnati Chapter September 08 Meeting Copyright 2008 The Foundation Permission is granted to copy,

More information

Web application security

Web application security Web application security Sebastian Lopienski CERN Computer Security Team openlab and summer lectures 2010 (non-web question) Is this OK? int set_non_root_uid(int uid) { // making sure that uid is not 0

More information

Where every interaction matters.

Where every interaction matters. Where every interaction matters. Peer 1 Vigilant Web Application Firewall Powered by Alert Logic The Open Web Application Security Project (OWASP) Top Ten Web Security Risks and Countermeasures White Paper

More information

Gateway Apps - Security Summary SECURITY SUMMARY

Gateway Apps - Security Summary SECURITY SUMMARY Gateway Apps - Security Summary SECURITY SUMMARY 27/02/2015 Document Status Title Harmony Security summary Author(s) Yabing Li Version V1.0 Status draft Change Record Date Author Version Change reference

More information

Network Security Exercise #8

Network Security Exercise #8 Computer and Communication Systems Lehrstuhl für Technische Informatik Network Security Exercise #8 Falko Dressler and Christoph Sommer Computer and Communication Systems Institute of Computer Science,

More information

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet March 8, 2012 Stephen Kost Chief Technology Officer Integrigy Corporation Phil Reimann Director of Business Development

More information

Precise client-side protection against DOM-based Cross-Site Scripting

Precise client-side protection against DOM-based Cross-Site Scripting Precise client-side protection against DOM-based Cross-Site Scripting Ben Stock FAU Erlangen-Nuremberg ben.stock@cs.fau.de Patrick Spiegel SAP AG patrick.spiegel@sap.com Sebastian Lekies SAP AG sebastian.lekies@sap.com

More information

Data Breaches and Web Servers: The Giant Sucking Sound

Data Breaches and Web Servers: The Giant Sucking Sound Data Breaches and Web Servers: The Giant Sucking Sound Guy Helmer CTO, Palisade Systems, Inc. Lecturer, Iowa State University @ghelmer Session ID: DAS-204 Session Classification: Intermediate The Giant

More information

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft Finding and Preventing Cross- Site Request Forgery Tom Gallagher Security Test Lead, Microsoft Agenda Quick reminder of how HTML forms work How cross-site request forgery (CSRF) attack works Obstacles

More information

Security features of ZK Framework

Security features of ZK Framework 1 Security features of ZK Framework This document provides a brief overview of security concerns related to JavaScript powered enterprise web application in general and how ZK built-in features secures

More information

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities Thomas Moyer Spring 2010 1 Web Applications What has changed with web applications? Traditional applications

More information

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke EVALUATING COMMERCIAL WEB APPLICATION SECURITY By Aaron Parke Outline Project background What and why? Targeted sites Testing process Burp s findings Technical talk My findings and thoughts Questions Project

More information

Webapps Vulnerability Report

Webapps Vulnerability Report Tuesday, May 1, 2012 Webapps Vulnerability Report Introduction This report provides detailed information of every vulnerability that was found and successfully exploited by CORE Impact Professional during

More information

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell

State of The Art: Automated Black Box Web Application Vulnerability Testing. Jason Bau, Elie Bursztein, Divij Gupta, John Mitchell Stanford Computer Security Lab State of The Art: Automated Black Box Web Application Vulnerability Testing, Elie Bursztein, Divij Gupta, John Mitchell Background Web Application Vulnerability Protection

More information

The Top Web Application Attacks: Are you vulnerable?

The Top Web Application Attacks: Are you vulnerable? QM07 The Top Web Application Attacks: Are you vulnerable? John Burroughs, CISSP Sr Security Architect, Watchfire Solutions jburroughs@uk.ibm.com Agenda Current State of Web Application Security Understanding

More information

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding

Hack-proof Your Drupal App. Key Habits of Secure Drupal Coding Hack-proof Your Drupal App Key Habits of Secure Drupal Coding DrupalCamp CT 2010 My Modules Introductions Erich Beyrent http://twitter.com/ebeyrent http://drupal.org/user/23897 Permissions API Search Lucene

More information

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization.

Introduction. Attacks Against Websites 2. Reflected XSS. Cross-site scripting (XSS) Solution for injection: sanitization. Introduction Attacks Against Websites 2 Tom Chothia Computer Security, Lecture 12 More on Web Attacks: Cross site scripting attacks (XSS) Cross-site request forgery (CSRF) OWASP top 10 web attacks. Cross-site

More information

1.5.5 Cookie Analysis

1.5.5 Cookie Analysis 1.5.5 Cookie Analysis As part of the first audit, Facebook were asked to provide an explanation of the purpose of each of the identified cookies. The information provided at the time has been reviewed

More information

Web Design Technology

Web Design Technology Web Design Technology Terms Found in web design front end Found in web development back end Browsers Uses HTTP to communicate with Web Server Browser requests a html document Web Server sends a html document

More information

25 Million Flows Later - Large-scale Detection of DOM-based XSS

25 Million Flows Later - Large-scale Detection of DOM-based XSS 25 Million Flows Later - Large-scale Detection of DOM-based XSS Sebastian Lekies SAP AG sebastian.lekies@sap.com Ben Stock FAU Erlangen-Nuremberg ben.stock@cs.fau.de Martin Johns SAP AG martin.johns@sap.com

More information

Chapter 1 Web Application (In)security 1

Chapter 1 Web Application (In)security 1 Introduction xxiii Chapter 1 Web Application (In)security 1 The Evolution of Web Applications 2 Common Web Application Functions 4 Benefits of Web Applications 5 Web Application Security 6 "This Site Is

More information

Cross-site site Scripting Attacks on Android WebView

Cross-site site Scripting Attacks on Android WebView IJCSN International Journal of Computer Science and Network, Vol 2, Issue 2, April 2013 1 Cross-site site Scripting Attacks on Android WebView 1 Bhavani A B 1 Hyderabad, Andhra Pradesh-500050, India Abstract

More information

Penny Wyatt Atlassian QA SECURING YOUR PLUGIN

Penny Wyatt Atlassian QA SECURING YOUR PLUGIN Penny Wyatt Atlassian QA SECURING YOUR PLUGIN Topics Cross-Site Scripting (XSS) Vulnerabilities Cross-Site Request Forgery (XSRF) Vulnerabilities Confluence WebSudo File Execution Vulnerabilities Random

More information