CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1

Similar documents
Web Application Security

SESSION IDENTIFIER ARE FOR NOW, PASSWORDS ARE FOREVER

WEB ATTACKS AND COUNTERMEASURES

Recommended Practice Case Study: Cross-Site Scripting. February 2007

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Cross-Site Scripting

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

How to break in. Tecniche avanzate di pen testing in ambito Web Application, Internal Network and Social Engineering

What is Web Security? Motivation

A Tale of the Weaknesses of Current Client-Side XSS Filtering

Chapter 1 Web Application (In)security 1

Cross Site Scripting in Joomla Acajoom Component

Introduction to Computer Security

Penetration Test Report

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

External Vulnerability Assessment. -Technical Summary- ABC ORGANIZATION

MANAGED SECURITY TESTING

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Web Application Security

Web application security

Web Security Testing Cookbook*

Protection, Usability and Improvements in Reflected XSS Filters

University of Wisconsin Platteville SE411. Senior Seminar. Web System Attacks. Maxwell Friederichs. April 18, 2013

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Application security testing: Protecting your application and data

A Tale of the Weaknesses of Current Client-side XSS Filtering

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Client Side Filter Enhancement using Web Proxy

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

THE OPEN UNIVERSITY OF TANZANIA

(WAPT) Web Application Penetration Testing

SQL INJECTION IN MYSQL

The Top Web Application Attacks: Are you vulnerable?

Client logo placeholder XXX REPORT. Page 1 of 37

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Cross Site Scripting Prevention

Magento Security and Vulnerabilities. Roman Stepanov

Cross Site Scripting (XSS) Exploits & Defenses. OWASP Denver, Colorado USA. The OWASP Foundation. David Campbell Eric Duprey.

Bank Hacking Live! Ofer Maor CTO, Hacktics Ltd. ATC-4, 12 Jun 2006, 4:30PM

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

Where every interaction matters.

Penetration Testing: Lessons from the Field

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Cross-site site Scripting Attacks on Android WebView

ASL IT SECURITY BEGINNERS WEB HACKING AND EXPLOITATION

The Key to Secure Online Financial Transactions

Phishing with Super Bait

Web attacks and security: SQL injection and cross-site scripting (XSS)

SECURE APPLICATION DEVELOPMENT CODING POLICY OCIO TABLE OF CONTENTS

HOD of Dept. of CSE & IT. Asst. Prof., Dept. Of CSE AIET, Lko, India. AIET, Lko, India

Gateway Apps - Security Summary SECURITY SUMMARY

Application Security Testing. Generic Test Strategy

National Information Security Group The Top Web Application Hack Attacks. Danny Allan Director, Security Research

FSOEP Web Banking & Fraud: Corporate Treasury Attacks

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

WEB SECURITY. Oriana Kondakciu Software Engineering 4C03 Project

Course Content: Session 1. Ethics & Hacking

Understanding Web Application Security Issues

Complete Cross-site Scripting Walkthrough

Webapps Vulnerability Report

Check list for web developers

MWR InfoSecurity Security Advisory. BT Home Hub SSID Script Injection Vulnerability. 10 th May Contents

Network Security Web Security

Security Evaluation CLX.Sentinel

Web Application Attacks and Countermeasures: Case Studies from Financial Systems

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

Security Testing with Selenium

Web Application Security Considerations

Client vs. Server Implementations of Mitigating XSS Security Threats on Web Applications

Livezilla How to Install on Shared Hosting By: Jon Manning

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Nuclear Regulatory Commission Computer Security Office Computer Security Standard

Common Security Vulnerabilities in Online Payment Systems

External Network & Web Application Assessment. For The XXX Group LLC October 2012

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Discovering passwords in the memory

Next Generation Clickjacking

Last update: February 23, 2004

Secure Web Development Teaching Modules 1. Threat Assessment

Web Application Worms & Browser Insecurity

Advanced Web Security, Lab

Spyware. Summary. Overview of Spyware. Who Is Spying?

Cyber Security Workshop Ethical Web Hacking

Detailed Description about course module wise:

Transcription:

CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 1

Attacking Clients Vulnerabilities in browsers May result in session hijacking, unauthorized actions, and disclosure of personal data, keylogging, remote code execution XSS is the most prevalent web application vulnerability in the world

Varieties of XSS Reflected XSS Stored XSS DOM-Based XSS

Reflected XSS Example: an error message that takes text from user and displays it back to the user in its response 75% of all XSS vulnerabilities are this type

Persistent Cookies If user has a persistent cookie, implementing "remember me" Step 1 is not needed User need not be currently logged in

Same-Origin Policy evil.com cannot get your target.com cookies from your browser Only a page in the same domain (arget.com) But XSS lets the attacker add scripting to a page that comes from target.com Hence the name Cross-Site Scripting

Stored XSS Vulnerabilities A message is stored Executed on any user who views it May attack a large number of users

DOM-Based XSS

The Vulnerability Client-side JavaScript can access the browser's Document Object Model Can determine the URL used to load the current page A script the developer put there may extract data from the URL and display it, dynamically updating the page's contents

Example: Dynamically Generated Error Message Writes message to page Can also write script to page

Real-World XSS Attacks

Apache (2010) XSS in issue-tracking application Attacker injected code, obscured it with a URL shortener Administrator clicked the link Attacker stole the administrator's cookie Attacker altered the upload folder for the project and placed a Trojan login form there

Apache (2010) Attacker captured usernames and passwords for Apache privileged users Found passwords that were re-used on other systems within the infrastructure Fully compromised those systems, escalating the attack beyond the vulnerable Web application Link Ch 12a

MySpace (2005) Samy evaded filters intended to block XSS Added JavaScript to his user profile, that made every viewer Add Samy as a friend Copied the script to the user's profile Gained over 1 million friends within hours Link Ch 12b

Stored XSS in email allowed attackers to send a malicious email to the CEO Stealing his session cookie

Link Ch 12d Twitter (2009)

Other Payloads for XSS Virtual Defacement Add images, code, or other content to a page

Injecting Trojan Functionality Inject actual working functionality into the vulnerable application Such as a fake login form to capture credentials Or the fake Google purchase form on the next slide, from 2004

Disadvantages of Session Hijacking Attacker must monitor her server and collect cookies Then carry out actions on behalf of target users Labor-intensive Leaves traces in server logs

Inducing User Actions Use attack payload script to carry out actions directly If the goal is to perform an administrator action, each user can be forced to try it until an administrator is compromised MySpace XSS worm did this

Exploiting Trust Relationships Browsers trust JavaScript with cookies from the same website Autocomplete in the browser can fill in fields, which are then read by JavaScript Some sites require being added to Internet Explorer's "Trusted Sites"; those sites can run arbitrary code like this

Exploiting Trust Relationships ActiveX controls often contain powerful methods They may check to see that requests came from the expected site With XSS, that condition is satisfied

Escalating the Client-Side Attack Website may attack users by Logging keystrokes Capturing browsing history Port-scanning the local network

Delivery Mechanisms for XSS Attacks

Delivering Reflected and COM-Based XSS Attacks Phishing email containing a crafted URL Targeted attack with custom email Instant message containing a URL Code posted on websites that allow user to post HTML

Watering Hole Attack Attacker creates a website with content that will interest the target users Use search engine optimization to attract viewers Page contains content that causes the user's browser to make requests containing XSS payloads to the vulnerable application

Delivering Reflected and DOM-Based XSS Attacks Purchase ad space, put malicious URL in the ad The ad may appear in pages about the app you are attacking, because of keyword matches Web apps often have "tell a friend" or "send feedback" features Leverage this to deliver an XSS attack via an email that originate from the organization's server

Delivering Stored XSS Attacks In-band (most common)

Delivering Stored XSS Attacks Out-of-band (most common) Anything other than viewing the target app Such as email from its server

Chaining XSS XSS vulnerability itself may be low-risk But chaining it together with other vulnerabilities can cause serious compromise

Example XSS allows script to be inserted into user's displayed name Access control flaw lets attacker change other users' names Add token-stealing XSS to every username Gain administrator credentials: total control of application

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information