Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

Similar presentations


Presentation on theme: "© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research."— Presentation transcript:

1 © 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research Group Manager OWASP IL

2 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Agenda Theoretical part: –Same Origin Policy 101 –Cross-Site Scripting 101 –HTTP sessions Practical part: –Trivial robbery –Advanced robbery

3 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Browser Scripting Capabilities What can scripts do: –Scripts can perform user interactions with the site –Scripts can seamlessly interact with the web site –Can perform any action that is related to the site –Can launch signed and safe ActiveX control

4 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Scripting Restrictions – Same Origin Policy What scripts can not do: –Scripts can only interact with the domain they came from –Scripts can see send and receive responses only from their domain –Scripts can access other browsers frames only from same domain –Scripts can issue requests to other domains (but not view the corresponding responses)

5 © 2009 IBM Corporation ILSL - IBM Israel Software Lab XSS 101 XSS occurs when user input (JavaScript) is returned by the web application: String data = request.getParameter(param); out.println(data) Simple exploit: –http://www.thebank.site/action?param= XSS breaks Same-Origin Policy –Vulnerable domain may now return arbitrary JavaScripts.

6 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Cross Site Scripting – The Exploit Process Evil.org TheBank.site User Script returned, executed by browser 3 User sends script embedded as data 2 1 Link to bank.com sent to user via E- mail or HTTPbank.com

7 © 2009 IBM Corporation ILSL - IBM Israel Software Lab The session cookie HTTP is stateless Session id makes your application stateful Session id = your identification Should not be guessable JavaScript access: document.cookie

8 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Cross Site Scripting – The Exploit Process Evil.org TheBank.site User Evil.orgEvil.org uses stolen session information to impersonate user 5 Script returned, executed by browser 3 User sends script embedded as data 2 1 Link to bank.com sent to user via E- mail or HTTPbank.com 4 Script sends users cookie and session information without the users consent or knowledge

9 © 2009 IBM Corporation IBM Rational Application Security Trivial Robbery Demo

10 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Demo Build payload Send malicious link to victim Retrieve the cookie and extract the session id Manually add session cookie to local browser Make a transaction

11 © 2009 IBM Corporation IBM Rational Application Security Advanced Robbery Demo

12 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Problems: The session id cookie is not enough HTTPOnly – Set-Cookie: = [; = ] [; expires= ][; domain= ] [; path= ][; secure][; HttpOnly] Pre-logon XSS

13 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Problems: Key-logging is not enough Second factor authentication –Dongles –Client certificates Challenge on transaction –Security questions: What is your mom s maiden name? –Time-based challenge

14 © 2009 IBM Corporation ILSL - IBM Israel Software Lab ?


Download ppt "© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research."

Similar presentations


Ads by Google