Presentation is loading. Please wait.

Presentation is loading. Please wait.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

Published byTaniya Farabee Modified over 10 years ago

Similar presentations

Presentation on theme: "© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research."— Presentation transcript:

1 © 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research Group Manager OWASP IL

2 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Agenda Theoretical part: –Same Origin Policy 101 –Cross-Site Scripting 101 –HTTP sessions Practical part: –Trivial robbery –Advanced robbery

3 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Browser Scripting Capabilities What can scripts do: –Scripts can perform user interactions with the site –Scripts can seamlessly interact with the web site –Can perform any action that is related to the site –Can launch signed and safe ActiveX control

4 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Scripting Restrictions – Same Origin Policy What scripts can not do: –Scripts can only interact with the domain they came from –Scripts can see send and receive responses only from their domain –Scripts can access other browsers frames only from same domain –Scripts can issue requests to other domains (but not view the corresponding responses)

5 © 2009 IBM Corporation ILSL - IBM Israel Software Lab XSS 101 XSS occurs when user input (JavaScript) is returned by the web application: String data = request.getParameter(param); out.println(data) Simple exploit: –http://www.thebank.site/action?param= XSS breaks Same-Origin Policy –Vulnerable domain may now return arbitrary JavaScripts.

6 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Cross Site Scripting – The Exploit Process Evil.org TheBank.site User Script returned, executed by browser 3 User sends script embedded as data 2 1 Link to bank.com sent to user via E- mail or HTTPbank.com

7 © 2009 IBM Corporation ILSL - IBM Israel Software Lab The session cookie HTTP is stateless Session id makes your application stateful Session id = your identification Should not be guessable JavaScript access: document.cookie

8 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Cross Site Scripting – The Exploit Process Evil.org TheBank.site User Evil.orgEvil.org uses stolen session information to impersonate user 5 Script returned, executed by browser 3 User sends script embedded as data 2 1 Link to bank.com sent to user via E- mail or HTTPbank.com 4 Script sends users cookie and session information without the users consent or knowledge

9 © 2009 IBM Corporation IBM Rational Application Security Trivial Robbery Demo

10 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Demo Build payload Send malicious link to victim Retrieve the cookie and extract the session id Manually add session cookie to local browser Make a transaction

11 © 2009 IBM Corporation IBM Rational Application Security Advanced Robbery Demo

12 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Problems: The session id cookie is not enough HTTPOnly – Set-Cookie: = [; = ] [; expires= ][; domain= ] [; path= ][; secure][; HttpOnly] Pre-logon XSS

13 © 2009 IBM Corporation ILSL - IBM Israel Software Lab Problems: Key-logging is not enough Second factor authentication –Dongles –Client certificates Challenge on transaction –Security questions: What is your mom s maiden name? –Time-based challenge

14 © 2009 IBM Corporation ILSL - IBM Israel Software Lab ? http://blog.watchfire.com

Download ppt "© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.

Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.
Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.

Cross-Site Scripting CSCD 498/539 Secure Coding Principles Amazing Legion of Fuzzy Backdoor Intruder Worms Bryan Smith Allen Greaves Zach Moore Rebecca.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.

CookiesPHPMay-2007 : [‹#›] Maintaining State in PHP Part I - Cookies.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?

Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
Session Management A290/A590, Fall 2014 09/25/2014.

Session Management A290/A590, Fall /25/2014.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

 A cookie is a piece of text that a Web server can store on a user's hard disk.  Cookie data is simply name-value pairs stored on your hard disk by.

Similar presentations

Ads by Google