©2009 Justin C. Klein Keane
PHP Code Auditing Session 5: XSS & XSRF
Justin C. Klein Keane
email@example.com

Types of XSS
Non-persistent (reflected)
Persistent (stored)
DOM-based

Reflected XSS
Script that is passed to the site is rendered back to the browser
Like string format vulnerabilities, originally considered a harmless bug
A common scenario is a search engine that returns a value of “Your search for X returned Y records”
Developers didn't care if site users caused pop-ups to appear

Reflected XSS Takes Imagination
Attackers quickly figured out ways to exploit reflected XSS
  – URL-passed variables used to redirect users to other sites
  – Combined with e-mail or a link or form on another site to create a trust compromise
  – Generally involves social engineering of some sort

Persistent XSS
Attacker injects script that is stored on the target and displayed to any user requesting the page
At a minimum can cause a denial of service

Typical XSRF
User logs into a target site as an admin
User views a page with a persistent XSS
The script then calls a form or submits an AJAX request with attacker-determined values
Can be used to do things like change the user's password or perhaps exploit other vulnerabilities in authenticated areas of the site
Attacker uses XSRF to reset SOHO router settings

Protecting Against XSRF
Forms contain a transitory token that is tied to the user account
Token must then be passed in the form submission in order to carry out an action
Even this is not foolproof, as a clever XSRF can instantiate an iframe that includes a legitimate call to the form, with a valid token

Other XSRF Defenses
Require a user to fill in the existing password in order to change it
Auto-complete on form fields can defeat even this protection, however

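The token scheme from the two XSRF-defence slides, written out as an added example in plain PHP (this is not code from the slides or from the author): a per-session token is generated from the CSPRNG, embedded in the form as a hidden field, checked with a constant-time comparison on submission, and discarded after each attempt so it is transitory; the password-change handler additionally requires the current password, with auto-complete disabled on that field as the second slide suggests. The session-based storage, the field names, the form posting back to the same script and the `$storedHash` stand-in for a database lookup are all assumptions made for the example.

```php
<?php
// Added example, not the slides' code: per-session anti-XSRF token plus a
// current-password check for a password-change form.
// Assumptions: PHP sessions are in use; the form posts back to this same script;
// $storedHash stands in for the hash loaded from the user table.
declare(strict_types=1);

session_start();

/** Return the session's token, generating a fresh one if none exists. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes from the CSPRNG, hex-encoded so the value is HTML-safe
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

/** Verify a submitted token against the session and consume it (one use only). */
function csrf_check(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    if ($submitted === null || $expected === '') {
        return false;
    }
    // hash_equals() compares in constant time, so the check leaks no timing information
    $ok = hash_equals($expected, $submitted);
    // Drop the token after every attempt so it cannot be replayed; the next
    // render of the form issues a new one.
    unset($_SESSION['csrf_token']);
    return $ok;
}

/** Hidden field to drop into every state-changing form. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed stand-in for the password hash stored for the logged-in user.
$storedHash = password_hash('correct-horse-battery', PASSWORD_DEFAULT);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or stale form token.');
    }
    // Second defence from the "Other XSRF Defenses" slide: prove knowledge of the
    // current password before it can be changed.
    $current = $_POST['current_password'] ?? '';
    if (!password_verify($current, $storedHash)) {
        http_response_code(403);
        exit('Current password is incorrect.');
    }
    // ... here the stored hash would be replaced with
    //     password_hash($_POST['new_password'], PASSWORD_DEFAULT)
    exit('Password changed.');
}
?>
<!-- autocomplete="off" on the current-password field addresses the slide's point
     about browser auto-fill; it is a hint to the browser, not a guarantee. -->
<form method="post" action="">
  <?= csrf_field() ?>
  <label>Current password
    <input type="password" name="current_password" autocomplete="off"></label>
  <label>New password
    <input type="password" name="new_password" autocomplete="new-password"></label>
  <button type="submit">Change password</button>
</form>
```

Because the token lives only in the server-side session and is compared with `hash_equals()`, a forged cross-site request can only succeed if the attacker already has a way to read the victim's page contents, which is the iframe caveat the slide raises and a reason the XSS fixes that follow matter for XSRF as well.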
Preventing XSS & XSRF
Essentially a problem of validating user input
Filters for “known bad” are especially dangerous with XSS
  – New techniques emerge regularly
  – Browsers change
  – New web browsers emerge

Mitigation Strategy
Disallow HTML
Don't utilize user-supplied input in display (including scripts) without careful sanitization
DO NOT ALLOW BAD DATA INTO THE DB!
  – Do NOT sanitize exclusively on output!
Use a library for translation
  – This can be useful if the library is centrally maintained, as it can easily evolve
  – Still a broadside approach, not as effective as limiting to known good

Useful PHP Functions
htmlspecialchars()
  – '&' to '&amp;'
  – “ to &quot;
  – ' to &#039;
  – < to &lt;
  – > to &gt;
htmlentities()
  – Much more thorough, all characters with HTML equivalents are translated.

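An added example of the output-side half of the mitigation strategy, wrapping `htmlspecialchars()` in a small escaping helper and contrasting it with `htmlentities()`; this is not code from the slides or from the author. One caveat the slide does not mention: the single-quote translation it lists only happens when `ENT_QUOTES` is passed, because before PHP 8.1 the default flags left `'` untouched. The helper names `e()`/`eAll()`, the UTF-8 charset and the sample strings are assumptions made for the example.

```php
<?php
// Added example, not the slides' code: an output-escaping helper built on
// htmlspecialchars(), beside htmlentities() for comparison.
// Assumption: pages are served as UTF-8.
declare(strict_types=1);

/** Escape a string for insertion into HTML text or a quoted attribute value. */
function e(string $value): string
{
    // ENT_QUOTES: translate both quote characters. Before PHP 8.1 the default
    // flags left the single quote alone, so the slide's fifth mapping only
    // happens when this flag is passed explicitly.
    // ENT_SUBSTITUTE: replace malformed UTF-8 with U+FFFD instead of returning
    // an empty string, which would silently blank the output.
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** htmlentities() additionally translates every character that has a named entity. */
function eAll(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample covering the five characters listed on the slide ...
$sample = "a & b \"c\" 'd' <e>";
// ... and one whose characters only htmlentities() rewrites.
$accented = 'café ©';

printf("htmlspecialchars: %s\n", e($sample));
printf("htmlspecialchars: %s\n", e($accented));
printf("htmlentities:     %s\n", eAll($accented));

// The search-results scenario from the Reflected XSS slide, done safely: the
// user-controlled term is escaped at the point it is written into the page,
// and the count is cast so that only digits can ever reach the output.
$q = $_GET['q'] ?? '';
$count = 0; // constructed placeholder for the real record count
echo 'Your search for ' . e($q) . ' returned ' . (int) $count . ' records';
```

Escaping at the output point does not contradict the "do not allow bad data into the DB" rule on the previous slide; the two are layered, with input validation deciding what is stored and `e()` deciding how whatever was stored is rendered.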
More PHP
strip_tags() – strips out all HTML (and PHP) tags
  – Can optionally allow certain tags
fgetss() – same as fgets(), which gets a line from a file pointer, but strips tags

More Useful PHP Functions
ereg_replace()
  – Allow only characters you want
eregi_replace()
preg_replace()

Finding XSS
Tools can sometimes be useful
Code analysis may not be as effective
Enter text such as alert('foo'); in every possible input value and observe results

Filter Evasion Techniques
Alternating case:

Filter Exploitation
Be careful that any filters you use can't be used against you
Filters that remove text might actually be used to de-mangle input:
  – A filter that removes the string “ ” can be defeated using the input: ipt>

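An added example, not code from the slides or the author, that serves the three preceding slides at once: it puts a "remove known bad" filter of the kind the Filter Exploitation slide warns about beside the "allow only known good" validation the regex-function slide recommends, and shows the `strip_tags()` allowed-tags caveat from the More PHP slide. `preg_replace()` is used throughout because `ereg_replace()`/`eregi_replace()` were deprecated in PHP 5.3 and removed in PHP 7 (and `fgetss()` was removed in PHP 8). The nested-tag input has the structure the slide describes; the function names, the allow-list characters and the sample link are assumptions made for the example.

```php
<?php
// Added example, not the slides' code: why a "remove known bad" filter can be
// turned against you, beside the "allow only known good" approach the slides
// recommend. Function names and the allow-list are assumptions for illustration.
declare(strict_types=1);

/** Remove-known-bad: delete the literal tag in one pass, case-insensitively. */
function removeScriptTag(string $input): string
{
    return str_ireplace('<script>', '', $input);
}

/** True if the string still carries a script tag after filtering. */
function containsScriptTag(string $s): bool
{
    return stripos($s, '<script>') !== false;
}

/**
 * Allow-only-known-good, repair style: keep letters, digits, space and a few
 * punctuation marks; everything else is dropped. preg_replace() is the PCRE
 * replacement for ereg_replace()/eregi_replace().
 */
function allowListDisplayName(string $input): string
{
    return preg_replace('/[^A-Za-z0-9 ._-]/', '', $input);
}

/**
 * Allow-only-known-good, reject style: validate and refuse anything else, so
 * bad data never reaches the database in the first place.
 */
function isValidDisplayName(string $input): bool
{
    return preg_match('/^[A-Za-z0-9 ._-]{1,32}$/', $input) === 1;
}

/**
 * strip_tags() with an allow-list of tags keeps the attributes on those tags,
 * so an allowed <a> still carries any event-handler attribute it arrived with.
 * This second pass keeps only an http(s) href on each surviving <a>; a real
 * HTML sanitiser library is the better choice for rich text.
 */
function stripToPlainLinks(string $input): string
{
    $kept = strip_tags($input, '<a>');
    return preg_replace_callback('/<a\b([^>]*)>/i', function (array $m): string {
        if (preg_match('/\bhref="([^"]*)"/i', $m[1], $href)
            && preg_match('#^https?://#i', $href[1])) {
            return '<a href="' . htmlspecialchars($href[1], ENT_QUOTES, 'UTF-8') . '">';
        }
        return '<a>';
    }, $kept);
}

// Constructed input with the structure the Filter Exploitation slide describes:
// the tag's own text nested inside itself, so one removal pass re-joins it.
$nested = '<scr<script>ipt>';

// The removal filter reassembles exactly the string it meant to delete.
var_dump(containsScriptTag(removeScriptTag($nested)));
// The allow-list never lets '<' or '>' through, whatever the nesting,
// and the reject-style validator refuses the input outright.
var_dump(containsScriptTag(allowListDisplayName($nested)));
var_dump(isValidDisplayName($nested));

// strip_tags() alone versus the attribute-stripping variant on a constructed link.
$link = '<a href="https://example.com/" onmouseover="x()">site</a>';
var_dump(strip_tags($link, '<a>'));
var_dump(stripToPlainLinks($link));
```

The reject-style validator is the one to prefer for fields with a fixed vocabulary (usernames, identifiers, numeric values): it needs no knowledge of what "bad" looks like, so it is unaffected by the new techniques and browser changes the Preventing XSS slide lists, and it records nothing that later has to be cleaned up on output.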
Other Concerns
XSS in uploaded files (images, PDF, etc.)
Code analysis may not be as effective
Enter text such as alert('foo'); in every possible input value and observe results