Presentation is loading. Please wait.

Presentation is loading. Please wait.

XSS: Cross Site Scripting Alan Geleynse. Example <?php $name = $_GET['name']; echo "Hello $name!";

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "XSS: Cross Site Scripting Alan Geleynse. Example <?php $name = $_GET['name']; echo "Hello $name!";"— Presentation transcript:

1 XSS: Cross Site Scripting Alan Geleynse

2 Example <?php $name = $_GET['name']; echo "Hello $name!";

3 /1.php?name= alert("XSS")

4  Don’t display parameters

5  User profile page  User enters their name  Other users can view their name

6 <?php $name = htmlspecialchars($_GET['name']); echo "Hello $name!";

7 <SCRIPT>alert("XSS") </SCRIPT>

8  Only way to protect against XSS is to remove:  <  >  This prevents the use of HTML as well

9

10 What do we do?  Don’t allow “ ” unless absolutely necessary  Never trust input  ALL data should be processed before display

11 Does this really happen?  9 days ago apache.org was compromised  Attackers opened a bug issue  The bug was a tinyurl directing to a XSS attack  The attack stole the user’s login cookie  This gave them access to administrator accounts  They uploaded a jsp file and could then log passwords  They sent password reset emails to convince users to log in

12 Questions

Download ppt "XSS: Cross Site Scripting Alan Geleynse. Example <?php $name = $_GET['name']; echo "Hello $name!";"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.

PHP Hypertext Preprocessor Information Systems 337 Prof. Harry Plantinga.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.

Into the Mind of the Hacker: Hands-On Web Application Hacking Adam Doupé University of California, Santa Barbara 4/23/12.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
Cooperating Teachers: How to Reset Your Password in Tk20 Use this after your initial account set up if you cannot remember your TK20 password.

Cooperating Teachers: How to Reset Your Password in Tk20 Use this after your initial account set up if you cannot remember your TK20 password.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Step 1: Password Reset Email System generated “one use” password. Use this for your next login. You will then IMMEDIATELY have to change it.

Step 1: Password Reset System generated “one use” password. Use this for your next login. You will then IMMEDIATELY have to change it.
Updating User Information Password – use this field to change your own password Confirm Password – retype the new password for verification purposes To.

Updating User Information Password – use this field to change your own password Confirm Password – retype the new password for verification purposes To.
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
1Computer Sciences Department Princess Nourah bint Abdulrahman University.

1Computer Sciences Department Princess Nourah bint Abdulrahman University.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Similar presentations

Ads by Google