1
XSS: Cross Site Scripting
Alan Geleynse
2
Example
<?php
$name = $_GET['name'];
echo "Hello $name!";
3
/1.php?name=<SCRIPT>alert("XSS")</SCRIPT>
4
Don’t display parameters
5
User profile page
- User enters their name
- Other users can view their name
6
<?php
$name = htmlspecialchars($_GET['name']);
echo "Hello $name!";
7
<SCRIPT>alert("XSS")</SCRIPT>
8
Only way to protect against XSS is to remove: < >
This prevents the use of HTML as well
10
What do we do?
- Don’t allow “< >” unless absolutely necessary
- Never trust input
- ALL data should be processed before display
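An added example, not from Alan Geleynse's slides, that applies the "process ALL data before display" rule to the user profile page from slides 5 and 6. It encodes rather than strips `<` and `>`, so a name that happens to contain them is still shown as text, and it passes `ENT_QUOTES` explicitly so the same output function is also safe inside a quoted attribute value. The function names `e()` and `renderProfile()` and the sample names are my own constructions.

```php
<?php
// Added example (not from the slides): escape-on-output for the "user profile
// page" scenario, where one user's stored name is shown to other users.
// Rule from the deck: never trust input; ALL data is processed before display.

declare(strict_types=1);

/**
 * Escape a string for insertion into HTML. ENT_QUOTES encodes ' and " as well
 * as < > &, so the result is safe both in element text and inside a quoted
 * attribute value. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
 * an empty string, which would otherwise silently blank the output.
 * (Hypothetical helper name; not part of the original deck.)
 */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/**
 * Render the profile page for a name read from storage. The escaping happens
 * here, at output time, so it does not matter how the value got into the
 * database or whether some earlier code "cleaned" it.
 */
function renderProfile(string $storedName): string
{
    // Same value used in two contexts: element text and an attribute value.
    return '<h1>Hello ' . e($storedName) . '!</h1>' . "\n"
         . '<input type="text" name="name" value="' . e($storedName) . '">' . "\n";
}

// Constructed sample names: a plain one, the payload from the deck, and a
// legitimate name containing quotes, which matters in the attribute context.
$samples = [
    'Alice',
    '<SCRIPT>alert("XSS")</SCRIPT>',
    'Robert "Bob" O\'Neil',
];

foreach ($samples as $name) {
    echo "Input:    $name\n";
    // What the unescaped code on slide 2 would send to every viewer's browser.
    echo "Unsafe:   <h1>Hello $name!</h1>\n";
    echo "Escaped:\n" . renderProfile($name) . "\n";
}
```

Run it with `php profile.php` and compare the "Unsafe" line with the escaped output: the `<SCRIPT>` payload becomes `&lt;SCRIPT&gt;...` and is displayed as literal text, and the quotes in the third name become `&quot;` and `&#039;` so they cannot terminate the `value="..."` attribute early. Passing the flags explicitly matters because before PHP 8.1 the default flags for `htmlspecialchars()` did not encode single quotes.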
11
Does this really happen?
- 9 days ago apache.org was compromised
- Attackers opened a bug issue
- The bug was a tinyurl directing to a XSS attack
- The attack stole the user’s login cookie
- This gave them access to administrator accounts
- They uploaded a jsp file and could then log passwords
- They sent password reset emails to convince users to log in
12
Questions