PPT on cross site scripting example

JQuery Javascript Framework Aryo Pinandito. A Little Bit About jQuery  jQuery is an Open-Source JavaScript framework that simplifies cross-browser client.

Bit About jQuery • jQuery is an Open-Source JavaScript framework that simplifies cross-browser client side scripting. • Animations • DOM manipulation • AJAX • Extensibility through plugins • jQuery/(http://gmail.com, function(xml){ console.log(xml); }); same-origin policy • (Alas, no cross-site scripting!) Cross-site scripting Workarounds Proxy server JSONP Trusted contexts Evil.com Normal WebpageAJAX Example – Show/Hide the old way Click here to toggle visibility of #foo function toggle_visibility(id) {/


Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Traversal Forced Browsing Logic Flaws Execution After Redirect (EAR) Doupé - 11/24/14 Many Vulnerabilities Cross-Site Scripting (XSS) SQL Injection Cross-Site Request Forgery (XSRF) HTTP Parameter Pollution (HPP) Command Injection Parameter Manipulation File Exposure Directory Traversal /Cross-Site Scripting (XSS) Malicious JavaScript running in the context of your web application Doupé - 11/24/14 XSS – Example Hello Doupé - 11/24/14 http://example.com/test.php?name=adam Hello Doupé - 11/24/14 http://example/


Web Security Group 5 Adam Swett Brian Marco. Why Web Security? Web sites and web applications constantly growing Complex business applications are now.

to impersonate someone Can Lead To Session Hijacking –HTTP is stateless –Only verifies at the beginning of session Cross Site Scripting Java Script –Can be written by anyone and executed on any computer over the web –Most people have Java Script enabled making it very dangerous Cross Site Scripting Java Script Examples –black hat search engine optimization (SEO) –Click-fraud –Distributed Denial of Service –Force access of illegal content –Hack/


Steve Souders Even Faster Web Sites Disclaimer: This content does not necessarily reflect.

( ! domscript.onloadDone ) { init(); } domscript.onloadDone = true; } document.getElementsByTagName(head)[0].appendChild(domscript); pretty nice, medium complexity what about multiple scripts that depend on each other, and inlined code that depends on the scripts? two solutions: Managed XHR DOM Element and Doc Write multiple script example: menutier.js var aRaceConditions = [[couple-normal.php, Normal...]; var aWorkarounds = [[hardcoded-callback.php, Hardcod...]; var aMultipleScripts = [[managed-xhr.php/


Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-Site Scripting? Cross-Site Scripting, or XSS (not to be confused with CSS or Cascading Style Sheets), allows attackers to inject client-side script in a web page. The attacker injects script, such as JavaScript, VBScript, ActiveX, HTML, or Flash into an application to try to get access to sensitive information Dynamic websites (using AJAX, Flex, for example/com/vulnerability-scanner/download.htm Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from http://kb2.adobe.com/cps//


SEC835 OWASP Top Ten Project.

web application vulnerabilities – 2010 report Vulnerabilities A1 - Injection Flaws A2 - Cross Site Scripting (XSS) A3 – Broken Authentication and Session Management A4 - Insecure Direct Object Reference A5 - Cross Site Request Forgery (CSRF) A6 – Security misconfiguration A7 - Insecure Cryptographic / remote users Ensure that encrypted data stored on disk is not easy to decrypt. For example, database encryption is worthless if the database connection pool provides unencrypted access. Strong crypto mechanism/


EECS 354 Network Security Cross Site Scripting (XSS)

Server side attacks Client side attacks Exploiting users’ trust in their browser Javascript attacks on other clients Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Browser Basics Document Object Model (DOM) An interface to access HTML elements dynamically/” are encoded XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF Cross Site Request Forgery Websites use URLs to specify requests for an action Example This image will cause any visitor to make a request to the image/


Team Members: Brad Stancel,

Wolf Team Members: Brad Stancel, Mark Szarka, And Benjamin Moore Presentation Overview Why it's Important to Study Affected Languages Types & Examples of Attacks Proposed Solutions Methods used to circumvent XSS prevention Demo of Online Tutorial Conclusion and Questions Overview - What is Cross Site Scripting? Referred to as XSS Is a type of code injection that circumvents browser security Gains unauthorized access to sensitive information/


Securing Interaction for Sites, Apps and Extensions in the Browser Brad Miller J. D. Tygar.

financial data on this site? Example: Photo Editing Privacy tags restrict access to photos Cross-Domain XHR more cumbersome – Would require support from Facebook – Not flexible enough for long term success Facebook Photo Editor Denied Allowed Denied Contact Info Wall Posts Photos Example: Identity Theft Shopping Website Bank Website Evil or Vulnerable Installed App Credit Card Info Purchase Record Purchase Record Script injection Credit Card/


Application Security Positively False

Code review and Testing And more… Free Tools Code Analysis Web traffic inspection OWASP Top 10 A1 - Cross Site Scripting (XSS) XSS flaws occur whenever an application takes user supplied data and sends it to a web browser/interpreter into executing unintended commands or changing data. OWASP Top 10 EXAMPLE: RIAA web site cleared WHID 2008-04: Reported: 22 January 2008 Occurred: 20 January 2008 Classifications: Attack Method: Cross Site Scripting (XSS) Attack Method: SQL Injection Attack Method: Denial of /


Cross Site Collection Navigation

sites Cross Site Navigation Lots of solutions available Business Process Managed Every site collection specifies the same top level navigation items Changes need to be made at every site collection Custom Sitemap Provider XML site/ Manually configure the GUID of the Term Set Simplified Example Access Term Store Iterate through the terms Build menu / }, 100); 3. Custom Rendering Simple jQuery to handle the hide / show scripting Create onMouse and onClick handlers to hide / show the menu Create onMouse to /


CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS) Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS? XSS=CSS=Cross Site Scripting What is XSS? XSS is one of the popular vulnerabilities (mainly in web applications) which allows malicious users to inject any arbitrary code into the web pages which will infect the other users (victims) who view it. The term ‘cross site script’ means foreign/


Subspace: Secure Cross-Domain Communication for Web Mashups In Proceedings of the 16th International World Wide Web Conference. (WWW), 2007 Collin Jackson,

page. –The site hosting the script could change the content of the script at any time, and could even serve different content to different users. ”http://shoeboxfullofapes.org/formprocessor.php 12 13 Browser plugins Can provide many of the cross-domain network communication /a suffix) of this name. Must occur on dot-aligned boundaries Pages on a.example.com and b.example.com can change the value of document.domain to example.com, allowing them to pass JavaScript data and code between each other at runtime. /


A Division of Health Care Service Corporation, a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and Blue Shield Association 2012.

Examples of BCBSTX identification cards A Division of Health Care Service Corporation, a Mutual Legal Reserve Company, an Independent Licensee of the Blue Cross and/ Davis Vision • Behavioral Health by Magellan Health Services • Pharmacy benefits administered by Express Scripts, Inc. 21 CHIP Covered Benefits Some of the benefits include: • Well-child exams/ ID # 01260 104 Website Features www.magellanprovider.com Web site demonstration on home page Online provider orientation program Provider Focus /


Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

redirect user cookie data Particularly vulnerable are message boards and web forms ECE 4112 - Internetwork Security Cross Site Scripting Examples alert(document.cookie)  Can display user’s cookie which can contain session and authentication information Gmail XSS Vulnerability - Fixed  zx variable used in authentication can contain exploitable scripts Often the script text is converted to hex characters to hide its intent ECE 4112 - Internetwork Security Phishing/


MIS 5211.001 Week 9 Site:

hard to break • When encryption is broken, it is usually the implementation, not the cypher suite that is broken • Example: WEP and RC4 • Regardless of encryption, the computer has to decrypt the data to act on it. Therefore, / Parameter Injection • Inject parameters when Flash object is embedded in an HTML page • Cross Domain Privilege Escalation • Access and modify DOM • Cross Site Scripting • Access and modify DOM • Cross Site Flashing • Call another flash object from flash MIS 5211.00152 • Just a teaser /


Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

: login over SSL, but subsequent HTTP What happens as wireless Café ? Other reasons why session token sent in the clear:  HTTPS/HTTP mixed content pages at site  Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: Logout must invalidate token on server Session fixation attacks Suppose attacker can set the user’s session token: For/


HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC or OLE DB Or ADO Common Web Application Vulnerabilities Cross-Site Scripting (XSS) SQL Injection Cross-Site Request Forgery (CSRF) Cross-Site Scripting (XSS) Attacks One user injects code/ accessed by scripts Analyze your applications for XSS vulnerabilities –Fix the errors you find Common Web Application Vulnerabilities SQL Injection SQL Injection Comic xkcd.org – a great comic Link Ch 11i SQL Injection Example HTML form /


Tavaxy User Guide.

The Node Properties Panel contains all parameters to be set. Example [params] evalue_cutoff = 1e-200 The top script is the parameter file for setting the “evalue” for “Blast/ sheet on the help tab of web-site for details of all tools and their specifications Simple Example Workflow Input Protein Sequence Alignment-Phylogeny Workflow Compute/list operation for nodes with two or more input ports: Dot Product and Cross Product These operations are executed on list elements before processing them with the /


1 Welcome, Course 63 242 Web Site Development 1 Spring 2006.

Bilkent University’s Web site. Most commonly, these sites are located in directories of folders on the server. Then within this main site, there may be several folders, which house other sections of the Web site. For example www.bilkent.edu.tr/Markup Language –Similar to HTML –Cross-Platform (Hardware/Software Independent) –Consists of rules: tags to describe data separate data from presentation layout transform data into Web forms waffles $3.95..... 39 Client-Side Scripting -Programming the behavior of an /


Cross-platform Batch Reports Waldo Library Western Michigan University.

Western Michigan University Objectives • show an implementation of automated, cross-platform, hands-off report generation in the Voyager environment • provide you with the information to do this at your site Bonus!!!!! Source code for BLOB access and a table+column schema/ PC The rest of the code closes loops and makes the script wait until the next run time occurs. Example from another script illustrating how to trigger on day of the week. This script runs early in the morning, six days a week. The Batch/


The OWASP Foundation Cross Site Scripting JavaScript Injection Contextual Output Encoding.

site regarding loading of content The OWASP Foundation http://www.owasp.org Get rid of XSS, eh? A script-src directive that doesn't contain 'unsafe-inline' eliminates a huge class of cross site scripting / "csp-report"=> { "document-uri"=>"http://example.com/welcome", "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>"http://example.com/welcome", "script-sample"=>"alert(1)", "line-number"=>81 } /


Subspace: Secure Cross-Domain Communication for Web Mashups Collin Jackson Stanford University Helen J. Wang Microsoft Research ACM WWW, May, 2007 Presenter:

9 Fragment identifier messaging – window.location object can be set (but not read) by frames of another origin. Example: http://ajaxify.com/run/crossframe/# – Disadvantage: Can be easily disrupted if the user /data source or gadget would pop up a new window asking the user for their authentication credentials. Input validation – Cross-site scripting 22 Related work XML access-control instruction JSONRequest – JavaScript Object Notation (JSON) is a data presentation that is/


Cross Site Integration “mashups” cross site scripting.

Cross Site Integration “mashups” cross site scripting Server Side Server code fetches data or services Has little to do with this course Can involve XML or SQL to remote servers /limitations are similar to javascripting frames Same website policy! can’t load external data server-side data relays Easy access to XML data sources XML is powerful… Examples? Libraries are always used: jQuery, etc Requires server side program Requires some XML data this could be a minimal wrapper http://www.w3schools.com/AJAX http/


What Is XSS ? ! Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to.

parse and display a page of results for and to that user, without properly sanitizing the request.( Example: Search ENGINE ) Persistent XSS The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users/


IBM Software Group WAI use of collaborative road mapping to solve access to script enabled Web applications | May 2005 © 2005 IBM Corporation Confidentiality/date.

Execute through cross-pollination and teaming  Collaborate on refinement Collaboration Process IBM Software Group WAI use of collaborative road mapping to solve access to script enabled Web/ UI or assign access keys  Alternative is inconsistent across web sites  Alternative provides little semantic information  Use of keyboard short cut/ Optional elements 31 Role/State Taxonomy Example IBM Software Group WAI use of collaborative road mapping to solve access to script enabled Web applications May 2005 © /


UKUUG 26th February 2009 1 Advanced Perl Techniques A One Day Perl Tutorial Dave Cross Magnum Solutions Ltd

::Fiction::JRRTolkien::Shire UKUUG 26th February 2009 46 Calendar Examples use DateTime::Calendar::Mayan; my $dt = DateTime::Calendar/% }}); Combinations • $rs->search({forename => { like, Dav% }, surname => Cross }); UKUUG 26th February 2009 111 Don't Repeat Yourself There's a problem with this approach /Application We already have a working application $ CD/script/cd_server.pl... lots of output [info] CD / places to go for further information Web sites Books Magazines Mailing lists Conferences UKUUG 26th /


Advanced Perl Techniques Dave Cross Magnum Solutions Ltd

) to define Use new %+ hash to access them UKUUG 26th November 2009 32 Named Capture Example while ( ) { if (/(? [ws]+) :s+(?.+)/x) { print "$+{header} -> /Data Combinations • $rs->search({forename => { like, Dav% }, surname => Cross }); UKUUG 26th November 2009 97 Don't Repeat Yourself There's a problem with this /We already have a working application $ CD/script/cd_server.pl... lots of output [info] / places to go for further information Web sites Books Magazines Mailing lists Conferences UKUUG 26th November/


CLIENT –server SIDE SCRIPTING

the tag we use the type attribute to define the scripting language. EXAMPLE :- <script type="text/JavaScript"> document.write("Hello World!"); Javascript code / technologies marketed by Microsoft. COLDFUSION :- Cross platform tag-based commercial server side scripting system. ESP :- It is a server-side scripting language that is designed to provide /server side scripting language that is embedded in HTML It is used to manage dynamic content, databases, session tracking, even build entire commerce sites. It /


JavaScript Netscape's Interpreted object-based Scripting Language for the Web (client and server applications)

http://www.ecma.ch/), where it has evolved into ECMAScript (or rather ECMA-262), "A general purpose, cross-platform programming language". Netscape then proceeded to make extensions to Javascript, which became Javascript 1.2 as supported //jsguide4/index.htm Very Good Site for Java Script: http://www.wsabstract.com/howto/ JavaScript Object Reference: http://www.htmlstuff.com/programmer/jsobjects/index.html The JavaScript Weenie - Free JavaScript tutorials, examples and reference mate http://javascriptweenie/


1 Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Prateek Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology.

Saxena UC Berkeley Yacin Nadji Illinois Institute Of Technology Dawn Song UC Berkeley 2 A Cross-Site Scripting Attack Hi Joe, Hi Joe, Cookies, Password Policy: ALLOW {a, a@href,/static document structure –Step 4: Dynamic information flow tracking »Modified semantics of client-side interpretation 18 Talk Outline Defense in Depth: Examples Design Goals Architecture Implementation Evaluation Conclusion & Related Work 19 Approach Overview: Static DSI SERIALIZER SERVERBROWSER [[ ]] imgscript DE-SERIALIZER P 20/


ISPW: Enterprise Cross-Platform SCM SHARE Anaheim: Session 9132 Thursday, March 3, 2011 Christina McGill, ISPW Craig Danielson, Commerce Bank Mark Tucker,

Cross-Platform SCM SHARE Anaheim: Session 9132 Thursday, March 3, 2011 Christina McGill, ISPW Craig Danielson, Commerce Bank Mark Tucker, Commerce Bank Pat Rosmarin, State Auto Slide 2 of 9 About the Company Privately held software products vendor, founded 1986 Customer examples/ can handle their site-specific requirements with no hard coding Centralized cross-platform auditability and /and Ownership Issues − Executable Manually Installed with Script Written by the Developers Managing Change is everyone/


Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft.

Valid JavaScript from remote domain will execute just fine Can't read source but can observe side effects from executing source Cross-site script inclusion XSSI: stealable constructs Function callback o e.g. "callback_func(1, data);" Setting variables o e.g. "var/SSL sites Mixing Content… it shouldn’t be DONE! Find insecure script references (images may work too) FORCE the loading of insecure script references over HTTPS Now an attacker can MITM an SSL protected site without ANY WARNINGS! Real Life Examples… /


Welcome Dear Students!. The building blocks of the web:  HTML and CSS  Client Scripting - JavaScript and the DOM  Server Scripting - ASP, PHP  XML.

JavaScript is easy to learn. What is JavaScript? • JavaScript is a scripting language • A scripting language is a lightweight programming language • A JavaScript consists of lines / DOM Tree Example XML - EXtensible Markup Language • XML is a cross-platform, software and hardware independent tool for storing and transmitting information. XML Document Example Tove Jani/ navigation structure that is used by all the pages in your Web site. • Don't use hyperlinks inside each paragraph, to send visitors to /


Server Side Scripting Languages SE 362: Copyright © Steven W. Johnson October 1, 2012 Week 9: Login Management.

over time memorable (unforgettable) definitive (certain) simple characters that are typically used to answer http://goodsecurityquestions.com/examples.htm 35 Password security: What was your childhood nickname?* In what city did you meet your spouse//Output attacks include: A. Buffer overflow attacks B. SQL injection attacks C. Cross-site scripting attacks D. Cross-site request forgery 73 Quiz: 4. The main defense against attacks to web sites is: A. SSL B. TLS C. Validation of data D. mysqli_real_escape_string() /


Securing Against Cross-Site Request Forgery …in a Way You Won’t Regret Later JavaOne 2014 Aaron Hurst.

has embedded HTML : No visible rendering Browser Cookie Store Browser Cookie Store Example POST Attack 8 Attacker has embedded HTML: document.badform.submit(); No visible rendering Attacker has embedded HTML: document.badform.submit(); No visible rendering Launching the attack Any site: 1. Administrated by attacker 2. Allows HTML posting 3. With cross-site scripting (XSS) vulnerabilities Finding the victim Observed an interesting server request Fed/


Christine Laney Ken Ramsey Mark Servilla Information management issues and the Trends project: A drawing board for making cross-site comparisons feasible.

variables that may be important for cross-site and network-level questions, but long-term data don’t exist yet at very many sites (e.g., soil respiration, foliar/ but no markers to say so • Examples: Looks nice…but…. The nit-picky details • Dates as an example: 2-digit years range of dates in / multipurpose SQL Server & MySQL database. Documentation of deriving data and graphs • EML template • Scripts Metacat (versioning) Challenges, opportunities & solutions • Obtaining data • Quality and quantity of data /


Monday, February 24th, 2014 Instructor: Craig Duckett Document Object Model Reading: Murach's JavaScript and DOM Scripting Chapter.

Example Files are provided for several of these properties. Note that a number of the properties use arrays to hold information. NOTE: Not all of these properties work cross/ example of setting a cookie: document.cookie = "site=homepage"; In between the two the equal sign (=) is used to help separate the site /you style attributes for two ids, div1 and div2. CONTINUED NEXT PAGE 58 Creating Dynamic Scripts Example DOM 14 Example - Two Divs #div1 { color:#330099; background-color:#C0C0C0;margin:3px;} #div2 {/


XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht (http://cs.uic.edu/~pbisht) Joint work with : V.N. Venkatakrishnan.

XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht (http://cs.uic.edu/~pbisht) Joint work with : V.N. /subtle attacks Efficient Automated Transformation Vulnerable web application Safe web application Outline of this talk Introduction Web application transformation technique Robust script identification at server side XSS-GUARD • Examples • Evaluation results Related work and summary HTML page : A web application’s view Page generated by output statements in /


Cross Site Scripting (XSS). Basic scenario: reflected XSS attack Attack Server Victim Server Victim client visit web site receive malicious link click.

Cross Site Scripting (XSS) Basic scenario: reflected XSS attack Attack Server Victim Server Victim client visit web site receive malicious link click on link echo user input 1 2 3 send valuable data 5 4 XSS example: vulnerable site search field on victim.com: http://victim.com//application Methods for injecting malicious code: Reflected XSS (“type 1”) • the attack script is reflected back to the user as part of a page from the victim site Stored XSS (“type 2”) • the attacker stores the malicious code in a /


Web Site Testing. Information Leakage Information Leakage gives attackers an advantage: HTML source code: Comments Sensitive information Server-side error.

pernicious: Attacker only needs to generate one attack. XSS Payload Cookie Stealing Insert a script that places a resource from a site under attacker control Example: document.write( Code becomes: CSRF: Cross-Site Request Forgeries Find XSS, get CSRF for free Example: Embed in html: Browser will execute iframe command Browser will send any (authentication) cookies along.... Attacking User-Supplied Input Data SQL Injection SQL Injection/


ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang.

ABUSING BROWSER ADDRESS BAR FOR FUN AND PROFIT - AN EMPIRICAL INVESTIGATION OF ADD-ON CROSS SITE SCRIPTING ATTACKS Presenter: Jialong Zhang Roadmap • Introduction • Background and Motivation • Experiments • Discussion • Related Work • Conclusion Introduction • Add-on Cross Site Scripting (XSS) Attacks • A sentence using social engineering techniques • Javascript:codes • For Example, on April 25, 2013, over 70,000 people have been affected by one such Add-on XSS attack on/


Csci5931 Web Security1 More Web Hacking & Tools: HTML Source and Site Linkage Analysis (MSS book)

the developer/author, cross-references to files and scripts, reminders and placeholders,/Site linkage analysis (example) - Funnel web profiler csci5931 Web Security25 Site linkage analysis (example) - Funnel web profiler csci5931 Web Security26 Site linkage analysis (example) - Funnel web profiler csci5931 Web Security27 Site linkage analysis (example) - Funnel web profiler csci5931 Web Security28 Site linkage analysis (example) - Funnel web profiler csci5931 Web Security29 Site linkage analysis (example/


Script# - the.NET response to Google Web Toolkit Gojko Adzic

Intellisense, –sscorlib.js in the browser –sscompat.js provides cross-browser compatibility System.DHTML.Document, System.Script System.DHTML.Window link to the environment A very simple example Script# library project Compile C# into javascript Execute from HTML/and web sites C# editor for scriptlets (has some bugs, though) MSBuild Integration ScriptSharp target does the job for you Remember True Automatically added by the VS ScriptSharp template Scriptlets Script# webforms components –Add Script# assembly /


Year 1: Research – Education – Outreach Overview

format, va ); 264 va_end( va ); Year 1 Research Overview Example: Buffer Overrun in gzip gzip.c:593 0589 if (/ Verification of security properties TRUST Collaboration Many cross-institution collaborations underway / recently initiated Challenge applications/software Shared benchmarks: Apache (including core, plug-ins, PHP scripts, …) TCP/IP stacks Network servers? One or two key/testbed, Industrial collaboration Network researchers at all TRUST sites Drinking from a firehose Year 1 Research Overview /


Injection Attacks by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth.

by Example SQL Injection and XSS Adam Forsythe Thomas Hollingsworth Outline OWASP Injection: ▫Define ▫Attacks ▫Preventions Cross-Site Scripting: ▫Define ▫Attacks ▫Preventions Open Web Application Security Project (OWASP) The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. OWASP Top 10 Application Security Risk – 2013 #1 Injection #3 Cross-Site Scripting (XSS/

