Cross Site Scripting: Type-2

By John Gill, CSCE 548 Student Presentation

What is Type-2 XSS
- Clever manipulation of a website vulnerability, primarily an HTML weakness
- Commonly written in scripting languages, JavaScript being a favorite
- Unlike XSS Type-1, Type-2 is stored within the website's database
- Type-2 is also known as persistent XSS or stored XSS, hence the necessity for storage in the database
- It is important to note that for an attack to be persistent it is stored on the server side rather than the client side ²

Who is affected
- Common XSS attacks take place in public domains where "code and data" are mixed ¹
- Social engineering is not the culprit: simply visiting a webpage is enough to be infected
- Forums, blogs, comment sections

What is impacted
- Large databases of unprotected or unfiltered input
- Unsuspecting people visiting a webpage, even if it is a common occurrence
- Social media is a common target for exploitation
- Confidentiality is breached: cookie and data theft are common goals

Fundamentals of an XSS Type-2 attack
- Malicious code is input
- The webpage obtains the malicious code from the database
- The malicious code is executed
(Diagram 1, from 24 Deadly Sins: malicious code input -> database -> webpage obtains malicious code -> malicious code is executed)

Notable Type-2 exploits and repercussions
- Samy worm ² (MySpace exploit)
- MySpace was in the infancy of developing XSS safeguards; obviously they still have some work to do
- When the profile was viewed, the worm: required the user to add Samy; sent a pop-up; infected the individual
- This was the fastest spreading worm of its time, infecting at an exponential rate

Detection of Type-2
- One of the basic techniques is testing a website's input parameters ¹
- Understanding that the raw data must be viewed is of absolute importance
- Scanning code for common scripting characters is an easy way to review large amounts of data quickly
- Common symbols include: <, >, %, =, ', ", &, and request commands
- Common tools for finding vulnerabilities include: Nikto, Nessus
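The raw-data scan described on this slide, as an added Python example that is not part of the original presentation: it walks a constructed set of stored comment records (stand-ins for database rows, not real site data), flags the characters the slide lists, and rates each hit so that ordinary prose containing an apostrophe or an ampersand is not reported at the same level as angle-bracket markup. The record values, function names and the severity levels are assumptions made for this illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of raw stored records (not data from any real site).
# This is the view the slide recommends: the raw column values, not the
# rendered page, so that markup is seen before a browser interprets it.
STORED_COMMENTS: Dict[int, str] = {
    1: "Great post, thanks!",
    2: "Tom & Jerry's best episode",
    3: "<script>alert('xss')</script>",
    4: "<b>bold</b> text is allowed here?",
    5: "50% off = good deal",
}

# The characters the slide lists as worth flagging in raw data.
SUSPECT_CHARS = frozenset("<>%='\"&")

# Anything that looks like the start of an HTML tag: '<' followed by an
# optional '/' and a letter.
TAG_LIKE = re.compile(r"<\s*/?\s*[A-Za-z]")


def suspect_chars(text: str) -> str:
    """Return the suspect characters present in text, sorted, as a string."""
    return "".join(sorted(c for c in set(text) if c in SUSPECT_CHARS))


def classify(text: str) -> str:
    """Rate a record: 'high' if it contains angle brackets or tag-like
    markup, 'low' if it only contains characters that also occur in
    ordinary prose (&, ', %, =), 'none' if nothing was flagged."""
    hits = suspect_chars(text)
    if not hits:
        return "none"
    if "<" in hits or ">" in hits or TAG_LIKE.search(text):
        return "high"
    return "low"


def scan_records(records: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Scan every stored record and return (id, severity, chars) for each
    record that contains at least one suspect character."""
    findings = []
    for record_id, text in records.items():
        level = classify(text)
        if level != "none":
            findings.append((record_id, level, suspect_chars(text)))
    return findings


if __name__ == "__main__":
    for record_id, level, chars in scan_records(STORED_COMMENTS):
        print(f"record {record_id}: {level:<4} flagged chars {chars!r}")
```

The low/high split matters in practice: a comment table is full of apostrophes and ampersands, so a scan that reports every one of the slide's symbols at the same level buries the handful of rows that actually contain tags.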

Prevention ³
- Rule 1: Escape the aforementioned symbols ³; assume all data is malicious and thus untrusted
- Rule 2: Encoding ⁴; this is why looking at raw data is important: converting foreign symbols into entities renders the malicious code non-executable
- Rule 3: Include HTML code within the application ⁴; after converting user input into entities, HTML code should be used to further this process: to hash, clean, and return a cleaned integer value for the compiler to express as legible words
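Rules 1 and 2 on this slide, together with the three-step flow from the fundamentals slide (malicious code is input, stored in the database, and executed when the page is viewed), as an added Python example that is not part of the original presentation: a constructed in-memory comment list stands in for the database, one render function concatenates the stored values into the page unchanged, and the other applies entity encoding at output time using the standard library's html.escape. The comment values, function names and the script-tag check are assumptions made for this illustration.

```python
import html
from typing import Dict, List

Comment = Dict[str, str]


def build_sample_comments() -> List[Comment]:
    """Constructed stand-in for the site's comment table: one ordinary
    visitor and one who submitted a script tag as a comment body."""
    return [
        {"author": "alice", "body": "Nice write-up!"},
        {"author": "mallory", "body": "<script>alert('xss')</script>"},
    ]


def submit_comment(store: List[Comment], author: str, body: str) -> None:
    """Persist the comment exactly as typed. Storing it server-side is
    what makes the attack Type-2 (persistent): every later visitor is
    served the same stored body."""
    store.append({"author": author, "body": body})


def render_vulnerable(store: List[Comment]) -> str:
    """Concatenate stored values straight into the HTML response, so a
    stored script tag is delivered to the browser as a real tag."""
    items = [f"<li><b>{c['author']}</b>: {c['body']}</li>" for c in store]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def encode_for_html(value: str) -> str:
    """Rules 1 and 2: convert the characters that matter in an HTML text
    context (< > & " ') into entities so the browser shows them as text.
    % and = have no meaning in this context and are left as-is."""
    return html.escape(value, quote=True)


def render_hardened(store: List[Comment]) -> str:
    """Same page, but every stored value is encoded at output time."""
    items = [
        f"<li><b>{encode_for_html(c['author'])}</b>: "
        f"{encode_for_html(c['body'])}</li>"
        for c in store
    ]
    return "<ul>\n" + "\n".join(items) + "\n</ul>"


def contains_script_tag(page: str) -> bool:
    """Crude check used here only to compare the two renderings."""
    return "<script" in page.lower()


if __name__ == "__main__":
    comments = build_sample_comments()
    submit_comment(comments, "bob", 'He said "hi" & left')
    print(render_vulnerable(comments))
    print()
    print(render_hardened(comments))
```

The stored value is the same in both cases; the difference is entirely in how it is written into the response. Encoding is applied when the page is built rather than when the comment is saved, so the raw data a reviewer inspects is unchanged and the same entity conversion covers every place the value is later displayed.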

Conclusion
Prevention of cross-site scripting is a matter of basic HTML competence and of the more advanced practices that restrict certain functionality. For websites commonly under attack, such as MySpace as well as Facebook, Google, and whoever else, it is a matter of safeguarding. XSS is easily preventable in the realm of webpages so long as developers understand the necessity for prevention rather than patching. Fixing an issue presented to you is easy; forward thinking, while a hassle, can save your job and tens of thousands of clients in the future through proper precautionary testing.

References
1. Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010. Print.
2. Auger, Robert. "Cross Site Scripting." The Web Application Security Consortium, n.d. Web.
3. XSS (Cross Site Scripting) Prevention Cheat Sheet. Open Web Application Security Project, n.d. Web.
4. "Prevent Cross-site Scripting Attacks by Encoding HTML Responses." IBM, n.d. Web. 20 July 2016.