XSS: Cross Site Scripting
Alan Geleynse
Example

```php
<?php
$name = $_GET['name'];
echo "Hello $name!";
```

Requesting the page as `/1.php?name=<script>alert("XSS")</script>` makes the browser execute the script, because the parameter is written straight into the HTML.

- Don't display parameters

- User profile page
- User enters their name
- Other users can view their name

```php
<?php
$name = htmlspecialchars($_GET['name']);
echo "Hello $name!";
```

With the same request, the page now shows the literal text `<SCRIPT>alert("XSS") </SCRIPT>` instead of running it, because `htmlspecialchars` turns `<` and `>` into the entities `&lt;` and `&gt;`.

- Only way to protect against XSS is to remove: `<` `>`
- This prevents the use of HTML as well

What do we do?

- Don't allow “ ” unless absolutely necessary
- Never trust input
- ALL data should be processed before display
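The two pages from the slides (the `Hello $name` page and the stored user-profile name), rewritten as an added example that is not part of the original presentation. It shows what "process all data before display" looks like in practice: the raw value is kept as typed, and one encoding helper is applied at the output boundary for both the HTML body and an attribute value. The helper name `e`, the `ProfileStore` class and the sample names are constructed for this illustration; `htmlspecialchars` and its flags are real PHP.

```php
<?php
// Added example, not code from the slides. Demonstrates encoding at the
// output boundary for reflected (query parameter) and stored (profile) data.
declare(strict_types=1);

// Encode a string for the HTML body or a quoted attribute value.
// ENT_QUOTES also encodes the single quote, so the value is safe inside
// single-quoted attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead
// of making htmlspecialchars() return an empty string.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The first slide's page, hardened: the parameter is still displayed, but
// encoded, so the browser shows text instead of executing a script. The
// is_string() check matters because ?name[]=x would make $_GET['name'] an
// array and htmlspecialchars() would throw.
function hello_page(array $get): string
{
    $name = isset($get['name']) && is_string($get['name']) ? $get['name'] : 'stranger';
    return 'Hello ' . e($name) . '!';
}

// Stored (persistent) case from the "user profile page" slide. The name is
// stored exactly as entered; encoding happens when it is rendered, because
// the same value may later be shown in a different context.
final class ProfileStore
{
    /** @var array<int, string> user id => display name (constructed stand-in for a database) */
    private array $names = [];

    public function save(int $userId, string $name): void
    {
        $this->names[$userId] = $name;
    }

    // Renders the name both in the page body and as an attribute value.
    public function render(int $userId): string
    {
        $name = $this->names[$userId] ?? '';
        return '<p class="name">' . e($name) . '</p>' . "\n"
             . '<input name="name" value="' . e($name) . '">';
    }
}

// Self-check with the payload from the slides and a legitimate name that
// contains a quote: the first must come out inert, the second intact as text.
function self_check(): bool
{
    $payload  = '<SCRIPT>alert("XSS")</SCRIPT>';
    $expected = 'Hello &lt;SCRIPT&gt;alert(&quot;XSS&quot;)&lt;/SCRIPT&gt;!';
    if (hello_page(['name' => $payload]) !== $expected) {
        return false;
    }

    $store = new ProfileStore();
    $store->save(1, $payload);
    $store->save(2, "O'Brien");
    if (strpos($store->render(1), '<SCRIPT>') !== false) {
        return false;          // raw tag leaked into the output
    }
    if (strpos($store->render(2), '&#039;') === false) {
        return false;          // single quote was not encoded for the attribute
    }
    return true;
}

echo self_check() ? "self-check passed\n" : "self-check FAILED\n";
echo hello_page($_GET), "\n";   // $_GET is an empty array when run from the CLI
```

The flags are passed explicitly on purpose: before PHP 8.1 `htmlspecialchars` did not encode single quotes by default, so a value placed inside a single-quoted attribute could end the attribute early. Encoding is done when rendering, not when saving, so a user named `Smith < Jones` is stored correctly and still displayed safely.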

Does this really happen?

- 9 days ago apache.org was compromised
- Attackers opened a bug issue
- The bug was a tinyurl directing to an XSS attack
- The attack stole the user's login cookie
- This gave them access to administrator accounts
- They uploaded a JSP file and could then log passwords
- They sent password reset e-mails to convince users to log in

Questions