HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.


Contents
1. Setup
2. Abusing sockets, XHR
3. About DOM

Setup
Attacker: domain attacker.com, IP: , OS: Windows Server 2012, server: IIS 8.0
Victim server: domain victimserver.com, IP: , OS: Windows Server 2012, server: IIS 8.0, language: .NET C#
Client: IP: , OS: Windows XP, browser: Chrome

Abusing sockets, XHR: SOP vulnerabilities!!
1. Script, IMG, Iframe bypasses
2. DNS rebinding
3. PostMessage mechanism

Script, IMG, Iframe bypasses
The same-origin policy blocks a page from reading cross-origin responses through XMLHttpRequest, but the browser will happily load scripts, images and frames from any origin. Those tags are the standard way to get cross-origin content (and the side effects of cross-origin requests) into a page without the SOP objecting.

DNS Rebinding
DNS rebinding is an attack in which JavaScript on a malicious web page makes the victim's browser send requests to a machine the attacker cannot reach directly, such as the victim's router or a server on the victim's internal network. The trick is to change the IP address that the attacker's own hostname resolves to while the page is open. The same-origin policy compares scheme, host and port, never the IP address, so the request still counts as same-origin.

DNS Rebinding: step by step
1. The victim visits the malicious website. The attacker's DNS server binds attacker.com to the attacker's IP address with a very short TTL.
2. The page loads and its malicious script issues an XMLHttpRequest to attacker.com.
3. By then the TTL has expired, and the attacker rebinds attacker.com to the target's IP address.
4. The browser resolves attacker.com again, connects to the target's IP address, and treats the response as coming from the origin attacker.com, so the script can read it.

SOP Violation!
Formally the same-origin policy is not broken: the page and the request have the same scheme, host and port. What is violated is the guarantee the policy was meant to give, because "the same origin" now points at a different machine.

DNS Rebinding: the browser's DNS cache
Browsers defend against this by pinning: once attacker.com has been resolved, the browser keeps using that IP address for a while regardless of the DNS TTL. The way around the pin is DNS request flooding: the malicious page triggers a large number of lookups so that the pinned entry is evicted from the browser's DNS cache and attacker.com is resolved again, this time to the target.

DNS Rebinding: firewall circumvention
- Access machines behind the victim's firewall, because the requests originate from the victim's browser inside the network.
- Interact with a number of internal services besides HTTP, when the page can get direct socket access (for example through a plugin) instead of being limited to XMLHttpRequest.

DNS Rebinding: IP hijacking
- Access publicly available servers from the client's IP address.
- Take advantage of the target's implicit or explicit trust in the client's IP address (for example IP-based access control or rate limiting).
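The rebinding sequence above, and the server-side check that stops it, as an added example (not code from the slides or from any of the tools they mention). The hostnames and addresses are made up: attacker.com resolves first to 203.0.113.10 and then to 192.168.1.1, and victimserver.com is the name the target legitimately answers to.

```javascript
// Added example, not from the slides: a toy model of the rebinding sequence,
// plus the server-side Host header check that defeats it.
// All names and addresses are made up (attacker.com, 203.0.113.10, 192.168.1.1).

// The attacker's authoritative DNS server: the first answer for attacker.com
// points at the attacker's own web server, every later answer at the target.
function makeRebindingResolver(attackerIp, targetIp) {
  let lookups = 0;
  return function resolve(name) {
    if (name !== 'attacker.com') return null;
    lookups += 1;
    return { ip: lookups === 1 ? attackerIp : targetIp, ttl: 1 }; // TTL of one second
  };
}

// The browser's same-origin check: scheme, host and port only. No IP address.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Simulate the page loaded from http://attacker.com issuing an XMLHttpRequest
// to its own origin after the cached answer expired.
function simulateRebinding(resolve, pageOrigin) {
  const loadAnswer = resolve(pageOrigin.host);   // lookup at page load
  const xhrAnswer = resolve(pageOrigin.host);    // lookup when the XHR is sent (TTL expired)
  const request = { scheme: 'http', host: pageOrigin.host, port: 80 };
  return {
    sopAllows: sameOrigin(pageOrigin, request),  // true: same scheme/host/port
    pageLoadedFrom: loadAnswer.ip,
    requestSentTo: xhrAnswer.ip,                 // the target, not the attacker
    hostHeader: pageOrigin.host,                 // the browser still sends Host: attacker.com
  };
}

// Defence on the target: accept only Host values the server is actually known by.
// A rebound request arrives with the attacker's hostname in Host, so it is rejected.
function isAllowedHost(hostHeader, allowedNames) {
  if (typeof hostHeader !== 'string' || hostHeader.length === 0) return false;
  const name = hostHeader.replace(/:\d+$/, '').toLowerCase().replace(/\.$/, '');
  return allowedNames.includes(name);
}

const resolver = makeRebindingResolver('203.0.113.10', '192.168.1.1');
const outcome = simulateRebinding(resolver, { scheme: 'http', host: 'attacker.com', port: 80 });
const targetAccepts = isAllowedHost(outcome.hostHeader, ['victimserver.com', '192.168.1.1']);
console.log(outcome, 'target accepts request:', targetAccepts);
```

The Host check works because the browser fills in Host from the page's origin, which the attacker cannot change without also changing the origin and losing the same-origin read. Devices that answer to any Host value (most home routers and many internal services) are exactly the ones that rebinding reaches.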

DOM (Document Object Model)

DOM: the kinds of XSS
We all know the first two kinds:
① Reflected XSS
② Stored XSS
In both, the malicious data is sent to the server and comes back in the server's HTTP response.

The third kind is DOM-based XSS, which does not depend on the malicious data being sent to the server at all: the page's own client-side script reads the data (for example from the URL) and writes it into the page.

DOM: the APIs that may be involved in DOM-based XSS

DOM: sources
1). document.location
2). document.URL
3). document.URLUnencoded
4). document.referrer
5). window.location
Through these APIs, page script reads data that the attacker controls by crafting the URL. On their own they are not harmful: the attacker gets nothing unless the user actually opens the crafted URL.

DOM: sinks
1). document.write()
2). document.writeln()
3). document.body.innerHTML
4). eval()
5). window.execScript()
6). window.setInterval()
7). window.setTimeout()
When attacker-controlled data reaches one of these APIs, the attacker can inject script into the page. They are mostly used for form hijacking, injecting XSS code that runs when the user submits a form. This is the dangerous case; most of these attacks are used for stealing cookies.

EXAMPLE: document.body.innerHTML
Suppose the page has an element with id "a" whose text is xxx, and the script runs
    document.getElementById("a").innerHTML="yyyyyy";
While this code runs, xxx takes the value "yyyyyy". "yyyyyy" can be replaced by something else, for example an HTML tag, or the same tag written with Unicode escapes like "\u003cimg src=1\u003e" (inside a JavaScript string literal, \u003c is simply "<").

EXAMPLE: document.body.innerHTML
Real example: qq.com (most of you should know this, right? ☺)

EXAMPLE: document.body.innerHTML
URL: bin/search?libid=1&keyvalue=aaaaaaa&attr=133&stype=2&tname=star_second.shtml (there were some vulnerabilities, but there aren't now, I think). The value of keyvalue (aaaaaaa) is echoed into the page's inline script:

    search_by job1: aaaaaaa
    if("aaaaaaa"=="") document.getElementById("titleshow").innerHTML="search_by_place: all_stars";
    if("job1"=="job1") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
    if("job1"=="job2") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";
    if("job1"=="job3") document.getElementById("titleshow").innerHTML="search_by_job: aaaaaaa";

We know that a tag written with literal angle brackets would not be recognized (the server encodes them), but "/" is passed through, so perhaps we should try Unicode escapes. We see that if("job1"=="job1") is the branch that executes, so we focus on that line.

As we know from above, we can change "aaaaaaa" into "\u003cimg src=1 onerror=alert(1)\u003e". The server's encoding leaves the backslashes alone, the JavaScript parser turns \u003c and \u003e into "<" and ">" when it reads the string literal, and innerHTML then parses the result as an img element whose onerror handler runs.

EXAMPLE: document.body.innerHTML
This is an example we studied while trying to get a better understanding of DOM-based XSS. We did not actually attack this website, and the vulnerability has been reported!
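Why the Unicode escape gets past the server's encoding, and what the fix looks like, as an added example that is not code from the slides or from qq.com. It models the flow in the search page (parameter HTML-encoded by the server, embedded in a JavaScript string literal, assigned to innerHTML by client code); the element id and template text are from the slide, the encoding functions and the way the literal is evaluated are ours.

```javascript
// Added example, not the slides' or qq.com's code. Models the flow on the
// search page: the server HTML-encodes keyvalue, embeds it in a JavaScript
// string literal, and client code assigns that string to innerHTML.

// The attacker's keyvalue: no "<" or ">" at all, only JavaScript Unicode escapes.
const PAYLOAD = '\\u003cimg src=1 onerror=alert(1)\\u003e';

// What the server did: HTML-encode the parameter. Correct for an HTML context,
// useless inside a JavaScript string literal, where "\u003c" still means "<".
function htmlEncode(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// Encoding for a JavaScript string literal: every backslash, quote, HTML
// metacharacter and line terminator becomes a \uXXXX escape, so the attacker
// can neither end the literal nor smuggle a "\u003c" of their own through.
function jsStringEncode(s) {
  return s.replace(/[\\"'<>&\u2028\u2029\r\n]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// The vulnerable template (as on the slide), and a fixed one that encodes for
// both contexts in the right order: HTML first (for the innerHTML sink), then
// JavaScript string (for the literal the value is embedded in).
function renderVulnerable(value) {
  return 'document.getElementById("titleshow").innerHTML="search_by_job: ' + htmlEncode(value) + '";';
}
function renderFixed(value) {
  return 'document.getElementById("titleshow").innerHTML="search_by_job: ' + jsStringEncode(htmlEncode(value)) + '";';
}

// Evaluate the generated string literal the way the browser's JavaScript parser
// would, and return the value that ends up in innerHTML (no DOM needed).
function innerHtmlValue(script) {
  const start = script.indexOf('innerHTML=') + 'innerHTML='.length;
  const literal = script.slice(start, script.lastIndexOf('"') + 1);
  return new Function('return ' + literal)();
}

// Does the value that reaches innerHTML contain a start tag?
function containsTag(html) {
  return /<[a-z]/i.test(html);
}

console.log('vulnerable:', innerHtmlValue(renderVulnerable(PAYLOAD)));
console.log('fixed:     ', innerHtmlValue(renderFixed(PAYLOAD)));
```

With the vulnerable template the value reaching innerHTML is search_by_job: followed by a real img tag; with the fixed template the backslashes are escaped too, so the sink receives the attacker's text with a literal "\u003c" in it. The simpler fix on the client side is to assign to textContent instead of innerHTML, after which the HTML-encoding layer is no longer needed.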

DOM: redirection sinks
1). document.location
2). document.URL
3). document.open()
4). window.location.href
5). window.navigate()
6). window.open
These APIs are mostly used in redirection attacks (sending the user to an attacker-chosen URL). The damage can be large or small, but this kind of problem is often easily overlooked.

DOM: differences between standard XSS and DOM-based XSS

DOM: how to find DOM-based XSS
1). Byte-level taint tracking in Chromium: every character of a string carries precise source information, and the sinks (for example document.write) are patched to check the taint of what reaches them.
2). A Chrome extension that crawls a given set of websites and also acts as the interface between the taint engine and the backend.
3). An exploit generator that uses the precise taint information together with JavaScript and HTML syntax rules to generate exploits fully automatically.

What to do next
- Defences against DNS rebinding
- The postMessage mechanism
- Build a DOM-based XSS demo
- Find ways to avoid the damage


Thank You ;)

Questions?