1
Cross-Site Scripting: Type-2
By John Gill CSCE 548 Student Presentation
2
What is Type 2 XSS?
- Clever manipulation of a website vulnerability, primarily an HTML weakness
- Commonly written in scripting languages, a favorite being JavaScript
- Unlike Type-1 XSS, Type-2 is stored within a website's database
- Type 2 is also known as persistent XSS or stored XSS, hence the necessity for storage in the database
- It is important to note that for an attack to be persistent, it is stored on the server side rather than the client ²
3
Who is affected
- Common XSS attacks take place in public domains where "code and data" are mixed ¹
- Social engineering is not the culprit
- Simply visiting a webpage is enough to be infected
- Forums, blogs, comment sections
4
What is impacted
- Large databases of unprotected or unfiltered input
- Unsuspecting people visiting a webpage, even if it is a common occurrence
- Social media is a common target for exploitation
- Confidentiality is breached
- Cookie and data theft are common targets
5
Fundamentals of an XSS Type-2 attack
[Diagram 1 (source: 24 Deadly Sins). Labels: Malicious code input; Database; Webpage obtains malicious code; Malicious code is executed]
6
Notable Type-2 exploits and repercussions
- Samy worm ²
- Myspace exploit
- Myspace was in the infancy of developing XSS safeguards; obviously they still have some work to do
- When the profile was viewed, the worm:
  - required the user to add Samy
  - sent a pop-up
  - infected the individual
- This was the fastest-spreading worm of its time, infecting at an exponential rate
7
Detection of Type-2
- One of the basic techniques is testing a website's input parameters ¹
- Understanding that the raw data must be viewed is of absolute importance
- Scanning code for common scripting characters is an easy way to review large amounts of data quickly
- Common symbols include: <, >, %, =, ', ", &, and request commands
- Common tools for finding vulnerabilities include:
  - Nikto
  - Nessus
8
Prevention ³
- Rule 1: Escape the aforementioned symbols ³
  - Assume all data is malicious and thus untrusted
- Rule 2: Encoding ⁴
  - This is why looking at raw data is important: converting foreign symbols into entities renders the malicious code non-executable
- Rule 3: Include HTML code within the application ⁴
  - After converting user input into an entity, HTML code should be used to further this process: to hash, clean, and return a cleaned integer value for the compiler to express in terms of legible words
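Added example (not part of the original presentation): a stored comment rendered without and with the entity encoding of Rule 2, plus the raw-data character scan from the detection slide. The names commentsTable, saveComment, encodeHtml, renderUnsafe, renderSafe and flagSuspicious are hypothetical, and the two comments are constructed sample input.

```javascript
// Added example: in-memory stand-in for the site's database (constructed data).
const commentsTable = [];

// Store the input exactly as received; encoding happens at output time.
function saveComment(author, body) {
  commentsTable.push({ author, body });
}

// Rule 2: map the characters HTML treats as markup to entities.
// A single regex pass means '&' is never double-encoded.
const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ENTITIES[ch]);
}

// Vulnerable: stored data is concatenated straight into the page,
// so every later visitor's browser receives it as markup.
function renderUnsafe() {
  return commentsTable.map((c) => `<li><b>${c.author}</b>: ${c.body}</li>`).join('\n');
}

// Hardened: every stored field is treated as untrusted (Rule 1) and encoded.
function renderSafe() {
  return commentsTable
    .map((c) => `<li><b>${encodeHtml(c.author)}</b>: ${encodeHtml(c.body)}</li>`)
    .join('\n');
}

// Detection aid: flag stored rows whose raw data contains the common symbols.
function flagSuspicious() {
  return commentsTable.filter((c) => /[<>"'&%=]/.test(c.author + c.body));
}

// Constructed sample input: one ordinary comment, one carrying a script tag.
saveComment('alice', 'Nice post, thanks');
saveComment('mallory', '<script>alert("stored")</script>');

console.log(renderUnsafe());   // script tag reaches the page as markup
console.log(renderSafe());     // same data shown as inert text
console.log(flagSuspicious().map((c) => c.author));
```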
9
Conclusion
Prevention of cross-site scripting is a matter of basic HTML capability and the more advanced practice of preventing certain functionalities. For websites commonly under attack, such as Myspace as well as Facebook, Google, and whomever else, it is a matter of safeguarding. XSS is easily preventable in the realm of webpages so long as developers understand the necessity for prevention rather than patching. Fixing an issue presented to you is easy; forward thinking, while a hassle, can save you your job and tens of thousands of clients in the future with proper precautionary testing.
10
References
1. Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, Print.
2. Auger, Robert. "Cross Site Scripting." The Web Application Security Consortium. The Web Application Security Consortium, n.d. Web.
3. XSS (Cross Site Scripting) Prevention Cheat Sheet. Open Web Application Security Project, n.d. Web.
4. "Prevent Cross-site Scripting Attacks by Encoding HTML Responses." Prevent Cross-site Scripting Attacks by Encoding HTML Responses. IBM, n.d. Web. 20 July 2016.