Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Sight scripting: Type-2

Published byOsborne Patrick Modified over 5 years ago

Similar presentations

Presentation on theme: "Cross Sight scripting: Type-2"— Presentation transcript:

1 Cross Sight scripting: Type-2
By John Gill CSCE 548 Student Presentation

2 What is Type 2 XSS Clever manipulation of an website vulnerability, primarily html weakness Commonly written in scripting languages, a favorite being JavaScript Unlike XSS type-1, type-2 is stored within a website data base Type 2 is also known as persistent xss or stored xss, hence the necessity for storage in the database It is important to note for an attack to be persistent it is stored on the server side rather than client ²

3 Who is effected Common xss attacks take place in public domains where “code and data” are mixed ¹ Social engineering is not the culprit Simply visiting a webpage is enough to be infected Forums, blogs, comment sections

4 What is impacted Large database of unprotected or unfiltered input
Unsuspecting people visiting a webpage, even if it is a common occurrence Social media is a common target for exploitation Confidentiality is breached Cookie and data theft common targets

5 fundamentals of a XSS type-2 attack
Malicious code input webpage obtains malicious code Malicious code is executed Database Diagram 1: 24 Deadly sins

6 Notable Type-2 exploits and repercussions
Samy worm ² Myspace, exploit Myspace was in the infancy of developing xss safeguards, obviously they still have some work to do When the profile was viewed the worm required: User to add samy sent a pop-up infected the individual This was the fastest spreading worm of its time infecting at an exponential rate

7 Detection of type-2 One of the basic techniques is testing a websites input parameters ¹ Understanding that the raw data must be viewed is of absolute importance scanning code for common scripting characters is an easy way to review large amounts of data quickly Common symbols include: <, >, %, =, ‘, “, &, and request commands Common tools in finding vulnerabilities include: Nikto Nexxus

8 Prevention ³ Rule 1: An escape from the aforementioned symbols ³
Assume all data is malicious and thus untrusted Rule 2: Encoding 4 This is why looking at raw data is important, converting foreign symbols into entities renders the malicious code in-executable Rule 3: Include HTML code within application 4 After converting user input into an entity, html code should be used to further this process, to hash, clean, and return a cleaned integer value for the compiler to express in terms of legible word

9 Conclusion Prevention of cross Site scripting is a matter of basic html capacity and the more advanced practices in preventing certain functionalities. In order for websites commonly under attack such as Myspace as well as facebook, google, and whom ever it is a matter of safeguarding. Xss is easily preventable in the realm of webpages so long as developers understand the necessity for prevention rather than patching. Fixing an issue presented to you is easy, forward thinking while, a hassle, can save you your job, and tens of thousands of clients in the future with proper precautionary testing.

10 References Howard, Michael, David LeBlanc, and John Viega. 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, Print. Auger, Robert. "Cross Site Scripting." The Web Application Security Consortium. The Web Application Security Consortium, n.d. Web. XSS (Cross Site Scripting) Prevention Cheat Sheet. Open Web Application Security Project, n.d. Web. "Prevent Cross-site Scripting Attacks by Encoding HTML Responses." Prevent Cross- site Scripting Attacks by Encoding HTML Responses. IBM, n.d. Web. 20 July 2016.

Download ppt "Cross Sight scripting: Type-2"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
March Intensive: XSS Exploits

March Intensive: XSS Exploits
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.

Similar presentations

Ads by Google