Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 482/582: Computer Security

Published byШпела Милошевић Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 482/582: Computer Security"— Presentation transcript:

1 CSC 482/582: Computer Security
Cross-Site Security

2 Topics Cross-Site Request Forgery Mitigating CSRF.
Cross-Site Scripting (XSS) Mitigating XSS.

3 Cross-Site Attacks Target users of application.
Web browsers cache authentication credentials and re-use them with requests to same origin. Attackers use application to reach target users. Attack obtains assets of individual users rather than assets of entire application. Most common type of attack. Cross-Site Request Forgery (CSRF) Cross-Site Scripting (XSS)

4 Cross-Site Request Forgery
A confused deputy attack. Exploits trust that application has with authentication sessions. Attack scenario: User authenticates to web application. User browses to another site containing a malicious CSRF attack link to web app. iframe, img, link, bgsound, etc. Browser accesses web app with cached credentials, performing whatever action specified by the link.

5 Example: DSL Modem Attack
Home network devices administered via web apps. Standard local IPs. Attacker inserts 1-pixel img tag on page. src is URL of form submission, giving remote admin. No password needed. Software owner assumed device on trusted local network. Of course, browser is on the local network too. <img src= " alt="" width="1" height="1" /> Image from

6 Example: POST-based CSRF
Send following HTML to user: <form name="csrfForm" action=" method="POST"> <input type="hidden" name="giveMoneyTo" value="hacker" /> <input type="hidden" name="giveAmount" value="1000" /> <input type="submit"/> </form> <script> document.csrfForm.submit(); </script>

7 Ineffective CSRF Mitigations
Require POST for data modifications, but Many frameworks automatically fetch both types of parameters or convert one to other. Hidden POST requests can be created with scripts. Check referer header. But users can block or forge referer header, so it cannot be relied on for everyone.

8 Effective CSRF Mitigations
Use nonces. Random token inserted as hidden parameter, and thus submitted with form. But XSS can read form, so a combined XSS + CSRF attack can bypass this defense. Re-authenticate for high value transactions. Use out of band authentication if possible. Expire session IDs quickly. But there will always be some time period in which a CSRF attack will work. Automate defenses with tools. CSRFGuard to insert nonces. CSRFTester to verify application.

9 Cross-Site Scripting (XSS)
Attacker causes a legitimate web server to send user executable content (Javascript, Flash ActiveScript) of attacker’s choosing. Impact of XSS Account hijacking. Browser hijacking (malware hosting.) Information leakage (stored form values, etc.) Virtual defacement.

10 XSS Examples FF.net worm (October 2018) Paypal (2018)
If you view an infected profile, your profile infected. Similar to Samy’s MySpace XSS worm in 2006. Paypal (2018) Tech support site allowed anonymous (but not authenticated) users to upload files in any format without input validation, including XSS content. Mass Defacement ( ) Billy Ribeiro Anderson pled guilty after illegally accessing and defacing 11,000 web sites, including using XSS to defect West Point’s Combating Terrorism Center web site.

11 XSS Key Steps Attacker sends code to web application.
Legitimate user accesses web app. Web app sends attacker code to user. User’s browser executes code.

12 XSS Example Client browser sends an error message to the web server.
+error+occurred

13 XSS Example The error message is “reflected” back from the Web server to the client in a web page.

14 XSS Example We can replace the error with JavaScript

15 Exploiting the Example
User logins in and is issued a cookie Attacker feed the URL to user

16 Why does XSS Work? Same-Origin Policy Vulnerable Server Program
Browser only allows Javascript from site X to access cookies and other data from site X. Attacker needs to make attack come from site X. Vulnerable Server Program Any program that returns user input without filtering out dangerous code.

17 Reflected XSS Attack Scenario Limitations User clicks on link.
Injected script returned by one-time message from vulnerable site. User browser executes injected code. Limitations Non-persistent. Only works when user clicks. Most common type of XSS (~75%).

18 Anatomy of an XSS Attack
Web Server 8. Attacker hijacks user session. 1. Login Attacker User 2. Cookie 5. XSS URL 3. XSS Attack 6. Page with injected code. 7. Browser runs injected code. 4. User clicks on XSS link. Evil site saves ID.

19 XSS Testing Strings Use strings that use JavaScript in different contexts. <script>alert(document.cookie);</script> <script src= <img src="javascript:alert(‘xss');"> <img src=# onmouseover="alert(‘xss')"> … and many other ways to run JavaScript. Use URL and other encodings to bypass input filters. See XSS_Filter_Evasion_Cheat_Sheet

20 XSS URL Examples

21 Stored XSS Injected script stored in
Post or comment. Review. Uploaded file. User views page with injected script. Malicious action is taken while user is logged into site where malware found. Not technically cross-site. Attack persists until injected code deleted.

22 DOM-based XSS Attack scenario Exploits vulnerability in client code.
User clicks on URL with crafted Javascript. Application’s client code extracts data from URL and dynamically updates page with it. User browser executes crafted Javascript that was inserted in the page. Exploits vulnerability in client code. Server does not reflect or store evil Javascript.

23 Browser Exploitation Framework
BeEF hooks browsers via XSS exploit Can use as stored or reflected XSS. Hooked browsers are bots controlled by BeEF. Exploitation modules run on hooked browsers to View browsing history. Identify authenticated sessions. Phishing and other social engineering attacks. Port scans of network browser is running on. Reverse proxy into network browser is running on. Use Metasploit.

24 BeEF Screenshot

25 Mitigating XSS Two main approaches:
Output encoding. HTML entity encode all output to remove script tags and the like. Note that output encoding is context specific. If output goes inside a <script> tag or inside tags that can call JavaScript, different encoding is needed than outside such tags., Input validation. Reject user input with HTML or reject user input that isn’t limited to a safe subset of HTML. Use encoding libraries where possible, like Microsoft Anti-Cross Site Scripting Library for .NET OWASP Java Encoder Project

26 References Daswani et. al., Foundations of Security, Apress, 2007.
Seth Fogie et. al., XSS Attacks: Cross-Site Scripting Exploits and Defense, Syngress, 2007. Jakob Kallin and Irene Lobo Valbuena. Excess XSS: A comprehensive tutorial on cross-site scripting. Nathan, OWASP. XSS Filter Evasion Cheat Sheet. Stuttart and Pinto, The Web Application Hacker’s Handbook, 2nd edition, Wiley, 2011. Michal Zalewski, The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press, 2012.

27 Released under CC BY-SA 3.0
All slides in this presentation unless otherwise noted are released under the Creative Commons Attribution-ShareAlike 3.0 Unported (CC BY-SA 3.0) license You are free: to Share — to copy and redistribute the material in any medium to Adapt— to remix, build, and transform upon the material to use part or all of this presentation in your own classes Under the following conditions: Attribution — You must attribute the work to James Walden, but cannot do so in a way that suggests that he endorses you or your use of these materials. Share Alike — If you remix, transform, or build upon this material, you must distribute the resulting work under this or a similar open license. Details and full text of the license can be found at

Download ppt "CSC 482/582: Computer Security"

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Copyright© 2002 Avaya Inc. All rights reserved Advanced Cross Site Scripting Evil XSS Anton Rager.

Copyright© 2002 Avaya Inc. All rights reserved Advanced Cross Site Scripting Evil XSS Anton Rager.
Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report 2014 https://info.cenzic.com/2013-Application-Security-Trends-Report.html.

Cosc 4765 Server side Web security. Web security issues From Cenzic Vulnerability report
HTTP and Server Security James Walden Northern Kentucky University.

HTTP and Server Security James Walden Northern Kentucky University.

Similar presentations

Ads by Google