We think you have liked this presentation. If you wish to download it, please recommend it to your friends in any social system. Share buttons are a little bit lower. Thank you!
Presentation is loading. Please wait.
Published byYasmin Bankes
Modified over 4 years ago
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane firstname.lastname@example.org
©2009 Justin C. Klein Keane Types of XSS Non-persistent (reflected) Persistent (stored) DOM-based
©2009 Justin C. Klein Keane Reflected XSS Script that is passed to the site is rendered back to the browser Like string format vulnerabilities, originally considered a harmless bug Common scenarios is a search engine that returns a value of “Your search for X returned Y records” Developers didn't care if site users cause pop- ups to appear
©2009 Justin C. Klein Keane Reflected XSS Takes Imagination Attackers quickly figured out ways to exploit reflected XSS – URL passed variables used to redirect users to other sites – Combined with e-mail or link or form on another site to create a trust compromise – Generally involves social engineering of some sort
©2009 Justin C. Klein Keane Persistent XSS Attacker injects script that is stored on the target and displayed to any user requesting the page At a minimum can cause a denial of service
©2009 Justin C. Klein Keane Typical XSRF User logs into a target site as an admin User views a page with a persistent XSS The script then calls a form or submits an AJAX request with attacker determined values Can be used to do things like change the user's password or perhaps exploit other vulnerabilities in authenticated areas of the site Attacker uses XSRF to reset SOHO router settings
©2009 Justin C. Klein Keane Protecting Against XSRF Forms contain a transitory token that is tied to the user account Token must then be passed in the form submission in order to carry out an action Even this is not foolproof as a clever XSRF can instantiate an iframe that includes a legitimate call to the form, with a valid token
©2009 Justin C. Klein Keane Other XSRF Defenses Require a user to fill in existing password in order to change it Auto complete on form fields can defeat even this protection, however
©2009 Justin C. Klein Keane Preventing XSS & XSRF Essentially a problem of validating user input Filters for “known bad” are especially dangerous with XSS – New techniques emerge regularly – Browsers change – New web browsers emerge
©2009 Justin C. Klein Keane Mitigation Strategy Disallow HTML Don't utilize user supplied input in display (including scripts) without careful sanitization DO NOT ALLOW BAD DATA INTO THE DB! – Do NOT sanitize exclusively on output! Use a library for translation – This can be useful if the library is centrally maintained as it can easily evolve – Still a broadside approach, not as effective as limiting to known good
©2009 Justin C. Klein Keane Useful PHP Functions htmlspecialchars() – '&' to '&' – “ to " – ' to ' – < to < – > to > htmlentities() – Much more thorough, all characters with HTML equivalents are translated.
©2009 Justin C. Klein Keane More PHP strip_tags() - strips out all HTML (and PHP) tags – Can optionally allow certain tags fgetss() - same as fgets(), which gets a line from a pointer, but strips tags
©2009 Justin C. Klein Keane More Useful PHP Functions ereg_replace() – Allow only characters you want eregi_replace() preg_replace()
©2009 Justin C. Klein Keane Finding XSS Tools can sometimes be useful Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results
©2009 Justin C. Klein Keane Filter Evasion Techniques Alternating case: <ScRiPt Inject “legal” characters – script/src= – <scr%00ipt URL encoding input – alert('foo'); – <script>al&# 101;rt('foo') 9;</script> – %3cscript%3e – %253script%253e
©2009 Justin C. Klein Keane Filter Exploitation Be careful that any filters you use can't be used against you Filters that remove text might actually be used to de-mangle input: – A filter that removes the string “ ” can be defeated using the input: ipt>
©2009 Justin C. Klein Keane Other Concerns XSS in uploaded files (images, PDF, etc.) Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)
Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico
Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
COMP 321 Week 12. Overview Web Application Security Authentication Authorization Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
Introduction to the OWASP Top 10. Cross Site Scripting (XSS) Comes in several flavors: Stored Reflective DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
© 2019 SlidePlayer.com Inc. All rights reserved.