Cross-Site Scripting Vulnerabilities Adam Doupé 11/18/2015.

1 Cross-Site Scripting Vulnerabilities Adam Doupé 11/18/2015


3 Ethics
Only hack into sites you own
– Or you have permission
Popular sites may have bug bounty program
– Facebook
– github
– Google
You will get caught

4 Tech
HTTP
HTML
CSS
JavaScript
SQL
Server-Side Code (Python/PHP/Ruby)

5 Many Vulnerabilities
Cross-Site Scripting (XSS)
SQL Injection
Cross-Site Request Forgery (XSRF)
HTTP Parameter Pollution (HPP)
Command Injection
Parameter Manipulation
File Exposure
Directory Traversal
Forced Browsing
Logic Flaws
Execution After Redirect (EAR)

7 Tech
HTTP
HTML
CSS
JavaScript
SQL
Server-Side (Python/PHP/Ruby)

8 HTML
Original HTML had
– images
– tables
– font sizes
– …
Content was static

9 https://web.archive.org/web/19961017235908/http://www2.yahoo.com/


11 https://web.archive.org/web/19961022174810/http://www.altavista.com/

12 https://web.archive.org/web/19981202230410/http://www.google.com/

13 HTML Design
HTML designed to describe a text document with hyperlinks to other documents
How to do fancy animations or pretty web pages?

14 Interactive HTML
Java Applets
– Your computer downloads Java bytecode from a random website and runs it. What could possibly go wrong?
ActiveX Controls
– Binary, OS-specific programs that are downloaded and executed in the context of a web page
Adobe Flash
– Fundamentally a vector graphics and animation engine
Silverlight
– Microsoft competitor and replacement/upgrade to ActiveX
JavaScript
– Lingua franca of the web

15 JavaScript
Client-Side scripting language for interacting and manipulating HTML
Created by Brendan Eich at Netscape Navigator 2.0 in September 1995 as "LiveScript"
Renamed to "JavaScript" in December 1995 and is (from the Netscape Press Release)
– "announced JavaScript, an open, cross-platform object scripting language for the creation and customization of applications on enterprise networks and the Internet"
JavaScript is a (from wikipedia) "prototype-based scripting language with dynamic typing and first-class functions"
– Does this sound like Java?
Questions over why the name change
– Marketing ploy to capitalize on the "hot" Java language?
– Collaboration between Sun and Netscape?
By August 1996, Microsoft added support for JavaScript to Internet Explorer
– Microsoft later changed the name to JScript to avoid Sun's Java trademark
Submitted to Ecma International for standardization on November 1996
ECMA-262, on June 1997, standardized first version of ECMAScript

16 JavaScript
Lingua franca of the web
Eventually supported by all browsers
Language organically evolved along the way
Document Object Model (DOM) allows JavaScript to manipulate the client-side HTML content
– Distinct from JavaScript the programming language

17 JavaScript
Code can be embedded into HTML pages using the script element (optionally storing the code in HTML comments, so that browsers without script support ignore it):

    <script>
    <!--
    // prompt() returns null if the user cancels the dialog
    var name = prompt('Please enter your name below.', '');
    if (name == null) {
      document.write('Welcome to my site!');
    } else {
      document.write('Welcome to my site ' + name + '!');
    }
    -->
    </script>


21 DOM Example
The page carries a heading "DOM Example" and an element with id insert_here; the script creates an <hr> element and appends it there:

    <h1>DOM Example</h1>
    <div id="insert_here"></div>
    <script>
    var hr = document.createElement('HR');
    document.getElementById('insert_here').appendChild(hr);
    </script>


23–25 Web Applications (diagram slides showing the browser, JavaScript, HTTP, and SQL layers of a web application)

26 HTTP Client Request

    GET / HTTP/1.1
    User-Agent: curl/7.37.1
    Host: www.facebook.com
    Accept: */*

27 HTTP Server Response

    HTTP/1.1 200 OK
    Expires: Sat, 01 Jan 2000 00:00:00 GMT
    Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
    Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
    Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
    Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
    Content-Type: text/html; charset=utf-8
    ...
    Welcome to Facebook - Log In, Sign Up or Learn More

28 JavaScript Security
Browsers are downloading and running foreign (JavaScript) code, sometimes concurrently
The security of JavaScript code execution is guaranteed by a sandboxing mechanism (similar to what we saw in Java applets)
– No access to local files
– No access to (most) network resources
– No incredibly small windows
– No access to the browser's history
– …
The details of the sandbox depend on the browser


31 Same Origin Policy (SOP)
Standard security policy for JavaScript across browsers
– Incredibly important to web security
If you learn only one thing from this lecture, let it be the Same Origin Policy
Every frame or tab in a browser's window is associated with a domain
– A domain is determined by the tuple (protocol, domain, port) from which the frame content was downloaded
Code downloaded in a frame can only access the resources associated with that domain
If a frame explicitly includes external code, this code will execute within the SOP
– On adamdoupe.com, the following JavaScript code has access to the SOP –

32 Example Same Origin Policy
https://www.facebook.com/ → (https, www.facebook.com, 443)
http://www.cnn.com/ → (http, www.cnn.com, 80)

33 Cross-Site Scripting (XSS) XSS attacks are used to bypass JavaScript's Same Origin Policy

34 XSS – Example Hello

35 http://example.com/test.php?name=adam
Hello
36 http://example.com/test.php?name=adam
Hello adam
37 http://example.com/test.php?name=adam
Hello adam


39 http://example.com/test.php?name=<script>alert('xss')</script>
Hello
40 http://example.com/test.php?name=<script>alert('xss')</script>
Hello <script>alert('xss')</script>


43 http://example.com/test.php?name=
44 Reflected XSS (diagram slide: browser, HTTP, JavaScript; request http://example.com/test.php?name=)
45 (diagram slide: SQL) http://example.com/test.php?title=
46 Stored XSS (diagram slide: browser, HTTP, SQL, JavaScript)

47 Exploits – Phishing
Malicious JavaScript can completely control the DOM
Change current page to login page where the login sends credentials to the attacker


49 Exploits – Session Theft
HTTP is session-less
– No HTTP-native way to tie requests to the same user
Web applications typically use cookies to create a session
– Session describes who the user is, if they've passed authentication
JavaScript has access to cookies…
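A defender's check that follows from this slide and from the Set-Cookie headers on slide 27: cookies set without the HttpOnly flag are readable through document.cookie, so they are the ones an injected script could exfiltrate. Added example, not lecture code; the header lines are constructed from the slide 27 response.

```python
# Added example for this transcript, not lecture code.
# Constructed sample: two Set-Cookie lines taken from the slide 27 response
# plus one unrelated header, as a server's response headers would arrive.
SAMPLE_HEADERS = [
    "Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; "
    "Max-Age=63072000; path=/; domain=.facebook.com; httponly",
    "Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com",
    "Content-Type: text/html; charset=utf-8",
]


def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (cookie name, attributes). Attributes are
    keyed by lowercase name; bare flags such as httponly map to True."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        elif part:
            attrs[part.lower()] = True
    return name, attrs


def script_readable_cookies(headers):
    """Names of cookies set without HttpOnly. These are visible to any
    JavaScript running in the page's origin, including an XSS payload, so a
    session cookie in this list is the one to fix first."""
    exposed = []
    for line in headers:
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value.strip())
        if "httponly" not in attrs:
            exposed.append(name)
    return exposed
```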

50 Exploits – Session Theft (diagram slide: JavaScript, HTTP, SQL)

51 Exploits – Unauthorized Actions
JavaScript can make requests to the web application
– Browser sends cookies
– Appears as if the user made the request (clicked the link or filled out the form)
Malicious JavaScript can make requests to the web application on your behalf

52 (diagram slide: JavaScript)

53 Exploits – Worms
Stored XSS vulnerability + Unauthorized Actions
– Self-propagating worm
Social networks particularly susceptible
– "samy is my hero" (2005)
– Tweetdeck (2014)

54 http://samy.pl/popular/


57 XSS – Detection
Understand how input is used in HTML source
Input "forbidden" characters
– ' " ; /
Understand what sanitization is performed

58 XSS – Prevention
XSS is very difficult to prevent
Every piece of data that is returned to the user and that can be influenced by the inputs to the application must first be sanitized (GET parameters, POST parameters, Cookies, request headers, database contents, file contents)
Specific languages (e.g., PHP) often provide routines to prevent the introduction of code
– Sanitization has to be performed differently depending on where the data is used
– This context-sensitivity of sanitization has been studied by the research community

59 XSS – Prevention
Sanitize all user inputs using known sanitization routine
Depends on where output is in HTML page
– necessary in HTML
– Only need ' in JavaScript
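The test.php example from slides 34 to 41 and the context-dependent sanitization of slides 58 and 59, worked in code. Added example, not lecture code; Python stands in for the slide's PHP, the payload is the slide's own alert('xss'), and the renderer names are assumptions.

```python
import html
import json

# Added example for this transcript, not lecture code.
# The slide's payload, constructed here as test input.
PAYLOAD = "<script>alert('xss')</script>"


def render_vulnerable(name):
    """Slide 34's test.php behaviour: the name parameter is echoed verbatim
    into the HTML body, so markup in it becomes part of the page."""
    return "Hello " + name


def render_html_body(name):
    """HTML text context: escaping & < > " ' is the correct sanitization
    here; the input can then only ever render as text."""
    return "Hello " + html.escape(name, quote=True)


def render_js_string(name):
    """JavaScript string context (value placed inside a <script> block).
    json.dumps yields a valid quoted JS literal; < and > are additionally
    encoded because the HTML parser would otherwise see a literal </script>
    inside the data and close the script element early."""
    literal = json.dumps(name).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>var name = " + literal + ";</script>"


def quote_only_js_string(name):
    """Escaping only the quote character in a JS string: kept to show that
    this payload still breaks out, because </script> ends the element
    before the JavaScript parser ever sees the escaped quote."""
    return "<script>var name = '" + name.replace("'", "\\'") + "';</script>"


def script_element_count(markup):
    """Number of opening <script tags in rendered output. A response that
    should carry exactly N script elements must still carry N after user
    input is inserted; any extra one is injected code."""
    return markup.lower().count("<script")
```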

60 Tools
Browser Developer Tools
Wireshark
Burp Proxy
SQLMap
OWASP Broken Web Apps Project
– https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project
Google Gruyere
– https://google-gruyere.appspot.com/

61 Questions?
@adamdoupe
doupe@asu.edu
http://adamdoupe.com/
