Ppt on cross-site scripting attack

Command Injection Attacks CSE 591 – Security and Vulnerability Analysis Spring 2015 Adam Doupé Arizona State University

%s ", $city, $district); $stmt->close();} Adam Doupé, Security and Vulnerability Analysis Cross-Site Scripting (XSS) XSS attacks are used to bypass JavaScript's Same Origin Policy Reflected attacks –The injected code is reflected off the web server, such as in an error message,/link (a reflected XSS attack) Stored Cross-Site Scripting Cross-site scripting can also be performed in a two-step attack –First the JavaScript code by the attacker is stored in a /


Off-Path Attacking the Web Yossi Gilad and Amir Herzberg Computer Science Department, Bar Ilan University.

. by the puppet) Internet 1. Surf to Oscar.com 2. Send page with script 3. Script opens (hidden) frame of Bob.com 4. Inject (e.g., script) as content from Bob Attack Goal and Scenario Alice’s browser assigns Oscar’s spoofed response with context of `Bob’  Can contain script: cross site scripting (XSS)  Request objects: cross site request forgery (CSRF)  Spoof a web-page, response may be cached What/


Closing the Door on Web Application Attacks FISSEA 2004 Confidential and proprietary information ©2004, MagniFire Websystems Inc.

Cross Site Scripting - Example (slides 28–31) Known Vulnerabilities & Misconfiguration – Exploiting configuration errors in 3rd party components, such as web and database servers – Newdsn.exe can be used by an attacker to/


1 Web site security Part 1 : SQL Injection Reporter : James Chen.

and/or commands on the backend database server through the web application. 5 Cross site scripting attack Cross-site scripting is gaining popularity among attackers as an easy vulnerability to find in web sites and exploit. The threats of cross-site scripting:  Users can unknowingly execute malicious scripts when viewing dynamically generated pages based on content provided by an attacker.  An attacker can take over the user session before the user's session cookie expires.  An/


Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.

Configured incorrectly Source code disclosure Canonicalization Server extensions Input validation (e.g. buffer overflow) Web Application SQL Injection (not only in web applications) Cross-Site Scripting Cross Site Request Forgery OSs Misconfiguration Input validation (e.g. buffer overflow) Design Flaws Vector of Attack SQL Injection The ability to inject SQL commands into the database engine through an existing application What is SQL? SQL stands for Structured/


Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University

input (built-in in ASP.NET)  Perform HTML escaping when displaying text data in a Web control XSS Attack XSS  Cross-site scripting attack  Cookie theft  Account hijacking  Modify content  Modify user settings  Download malware  Submit CSRF attack  Password prompt 15 Submits script on an unsafe form Execute the script on visiting the page 16  HTML escaping is the act of replacing special characters with their HTML entities/


Web Security SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking SoftUni Team Technical Trainers Software University

input (built-in in ASP.NET)  Perform HTML escaping when displaying text data in a Web control XSS Attack 15  Cross-site scripting attack  Cookie theft  Account hijacking  Modify content  Modify user settings  Download malware  Submit CSRF attack  Password prompt XSS Attack (2) Submits script on an unsafe form Execute the script on visiting the page 16  ASP.NET applies automatic request validation  Controlled by the ValidateRequest attribute of/


Hacking Andrei, Arto, Esko, Markus What kinds of threats/attacks exist in social media? – Emphasis on cross-site scripting Possibilities and drawbacks.

and drawbacks of Web 2.0 technologies How can you protect against these threats? Common Social Networking Security Threats Cross-site scripting (XSS) Enables attackers to inject client-side script into Web pages Uses known vulnerabilities in web-based applications, their servers, or plug-in systems Persistent/Non-persistent Self-XSS: tries to trick user into cutting and pasting a /


Cross Site Scripting & SQL injection

constant downloads from website. JavaScript is often used to create polls and quizzes. Cross Site Scripting (XSS) – Introduction XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website. Exploit in /(OWASP top 10 2013 is available in the training materials) Thus, basically Cross Site Scripting is when attackers use vulnerabilities in your web application to distribute malicious scripts to other users (which then run in other users' web browsers) Types of/


Attacking Rich Internet Applications kuza55 Stefano Di Paola i snorted Ajax i almost died.

and sink o Being able to set cookies < Being able to execute script  Can inject cookies into SSL from the network window.name (all browsers) & window.arguments (Firefox) o Attacker controlled IE persistence IE (and now Firefox) window.showModalDialog (input via window/All functions in Google Gears are NOT NULL-safe o Can truncate input to any function o Limited usefulness on the web Cross-Site Tracing makes a come-back! o Apache/IIS implement TRACE/TRACK methods  Meant for debugging  Echo back the whole/


Presented to OWASP San Antonio at Denim Group Introduction to Cross-Site Scripting with BeEF Created by: Charles Neill Modified Date: 2/5/2015.

Presented to OWASP San Antonio at Denim Group Introduction to Cross-Site Scripting with BeEF Created by: Charles Neill Modified Date: 2/5/2015 What is cross-site scripting? Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser TL;DR: Not filtering out HTML and JavaScript in user/


Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets permanently stored –And displayed Attack based on uploading a script Other users inadvertently download it –And run it... Lecture 16 Page 2 CS 236 Online The Effect of XSS Arbitrary malicious script executes on user’s machine In context of his web browser/


SQL Injection, XSS, CSRF, Parameter Tampering, DoS Attacks, Session Hijacking Telerik Software Academy ASP.NET MVC.

input (built-in in ASP.NET)  Perform HTML escaping when displaying text data in a Web control 14  Cross-site scripting attack  Cookie theft  Account hijacking  Modify content  Modify user settings  Download malware  Submit CSRF attack  Password prompt 15 Submits script on an unsafe form Execute the script on visiting the page  ASP.NET applies automatic request validation  Controlled by the ValidateRequest attribute of Page directive  Checks/


Attacking Web Applications Presented by Kristian Erik Hermansen /

http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet A2 – Cross-Site Scripting (XSS) Cross-Site Scripting Illustrated Application with stored XSS vulnerability 3 2 Attacker sets the trap – update my profile Attacker enters a malicious script into a web page that stores the data on the server 1 Victim views page – sees attacker profile Script silently sends attacker Victim’s session cookie Script runs inside victim’s browser with full access to the/


Presented By: Chandra Kollipara. Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected.

Presented By: Chandra Kollipara Cross-Site Scripting: Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user “Users get compromised because they are not security-conscious” “You can’t own a/


PREVENTING INJECTION ATTACKS.

the list of tweets. The current user's browser runs this nasty little script DIRECTLY off of the other server – Also known as "cross-site scripting attack" (XSS) – Can also be accomplished with an – Continue attack in same manner as before… But oh, the evils of "cross-site scripting" can be bad in so many ways Potential consequences of cross-site scripting – Stealing data from the page Confidentiality fail – Submitting forms on the/


Web Security Mike OLeary Towson University. Talk Outline Malware Viruses, Worms, Trojan Horses Phishing Spoofing IP Address, , Web Web Attacks Session.

happens if the user's comment is not just a comment, but rather a piece of code? HTML- the attacker can modify the content of the visited page. Javascript- the attacker can obtain information about the victim- including session information. This is called a cross site scripting attack. Web pages that solicit user comments must implement strong filters. Questions? Contact Information: Mike O'Leary Department of Mathematics Towson/


Web Application (LAMP*) Security Attack and Defense for System Administrators *LAMP (linux, apache, mysql, php/perl/python) application security.

and securing a (LAMP) web application as soon as possible when changing code is not an option. Attack (Hired Pen test) ● Cross Site Scripting (XSS) ● SQL injection ● Insecure Code Defense (Sys Admin) ● Application level (mod_sec) ● Network level/aiken.cz ● http://inotify-tools.sourceforge.net/ (iNotify toolset) Cross Site scripting: ● http://www.xssed.org (Cross site scripting attacks archive) Backdoor web shells: ● http://www.sh3llz.org (list of/


Nick Feamster CS 6262 Spring 2009

Web Security Cross-Site Scripting Overview Attack Server visit web site 1 receive malicious page 2 send valuable data 5 3 User Victim 4 click on link echo user/some IP address HttpOnly in IE can be written to by script, but cannot be read 13 Cross Site Request Forgery Overview Server Victim establish session 1 send forged request 4 2 visit server 3 User Victim receive malicious page Attack Server Q: how long do you stay logged on to Gmail/


Cross Site Scripting (XSS)

= alert(XSS) &x=0&y=0 HTML returned to victim: Search Results Search: " alert(XSS) " Reflected XSS Example Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied/


Cross-Site Scripting (XSS) Vulnerability in AJAX and Adobe Flex Applications Danielle Cauthen 04/09/2010 COMS E6125 – Web enHanced Information Management.

What is Cross-Site Scripting? Cross-Site Scripting, or XSS (not to be confused with CSS or Cascading Style Sheets), allows attackers to inject client-side script in a web page. The attacker injects script, such as JavaScript, VBScript,/ http://www.acunetix.com/vulnerability-scanner/download.htm Adobe Systems Incorporated (2004). Cross Site Scripting in Flash. Retrieved from http://kb2.adobe.com/cps/196/tn_19604.html/


Part 2: Input validation attacks continued …

to also validate “type” of input. Just validating the size isn’t enough!! Examples (next): SQL injection, HTTP parameter tampering, Cross Site Scripting attack. The rest of this lecture is not from the textbook. Please take notes. Next: SQL injection attack. Before that: Everything we need to know for the moment about SQL Consider a University database that maintains information about every/


Overview Custom software or Commercial/Open software Authentication Cross-Site Scripting SQL Injection Tips References.

Cheat Sheet: http://www.owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet OWASP Authentication Attacks: http://www.owasp.org/index.php/Category:Authentication_Vulnerability OWASP Cross Site Scripting Attacks: http://www.owasp.org/index.php/Category:Authentication_Vulnerability XSS Examples: http/


Phishing Attacks & Defense!. Who am I? Michael LaSalvia Has been in the information security industry for over 10 years and has worked for several fortune.

normally imposed on web content by modern web browsers. By finding ways of injecting malicious scripts into web pages, an attacker can gain elevated access-privileges to sensitive page content, session cookies, and a variety of other information maintained by the browser on behalf of the user. Cross-site scripting attacks are therefore a special case of code injection. There are three types/


1 Secure Web Site Design Dan Boneh CS 155 Spring 2007 Project 2: out today.

user using same cache server Defense: don’t do that. 40 Summary thus far 41 App code Little programming knowledge can be dangerous: Cross site scripting SQL Injection HTTP Splitting What to do? Band-aid: Web App Firewall (WAF)  Looks for attack patterns and blocks requests  False positive / false negatives Code checking 42 Code checking Blackbox security testing services: Whitehatsec.com Automated blackbox testing/


Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total.

“active” web pages –AJAX, huge number of Web-based applications Many security and correctness issues –Attacker gets to execute some code on user’s machine –Often used to exploit other vulnerabilities Cross Site Scripting Attacker goal: their code into browser XSS forces a website visitor to execute malicious code in his/her browser XSS forces/


Web Application (LAMP*) Security Attack and Defense for System Administrators *LAMP (linux, apache, mysql, php/perl/python) application security.

securing a (LAMP) web application as soon as possible when changing code is not an option. Attack (Hired Pen test) Cross Site Scripting (XSS) SQL injection Insecure Code Defense (Sys Admin) Application level (mod_sec) Network level (snort) /tripwire.com http://inotify-tools.sourceforge.net/ (iNotify toolset) Cross Site scripting: http://www.xssed.org (Cross site scripting attacks archive) Backdoor web shells: http://www.sh3llz.org (list of /


BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

a scheme that empowers user? 27 References 1. M. Ter Louw, V.N. Venkatakrishnan. BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers, IEEE Symposium on Security & Privacy, 2009 2. DP, KF, et al. www.xssed.com, Cross-site Scripting Attacks Information, 2007-present 3. UIC, http://sisl.rites.uic.edu/blueprint, BLUEPRINT information site (Wiki), 2009 4. Wikipedia, http://en.wikipedia.org/wiki/


Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 3 Application and Network Attacks.

Web applications –Hardening the Web server –Protecting the network 5 Figure 3-1 Web application infrastructure © Cengage Learning 2012 Web Application Attacks (cont’d.) Common Web application attacks –Cross-site scripting –SQL injection –XML injection –Command injection / directory traversal 7 Figure 3-2 Web application security © Cengage Learning 2012/


Cross-domain leakiness Divulging sensitive information & attacking SSL sessions Chris Evans - Google Billy Rios - Microsoft.

valid JavaScript Valid JavaScript from remote domain will execute just fine Can't read source but can observe side effects from executing source Cross-site script inclusion XSSI: stealable constructs Function callback o e.g. "callback_func(1, data);" Setting variables o e.g."var result /XSRF protection is to compare nonce with URL param For apps at scale, store nonce in cookie Now, attacker controls nonce cookie and URL param! Cookie forcing App logic cookies Some cookies affect app logic Irritations o /


SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

to display the user’s name to the screen (“I see you username”). Cross-site Scripting (XSS) Trick client browser to execute malicious code (JS/HTML) Targets clients of Web applications, not application itself Parties involved: –Attacker –Server –Client (victim) – runs malicious code in browser Cross-site scripting attacks 1.Victim uses a web site that sets cookies on victim’s browser 2.Victim clicks on a URL link/


Unit 2: Cyber Security Part 4 Vulnerabilities/Attacks.

frames) It is possible for the web page developer to add a little frame busting code to their web documents, but that can be defeated as well. Clickjacking Attacks Vulnerabilities Cross Site Scripting Vulnerabilities Cross-site scripting an attack, like many others requires a hacked or otherwise maliciously crafted __________ Educating users about this risk and logging into social media manually rather than from web links can help/


Session Management Dan Boneh CS 142 Winter 2009. Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be.

as wireless Café ? Other reasons why session token sent in the clear:  HTTPS/HTTP mixed content pages at site  Man-in-the-middle attacks on SSL Example 2: Cross Site Scripting (XSS) exploits Amplified by poor logout procedures: Logout must invalidate token on server Session fixation attacks Suppose attacker can set the user’s session token: For URL tokens, trick user into clicking on URL For cookie/


EECS 354 Network Security Cross Site Scripting (XSS)

host server to steal data, even root a box SQL injection to read arbitrary database information Shell attacks, direct object reference, directory traversal, and more Client side attacks Web Application Security Server side attacks Client side attacks Exploiting users’ trust in their browser Javascript attacks on other clients Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) Browser Basics Document Object Model (DOM) An interface to access HTML elements dynamically/


Team Members: Brad Stancel,

Team Members: Brad Stancel, Mark Szarka, And Benjamin Moore Presentation Overview Why it's Important to Study Affected Languages Types & Examples of Attacks Proposed Solutions Methods used to circumvent XSS prevention Demo of Online Tutorial Conclusion and Questions Overview - What is Cross Site Scripting? Referred to as XSS Is a type of code injection that circumvents browser security Gains unauthorized access to sensitive information Cookies/


Forensics Book 4: Investigating Network Intrusions and Cybercrime

files Error messages such as 500 errors, “internal server error,” and “problem processing your request” Types of Web Attacks Attacks include: Cross-site scripting (XSS) attack Cross-site request forgery (CSRF) SQL injection Code injection Command injection Parameter tampering Cookie poisoning Buffer overflow Cookie snooping DMZ protocol attack Zero-day attack Cross-Site Scripting (XSS) Application-layer hacking method used for hacking Web applications Occurs when a dynamic Web page gets malicious data/


Web Security. Why Web Security: a Real Business Problem > 60% of total attack attempts observed on the Net are against Web applications > 60% of total.

: –Prove issue to be a non-problem or –Describe actions to take Web Attacks Cross Site Scripting (XSS) Cross Site Scripting (XSS) SQL Injection SQL Injection Shell Attacks Shell Attacks If interested in more XPATH Injection XPATH Injection LDAP Injection LDAP Injection SSI Injection SSI Injection JSP Injection JSP Injection Cross Site Scripting Attacker goal: their code into browser Attacker goal: their code into browser XSS forces a website visitor to execute malicious code/


Chapter 8. Copyright Pearson Prentice-Hall 2010  Some attacks inevitably get through network protections and reach individual hosts  In Chapter 7, we.

is the malicious code that was injected at the beginning of the file: /**/eval(base64_decode("aWYoZnVuY3Rpb25f ZXhpc3RzKCdvYl9zdGFydCcpJiYhaXNzZXQo... (this continues on) 8  Buffer Overflows  Stack Overflows  Cross-Site Scripting (XSS)  SQL-Injection Copyright Pearson Prentice-Hall 2010 9  Buffer Overflow Attacks ◦ Buffers are places where data is stored temporarily ◦ A condition at an interface under which more input can be placed into a buffer or data/


1 Part 2: Attacks and Countermeasures u Vulnerabilities u System Attacks  Virus, Trojan, Worm  Buffer overflow  Rootkit  Zombies  Web based attacks.

u Type 2  A message board contains crafted URLs that can send cookies to the attacker u Many attacks, including the recent gmail attack were done via XSS 22 Gmail Attack [from a blog] Haochi Chen discovered what looks like a Gmail XSS (cross-site scripting) security problem. Using a small piece of JavaScript you can put on any server, the user’s contact names & email addresses/


Java.sun.com/javaone/sf | 2004 JavaOne SM Conference | Session 1703 1 How to Attack Java™ 2 Platform, Enterprise Edition (J2EE) Applications Jeff Williams.

subject to all local laws and customs, and may be… | 2004 JavaOne SM Conference | Session 1703 4 Agenda Network Security Is Irrelevant A Tool for Attacking Testing J2EE Apps Cross Site Scripting SQL Injection Session Hijacking Denial of Service Attacks Breaking Access Control Error Handling and Logging Weak Cryptography Malicious Code | 2004 JavaOne SM Conference | Session 1703 5 Hackers Trick Your Code Network protection means/


MIS 5211.001 Week 9 Site:

 Inject parameters when Flash object is embedded in an HTML page  Cross Domain Privilege Escalation  Access and modify DOM  Cross Site Scripting  Access and modify DOM  Cross Site Flashing  Call another flash object from flash MIS 5211.00152  Just a teaser at this point  JavaScript is a primary infection path with web site based attacks  Used for:  Cross Site Scripting (XSS)  Cross Site Request Forgery (CSRF)  Direct Delivery  Downloaders  Droppers  Keyloggers  And anything/


Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior Disclaimer Everything that will be shown was created for strictly educational purposes. You may reuse these materials in any way you wish, but you are held responsible for any damage caused as a result of using the code/method/actions. What are XSS Attacks? An XSS attack is when an attacker manages to inject JavaScript code or sometimes other code (usually/


1 Secure Web Site Design Dan Boneh CS 155 Spring 2006.

user using same cache server Defense: don’t do that. 28 Summary thus far 29 App code Little programming knowledge can be dangerous: Cross site scripting SQL Injection HTTP Splitting What to do? Band-aid: Web App Firewall (WAF)  Looks for attack patterns and blocks requests  False positive / false negatives Code checking 30 Code checking Blackbox security testing services: Whitehatsec.com Automated blackbox testing/


XSS-GUARD : Precise Dynamic Prevention of Cross Site Scripting (XSS) Attacks Prithvi Bisht (http://cs.uic.edu/~pbisht) Joint work with : V.N. Venkatakrishnan.

Systems and Internet Security Laboratory Department of Computer Science University of Illinois, Chicago USA XSS attacks : number one threat …and the trend continues...  Second half of 2007 : 80% of all attacks/ (response time) Parse tree comparison is rarely done : in presence of attacks, or scripts embedding user inputs. These numbers indicate worst case performance –  Negligible network/


Web Application Security ECE 4112. ECE 4112 - Internetwork Security What is a Web Application? An application generally comprised of a collection of scripts.

resources. Can also be used to change cookie values. ECE 4112 - Internetwork Security What you will do in this lab: Information Gathering using nmap and netcat SQL Injection OS Commanding Cross Site Scripting Phishing Attacks Achilles Web Proxy ECE 4112 - Internetwork Security Resources Lecture Slides excerpted from:  http://www.securityfocus.com/infocus/1709  http://www.securityfocus.com/infocus/1722  http://www.securityfocus.com/infocus/


Security Attacks CS 795. Buffer Overflow Problem Buffer overflows can be triggered by inputs that are designed to execute code, or alter the way the program.

template, include an input control such as a TextBox control and add a validation control. In addition, when extracting the value of the control, you should encode it. Cross-site Scripting Attack Video: https://www.youtube.com/watch?v=_Z9RQSnf8-g Video: https://www.youtube.com/watch?v=r79ozjCL7DA http://www.acunetix.com/websitesecurity/xss.htm http://www.cgisecurity.com/xss-faq/


Security Attacks CS 795. Buffer Overflow Problem Buffer overflow Analysis of Buffer Overflow Attacks.

template, include an input control such as a TextBox control and add a validation control. In addition, when extracting the value of the control, you should encode it. Cross-site Scripting Attack http://www.acunetix.com/websitesecurity/xss.htm http://www.cgisecurity.com/xss-faq.html http://www.imperva.com/resources/glossary/cross_site_scripting/


Cross Site Scripting (XSS) Attack Chien-Chung Shen

customers view a web page, and so on –Tools -> Page Info -> Cookies It may be possible for third parties to steal cookies from an innocent client’s browser by mounting cross-site scripting attack How JavaScript Set/Change Cookies Example: WealthTracker.html (by Prof. Avi Kak @ Purdue) Downloading web page WealthTracker.html from the server constitutes one session –Enter a string for your name/


Same Origin Policies Hidetake Jo.

attacker can set domain to live.com and access clock.live.com! Threats: All eggs in one basket (*.google.com or *.live.com). Cross-subdomain communication. Risk Domain Lowering Cross-Site Request Forgery Putting all the eggs in one basket Cross-Site/= Trouble Cross-domain Get/Post can introduce CSRF. Incorrectly configured RIA policy files and apps can introduce cross-site access. Lenient subdomain rule for cookie access makes hosting multiple sites a challenge. Cross-domain resource sharing of script, json,/


SEC835 OWASP Top Ten Project.

– Insufficient transport layer protection A10 – Unvalidated redirects and forwards Cross-Site Scripting and Injection Flaws See Week 10 materials Insecure Direct Object Reference A direct object reference occurs when a developer exposes a reference to an internal implementation object, such as a file, directory, database record, or key, as a URL or form parameter. Attackers can manipulate those references to access other objects without/

