Preventing Image based Cross Site Request Forgery Attacks

Size: px
Start display at page:

Download "Preventing Image based Cross Site Request Forgery Attacks"

Transcription

1 Preventing Image based Cross Site Request Forgery Attacks Ramarao R, Radhesh M, Alwyn R Pais Information Security Lab, Department of Computer Engineering, National Institute of Technology Karnataka, Surathkal, Karnataka, INDIA {ramisetty.ramarao, radhesh, alwyn.pais}@gmail.com Abstract Cross Site Request Forgery (CSRF) is an attack on web applications which exploits the trust of authenticated users. This attack allows a partially compromised site to make arbitrary HTTP requests on behalf of victim user who is currently logged in to a site. Currently very few defensive mechanisms like secret validation token, referer header, custom HTTP header and origin header are available to prevent this attack. In this paper, we present a client-side proxy solution that detects and prevents CSRF attacks using IMG element or other HTML elements which are used to access the graphic images for the webpage. Keywords: Cross-Site Request Forgery, Client-side proxy solution, Image based CSRF. 1 Introduction Cross-site Request Forgery [3] (abbreviated CSRF or XSRF, one-click attack, sometimes also called Session Riding ) is a new class of attack on web applications which exploit the trust of authenticated users. By launching a successful CSRF attack against the authenticated user, an attacker is able to initiate arbitrary HTTP requests using the user credentials to the vulnerable web application. A successful CSRF attack effectively bypasses the underlying authentication mechanism and it can compromise the end user data and operation. If the victim account has administrator rights, this attack can compromise the entire web application. In contrast to Cross-site scripting (XSS) and SQL injection attacks, CSRF attack is little-known to the web application developers and academic community [2]. As a result, few mitigation solutions exist but these do not offer complete protection against CSRF, or require modifications to the existing web applications that need to be protected. In this paper, we present a client-side proxy solution which provides protection from CSRF attacks using IMG (image) elements. More precisely, our client-side proxy solution detects and prevents all kinds of image based CSRF attacks in a way that is transparent to the users as well as to the web application itself. OWASP s open source Webscarab proxy plug-in [4] in the CSRFTester tool is used as a client-side proxy. The paper is organized as follows: Section 2 gives the required technical background details. Section 3 illustrates image based CSRF attack with an example. Sections 4, 5 and 6 explain the solution to prevent image based CSRF attack, its implementation details and experimental results respectively. 2 Technical Background In this section we introduce the basic concept of HTML image elements and the CSRF attack. 2.1 Image Retrieval HTML has the ability to include images with text in the following ways: as an inline image, as a background image, or can be linked to a different image source via hyperlink. When a browser requests a webpage, it can t know that the page has an image. The browser realizes this only when it parses the HTML within the response. At this point the browser sends a separate HTTP GET request to the web server to retrieve the image. The web server replies with the requested image data [8]. The HTML IMG element is widely used for embedding images into the document and is supported by all major web browsers. The basic attributes of IMG element are: align, alt, border, dynsrc(ie), height, hspace, ismap, lowsrc(netscape), name(netscape), src, usemap, vspace and width [8,9]. The src attribute of IMG element is used to provide the absolute or relative URI (Uniform Resource Identifier) of the image to be displayed. The lowsrc attribute is used to specify the URI of the low resolution equivalent of the image specified by the src attribute, but it is supported only by Netscape. The dynsrc attribute loads a movie file instead of a still picture file. Browsers that recognize dynsrc will ignore the link specified in the src attribute. The alt attribute is used to give replacement text, which will be displayed when the requested image is not loaded. The longdesc attribute gives the link to a long description of the image. The following code illustrates the usage of these attributes of IMG element to retrieve images: <IMG src="logo1.gif" /> <IMG src= logo1.gif lowsrc="logo1_lowres.gif" /> <IMG src="logo1.gif" alt= logo longdesc= logo.html /> <IMG src="sample.gif" dynsrc="test.avi"> The ismap and usemap attributes for the IMG element tells the browser that the image is a special mouse-selectable visual map of one or more hyperlinks, commonly known as an image map. The ismap attribute is used to indicate the user s mouse actions over the image and it is processed using

2 a server-side image map. When the user clicks on an area of the image using the mouse, the coordinates are sent back to the server in the form of a query string in the URI [10]. The images can also be displayed on a webpage by specifying the URI of the image in the src attribute of INPUT element, data attribute of OBJECT element, or the background attribute of the BODY, TABLE or TD elements. If the type attribute value is image in the INPUT element, then it creates an image, which can be used as a button. The src attribute must be included to specify the URI of the image. Image can be accessed using the OBJECT element, by setting the type attribute value to image and URI of the image to data attribute. The following code illustrates the above explained elements: <INPUT type="image" src="submit.gif" /> <OBJECT type="image/jpg" data="logo3.gif"></object> <BODY background= "background1.gif" > <TABLE background= background2.gif > <TD background= background3.gif > In Cascading Style Sheets (CSS), background:url( URI ); and background-image: url( URI ); attributes are used to specify the image as shown below: body { background: url ("background2.gif"); background-image: url ("background3.gif"); } In JavaScript, Image() object is used to specify the target image location. An example code snippet is shown below: <script> var imageobj = new Image(); imageobj.src= logo.gif ; </script> An attacker can include a CSRF attack code or redirect the victim to a malicious webpage using a suitable value for the src attribute. The CSRF attack is not possible with alt, name, height, width, usemap and ismap attribute values of IMG element. The attacker can also create a CSRF attack using CSS background, background-image attributes and JavaScript image objects. 2.2 Cross Site Request Forgery This section presents basics of CSRF attack, real-world CSRF attacks and an overview of its existing defenses Understanding the CSRF attack Cross Site Request Forgery attack is ranked at 5 th position in the Open Web Application Security Project (OWASP) top 10 web application threats in 2007 [3]. It is an attack that tricks the victim into loading a page that contains a malicious request. It is malicious in the sense that it inherits the identity and privileges of the victim to perform an undesired function on the victim's behalf, like change the victim's password, e- mail address, or purchase something. These attacks generally target functions that cause a state change on the server but can also be used to access sensitive data. For most sites, after a successful initial authentication, web browsers will automatically include any credentials associated with the site in further requests without user interaction. The credentials associated with the site are Session Cookie, HTTP authentication credentials, IP address, Windows domain credentials, etc. Therefore, if the user is currently authenticated to the site, the site will have no way to distinguish a malicious request from a legitimate user request [1]. Any action that an authenticated user can perform on the vulnerable website can be performed by an attacker by utilizing CSRF. This could include posting content to a message board, subscribing to an online newsletter, logout, purchase an item, change account information or any other function provided by the vulnerable website. This attack can also be used as a vector to exploit existing XSS flaws in a given application. For example if there is a XSS issue on an online forum or blog, an attacker could force the user through CSRF attack to post a copy of the next big website worm. An attacker could also utilize CSRF to relay an attack against a chosen site, as well as perform a Denial of Service (DoS) attack in the right circumstances [11]. In the web based applications, the CSRF attack can be carried out in different ways. The attack could be done using HTML IMG Tag or a specially crafted URL embedded into the Target application. This works for sure since the victim will be logged into the application. Sometimes, it is possible to store the malicious code using IMG, IFRAME element or XSS in a field that accepts HTML and perform CSRF attack on the vulnerable site itself. Such vulnerabilities are called Stored CSRF attacks. If the attacker stores a CSRF attack code in the site then the severity of the attack is high. The likelihood is increased because the victim is more likely to view the page containing the attack code than some random page on the Internet. Another way of doing it is attacker host a site/blog and influences the victim to visit the site. This site in turn would contain the malicious request. This kind of attack is called reflected CSRF attack. This might not work always as the user may not be currently logged into the target system when the exploit is tried. Several CSRF vulnerabilities against real-world web applications have been discovered [12]. In January 2007, vulnerability in Gmail was discovered which allowed an attacker to steal a Gmail user's contact list. The vulnerability in Netflix allowed an attacker to change name and address of the victim s account as well as add movies to the rental queue [13]. In January 2008, by accessing the malicious IMG element in the sent by an attacker, the user initiated a router command to change the DNS entry and making any subsequent access by the user to the bank go through the attacker's server [14]. In September 2008, Bill zeller [15] found CSRF vulnerabilities in 4 major web sites. These

3 vulnerabilities allow an attacker to transfer funds out of user s bank accounts (ING Direct), add videos to a user s Favorites (YouTube), take control of user s account (MetaFilter) and find out the address of an arbitrary user (The New York Times). All of these vulnerabilities were fixed. CSRF vs. XSS: Cross-Site Scripting (XSS) attack exploits the trust that a client has for the website or application. Users generally trust that the content displayed in their browsers was intended to be displayed by the website being viewed. In contrast, CSRF exploits the trust that a site has for the user. The website assumes that if an 'action request' was performed, it trusts that the request is being sent by the user [11] Existing CSRF defenses There are few mechanisms a site can use to defend itself against CSRF attacks: validating a secret token, validating the HTTP Referer header, including additional headers with XMLHttpRequest and the Origin header. None of these mechanisms completely defend against CSRF attacks [5]. Secret Validation token: In each HTTP request a secret token is sent as additional information that can be used to determine whether the request came from an authorized source. If the request missing a validation token or the token does not match the expected value, the server will reject the request. The Referer Header: In many cases, browser includes Referer header while sending a HTTP request to indicate which URL initiated the request and is used to distinguish a same-site request from a cross-site request. So it can prevent CSRF attack by checking whether the request in question was issued by the site itself or not. Custom HTTP Headers: The browser prevents sites from sending custom HTTP headers to another site but allows sites to send custom HTTP headers to themselves using XMLHttpRequest. To use custom headers as a CSRF defense, a site must issue all state-modifying requests using XMLHttpRequest, attach the custom header, and reject all state-modifying requests that are not accompanied by the header. Origin Header: The browser sends the Origin header with all the POST requests to identify the origin that initiated the request. If the browser cannot determine the origin, the browser sends the value null. The server rejects the requests whose Origin header contains an undesired value (including null). 3 Image based CSRF attacks Cross site request forgery attacks exploit the browsers feature of sending authentication information along with every POST/GET HTTP request to the target application. An attacker identifies a URL on a website like a banking application that performs some functions like purchase, money transfer or any transaction or update account. An attacker posts the malicious URL in a web page on which they have control. When the victim visits the web page the URL is triggered (via an Image Request). The browser sends the authenticated information to the particular website along with that request [16]. Image based CSRF attack works by including HTML image elements, attributes or image objects in a page that accesses a site to which the user is known (or is supposed) to have authenticated. For example [13], a banking site provides a HTML form to place online credit transfers. This form uses the GET method and has the action URL /transfer.php. This form is only accessible by properly authenticated users. One user, Alice, is logged into bank.com website and at the same time browsing a chat forum ABC, where another user, Mary, has posted a message to the forum. Suppose that Mary has crafted an HTML image element that references a feature or web page on Alice's bank's website (rather than an image file).e.g. <IMG src= &amount=100000&for=mary width= 0 height= 0 /> Figure 1. CSRF attack using IMG element. We assume that the bank website keeps Alice authentication information in a cookie. If the cookie hasn't expired, and at the same time Alice views the crafted message sent by Mary, then the Alice s browser will attempt to load the image, and it will submit the transfer request with Alice credentials to bank.com server without requiring any further interaction from the Alice. Thus authorizing the malicious transaction by the bank s server. Figure 1 shows the process of CSRF attack in the above example. The following is another simple example to illustrate realworld image based CSRF attack request (crafted by one of the authors) to logout of their authenticated Gmail session: <IMG src=" width= 0 height= 0 /> Suppose an attacker places the above CSRF attack code in a vulnerable website. When an authenticated Gmail user visits the vulnerable site, the browser sends a request to retrieve the image specified in the IMG src attribute, thus sending a logout request to Gmail, with the users credentials. This

4 results in successful logout from Gmail. Due to the lack of anti-csrf mechanism, many websites are vulnerable to this logout CSRF attack. It is not a severe attack but it clearly explains how Image based CSRF attacks can be used against websites to perform malicious activities and cause inconvenience to the users. The HTML IMG element is used as a common method to perform the CSRF attack. It is by no means that only this element can be used to perform this attack. The other HTML image elements and attribute values mentioned in section 2.1 can be used to perform the CSRF attack. The script and iframe elements are also used to perform this attack. These elements have URLs embedded within them that create an automatic HTTP request with a malicious action. The attacker can also create a CSRF attack using JavaScript image objects. The GET requests are especially vulnerable to CSRF attack, but POST requests are not immune. An attacker can use JavaScript to auto submit the malicious form to a target location on a victim's website. Performing CSRF attack for POST request is much more difficult than GET request but the attack is still possible. The CSRF attack takes advantage of the fact that many users tend to forget to logout of the web applications they have used. This does not provide the web applications a chance to clear their session IDs or other types of session information from the cookie, allowing the CSRF attack to be successful even when the user is not actively browsing vulnerable websites. 4 Prevention of Image based CSRF attacks We propose a client-side solution to enable security conscious users to protect themselves against Image based CSRF attacks. Concept: The CSRF attacks are possible due to the fact that the browser automatically sends the GET requests for all kinds of HTML image elements while rendering a webpage. By using these image elements, it is very simple to exploit any vulnerable website. This is because, the web browsers do not validate the URL specified by the IMG element attribute before sending a request for that image. Identification of suspicious image elements: Most of the websites use the static image URLs to obtain the images in their web pages. The widely recognized image formats include GIF, JPEG, and PNG. The other formats supported by popular browsers are jpg, bmp, xbm. So if the website uses a static image URL then the URL must end with gif, jpeg, jpg, png, bmp or xbm extension. We can successfully mitigate the CSRF attacks using static image URL by checking the URL extensions and validating the URL specified in all types of image elements before the browser renders the webpage. Our solution works as a local proxy on the user s computer and disables the automatic dispatching of GET requests for all image elements. The proxy identifies all the image elements in the response and validates the URL for each image element in the webpage source code. If the proxy detects any invalid URL, it disables that image element in the webpage. If there is a dynamic image in the webpage, an alert is displayed to the user and based on the user response the image request is processed or blocked. 4.1 A Proxy-Based Solution Figure 2. Client-Side Proxy Solution. We chose to implement our solution in the form of a proxy because this approach enables CSRF protection for all the web browsers. Figure 2 shows the general setup of the web browser, the client side proxy and the web server. Identification of suspicious requests: The proxy resides between the client s web browser and the web application s server. Every HTTP request and response is routed through the proxy. Due to the fact that the browser and the proxy are separate entities, the proxy is unable to identify how a HTTP request is initiated for the images. To decide an image element is legitimate or suspicious of CSRF, we introduce the following classification criteria: Once the response is received from the web server for each request, the client-side proxy checks for image extensions in the static image URLs. If any invalid URL is found then the proxy blocks that image element by enclosing it within the CDATA element and it forwards the response to the browser. If the response contains valid image URLs then the proxy forwards response content intact to the browser without any modifications Limitations Our current proxy solution successfully prevents the CSRF attack using all kinds of static image URLs except the JavaScript Image objects. In this solution, we are blocking the dynamic image URLs in the response page because these do not have the image extensions (.jpg etc.) like static image URLs. The IMG attribute longdesc can be used to specify the attacker s controlled site where he posted a malicious code. So an attacker can redirect the user and perform the CSRF attack using this attribute. Our solution is not immune to this kind of attack. We are providing an option to the user to block this attribute as a partial solution Future work Validating JavaScript image objects is yet to be implemented. The existing code can be extended to include this functionality to protect against JavaScript image object based CSRF attacks. We used CSRFTester tool and Webscarab proxy plug-in present in that tool as the proxy to execute and test our implementation. A separate GUI need to be

5 implemented to make it as a separate tool. Usage of dynamic image URLs in the webpage is very less as compared to static image URLs and these are used mainly for advertisements. So blocking advertisements is advantageous to the users, but some users may want to see the advertisement or some websites restrict the user to login to the site only after viewing the advertisement. We can provide more number of options to the user such as allow or block the dynamic images, view the list of images in the webpage etc. This solution can also be made browser specific by creating an add-on to the browsers like Firefox. 5 Implementation Details We used OWASP s CSRFTester tool to test our implementation. CSRFTester tool attempts to give developers the ability to test their applications for CSRF flaws [4]. The Webscarab proxy plug-in in the CSRFTester sets up a HTTP proxy and listens by default on localhost port This plug-in accepts both HTTP and HTTPS requests. We implemented image based CSRF attack detection and prevention code in Java and is integrated with webscarab proxy plug-in. It is an open source code and is available at [17]. Java regular expression functions are used to validate the extensions of static image URLs. The sample procedure for checking IMG element URLs in the response is as follows: 1. Obtain all IMG elements from the response by compiling the regular expression pattern "<\\s*img[<^>]+>" 2. Obtain URLs present in all IMG elements by compiling the pattern "src\\s*=\\s*(' \"){0,1}\\s*([^\\s\"\'\\(\\;\\#\\&\\<\\?][A-Zaz0-9\\_\\.\\/\\:\\-\\%\\~]*)\\s*(' \"){0,1}" 3. Check the extension of each URL by compiling the pattern ".*\\.(gif png jpg jpeg bmp xbm)$". If the image URL matches with the extension then it is valid. Otherwise it is treated as invalid and that image element is included inside the CDATA section. We can delete the malicious image elements if we don t want to comment it with CDATA. CDATA sections are used to escape blocks of text containing characters that would otherwise be regarded as markup. The only delimiter that is recognized in a CDATA section is the "]]>" string that ends the CDATA section. Putting <![CDATA[...]]> round a section essentially says "do not parse this section - everything in it should be interpreted as characters". The primary purpose of CDATA is to include material such as XML fragments, without needing to escape all the delimiters [6]. The same procedure is followed for other image elements and attributes. 6 Experimental Results To test our implementation, initially we gathered different types of IMG elements (including XSS attacks using IMG element) with all attributes and their values, INPUT, OBJECT elements, background attribute and CSS background: url (), background-image: url() attribute values. Our implementation successfully disabled these image based CSRF attacks from executing. The following are the websites tested for finding image based CSRF attacks. The experimental results from Table 1 show that our current implementation successfully blocked all the static image elements containing CSRF attack code and also the dynamic image elements present in the response. The CSRF attacks are much harder to test because the attacker can include the malicious IMG tag whenever required and delete them once the attack is successful on the victim(s). Website Localhost (all images are malicious) com timesofindia.i ndiatimes.com cmt.nitk.ac.in (NITK forum) Total Images Blocked Images Table 1. Tested Applications Reason for blocking the Images The image source contains malicious code (including XSS script, logout URLs etc.) The site uses dynamic URLs inside the IMG element for displaying advertisements. The site uses CMS system to generate dynamic image URLs. The site contains Gmail, cmt site Logout and message URLs [posted by the author (login required)] Figure 3 shows the sample output of our implementation, when it is tested on cmt.nitk.ac.in chat forum. This website is vulnerable to image based CSRF attacks since it is allowing the users to post (malicious) HTML content in the forum. 7 Related Work Figure 3. Test results on cmt.nitk.ac.in chat forum Our analysis of the main existing CSRF defenses is provided in section The other defensive approaches which use proxy are as follows. RequestRodeo is the first client-side solution for protection against Session Riding attacks [1]. It prevents CSRF attack by stripping the implicit authorization information (i.e. cookie header etc.), from the outgoing crosssite HTTP requests. But the limitation of RequestRodeo is, it cannot automatically distinguish legitimate cross-site requests from attacks. NoForge [2] is a server-side proxy used to defend PHP applications against CSRF attacks. In this, the

6 proxy is located between the web server and the protected web applications. This proxy is able to inspect and modify client requests as well as the application s replies (output) automatically and transparently extend applications with the secret token validation technique. 8 Conclusion Cross Site Request Forgery is one of the widely exploited vulnerability in web sites. In this attack, the trust of web application in its authenticated users is exploited and it allows an attacker to make arbitrary HTTP requests in the victim s name. CSRF attacks using IMG elements are very simple and easy to exploit. We have proposed a simple and effective solution to detect and prevent CSRF attacks using image elements which use static URLs with a client-side proxy. This enables the users to protect themselves against CSRF attacks using any browser. Acknowledgements We thank Jevitha KP who helped in integrating the implemented code to CSRFTester tool and for proof reading of this paper. This work was supported by the Department of Information Technology, Government of INDIA under ISEA project. We would also like to thank Department of Computer Engineering, NITK Surathkal for providing all facilities to complete this research work. References [1] J.Martin, Justus Winter. RequestRodeo: Client Side Protection against Session Riding. In OWASPAppSec2006Europe, [2] J.Nenad, K.Engin, K.Christopher. Preventing Cross Site Request Forgery attacks. In securecomm and workshops, [3] Cross-Site Request Forgery. Cross-Site_Request_Forgery, May, [4] OWASP CSRFTester Project. index.php/ Category: OWASP_CSRFTester_Project, May, [5] A.Barth, C.Jackson, and J.C.Mitchell. Robust defenses for crosssite request forgery. In Proc. ACM Conference on Computer and Communications Security (CCS), Oct, [6] Mike Champion, Steve Byrne. Document Object Model (core) level1. html#id-e067d597. May, [7] The web hacking incidents database. projects/whid/byid_id_ shtml, 2008 [8] Chuck Musciano, Bill Kennedy. HTML & XHTML: The Definitive Guide, Fifth Edition. Aug, [9] Image-Inline Image. special/img.html. May, [10] HTML input type attribute. /att_input_type.asp. May, [11] Robert Auger. The Cross-Site Request Forgery (CSRF/XSRF) FAQ. Apr, [12] OWASP. Top ten most critical web application security vulnerabilities. Whitepaper. / Top [13] Cross-site request forgery. request forgery. May, [14] Cyrill Brunshewiler. Cross Site Request Forgery. csnc.ch/misc/files/publications/compass_event08_csrf_bru_v1.0.pdf. Sept, [15] Bill Zeller, Cross-Site Request Forgeries: Exploitation and Prevention. /files/csrf.pdf. May [16] Sapna satish. CSRF- The hidden menace. June, [17] Ramarao R. Tool for preventing image based CSRF attacks. May, 2009.

Web Application Security. Philippe Bogaerts

Web Application Security. Philippe Bogaerts Web Application Security Philippe Bogaerts OWASP TOP 10 3 Aim of the OWASP Top 10 educate developers, designers, architects and organizations about the consequences of the most common web application security

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

Web basics: HTTP cookies

Web basics: HTTP cookies Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the

More information

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends

More information

Information Security CS 526 Topic 11

Information Security CS 526 Topic 11 Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2018 CSCD 303 Essential Computer Security Fall 2018 Lecture 17 XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate security of Web Browser/Server

More information

CSCD 303 Essential Computer Security Fall 2017

CSCD 303 Essential Computer Security Fall 2017 CSCD 303 Essential Computer Security Fall 2017 Lecture 18a XSS, SQL Injection and CRSF Reading: See links - End of Slides Overview Idea of XSS, CSRF and SQL injection is to violate the security of the

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,

More information

P2_L12 Web Security Page 1

P2_L12 Web Security Page 1 P2_L12 Web Security Page 1 Reference: Computer Security by Stallings and Brown, Chapter (not specified) The web is an extension of our computing environment, because most of our daily tasks involve interaction

More information

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Computer Security 3e. Dieter Gollmann.  Chapter 18: 1 Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter

More information

Application vulnerabilities and defences

Application vulnerabilities and defences Application vulnerabilities and defences In this lecture We examine the following : SQL injection XSS CSRF SQL injection SQL injection is a basic attack used to either gain unauthorized access to a database

More information

WEB SECURITY: XSS & CSRF

WEB SECURITY: XSS & CSRF WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often

More information

Information Security CS 526 Topic 8

Information Security CS 526 Topic 8 Information Security CS 526 Topic 8 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive

More information

CIS 4360 Secure Computer Systems XSS

CIS 4360 Secure Computer Systems XSS CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection

More information

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang WEB SECURITY WORKSHOP TEXSAW 2014 Presented by Solomon Boyd and Jiayang Wang Introduction and Background Targets Web Applications Web Pages Databases Goals Steal data Gain access to system Bypass authentication

More information

Lecture Overview. IN5290 Ethical Hacking

Lecture Overview. IN5290 Ethical Hacking Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp

More information

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp

More information

Client Side Injection on Web Applications

Client Side Injection on Web Applications Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to

More information

Robust Defenses for Cross-Site Request Forgery Review

Robust Defenses for Cross-Site Request Forgery Review Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic

More information

Common Websites Security Issues. Ziv Perry

Common Websites Security Issues. Ziv Perry Common Websites Security Issues Ziv Perry About me Mitnick attack TCP splicing Sql injection Transitive trust XSS Denial of Service DNS Spoofing CSRF Source routing SYN flooding ICMP

More information

Preparing for the Cross Site Request Forgery Defense

Preparing for the Cross Site Request Forgery Defense Preparing for the Cross Site Request Forgery Defense By Chuck Willis chuck.willis@mandiant.com Presented at Black Hat Briefings DC 2008 on February 20, 2008 Slides available at www.blackhat.com. Abstract:

More information

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application

More information

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing

More information

Computer Security CS 426 Lecture 41

Computer Security CS 426 Lecture 41 Computer Security CS 426 Lecture 41 StuxNet, Cross Site Scripting & Cross Site Request Forgery CS426 Fall 2010/Lecture 36 1 StuxNet: Overview Windows-based Worm First reported in June 2010, the general

More information

Robust Defenses for Cross-Site Request Forgery

Robust Defenses for Cross-Site Request Forgery Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login

More information

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Advanced Web Technology 10) XSS, CSRF and SQL Injection Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation

More information

CSC 482/582: Computer Security. Cross-Site Security

CSC 482/582: Computer Security. Cross-Site Security Cross-Site Security 8chan xss via html 5 storage ex http://arstechnica.com/security/2015/09/serious- imgur-bug-exploited-to-execute-worm-like-attack-on- 8chan-users/ Topics 1. Same Origin Policy 2. Credential

More information

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output

More information

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Lecture 17 Browser Security Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422 Documents Browser's fundamental role is to display documents comprised

More information

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security. Attacking the Application Dave Ferguson, CISSP Security Consultant FishNet Security Copyright The Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 4 Week of February 13, 2017 Question 1 Clickjacking (5 min) Watch the following video: https://www.youtube.com/watch?v=sw8ch-m3n8m Question 2 Session

More information

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection Is Browsing Safe? Web Browser Security Charlie Reis Guest Lecture - CSE 490K - 5/24/2007 Send Spam Search Results Change Address? Install Malware Web Mail Movie Rentals 2 Browser Security Model Pages are

More information

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report.

GUI based and very easy to use, no security expertise required. Reporting in both HTML and RTF formats - Click here to view the sample report. Report on IRONWASP Software Product: IronWASP Description of the Product: IronWASP (Iron Web application Advanced Security testing Platform) is an open source system for web application vulnerability testing.

More information

C1: Define Security Requirements

C1: Define Security Requirements OWASP Top 10 Proactive Controls IEEE Top 10 Software Security Design Flaws OWASP Top 10 Vulnerabilities Mitigated OWASP Mobile Top 10 Vulnerabilities Mitigated C1: Define Security Requirements A security

More information

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14 Attacks Against Websites 3 The OWASP Top 10 Tom Chothia Computer Security, Lecture 14 OWASP top 10. The Open Web Application Security Project Open public effort to improve web security: Many useful documents.

More information

Overview Cross-Site Scripting (XSS) Christopher Lam Introduction Description Programming Languages used Types of Attacks Reasons for XSS Utilization Attack Scenarios Steps to an XSS Attack Compromises

More information

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew

More information

Web Security. Course: EPL 682 Name: Savvas Savva

Web Security. Course: EPL 682 Name: Savvas Savva Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk

More information

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11 Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:

More information

Web Application Security

Web Application Security Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14

More information

Web Security: Vulnerabilities & Attacks

Web Security: Vulnerabilities & Attacks Computer Security Course. Song Dawn Web Security: Vulnerabilities & Attacks Cross-site Scripting What is Cross-site Scripting (XSS)? Vulnerability in web application that enables attackers to inject client-side

More information

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP OWASP Top 10 Risks Dean.Bushmiller@ExpandingSecurity.com Many thanks to Dave Wichers & OWASP My Mom I got on the email and did a google on my boy My boy works in this Internet thing He makes cyber cafes

More information

CSCE 813 Internet Security Case Study II: XSS

CSCE 813 Internet Security Case Study II: XSS CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017 Outline Cross-site Scripting (XSS) Attacks Prevention 2 What is XSS? Cross-site scripting (XSS) is a code injection attack that

More information

RKN 2015 Application Layer Short Summary

RKN 2015 Application Layer Short Summary RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,

More information

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side www.ijcsi.org 650 Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI 1, S.USHA 2 1 Department of Computer and Communication, Sri Sairam Engineering College,

More information

WHY CSRF WORKS. Implicit authentication by Web browsers

WHY CSRF WORKS. Implicit authentication by Web browsers WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication

More information

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007 Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1

More information

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgery: The Sleeping Giant Jeremiah Grossman Founder and CTO, WhiteHat Security Cross-Site Request Forgeries (CSRF) 1. Session Riding 2. Client-Side Trojans 3. Confused Deputy 4. Web

More information

Copyright

Copyright 1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?

More information

OWASP Top 10 The Ten Most Critical Web Application Security Risks

OWASP Top 10 The Ten Most Critical Web Application Security Risks OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain

More information

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically. Secure Coding CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security Formatted output

More information

Automatically Checking for Session Management Vulnerabilities in Web Applications

Automatically Checking for Session Management Vulnerabilities in Web Applications Regular Paper Automatically Checking for Session Management Vulnerabilities in Web Applications Yusuke Takamatsu 1,a) Yuji Kosuga 2 Kenji Kono 1,3 Received: July 4, 2012, Accepted: October 17, 2012 Abstract:

More information

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in 1 This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in terms of prevalence (how much the vulnerability is widespread),

More information

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications

A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications A Server- and Browser-Transparent CSRF Defense for Web 2.0 Applications Riccardo Pelizzi System Security Lab Department of Computer Science Stony Brook University December 8, 2011 1 / 18 Riccardo Pelizzi

More information

More attacks on clients: Click-jacking/UI redressing, CSRF

More attacks on clients: Click-jacking/UI redressing, CSRF Web Security More attacks on clients: Click-jacking/UI redressing, CSRF (Section 7.2.3 on Click-jacking; Section 7.2.7 on CSRF; Section 7.2.8 on Defenses against client-side attacks) 1 Recall from last

More information

Web Security: Web Application Security [continued]

Web Security: Web Application Security [continued] CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Web Security II. Slides from M. Hicks, University of Maryland

Web Security II. Slides from M. Hicks, University of Maryland Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived

More information

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/

More information

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer. Application Layer Attacks Application Layer Attacks Week 2 Part 2 Attacks Against Programs Application Layer Application Layer Attacks come in many forms and can target each of the 5 network protocol layers

More information

Penetration Test Report

Penetration Test Report Penetration Test Report Feb 12, 2018 Ethnio, Inc. 6121 W SUNSET BLVD LOS angeles, CA 90028 Tel (888) 879-7439 ETHN.io Summary This document contains the most recent pen test results from our third party

More information

Cross-Site Request Forgery

Cross-Site Request Forgery Cross-Site Request Forgery Venkateshwar Reddy S, MBA (Banking Technology), Pondicherry Central University, Puducherry, bobby938@gmail.com. Project guide: Dr. N.P. Dhavale, Deputy General Manager, INFINET

More information

Web Security IV: Cross-Site Attacks

Web Security IV: Cross-Site Attacks 1 Web Security IV: Cross-Site Attacks Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab3 New terminator: http://www.cs.ucr.edu/~csong/sec/17/l/new_terminator Bonus for solving the old one

More information

WebGoat& WebScarab. What is computer security for $1000 Alex?

WebGoat& WebScarab. What is computer security for $1000 Alex? WebGoat& WebScarab What is computer security for $1000 Alex? Install WebGoat 10 Download from Google Code 20 Unzip the folder to where ever you want 30 Click on WebGoat.bat 40 Goto http://localhost/webgoat/attack

More information

Cross Site Request Forgery

Cross Site Request Forgery Cross Site Request Forgery VULNERABILITY OVERVIEW WHITE PAPER PUBLIC Version: 1.0 By: Acadion Security URL: http://www.acadion.nl/ Date: February 6, 2013 Address: Koornmarkt 46 2611 EH Delft Nederland

More information

last time: command injection

last time: command injection Web Security 1 last time: command injection 2 placing user input in more complicated language SQL shell commands input accidentally treated as commands in language instead of single value (e.g. argument/string

More information

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks

Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition. Chapter 3 Investigating Web Attacks Computer Forensics: Investigating Network Intrusions and Cyber Crime, 2nd Edition Chapter 3 Investigating Web Attacks Objectives After completing this chapter, you should be able to: Recognize the indications

More information

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side) Narendra Bhati @NarendraBhatiB http://websecgeeks.com Abusing Windows Opener To Bypass CSRF Protection Narendra Bhati Page

More information

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam. Eleonora Petridou Pascal Cuylaerts System And Network Engineering University of Amsterdam June 30, 2011 Outline Research question About Perslink Approach Manual inspection Automated tests Vulnerabilities

More information

Introduction to Ethical Hacking

Introduction to Ethical Hacking Introduction to Ethical Hacking Summer University 2017 Seoul, Republic of Korea Alexandre Karlov Today Some tools for web attacks Wireshark How a writeup looks like 0x04 Tools for Web attacks Overview

More information

Cross-Site Request Forgery in Cisco SG220 series

Cross-Site Request Forgery in Cisco SG220 series Cross-Site Request Forgery in Cisco SG220 series Security advisory 12/09/2016 Renaud Dubourguais Nicolas Collignon www.synacktiv.com 5 rue Sextius Michel 75015 Paris Vulnerability description The Cisco

More information

Some Facts Web 2.0/Ajax Security

Some Facts Web 2.0/Ajax Security /publications/notes_and_slides Some Facts Web 2.0/Ajax Security Allen I. Holub Holub Associates allen@holub.com Hackers attack bugs. The more complex the system, the more bugs it will have. The entire

More information

Content Security Policy

Content Security Policy About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training

More information

Acknowledgments... xix

Acknowledgments... xix CONTENTS IN DETAIL PREFACE xvii Acknowledgments... xix 1 SECURITY IN THE WORLD OF WEB APPLICATIONS 1 Information Security in a Nutshell... 1 Flirting with Formal Solutions... 2 Enter Risk Management...

More information

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1

Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability

More information

Exploiting and Defending: Common Web Application Vulnerabilities

Exploiting and Defending: Common Web Application Vulnerabilities Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,

More information

Sichere Software vom Java-Entwickler

Sichere Software vom Java-Entwickler Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer

More information

Solutions Business Manager Web Application Security Assessment

Solutions Business Manager Web Application Security Assessment White Paper Solutions Business Manager Solutions Business Manager 11.3.1 Web Application Security Assessment Table of Contents Micro Focus Takes Security Seriously... 1 Solutions Business Manager Security

More information

COMP9321 Web Application Engineering

COMP9321 Web Application Engineering COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Midterm 1 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported

More information

Hacking Intranet Websites from the Outside

Hacking Intranet Websites from the Outside 1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (Japan) 10.05.2006 Jeremiah Grossman (Founder and CTO) WhiteHat Security 2 WhiteHat Sentinel -

More information

Web Security. Thierry Sans

Web Security. Thierry Sans Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web

More information

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -

More information

Certified Secure Web Application Engineer

Certified Secure Web Application Engineer Certified Secure Web Application Engineer ACCREDITATIONS EXAM INFORMATION The Certified Secure Web Application Engineer exam is taken online through Mile2 s Assessment and Certification System ( MACS ),

More information

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH Faculty of Computer Science Institute of Systems Architecture, Operating Systems Group PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH THE WEB AS A DISTRIBUTED SYSTEM 2 WEB HACKING SESSION 3 3-TIER persistent

More information

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web

More information

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities

Ethical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand

More information

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS

CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 180 CHAPTER 8 CONCLUSION AND FUTURE ENHANCEMENTS 8.1 SUMMARY This research has focused on developing a Web Applications Secure System from Code Injection Vulnerabilities through Web Services (WAPS-CIVS),

More information

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

The PKI Lie. The OWASP Foundation  Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,

More information

CSWAE Certified Secure Web Application Engineer

CSWAE Certified Secure Web Application Engineer CSWAE Certified Secure Web Application Engineer Overview Organizations and governments fall victim to internet based attacks every day. In many cases, web attacks could be thwarted but hackers, organized

More information

Security. CSC309 TA: Sukwon Oh

Security. CSC309 TA: Sukwon Oh Security CSC309 TA: Sukwon Oh Outline SQL Injection NoSQL Injection (MongoDB) Same Origin Policy XSSI XSS CSRF (XSRF) SQL Injection What is SQLI? Malicious user input is injected into SQL statements and

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 6 March 2, 2011 Question 1 Cross-Site Scripting (XSS) (10 min) As part of your daily routine, you are browsing through the news and status updates

More information

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 CNIT 129S: Securing Web Applications Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2 Finding and Exploiting XSS Vunerabilities Basic Approach Inject this string into every parameter on every

More information

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015 INF3700 Informasjonsteknologi og samfunn Application Security Audun Jøsang University of Oslo Spring 2015 Outline Application Security Malicious Software Attacks on applications 2 Malicious Software 3

More information

Security Course. WebGoat Lab sessions

Security Course. WebGoat Lab sessions Security Course WebGoat Lab sessions WebGoat Lab sessions overview Initial Setup Tamper Data Web Goat Lab Session 4 Access Control, session information stealing Lab Session 2 HTTP Basics Sniffing Parameter

More information

John Coggeshall Copyright 2006, Zend Technologies Inc.

John Coggeshall Copyright 2006, Zend Technologies Inc. PHP Security Basics John Coggeshall Copyright 2006, Zend Technologies Inc. Welcome! Welcome to PHP Security Basics Who am I: John Coggeshall Lead, North American Professional Services PHP 5 Core Contributor

More information

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s Session I of III JD Nir, Security Analyst Why is this important? ISE Proprietary Agenda About ISE Web Applications

More information

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt

Excerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand

More information

Web Security: Web Application Security [continued]

Web Security: Web Application Security [continued] CSE 484 / CSE M 584: Computer Security and Privacy Web Security: Web Application Security [continued] Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Reflected XSS Cross-Site Request Forgery Other Attacks

Reflected XSS Cross-Site Request Forgery Other Attacks Reflected XSS Cross-Site Request Forgery Other Attacks CS 166: Introduction to Computer Systems Security 2/21/18 XSS, CSRF, Other Attacks 1 Reflected XSS 2/21/18 XSS, CSRF, Other Attacks 2 Recap of Persistent

More information

XSS Homework. 1 Overview. 2 Lab Environment

XSS Homework. 1 Overview. 2 Lab Environment XSS Homework 1 Overview Cross-site scripting (XSS) is a type of vulnerability commonly found in web applications. This vulnerability makes it possible for attackers to inject malicious code (e.g. JavaScript

More information