CIS 4360 Secure Computer Systems XSS

Similar documents
CSCE 813 Internet Security Case Study II: XSS

WEB SECURITY: XSS & CSRF

Web Application Security. Philippe Bogaerts

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web basics: HTTP cookies

Application vulnerabilities and defences

Web Application Security

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

P2_L12 Web Security Page 1

Common Websites Security Issues. Ziv Perry

Chrome Extension Security Architecture

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

Client Side Injection on Web Applications

7.2.4 on Media content; on XSS) sws2 1

Advanced Web Technology 10) XSS, CSRF and SQL Injection

CS 161 Computer Security

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

CSC 482/582: Computer Security. Cross-Site Security

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

Web Security: Vulnerabilities & Attacks

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Web Security II. Slides from M. Hicks, University of Maryland

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

Content Security Policy

Aguascalientes Local Chapter. Kickoff

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

The security of Mozilla Firefox s Extensions. Kristjan Krips


RKN 2015 Application Layer Short Summary

Reflected XSS Cross-Site Request Forgery Other Attacks

CSCD 303 Essential Computer Security Fall 2018

CSCD 303 Essential Computer Security Fall 2017

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Web Security: XSS; Sessions

PROBLEMS IN PRACTICE: THE WEB MICHAEL ROITZSCH

Web Security IV: Cross-Site Attacks

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

CS 161 Computer Security

Security for the Web. Thanks to Dave Levin for some slides

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security, Part 2

Information Security CS 526 Topic 11

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Robust Defenses for Cross-Site Request Forgery

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Web Security: Vulnerabilities & Attacks

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

WebGoat Lab session overview

Security for the Web. Thanks to Dave Levin for some slides

More attacks on clients: Click-jacking/UI redressing, CSRF

Information Security CS 526 Topic 8

Security Course. WebGoat Lab sessions

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Robust Defenses for Cross-Site Request Forgery Review

Avoiding Web Application Flaws In Embedded Devices. Jake Edge LWN.net URL for slides:

Detecting XSS Based Web Application Vulnerabilities

EasyCrypt passes an independent security audit

NET 311 INFORMATION SECURITY

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Combating Common Web App Authentication Threats

COMP9321 Web Application Engineering

Cross-Site Request Forgery

Copyright

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

1 About Web Security. What is application security? So what can happen? see [?]

Application Layer Security

COMP9321 Web Application Engineering

CSC 405 Computer Security. Web Security

Preparing for the Cross Site Request Forgery Defense

Web Application Threats and Remediation. Terry Labach, IST Security Team

Attacking the Application OWASP. The OWASP Foundation. Dave Ferguson, CISSP Security Consultant FishNet Security.

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Web Security: Web Application Security [continued]

CS 155 Project 2. Overview & Part A

The PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

CS 161 Computer Security

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

Integrity attacks (from data to code): Cross-site Scripting - XSS

WHY CSRF WORKS. Implicit authentication by Web browsers

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

last time: command injection

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

Computer Security CS 426 Lecture 41

Web Security Computer Security Peter Reiher December 9, 2014

Configuring User Defined Patterns

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

Transcription:

CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena

Previous Class Two important criteria to evaluate an Intrusion Detection System Visibility Isolation Host-based IDS has good visibility but bad isolation Network-based IDS has good isolation but bad visibility VMI (Virtual Machine Introspection) based IDS achieves both good visibility and isolation CIS 4360 Secure Computer Systems 2

Outline Cross-site Scripting (XSS) Attacks Prevention CIS 4360 Secure Computer Systems 3

What is XSS? Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The vulnerable website has acted as an unintentional accomplice to the attacker The attacker does not directly attack the victim Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript to the victim CIS 4360 Secure Computer Systems 4

How to Inject Malicious JavaScript? An attacker leaves comment in a forum website But the comment actually some JavaScript, e.g., <script> </script> A victim browser loads the webpage containing the comment It will execute whatever JavaScript code inside the <script> tags Vulnerable website: print "<html>" print "Latest comment:" print database.latestcomment print "</html>" VicAm: <html> Latest comment: <script>...</script> </html> CIS 4360 Secure Computer Systems 5

Consequences of Malicious JavaScript Because the attacker has injected code into a page served by the website, the malicious JavaScript is executed in the context of the downloaded webpages from the vulnerable website This means that it is treated like any other script from that website: it has access to the victim's data for that website (such as cookies) CIS 4360 Secure Computer Systems 6

Consequences of Malicious JavaScript Cookie theft The attacker can access the victim's cookies associated with the website using document.cookie, send them to his own server, and use them to extract sensitive information like session IDs Keylogging The attacker can register a keyboard event listener using addeventlistener and then send all of the user's keystrokes to his own server, potentially recording sensitive info such as passwords and credit card numbers Phishing The attacker can insert a fake login form and then trick the user into submitting sensitive information CIS 4360 Secure Computer Systems 7

Steps in a Classic XSS Attack Instance Actors: the website, the victim, the attacker The website serves HTML pages to users who request them, e.g., http://website/ The victim is a normal user of the website who requests pages from it using his browser The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website CIS 4360 Secure Computer Systems 8

Steps in a Classic XSS Attack Instance 1. The attacker uses one of the website's forms to insert a malicious string into the website's database 2. The victim requests a page from the website 3. The website includes the malicious string from the database in the response and sends it to the victim 4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server CIS 4360 Secure Computer Systems 9

Steps in a Classic XSS Attack Instance CIS 4360 Secure Computer Systems 10

Types of XSS Persistent XSS, where the malicious string originates from the website's database That is what we covered just now Reflected XSS, where the malicious string originates from the victim's request DOM-based XSS, where the vulnerability is in the client-side code rather than the server-side code CIS 4360 Secure Computer Systems 11

Reflected XSS 1. The attacker crafts a URL containing a malicious string and sends it to the victim 2. The victim is tricked by the attacker into requesting the URL from the website 3. The website includes the malicious string from the URL in the response This is the most confusing part; we will explain it! 4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server CIS 4360 Secure Computer Systems 12

Reflected XSS CIS 4360 Secure Computer Systems 13

DOM (Document Object Model) An HTML page is treated as a tree wherein nodes can be <head>, <body>, <h1> objects These objects then can be manipulated programmatically by, e.g., JavaScript add, change, remove all of the HTML elements With DOM, JavaScript is able to create dynamic HTML <p id="par1">welcome to JavaScript DOM</p> var tag = document.getelementbyid("par1"); var tp = tag.nodetype; CIS 4360 Secure Computer Systems 14

DOM-based XSS 1. The attacker crafts a URL containing a malicious string and sends it to the victim 2. The victim is tricked by the attacker into requesting the URL from the website 3. The website receives the request, but does not include the malicious string in the response 4. The victim's browser executes the legitimate script inside the response, causing the malicious script to be inserted into the page 5. The victim's browser executes the malicious script inserted into the page, sending the victim's cookies to the attacker's server CIS 4360 Secure Computer Systems 15

What makes DOM-based XSS different? In traditional XSS, the malicious JavaScript is executed when the page is loaded, as part of the HTML sent by the server, while in DOM-based XSS, the malicious JavaScript is executed after the page has loaded, as a result of the page's legitimate JavaScript treating user input in an unsafe way This means that XSS vulnerabilities can be present not only in your website's server-side code, but also in your website's client-side JavaScript code The malicious string is never known by the server CIS 4360 Secure Computer Systems 16

Preventing XSS XSS is essentially due to careless handling of user input (e.g., the comment and weird url) Secure input handling XSS frequently relies on external website s JavaScript code Content Security Policy (CSP): defines trusted sources <html> Latest comment: <script src="hcp://acacker/malicious-script.js"></script> </html> XSS frequently steals cookies Http-only cookies: cookies that cannot be manipulated via JavaScript CIS 4360 Secure Computer Systems 17

Preventing XSS Encoding, which escapes the user input so that the browser interprets it as data, not as code print userinput => print encodehtml(userinput) <script> </script> => <script>...</script> There are mature libraries you can use: e.g., OWASP s Encoder Project Validation, which filters the user input so that the browser interprets it as code without malicious commands Whitelisting: only allow URLs starting with http or https Blacklisting: disallow any URL starting with javascript: CIS 4360 Secure Computer Systems 18

XSS vs. CSRF (Cross-site Request Forgery) XSS exploits users trust for website servers CSRF exploits website s trust for users When you login your online bank, and assume you simultaneously visit a malicious website, the malicious website forge a money transfer request to your bank website By default, all the cookies (including the login authentication cookie) will be sent along with the request to the bank The bank will be tricked to believe it is a legitimate request submitted by you Preventing CSRF: same-site cookie attribute, which requests that the cookie is sent back to the server only when the request is originated from the bank s pages CIS 4360 Secure Computer Systems 19

Summary Three types of XSS attacks: Persistent XSS Reflected XSS DOM-based XSS Preventing XSS: Input handling: encoding and validation Content Security Policy Http-only cookies CIS 4360 Secure Computer Systems 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback