Client Side Injection on Web Applications

Similar documents
Web Application Security

CIS 4360 Secure Computer Systems XSS

CSCE 813 Internet Security Case Study II: XSS

Lecture Overview. IN5290 Ethical Hacking

Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks

Web Application Security. Philippe Bogaerts

Web basics: HTTP cookies

Web basics: HTTP cookies

How is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach

CSC 482/582: Computer Security. Cross-Site Security

Web Security: Vulnerabilities & Attacks

Web Security, Summer Term 2012

Web Security, Summer Term 2012

CSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis

HTTP Security Headers Explained

WEB SECURITY: XSS & CSRF

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild

Is Browsing Safe? Web Browser Security. Subverting the Browser. Browser Security Model. XSS / Script Injection. 1. XSS / Script Injection

Application Layer Attacks. Application Layer Attacks. Application Layer. Application Layer. Internet Protocols. Application Layer.

2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun

CS 161 Computer Security

Web security: an introduction to attack techniques and defense methods

7.2.4 on Media content; on XSS) sws2 1

CS 161 Computer Security

Preparing for the Cross Site Request Forgery Defense

CSCD 303 Essential Computer Security Fall 2018

Computer Security 3e. Dieter Gollmann. Chapter 18: 1


W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Lecture 17 Browser Security. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Some slides from Bailey's ECE 422

Chrome Extension Security Architecture

CSCD 303 Essential Computer Security Fall 2017

CS 161 Computer Security

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Attacks Against Websites. Tom Chothia Computer Security, Lecture 11

The security of Mozilla Firefox s Extensions. Kristjan Krips

2/16/18. Secure Coding. CYSE 411/AIT 681 Secure Software Engineering. Web Security Outline. The Web. The Web, Basically.

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Security. CSC309 TA: Sukwon Oh

CS 161 Computer Security

CSC 405 Computer Security. Web Security

Web Security: Vulnerabilities & Attacks

Web Security IV: Cross-Site Attacks

Evaluating the Security Risks of Static vs. Dynamic Websites

WHY CSRF WORKS. Implicit authentication by Web browsers

OWASP Top 10 Risks. Many thanks to Dave Wichers & OWASP

This slide shows the OWASP Top 10 Web Application Security Risks of 2017, which is a list of the currently most dangerous web vulnerabilities in

Copyright

last time: command injection

Web Security II. Slides from M. Hicks, University of Maryland

RKN 2015 Application Layer Short Summary

Markup Language. Made up of elements Elements create a document tree

Large-Scale Analysis of Style Injection by Relative Path Overwrite

Web development using PHP & MySQL with HTML5, CSS, JavaScript

Information Security CS 526 Topic 11

Cross Site Request Forgery

CS Paul Krzyzanowski

Computer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018

Web Security. Thierry Sans

Client Side Security And Testing Tools

Common Websites Security Issues. Ziv Perry

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Reflected XSS Cross-Site Request Forgery Other Attacks

Web insecurity Security strategies General security Listing of server-side risks Language specific security. Web Security.

C1: Define Security Requirements

Static Webpage Development

Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West

Cross-Site Request Forgery: The Sleeping Giant. Jeremiah Grossman Founder and CTO, WhiteHat Security

Information Security CS 526 Topic 8

Perslink Security. Perslink Security. Eleonora Petridou Pascal Cuylaerts. System And Network Engineering University of Amsterdam.

XSS Homework. 1 Overview. 2 Lab Environment

Web Security. Jace Baker, Nick Ramos, Hugo Espiritu, Andrew Le

About the OWASP Top 10

Advanced Web Technology 10) XSS, CSRF and SQL Injection

Application Security through a Hacker s Eyes James Walden Northern Kentucky University

P2_L12 Web Security Page 1

Finding Vulnerabilities in Web Applications

Preventing Image based Cross Site Request Forgery Attacks

Project 2: Web Security

Content Security Policy

Assignment 6: Web Security

CNIT 129S: Securing Web Applications. Ch 12: Attacking Users: Cross-Site Scripting (XSS) Part 2

NET 311 INFORMATION SECURITY

Web System and Technologies (Objective + Subjective)

CORS Attacks. Author: Milad Khoshdel Blog: P a g e. CORS Attacks

Security for the Web. Thanks to Dave Levin for some slides

Web Security, Part 2

Project 3 Web Security Part 1. Outline

Web 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007

Application vulnerabilities and defences

Web Application Vulnerabilities

Welcome to the OWASP TOP 10

OWASP TOP 10. By: Ilia

25 Million Flows Later Large-scale Detection of DOM-based XSS. CCS 2013, Berlin Sebastian Lekies, Ben Stock, Martin Johns

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Some Facts Web 2.0/Ajax Security

WELCOME. APEX Security Primer. About Enkitec. About the Presenter. ! Oracle Platinum Partner! Established in 2004

Exploiting and Defending: Common Web Application Vulnerabilities

Transcription:

Client Side Injection on Web Applications Author: Milad Khoshdel Blog: https://blog.regux.com Email: miladkhoshdel@gmail.com 1 P a g e

Contents INTRODUCTION... 3 HTML Injection Vulnerability... 4 How to Mitigate HTML Injection?... 6 CSS Injection Vulnerability... 7 How to Mitigate CSS Injection... 8 Client Side URL Redirect Vulnerability... 9 How to Mitigate Client Side URL Redirect... 10 DOM-Based Client Side Scripting Vulnerability... 10 How to Mitigate DOM-Based Client Side Scriptings... 12 References... 13 2 P a g e

INTRODUCTION As you know web applications or websites works with communicating with users. For example in a forum websites, all information will shared by different users from different places or in a news website users can comment on each news or articles and this comments are visible by other people. So dangerous data should not store by users in database and it is very important for developer and website admin to make sure that Meta characters will filter on user input forms data. There are too many technic for performing client side attacks. I will explain bellow attacks in this articles. HTML Injection CSS Injection Client Side URL Redirect DOM-Based Client Side Scripting 3 P a g e

HTML Injection Vulnerability This vulnerability will happen when hacker is able to inject HTML tags into a form and finally store the html code into database. Imagine we have a blog and users are able to share their comment under our blog posts. In a html injection vulnerable form, hacker is able to write html tags as comment and this code will be visible for all people. As you know with html tags hacker can do bellow malicious actions: Can change the style of the text Can insert a Link with a tag within his comment text and tempt people for clicking on this link (The link may contain malicious information). Can insert an Image within his comment And if HTML Injection combine with other attacks: Can steal User Cookie. (XSS) Can redirect the vulnerable page to other destination automatically. (XSS) Can Deface the Vulnerable Webpage. (CSS Injection) In this section I only explain HTML injection and I will cover other items in next sections. Let s explain HTML injection vulnerability with a pictorial Example. We have a website with a guestbook that allow users to share his comments for other people. You can see the comment section of this website in bellow image: Now we want to store out html code into database instead of plain text comment. We try to submit bellow html code as a valid comment. <b><i>hi this is an html code</i></b> And here is the result: 4 P a g e

As you see, out comment is stored in HTML Format. We can post plenty of things with HTML code, for example we can post an image or even we can load another site in this page using iframe tag and do a deface attack. We are going to load an image in comment section. <img src="your IMAGE URL"> And here is the result: 5 P a g e

If your image size is 2MP or more, you can do a successful deface attack using some CSS injection technique. I will explain it with details in next section. How to Mitigate HTML Injection? If you are a programmer and you are going to fix this vulnerability on your website, you just need to filter Meta characters and translate these characters to Entity Names. Please note that if you don t use any frameworks (such as Django, Laravel, ), you need to do it manually. In the reference section, you have a link to the full encoding table. But for now, the most commonly used codes are: Character Entity Number Entity Name Description " " " quotation mark ' &#39; &apos; apostrophe (does not work in IE) & & & ampersand < < < less-than > > > greater-than So if you use Entity names for Meta characters, Browser does not parse HTML code in client side and just show the code in plain text format. I use this technique in our vulnerable website and here is the result: 6 P a g e

CSS Injection Vulnerability In previous section, I explained HTML injection. Now I want to explain CSS Injection. As you know, CSS is used to define styles for web pages, including the design, layout and variations in display for different devices and screen sizes. It means if you found a web page that is vulnerable to HTML Injection, you can use CSS Injection for changing your injected HTML elements style. For example if you combine the malicious HTML code with CSS, you can change your image size and cover all the webpage screen with your image and it means you performed successful deface attack. Here is the code: <img style= padding:1000px; width= 500px; height= 500px; src= OUR-IMAGE-URL > Also some times when an application imports a style sheet from a user-supplied URL, or embeds user input in CSS blocks without adequate escaping, we faced some kind of CSS Injection. For Example, take a look to bellow vulnerable code: <a id="input">click me</a> <script> if (location.hash.slice(1)) { document.getelementbyid("input").style.csstext = "color: " + location.hash.slice(1); } </script> And here is the vulnerable URL: https://www.url/#red After loading URL, we will have bellow style in web page style tag: <style> #input{ color: red; } </style> Now we can inject our CSS at the end of the URL. For example if we load bellow URL: 7 P a g e

https://www.url/#red; padding:1000px; font-size:70px; background-color:#000000 It means that we injected extra CSS code into style tag. After loading this URL the style tag will be as bellow: <style> #input{ color: red; padding:1000px; font-size:70px background-color:#000000; } </style> In some case you can even import CSS file from external source. For example: https://www.url/#red; @import "https://externalsource/navigation.css" How to Mitigate CSS Injection For preventing CSS Injection, you shouldn t allow your user to add code in CSS blocks using embeds input without escaping. So Ensure that user input is adequately escaped before embedding it in CSS blocks, and consider using a whitelist to prevent loading of arbitrary style sheets. Finally, the vulnerability can be mitigated using the following best practice steps, which may look awfully familiar: Set the server header X-Frame-Options: deny on all pages Set the server header X-Content-Type-Options: nosniff on all pages Set a modern doctype (eg: <!doctype html>) on all pages 8 P a g e

Client Side URL Redirect Vulnerability Client Side URL Redirection, also known as Open Redirection and Base on OWASP explanation, It is an input validation flaw that exists when an application accepts an user controlled input which specifies a link that leads to an external URL that could be malicious. This kind of vulnerability could be used to accomplish a phishing attack or redirect a victim to an infection page. This vulnerability occurs when an application accepts untrusted input that contains an URL value without sanitizing it. This URL value could cause the web application to redirect the user to another page as, for example, a malicious page controlled by the attacker. By modifying untrusted URL input to a malicious site, an attacker may successfully launch a phishing scam and steal user credentials. Since the redirection is originated by the real application, the phishing attempts may have a more trustworthy appearance. For example, look at the bellow JavaScript code: <script> var redir = location.hash.substring(1); if (redir) window.location='http://'+decodeuricomponent(redir); </script> This function will redirect user to another internal page after logout. This is the URL: http://url/?#www.url/login In this vulnerable code, script does not perform any validation of the redir value that contains the user supplied input via the query string, this means that an attacker could redirect the victim to a phishing site simply by submitting the following URL: http://url/?#www.attackerurl/phising-page So after Logout, user will redirect to malicious URL rather than Login page. 9 P a g e

How to Mitigate Client Side URL Redirect Programmer can prevent this kind of attacks by checking the URL that is passed to the redirect function. Programmer should make sure all URLs in this function are relative paths i.e. start with a single / character. (External URLs start with // will be translated by the browser as a protocol, absolute URL so programmer should reject this kind of URLs too.) If programmer needs to perform external URL redirection, he should consider white Lists for all of external URLs too. Also for the second layer of defense, programmer should check that the Referrer in the HTTP request header matches the domain name whenever redirect process performs. DOM-Based Client Side Scripting Vulnerability Dom-Based XSS is an XSS attack that payload will inject by modifying the web page DOM Elements and it means that the client side code runs unexpectedly. In previous attacks, I mean HTML Injection and URL Redirect, you can exploit Dom-Based XSS. For example, In HTML Injection you can Exploit Dom-Based XSS with bellow payload: <img src='some-link' onerror=alert(1)> And here is the result: And in Client Side URL Redirect you can Exploit Dom-Based XSS with bellow Payload: 10 P a g e

http://www.url/?#javascript:alert(document.cookie) Please note that vulnerable JavaScript code in this case is: <script> var redir = location.hash.substring(1); if (redir) window.location='http://'+decodeuricomponent(redir); </script> Another example for Dom-Based Xss Imagine we have a website with a form for changing the website language. Also we have a JavaScript function for handling this form. This is the JavaScript Code: <select><script> document.write("<option value=1>"+document.location.href.substring(document.location.href.indexof(" lang=")+8)+"</option>"); document.write("<option value=2>english</option>"); </script></select> And here is the changing language URL: http://www.url/page.php?lang=french According to JavaScript Code, lang parameter load in URL using GET method, so if you change the value of lang parameter, the language of the page will change using JavaScript function. It means you can inject your JavaScript malicious payload as a value for lang parameter. For Example, you can exploit Dom-Based XSS using bellow payload in URL: http://www.url/page.php?lang=<script>alert(document.cookie)</script> 11 P a g e

How to Mitigate DOM-Based Client Side Scriptings If you need to Load HTML code into Dome Elements dynamically, you should use HTML encoding with bellow function: element.innerhtml element.outerhtml Also for second layer of security, you can use JavaScript encoding for all untrusted input with bellow functions: document.write document.writeln Also for the first example, preventing HTML Injection and Client Side URL Redirect can prevent DOM- Based XSS too. Have Fun Milad Khoshdel 12 P a g e

References 1. https://www.owasp.org/index.php/dom_based_xss_prevention_cheat_sheet 2. https://portswigger.net/blog/detecting-and-exploiting-path-relative-stylesheet-import-prssivulnerabilities#badcss 3. https://www.owasp.org/index.php/testing_for_client_side_url_redirect_(otg-client- 004) 4. https://portswigger.net/kb/issues/00501300_css-injection-reflected 5. https://www.owasp.org/index.php/testing_for_css_injection_(otg-client-005) 6. https://www.hacksplaining.com/prevention/open-redirects 13 P a g e

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback