
The Bank Job Utilizing XSS Vulnerabilities

The Bank Job Utilizing XSS Vulnerabilities. Adi Sharabani IBM Rational Application Security Research Group Manager. OWASP IL. Agenda. Theoretical part: Same Origin Policy 101 Cross-Site Scripting 101 HTTP sessions Practical part: Trivial robbery Advanced robbery.


Presentation Transcript


  1. The Bank Job: Utilizing XSS Vulnerabilities. Adi Sharabani, IBM Rational Application Security Research Group Manager. OWASP IL

  2. Agenda • Theoretical part: • Same Origin Policy 101 • Cross-Site Scripting 101 • HTTP sessions • Practical part: • Trivial robbery • Advanced robbery

  3. Browser Scripting Capabilities • What scripts can do: • Scripts can drive the site the way a user would (fill in forms, follow links, submit requests) • Scripts can interact with the web site seamlessly, without the user noticing • Scripts can perform any action in the site that the logged-in user could perform • Scripts can launch ActiveX controls that are signed and marked safe for scripting

  4. Scripting Restrictions – Same Origin Policy • What scripts cannot do: • Scripts can only interact with the origin (scheme, host and port) they came from • Scripts can send requests and read the corresponding responses only within their own origin • Scripts can access other browser frames only if those frames share the same origin • Scripts can issue requests to other domains, but cannot read the responses
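The slide says "domain", but what the browser actually compares before letting one script read another document's response or frame is the (scheme, host, port) triple. The check below is an added example written for this transcript, not code from the slides; the bank and attacker hostnames are the slide's own placeholders, and the sample URL pairs are constructed here.

```javascript
// Added example: the origin comparison behind the Same Origin Policy.
// Two URLs share an origin only if scheme, host and effective port all match;
// path, query and fragment play no part.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originTuple(href) {
  const u = new URL(href); // WHATWG URL parser, a global in Node and in browsers
  // URL drops a default port (":443" on https), so restore it for the comparison.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases using the slide's placeholder hostnames.
const cases = [
  ["https://www.thebank.site/account", "https://www.thebank.site/transfer?to=x"], // same origin: path and query ignored
  ["https://www.thebank.site:443/", "https://www.thebank.site/"],                 // same origin: explicit default port
  ["https://www.thebank.site/", "http://www.thebank.site/"],                      // scheme differs
  ["https://www.thebank.site/", "https://www.thebank.site:8443/"],                // port differs
  ["https://www.thebank.site/", "https://thebank.site/"],                         // host differs (subdomain)
  ["https://www.thebank.site/", "https://evil.org/"],                             // different site entirely
];

for (const [a, b] of cases) {
  console.log(sameOrigin(a, b) ? "SAME  " : "CROSS ", a, "vs", b);
}
```

The two "CROSS" cases that surprise people most are the scheme and port rows: a script on the http:// version of the bank cannot read responses from the https:// version, and vice versa, even though the hostname is identical.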

  5. XSS 101 • XSS occurs when user input (which may contain JavaScript) is echoed by the web application without encoding: String data = request.getParameter("param"); out.println(data); • Simple exploit: • http://www.thebank.site/action?param=<payload> • XSS defeats the Same Origin Policy: • the vulnerable domain now returns the attacker's arbitrary JavaScript, which runs with the bank's origin.
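The Java lines on the slide read the "param" query parameter and write it straight into the response. The following is an added example for this transcript, not code from the slides: it mirrors that reflection in JavaScript, puts the encoded version beside it, and shows that the same link yields a script tag from one and harmless text from the other. The bank hostname is the slide's placeholder; the payload is constructed here.

```javascript
// Added example: a reflected-XSS sink and its fixed form, simulated in Node.

// Mirrors the slide's servlet: String data = request.getParameter("param"); out.println(data);
function renderVulnerable(requestUrl) {
  const data = new URL(requestUrl).searchParams.get("param") ?? "";
  return `<html><body><p>You searched for: ${data}</p></body></html>`;
}

// HTML entity encoding for text placed between tags. Every character that can
// open or close markup is replaced, so no tag can form from the input.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;", "/": "&#x2F;" };
  return s.replace(/[&<>"'\/]/g, (c) => map[c]);
}

// Same page, with the parameter encoded before it is written out.
function renderFixed(requestUrl) {
  const data = new URL(requestUrl).searchParams.get("param") ?? "";
  return `<html><body><p>You searched for: ${escapeHtml(data)}</p></body></html>`;
}

// Crude check for the demo: does the response contain an executable <script> element?
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed payload in the shape of the slide's "action?param=<payload>" link.
const payload = "<script>alert(document.domain)</script>";
const maliciousLink = "http://www.thebank.site/action?param=" + encodeURIComponent(payload);

console.log("vulnerable:", renderVulnerable(maliciousLink));
console.log("fixed:     ", renderFixed(maliciousLink));
```

Note that the fix is output encoding at the point where data meets HTML, not input filtering: the parameter is stored and parsed unchanged, and the browser displays the literal text <script>...</script> instead of running it. The encoding shown is correct for text between tags; data placed inside an attribute, a script block or a URL needs the encoding for that context.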

  6. Cross Site Scripting – The Exploit Process (actors: Evil.org, User, TheBank.site) • 1. Link to TheBank.site sent to the user via e-mail or HTTP • 2. User sends the script embedded as data • 3. Script returned by TheBank.site, executed by the browser

  7. The session cookie • HTTP is stateless • Session id makes your application stateful • Session id = your identification • Should not be guessable • JavaScript access: document.cookie

  8. Cross Site Scripting – The Exploit Process (actors: Evil.org, User, TheBank.site) • 1. Link to TheBank.site sent to the user via e-mail or HTTP • 2. User sends the script embedded as data • 3. Script returned by TheBank.site, executed by the browser • 4. Script sends the user's cookie and session information to Evil.org without the user's consent or knowledge • 5. Evil.org uses the stolen session information to impersonate the user

  9. Trivial Robbery Demo

  10. Demo • Build payload • Send malicious link to victim • Retrieve the cookie and extract the session id • Manually add session cookie to local browser • Make a transaction

  11. Advanced Robbery Demo

  12. Problems: The session id cookie is not enough • HttpOnly: a cookie set with this flag is sent on requests but is not exposed to document.cookie • Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly] • Pre-logon XSS: if the injection point is reachable before login, there is no session cookie to steal yet, so the script has to capture what the user types instead
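An added example for this transcript (not code from the slides) that parses Set-Cookie headers in the shape the slide gives, reports which cookies a stolen document.cookie would still reveal, and writes up the missing flags. The headers are constructed; the cookie name and the bank hostname follow the slide's placeholders.

```javascript
// Added example: Set-Cookie attribute audit and a simulation of what document.cookie exposes.

// Parse one Set-Cookie header value: "name=value; attr; attr=value ...".
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: pair.slice(0, eq).trim(),
    value: pair.slice(eq + 1).trim(),
    httpOnly: false, secure: false, domain: null, path: null, expires: null,
  };
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i < 0 ? a : a.slice(0, i)).trim().toLowerCase(); // attribute names are case-insensitive
    const val = i < 0 ? true : a.slice(i + 1).trim();
    if (key === "httponly") cookie.httpOnly = true;
    else if (key === "secure") cookie.secure = true;
    else if (key === "domain" || key === "path" || key === "expires") cookie[key] = val;
  }
  return cookie;
}

// What an injected script sees in document.cookie: only the cookies without HttpOnly.
function visibleToScript(cookies) {
  return cookies.filter((c) => !c.httpOnly).map((c) => `${c.name}=${c.value}`).join("; ");
}

// Findings for a session cookie as a pentester would write them up.
function auditCookie(c) {
  const findings = [];
  if (!c.httpOnly) findings.push(`${c.name}: missing HttpOnly, readable via document.cookie`);
  if (!c.secure) findings.push(`${c.name}: missing Secure, will be sent over plain HTTP`);
  return findings;
}

// Constructed headers: the weak form the trivial robbery relies on, and the corrected one.
const WEAK = "JSESSIONID=A1B2C3D4E5F6; path=/";
const FIXED = "JSESSIONID=A1B2C3D4E5F6; path=/; secure; HttpOnly";
const THEME = "theme=dark; path=/; expires=Wed, 09 Jun 2021 10:18:14 GMT";

for (const [label, headers] of [["weak", [WEAK, THEME]], ["fixed", [FIXED, THEME]]]) {
  const cookies = headers.map(parseSetCookie);
  console.log(`${label}: document.cookie -> "${visibleToScript(cookies)}"`);
  for (const f of cookies.flatMap(auditCookie)) console.log("  finding:", f);
}
```

With the fixed header the exfiltration payload from the trivial demo only ever sees "theme=dark". That closes the cookie-theft route but not the XSS itself: the injected script still runs in the bank's origin and can drive the site on the user's behalf or, on a pre-logon page, read the credentials as they are typed, which is what the next slide's list of countermeasures is about.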

  13. Problems: Key-logging is not enough • Second-factor authentication • Dongles • Client certificates • Challenge on transaction • Security questions: "What is your mom's maiden name?" • Time-based challenge

  14. Questions? http://blog.watchfire.com
