Blind XSS & Click Jacking
•
3 j'aime•4,740 vues
null Mumbai Chapter December 2012 meet
Recommandé
Recommandé
Contenu connexe
Tendances
Tendances (20)
Similaire à Blind XSS & Click Jacking
Similaire à Blind XSS & Click Jacking (20)
Plus de n|u - The Open Security Community
Plus de n|u - The Open Security Community (20)
Dernier
Dernier (20)
Blind XSS & Click Jacking
- 2. Vinesh Redkar (Security Analyst) At NII Consulting Research Found Stored XSS on Paypal ,Rediffmail. http://securityvin32.blogspot.com vineshredkar89@gmail.com
- 3. Introduction What is Cross-Site Scripting Types of Cross-site Scripting What is Blind XSS Demo of Blind XSS Impact of XSS Mitigation Of XSS
- 4. Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into web sites. Types Of Cross-Site Scripting Reflected XSS (Non-persistent) Stored XSS(Persistent) DOM XSS
- 6. Attacker sets the trap – update my profile Application with stored XSS Attacker enters a malicious vulnerability script into a web page that stores the data on the server Communication Bus. Functions Administration Transactions E-Commerce Knowledge Accounts Finance Mgmt 2 Custom Code Script runs inside victim’s browser with full access to the DOM and cookies 3 Script silently sends attacker Victim’s session cookie
- 8. • XSS attack’s first target is the Client – Client trusts server (Does not expect attack) – Browser executes malicious script • But second target = Company running the Server – Loss of public image (Blame) – Loss of customer trust – Loss of money
- 9. What is it? Using it in penetration tests Challenges
- 10. IT’S NOT LIKE BLIND SQLI WHERE YOU GET IMMEDIATE FEEDBACK. YOU DON’T EVEN KNOW WHETHER YOUR PAYLOAD WILL EXECUTE (OR WHEN!) YOU MUST THINK AHEAD ABOUT WHAT YOU WANT TO ACCOMPLISH … AND YOU HAVE TO BE LISTENING.
- 17. 1. Carefully choose the right payload for the right situation. 2. Get lucky! 3. Patience
- 18. log viewers exception handlers customer service apps (chats, tickets, forums, etc.) anything moderated For Demo we used Feedback Page.
- 20. A malicious user can use XSS to steal credentials or silently redirect to malicious pages which can aide in further exploitation. A cross site scripting attack can result in the following: 1. Account hijacking 2. Malicious script execution 3. Information theft -. 4. Denial of Service 5. Browser Redirection 6. Manipulation of user settings
- 21. Input validation Output Encoding: < < > > ( ( ) ) # # & & Do not use "blacklist" validation Specify the output encoding
- 22. Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn’t intend to click, typically by overlaying the web page with an iframe. We’ve known about clickjacking, also called “UI redress attacks,” for years now, as they were originally described in 2008 by Robert Hansen and Jeremiah Grossman. Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the the top level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to other another page, most likely owned by another application, domain, or both. Payload for Iframe injection <iframe src=“Target WebSite”> Set opacity:0; Use z-index:-1 :An element with greater stack order is always in front of an element with a lower stack order.
- 25. Don’t allow website to inject in IFRAME by using X-frame Header. Using X-Frame-Options There are three possible values for X-Frame-Options: 1. DENY The page cannot be displayed in a frame, regardless of the site attempting to do so. 2. SAMEORIGIN The page can only be displayed in a frame on the same origin as the page itself. 3. ALLOW-FROM uri The page can only be displayed in a frame on the specified origin.
- 26. Thank You