Web hack & attacks
Web Hack & Attacks
Examining Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) attacks
Purpose of this presentation
• Revisit the basics of XSS
• Review the advances over the last several years
• Demonstrate what can be done with XSS
• Open discussion of risk and impact
• Open discussion on how to protect yourself
Disclaimer
The information provided in this presentation is for educational purposes only. I am in no way responsible for any damage that is the result of the use or misuse of the information provided in this presentation.
Agenda
• What is cross-site scripting (XSS)
• Why should we be concerned
• Advances in XSS attacks over the last 2 years using JavaScript
• AttackAPI
• Live demo (zombie control of machines)
Basic concepts of XSS & CSRF
XSS
• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications that allows code injection by malicious web users into the web pages viewed by other users (Wikipedia)
• First paper published on the subject 02/02/2000 – http://ha.ckers.org/cross-site-scripting.html
XSS
• A short segment from this paper: "A security issue has come to Microsoft's attention that we refer to as 'cross-site scripting'. This is not an entirely new issue – elements of the information we present have been known for some time within the software development community. However, the overall scope of the issue is larger than previously understood."
• What does this mean?
XSS
• WHY
– XSS is caused when dynamically generated web content contains user-supplied data
– XSS is the result of failed input validation
• Demo
CSRF
• Cross-site request forgery is a type of malicious exploit that works by exploiting the trust that a site has for the user.
• Example:
– Online banking web site
– Attacker uses an XSS to get your browser to connect to the bank and execute a fund transfer
• Real life example
– Change passwords
– Change user ID
So where has this gone over the last several years?
Advances
• The basics of XSS have not changed; attackers have just found better ways to utilize it.
• XSS worm – The first XSS worm was the now famous MySpace 'Samy' worm (Oct 2005)
• JavaScript malware
– Trojans
– Key loggers
– Port scanners
• All brought to you by XSS
http://www.darkreading.com/document.asp?doc_id=155995&WT.svl=news2_1
Code Development
• Jeremiah Grossman – WhiteHat Security
– BlackHat 2007 code released
• AttackAPI – Petko D. (pdp) Petkov
– http://www.gnucitizen.org
– http://groups.google.com/group/attackapi
• BeEF browser exploitation framework – Wade Alcorn
– http://www.bindshell.net/tools
ZOMBIE
• Browser based command & control
• Browser detail information
• Read users clipboard
• Cross protocol attacks
• Browser control ("URL request")
• Java Injection
• Port Scanning
DEMO
Conclusion
• Proper web site coding
– Input validation
– Validation
– Validation
• User protection
– Don't click on URL links in emails
– Set up your email program not to render HTML
– Log out of online e-commerce and banking sites when done
– Use authentication tokens if available
• PayPal
• eBay
– Keep web browsers patched
– Be careful what web sites you go to
– Change passwords frequently – don't use the same password
– Set web browser security settings high
Discovery tools
• http://www.acunetix.com/cross-site-scripting/scanner.htm?gclid=COzKudiqrJQCFQkRswodSjjXuQ
• http://www.securitycompass.com/exploitme.shtml
Reference
• XSS Attacks “CROSS SITE SCRIPTING EXPLOITS AND DEFENSE” ISBN-13: 978-1-59749-154-9