Web hack & attacks

Web Hack & Attacks Examining Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) attacks


Transcript of Web hack & attacks

Page 1: Web hack & attacks

Web Hack & Attacks

Examining Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) attacks

Page 2: Web hack & attacks

Purpose of this presentation

• Revisit the basics of XSS

• Review the advances over the last several years

• Demonstrate what can be done with XSS

• Open discussion of risk and impact

• Open discussion on how to protect yourself

Page 3: Web hack & attacks

Disclaimer

The information provided in this presentation is for educational purposes only. I am in no way responsible for any damage that is the result of the use or misuse of the information provided in this presentation.

Page 4: Web hack & attacks

Agenda

• What is cross site scripting (XSS)

• Why should we be concerned

• Advances in XSS attacks over the last 2 years using JavaScript

• AttackAPI

• Live demo (Zombie control of machines)

Page 5: Web hack & attacks

Basic concepts of XSS & CSRF

Page 6: Web hack & attacks

XSS

• Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users (Wikipedia)

• First paper published on the subject: 02/02/2000
– http://ha.ckers.org/cross-site-scripting.html

Page 7: Web hack & attacks

XSS

• A short segment from this paper: "A security issue has come to Microsoft's attention that we refer to as 'cross-site scripting'. This is not an entirely new issue – elements of the information we present have been known for some time within the software development community. However, the overall scope of the issue is larger than previously understood."

• What does this mean?

Page 8: Web hack & attacks

XSS

• WHY
– XSS is caused when dynamically generated web content contains user-inputted data
– XSS is the result of failed input validation

• Demo

Page 9: Web hack & attacks

CSRF

• Cross-site request forgery is a type of malicious exploit that works by exploiting the trust that a site has in the user.

• Example:
– Online banking web site
– Attacker uses an XSS to get your browser to connect to the bank and execute a fund transfer

• Real life examples:
– Change passwords
– Change user ID

Page 10: Web hack & attacks

So where has this gone over the last several years?

Page 11: Web hack & attacks

Advances

• The basics of XSS have not changed; attackers have just found better ways to use it.

• XSS worm: the first XSS worm was the now famous MySpace 'Samy' worm (Oct 2005)

• JavaScript malware
– Trojans
– Key loggers
– Port scanners

• All brought to you by XSS

Page 12: Web hack & attacks

http://www.darkreading.com/document.asp?doc_id=155995&WT.svl=news2_1

Page 13: Web hack & attacks

Code Development

• Jeremiah Grossman – WhiteHat Security
– BlackHat 2007 code released

• AttackAPI – Petko D. (pdp) Petkov
– http://www.gnucitizen.org
– http://groups.google.com/group/attackapi

• BeEF browser exploitation framework – Wade Alcorn
– http://www.bindshell.net/tools

Page 14: Web hack & attacks

ZOMBIE

• Browser based command & control

• Browser detail information

• Read users clipboard

• Cross protocol attacks

• Browser control ("URL Request")

• Java Injection

• Port Scanning

Page 15: Web hack & attacks

DEMO

Page 16: Web hack & attacks

Page 17: Web hack & attacks

Conclusion

• Proper web site coding
– Input validation
– Validation
– Validation

• User protection
– Don't click on URL links in emails
– Set up your email program not to render HTML
– Log out of online e-commerce and banking sites when done
– Use authentication tokens if available
  • PayPal
  • eBay
– Keep web browsers patched
– Be careful which web sites you go to
– Change passwords frequently
– Don't use the same password
– Set web browser security settings high

Page 19: Web hack & attacks

Reference

• XSS Attacks “CROSS SITE SCRIPTING EXPLOITS AND DEFENSE” ISBN-13: 978-1-59749-154-9