1. Web Hack & Attacks Examining Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) attacks

2. Purpose of this presentation Retouch on the basics of XSS Review the advances over last several years Demonstrations of the capability of what can be done with XSS Open discussions of risk and impact Open discussions on how to protect your self

3. Disclaimer The information provided in this presentation is for educational purposes only. I am in no way responsible for any damage that is the result of the use or misuse of the information provided in this presentation.

4. Agenda What is cross site scripting (XSS)‏ Why should we be concerned Advances in XSS attacks over the last 2 years using javascript AttackApi Live demo ( Zombie control of machines)‏

5. Basic concepts of XSS & CSRF

6. XSS Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code injection by malicious web users into the web pages viewed by other users Wikipedia First paper published on the subject 02/02/2000 http://ha.ckers.org/cross-site-scripting.html

7. XSS A short segment from this paper - A security issue has come to Microsoft’s attention that we refer to as “cross-site scripting”. This is not an entirely new issue – elements of the information we present have been known for some time within the software development community. However, the overall scope of the issue is larger than previously understood What does this mean

8. XSS WHY XSS is caused when dynamic generated web content contains user inputted data XSS is the result of failed input validation Demo

9. CSRF Cross-site request forgery, is a type of malicious exploit works by exploiting the trust that a site has for the user. Example: Online Banking web site Attacker uses a XSS to get your browser to connect to the bank and execute a fund transfer Real life example Change passwords Change user ID

10. So where has this gone over the last several years

11. Advances The basics of XSS has not changed They have just found betters ways to utilize it. XSS worm- The first XSS worm was the now famous MySpace 'Samy' worm “Oct 2005” Javascript malware Trojans Key loggers Port Scanners All brought to you by XSS

12. http://www.darkreading.com/document.asp?doc_id=155995&WT.svl=news2_1

13. Code Development Jerimiah Grossman WhiteHat security BlackHat 2007 code released AttackAPI Petko D. (pdp) Petkov http://www.gnucitizen.org http://groups.google.com/group/attackapi beEf browser exploitation framework http://www.bindshell.net/tools Wade Alcorn

14. ZOMBIE Browser based command & control Browser detail information Read users clipboard Cross protocol attacks Browser control “ URL Request” Java Injection Port Scanning

15. DEMO

17. Conclusion Proper web site coding Input validation Validation Validation User protection Don’t click on url links in emails Setup email program not to render html Logout of online e-commerce and banking sites when done. Use authentication tokens if available Paypal Ebay Keep web browsers patched Be careful what web sites you go to. Change password frequently – Don’t use same password Set web browser security setting high

18. Discovery tools http://www.acunetix.com/cross-site-scripting/scanner.htm?gclid=COzKudiqrJQCFQkRswodSjjXuQ http://www.securitycompass.com/exploitme.shtml

19. Reference XSS Attacks “CROSS SITE SCRIPTING EXPLOITS AND DEFENSE” ISBN-13: 978-1-59749-154-9