Notice…
• The ‘query’ part of the URL may contain user-provided data that is fed to the application.
• It is where the payload for the maximum number of possible attacks is carried.
Web Application Architecture: Server Side & Client Side Courtesy: “Top 10 attacks” by Saumil Shah
How is a Request resolved by the Server for the Browser?
HTML Markup
• HTML markup provides the presentation for the data/content.
• In Web 2.0, data and markup together build the Document Object Model (DOM).
• The DOM forms an XML-like tree structure for easy retrieval of data.
Risk That We Do Not Care About …
• A website is malicious, and a user who visits this site gets infected. [We can leave this to the discretion of the visitor]
Risk That We Care About (2) …
• A website is not intended to be malicious, but an attacker has compromised this page so that everyone who visits it is compromised.
 o [We do care about this]
Attacking Approach (Client-server Perspective)
• Attack servers / services [server-side attack]
 o Ex. website defacement,
 o SQL injection,
 o DoS attack and others
• Attack the web client [client / browser-based attack]
 o Ex: XSS (Cross-Site Scripting)
 o XSRF (Cross-Site Request Forgery)
 o Phishing (social engineering) and others
Attacking Approach (Way of Attacks)
• Content Injection
 o SQL Injection
 o Script Injection (XSS)
 o DOM element Injection (DOM-based XSS)
• Breaking Access Control / Access Restriction
 o Cross-Domain / Cross-Frame Attack
 o Ex. Cross-Domain Capability Leaks
• Exploiting Application Configuration
 o Session Hijacking / Credential Stealing
 o Failure to Restrict URL Access
 o Insecure Cryptography
Attacking Approach (Way of Attacks) continuing…
• Insecure Network
 o Proxy-based attack
 o Man-in-the-middle attacks
• Web-Based Malware Attack
We are more interested in content injection attacks because of their wide attack surface.
Content Injection (Through URL): Demonstrating a Reflected XSS attack
[Diagram: the attacker sends the URL www.goodhost.com?search=@#badcontent#@ through email or another channel; the user clicks the URL; the client web browser sends the request, carrying @#badcontent#@, to the web server; the web server reflects @#badcontent#@ back in its response; the user is infected with the injection attack.]
Content Injection (via comment): Demonstrating a ‘Stored XSS attack’
[Diagram: the attacker puts a malicious comment (@#comment!@#) in a request; the comment is inserted in the DB; Bob clicks the URL and requests the same page; the malicious comment @#comment!@# is retrieved from the database and served to Bob.]
Consequence of an XSS attack
• Sensitive information theft
 o Credential theft (Ex: cookies)
• Intranet scanning
 o Scan open ports
• Attacking other users
 o Replay attack from the compromised browser
What are other Control Points?
[Diagram of control points between the input interface (URL, cookie), JS/DOM, the web server and other domains:]
• Control JS & DOM interactions
• Control the flow of user-provided data
• Sanitize the URL to discard malicious content
• Control JS communication with external domains
• Control cookies sent out to external domains
• Compare input-interface data with output-interface data to check whether malicious content has trespassed through the server
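The reflected and stored XSS flows shown in the diagrams above, and the "compare input/output interface data" control point on this slide, as an added JavaScript example that is not part of the original slides: a search-page renderer in its vulnerable form beside its hardened form, plus a check that reports when markup in the input reaches the output unchanged. All function names and the sample query are constructed for this example.

```javascript
// Added example (not from the original slides): a reflected-search handler in
// its vulnerable form beside its hardened form, plus the "compare input and
// output interface data" control point. All names here are constructed.

// Vulnerable: the user-supplied query is concatenated straight into the HTML,
// so any markup carried in ?search= is reflected into the page and parsed by
// the browser (the reflected XSS flow in the slides).
function renderSearchVulnerable(query) {
  return `<h1>Results for ${query}</h1>`;
}

// Escape the five characters that let data break out of HTML text or attributes.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened: escape at the output interface. The same call protects a stored
// comment when it is read back from the database and rendered for the next
// visitor (the stored XSS flow in the slides).
function renderSearchSafe(query) {
  return `<h1>Results for ${escapeHtml(query)}</h1>`;
}

// Control point: does untrusted input containing markup pass through the server
// unchanged? True when the raw input carries a tag and reappears verbatim in the
// output, meaning the output interface did not neutralise it.
function markupTrespassed(input, output) {
  const carriesMarkup = /<[a-zA-Z!/]/.test(input);
  return carriesMarkup && output.includes(input);
}

// Constructed sample query: a script tag such as an attacker's URL would carry.
const sampleQuery = '<script>bad()</script>';

function demo() {
  const vulnerable = renderSearchVulnerable(sampleQuery);
  const safe = renderSearchSafe(sampleQuery);
  return {
    vulnerableLeaks: markupTrespassed(sampleQuery, vulnerable), // true
    safeLeaks: markupTrespassed(sampleQuery, safe),             // false
    safe,
  };
}
```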