Web hack & attacks

  1. Web Hack & Attacks
     Examining Cross Site Scripting (XSS) & Cross Site Request Forgery (CSRF) attacks
  2. Purpose of this presentation
     - Retouch on the basics of XSS
     - Review the advances over the last several years
     - Demonstrations of the capability of what can be done with XSS
     - Open discussions of risk and impact
     - Open discussions on how to protect yourself
  3. Disclaimer
     The information provided in this presentation is for educational purposes only. I am in no way responsible for any damage that is the result of the use or misuse of the information provided in this presentation.
  4. Agenda
     - What is cross site scripting (XSS)
     - Why should we be concerned
     - Advances in XSS attacks over the last 2 years using JavaScript
     - AttackAPI
     - Live demo (zombie control of machines)
  5. Basic concepts of XSS & CSRF
  6. XSS
     - Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allows code injection by malicious web users into the web pages viewed by other users (Wikipedia)
     - First paper published on the subject: 02/02/2000
     - http://ha.ckers.org/cross-site-scripting.html
  7. XSS
     A short segment from this paper: "A security issue has come to Microsoft's attention that we refer to as 'cross-site scripting'. This is not an entirely new issue – elements of the information we present have been known for some time within the software development community. However, the overall scope of the issue is larger than previously understood."
     What does this mean?
  8. XSS
     Why?
     - XSS is caused when dynamically generated web content contains user-supplied data
     - XSS is the result of failed input validation
     Demo
  9. CSRF
     - Cross-site request forgery is a type of malicious exploit that works by exploiting the trust that a site has for the user.
     - Example: an online banking web site. The attacker uses an XSS to get your browser to connect to the bank and execute a fund transfer.
     - Real life examples: changing passwords, changing the user ID
  10. So where has this gone over the last several years?
  11. Advances
     - The basics of XSS have not changed; attackers have just found better ways to utilize it.
     - XSS worm: the first XSS worm was the now famous MySpace 'Samy' worm (Oct 2005)
     - JavaScript malware
     - Trojans
     - Key loggers
     - Port scanners
     - All brought to you by XSS
  12. http://www.darkreading.com/document.asp?doc_id=155995&WT.svl=news2_1
  13. Code Development
     - Jeremiah Grossman, WhiteHat Security: BlackHat 2007 code released
     - AttackAPI, Petko D. (pdp) Petkov: http://www.gnucitizen.org, http://groups.google.com/group/attackapi
     - BeEF browser exploitation framework, Wade Alcorn: http://www.bindshell.net/tools
  14. ZOMBIE
     - Browser based command & control
     - Browser detail information
     - Read the user's clipboard
     - Cross protocol attacks
     - Browser control ("URL request")
     - Java injection
     - Port scanning
  15. DEMO
  16. (no slide text)
  17. Conclusion
     - Proper web site coding: input validation, validation, validation
     - User protection:
       - Don't click on URL links in emails
       - Set up your email program not to render HTML
       - Log out of online e-commerce and banking sites when done
       - Use authentication tokens if available (PayPal, eBay)
       - Keep web browsers patched
       - Be careful what web sites you go to
       - Change passwords frequently; don't use the same password
       - Set web browser security settings high
  18. Discovery tools
     - http://www.acunetix.com/cross-site-scripting/scanner.htm?gclid=COzKudiqrJQCFQkRswodSjjXuQ
     - http://www.securitycompass.com/exploitme.shtml
  19. Reference
     - XSS Attacks: "Cross Site Scripting Exploits and Defense", ISBN-13: 978-1-59749-154-9