Expose Website

Security Vulnerabilities
XSS
Warm up

 So what’s news?
 Anyone listening to interesting podcasts?
 Who heard about Oracle’s severity 10 flaw and emergency fix?
http://www.zdnet.com/article/oracle-pushes-out-emergency-fix-for-
remote-system-hijack-vulnerability/
 Who found the most severe vulnerability from previous homework?
 In security, people assume you’ve heard about anything in the news
 SANS “StormCast” are daily 5-10 min updates about threats
 https://isc.sans.edu/podcast.html
Cross Site Scripting (XSS)

 You’ve made a website with a forum to talk about

your favourite topic: cats!
 You have PHP code (scripts) allowing people to log in,
post messages, direct message other users, etc.
 Users trust your website
 Today, someone wrote an unusual post:

Hi all!
Thank you for your help.
<script>steal_your_banking_cookies()</script>
 A week later, your bank calls and asks if you’ve made
purchases in Zimbabwe recently.
 What happened?
Cross Site Scripting

1. Users went to your (trusted) website and trusted you

2. Someone inserted their own script (untrusted/malicious) into your website
e.g. www.mysite.com/forum/topic1.php
3. Another user went to the same page and ran both trusted and untrusted scripts
 The attacker now can potentially:
 Access cookies (see saved passwords, steal your session tokens, see websites you visit)
 Access files on your computer
 Have your computer run other code (post spam messages, change content)
 Basically: they potentially can do anything you can do in your browser
 Types of XSS

 Stored XSS Attacks

 E.g. Attacker makes a malicious forum post
 Victims see the post and run the code
 Affects everyone
 Reflected XSS Attacks
 A user is emailed a link that looks safe
(www.bank.com) but hides a malicious link
e.g. http://www.me.com/topic1.php?post=
<img src=http://evil.com/attack.js>
 User clicks on the link, which runs the code
 Generally only affects user who clicked
 There are other types (e.g. DOM based)
Scripting on the web

 What’s the most common scripting

language used on the web?
 Javascript
(Completely unrelated to Java.
Yes, it’s confusing.)
 What can you do with Javascript?
 Change images (onmouseover)
 Popups / alerts Copyright https://vimalb.github.io/IoT-ESP8266-Starter/Lesson_05/lesson.html

 Download other elements

 Interact with the user
 Steal your cookies
(pretend to be you)
 How do we know if a site is
vulnerable to XSS attacks?
Web for Pentester 1 – Example 1

 Expected input: name=jeff, name=user, etc

 Recall – with SQL injection, I can insert code instead. What if I use basic Javascript?
 http://site.com/xss/example1.php?name=<script>alert('Hi mom!')</script>
 What is this: Stored XSS or reflected XSS?
 Reflected: not stored on website; malicious code delivered via link
Web for Pentester – Example 2&3

 First – try the same trick.

 Nope – doesn’t work. Why?
 If we can’t use <script>, can we try something else?
 Maybe the developer was lazy: maybe they didn’t check aLL variations of SCriPT?
 Can we use something else? (try <img src=null onerror="alert('XSS worked!')">
Today’s work

 Do the quiz
 Try XSS exercises
 Revise previous exercises (SQLi, IDOR, Nikto, NMap)
 Review and begin Assessment Task 2