VU21997 - Expose Website Security Vulnerabilities - Class 5 XSS

This document discusses cross-site scripting (XSS) vulnerabilities. It begins with an example of how a malicious script could be inserted into a trusted website's forum to steal users' banking cookies. It then explains that XSS allows attackers to potentially access cookies, files, and run other code on users' browsers. The document outlines stored and reflected XSS, and notes that JavaScript is commonly used in XSS attacks due to its ability to change content, popups, and steal cookies. It provides examples of testing for XSS vulnerabilities and encourages reviewing exercises on related vulnerabilities like SQL injection.

Uploaded by cryptailmine
Copyright © All Rights Reserved

Expose Website Security Vulnerabilities
XSS

Warm up

• So what’s news?
• Anyone listening to interesting podcasts?
• Who heard about Oracle’s severity 10 flaw and emergency fix?
  http://www.zdnet.com/article/oracle-pushes-out-emergency-fix-for-remote-system-hijack-vulnerability/
• Who found the most severe vulnerability from previous homework?
• In security, people assume you’ve heard about anything in the news
• SANS “StormCast” are daily 5-10 min updates about threats
  https://isc.sans.edu/podcast.html

Cross Site Scripting (XSS)

• You’ve made a website with a forum to talk about your favourite topic: cats!
• You have PHP code (scripts) allowing people to log in, post messages, direct message other users, etc.
• Users trust your website
• Today, someone wrote an unusual post:

Hi all!
Thank you for your help.
<script>steal_your_banking_cookies()</script>

• A week later, your bank calls and asks if you’ve made purchases in Zimbabwe recently.
• What happened?

Cross Site Scripting

1. Users went to your (trusted) website and trusted you
2. Someone inserted their own script (untrusted/malicious) into your website, e.g. www.mysite.com/forum/topic1.php
3. Another user went to the same page and ran both trusted and untrusted scripts

• The attacker now can potentially:
  • Access cookies (see saved passwords, steal your session tokens, see websites you visit)
  • Access files on your computer
  • Have your computer run other code (post spam messages, change content)
• Basically: they potentially can do anything you can do in your browser

Types of XSS

• Stored XSS Attacks
  • E.g. Attacker makes a malicious forum post
  • Victims see the post and run the code
  • Affects everyone
• Reflected XSS Attacks
  • A user is emailed a link that looks safe (www.bank.com) but hides a malicious link,
    e.g. http://www.me.com/topic1.php?post=<img src=http://evil.com/attack.js>
  • User clicks on the link, which runs the code
  • Generally only affects user who clicked
• There are other types (e.g. DOM based)

Scripting on the web

• What’s the most common scripting language used on the web?
  • JavaScript (Completely unrelated to Java. Yes, it’s confusing.)
• What can you do with JavaScript?
  • Change images (onmouseover)
  • Popups / alerts
  • Download other elements
  • Interact with the user
  • Steal your cookies (pretend to be you)
• How do we know if a site is vulnerable to XSS attacks?

Image copyright: https://vimalb.github.io/IoT-ESP8266-Starter/Lesson_05/lesson.html

Web for Pentester 1 – Example 1

• Expected input: name=jeff, name=user, etc
• Recall – with SQL injection, I can insert code instead. What if I use basic JavaScript?
  • http://site.com/xss/example1.php?name=<script>alert('Hi mom!')</script>
• What is this: Stored XSS or reflected XSS?
  • Reflected: not stored on website; malicious code delivered via link

Web for Pentester – Example 2&3

• First – try the same trick.
  • Nope – doesn’t work. Why?
• If we can’t use <script>, can we try something else?
  • Maybe the developer was lazy: maybe they didn’t check aLL variations of SCriPT?
  • Can we use something else? (try <img src=null onerror="alert('XSS worked!')">)
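
Added example (not from the slides or from Web for Pentester): a Node.js model of the Example 1-3 handlers, showing why deleting `<script>` fails against the slide inputs while encoding on output holds, which is also the fix for the stored forum post earlier. The function names, the `<p>Hello ...</p>` markup and the exact filter are assumptions; the inputs are the ones on the slides.

```javascript
// Added example, not Web for Pentester source: a Node.js model of a handler
// like example1.php?name=... Function names and markup are assumptions.

// Inputs from the slides (the mixed-case tag is the "SCriPT" hint).
const SLIDE_INPUTS = [
  "jeff",
  "<script>alert('Hi mom!')</script>",
  "<SCriPT>alert('Hi mom!')</SCriPT>",
  `<img src=null onerror="alert('XSS worked!')">`,
];

// Vulnerable: the parameter is pasted straight into the response.
function renderRaw(name) {
  return `<p>Hello ${name}</p>`;
}

// "Lazy" filter (assumed): deletes only the exact lowercase tags.
function renderBlacklist(name) {
  const stripped = name.replace(/<script>/g, "").replace(/<\/script>/g, "");
  return `<p>Hello ${stripped}</p>`;
}

// Hardened: encode HTML-significant characters at output time.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderEncoded(name) {
  return `<p>Hello ${escapeHtml(name)}</p>`;
}

// Crude check: does the user's value still open a tag inside the <p>?
function injectsMarkup(html) {
  const body = html.slice("<p>Hello ".length, -"</p>".length);
  return /<[a-z\/!]/i.test(body);
}

// One row per slide input: true means attacker-controlled markup survived.
function report() {
  return SLIDE_INPUTS.map((input) => ({
    input,
    raw: injectsMarkup(renderRaw(input)),
    blacklist: injectsMarkup(renderBlacklist(input)),
    encoded: injectsMarkup(renderEncoded(input)),
  }));
}

console.table(report());
```

The character map covers HTML element content and quoted attribute values; values placed inside script blocks or URLs need encoding for that context instead.
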
Today’s work

• Do the quiz
• Try XSS exercises
• Revise previous exercises (SQLi, IDOR, Nikto, NMap)
• Review and begin Assessment Task 2
