1 / 14

CROSS SITE SCRIPTING..!

CROSS SITE SCRIPTING..!. (XSS). Overview. What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?. XSS=CSS=Cross Site Scripting. What is XSS ?.

gladys
Télécharger la présentation

CROSS SITE SCRIPTING..!

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CROSS SITE SCRIPTING..! (XSS)

  2. Overview • What is XSS? • Types of XSS • Real world Example • Impact of XSS • How to protect against XSS?

  3. XSS=CSS=Cross Site Scripting

  4. What is XSS ? • XSS is one of the popularvulnerability(mainly in web applications) which allows malicious users to inject any arbitrary code into the web pages which will infect the other users(victims) who view it.The term ‘cross site script’ means foreign/attacker’s arbitrary script sent via server to client’s browser.

  5. TYPES OF XSS • Type 0 (DOM based XSS) • Type 1 (Reflected XSS) • Type 2 (Persistent XSS)

  6. TYPE 0-XSS • A piece of JavaScript accesses a URL request parameter and it is dynamically used to create HTML to its own page.CAUSE: This parameter value is not encoded using HTML entities. • Input data will be re-interpreted by browsers as HTML which could include additional client-side script. • DEMO: www.example.com/index.php?username= <script>alert(“HACKER”)</script>

  7. TYPE 1-XSS • This loophole is when a user input data is used as an input by server side scripts to generate page of results for that user • CAUSE: Input not sanitized/HTML encoding not taken care • A classic example of this is in site search engines and some other text fields. • DEMO: POST method: “><marquee><h1>HACKER</h1></marquee>

  8. TYPE 2-XSS • The input data provided by the attacker gets stored in the server side and then permanently displayed on normal pages returned to other users in the course of regular browsing, without proper HTML escaping(special characters escaping). • CAUSE: Input arbitrary script get stored in server side. • Highly Critical • DEMO: POST method: “><script>alert(“Hacker”)</script>

  9. Real World Examples DEMO……!!

  10. IMPACT OF XSS • Who is gonna suffer ? -CLIENT: He trust the server and he will not be knowing that browser is executing malicious script. -Vendors(where server is hosted): public image on the owning company of the product or web apps.

  11. Is XSS Critical…..! XSS+SOCIAL ENGINEERING= PHISHING XSS  DOS XSS->JavaScript Backdoor XSS---spoils----> Image of company. Hence, this bug is critical and prominent .

  12. How to protect against XSS? • Input sanitization/validation - parameter passed via GET and POST method. - User agent, Domain data in the cookie need to be validated. • HTML encoding - when input data is used to generate output pages or URL , input data should be HTML encoded.

  13. User defined functions and Firewalls • Developer can create a function that escapes or replaces the special malicious characters. • Web application Firewalls can be used.

  14. DON’T LEARN TO HACK……! HACK TO LEARN…..!! :P THANK YOU

More Related