Learn about XSS vulnerabilities and how to prevent cross-site scripting attacks
•Als PPTX, PDF herunterladen•
1 gefällt mir•682 views
Explanation on what are the types of XSS attacks, What is Blind XSS And the security hole google had in gmodules
Empfohlen
Weitere ähnliche Inhalte
Was ist angesagt?
Was ist angesagt? (20)
Andere mochten auch
Andere mochten auch (15)
Ähnlich wie Learn about XSS vulnerabilities and how to prevent cross-site scripting attacks
Ähnlich wie Learn about XSS vulnerabilities and how to prevent cross-site scripting attacks (20)
Kürzlich hochgeladen
Kürzlich hochgeladen (20)
Learn about XSS vulnerabilities and how to prevent cross-site scripting attacks
- 1. XSS: Cross-site scripting Ziv Ginsberg
- 2. What are we going to learn today? • Types of XSS: • Non-Persistent (Reflected) • Persistent (Stored) • Blind XSS • DOM • How it works • Examples • How to defend most
- 3. #2 most common hacking method Cross Site Scripting (XSS) 13% SQL Injection 19% Daniel of Service 8% Predictable Resource Location 4% Unintentional Information Disclosure 4% Unknown 19% Brute Force 4% Credential / Session Prediction 2% More 27%
- 4. Types of XSS: Cross Site Scripting Non-Persistent (Reflected) Reflected immediately on the page by server-side CSRF: Cross-Site Request Forgery Redirect to another site display text that seems to come from the site owners. Think phishing. Steal secrets that are stored in JS variables. display a password input, log keystrokes, and send the result to a site of your choosing Persistent (Stored) Saved by the server without the need to individually target victims Cookie theft Data theft DOM client (browser) side injection issue Can do everything
- 5. Example 2: Persistent (Stored) <a href="http://www.mybank.com/transfer?acc=jon&amount=1000&for=attacker">Something</a> Example 1: Non-Persistent (Reflected) Samy worm - infected over 1 million MySpace profiles in less than 20 hours. Example 3: DOM Based XSS Using a built-in object and manipulate it
- 6. Blind XSS: What is it? 1 MonthDay 1 2 Month Then after some time the Script get executed (: Blind XSS is that attacker “blindly” deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like in a database, or in a log file), and waits… References ADAM BALDWIN: DEFCON 20: Blind XSS
- 7. Blind XSS - How is it working?
- 8. Preventing Blind XSS Attacks
- 9. Xploiting Google Gadgets: Gmalware and Beyond XSS hole in gmodules.com Gmodules is a platform to test and host your google gadget. XSS Vulnerability documented by Rsnake in 2007 found that anyone can run xss attack on Gmodules.com which is a domain owned by google. Gmodules can also be a platform to host your malware. Gmodules is a domain host by google and can be used for phishing activity. References Robert Hansen and Tom Stracener: Xploiting Google Gadgets: Gmalware and Beyond
- 10. Example of Gadgets Hack Yosi ******* ******** ******** Yosi ********