2. What are we going to learn today?
• Types of XSS:
  • Non-Persistent (Reflected)
  • Persistent (Stored)
  • Blind XSS
  • DOM
• How it works
• Examples
• How to defend most
3. #2 most common hacking method
(Chart: share of reported attacks by method)
• Cross Site Scripting (XSS): 13%
• SQL Injection: 19%
• Denial of Service: 8%
• Predictable Resource Location: 4%
• Unintentional Information Disclosure: 4%
• Unknown: 19%
• Brute Force: 4%
• Credential / Session Prediction: 2%
• More: 27%
4. Types of XSS: Cross Site Scripting
• Non-Persistent (Reflected)
  • Reflected immediately on the page by the server side
  • CSRF: Cross-Site Request Forgery
  • Redirect to another site
  • Display text that seems to come from the site owners. Think phishing.
  • Steal secrets that are stored in JS variables.
  • Display a password input, log keystrokes, and send the result to a site of your choosing
• Persistent (Stored)
  • Saved by the server, without the need to individually target victims
  • Cookie theft
  • Data theft
• DOM
  • Client (browser) side injection issue
  • Can do everything
5. Example 1: Non-Persistent (Reflected)
<a href="http://www.mybank.com/transfer?acc=jon&amount=1000&for=attacker">Something</a>
Example 2: Persistent (Stored)
Samy worm - infected over 1 million MySpace profiles in less than 20 hours.
Example 3: DOM Based XSS
Using a built-in object and manipulating it
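The DOM-based case above, as an added example that is not from the slides: a greeting widget reads the built-in location object and writes it into an innerHTML sink, beside the hardened version that uses a text sink. Node.js has no DOM, so a minimal stand-in element and a sample URL fragment are constructed here; the function and variable names are assumptions.

```javascript
// Added example, not from the slides: a DOM-based XSS sink fed from the
// built-in location object, beside the hardened version of the same code.
// Node.js has no DOM, so a minimal stand-in element is constructed here.

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Stand-in for a DOM element: innerHTML stores markup as-is (a browser
// would parse it), textContent stores it as escaped characters (as a
// browser serialises a text node; quotes are escaped here too, which is
// harmless for this demonstration).
function makeElement() {
  return {
    html: '',
    get innerHTML() { return this.html; },
    set innerHTML(v) { this.html = String(v); },
    set textContent(v) { this.html = escapeHtml(v); },
  };
}

// Vulnerable pattern: data from location.hash, which whoever crafted the
// link controls, flows straight into an innerHTML sink.
function renderGreetingUnsafe(el, location) {
  const name = decodeURIComponent(location.hash.slice(1));
  el.innerHTML = 'Welcome, ' + name;
  return el.innerHTML;
}

// Hardened: same feature, but the untrusted string goes through a text
// sink, so the browser treats it as characters, never as markup.
function renderGreetingSafe(el, location) {
  const name = decodeURIComponent(location.hash.slice(1));
  el.textContent = 'Welcome, ' + name;
  return el.innerHTML;
}

// Defender's check: does the rendered HTML still contain a tag carrying
// an on* event-handler attribute?
function containsEventHandlerTag(html) {
  return /<\w+[^>]*\son\w+\s*=/i.test(html);
}

// Constructed sample fragment carrying markup instead of a name.
const sampleLocation = { hash: '#%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E' };

console.log(renderGreetingUnsafe(makeElement(), sampleLocation)); // tag survives
console.log(renderGreetingSafe(makeElement(), sampleLocation));   // tag escaped
```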
6. Blind XSS: What is it?
Blind XSS is when an attacker "blindly" deploys a series of malicious payloads on web pages that are likely to save them to a persistent state (like in a database, or in a log file), and waits...
(Timeline: Day 1 ... 1 Month ... 2 Months)
Then, after some time, the script gets executed :)
References: ADAM BALDWIN: DEFCON 20: Blind XSS
9. Xploiting Google Gadgets: Gmalware and Beyond
• XSS hole in gmodules.com
• Gmodules is a platform to test and host your Google gadget.
• An XSS vulnerability documented by RSnake in 2007 showed that anyone can run an XSS attack on gmodules.com, which is a domain owned by Google.
• Gmodules can also be a platform to host your malware.
• Gmodules is a domain hosted by Google and can be used for phishing activity.
References: Robert Hansen and Tom Stracener: Xploiting Google Gadgets: Gmalware and Beyond