Blind XSS & Click Jacking

Vinesh Redkar

null Mumbai Chapter December 2012 meet

Transcript of Blind XSS & Click Jacking

Page 1: Blind XSS & Click Jacking

Vinesh Redkar

Page 2: Blind XSS & Click Jacking

Vinesh Redkar

(Security Analyst)

At NII Consulting

Research

Found Stored XSS on PayPal, Rediffmail.

http://securityvin32.blogspot.com

[email protected]

Page 3: Blind XSS & Click Jacking

Introduction

• What is Cross-Site Scripting

• Types of Cross-Site Scripting

• What is Blind XSS

• Demo of Blind XSS

• Impact of XSS

• Mitigation of XSS

Page 4: Blind XSS & Click Jacking

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into web sites.

Types Of Cross-Site Scripting

Reflected XSS (Non-persistent)

Stored XSS(Persistent)

DOM XSS

Page 5: Blind XSS & Click Jacking
Page 6: Blind XSS & Click Jacking

Application with stored XSS vulnerability

[Diagram: the attack flow against an application built from Custom Code on top of the business functions Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce and Bus. Functions]

• Attacker sets the trap – update my profile: the attacker enters a malicious script into a web page that stores the data on the server

• Script runs inside victim’s browser with full access to the DOM and cookies

• Script silently sends attacker Victim’s session cookie

Page 7: Blind XSS & Click Jacking
Page 8: Blind XSS & Click Jacking

• XSS attack’s first target is the Client

– Client trusts server (Does not expect attack)

– Browser executes malicious script

• But second target = Company running the Server

– Loss of public image (Blame)

– Loss of customer trust

– Loss of money

Page 9: Blind XSS & Click Jacking

• What is it?

• Using it in penetration tests

• Challenges

Page 10: Blind XSS & Click Jacking

It’s not like blind SQLi where you get immediate feedback.

You don’t even know whether your payload will execute (or when!).

You must think ahead about what you want to accomplish … and you have to be listening.

Page 11: Blind XSS & Click Jacking
Page 12: Blind XSS & Click Jacking
Page 13: Blind XSS & Click Jacking
Page 14: Blind XSS & Click Jacking
Page 15: Blind XSS & Click Jacking
Page 16: Blind XSS & Click Jacking
Page 17: Blind XSS & Click Jacking

1. Carefully choose the right payload for the right situation.

2. Get lucky!

3. Patience

Page 18: Blind XSS & Click Jacking

Where blind XSS payloads tend to land:

• log viewers

• exception handlers

• customer service apps (chats, tickets, forums, etc.)

• anything moderated

For the demo we used a Feedback Page.

Page 19: Blind XSS & Click Jacking
Page 20: Blind XSS & Click Jacking

A malicious user can use XSS to steal credentials or silently redirect to malicious pages, which can aid in further exploitation.

A cross-site scripting attack can result in the following:

1. Account hijacking

2. Malicious script execution

3. Information theft

4. Denial of Service

5. Browser Redirection

6. Manipulation of user settings

Page 21: Blind XSS & Click Jacking

Input validation

Output Encoding:

• <  &lt;

• >  &gt;

• (  &#40;

• )  &#41;

• #  &#35;

• &  &#38;

Do not use "blacklist" validation

Specify the output encoding
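The stored XSS flow on page 6 and the mitigation slide above fit together in one small piece of code. The following is an added example, not code from the talk or from NII Consulting: a vulnerable feedback renderer that concatenates stored text straight into HTML, next to a hardened version that applies the output encoding from the slide (plus the two quote characters, which the slide omits but which matter inside attribute values). The sample feedback string is constructed for the example; the function names are assumptions. The encoding shown is for HTML body and double-quoted attribute contexts only; data placed into URLs or JavaScript needs a context-specific encoder instead.

```javascript
// Added example (not from the slides): output encoding for untrusted data
// rendered into HTML. Covers the characters on the mitigation slide plus
// the quote characters needed when the value lands inside an attribute.
const HTML_ENCODE = {
  '&': '&#38;',
  '<': '&lt;',
  '>': '&gt;',
  '(': '&#40;',
  ')': '&#41;',
  '#': '&#35;',
  '"': '&#34;',
  "'": '&#39;',
};

// Encode every special character exactly once (a single pass with a
// callback, so an already-encoded '&' is never double-encoded).
function encodeForHtml(value) {
  return String(value).replace(/[&<>()#"']/g, (ch) => HTML_ENCODE[ch]);
}

// Vulnerable version: stored feedback text is concatenated raw into the page,
// which is the "attacker sets the trap" step of the stored XSS flow.
function renderFeedbackUnsafe(text) {
  return `<div class="feedback">${text}</div>`;
}

// Hardened version: same template, but the untrusted value is encoded at the
// point of output, so the browser shows the payload as text instead of running it.
function renderFeedbackSafe(text) {
  return `<div class="feedback">${encodeForHtml(text)}</div>`;
}

// "Specify the output encoding": declare the charset so the browser cannot
// be tricked into sniffing a different one (assumed helper name).
function htmlResponseHeaders() {
  return { 'Content-Type': 'text/html; charset=utf-8' };
}

// Constructed sample of a stored payload as it might arrive via a feedback form.
const SAMPLE_FEEDBACK = '<script>alert(document.cookie)</script>';

// Simple check used to compare the two renderers: is a script tag still present?
function containsScriptTag(html) {
  return /<script/i.test(html);
}

console.log('unsafe:', renderFeedbackUnsafe(SAMPLE_FEEDBACK));
console.log('safe:  ', renderFeedbackSafe(SAMPLE_FEEDBACK));
```

Both renderers use the same template; the only difference is where the encoding happens, which is why "output encoding" belongs at the point the data is written into the page rather than at the point it is stored.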

Page 22: Blind XSS & Click Jacking

Clickjacking is an attack that tricks a web user into clicking a button, a link or a picture, etc. that the web user didn’t intend to click, typically by overlaying the web page with an iframe.

We’ve known about clickjacking, also called “UI redress attacks,” for years now, as they were originally described in 2008 by Robert Hansen and Jeremiah Grossman.

Clickjacking is when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is “hijacking” clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both.

Payload for Iframe injection: <iframe src="Target WebSite">

Set opacity:0; use z-index:-1. An element with a greater stack order is always in front of an element with a lower stack order.

Page 23: Blind XSS & Click Jacking
Page 24: Blind XSS & Click Jacking
Page 25: Blind XSS & Click Jacking

Don’t allow the website to be loaded in an IFRAME by using the X-Frame-Options header.

Using X-Frame-Options. There are three possible values for X-Frame-Options:

1. DENY – The page cannot be displayed in a frame, regardless of the site attempting to do so.

2. SAMEORIGIN – The page can only be displayed in a frame on the same origin as the page itself.

3. ALLOW-FROM uri – The page can only be displayed in a frame on the specified origin.

Page 26: Blind XSS & Click Jacking

Thank You