XSS - Cross-Site-Scripting (XSS) 2 Presentation Overview...

Slide 2: Presentation Overview
- What is Cross-Site Scripting?
- What is the impact of Cross-Site Scripting?
- What are Cross-Site Scripting techniques? Basic anatomy of attacks
- How can we protect applications against it? Basic protection mechanisms

Slide 3: What is Cross-Site Scripting?
The three conditions for Cross-Site Scripting:
1. A Web application accepts user input. (Well, which Web application doesn't?)
2. The input is used to create dynamic content. (Again, which Web application doesn't?)
3. The input is insufficiently validated. (Most Web applications don't validate sufficiently!)

Slide 4: What is Cross-Site Scripting?
Cross-Site Scripting, aka XSS or CSS. The players:
- An attacker: an anonymous Internet user, or a malicious internal user
- A company's Web server (i.e. Web application): external (e.g. shop, information, CRM, supplier) or internal (e.g. Employee Self-Service Portal)
- A client: any type of customer, or an anonymous user accessing the Web server

Slide 5: What is Cross-Site Scripting?
Scripting: Web browsers can execute commands embedded in an HTML page. Browsers support different languages (JavaScript, VBScript, ActiveX, etc.); the most prominent is JavaScript.
Cross-Site means: foreign script is sent via the server to the client. The attacker makes the Web server deliver malicious script code, and the malicious script is executed in the client's Web browser.
Attack: steal access credentials, denial-of-service, modify Web pages, execute any command at the client machine.

Slide 6: XSS-Attack: General Overview
Post forum message:
  Subject: GET Money for FREE !!!
  Body: <script> attack code </script>
1. Attacker sends malicious code
2. Server stores message (the forum listing now shows "GET Money for FREE !!!" alongside "Did you know this? .....")
3. User requests message: GET /forum.jsp?fid=122&mid=2241
4. Message is delivered by server: GET Money for FREE !!! <script> attack code </script>
5. Browser executes script in message: !!! attack code !!!
Parties in the diagram: Attacker, Client, Web Server.
This is only one example out of many attack scenarios!
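The flow on slide 6 hinges on condition 3 from slide 3: the server stores the message as posted, and whether the next reader's browser executes it is decided at the moment the page is built. The following is an added example, not code from the presentation: it models the forum store with a constructed message that reuses the slide's placeholder payload, shows the raw-concatenation rendering the slide describes beside a version that applies contextual output encoding, and includes a simple check that a test suite can run over rendered pages. The function names, the message id and the store are assumptions made for the example.

```javascript
// Added example (not from the slides): a minimal model of the forum flow on
// slide 6. The message is stored verbatim; what decides whether the client's
// browser executes it is how the server encodes it when building the page
// for the next reader (the "insufficiently validated" condition on slide 3).

// Constructed message, using the same placeholder payload the slide shows.
const storedMessage = {
  subject: "GET Money for FREE !!!",
  body: "<script> attack code </script>",
};

// Step 2: the server stores the message as posted. Storing angle brackets is
// fine by itself; the defect is in how the stored text is later emitted.
const forumStore = new Map([[2241, storedMessage]]);

// Vulnerable rendering (the behaviour the slide describes): raw string
// concatenation puts the poster's markup straight into the page.
function renderUnsafe(mid) {
  const m = forumStore.get(mid);
  return `<h2>${m.subject}</h2><div class="body">${m.body}</div>`;
}

// Contextual output encoding for an HTML element body: the five characters
// that can change the parser's state. Attribute and JavaScript contexts need
// different encoders; this one is only correct for text between tags.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened rendering: same template, every untrusted value encoded on output.
function renderSafe(mid) {
  const m = forumStore.get(mid);
  return `<h2>${escapeHtml(m.subject)}</h2><div class="body">${escapeHtml(m.body)}</div>`;
}

// A cheap check for a test suite or a response-inspection hook: does the
// rendered page contain a script start tag that the template itself never
// emits? Crude on its own, but it catches exactly the slide's scenario.
function containsScriptTag(html) {
  return /<script[\s>]/i.test(html);
}

// Stand-alone run: the unsafe page carries the tag, the safe page does not.
console.log("unsafe page has script tag:", containsScriptTag(renderUnsafe(2241)));
console.log("safe page has script tag:  ", containsScriptTag(renderSafe(2241)));
console.log(renderSafe(2241));
```

The encoder is deliberately narrow: it is the right tool only for the element-body context used in the template. Placing the same stored text inside an attribute value, a URL, or a script block requires an encoder for that context, which is why the slide's "basic protection mechanisms" start with knowing where each untrusted value lands in the page.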