Web Security SQL Injection, CSRF, XSS
ECEN 4133 Feb 11, 2021
Web Review | HTTP
Browser -> gmail.com: GET / HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, an HTML page whose script pops a dialog: "http://gmail.com/ says: Hi!"
Browser -> gmail.com: GET /img.png HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body is image data (<89>PNG^M ...)
Web Review | Cookies
Browser -> gmail.com: POST /login HTTP/1.1, Host: gmail.com, body user=alice&pass=s3cre7
gmail.com -> Browser: HTTP/1.1 200 OK, Server: gws, Set-Cookie: foo=bar, Set-Cookie: token=8kFmCe
Browser -> gmail.com (every later request): GET / HTTP/1.1, Host: gmail.com, Cookie: foo=bar; token=8kFmCe
gmail.com: "Ah, it's alice!" (the server recognises the session from the token cookie the browser sends back automatically)
Web Review | AJAX (jQuery style)
Browser -> gmail.com: GET / HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, a page containing the script
  $.get("http://gmail.com/msgs.json", function (data) { alert(data) });
Browser -> gmail.com (issued by that script): GET /msgs.json HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body { new_msgs: 3 }
Dialog: http://gmail.com/ says: { new_msgs: 3 }
Web Review | Same-Origin Policy (SOP)
Browser -> (evil!) facebook.com: GET / HTTP/1.1, Host: facebook.com
facebook.com -> Browser: HTTP/1.1 200 OK, a page containing the script
  $.get("http://gmail.com/msgs.json", function (data) { alert(data); })
Browser -> gmail.com (issued by facebook.com's script): GET /msgs.json HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body { new_msgs: 3 }
? Should facebook.com's script get to see this response?
No. The browser still sends the request (with gmail.com's cookies), but the same-origin policy keeps the response away from facebook.com's script: an origin is (scheme, host, port), and script from one origin may not read data fetched from another.

Web Review | Same-Origin Policy (SOP)
Browser -> facebook.com: GET / HTTP/1.1, Host: facebook.com
facebook.com -> Browser: HTTP/1.1 200 OK, a page that embeds the image http://gmail.com/img.png
Browser -> gmail.com: GET /img.png HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body <89>PNG^M ...
? Should this be allowed?
Yes. Cross-origin embedding (images, scripts, frames) is permitted: the image is displayed on facebook.com's page, but facebook.com's script cannot read its pixels.

Web Review | Same-Origin Policy (SOP)
gmail.com's own page runs
  $.get("http://gmail.com/chat.json", function (data) { alert(data); })
Browser -> gmail.com: GET /chat.json HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body { new_msg: { from: "Bob", msg: "Hi!" } }
Dialog: http://gmail.com/ says: { new_msg: { from: "Bob", msg: "Hi!" } }
Same origin, so the script is allowed to read the response.
Cross-site Request Forgery (CSRF)
Suppose you log in to bank.com:
Browser -> bank.com: POST /login?user=bob&pass=abc123 HTTP/1.1, Host: bank.com
bank.com -> Browser: HTTP/1.1 200 OK, Set-Cookie: login=fde874 ....
bank.com now remembers: fde874 = bob

Cross-site Request Forgery (CSRF)
Browser -> bank.com: GET /account HTTP/1.1, Host: bank.com, Cookie: login=fde874
bank.com -> Browser: HTTP/1.1 200 OK .... page shows the balance: $378.42

Cross-site Request Forgery (CSRF)
An attacker's page shows a link "Click me!!!" that points at http://bank.com/transfer?to=badguy&amt=100
Browser -> bank.com: GET /transfer?to=badguy&amt=100 HTTP/1.1, Host: bank.com, Cookie: login=fde874
  (the browser attaches bank.com's cookie to any request for bank.com, no matter which page triggered it)
bank.com -> Browser: HTTP/1.1 200 OK .... Transfer complete: -$100.00
bank.com cannot tell this request from one Bob made on purpose: the cookie is its only evidence of who is asking, and the cookie was sent automatically.
CSRF Defenses
Need to authenticate that each user action originates from our site, not merely from the user's browser
One way: each action gets a token associated with it
On a new action (page), verify the token is present and correct
The attacker can't find the token for another user (the same-origin policy stops their script from reading our pages), and thus can't make actions on the user's behalf
The token must be unpredictable (from a CSPRNG), bound to the session, and compared on the server; state-changing actions should be POSTs rather than GETs, so a plain link cannot trigger them
CSRF Defenses
bank.com's own page contains the link: Pay $25 to Joe: http://bank.com/transfer?to=joe&amt=25&token=8d64
bank.com -> Browser (when serving that page): HTTP/1.1 200 OK, Set-Cookie: token=8d64 ....
bank.com remembers: fde874 = bob
Browser -> bank.com: GET /transfer?to=joe&amt=25&token=8d64 HTTP/1.1, Host: bank.com, Cookie: login=fde874; token=8d64
bank.com checks that the token in the URL matches the token tied to session fde874 (here also echoed in the token cookie); an attacker's forged link can make the browser send the cookie, but cannot learn the value to put in the URL
bank.com -> Browser: HTTP/1.1 200 OK .... Transfer complete: -$25.00
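The token check from the two CSRF Defenses slides, worked through in Python as an added example (this is not code from the lecture). It assumes a server-side session store keyed by the login cookie, the deck's cookie value fde874 for user bob, the transfer parameters to, amt and token, and a 16-byte random token; all of these are assumptions for the example.

```python
"""Synchronizer-token CSRF defence for the bank.com transfer flow (added example)."""
import hmac
import secrets
from typing import Dict, Optional

# Constructed server-side session store: login cookie value -> session data.
# The cookie value "fde874" and user "bob" mirror the slides; the balance is made up.
SESSIONS: Dict[str, dict] = {
    "fde874": {"user": "bob", "balance": 378.42},
}


def issue_csrf_token(login_cookie: str) -> str:
    """Mint a fresh unpredictable token and bind it to the logged-in session.

    bank.com embeds this token in its own transfer form/link. A page on another
    origin cannot read it, because the same-origin policy blocks that read.
    """
    session = SESSIONS[login_cookie]
    token = secrets.token_hex(16)          # 128 bits from the OS CSPRNG (assumed size)
    session["csrf_token"] = token
    return token


def csrf_token_valid(login_cookie: str, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the session's token in constant time."""
    session = SESSIONS.get(login_cookie)
    if session is None or submitted is None or "csrf_token" not in session:
        return False
    expected = session["csrf_token"]
    return hmac.compare_digest(expected.encode(), submitted.encode())


def handle_transfer(method: str, login_cookie: str, params: dict) -> str:
    """Server handler for /transfer. Returns the response body text."""
    # A state-changing action is only accepted over POST, never via a GET link.
    if method != "POST":
        return "405 Method Not Allowed"
    session = SESSIONS.get(login_cookie)
    if session is None:
        return "401 Unauthorized"
    # The cookie alone proves nothing about who built the request; the token does.
    if not csrf_token_valid(login_cookie, params.get("token")):
        return "403 Forbidden: missing or bad CSRF token"
    amount = float(params["amt"])
    if amount <= 0 or amount > session["balance"]:
        return "400 Bad Request: invalid amount"
    session["balance"] -= amount
    return f"Transfer complete: -${amount:.2f} to {params['to']}"


if __name__ == "__main__":
    # The attacker's forged request carries Bob's cookie but no token -> rejected.
    print(handle_transfer("POST", "fde874", {"to": "badguy", "amt": "100"}))
    # Bob's own form submission carries the token bank.com issued -> accepted.
    tok = issue_csrf_token("fde874")
    print(handle_transfer("POST", "fde874", {"to": "joe", "amt": "25", "token": tok}))
```

The comparison uses hmac.compare_digest so that a wrong token cannot be distinguished from a right one by timing; the tokens are encoded to bytes first because compare_digest rejects non-ASCII str input.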
Cross-Site Scripting (XSS)
Browser -> server: GET /?user=Bob HTTP/1.1
server -> Browser: HTTP/1.1 200 OK ... page reads: Hello, Bob!

Cross-Site Scripting (XSS)
Browser -> server: GET /?user=<script>alert('XSS')</script> HTTP/1.1
server -> Browser: HTTP/1.1 200 OK ... page source: Hello, <script>alert('XSS')</script>!
The page displays "Hello, !" and the script runs: the user parameter was pasted into the HTML unescaped, so the browser treats it as code rather than data.
Web Review | Same-Origin Policy (SOP)
Recap: (evil!) facebook.com's page fetches http://gmail.com/msgs.json, gmail.com answers HTTP/1.1 200 OK ... { new_msgs: 3 }, but facebook.com's script is not allowed to read that response because gmail.com is a different origin.

Cross-Site Scripting (XSS) Attack
Browser -> (evil!) facebook.com: GET / HTTP/1.1, Host: facebook.com
facebook.com -> Browser: HTTP/1.1 200 OK ... a page that sends the browser to
  http://gmail.com/?user=<script>$.get("http://gmail.com/msgs.json", function (data) { alert(data); })</script>
Browser -> gmail.com: GET /?user=<script>$.get("http://gmail.com/msgs.json", function (data) { alert(data); })</script> HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, page source: Hello, <script>$.get("http://gmail.com/msgs.json", function (data) { alert(data); })</script>!

Cross-Site Scripting (XSS) Attack
The injected script now runs with gmail.com as its origin, so the same-origin policy lets it read gmail.com's data:
Browser -> gmail.com (issued by the injected script, with gmail.com's cookies): GET /msgs.json HTTP/1.1, Host: gmail.com
gmail.com -> Browser: HTTP/1.1 200 OK, body { new_msgs: 3 }
Dialog: http://gmail.com/ says: { new_msgs: 3 }
The attacker chose the script, so instead of alert(data) it could just as well send data to a server the attacker controls.
Types of XSS
Reflected XSS: the payload travels in the request and is echoed straight back in the response
  http://vulnerable.com/?q=<script ...>
Stored XSS: the attacker stores the payload in the site's database
  POST /message HTTP/1.1
  Host: vulnerable.com
  to=victim&message=<script ...>
  Later the victim browses to http://vulnerable.com/inbox and the page shows:
  You have 1 new message:
  From: attacker
  Message: <script ...>   (rendered unescaped, so it runs in the victim's browser)
Cross-Site Scripting (XSS) Attack
What can an attacker do with an XSS?
Exfiltrate data back to the attacker (e.g. via an HTTP POST to the attacker's server): cookies, CSRF tokens, private information
Perform actions on the victim's behalf: any CSRF attack, now with the CSRF token in hand
Set cookies of the attacker's choosing
(A cookie marked HttpOnly cannot be read by script, but the injected script can still send requests that carry it.)
XSS Defenses
Make sure data gets shown as data, not executed as code!
Escape special characters
Which ones? Depends on the context in which your $data is presented
Inside an HTML document, between tags? (Different characters matter inside an attribute, a script, or a URL, so use the escaping for the exact context you are inserting into.)
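Context-dependent escaping in Python, as an added example (not the lecture's code). It goes beyond the one HTML-document context the slide names and covers a quoted attribute, a JavaScript string literal, a URL query value, and an href, which needs a scheme check rather than escaping; the payload string is constructed to match the deck's alert('XSS') example, and the "#" fallback for a rejected href is an assumed policy.

```python
"""Context-aware output encoding for untrusted $data (added example)."""
import html
import json
from urllib.parse import quote, urlsplit

# Constructed attacker input, modelled on the deck's payload.
PAYLOAD = "<script>alert('XSS')</script>"


def escape_html_text(data: str) -> str:
    """Context: between HTML tags, e.g. <p>Hello, $data!</p>.
    Only &, < and > can start markup here."""
    return html.escape(data, quote=False)


def escape_html_attr(data: str) -> str:
    """Context: inside a quoted attribute, e.g. <input value="$data">.
    Quotes must be escaped as well, or the attacker closes the attribute
    and adds an on* handler of their own."""
    return html.escape(data, quote=True)


def escape_js_string(data: str) -> str:
    """Context: inside a JavaScript string literal in a <script> block.
    json.dumps quotes and backslash-escapes the string; '<' is additionally
    escaped so a '</script>' inside the literal cannot end the enclosing tag."""
    return json.dumps(data).replace("<", "\\u003c")


def escape_url_param(data: str) -> str:
    """Context: a query-string value, e.g. href="/search?q=$data"."""
    return quote(data, safe="")


def safe_href(url: str) -> str:
    """Context: the whole value of an href. Escaping alone does not help:
    'javascript:alert(1)' has no special characters yet executes on click.
    Allow only http(s) URLs, then attribute-escape the survivor."""
    scheme = urlsplit(url).scheme.lower()
    if scheme not in ("http", "https"):
        return "#"   # assumed policy: neutralise anything else
    return escape_html_attr(url)


def render_greeting(user: str) -> str:
    """The deck's Hello, <user>! page, rendered with HTML-text escaping."""
    return f"<p>Hello, {escape_html_text(user)}!</p>"


if __name__ == "__main__":
    print(render_greeting("Bob"))
    print(render_greeting(PAYLOAD))
    print(escape_js_string("</script><script>alert(1)</script>"))
    print(safe_href("javascript:alert(1)"))
```

Each function is only correct for the context named in its docstring; HTML-text escaping inside a script block or an href leaves the attacker's options open, which is the point of the "which characters?" question.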
Code Injection
SQL injection is the same data-vs-code confusion inside a database query. The fix is a prepared statement: the query text is fixed and the user's value is bound to it separately, so it can never change the query's structure.
$pstmt = $db->prepare(                                  // $db: an assumed PDO connection
    'SELECT * FROM `users` WHERE location=?');          // Code
$pstmt->execute(array($city));                          // Data
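The injection that the slide's prepared statement prevents, shown end to end in Python with sqlite3 as an added example (not the lecture's PHP). The users table, its three rows and the city values are constructed for the example; the string-built query is kept deliberately vulnerable so the two can be compared on the same input.

```python
"""SQL injection: string-built query vs. parameterized query (added example)."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, location TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "Boulder"), ("bob", "Denver"), ("carol", "Boulder")])
    return db


def users_in_city_vulnerable(db: sqlite3.Connection, city: str) -> list:
    """Vulnerable on purpose: the untrusted value is pasted into the SQL text,
    so a quote character in `city` ends the string literal and the rest of the
    input becomes part of the query (code, not data)."""
    query = f"SELECT name FROM users WHERE location='{city}'"
    return [row[0] for row in db.execute(query)]


def users_in_city_safe(db: sqlite3.Connection, city: str) -> list:
    """Safe: the query text is fixed and `city` travels as a bound parameter,
    the Python equivalent of the PHP prepare()/execute() pair on the slide.
    The same attack string is now just a location nobody lives in."""
    return [row[0] for row in db.execute(
        "SELECT name FROM users WHERE location=?", (city,))]


if __name__ == "__main__":
    db = make_db()
    attack = "x' OR '1'='1"
    print(users_in_city_vulnerable(db, "Denver"))   # ['bob']
    print(users_in_city_vulnerable(db, attack))     # every user: the WHERE clause is always true
    print(users_in_city_safe(db, attack))           # []
```

The attack value turns the vulnerable query into SELECT name FROM users WHERE location='x' OR '1'='1', which matches every row; in the parameterized form the database never parses the value as SQL, so no escaping of the input is needed.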