
e0047a1e4c8b18dca606414b958012b8.ppt
- Number of slides: 14
IBM Rational Application Security
The Bank Job: Utilizing XSS Vulnerabilities
Adi Sharabani, IBM Rational Application Security Research Group Manager
OWASP IL
© 2009 IBM Corporation
ILSL - IBM Israel Software Lab

Agenda
§ Theoretical part:
  – Same Origin Policy 101
  – Cross-Site Scripting 101
  – HTTP sessions
§ Practical part:
  – Trivial robbery
  – Advanced robbery
Browser Scripting Capabilities
§ What scripts can do:
  – Scripts can perform the same interactions with the site that the user can
  – Scripts can interact with the web site seamlessly, without any visible sign to the user
  – Scripts can perform any action that is related to the site
  – Scripts can launch signed, safe ActiveX controls
Scripting Restrictions – Same Origin Policy
§ What scripts can not do:
  – Scripts can only interact with the domain (origin) they came from
  – Scripts can send requests to, and read responses from, their own origin only
  – Scripts can access other frames only when those frames come from the same origin
  – Scripts can issue requests to other domains, but cannot read the corresponding responses
XSS 101
§ XSS occurs when user input is returned by the web application without encoding, so input that contains JavaScript is executed by the browser:
  String data = request.getParameter("param");
  out.println(data);
§ Simple exploit:
  – http://www.thebank.site/action?param=<payload>
§ XSS defeats the Same-Origin Policy
  – The vulnerable domain now returns attacker-supplied JavaScript, which the browser runs with that domain's privileges.
Cross Site Scripting – The Exploit Process (Evil.org, User, TheBank.site)
1. Evil.org sends the user a link to bank.com via e-mail or HTTP
2. User sends the script to TheBank.site, embedded as data
3. Script returned by TheBank.site and executed by the browser
The session cookie
§ HTTP is stateless
§ Session id makes your application stateful
§ Session id = your identification
§ Should not be guessable
§ JavaScript access: document.cookie
Cross Site Scripting – The Exploit Process (Evil.org, User, TheBank.site)
1. Evil.org sends the user a link to bank.com via e-mail or HTTP
2. User sends the script to TheBank.site, embedded as data
3. Script returned by TheBank.site and executed by the browser
4. Script sends the user's cookie and session information to Evil.org without the user's consent or knowledge
5. Evil.org uses the stolen session information to impersonate the user
Trivial Robbery Demo
Demo
§ Build payload
§ Send malicious link to victim
§ Retrieve the cookie and extract the session id
§ Manually add session cookie to local browser
§ Make a transaction
Advanced Robbery Demo
Problems: The session id cookie is not enough
§ HttpOnly – the browser still sends the cookie with requests but hides it from document.cookie
  – Set-Cookie: <name>=<value>[; <name>=<value>] [; expires=<date>][; domain=<domain_name>] [; path=<some_path>][; secure][; HttpOnly]
§ Pre-logon XSS – if the injection fires before the user logs in, there is no session cookie to steal yet
Problems: Key-logging is not enough
§ Second-factor authentication
  – Dongles
  – Client certificates
§ Challenge on transaction
  – Security questions: "What is your mom's maiden name?"
  – Time-based challenge
?
http://blog.watchfire.com