2.4 - Cross-site Scripting Flashcards

1
Q

Cross-site scripting

A
  • XSS
    – Cascading Style Sheets (CSS) are something else entirely
  • Originally called cross-site because of browser security flaws
    – Information from one site could be shared with another
  • One of the most common web application development errors
    – Takes advantage of the trust a user has for a site
    – Complex and varied
  • Malware that uses JavaScript
    – Do you allow scripts? Me too.
2
Q

Non-persistent (reflected) XSS attack

A
  • Web site allows scripts to run in user input
    – Search box is a common source
  • Attacker emails a link that takes advantage of this vulnerability
    – Runs a script that sends credentials / session IDs / cookies to the attacker
  • Script embedded in URL executes in the victim’s browser
    – As if it came from the server
  • Attacker uses credentials / session IDs / cookies to steal victim’s information without their knowledge
    – Very sneaky
3
Q

Persistent (stored) XSS attack

A
  • Attacker posts a message to a social network
    – Includes the malicious payload
  • It’s now “persistent” - everyone gets the payload
  • No specific target - all viewers of the page
  • For social networking, this can spread quickly
    – Everyone who views the message can have it posted to their page
    – Where someone else can view it and propagate it further…
4
Q

Hacking a Subaru

A
  • June 2017, Aaron Guzman - Security researcher
  • When authenticating with Subaru, users get a token
    – This token never expires (bad!)
  • A valid token allowed any service request
    – Even adding your email address to someone else’s account
    – Now you have full access to someone else’s car
  • Web front-end included an XSS vulnerability
    – A user clicks a malicious link, and you have their token
5
Q

Protecting against XSS

A
  • Be careful when clicking untrusted links
    – Never blindly click in your email inbox. Never.
  • Consider disabling JavaScript
    – Or control with an extension
    – This offers limited protection
  • Keep your browser and applications updated
    – Avoid the nasty browser vulnerabilities
  • Validate input
    – Don’t allow users to add their own scripts to an input field