Section 18.174 XSS and XSRF Flashcards
Objective 2.2: Explain common threat vectors and attack strategies.
Objective 2.3: Explain various types of vulnerabilities.
Objective 2.4: Given a scenario, you must be able to analyse indicators of malicious activity.
Objective 2.5: Explain the purpose of mitigation techniques used to secure the enterprise.
Objective 2.6: Given a scenario, you must be able to apply common security techniques to computing resources.
Cross-Site Scripting (XSS)
Injects a malicious script into a trusted site to compromise the site's visitors
Attacker's goal: have visitors run a malicious script so that their system processes it, bypassing the normal security mechanisms
Mitigate the threat with proper input validation
Four steps to an XSS attack
Step 1
The attacker identifies an input validation vulnerability within a trusted website
e.g. if a website does not conduct proper input validation for the username and password fields, then there is a risk of cross-site scripting attacks
Four steps to an XSS attack
Step 2
The attacker crafts a URL to perform a code injection against the trusted website
The attacker needs to get somebody to click on the encoded URL, e.g. via phishing
Four steps to an XSS attack
Step 3
The trusted site will return a page containing the malicious code injected
Four steps to an XSS attack
Step 4
The malicious code runs in the client's browser with the same permission level as the trusted site
This is why it's called a cross-site scripting attack: the malicious code is actually injected into, and served by, the trusted site to its users.
Cross-Site Scripting (XSS) example
Now, for example, let’s say, I was scrolling Facebook, and somebody was able to perform a cross-site scripting attack there, and they could inject code into my newsfeed. Now, it’s going to cross that threat actor site into the trusted site, in this case, Facebook, and then it’s delivered to me, the end user who’s scrolling my newsfeed. That’s how a cross-site scripting attack works.
Functions of an XSS Attack
● Defacing the trusted website
● Stealing the user's data
● Intercepting data or communications
XSS is dangerous as it breaks the browser's security and trust model
Types of XSS Attacks
Non-Persistent XSS
An XSS attack that only occurs when it is launched and only happens once (hence it's called non-persistent)
○ Server executes the attack (Server-side scripting attack)
xss-game.appspot.com - XSS game from Google
Types of XSS Attacks
Persistent XSS
Allows an attacker to insert code into a backend database used by that trusted website
○ Server executes the attack (Server-side scripting attack)
Attacker does not need anyone to click a link in this case - considered more dangerous
Types of XSS Attacks
Document Object Model (DOM) XSS
Exploits the client’s web browser using client-side scripts to modify the content and layout of the web page
○ Client’s device executes the attack (Client-side scripting attack)
○ Can be used to change the DOM environment
○ Runs using the logged-in user's privileges on the local system
DOM XSS runs with the logged-in user's permissions on that local system
Exam help:
First, anytime you're looking at a log snippet or captured URLs that have a script tag or any kind of JavaScript inside of them, it's most likely going to be a cross-site scripting attack that's going to be the right answer for that question.
Second, if you see something with document dot something in it, like document dot cookie or document dot write, this should tell you it's a DOM-based cross-site scripting attack because it's affecting the document object model of your browser.
If you keep those two tips in mind, you'll do great on the exam.
Session Management
Enables web applications to uniquely identify a user across several different actions and requests
■ Fundamental security component in modern web applications
e.g. hundreds of people logged in to a website at the same time working on training courses. We need a way to track which users are doing which courses and which items in those courses. The website needs to know what courses you have taken and what quizzes you have completed. This needs to be stored in the database so that when you log in next time you can resume the course at the correct place without losing your progress.
Developers can use server-side tracking within the DB or instead use cookies that are located on the user's device
Cookie Tracking also known as a session cookie
Non-persistent cookies
Reside in memory and are used for a very short time period
■ Deleted at the end of the session
Cookie Tracking
Persistent cookies
Stored in the browser cache until either deleted by the user or expired
Cookies need to be encrypted and secured as they can contain sensitive information
Session Hijacking
Type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP or using some other takeover mechanism
For example, a lot of session hijacking occurs through theft or modification of session cookies. If the attacker is able to steal the session cookie, they can take over the session as the already authenticated user
Session Prediction
Type of spoofing attack where the attacker attempts to predict the session token in order to hijack the session
○ Prevent these attacks by using a non-predictable algorithm to generate session tokens