Section 18.174 XSS and XSRF Flashcards
Objectives 2.2 Explain common threat vectors and attack strategies.
Objectives 2.3 Explain various types of vulnerabilities.
Objectives 2.4 Given a scenario, you must be able to analyse indicators of malicious activity.
Objectives 2.5 Explain the purpose of mitigation techniques used to secure the enterprise.
Objectives 2.6 Given a scenario, you must be able to apply common security techniques to computing resources.
Cross-Site Scripting (XSS)
Injects a malicious script into a trusted site to compromise the site's visitors
Attacker's goal: have visitors run a malicious script so that their system processes it, bypassing the normal security mechanisms
Mitigate the threat with proper input validation
Four steps to an XSS attack
Step 1
The attacker identifies an input validation vulnerability within a trusted website
e.g. if a website does not conduct proper input validation for the username and password fields, then there is a risk of cross-site scripting attacks
Four steps to an XSS attack
Step 2
The attacker crafts a URL to perform a code injection against the trusted website
The attacker needs to get somebody to click on the encoded URL, e.g. via phishing
Four steps to an XSS attack
Step 3
The trusted site returns a page containing the injected malicious code
Four steps to an XSS attack
Step 4
The malicious code runs in the client's browser with the same permission level as the trusted site
This is why it's called a cross-site scripting attack: the malicious code is actually injected into, and served by, the trusted site to its users.
Cross-Site Scripting (XSS) example
Now, for example, let's say I was scrolling Facebook, and somebody was able to perform a cross-site scripting attack there and inject code into my newsfeed. The attack crosses from that threat actor's site into the trusted site, in this case Facebook, and is then delivered to me, the end user scrolling my newsfeed. That's how a cross-site scripting attack works.
Functions of an XSS Attack
● Defacing the trusted website
● Stealing the user's data
● Intercepting data or communications
XSS is dangerous because it breaks the browser's security and trust model
Types of XSS Attacks
Non-Persistent XSS
An XSS attack that only occurs when it is launched and only happens once (hence it's called non-persistent)
○ Server executes the attack (Server-side scripting attack)
xss-game.appspot.com - XSS game from Google
Types of XSS Attacks
Persistent XSS
Allows an attacker to insert code into a backend database used by that trusted website
○ Server executes the attack (Server-side scripting attack)
The attacker does not need anyone to click a link in this case, so it is considered more dangerous
Types of XSS Attacks
Document Object Model (DOM) XSS
Exploits the client’s web browser using client-side scripts to modify the content and layout of the web page
○ Client’s device executes the attack (Client-side scripting attack)
○ Can be used to change the DOM environment
○ Runs using the logged in user’s privileges on the local system
DOM XSS runs with the logged-in user's permissions on that local system
Exam help:
First, any time you're looking at a log snippet or captured URLs that have a script, or any kind of JavaScript, inside of them, it's most likely going to be a cross-site scripting attack that's going to be the right answer for that question.
Second, if you see something with document.something in it, like document.cookie or document.write, this should tell you it's a DOM-based cross-site scripting attack, because it's affecting the document object model of your browser.
If you keep those two tips in mind, you'll do great on the exam.
Session Management
Enables web applications to uniquely identify a user across several different actions and requests
■ Fundamental security component in modern web applications
e.g. hundreds of people logged in to a website at the same time working on training courses. We need a way to track which users are doing which courses and which items in those courses. The website needs to know what courses you have taken and what quizzes you have completed. This needs to be stored in the database so that when you log in next time you can resume the course at the correct place without losing your progress.
Developers can use server-side tracking within the DB, or instead use cookies that are located on the user's device
Cookie Tracking, also known as session cookies
Non-persistent cookies
Reside in memory and are used for a very short time period
■ Deleted at the end of the session
Cookie Tracking
Persistent cookies
Stored in the browser cache until either deleted by a user or expired
Cookies need to be encrypted and secured, as they can contain sensitive information
Session Hijacking
Type of spoofing attack where the attacker disconnects a host and then replaces it with his or her own machine by spoofing the original host IP or using some other takeover mechanism
For example, a lot of session hijacking occurs through theft or modification of session cookies. If the attacker is able to steal the session cookie, they can take over the session as the already authenticated user
Session Prediction
Type of spoofing attack where the attacker attempts to predict the session token in order to hijack the session
○ Prevent these attacks by using a non-predictable algorithm to generate session tokens
Cross-Site request Forgery (XSRF)
XSRF
Malicious script is used to exploit a session started on another site within the same web browser
The attacker needs to convince the victim to start a session with the targeted website. Once that occurs, the attacker can pass an HTTP request through the victim's browser and spoof it as an action on the target site
Can be disguised in tags, images and other HTML code; doesn't require the victim to click on a link
XSRF Prevention
● Use user-specific tokens in all form submissions
● Add randomness and prompt for additional information whenever a user tries to reset their password
● Require two-factor authentication
● Require users to enter their current password when changing their password
XSRF Example
So let's take a look at a real-world example of how this might play out. First, let's assume the browser's already authenticated to the target site, in this case the victim's bank. That cross-site request forgery will then try to steal the valid session token from that victim's browser.
For this example, let's assume there are two tabs open in the web browser. One is the attacker's website and the other one is your bank. Now, you've already authenticated to your bank, but now you've also connected to the attacker's website inside this new tab because you clicked on a link in a phishing campaign or another social engineering scheme. Now the attacker can use a cross-site request forgery attack to try to manipulate the session with your bank, because your browser is already authenticated to that site, and they can attempt to take over that session inside the other tab.
Now for the exam, remember that if somebody is trying to get a victim to unintentionally carry out an action on a website, this is normally going to be a form of cross-site request forgery. This most often occurs by trying to get the victim to do some kind of unknown update to their default email address or by changing that user's password, so keep that in mind for the exam.