March Intensive: XSS Exploits Patrick Dyroff Sudikoff http://www.ists.dartmouth.edu/images/Sudikoff_Lab.JPG Sergey Bratus • ISTS' Chief Security Advisor and a Postdoctoral Research Assistant Professor in the Computer Science Department at Dartmouth College • Taught the “Computer Security and Privacy” course • Undergraduate education at the Moscow Institute of Physics and Technology (AKA, Moscow Phystech), and his Ph.D. at Northeastern University (1999). http://www.ists.dartmouth.edu/people/fellows/bratus.html What is XSS? • Cross-Site Scripting • Webpage vulnerability • Simple, Used often • Code Injection • Three types: Type 1, 2 … 0? http://cdn.memegenerator.net/instances/400x/15481816.jpg Type 1 • Known as non-persistent or reflected. • The most common type. • Arises when server-side scripts generate a page of results using the data from the web client for the user. • An attacker could embed this URL in an email, posing a situation and enticing the victim to click on it Type 2 • Known as stored, persistent, or second order • Most powerful type of XSS attack • Can be made when data provided to a web app by a user is stored in a database or file system and can be accessed later by different users • Forums are a Type 2 targeted victim examples Type 0 • Known as DOM-based or Local XSS • Very similar to the type 1 vulnerability • The problem is also within a page’s client side script • There is one key difference between the two • This attack goes around the client-side sandbox, not only the cross domain, like other XSS attacks do How can it be used? • Cookies!! • Allows access to previous sessions • Certain logon information • Worms, Phishing, Spamming, Oh My! http://meowcheese.com/files/lolpics/2010/06/ok-ok-i-stole-a-cookie.jpg Patches • All these examples can be patched relatively easily • Many possibilities that keep being found • HTML or JavaScript escape function Thanks for listening! http://images.sodahead.com/profiles/0/0/2/8/9/6/8/4/1/Jazz_Hands_Cat-79814272162.jpeg