Xss_Hritwik_Roy.pptx@kjfbbwefhjoiqrw[i0-3envnvig87trhgohiulefvonvrivfgkmlghoihfiwbfl
jafixew160
11 views
15 slides
Aug 18, 2024
Slide 1 of 15
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
About This Presentation
All about xss
Slide Content
Presented By Hritwik Roy Cross site scripting ( xss )
What is xss XSS is a vulnerability which when present in websites or web applications, allows malicious users (Hackers) to insert their client side code(normally JavaScript) in those web pages. When this malicious code along with the original webpage gets displayed in the web client (browsers like IE, Mozilla etc ), allows Hackers to gain greater access of that page .
How xss works Web server gets data from web client (POST, GET, COOKIES etc ) with the request. So a malicious User can include client side code snippets (JavaScript) into the data. For example : <script>alert (‘this site has been hacked’) ;</script >
Type of xss attacks Reflected Based XSS where the malicious script comes from the current HTTP request. Stored Based XSS where the malicious script comes from the website's database. DOM Based XSS where the vulnerability exists in client-side code rather than server-side code.
Reflected XSS Reflected XSS involves the reflecting of a malicious script off of a web application, onto a user’s browser. The script is embedded into a link, and is only activated once that link is clicked on . Here is a simple example of a reflected XSS vulnerability: https://insecure-website.com/status?message=All+is+well . < p>Status: All is well .</p >
The application doesn't perform any other processing of the data, so an attacker can easily construct an attack like this: https:// insecure-website.com/ status?message =<script>/*+ Bad+stuff+here ...+*/</script> < p>Status: <script>/* Bad stuff here... */</script></p > If the user visits the URL constructed by the attacker, then the attacker's script executes in the user's browser
Stored XSS Stored XSS, also known as persistent XSS, is the more damaging of the two. It occurs when a malicious script is injected directly into a vulnerable web application. An attack can affect a large amount of users and the application can also be infected by a XSS Virus.
Step 1 server save XSS code to DB Ahttp request with XSS java Script Stored XSS Hacker’s Browser Server DB Step 2 server save XSS code to DB Ahttp request with XSS java Script http response with XSS javaScript DB Server Hacker’s Browser User Browser
DOM-based XSS DOM-based XSS (also known as DOM XSS ) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM . var search = document.getElementById ('search').value ; results.innerHTML = 'You searched for: ' + search; You searched for: < img src =1 onerror ='/* Bad stuff here... */'>
IMPACT OF XSS Account Hijacking Stealing credentials Sensitive Data Data Manipulation Phishing Attacks Client-Side Redirection
PREVENTION Never trust the user input data Input Validation Input Whitelisting Input Blacklisting
Black List Blacklists– Block <script> and other attributes such as onload , onclick , onmouseover etc . <script>alert(1)</script> ----- block < ScRiPt >alert(1)</ ScRiPt > ----- Allow <style>< img title="</style>< img src onerror =alert(1)>"></style > ---- Allow
White List White lists – Allow <strong>, < em > and < br > only ( name , number, email etc ) – Does help, but not 100 %
Ask Your Query…….
Thank you…….
Tags
Categories
BusinessDownload
Download Slideshow Get the original presentation fileQuick Actions
Statistics
- Views 11
- Slides 15
- Age 472 days
Related Slideshows
1
DTI BPI Pivot Small Business - BUSINESS START UP PLAN
MeljunCortes
31 views
1
CATHOLIC EDUCATIONAL Corporate Responsibilities
MeljunCortes
31 views
11
Karin Schaupp – Evocation; lançamento: 2000
alfeuRIO
31 views
10
Pillars of Biblical Oneness in the Book of Acts
JanParon
27 views
31
7-10. STP + Branding and Product & Services Strategies.pptx
itsyash298
29 views
44
Business Legislation PPT - UNIT 1 jimllpkggg
slogeshk98
32 views