Meet-theharmonyguy课件.pptxVIP

Cross-Site Scripting is Not Your Friend;Meet theharmonyguy;Today’s theme: Facebook Familiar cases for me Wide range of examples Representative of mash-ups Three types of Facebook apps FBML/FBJS: App output proxied/filtered by Facebook Canvas: IFrame within Facebook domain/chrome External site: Facebook APIs used on outside domain ;a.k.a. HTML Injection, Web Content Injection Code injection targeting the client side Essentially, XSS lets an attacker modify the source code of a web app “XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.” tl;dr: The browser renders code that it shouldn’t.;Three types of XSS Reflected Code injected into a particular request Server dynamically generates modified response Persistent Code injected into static content on the server Server always generates modified response DOM-Based Code injected into a client-side parameter Client dynamically generates modified response;Meet Cross-Site Scripting (XSS);Meet Cross-Site Scripting (XSS);When a user visits , they trust that they’re communicating with Facebook When a browser loads code for , it trusts that the code is authorized by Facebook When a site receives requests from a browser, it trusts that they’re coming from the user XSS breaks all of these chains of trust;So What?;Same-origin policies block cross-domain access Cookies Inline frames (iframe) XMLHTTPRequest But with XSS, malicious scripts share the domain of the victim application (“cross-site”) ;What if links (a) are allowed? ;What if images (img) are allowed? Images still make HTTP requests XSS is commonly used to launch CSRF Can also be used for information leakage;What if inline frames (iframe) are allowed? CSRF, UI redressing, phishing, etc.;Also, JavaScript can appear in many places… div style=width: expression(alert(XSS)); ?xml-stylesheet href=javascript:alert(XSS)? img src=http://site/404 onerror=alert(XSS); link rel=stylesheet href=data:,*%7bx:exp