Introduction to infosec recitation 9
1 / 18

Introduction to InfoSec – Recitation 9 - PowerPoint PPT Presentation

  • Uploaded on

Introduction to InfoSec – Recitation 9. Nir Krakowski ( nirkrako at Itamar Gilad ( itamargi at Today. SOP - Same origin policy CSRF – Cross site request Forgery XSS – Cross Site Scripting PHP file inclusion vulnerabilities

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Introduction to InfoSec – Recitation 9' - reese-walter

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Introduction to infosec recitation 9

Introduction to InfoSec – Recitation 9

Nir Krakowski (nirkrako at

ItamarGilad (itamargi at


  • SOP - Same origin policy

  • CSRF – Cross site request Forgery

  • XSS – Cross Site Scripting

  • PHP file inclusion vulnerabilities

  • DNS rebinding (if we have time)

Same origin policy
Same Origin Policy

  • Modern sites use elements from many different sources (e.g.: main content, embedded ads, embedded google maps controls, embedded twitter feed, etc.)

  • Without the SOP – we’d have to trust ALL that code

  • With the SOP – interactions are limited by ‘origin’

  • An origin is the combination of domain name and protocol type

Cross site request forgery
Cross Site Request Forgery

  • User goes to malicious site

  • Site initiates a request to a different site (e.g.: Gmail)

  • Request is sent using user’s credentials

  • Site accepts request, but due to SOP – the attacker cannot read contents or state (‘blind’ attack)

  • Profit!

Csrf limitations
CSRF - Limitations

  • Cannot spoof referrer header (but few sites check it)

  • Depends on a ‘GET’ request to cause side-effects

  • Blind attack – if the attack depends on any prior info, attacker has to guess

  • Attack must take place while the user is logged in to the target site

Xss cross site scripting
XSS – Cross site scripting

  • Today, many sites just aggragate user-generated content

    • Forums

    • Facebook / Twitter / Reddit

    • Web mail

    • Ynet / nrg – ‘talkbacks’

  • That’s great, but what happens if we trust user submitted content?

  • A user can submit HTML code

  • Which can be malicious

How malicious are they
How malicious are they?

  • Once the malicious code runs in the context of the target site, it can do whatever the original site can

    • Steal javascript-accessible cookies

    • Use any aspect of the site’s API

      • Write posts

      • Add friends

      • Delete all user content

      • Send out mass-email

      • E.g.: Sammy is my hero

Non persistent xss
Non persistent XSS

  • User clicks a link with extra parameters, the server reflects it back, without proper sanitation

Persistent xss
Persistent XSS

  • Malicious user submits content to the target site via

    • Forum post / ‘talkback’ / FB post, twitter post

    • E-mail

    • Etc.

  • Content is not sanitized, and therefore – displayed to the user

  • The user’s browser treats it as code from the target site, thereby bypassing the SOP

  • Profit!

Php file inclusion
PHP File Inclusion

Source: Wikipedia

Php file inclusion cont
PHP File Inclusion cont.

  • /vulnerable.php?COLOR=C:\\ftp\\upload\\exploit - Executes code from an already uploaded file called exploit.php (local file inclusion vulnerability)

  • /vulnerable.php?COLOR=C:\\notes.txt%00 - example using NULLs to remove the .phpsuffix, allowing access to files other than .php

  • /vulnerable.php?COLOR=/etc/passwd%00 - allows an attacker to read the contents of the passwd file on a UNIX system directory traversal

  • /vulnerable.php?COLOR= injects a remotely hosted file containing a malicious code

Dns rebinding csrf
DNS Rebinding CSRF

  • We’ll discuss a very specific example

  • Client has a home router, which we want to access

  • We can get the client to browse to

  • But thanks for the SOP – JS code from cannot access the router other than blindly (CSRF)

Enter dns rebinding
Enter DNS Rebinding

  • The DNS for returns two records:

    • Our web server public address

    • The requesting client’s address

  • By default, a browser will use the first address, and download our malicious JavaScript

  • That Javascript will make another request to

  • But this time – the server will refuse the connection

  • The browser will happily try the next entry

Dns rebinding cont
DNS Rebinding cont.

  • But that’s the client’s home router public address…

  • Which should be protected via a FW from access…

  • But since most routers are configured with interface-based rules, and have internal webservers that listen on – it won’t matter – they will answer our client

  • So now our JS code can connect to and access the home router!

  • And it can still connect back outside

Dns rebinding doesn t work anymore
DNS Rebinding doesn’t work anymore

  • Most routers will use HTTP-authentication

  • You used to be able to browse to: http://user:[email protected]/

  • But it has been disabled. All HTTP auth now requires a user dialog

  • Which makes the attack non-feasible

  • Also, there are some browser and network mitigations one can do (DNS pinning, DNS filtering, NoScript, etc.)