Web Audit Vulnerability - PowerPoint PPT Presentation
Presentation Transcript
Web Audit Vulnerability

cross-site scripting (XSS) concerns

by Ron Widitz

Business Problem
  • Independent security audit
  • Regulatory compliance
  • XSS issue raised
  • Must provide a response
Audit Response
  • Either:
    • Prove issue to be a non-problem, or
    • Describe actions to take
Resolution Steps
  • Investigate security concerns
  • Restate as IT problem(s)
  • Determine solution(s)
  • Provide audit response
  • Mitigate risk
  • Define cross-site scripting (XSS)
  • Examine how auditors applied
  • Identify risks
  • Research preliminary solutions
cross-site scripting
  • Attacker goal: get their code into the victim's browser
  • XSS forces a website to execute malicious code in browser
  • Browser user is the intended victim
  • Why? Account hijacking, keystroke recording, intranet hacking, theft…
Auditor finding
  • Freeform edit box
  • Message to Customer Service
XSS types
  • Immediate reflection: phishing
  • DOM-based: 95 JavaScript methods
  • Redirection: header, meta, dynamic
  • Multimedia: Flash, QT, PDF scripts
  • Cross-Site Request Forgery (CSRF)
  • others…
    • (e.g. non-persistent search box)
  • XSS abuses render engines or plug-ins
  • Steal browser cookies
  • Steal session info for replay attack
  • Malware or bot installation
  • Redirect or phishing attempt
Our actual risk
  • Currently, none.
  • Edit box info viewed in thick client
  • DHTML or JavaScript needs browser
  • Our thick client is Java Swing-based
Planned Audit Response
  • Could indicate “no audit problem”
  • Might have future impact
  • Address through dev standards
  • Consider application firewall
  • Widen problem scope to include all user agent injection tactics
More on Web Attacks
  • Cross Site Scripting
  • SQL Injection
  • XPATH Injection
  • LDAP Injection
  • SSI (Server Side Includes) Injection
  • JSP (Java server pages) Injection
  • For each injection issue:
    • Vulnerability description documented
    • Preventative coding technique
  • Discuss with App Dev teams
    • Publish and socialize direction
    • Include in peer reviews/code walkthroughs
    • Set deadlines for full incorporation
  • Communicate with auditors
Cross Site Scripting Example 1
  • Trudy posts the following JavaScript on a message board:
  • When Bob views the posted message, his browser executes the malicious script, and his session cookie is sent to Trudy
Cross Site Scripting Example 2
  • Trudy sends a link to the following URL to Bob that will take him to a personalized page:
  • http://host/personalizedpage.php?username=
  • A page is returned that contains the malicious script instead of the username Bob, and Bob’s browser executes the script causing his session cookie to be sent to Trudy
  • Hex is often used in place of ASCII for the JavaScript to make the URL less suspicious
Cross Site Scripting Detection
  • A client usually is not supposed to send scripts to servers
    • If the server receives
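As an added example that is not part of the slides, the following Python puts the "preventative coding technique" (output encoding) and the server-side detection idea together for the two inputs the example slides describe: a message-board post and the username parameter of a personalizedpage.php URL. The pattern list, function names and sample payload strings are constructed for illustration, not taken from the deck.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

# Heuristic patterns for script-like content arriving in a form field or
# query parameter. A browser normally has no reason to submit any of these,
# so a match is worth logging for the audit trail (constructed list).
SCRIPT_PATTERNS = [
    re.compile(r"<\s*/?\s*script\b", re.I),                       # <script> / </script>
    re.compile(r"\bon(?:load|error|click|mouse\w+|focus|blur)\s*=", re.I),  # inline handlers
    re.compile(r"javascript\s*:", re.I),                           # javascript: URLs
]


def looks_like_script(text: str) -> bool:
    """Return True if already-decoded text contains script-like markup."""
    return any(p.search(text) for p in SCRIPT_PATTERNS)


def escape_for_html(text: str) -> str:
    """Output encoding: turn < > & " ' into entities so the browser shows the
    text instead of executing it. This is the preventative coding step."""
    return html.escape(text, quote=True)


def render_message(message: str) -> str:
    """HTML fragment that would display a customer-service message in a browser."""
    return '<p class="message">' + escape_for_html(message) + "</p>"


def audit_personalized_url(url: str) -> dict:
    """Inspect the username parameter of a personalizedpage-style URL.
    parse_qs percent-decodes, so a hex-encoded payload (the trick the slides
    mention) is inspected in the clear rather than as %3C...%3E."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    username = params.get("username", [""])[0]
    return {
        "username": username,
        "flagged": looks_like_script(username),
        "rendered": render_message(username),
    }


# Constructed sample inputs (not from the slides); alert(1) is the usual harmless marker.
SAMPLE_POST = "Please reset my password <script>alert(1)</script>"
SAMPLE_URL = "http://host/personalizedpage.php?username=%3Cscript%3Ealert%281%29%3C%2Fscript%3E"

if __name__ == "__main__":
    print(looks_like_script(SAMPLE_POST))      # True
    print(render_message(SAMPLE_POST))         # entities instead of a live <script> tag
    print(audit_personalized_url(SAMPLE_URL))  # flagged, with the decoded username shown
```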