Information Security

CS3002
(Sections BSE-7A)
Lecture 19
Instructor: Dr. Syed Mohammad Irteza
Assistant Professor, Department of Computer Science
29 October, 2024
Appendix – Helpful Links
• Understanding the iframe within HTML:
• HTML Iframes
• Understanding Cookies:
• Cookies and Session Management | Computer Security
• CSRF Prevention Cheat Sheet:
• Cross-Site Request Forgery Prevention - OWASP Cheat Sheet Series
• Web Application Security, Testing & Scanning
• Web Application Security, Testing, & Scanning - PortSwigger

2
Web Security – II
• Cross Site Scripting (XSS) Attack
• Types of XSS
• Reflected
• Stored
• DOM based
• Countermeasures
• Encoding
• Validation
• Input handling contexts
• Secure input handing

3
Cross Site Scripting (XSS)

4
 Cross Site Scripting (XSS)
• Cross-site scripting (also known as XSS) is a web security vulnerability
that allows an attacker to compromise the interactions that users have
with a vulnerable application.
• Cross-site scripting vulnerabilities normally allow an attacker to
masquerade as a victim user, to carry out any actions that the user is
able to perform, and to access any of the user's data.
• If the victim user has privileged access within the application, then the
attacker might be able to gain full control over all of the application's
functionality and data.

5
 The actors in an XSS attack
• In general, an XSS attack involves three actors: the website, the victim,
and the attacker.
• The website serves HTML pages to users who request them. In our
examples, it is located at http://website/.
• The website's database is a database that stores some of the user input included
in the website's pages.
• The victim is a normal user of the website who requests pages from it
using his browser.
• The attacker is a malicious user of the website who intends to launch an
attack on the victim by exploiting an XSS vulnerability in the website.
• The attacker's server is a web server controlled by the attacker for the sole
purpose of stealing the victim's sensitive information. In our examples, it is
located at http://attacker/.

6
 What can an XSS attack do?
Following attacks are possible:
• Cookie theft:
• The attacker can access the victim's cookies associated with the website
using document.cookie, send them to his own server, and use them to extract sensitive
information like session IDs.
• Keylogging:
• The attacker can register a keyboard event listener using addEventListener and then send
all of the user's keystrokes to his own server, potentially recording sensitive information such
as passwords and credit card numbers.
• Phishing:
• The attacker can insert a fake login form into the page using DOM manipulation, set the
form's action attribute to target his own server, and then trick the user into submitting
sensitive information.
• The malicious JavaScript is executed in the context of that website
7
 Types of XSS

• Reflected
• Stored
• DOM based

8
1. Reflected XSS
• Reflected XSS occurs when user input is immediately returned by a
web application in an error message, search result, or any other
response that includes some or all of the input provided by the user
as part of the request, without that data being made safe to render in
the browser, and without permanently storing the user provided
data.

9
XSS Scenario - Reflected

10
XSS Example – Vulnerable Site

11
XSS Example – Bad input

12
XSS Example – Bad input

13
How attack Works – Reflected XSS

14
2. Stored XSS (Persistent)

• To successfully execute a stored XSS attack, a perpetrator has to locate a

vulnerability in a web application and then inject malicious script into its
server (e.g., via a comment field).

15
Stored XSS

16
XSS Scenario - Stored

17
How attack Works – Stored XSS

18
 3. DOM Based XSS
• DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS
attack wherein the attack payload is executed as a result of modifying
the DOM “environment” in the victim’s browser used by the original
client side script, so that the client side code runs in an “unexpected”
manner.
• That is, the page itself (i.e., the HTTP response) does not change, but
the client side code contained in the page executes differently due to
the malicious modifications that have occurred in the DOM
environment.

19
The HTML DOM Tree of Objects
Java script can change:
1) all the HTML elements in the page
2) all the HTML attributes in the page
3) all the CSS styles in the page

In addition, JavaScript can remove existing

HTML elements and attributes, and also add
new HTML elements and attributes

20
 DOM Based XSS
• Example page
<HTML><TITLE>Welcome!</TITLE>
Hi <SCRIPT>
var pos = document.URL.indexOf(“name=”) + 5;
document.write(document.URL.substring(pos, document.URL.length));
</SCRIPT>
</HTML>
• Works fine with this URL
http://www.example.com/welcome.html?name=Joe
• But what about this one?
http://www.example.com/welcome.html?name=<script>alert(document.cookie)</script>
21
How attack works - DOM-based XSS

22
XSS Countermeasures

23
 XSS Defenses

Recall that an XSS attack is a type of code injection:

→ user input is mistakenly interpreted as malicious program code.

In order to prevent this type of code injection, secure input handling is

needed.

24
 1. Encoding
• Encoding is the act of escaping user input so that the browser interprets it only as data,
not as code.
• The most recognizable type of encoding in web development is HTML escaping, which
converts characters like < and > into &lt; and &gt;, respectively.
• If the user input were the string <script>...</script>, the resulting HTML would be as
follows

25
2. Validation
• Validation is the act of filtering user input so that all malicious parts of it are
removed, without necessarily removing all code in it.
• One of the most recognizable types of validation in web development is
allowing some HTML elements (such as <em> and <strong>) but
disallowing others (such as <script>)
• There are two main characteristics of validation that differ between
implementations:

• Classification strategy
User input can be classified using either blacklisting or whitelisting.
• Validation outcome
User input identified as malicious can either be rejected or sanitized.

26
3. Input Handling Contexts
• There are many contexts in a web page where user input might be inserted. For
each of these, specific rules must be followed so that the user input cannot break
out of its context and be interpreted as malicious code. Below are the most
common contexts:

27
 Input handling contexts
• In all of the contexts described, an XSS vulnerability would arise if user input were
inserted before first being encoded or validated.
• An attacker would then be able to inject malicious code by simply inserting the
closing delimiter for that context and following it with the malicious code.
• For example, if at some point a website inserts user input directly into an HTML
attribute, an attacker would be able to inject a malicious script by beginning his
input with a quotation mark

28
Input handling contexts

29
4. Secure Input Handling (Client/Server)
• In most modern web applications, user input is handled by both
server-side code and client-side code. In order to protect against all
types of XSS, secure input handling must be performed in both the
server-side code and the client-side code.
• In order to protect against traditional XSS, secure input handling must
be performed in server-side code. This is done using any language
supported by the server.
• In order to protect against DOM-based XSS where the server never
receives the malicious string (such as the fragment identifier attack
described earlier), secure input handling must be performed in client-
side code. This is done using JavaScript.

30
User Authentication (New Topic)
• Types
• password
• biometric
• symmetric/asymmetric

31
Authentication

32
Authentication Methodologies
• Something you know (e.g., password)
• Something you have (e.g., smart card)
• Something you are (e.g., fingerprint)

• Can be based on multiple factors

• (1/2/3 – factors of authentication)

• Multifactor authentication is the combination of the above, e.g., PIN

enabled smart card
• Other methods:
• Information about a user, e.g., attribute authentication
• Voice patterns, typing rhythm
• Location of a user

33
 Types of Authentication
• There are two basic types of authentication: non-repudiable and repudiable.
• Repudiable Authentication – involves factors, e.g., “what you know” and
“what you have” that can present problems to the authenticator because the
information presented can be unreliable because such factors suffer from
several well-known problems including the fact that possessions can be lost,
forged, or easily duplicated.
• Non-repudiable Authentication – involves characteristics whose proof of
origin cannot be denied. Such characteristics include biometrics like iris
patterns, retinal images, and hand geometry and they positively verify the
identity of the individual

34
Acknowledgments
• Material from Dr. Rana Asif Rehman

35