XSS Attack & Defense - Edgescan
Eoin Keary, CTO, BCC Risk Advisory
@eoinkeary
What is XSS?
- Attacker-driven JavaScript, or JavaScript injection
- Most common web vulnerability
- Easy vulnerability to find via auditing
- Easy vulnerability to exploit
- Certain types of XSS are very complex to fix
- Significant business and technical impact potential
XSS Attack Payload Types
- Session hijacking
- Site defacement
- Network scanning
- Undermining CSRF defenses
- Site redirection/phishing
- Data theft
- Keystroke logging
- Loading of remotely hosted scripts
Input Example
Consider the following URL: saveComment?comment=Great+Site!
How can an attacker misuse this?
XSS Variants
Reflected / Transient
Data provided by a client is immediately used by server-side scripts to generate a page of results for that user.
Example: search engines
Stored / Persistent
Data provided by a client is first stored persistently on the server (e.g., in a database or filesystem) and later displayed to users.
Examples: bulletin boards, forums, blog comments
DOM-based XSS
A page's client-side script itself accesses a URL request parameter and uses this information to dynamically write some HTML to its own page.
DOM XSS is triggered when a victim interacts with a web page directly, without causing the page to reload.
Difficult to test with scanners and proxy tools. Why?
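As an added illustration (not part of the original slides), the saveComment example above is rendered two ways, once with the parameter reflected verbatim and once HTML-escaped, and the same URL is parsed the way a server or intercepting proxy sees it versus the way a client-side script reading location.hash sees it. The host example.test and the marker value are constructed placeholders.

```python
import html
from urllib.parse import urlsplit, parse_qs

# Constructed demo URL built on the slide's saveComment example. The query
# carries the legitimate comment; the fragment carries a harmless HTML marker
# standing in for attacker-chosen data. example.test is a placeholder host.
MARKER = "<b>marker</b>"
DEMO_URL = "https://example.test/saveComment?comment=Great+Site!#comment=" + MARKER


def render_comment_unsafe(comment: str) -> str:
    """Reflected XSS sink: the parameter is interpolated into HTML as-is."""
    return f"<p>Thanks for your comment: {comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Defense for element content: HTML-escape untrusted data before output.
    (Attribute, URL and JavaScript contexts each need their own encoding.)"""
    return f"<p>Thanks for your comment: {html.escape(comment, quote=True)}</p>"


def server_visible_params(url: str) -> dict:
    """Parameters that reach the server (and any proxy watching the request):
    the query string only. The fragment never leaves the browser."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def fragment_only_params(url: str) -> dict:
    """Parameters a DOM-based page script would read from location.hash.
    This is the data path a purely server-side scanner cannot observe."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).fragment).items()}


def reflects_markup(rendered: str, untrusted: str) -> bool:
    """True if the untrusted value survived into the output unescaped."""
    return untrusted in rendered


if __name__ == "__main__":
    print("server sees:  ", server_visible_params(DEMO_URL))
    print("page script sees:", fragment_only_params(DEMO_URL))
    print("unsafe render:", render_comment_unsafe(MARKER))
    print("safe render:  ", render_comment_safe(MARKER))
```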