1
00:00:03,960 --> 00:00:11,070
A proper acronym for cross-site scripting is XSS, as CSS is already reserved for Cascading Style

2
00:00:11,070 --> 00:00:11,780
Sheets.

3
00:00:15,090 --> 00:00:19,050
Anyway, this attack used to be extremely popular in the past.

4
00:00:19,140 --> 00:00:20,870
It's still very widespread.

5
00:00:23,880 --> 00:00:31,220
XSS relies on the fact that most Web sites are active to some degree. Web sites display information

6
00:00:31,280 --> 00:00:34,420
and also allow users to post some information as well.

7
00:00:35,930 --> 00:00:44,550
Since two-way communication is available, we can use this to place something on an external website.

8
00:00:44,640 --> 00:00:48,340
We can run the following attack first.

9
00:00:48,340 --> 00:00:52,100
We'd like to embed a malicious script on a Web site.

10
00:00:52,220 --> 00:00:59,660
It can be embedded directly on the site. In the easiest case, the site will have a comment box.

11
00:00:59,700 --> 00:01:04,730
This can be exploited to leave HTML tags next to a comment so that the script is created.

12
00:01:07,620 --> 00:01:10,910
After this is done, we wait for a visitor to display the site.

13
00:01:13,690 --> 00:01:15,100
Once it's displayed,

14
00:01:15,190 --> 00:01:24,730
a browser will render the entirety of the page, including our script. The script payload is up to us. The script

15
00:01:24,730 --> 00:01:32,240
can be embedded on a Web site or placed inside a link to a page that is sent to the victim. This variation

16
00:01:32,240 --> 00:01:36,290
is the basis for the division of cross-site scripting attacks into two types:

17
00:01:37,970 --> 00:01:41,090
reflected XSS and persistent XSS.

18
00:01:45,150 --> 00:01:49,950
In reflected XSS, the attack occurs when an attacker communicates with the victim directly.

19
00:01:52,820 --> 00:01:55,070
We'll see an example of this attack in a moment.

20
00:01:56,480 --> 00:01:59,990
We can, for example, be persuaded to click on the following address.

21
00:02:01,340 --> 00:02:07,300
Although we're connected to a bank page, we also launched a script that is not stored in the page.

22
00:02:07,380 --> 00:02:09,740
The bank website is not compromised.

23
00:02:09,900 --> 00:02:11,830
It has not been broken into.

24
00:02:12,180 --> 00:02:14,470
It's our assertion that is no longer secure.

25
00:02:16,790 --> 00:02:20,500
This attack can be delivered in a number of ways.

26
00:02:20,710 --> 00:02:25,780
We can, for example, be redirected to a different page without noticing it.

27
00:02:25,780 --> 00:02:29,280
We can also launch a script on a trusted page that comes from a different page.

28
00:02:33,720 --> 00:02:38,970
A persistent cross-site scripting attack, on the other hand, relies on placing malicious code directly

29
00:02:38,970 --> 00:02:42,200
onto a Web site instead of putting it in a link,

30
00:02:42,270 --> 00:02:48,710
for example, in an email. This type of attack is definitely easier to detect.

31
00:02:49,140 --> 00:02:52,350
It's also larger in scale.

32
00:02:52,380 --> 00:02:54,390
Let's see how this works in practice.

33
00:02:56,890 --> 00:03:03,030
I assume you've received the following e-mail message. This message doesn't look too suspicious.

34
00:03:04,070 --> 00:03:07,370
You can see that it was sent from a bank branch.

35
00:03:07,420 --> 00:03:10,530
There are no mistakes in language.

36
00:03:10,590 --> 00:03:17,160
The message reads unambiguously and doesn't seem to raise any doubts. The email doesn't ask you for your

37
00:03:17,160 --> 00:03:22,050
login or password, or pressure you to log in in the next 35 seconds to get a prize.

38
00:03:24,280 --> 00:03:26,450
There are no such tactics in this message.

39
00:03:28,160 --> 00:03:34,290
All it asks is that you click on a link to log in. As you can plainly see in the status bar of the browser,

40
00:03:35,040 --> 00:03:37,850
a hidden, longer address lurks underneath the link.

41
00:03:42,080 --> 00:03:44,830
It's longer than expected anyway.

42
00:03:44,870 --> 00:03:50,720
We still click it. We were redirected to a login page of the bank.

43
00:03:50,720 --> 00:03:53,490
It looks familiar.

44
00:03:53,580 --> 00:03:56,030
The page looks no different than it looked before.

45
00:03:57,050 --> 00:04:02,960
Everything seems in perfect order until you take a look at the address bar.

46
00:04:03,040 --> 00:04:08,240
It turns out that while the bank page is displayed on the screen, a script is running at the same time.

47
00:04:12,220 --> 00:04:17,970
To get a better picture of the situation, we can copy this script into Notepad.

48
00:04:18,060 --> 00:04:20,930
The script here is not contained in the bank page.

49
00:04:21,270 --> 00:04:25,370
It's a JavaScript called Snoop.

50
00:04:25,460 --> 00:04:29,650
We can assume that the script will be executed soon, because we can see an event that launches it.

51
00:04:33,030 --> 00:04:39,420
Assume that we haven't caught all of this and decided to log in after clicking a login link.

52
00:04:39,470 --> 00:04:44,680
There is a window that looks normal, but once we submit a login and password, something strange

53
00:04:44,680 --> 00:04:46,470
pops up.

54
00:04:46,700 --> 00:04:55,450
The right side was never originally part of the window. Actually, even now it's not visible.

55
00:04:55,510 --> 00:05:00,570
The script we show simply aims to demonstrate that an attacker has access to the credentials we submit.

56
00:05:02,540 --> 00:05:04,720
If correct credentials are submitted,

57
00:05:04,870 --> 00:05:06,950
we logged in correctly.

58
00:05:06,940 --> 00:05:14,590
There's one problem though: we've just fallen victim to a cross-site scripting attack despite the fact that

59
00:05:14,590 --> 00:05:17,710
we're connected to a trusted and unmodified page.

60
00:05:17,990 --> 00:05:22,330
We have connected to it in such a way that the location of the script that will be executed by us in

61
00:05:22,330 --> 00:05:26,100
a moment was also sent.

62
00:05:26,170 --> 00:05:29,440
The script is contained on a server controlled by a black hat hacker.

63
00:05:34,240 --> 00:05:40,900
This type of attack can be thwarted quite easily, even using automated tools.

64
00:05:40,900 --> 00:05:46,280
Note that when you click on the link in the email again, the browser prompts a message stating that it's

65
00:05:46,280 --> 00:05:50,290
modified the page source code.

66
00:05:50,490 --> 00:05:56,660
This time a login attempt doesn't cause any adverse side effects.

67
00:05:56,870 --> 00:06:02,030
The browser detected that the page code contains links to scripts stored on external servers under different

68
00:06:02,030 --> 00:06:02,960
addresses.

69
00:06:04,250 --> 00:06:06,820
It commented them out before interpreting the code.

70
00:06:11,220 --> 00:06:17,860
Below you can see a script that was executed on this page. It aims simply to read the values of user-

71
00:06:17,860 --> 00:06:20,060
supplied login and password fields.

72
00:06:24,440 --> 00:06:27,810
The last topic we'll briefly cover relates to session hijacking.

73
00:06:30,090 --> 00:06:36,240
Session hijacking is the act of impersonating a user that has been authenticated to an application.

74
00:06:36,290 --> 00:06:39,180
It doesn't involve cracking or guessing a user's password.

75
00:06:41,250 --> 00:06:45,290
An attacker waits for a user to log on and logs in as well, alongside that user.

76
00:06:48,620 --> 00:06:52,550
This attack scenario is in particular a threat to web applications,

77
00:06:53,330 --> 00:07:00,820
especially since many of them use HTTP. Since HTTP is a stateless protocol,

78
00:07:00,880 --> 00:07:03,340
it has to simulate a session in some manner.

79
00:07:06,070 --> 00:07:11,320
A session is simulated in this case by means of adding identification data to each query.

80
00:07:14,360 --> 00:07:20,820
The data in question could be cookies or other data placed inside URL addresses.

81
00:07:20,880 --> 00:07:26,220
This means that a cookie, an unprotected text file, is a temporary credential.

82
00:07:26,470 --> 00:07:30,430
If someone obtains a cookie, that person can impersonate us in the application.

83
00:07:33,070 --> 00:07:38,440
If we've been previously authenticated to that application, the hijacker will also be authenticated.

84
00:07:40,680 --> 00:07:45,160
See a Wireshark session where an HTTP cookie has just been intercepted.

85
00:07:46,670 --> 00:07:50,680
This, however, can be done more easily, even without resorting to Wireshark.

86
00:07:56,310 --> 00:08:00,290
A Firefox add-on such as Firesheep can be used for this purpose.

87
00:08:01,570 --> 00:08:04,070
The extension works just like Wireshark.

88
00:08:04,340 --> 00:08:10,280
It listens for users transmitting cookies to a selected array of Web sites.

89
00:08:10,390 --> 00:08:15,610
If an exchange is detected, the sniffer steals the cookie and shares the use of the cookie with the legitimate

90
00:08:15,610 --> 00:08:25,020
user. A server is not alarmed if someone sends more than one copy of a cookie. To pull the attack off,

91
00:08:25,080 --> 00:08:30,520
an attacker needs only to share a medium with a targeted user.

92
00:08:30,610 --> 00:08:39,200
This is viable, for example, in an Internet cafe.

93
00:08:39,230 --> 00:08:42,410
What methods can be engaged to foil such a hijacking?

94
00:08:44,140 --> 00:08:49,720
It's possible to bind a certain identifier to something that identifies a user uniquely, for example

95
00:08:49,720 --> 00:08:55,030
by binding a session identifier to computer data: a MAC address or an IP address.

96
00:08:56,570 --> 00:09:01,230
This produces one problem: using Wi-Fi networks,

97
00:09:01,340 --> 00:09:08,200
we sometimes switch between various access points. Computer configuration can change during this process,

98
00:09:08,440 --> 00:09:14,220
and losing a session needs to be avoided, for example because we're in the middle of some important operation.

99
00:09:15,270 --> 00:09:17,190
The solution is quite intrusive.

100
00:09:21,740 --> 00:09:29,190
An alternative is encrypting all traffic using HTTPS. This encryption would also make a cookie encrypted;

101
00:09:30,830 --> 00:09:33,880
extracting cookies from packets would no longer be possible.

102
00:09:35,740 --> 00:09:40,020
This module discussed typical application attacks.

103
00:09:40,210 --> 00:09:42,450
The major focus was placed on database servers,

104
00:09:42,460 --> 00:09:47,670
since most applications today make use of them, even if you're not aware of it.

105
00:09:47,820 --> 00:09:54,560
Other than that, buffer overflow attacks were covered, as well as cross-site scripting. Both of these attacks

106
00:09:54,560 --> 00:09:59,580
target Web site visitors and not Web sites.

107
00:09:59,670 --> 00:10:06,980
At the end, authenticated session hijacking information was proposed to sum up the topic.

108
00:10:07,060 --> 00:10:07,590
Thank you.