XSS - Cross Site Scripting

https://en.wikipedia.org/wiki/Cross-site_scripting

 

The general idea is that a script is loaded on to some resource like a website or email due to a lack of input validation. 

 

Once stored on a resource, any new users to the resource will execute the script which could do anything from sending sensitive data to a remote server or attempting to access a third party site (like a bank) and trying to manipulate the API of the third party site.

XSS Example

A online forum (like Reddit) may not be sanitizing one of it's many input field and directly displaying anything the user inputs direct on their site.

 

Any new users will then execute that script. 

 

In one scenario, the script could be a keylogger that attempts to log all keypress, hoping that you eventually type in your username and password.

Myspace: https://en.wikipedia.org/wiki/Samy_(computer_worm)

XSS Example

In another scenario, the script may try to send a request to insecurebank.com's api. Since insecurebank.com uses cookies to keep track of user session, any calls to the api will carry a valid user session. 

 

The api the script ends up calling will transfer 1 million dollars from your bank account to the attackers bank account with no visual indicators.

XSS Defense

Validate your Inputs!

 

Use a sanitization library of some sort to ensure that any <script> or any other attack string is sanitized out before it's saved to your database. 

 

OWASP XSS prevention cheat sheet:

https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

CSRF - Cross Site Request Forgery

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

 

The main purpose of a CSRF attack is to leverage an exploit on one page to inject some code, which eventually attacks another page altogether. 

 

Often known as session riding. 

CSRF  Example

Take the script from the previous example, once it runs on a user's computer, it may try to send a request to insecurebank.com's api. Since insecurebank.com uses cookies to keep track of user session, any calls to the api will carry a valid user session. 

 

The api the script ends up calling will transfer 1 million dollars from your bank account to the attackers bank account with no visual indicators.

CSRF Defense

Most server now come with an option to send a csrf-token along with any page load.

 

The purpose of this token is to ensure that the user has at least loaded this token before making any requests tot he API.

 

The token itself should be embedded in the html (usually in a hidden input field) and should be specific to the user that is requesting the token.

SQL Injection attacks

https://en.wikipedia.org/wiki/SQL_injection

 

Often times when input is not properly validated and is directly added to a database query. Special characters can be used to stop the current query and start a new query that could potentially return sensitive information.

 

It could also be used to delete critical information.

 

Or even worse, take control of the entire server by breaking out of the database application. 

SQL Injection Example

SQL Inj. Defense

Sanitize your goddamn inputs!!!111one!!eleventy!one

This can often be easily accomplished by just using a database connector lib like knex or bookshelf. They usually have built in mechanisms that will sanitize your query.

 

But even with these libraries, there are often a "raw" query that you might be generating by hand and can insert. In these cases, you need to ...

 

SANITIZE YOUR INPUTS!

Validating User Inputs

As you've probably guess right now, this is the most effective way to protect your application. 

 

There are many libraries out there that will help ensure that the input you're getting from your users are safe.

Validation Libraries

JOI - https://github.com/hapijs/joi

 

validator.js - https://github.com/chriso/validator.js

 

sanitize-html - https://github.com/punkave/sanitize-html

 

google-caja - https://code.google.com/archive/p/google-caja/wikis/JsHtmlSanitizer.wiki

 

Nearly every language will have some kind of validator. 

Advanced defense

helmet - https://github.com/helmetjs/helmet

An all in one security library for express

 

OWASP Web Application Security Cheat Sheet:

https://www.owasp.org/index.php/Web_Application_Security_Testing_Cheat_Sheet

 

SQL Map - SQL Penetration testing tool

http://sqlmap.org/

More Tools

Fuzzing: https://en.wikipedia.org/wiki/Fuzzing

A technique to automate sending invalid, unexpected or just random input to web applications

 

WFuzz - https://github.com/xmendez/wfuzz

Social Engineering

Wired

 Apple, Amazon epic hack:

https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

Well known attacks

Github Attack: 

https://en.wikipedia.org/wiki/Censorship_of_GitHub

NTP Reflection Attack: 

https://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks/

ILOVEYOU Bug:

https://en.wikipedia.org/wiki/ILOVEYOU

Well known hackers:

Adrian Lamo:

https://en.wikipedia.org/wiki/Adrian_Lamo

Kevin Mitnick:

https://en.wikipedia.org/wiki/Kevin_Mitnick