Application Security
Rafel Ivgi
Security-Art
• Request Validation
• Smart D.o.S
– Source code.
– DB access.
• The attack occurs when a web server replies to the user with
the exact raw data it received from the user, so attacker-supplied
markup or script is rendered by the victim's browser in the site's context.
Original message
• Every user that logs in will get a command from the server.
• The attacker can harvest the following details using the XSS
alone:
– Password (using a perfect phishing attack)
– Name
– Age
– Email
– Friend list (whose members will also be attacked and become future victims)
• The server is then used by all the other victims, the
“Fetchers”.
• The server will then use Google or any other search engine
to get a list of sites that suit the attack and return it to the
fetcher.
• The fetcher now asks the server for the content of a certain
site on the list.
• Once the content returns, the fetcher parses the inner links
out of the page.
• This may have a low success rate, but for an XSS worm of
sufficient magnitude, and given that the process is fully
automatic, the result is highly satisfying for the attacker.
• The problem with this mechanism (black-list filtering) is that it
is not 100% proof: the application will never cover every encoding
and every attack method.
• White list filtering on the other hand sets a template for each
type of field in the system.
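An added example (not code from the original slides) contrasting the two approaches. The black list rejects values that contain a few well-known tokens; the constructed `BYPASSES` list shows the same attack in encodings and variants the black list does not anticipate, which is the slide's point that such a list is never complete. The white list instead defines one template per field type (name, age, email; the templates are this example's own choices, not a standard) and rejects anything that does not fit the template, so none of the variants get through.

```python
import html
import re
from urllib.parse import unquote

# Black list: reject a value if any known-bad token appears (case-insensitive).
BLACKLIST = ("<script", "javascript:", "onerror=", "onload=")


def blacklist_allows(value):
    """True if the black list would let the value through."""
    lower = value.lower()
    return not any(bad in lower for bad in BLACKLIST)


# White list: one template per field type. These patterns are the example's own choice of
# template; a real system would tune them to its data, but the shape is the point.
WHITELIST = {
    "name": re.compile(r"[A-Za-z][A-Za-z .'-]{0,49}"),
    "age": re.compile(r"[1-9]|[1-9][0-9]|1[01][0-9]|120"),
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}


def whitelist_allows(field, value):
    """True only if the whole value matches the template for its field type."""
    return WHITELIST[field].fullmatch(value) is not None


# Constructed payloads: the attack in forms the black list above misses.
BYPASSES = [
    "<img src=x onerror = alert(1)>",                    # whitespace before '=' defeats "onerror="
    "<body onpageshow=alert(1)>",                        # an event handler that is not on the list
    '<a href="JaVaScRiPt&#58;alert(1)">click</a>',       # entity-encoded colon hides "javascript:"
    "%3Cscript%3Ealert(1)%3C/script%3E",                 # URL-encoded; decoded only after the filter ran
    '<iframe srcdoc="&lt;script&gt;alert(1)&lt;/script&gt;"></iframe>',  # entity-encoded script
]


def decoded_later(value):
    """What the application sees if it URL-decodes or HTML-decodes after the filter ran."""
    return html.unescape(unquote(value))


def audit(values):
    """Return, per value, whether each filter lets it through (name field used for the white list)."""
    return [
        {
            "value": v,
            "blacklist_allows": blacklist_allows(v),
            "blacklist_allows_after_decode": blacklist_allows(decoded_later(v)),
            "whitelist_allows": whitelist_allows("name", v),
        }
        for v in values
    ]


if __name__ == "__main__":
    for row in audit(BYPASSES):
        print(row)
```

The white list still accepts the apostrophe in names (O'Brien is a valid name), so passing validation does not make a value safe to concatenate into HTML or SQL; output encoding and parameterized queries remain necessary on top of validation.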
• Vulnerable
• Secure
• The attack occurs when a web server passes the exact raw
data received from the user to the Database server.
• Once the attacker has control over the machine they can
then use it as a “Bot” in order to automatically exploit other
vulnerable sites.
• This is why the application must always filter the input it gets,
and should not consider certain sources as safe.
• Just like with XSS, there are plug-ins that attempt to prevent
these attacks, along with many WAF products in the market.
• The problem with these products remains the same: they cannot
be the single line of defense, because these products get
broken.
• The application must have a filtering module that prevents
these attacks on its own.
• In the case of SQL Injection the most important part is to
encode the parameter before sending it to the SQL Server, so
that characters like ' have no effect; prepared statements with
bound parameters do this reliably and are preferable to
hand-written escaping.
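An added example (not code from the original slides) of the three variants on an in-memory SQLite database: the raw concatenation the slide warns about, the manual quote-doubling it recommends, and bound parameters. The users table and the `' OR '1'='1` password are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Constructed sample database: two users with plaintext passwords (for the demo only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Raw user data is concatenated into the SQL text: the attack the slide describes.

    With password = ' OR '1'='1 the WHERE clause becomes
    username = 'alice' AND password = '' OR '1'='1', which matches every row.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return sorted(r[0] for r in conn.execute(sql).fetchall())


def escape_literal(value):
    """Manual encoding as the slide suggests: doubling a quote keeps it inside the literal."""
    return value.replace("'", "''")


def login_escaped(conn, username, password):
    """Same concatenation, but every string literal is escaped first.

    This only protects quoted string literals; a value placed in a numeric position,
    a column name, or ORDER BY is not protected by quote-doubling.
    """
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{escape_literal(username)}' "
        f"AND password = '{escape_literal(password)}'"
    )
    return sorted(r[0] for r in conn.execute(sql).fetchall())


def login_parameterized(conn, username, password):
    """Preferred: bound parameters. The data never becomes part of the SQL text,
    so no character in it can change the statement's structure."""
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchall()
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    injected = "' OR '1'='1"
    print("vulnerable:   ", login_vulnerable(db, "alice", injected))
    print("escaped:      ", login_escaped(db, "alice", injected))
    print("parameterized:", login_parameterized(db, "alice", injected))
```

The escaped variant happens to hold here, but it depends on the driver, the connection's character set and the query context; bound parameters remove that dependency, which is why they are the default choice.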
• The attacker can use this XSS to make the victim's browser
submit a post to the original form on the first site.
• Although this XSS cannot affect the referring site directly, it
still uses that site's credibility to unleash the attack.
• What is less known is that the color of a link can be checked
using CSS: the :visited style reveals which sites the victim has
already been to (browsers have since restricted what script can
read from :visited styles).
• The most critical method was fixed in the final release of the
product but there are still ways to bypass this defense.
• Within a short time, Google will index the site in question and
discover the exploiting code.
• From then on, every attempt to view the site will result in
the following:
• All in all the company under attack has lost a few days of
internet activity and spent a lot of money dealing with the
outcome of the attack.
• Jody Keyser
• jkeyser@aliadocorp.com
• www.aliadocorp.com
• 1-888-373-0680
Thank You