A Server Solution for Cookie-Stealing-Based XSS Attacks

13
A Server Solution for Cookie-Stealing-Based XSS Attacks Jhen-Li Wang, Shih-Jen Chen, Chia-Hao Lee, Fu-Hau Hsu CSIE@NCU – Networks & Multimedia Institute For Information In

TAGS:

description

A Server Solution for Cookie-Stealing-Based XSS Attacks. Jhen -Li Wang, Shih-Jen Chen, Chia-Hao Lee, Fu- Hau Hsu. CSIE@NCU – ADLab , Networks & Multimedia Institute For Information Industry. Stored XSS. Reflected XSS. Stored XSS. Reflected XSS. X S S. How to defend XSS?. - PowerPoint PPT Presentation

Transcript of A Server Solution for Cookie-Stealing-Based XSS Attacks

Page 1: A Server Solution for Cookie-Stealing-Based XSS Attacks

A Server Solution for Cookie-Stealing-Based XSS Attacks

Jhen-Li Wang, Shih-Jen Chen, Chia-Hao Lee, Fu-Hau Hsu

CSIE@NCU – ADLab,Networks & Multimedia Institute For Information Industry

Page 2: A Server Solution for Cookie-Stealing-Based XSS Attacks

Stored XSS Reflected XSSStored XSS Reflected XSS

X S S

Page 3: A Server Solution for Cookie-Stealing-Based XSS Attacks

How to defend XSS?

Page 4: A Server Solution for Cookie-Stealing-Based XSS Attacks

We do this…

Modify KERNEL

Page 5: A Server Solution for Cookie-Stealing-Based XSS Attacks

Finish. And wait for next.

Page 6: A Server Solution for Cookie-Stealing-Based XSS Attacks
Page 7: A Server Solution for Cookie-Stealing-Based XSS Attacks

sys_read do_sock_read sock_recvmsg

inet_recvmsgtcp_recvmsgskb_copy_

datagram_iovec

memcpy_toiovec copy_to_user

Page 8: A Server Solution for Cookie-Stealing-Based XSS Attacks

Web Server

Application

Cookie VerifierCookie Verifier

Cookie AbstractorCookie Abstractor

CookieCleanerCookieCleaner

Payload CollectorPayload Collector

Packet

User mode

Kernel mode

CookieTable

捉封包資料

捉 cookie, source IP, 算時間

比對 cookie 和 IP檢查 table node 的時間 , 看是否須清除

(Hash table) 儲存 cookie(key), IP, 時間

Page 9: A Server Solution for Cookie-Stealing-Based XSS Attacks

Finish. And wait for next.

Page 10: A Server Solution for Cookie-Stealing-Based XSS Attacks

Non-persistent cookie, 77

Persistent cookie; 3

Page 11: A Server Solution for Cookie-Stealing-Based XSS Attacks

26%

10%

17%

3%

18%

26%

Non-persistent Cookie Name

PHPSESSID

JSESSIONID

ASP.NET_SessionId

.ASPXAUTH

ASPSESSIONID+8bits random

User-defined

Page 12: A Server Solution for Cookie-Stealing-Based XSS Attacks

原系統 修改過後的系統

總時間 (秒 ) 6.989 8.1561

每次平均時間 (秒 ) 0.006989 0.0081561

Overhead 0.16699(16.699%)

Page 13: A Server Solution for Cookie-Stealing-Based XSS Attacks

Web Attacks - Stanford University · Prevents Google Analytics from stealing your cookie — 1. Never sent by browser to Google because (google.com, /) does not match (bank.com, /)

Web Attacks - Stanford University · Prevents Google Analytics from stealing your cookie — 1. Never sent by browser to Google because (google.com, /) does not match (bank.com, /)

XSS Defense

XSS Defense

Ess xss homepage_framework_ecc_50_erp_2004

Ess xss homepage_framework_ecc_50_erp_2004

COOKIE DOUGH & MORE | COOKIE DOUGH & MORE | COOKIE …

COOKIE DOUGH & MORE | COOKIE DOUGH & MORE | COOKIE …

Seculabs eBook - Yahoo Session Hijacking - Cookie Stealing

Seculabs eBook - Yahoo Session Hijacking - Cookie Stealing

Building Advanced XSS Vectors - Brute XSS · About - Presentation Not just another talk on XSS Use of alert(1) for didactic purposes Mainly about event based XSS Some stuff may be

Building Advanced XSS Vectors - Brute XSS · About - Presentation Not just another talk on XSS Use of alert(1) for didactic purposes Mainly about event based XSS Some stuff may be

WORK STEALING SCHEDULER 6/16/2010 Work Stealing Scheduler 1.

WORK STEALING SCHEDULER 6/16/2010 Work Stealing Scheduler 1.

document.cookie Identity Theft ✗ Cookie Stealing.

document.cookie Identity Theft ✗ Cookie Stealing.

Seculabs eBook - IsR Stealer - Cookie Stealing

Seculabs eBook - IsR Stealer - Cookie Stealing

CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29

CSP - the panacea for XSS - owasp.org another security blogger . XSS. 4 XSS ... Over 12 million email messages daily ... CSP Based IDS Magic XSS XSS XSS Test & Fix . 29

Grails vs XSS: Defending Grails against XSS attacks

Grails vs XSS: Defending Grails against XSS attacks

PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •

PRELIMINARY SLIDESconference.hackinthebox.org/hitbsecconf2012kul... · • 2007 - Orkut Worm • 2008 - Yahoo IM XSS • 2009 - Twitter hit by multiple XSS variants, Memova XSS •

A Server Solution for Cookie-Stealing-Based XSS Attacks

A Server Solution for Cookie-Stealing-Based XSS Attacks

Stylish XSS

Stylish XSS

Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS

Combinatorial XSS Attack Grammars - SBA Research · Combinatorial XSS Attack Grammars XSS Vectors for ... SBA Research April 10, 2015 SBA Research, Vienna. Outline Introduction XSS

Universal XSS via IE8s XSS Filters - Black Hat Briefings · Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

Universal XSS via IE8s XSS Filters - Black Hat Briefings · Universal XSS via IE8s XSS Filters the sordid tale of a wayward hash sign slides:

SPMCIL...Protection against SQL Injections, Cross-site Scripting (XSS). Session Hijacking. URL Tampering, Cookie Poisoning etc. - Support for HTTP 0.9M .011.1 - Back-end servers supported:

SPMCIL...Protection against SQL Injections, Cross-site Scripting (XSS). Session Hijacking. URL Tampering, Cookie Poisoning etc. - Support for HTTP 0.9M .011.1 - Back-end servers supported:

DOM-based XSS

DOM-based XSS

Stealing proverbs

Stealing proverbs

Cookie Cookie Cookie

Cookie Cookie Cookie