001 ISSES Web Hacking v002
Education in Serbia
WEB HACKING
ISSES 2017-2020
Novi Sad, Serbia
Vision
▪ From Zero to Hero in web hacking
▪ Web intro
▪ Injection
▪ Broken authentication & authorization
▪ Cross-site scripting
▪ Vulnerable 3rd party components
WEB INTRO
https://www.ntu.edu.sg/home/ehchua/programming/webprogramming/HTTP_Basics.html
HTTP/1.1 200 OK
Date: Sun, 18 Oct 2009 08:56:53 GMT
Server: Apache/2.2.14 (Win32)
Last-Modified: Sat, 20 Nov 2004 07:16:26 GMT
ETag: "10000000565a5-2c-3e94b66c2e680"
Accept-Ranges: bytes
Content-Length: 44
Connection: close
Content-Type: text/html
X-Pad: avoid browser bug
<html><body><h1>It works!</h1></body></html>
ISSES 2017-2020, Erasmus+ CBHE
Server-side architecture
▪ HTML elements:
<img onmouseout="script(this)" … />
▪ Remote:
<script src="example.com/glob.js"></script>
▪ CSS:
BODY{background:url("javascript:alert('XSS')")}
▪ Cross-origin accesses
• Cross-origin write (sending): allowed to any origin
• Examples: links, redirects, form submission
• Without this, pages would only be able to link to themselves
• CSRF and clickjacking are still possible (not in scope of SOP)
• Cross-origin read (receiving): permitted only from same origin
• But is typically circumvented by embedding
• Cross-origin embedding: allowed from any origin
• Examples: JavaScript (the <script> tag), CSS (<link…>), images
(<img>), <audio>, <video>, <iframe>, …
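Added example (not part of the original slides): the three cross-origin rules above modelled as a small JavaScript decision function. The function names and sample URLs are constructed for illustration, and CORS opt-in for reads is not modelled.

```javascript
// Models the same-origin policy rules from the slide: write and embed are
// allowed to any origin, read only from the same origin.
// All names and URLs here are constructed for illustration.

// An origin is the (scheme, host, port) triple. URL.origin normalizes
// default ports, so https://a.example:443 equals https://a.example.
function originOf(url) {
  const u = new URL(url);
  if (u.protocol !== "http:" && u.protocol !== "https:") {
    throw new Error("only http(s) URLs are modelled: " + url);
  }
  return u.origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// kind is one of:
//   "write" - link, redirect, form submission
//   "embed" - <script>, <link>, <img>, <audio>, <video>, <iframe>
//   "read"  - script in pageUrl reading targetUrl's response or DOM
function sopDecision(pageUrl, targetUrl, kind) {
  const same = sameOrigin(pageUrl, targetUrl);
  switch (kind) {
    case "write":
      // SOP does not stop the request, so the server must defend
      // state-changing endpoints itself (anti-CSRF token, SameSite cookies).
      return { allowed: true, sameOrigin: same, serverMustDefend: !same };
    case "embed":
      // The resource loads and (for scripts) runs in the embedding page.
      return { allowed: true, sameOrigin: same, serverMustDefend: false };
    case "read":
      return { allowed: same, sameOrigin: same, serverMustDefend: false };
    default:
      throw new Error("unknown access kind: " + kind);
  }
}

// Constructed sample: a page on shop.example touching other URLs.
const page = "https://shop.example/cart";
for (const [target, kind] of [
  ["https://shop.example:443/api/orders", "read"],
  ["http://shop.example/api/orders", "read"],
  ["https://cdn.example/glob.js", "embed"],
  ["https://bank.example/transfer", "write"],
]) {
  console.log(kind, target, JSON.stringify(sopDecision(page, target, kind)));
}
```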
XSS steps
▪ DEF: Cross-site scripting is an HTML/script injection vulnerability
▪ It occurs when attackers can make a malicious script appear and run in a
page (HTML) or in data sent to the victim's browser or application
▪ XSS usually relies on malicious JavaScript code
▪ Optionally, it can also be HTML/HTML5 code, Flash or other
executable code
Thank you for your attention!