We’ll get started at 1[68]:05

client side injection

6[84]43 week 7

house cleaning

due dates

  • most of the Topic04 challenges should be out
  • these are due Week 8 Sunday @ 11:59pm

report groups

  • the second report is out
  • if you need a new group for the 2nd report, msg me.
  • marks/feedback will be out at some point

origin vs site

origin

https://www.example.com:80

origin = scheme + host + port

origin vs site

site

http://www.example.com:80
https://api.example.com:443

site = private_domain + public_suffix

  • scheme, subdomain and port are ignored
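A worked check of these two definitions, added here and not part of the slides: it fills in default ports explicitly (the browser URL API leaves them out of `.origin`) and uses a tiny constructed public-suffix list in place of the real, much longer one.

```javascript
// Added example: compute origin and site for a URL and compare two URLs.
// PUBLIC_SUFFIXES is a constructed stand-in for the real public suffix list.
const PUBLIC_SUFFIXES = ["com", "org", "co.uk", "github.io"];
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// origin = scheme + host + port (default port written out explicitly)
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// site = private_domain + public_suffix; scheme, subdomain and port are ignored
function siteOf(urlString) {
  const labels = new URL(urlString).hostname.split(".");
  // try the longest candidate suffix first, so co.uk wins over uk
  for (let n = labels.length - 1; n >= 1; n--) {
    const suffix = labels.slice(-n).join(".");
    if (PUBLIC_SUFFIXES.includes(suffix)) {
      // one extra label on top of the public suffix is the private domain
      return labels.slice(-(n + 1)).join(".");
    }
  }
  return labels.join(".");
}

function sameOrigin(a, b) { return originOf(a) === originOf(b); }
function sameSite(a, b) { return siteOf(a) === siteOf(b); }

// The two URLs from the slide: different origins, same site.
const a = "http://www.example.com:80";
const b = "https://api.example.com:443";
console.log("origins:", originOf(a), originOf(b), "same?", sameOrigin(a, b));
console.log("sites:", siteOf(a), siteOf(b), "same?", sameSite(a, b));
```

Note that with `github.io` on the suffix list, `alice.github.io` and `bob.github.io` are different sites, which is exactly why hosting providers register their shared domains as public suffixes.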

SOP (Same Origin Policy)

  • Blocks resource requests to/from an external site

  • “External” is defined by origin: only requests from the same origin are allowed to use the resources

  • more secure, but the ways people bypassed it aren’t xd

read more here

Cross-Origin Resource Sharing

  • Obviously sometimes you need to access resources from another origin (e.g. using images, videos)

  • This can be achieved if the resource owner sets certain headers on the resource (more here)

give it a try

Can it be bypassed

  • It’s just a browser protection
  • Doesn’t prevent the request (it’ll still succeed), it prevents you from accessing the response.
  • Would it block you if you accessed it through a script?

Client-side injection

  • html injection
  • xss
  • csrf
  • clickjacking

HTML injection

  • Browsers just render the DOM
  • How would it know if tags are user-supplied or server-supplied?
  • what if our input was just <s>?

Cool graphic?

understand the tags

different ones have different properties, etc.

  • some are paired <div></div>
  • some aren’t <img src=.../>
  • what goes in here? <script>...</script>

xss (cross-site scripting)

a better name is JavaScript Injection

  • another ‘mixing of data and control’ issue
    • your browser only receives a single stream of data
    • the content of the stream determines if it’s control or data
  • Tricking a browser into executing your code

reflected XSS

  • payload is part of user input
    • e.g. a search query, cookie, header, etc
    • anything insecurely rendered on the page

www.example.com/database?q=<script>alert(1)</script>

stored XSS

  • payload is stored in some database
    • anybody who visits a certain page will view it
    • e.g. blog posts, twitter (lol)
  • generally worse, but more easily detected

DOM-based XSS

  • Similar to the others, but the vulnerability comes from modifying the DOM
<script>
// whatever follows "context=" in the URL is written straight into the page,
// so the server never sees the payload; it exists only client-side
const pos = document.URL.indexOf("context=") + 8; // 8 = length of "context="
document.write(document.URL.substring(pos, document.URL.length));
</script>

Demo!

xss isn’t just <script> tags

// event-handlers
<img src=x onerror=alert(1)/>
 
// injecting into javascript code
const a = '<user_input>'

// and much more

it’s any time user-supplied input ends up in a JavaScript context

Some good resources

Bonus: breaking mitigations

  • Content stripped/blocked
    • embed dummy characters (a filter that strips “script” once leaves <SCRIPT> behind): <SCRscriptIPT>
    • use alternating case: <ScRiPt>
    • different tag <img onerror=...>
    • different event handler <body onload=...>

here’s a couple more

CSRF

What is it?

  • Cross-site request forgery
  • Trick a user into performing an unintended action
    • e.g. make them authorize a bank transaction
    • e.g. make them change their email/password
  • kinda similar to SSRF

<form method="POST" >

Demo!

click-jacking

  • a fake form sitting under a real form

  • if you try to interact with the fake form, you’ll accidentally interact with the real one.

  • this could be either local or external

    • local: the same form, with the confirm/cancel buttons swapped
    • external: an invisible iframe with a higher z-index

demo