# Attacks 🙀

![](https://i.imgur.com/5h8F4ZD.gif)

+ XSS
+ CSRF

---

## What are the risks?

+ Hijack an account and steal tokens and personal data.
+ Spread web worms 🐛.
+ Access browser history and clipboard contents.
+ Control the browser remotely.
+ Scan and exploit intranet applications.

---

## Cross Site Scripting (XSS)

Cross-Site Scripting (XSS) attacks are a type of injection attack, where malicious 😈 JavaScript code is injected into trusted websites and executed client-side in the browsers of unsuspecting victims.

---

### Stored/persistent XSS 💿

The malicious script is served from the target website's own database or server.

---

### Reflected XSS

In this attack the malicious code is not stored on the server; instead it is passed through a trusted server and reflected back to the victim. The script comes from the victim's own HTTP request, typically echoed in an error message or a search result.

![](https://i.imgur.com/TTApjbU.gif)

---

Example search: https://insecure-website.com/search?term=gift

With this output: `<p>You searched for: gift</p>`

Without sanitisation attackers can send:

```
https://insecure-website.com/search?term=<script>/*+Bad+stuff+here...+*/</script>
```

---

### DOM-based XSS

Occurs when a website writes data to the DOM without proper sanitization 🧼. Similar to reflected attacks in that it relies on link clicking, except that rather than including the payload in the HTTP response of a trusted site, the attack is executed entirely in the browser by modifying the DOM (Document Object Model) directly.

---

## Cross Site Request Forgery (CSRF)

+ Cross-Site Request Forgery (CSRF) is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated.

---

![](https://i.imgur.com/6l4BtKa.jpg)

---

### XSS and CSRF DEFENSE!
![](https://i.imgur.com/W6jFPEW.gif)

---

### XSS

- Treat any user input as unsafe: never trust data that users enter into your application
- Ways to protect against Cross Site Scripting aka XSS

![](https://i.imgur.com/DDpcoW3.gif)

---

- Properly use modern JS frameworks; here are some framework vulnerabilities :shocked_face_with_exploding_head:

![](https://i.imgur.com/WdcDILl.png)

- These libraries provide HTML sanitization :point_down:
  - [Google Closure Library](https://developers.google.com/closure/library/)
  - [DOM Purify](https://cure53.de/purify)
  - [Python Bleach](https://pypi.org/project/bleach/)

---

- Content Security Policy (CSP) is an added layer of security to help prevent XSS attacks :scream:
- To enable CSP, configure your web server to return the [Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy) HTTP header
- Or the HTML meta tag can be used like so :tada:

![](https://i.imgur.com/SNQUDoP.png)

---

- Use sanitisation and output-encoding techniques to escape your HTML

![](https://i.imgur.com/fLalyNV.png)

- [Sanitizer API](https://developer.mozilla.org/en-US/docs/Web/API/HTML_Sanitizer_API): this is an experimental technology and is only available in secure contexts (HTTPS)

---

- To access the API you use the `Sanitizer()` constructor to create and configure a Sanitizer instance. The configuration options parameter lets you specify the allowed and disallowed elements and attributes, and enable custom elements and comments.
- `Element.setHTML()` is a safe :lock: version of `Element.innerHTML`

---

- `Sanitizer.sanitizeFor()` parses and sanitizes a string of HTML for later insertion into the DOM. This can be used when the target element for the string is not always ready/available for update
- `Sanitizer.sanitize()` sanitizes data that is in a Document or DocumentFragment. It might be used, for example, to sanitize a Document instance in a frame.
---

### CSRF

- Prevent phishing :fish: (forged form submissions) by only using JSON APIs

![](https://i.imgur.com/qehYsYE.png)

- Make sure that none of your GET requests change any relevant data in your database
- Because HTML forms can only send GET and POST, use other methods like PUT, PATCH, and DELETE for state-changing actions so attackers have fewer methods to attack your site

---

- There's a method-override node module that actually makes CSRF attacks much more likely, so don't use it!
- The older the browser :older_man: the more vulnerable your data is, since old browsers don't support CORS :face_with_monocle:

---

- CSRF tokens are delivered secretly to the client as a hidden value in an HTML form and submitted back via the POST method
- The token is then included as a request parameter when the form is submitted
- Secure and :lock: only known by the server :shushing_face:

![](https://i.imgur.com/ABwYJRH.png)

---

# *Fin*

![](https://i.imgur.com/d0Pn8yx.gif)