
Lecture 15 XSS and UI Attacks

Cross-Site Scripting (XSS)


Idea: The attacker adds malicious JavaScript to a legitimate website

  • The legitimate website's server sends the attacker's JavaScript to the victim's browser.
  • The attacker's JavaScript runs with the origin of the legitimate website.
  • Now the attacker's JavaScript can access information on the legitimate website.

(1) Def (Cross-site Scripting, XSS)

Injecting Javascript into websites that are viewed by other users.

(2) Two main types of XSS

  • Stored XSS
  • Reflected XSS

Stored XSS

Stored XSS (persistent XSS): The attacker's JavaScript is stored on the legitimate server and sent to the victim's browser.

Remember: Stored XSS is a server-side vulnerability!


Reflected XSS

Reflected XSS: The attacker causes the victim to input JavaScript into a request, and the content is reflected (copied) in the response from the server.

Reflected XSS requires the victim to make a request with injected JavaScript


An interesting question is how to get the user to actively send the "attacked request" to the legitimate website's server. The approach used here is: the attacker puts malicious JS code in a URL and lures the user into clicking it. After clicking, the user lands on the attacker's website, which then performs a redirect, so that the user actively sends the "attacked request" to the legitimate website's server.

Reflected XSS vs. CSRF

Reflected XSS and CSRF both require the victim to make a request to a link.

  • CSRF: A malicious HTTP request is made (containing the user's cookies), executing an effect on the server side.

  • XSS: An HTTP response contains maliciously inserted JavaScript, executed on the client side.

XSS Defenses

  • HTML sanitization
    • Escaping: e.g., replace < with &lt; and " with &quot;
    • Now generally achieved through templating
  • CSP: Content Security Policy
    • Idea: Instruct the browser to only use resources loaded from specific places
    • Uses additional headers to specify the policy
    • Actually, more of a mitigation for "defense-in-depth"
    • (1) Disallow all inlined scripts
    • (2) Only allow scripts from specified domains
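The two defenses above, as an added example (not code from the lecture): an escaping function of the kind a templating engine applies automatically, shown beside the unescaped rendering that produces stored XSS (the same bug in a search page that echoes the query string is reflected XSS), and a Content-Security-Policy value that disallows inline scripts and restricts script sources to listed hosts. The comment page, the stored comment and the CDN host name are constructed for illustration.

```javascript
// Added example (not from the lecture): output escaping and a CSP header, the two
// XSS defenses listed above. The comment page, the sample input and the host names
// are constructed for illustration.

// Escape the characters that let untrusted text break out of an HTML text node
// or a double-quoted attribute value. '&' goes first so the entities produced
// by the later replacements are not escaped again.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: the stored comment is concatenated straight into the page,
// so a comment containing markup becomes part of the document (stored XSS). The
// same bug in a search page that echoes the query string is reflected XSS.
function renderCommentUnsafe(comment) {
  return `<li class="comment">${comment}</li>`;
}

// Safe rendering: every untrusted value is escaped at the point it enters HTML,
// which is what a templating engine does automatically for its placeholders.
function renderCommentSafe(comment) {
  return `<li class="comment">${escapeHtml(comment)}</li>`;
}

// Rough illustration-only check: does the rendered HTML contain a script tag or an
// inline event handler that the page author did not write?
function containsScript(html) {
  return /<script\b|\son\w+\s*=/i.test(html);
}

// Content-Security-Policy value implementing the two CSP points from the notes:
// (1) no inline scripts: 'unsafe-inline' is absent from script-src, so an injected
//     <script> block or onerror= handler is not executed even if escaping is missed;
// (2) scripts may only be loaded from 'self' and the listed hosts.
function buildCsp(scriptHosts) {
  return `default-src 'self'; script-src 'self' ${scriptHosts.join(' ')}; object-src 'none'`;
}

// Constructed attacker input, as it might sit in a comments table.
const STORED_COMMENT = 'nice post <script>alert(1)</script>';

// Constructed allowed CDN host (an assumption, not a real deployment).
const CSP_HEADER = buildCsp(['https://cdn.example.com']);

console.log(renderCommentUnsafe(STORED_COMMENT)); // script tag reaches the browser
console.log(renderCommentSafe(STORED_COMMENT));   // rendered as harmless text
console.log('Content-Security-Policy: ' + CSP_HEADER);
```

Escaping is the primary defense and CSP is the safety net: with the header above, even a comment that slips past escaping cannot run as an inline script, which is why the notes call CSP a defense-in-depth mitigation rather than a fix.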

UI Attacks

General theme: The attacker tricks the victim into thinking they are taking an intended action, when they are actually taking a malicious action.

UI attacks can be divided into two categories:

  • Clickjacking
  • Phishing

Clickjacking

Clickjacking (click attack):

  • Invisible Iframes
  • Temporal Attack: JavaScript can detect the position of the cursor and change the website right before the user clicks on something
  • Cursorjacking: JavaScript has the ability to track a cursor's position. If we change the appearance a certain way, we can create a fake cursor to trick users into clicking on things!

Clickjacking Defenses:

  • Enforce visual integrity: Ensure clear visual separation between important dialogs and content.
  • Enforce temporal integrity: Ensure that there is sufficient time for a user to register what they are clicking on.
  • Require confirmation from users.
  • Frame-busting: The legitimate website forbids other websites from embedding it in an iframe.
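Frame-busting, the last defense above, as an added example (not code from the lecture): the response headers a server sends so that browsers refuse to render the page inside another site's iframe, the client-side check used by script-based frame busting, and a small simulation of how a browser evaluates those headers for a given embedding origin. The bank, partner and attacker origins are constructed.

```javascript
// Added example (not from the lecture): frame-busting as a clickjacking defense.
// Shows the response headers a server sends and how a browser evaluates them for a
// given embedding origin. The origins used below are constructed.

// Headers that tell the browser to refuse to render the page inside a frame.
// X-Frame-Options is the legacy header; CSP frame-ancestors is the modern one and
// can also list specific partner origins that are allowed to embed the page.
function antiFramingHeaders(allowedOrigins = []) {
  if (allowedOrigins.length === 0) {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  return {
    // X-Frame-Options cannot express "these partners only", so it falls back to
    // SAMEORIGIN; browsers that understand frame-ancestors use that instead.
    'X-Frame-Options': 'SAMEORIGIN',
    'Content-Security-Policy': `frame-ancestors 'self' ${allowedOrigins.join(' ')}`,
  };
}

// Client-side check used by script-based frame busting: the page is framed when
// it is not the top-level browsing context. `win` is passed in so the check can
// run outside a browser; in a page it would be called as isFramed(window), and a
// framed page would then navigate the top-level window to itself.
function isFramed(win) {
  return win.top !== win.self;
}

// Simulates a browser deciding whether `embedderOrigin` may frame a page served
// from `pageOrigin` with the given response headers. When a frame-ancestors
// directive is present it takes precedence over X-Frame-Options.
function framingAllowed(headers, embedderOrigin, pageOrigin) {
  const csp = headers['Content-Security-Policy'] || '';
  const match = csp.match(/frame-ancestors\s+([^;]+)/);
  if (match) {
    const sources = match[1].trim().split(/\s+/);
    if (sources.includes("'none'")) return false;
    if (sources.includes("'self'") && embedderOrigin === pageOrigin) return true;
    return sources.includes(embedderOrigin);
  }
  // No CSP directive: fall back to X-Frame-Options.
  const xfo = (headers['X-Frame-Options'] || '').toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return embedderOrigin === pageOrigin;
  return true; // no anti-framing header at all: any site may embed the page
}

// Constructed origins for the demonstration.
const BANK = 'https://bank.example';
const PARTNER = 'https://partner.example';
const ATTACKER = 'https://attacker.example';

console.log(framingAllowed(antiFramingHeaders(), ATTACKER, BANK));          // false
console.log(framingAllowed(antiFramingHeaders([PARTNER]), PARTNER, BANK));  // true
console.log(framingAllowed({}, ATTACKER, BANK));                             // true: undefended
```

The header-based approach is the one to rely on: the script check runs only after the page has already been loaded inside the attacker's frame, whereas the browser enforces X-Frame-Options and frame-ancestors before rendering anything.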

Phishing

Phishing (phishing messages):

Phishing: Trick the victim into sending the attacker personal information

Main vulnerability exploited: The user can't distinguish between a legitimate website and a website impersonating the legitimate website

Phishing: Don't Blame the Users

  • Most users aren't security experts
  • Attacks are uncommon: users normally don't suspect malicious action
  • Detecting phishing is hard, even if you're on the lookout for attacks

Two-Factor Authentication

Because phishing can steal a password, we need more than one factor to verify the user's identity.

Hence, 2FA (Two-Factor Authentication)


Subverting 2FA: Relay Attacks

But actually, even 2FA can be attacked :(

This kind of attack is called a relay attack.

Relay attacks (transient phishing)

The attacker steals both factors in a phishing attack.


Review
