1
Q
Cross-site scripting
A
- XSS
– Cascading Style Sheets (CSS) are
something else entirely - Originally called cross-site because of
browser security flaws
– Information from one site could be
shared with another - One of the most common web application
development errors
– Takes advantage of the trust a user has for a site
– Complex and varied - Malware that uses JavaScript
– Do you allow scripts? Me too.
2
Q
Non-persistent (reflected) XSS attack
A
- Web site allows scripts to run in user input
– Search box is a common source - Attacker emails a link that takes advantage of
this vulnerability
– Runs a script that sends credentials /
session IDs / cookies to the attacker - Script embedded in URL executes in
the victim’s browser
– As if it came from the server - Attacker uses credentials/session IDs/ cookies to
steal victim’s information without their knowledge
– Very sneaky
3
Q
Persistent (stored) XSS attack
A
- Attacker posts a message to a social network
– Includes the malicious payload - It’s now “persistent”- Everyone gets the payload
- No specific target - All viewers to the page
- For social networking, this can spread quickly
– Everyone who views the message can have it
posted to their page
– Where someone else can view it and propagate it further…
4
Q
Hacking a Subaru
A
- June 2017, Aaron Guzman - Security researcher
- When authenticating with Subaru, users get a token
– This token never expires (bad!) - A valid token allowed any service request
– Even adding your email address to someone else’s account
– Now you have full access to someone else’s car - Web front-end included an XSS vulnerability
– A user clicks a malicious link, and you have their token
5
Q
Protecting against XSS
A
- Be careful when clicking untrusted links
– Never blindly click in your email inbox. Never. - Consider disabling JavaScript
– Or control with an extension
– This offers limited protection - Keep your browser and applications updated
– Avoid the nasty browser vulnerabilities - Validate input
– Don’t allow users to add their own scripts to an input field
Comptia A+ Core 2
flashcards
Decks in class (69)
# Cards
-
1.1 An Overview of Windows8
-
1.1 - Windows Features8
-
1.1 - Windows Upgrades5
-
1.2 - Windows Command Line Tools15
-
1.2 - The Windows Network Command Line8
-
1.3 - Task Manager7
-
1.3 - The Microsoft Management Console9
-
1.3 - Additional Windows Tools6
-
1.4 - The Windows Control Panel15
-
1.5 - Windows Settings11
-
1.6 - Windows Network Technologies8
-
1.6 - Configuring Windows Firewall3
-
1.6 - Windows IP Address Configuration3
-
1.6 - Windows Network Connections5
-
1.7 - Installing Applications10
-
1.8 - Operating System Overview10
-
1.8 - Filesystems5
-
1.9 - Installing Operating Systems7
-
1.9 - Upgrading Windows5
-
1.10 - macOS Overview6
-
1.10 - macOS System Preferences7
-
1.10 - macOS Features12
-
1.11 - Linux Commands20
-
1.11 - Linux Features4
-
2.1 - Physical Security9
-
2.1 - Physical Security for Staff8
-
2.1 - Logical Security7
-
2.1 - Active Directory8
-
2.2 - Wireless Encryption8
-
2.2 - Authentication Methods5
-
2.3 - Malware10
-
2.3 - Anti-Malware Tools7
-
2.4 - Social Engineering10
-
2.4 - Denial of Service4
-
2.4 - Zero-Day Attacks2
-
2.4 - On-Path Attacks3
-
2.4 - Password Attacks5
-
2.4 - Insider Threats2
-
2.4 - SQL Injection2
-
2.4 - Cross-site Scripting5
-
2.4 - Security Vulnerabilities6
-
2.5 - Defender Antivirus3
-
2.5 - Windows Firewall3
-
2.5 - Windows Security Settings9
-
2.6 - Security Best Practices10
-
2.7 - Mobile Device Security9
-
2.8 - Data Destruction5
-
2.9 - Securing a SOHO Network15
-
2.10 - Browser Security11
-
3.1 - Troubleshooting Windows11
-
3.1 - Troubleshooting Solutions14
-
3.2 - Troubleshooting Security Issues6
-
3.3 - Removing Malware9
-
3.4 - Troubleshooting Mobile Devices8
-
3.5 - Troubleshooting Mobile Device Security12
-
4.1 - Ticketing Systems6
-
4.1 - Asset Management3
-
4.1 - Document Types9
-
4.2 - Change Management11
-
4.3 - Managing Backups10
-
4.4 - Managing Electrostatic Discharge4
-
4.4 - Safety Procedures4
-
4.5 - Environmental Impacts7
-
4.6 - Privacy, Licensing, and Policies13
-
4.7 - Communication6
-
4.7 - Professionalism5
-
4.8 - Scripting Languages7
-
4.8 - Scripting Use Cases8
-
4.9 - Remote Access12
