Alright, let's finish off the last bit and then get into more interesting things. Alright, so what's the whole idea behind cross-site scripting? Circumventing the same origin policy. Circumventing the same origin policy. How do we circumvent the same origin policy? Isn't it this ironclad guarantee that the browser gives us? Through script tags, like through JavaScript, right? So if we can trick a web application into including attacker-controlled content in the HTML response, and if we can trick it to somehow turn the code that we're giving it into JavaScript, then we've essentially circumvented the same origin policy, because the attacker-controlled JavaScript is now executing in the context of the browser. Cool. Alright, so we looked at stored cross-site scripting. Sorry, reflected cross-site scripting. So reflected cross-site scripting, to remind ourselves, is essentially when a URL parameter is used in generating the HTML response by the web application, and therefore an attacker can input any HTML they want, including JavaScript. And so why is it reflected? Yeah, so we need to trick a victim into clicking on a link which includes our malicious JavaScript payload. Otherwise we can't trick them into executing our code. Stored cross-site scripting, on the other hand, is basically when the web application itself will store our cross-site scripting payload and send it out to every single person that visits it. So basically it's stored in the database as part of a message, and then everybody who visits that page will download and execute that JavaScript code. These are very frequent on bulletin board systems, forums, blogs, any type of thing where you can post user content and it's stored there forever. Cool. Okay, so we talked about the main one; we talked about this a little bit on Monday. How do we actually tell the browser to execute JavaScript?
So what's the main way that we talked about? Script tags: a start script tag and an end script tag. There are actually, if you go to this, RSnake is a pretty famous hacker who created this XSS cheat sheet, which has a list of all the different ways to trick a browser into executing JavaScript. So the simplest is script tags, as we've been talking about. We can use event handlers. So this is injecting a body tag with an onload attribute, which the browser will execute as JavaScript when the page loads. We can do a b tag with an onmouseover. So we can make an element such that when the mouse cursor goes over that element, that event is triggered. What's the downside of this? You'd have to force the user to mouse over the element that you're talking about. So what can we do? Yeah, make it into something that says "click me", or "click me to win a free iPhone X". Or an error box with an okay? Ooh, that's really tricky. I would probably click on that: you have an error message and it says okay. Yeah, maybe. Isn't it possible to change the pieces? I mean, all the pages are pressed, so we can't actually in the place that the click is. Yeah, so remember, at this point we haven't executed any JavaScript yet, but inline in this element that we're creating we can control the style attribute, which has the CSS, the cascading style sheets, which says how to visually display this element. We can make the element as big as the display. So literally all you do is move the mouse a little bit and it's game over, which is basically guaranteeing that it works. We can do, this is one of the ones I like to use, it's a pretty nice one because it works automatically. So the tricky thing with onload is that not every element actually has an onload event, so you have to pick your element correctly. The mouseover again has tricks where you have to make sure that the element is as big as the page and that they're actually going to mouse over it.
The other nice one is an image tag with a source attribute of a URL that does not exist. So when the browser is going to try to render this image it's going to try to fetch this URL, and when it fetches it, it's probably going to get what kind of an error? Yeah, probably a 404, or maybe even a DNS error where that domain name doesn't even exist. And then when that happens it's going to call the onerror event handler. So if you can guarantee that this thing doesn't exist, now you're automatically executing that JavaScript code. And that's one of your favorite ones? Yes. Yes, you can do other things. And the other thing I'll say, if you look at the XSS cheat sheet, these are sometimes browser dependent, because different browsers have different behaviors on what they do when rendering different content. For something like script tags they all obviously do that. But the other trick you can do, when you talk about, have you ever gone to a web page and the browser says, oh, this is really bad HTML, I'm not going to render this page? They missed a closing body tag. You mean the page where you can just say "continue anyway"? No. What's the error message you've seen? I think that was a credentials thing. Yeah, so credentials, that could be one thing, but that's not really an error message from the browser that's going to go out there. Does it just print the HTML or the text of it? It does best-effort parsing. If you started looking at the HTML of every page you visited you would be amazed, and you could even go to GeoCities sites from the late 90s or early 2000s and still render them in your browser, even when you look at those and it's malformed and just terrible HTML content, because otherwise everybody would switch to a browser that actually works. So browsers do best-effort parsing, and you as an attacker can take advantage of that by using browser quirks and weird things that shouldn't work but do because of how nice browsers are.
So you can do things like this. This is something that probably shouldn't work. So this is an image tag with a source attribute of JavaScript code. So in some browsers this will execute that JavaScript code in order to get the source image. You can HTML entity encode the "a" in "javascript", because why would it HTML entity decode that? That's not actually part of the standard, where you could do that, but the browser just does it for you to be helpful. You can use no quotes. So this is a super cool one. So getting around it in this image source: here you had to use single quotes or double quotes in here. But here you can use an image tag with %20, which sometimes they will interpret as a space, weirdly, you know, that's not valid HTML. You can have the source x.js, onerror, and here you have a space in between my onerror handler and the actual JavaScript, but in some browsers that works. And then here you have alert, and I'm taking String of, what is, in JavaScript, please tell me, slash item slash? It's close. Very close. It's a literal regular expression, which is normally used in replacements. Yeah, that's why they have that syntax. So it's defining a regular expression, but I'm passing it into the String function to turn it into a string, and then I'm taking the substring of 1 to 5, which is that same string, and that's going to return me the string "item". So here I have an image tag with no single quotes, and yeah, I can do anything with any arbitrary string that I want. So you are actually bypassing the limitation of using single quotes. Correct. So this would be, and this is kind of one of these things, for instance, what type of, if there's any filtering being applied or blacklisting of your input.
So for instance I'll tell you an example. One of the first times I set up, I think it was Blacko Ego, one of these intentionally vulnerable web apps, I set it up for the students to use. It was all through ASU's network and everything was working great, and then I tried to do the cross-site scripting example and I used script tags and my request just, hey, I was like, I don't understand what's going on, maybe I messed something up. This is pretty complicated: it had to go into my lab and then be forwarded to my OpenStack instance and then forwarded to a virtual machine. So I go, okay, I'm going to tcpdump on every one of those machines to see where the request normally goes and where it failed. It never got into my lab, and then I realized, oh, ASU must have a web application firewall that's monitoring all of the traffic. So I changed it from script tags and then it worked, because it was just looking for script tags and nothing else. But I think this probably still exists. If you try to make a request to an HTTP, maybe now it's going, I don't know if that's true, but definitely an incoming request which includes script tags usually gets blocked. Sometimes you have a string that you won't be able to filter, so is it possible to use, you know, JavaScript to put that string in there? For example, putting "Adam" in the middle of the string and then removing the "Adam" from the string? How do you remove the "Adam" from the string?
That's for the script, actually. Yes, because you need to execute JavaScript for that; if you can execute the JavaScript then you've already executed the JavaScript. One interesting thing you can do, on a related note: some things will incorrectly sanitize by replacing "script" with the empty string, which sounds like that should be an effective blacklisting approach, but you write "scri", then "script", then "pt", and so it replaces the middle "script" with the empty string, thus creating the script tag that you actually want. So you're actually using the blacklist and the filtering method to get what you want out of it. This is why writing a blacklist is terrible. You could never do it, because it's going to get messed up, and also for all of these reasons, because even if you validate, or even if you attempt to validate according to the spec, you're going to get some garbage that looks like it should not be valid, but some browser out there is interpreting that as HTML. So with the percent encoding on the "a" and the image tag, that isn't a guarantee, it's just that some browser may happen to do it? Correct. Everything's terrible. Cool, so the third type we talked about was DOM-based cross-site scripting. Client-side XSS is the way I think about it, because I think about what is the bug, like where's the vulnerability, what code are you going to fix. For a reflected or a stored cross-site scripting, the problem is you're not sanitizing your output correctly, and so that's a server-side code fix you need to do. For a client-side XSS the bug is in the JavaScript code itself, because it incorrectly takes some input from the URL and passes it to the eval function unsanitized. So an example would be getting a name from location.hash. So what's location.hash? What does it give us? The URL that you're currently at. Yes, so the URL has parts: protocol, authority, path, query, fragment. So the fragment is everything after the hash, so location.hash is a nice way to give you just that data after the hash. So
this is how, if you've been on a JavaScript-heavy site, or even what they call a single page application in JavaScript, where you click on the object and it changes immediately and the URL changes, but it's everything after the hash that's changed. That's the way JavaScript knows how to get back there. So let's say you have this and then you have document.write of "Hello" name, just like the example we had earlier: the server-side code wanting to tell us hello, here we're writing out to the document "Hello" name. And so if we look, we can go here and we can visit, if this page is on example.com/test.html, when we make this request, Adam is going to go into this location.hash, which is going to be returned as name, which is going to be output here, and it's going to say hello Adam. Now if we put script tags after the hash, location.hash will return everything after the hash, because that's what it does, and there's no sanitization here, so this is going to write out script tags in the document, which is reinterpreted by the browser, parsed as HTML, and displayed as cross-site scripting. One of the super cool things here is when I make a request like this, what does the server see? What's the HTTP request that my client makes? Yes, it sends the URL before the hash, because everything after the hash, that fragment, is only useful to the client; it's never sent to the server. So the server, the web application, doesn't even know that this cross-site scripting exploit happened, whereas in all the other cases, reflected and stored, the web server actually gets to see that traffic, but here it's all stored locally in the browser, so it never leaves the browser, which I think is super cool. It's like a really cool twist on cross-site scripting. Alright. So one of the cool things about cross-site scripting is if you have a combination of a stored cross-site scripting and a social network, you can turn it into a worm. What is a worm? Is it a game?
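The "replace script with the empty string" filter described above, worked through as an added example in Python (this is not code from the lecture): a single-pass blacklist assembles the very tag it was meant to remove, a repeated strip silently mangles legitimate text and is still blind to a case variant, whereas entity encoding removes nothing and leaves the input as data the browser displays rather than parses. The filter functions and the sample inputs are constructed for this example.

```python
import html


def strip_script_once(value: str) -> str:
    """The blacklist from the lecture: delete the substring 'script' one time."""
    return value.replace("script", "", 1)


def strip_script_repeated(value: str) -> str:
    """Tempting 'fix': keep deleting until the word is gone. Still a blacklist:
    it destroys legitimate text and is blind to anything not spelled exactly
    'script' (browsers treat tag names case-insensitively)."""
    while "script" in value:
        value = value.replace("script", "")
    return value


def encode_html_text(value: str) -> str:
    """Output encoding for HTML text content: nothing is removed; the characters
    that mean something to the HTML parser become entities, so the browser
    shows the input instead of interpreting it."""
    return html.escape(value)


# Constructed sample inputs for the demonstration.
NESTED = "<scri" + "script" + "pt>alert(1)</scri" + "script" + "pt>"  # the lecture's trick
UPPER = "<SCRIPT>alert(1)</SCRIPT>"                                   # case variant
INNOCENT = "My manuscript describes the prescription process."         # legitimate text


def report() -> dict:
    """Run every input through every filter; returns what the browser would receive."""
    return {
        name: {
            "strip_once": strip_script_once(value),
            "strip_repeated": strip_script_repeated(value),
            "encoded": encode_html_text(value),
        }
        for name, value in (("nested", NESTED), ("upper", UPPER), ("innocent", INNOCENT))
    }


if __name__ == "__main__":
    for name, results in report().items():
        print(name)
        for method, out in results.items():
            print(f"  {method:15s} {out}")
```

The "nested" row is the lecture's point: after one pass the first tag reads `<script>`. The "innocent" row is why stripping is the wrong tool even when it happens to work: "manuscript" and "prescription" lose their letters too, while the encoded version is still readable.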
For a client it's a self-propelled system. Yeah, it's usually some piece of malware that will scan, in fact it will scan for a vulnerable host in its local network or on other computers on the network. When it finds one it attempts to exploit that system; when it successfully exploits it, it transfers itself to that other system, starts running on that one, does the same thing, it scans the network for a vulnerable host, and so you get this really awesome viral pattern where you get, like, literally the whole internet. So this was, when we talked about the Morris worm way back when, that literally took down the internet and all of the systems there, that's because of this worm-like behavior. So there's some really good examples of this. My favorite is the "Samy is my hero" one from 2005, but this is not just an old vulnerability. This vulnerability existed in TweetDeck, where basically TweetDeck is a UI for Twitter, and so they weren't properly sanitizing tweets. So if you created a tweet containing JavaScript code and you loaded that up in TweetDeck, that would cause a cross-site scripting exploit. It would start executing the attacker's JavaScript, the attacker's JavaScript would tweet out that same message on your account, then anyone else who saw it would do the same, and it would spread throughout Twitter. The "Samy is my hero" one is a cool one because it's nice to go back in the time machine, and I'm going to do something that I always hate doing: does anybody remember MySpace? Let's get smaller and smaller over here, back when we thought that MySpace was so much better than Friendster. So there was a, I think I do remember his name, I'll get to it in here, I don't want to get it wrong, but there was a rash of people adding, I think it was under Heroes, so on MySpace there are different sections of your profile, and under Heroes you can see here a lot of people are adding "but most of all Samy is my hero". And if you look, this is on the super reliable, so here there were a ton of search
results, I don't have the actual numbers here, and so this was about 4,000 results from the awesome MSN search, which everyone knows is super reliable. And so what would happen was, this person Samy figured out a cross-site scripting vulnerability in the MySpace profile, and so with that cross-site scripting vulnerability, when you visited somebody's page that had this vulnerability, it would change your status to include the words "but most of all Samy is my hero" under Heroes and include the cross-site script, and so when you went to your page you were vulnerable too, but also it would also friend Samy, so that was part of it. So these are actual screenshots that are from Samy's thing here, so this is him, you can see he has almost a million friend requests. So this is 919,000 friend requests, which is a lot in the MySpace days; nowadays it's more like, I don't know, 2 billion users, which is a lot. And so anyways, yeah, so this was a super interesting time capsule about how a stored cross-site scripting vulnerability can lead to a vulnerable thing in the social network. Yes? Is it possible to get something, you know, executing code, to get instances on a server? No, not with XSS itself. XSS is all about executing JavaScript in a user's browser by violating the same origin policy. So it all depends, I mean, can you use a cross-site scripting vulnerability, I mean if you have that you could then use that to launch a drive-by download attack, which is taking advantage of a bug in the browser, in somebody's browser. So we saw, what are browsers written in? C, C++. C sharp? We're trying, we're trying. I think there are zero browsers written in C sharp, mainly for performance reasons I'd say, although maybe Edge, I don't know. Maybe, yeah, it's something even today would not be that, I guess, I don't know about Edge, maybe Edge, maybe C sharp, maybe parts of it, but the main browser, like the main rendering engine, the main JavaScript engine, is all C, C++. So are these the safest languages on Earth? Do you know how to exploit
vulnerabilities in C and C++ applications? Not yet. That's what we've got, like, good luck studying, there's a semester to work on that content. So yeah, so obviously I think there are advanced types of vulnerabilities, but at the core the same style of memory-corruption vulnerabilities exist in web browsers, and so attackers, when they find these vulnerabilities, they can write a JavaScript program to take advantage of them and start executing code on your system and basically turn your system into a botnet. So that's one way maybe you could do that. I would say, for the server, what I'd be more interested in is somehow getting the admin of the site, so getting code execution on the admin's system through some kind of cross-site scripting vulnerability, and then from there stealing their username and password to the site and then logging in and doing whatever I wanted. Something like XSS to, you know, make some memory of the admin? Yeah, possibly something like that, yeah, or maybe you could get the SSH private key and then log into the system, something like that. You can only do XSS if there's an HTML rendering component? Correct. The tricky thing is there's HTML rendering in a lot of places. So actually some research that I did, I think it was 2013, or 2014, we looked at mobile apps. So how do you develop mobile apps? So normally when you write a mobile app you write it with either Java if it's on Android, or you write it in Objective C or Swift on iOS. But does anybody develop a web app that does not use React? I think we have, what do you use? React, what is that? I'm making sure it's what I think it is. Does it not compile, but use it in JavaScript? Yes, okay, perfect. So yeah, it's using the embedded web view inside the app to load HTML and JavaScript content. And so what we found is that actually a very large percentage of apps use a web view to render web content, and when they do it they can do it this way. The problem is your app is then no longer fully featured,
right, you can't, from JavaScript code embedded in a web view, get access to the contacts, to the phone, whatever, which is what you want in applications. What you need to do is you need to enable this feature called the JavaScript bridge to allow the JavaScript code access to your Java objects, which is probably what React does for you. This JavaScript bridge does not respect the same origin policy. So you have your Java code where you say, make this Java object accessible to JavaScript through this name, and every single frame that you load in that web view can access that Java object, and when you click on any links in your embedded browser, any of those pages that you end up browsing to can also get that content. So it's a nice, the short answer is, people have looked at these types of cross-site scripting capabilities inside of applications, so they've done all kinds of crazy stuff. Or some apps, like some Bluetooth apps, will render a page in HTML, so if we make a Bluetooth device name with script tags it will execute JavaScript there, which is one of the cases I think I've seen cross-site scripting. I don't know, because car dashboards are, like, Android, and so sometimes they use web views there, so you can execute JavaScript there. So yeah, there's a lot of embedded browsers in a lot of weird places that you wouldn't necessarily expect, which is a long answer for that question. So how do we fix this? I think it's "don't use the internet". Actually I'm more and more liking that answer. Yeah, more and more I get jealous of people before the internet; you had to physically write out to a person to talk to them if they weren't in your vicinity, like, that's so nice. But we cannot stop using the internet, so what do we do? There's maybe including some specific characters, you know, some special characters, right? So one of the ideas, we looked at SQL injection, right, we said, well, there are some frameworks that will ensure, so Google has this system, like this template
language called Caja, C-A-J-A, that automatically will do sanitization when it needs to insert parts. A lot of people don't use those, or they use other types of template languages which can have their own problems. So yeah, another way would be doing sanitization. The problem is, when it comes to doing sanitization, cross-site scripting is fundamentally much more difficult than SQL injection, so the key problem is it's context sensitive. So I want to show an example of what I mean by this. So what I mean here, okay, I'm going to use a star for where there's, like, so okay, so I have an html tag and I have a star here. So what do you need to execute JavaScript here? Yeah, a starting script tag and an end script tag. This says script, this is the world's thickest pen, okay. So there it's very clear, we use script tags, right? Now what if I am inside an a href? So before you answer, I want you to say what happens if we put this payload inside here. Yes, it tries to load: if you click on that link it will try to load a URL of this thing, that's not a valid URL, it will fail. But the important thing is, because of the context of the HTML page, right, so you think about the browser's parsing engine, right here, in between these HTML tags, what we need to transition to JavaScript is a starting script tag. Here, inside of an href, we're inside of a double quoted attribute now, which means that whatever we put, if we don't include double quotes, we're not going to execute JavaScript, right, because it will think that that is the value of the href attribute. So here we need, well, there are many things we could do. Let's close the double quote, let's close the a tag, and then we'll do our script tag and then the end script tag. So we left this hanging, but that's fine, HTML is pretty robust, right? So here we needed the quotes and the ending bracket, essentially because of the specific context where we were, right? So then let's say we say, okay, well, it was already brought up, now what if around here we said
everything that comes out of here we'll HTML entity encode, right? So this means that every bracket will be translated into ampersand l t, something like that, right, which will completely fix this cross-site scripting vulnerability here. There's absolutely no way to execute JavaScript if we HTML entity encode everything that comes out of there. But what if we did the same thing here, we do HTML entity encode, will it stop the exploit we just wrote? The script is there, so it's going to encode, exactly, it's going to encode our less than and greater than symbols, right, which isn't going to let us break out of the a tag to start a new script tag, and in fact we can't start a new script tag because everything here, this, this, this, this, is going to be encoded. So does this mean we've created, there's no cross-site scripting anymore in the a? What if we did this? Because we know, well, one thing we need to do is, what exactly did the encoding do, right? And so one thing we would see is that it doesn't do anything to double quotes. So what if we input double quote, space, onclick, single quote, alert XSS, and then, oh, I won't do this closing double quote, we'll get this closing one, and then this. And so now we're able, so this will, with most, none of these characters are special HTML characters, right? The only characters that are important in the context of parsing HTML elements are the less than and greater than symbols and ampersand, along with a handful of others, right? Double quotes have no meaning there, but when we're inside of a double quoted href attribute, double quote is the important character there. So HTML encoding, if I have in one place the encoding is correct, in the other place the encoding is incorrect. This is one of the fundamental problems with cross-site scripting vulnerabilities: you can't do something like, let's just sanitize at every place where I'm outputting in the HTML, because you need to know what context of the page this value is being used in, because you
need different, so if we instead, double quote is a special character for URLs, so that will be encoded to percent whatever double quote is, the space will also be changed to percent 20, and so if we change that to URL encoding that is completely secure, but if we change this to URL encoding that's not secure. And there are actually many different types of these areas, so there's no one encoding and how it needs to work, and this really is the fundamental problem of why cross-site scripting is so difficult to solve automatically. It seems like a trivial problem, but this is what clearly makes it so difficult. And to make it even more difficult, okay, let's look at this one. This is one of my favorite ones. So has anybody written code like this, in JavaScript code, to put inside that name parameter whatever we want, so essentially pass that from the server-side code to the client-side code? So here, what do we need to do to execute JavaScript? Do we need a starting script tag? No. Why not? We already have one, right? We're inside JavaScript, right? So we can do here alert XSS, and then I could do a semicolon and then a double quote to close that up, or I could comment out the rest of that line with slash slash. This would, I believe you could craft this such that it bypasses both HTML entity encoding and URL encoding, because you're already inside JavaScript, you need a completely different type, you need to actually, like, JSON encode the string, or basically encode it for JavaScript, which is a completely different type of sanitization. So that's a super long way of saying that cross-site scripting is incredibly complicated, which is why it is still so prevalent now, and it's really the context sensitivity and all of this. So this is showing you how complicated it is; there are other cases here. Any questions on cross-site scripting? We have other stuff to cover. So don't you want to read this from the CTF?
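The three contexts walked through above (text between tags, a double-quoted href attribute, and a JavaScript string literal) as an added example in Python; this is not code from the lecture. Each template takes an encoder, and a small checker reports whether the untrusted value stayed inside the context the template put it in. `encode_html_text` is the lecture's "entity encode everything" step (only `<`, `>` and `&`); the attribute, URL and JavaScript encoders are standard-library alternatives assumed for the comparison, and the payloads are constructed to match the lecture's walk-through.

```python
import html
import json
import urllib.parse

# --- encoders, one per output context (all from the standard library) ---

def encode_html_text(value: str) -> str:
    """The lecture's entity encoder: only <, > and &; quotes are untouched."""
    return html.escape(value, quote=False)

def encode_html_attr(value: str) -> str:
    """Inside a quoted attribute the quote characters matter too."""
    return html.escape(value, quote=True)

def encode_url_param(value: str) -> str:
    """For a value placed inside a URL: percent-encode everything but unreserved chars."""
    return urllib.parse.quote(value, safe="")

def encode_js_string(value: str) -> str:
    """For a value placed inside a JavaScript string literal: JSON escaping, plus
    <, > and & as \\uXXXX so the literal can never contain a closing </script>."""
    body = json.dumps(value)[1:-1]  # JSON escaping without the outer quotes
    return body.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

# --- the three templates from the lecture, each parameterised by an encoder ---

def render_body(name, encoder):
    return f"<html><body>Hello {encoder(name)}</body></html>"

def render_link(name, encoder):
    return f'<a href="/user?name={encoder(name)}">profile</a>'

def render_script(name, encoder):
    return f'<script>var name = "{encoder(name)}";</script>'

# --- checks: did the untrusted value stay inside its intended context? ---

def body_has_no_tag(rendered: str) -> bool:
    return "<script" not in rendered

def attr_value_intact(rendered: str) -> bool:
    """The href attribute must end exactly where the template closes it."""
    start = rendered.index('href="') + len('href="')
    end = rendered.index('"', start)
    return rendered[end:].startswith('">')

def js_string_intact(rendered: str) -> bool:
    """Scan the JS string literal honouring backslash escapes; it must end
    immediately before the template's closing ';</script>'."""
    i = rendered.index('var name = "') + len('var name = "')
    while i < len(rendered):
        if rendered[i] == "\\":
            i += 2          # skip the escaped character
            continue
        if rendered[i] == '"':
            return rendered[i:] == '";</script>'
        i += 1
    return False

# Constructed payloads matching the lecture's walk-through.
BODY_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = "\" onclick='alert(1)'"
JS_PAYLOAD = '"; alert(1); //'

def summary() -> dict:
    """True means the encoder kept the value inert in that context."""
    return {
        "body/html_text": body_has_no_tag(render_body(BODY_PAYLOAD, encode_html_text)),
        "attr/html_text": attr_value_intact(render_link(ATTR_PAYLOAD, encode_html_text)),
        "attr/html_attr": attr_value_intact(render_link(ATTR_PAYLOAD, encode_html_attr)),
        "attr/url": attr_value_intact(render_link(ATTR_PAYLOAD, encode_url_param)),
        "js/html_text": js_string_intact(render_script(JS_PAYLOAD, encode_html_text)),
        "js/js_string": js_string_intact(render_script(JS_PAYLOAD, encode_js_string)),
    }

if __name__ == "__main__":
    for context, safe in summary().items():
        print(f"{context:16s} {'inert' if safe else 'BREAKS OUT'}")
```

The same entity encoder that makes the body context safe lets the quote through in the attribute context and lets the quote through again in the script context, which is the lecture's point: the encoder has to be chosen per context, and a template engine that does this automatically is doing exactly this bookkeeping for you.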
Okay, excuse me. Yeah, so, should we execute it in JavaScript on the browser, is there a possibility they have, like, sandboxing for JavaScript? Yes. So how are they going to access, for example, an endpoint which they have in another form there? For instance, your browser can open files, right, and the browser is the process, right, that is running, and so the JavaScript code is executing with the permissions of that process, which means if they can essentially break out of the sandbox, or they find a buffer overflow in the browser, take advantage of that and execute code with the permissions of the browser itself, now they can do whatever the browser can do. Yes, I mean, that is the simplified version. That is probably, like, 10 years ago; now it is a multi-step process, especially with something like Chrome. So with Chrome, not only is, let's see, not only, so Chrome is split up into a number of different sandboxes in some sense, so you need to find a vulnerability in the rendering engine, and when you break out of that you actually don't know where it is, so you have to find some other vulnerability to break out of that. And if you look it up, a really good resource for this is Pwn2Own, which is a yearly competition where basically they have up-to-date Safari, Chrome, Internet Explorer, on the latest versions, and you can come with an exploit that gets remote code execution. Then, it used to be you would win the laptop that was there; now the price of these vulnerabilities is so much that the laptop is worthless in comparison, so it's like 20 grand or 30 grand for some of these exploits, and that's actually on the low end. The browser manufacturers do this so they can find out about some of these bugs and vulnerabilities, because usually you need at least four or five bugs, because you have things like ASLR, like we've seen, so to do that you need a memory disclosure bug, and you chain together bit by bit and then finally get full execution. Yeah, it's crazy. Cool, alright, now we're going
to go to some fun stuff. Not that this wasn't fun, everything that you guys do is fun. Cross-site request forgery. Okay, so now we have a smattering of fun web topics, of stuff that I actually haven't been able to cover in the past, because for some reason it went a lot faster, which is good, even though we had three in-class CTFs. I still don't fully understand why, but I'm happy with it, so good job on you guys, yes, give yourselves a pat on the back. Okay, so we looked at HTML, we know all about HTML, I'm not going to make much of a deal about it. Okay, yeah, this is a good point though. So when the browser gets this page and renders this, what other requests is it going to make? It's going to make a request to example.com for that image, it needs to display this image, it's going to make a request to example.com, it's going to make a request to gravatar.com. So essentially, if I get you to visit this site, I can get you to make arbitrary web requests. Would you agree with that? Does anybody browse with images disabled? Are you a crazy person? Are you ready?
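The request an image tag triggers carries the victim's cookies, so on the server it looks exactly like a request the user meant to make unless the application adds something the attacker's page cannot supply. As an added example (not code from the lecture), here is a minimal server-side handler for a grade-change action that refuses state changes over GET and requires a token derived from the user's session. The server secret, the session id, the `/grade/submit` path and the form fields are constructed for this example; the design is the usual synchronizer-token pattern.

```python
import hashlib
import hmac

# Constructed per-deployment secret; in a real application this comes from
# configuration, never from source code.
SERVER_SECRET = b"constructed-demo-secret"


def csrf_token(session_id: str) -> str:
    """Token bound to the user's session. A third-party page can make the browser
    send the session cookie, but the same origin policy stops it from reading the
    cookie, so it cannot compute this value to include in a forged request."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def render_grade_form(session_id: str) -> str:
    """The legitimate form (constructed) carries the token as a hidden field."""
    return (
        '<form method="POST" action="/grade/submit">'
        f'<input type="hidden" name="csrf_token" value="{csrf_token(session_id)}">'
        'student: <input name="student"> class: <input name="class"> '
        'grade: <input name="grade"><input type="submit">'
        "</form>"
    )


def handle_grade_change(method: str, session_id: str, form: dict) -> tuple:
    """Returns (HTTP status, message). session_id is whatever the session cookie
    identified; form is the parsed request body, which is empty for the request
    an <img> tag or a clicked link produces."""
    if method != "POST":
        # An image tag or a link can only produce a GET, so a state change
        # must never be reachable that way.
        return 405, "state-changing action requires POST"
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    for field in ("student", "class", "grade"):
        if field not in form:
            return 400, f"missing field {field}"
    return 200, f"grade for {form['student']} in {form['class']} set to {form['grade']}"


if __name__ == "__main__":
    sid = "constructed-session-123"
    print(handle_grade_change("GET", sid, {}))                       # what an <img> request gets
    print(handle_grade_change("POST", sid, {"student": "s", "class": "c", "grade": "A"}))
    print(handle_grade_change("POST", sid, {"csrf_token": csrf_token(sid),
                                            "student": "s", "class": "c", "grade": "A"}))
```

The token check is what gives the application a way to tell the two requests apart: both arrive with the same cookies, but only the form the application itself rendered carries a token that matches the session. Marking the session cookie `SameSite` is a complementary browser-side control, but the server-side check is the one the application owns.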
Not, I've done it on occasion. I'm not going to try and get out of here, it's way too much work, right. And images are kind of one of these special cases where we want to be able to, essentially, you can think of it in some sense as breaking the same origin policy. It doesn't really have anything to do with JavaScript, but the image request triggers an HTTP request from the user's browser to wherever this image tag says. Cool, so we can see here in the developer tab the requests here. So this means, so this is why I harped on a lot that, okay, this is a good example, so interesting. Okay, so we know that this request is going to make a request to facebook.com, https, all inside facebook.com. The interesting thing is that because we don't really know where this resource is located, the browser is going to send along all of the cookies it has for facebook.com. This website, which is, let's say, my image example, this doesn't have this cookie. So this is super old, there's nobody who can use these cookies, by the way, in case you were wondering, at least I hope so. So it's sending the request to facebook.com, sending all those cookies. So if Facebook gets this request, does it know that we're logged in? Yeah, because it has the cookies, right? We've already established a session on Facebook, we're sending all these cookies along. Great, okay. And we saw a form, so this was the form that we saw earlier about grade changes, right, so student, class, grade. So if you knew that this was running on, let's say, the homework submission system, right, that there's a way you can just put it in there, but you can't visit that because you're not the administrator, but you know it exists and it's using a form like this, would one of you really want me to click on a link or visit a web page? Why? What was that? You can't get my own review, man, you're not, why would I say, I want you to, if I visit your terrible-site.com, then you can't get the cookies to the submission server. You can click on that, well, we do have, I mean,
you redirect me to the other site, like a frame or something. What would you put in that frame, or what would you have the source of that frame be, then be able to get your, I don't know, that is the goal, there's things for that. Yeah, is that the same, which I make you visit, I can actually send a get request on your behalf, so that is, your browser knows that goes along with this request, but you can't send it. Well, how would you make, so what you want, your goal is for my browser, with my cookies, to send a get request to example.com/raise/submit. What type of request is this in this form? Well, actually, I don't remember. Okay, is it a post request? No, it's a get request. You guys all failed. I forgot too, it's okay. Okay, it's a get request, so we want to make a get request. If you can convince me somehow to make a get request to this URL, sending my cookies and then sending the values of student, you probably want it to be you, class, you probably want it to be this class, and grade, A or A plus, maybe you want to do an A plus, that would be a little bit too, like, you know, distracting, maybe that would stand out, maybe you just want an A, right? So if I will visit any site that you're choosing, how could you get me to automatically visit that link and send the cookies? Have an image tag. You could have an image tag, there's no limit on the page on the source you can put in the attribute of an image tag, you can put the source of this exact URL, which you can't really see, or you can just get me to click on it. So there's a couple of ways. One, you could try to send me a link to it, and then you send me a link and you want me to put in an A plus, and you could say, hey, click me for a free iPhone 6, why am I really dating this, maybe you'd be like, why would I waste my time with an iPhone 6. And if we look at that, it's that link there, so one thing would be to trick me to click on a link, and then I go there and now I've updated your grade to an A. Okay, good. So yeah, so the problem is, and the other one,
you can use an image tag, right? You can get there, there's a site, they just have an image tag pointing to that page, and now my browser will automatically make a request there, sending all the cookies. So what's the core problem here? So if we go back to this, my form, passive, and what's that change? All you have to do is visit that page and it does it, yeah. So basically there's two different things, right? So from the web application's perspective, it only wants to change the grade when I, the user, visit this form, type in the new information and click submit, right? That's what the web application wants. But the way it's currently written, does the web application have any way to tell the difference between here's your request from visiting that page and putting in all that information, or somebody forcing you to visit that page? No, there's no way for it to tell. And one of the... right, so here we have two to the... so everything is always to this URL. One is the one that we show the user in the form, the other is that link the attacker sent me. Interesting. So there's different intent here in the user's mind, right? On the user's side, one, the user just wanted to submit the form and actually make that action and make that change, which does go to, like, a passive/active thing. But the second one is, I just wanted to click a link. Now, do you worry in your daily browsing, when you click on a link, are you going to transfer $500 into my bank account? Now you're worried. When you look at your credit... right, you shouldn't have to worry about that, but the web application actually needs to do something to make that happen. It doesn't just happen automatically, because both of these requests look identical to the application. The application has no way to know which one. So this would be an example of the image tag. Right now I don't even need to get you to click on something, I just need to get you to visit somewhere. And so there's a lot of even web applications
that are correctly coded where you can, like, you can put an image tag on a blog post or something, or a blog comment, and usually it will render that. So then everybody who's visiting that page hits that site. It doesn't need to be you tricking me to visit your terrible site. Yeah, cool.

So we think the culprit is using GET requests, right? Because what's the problem with using a GET request here? Parameters are part of the URL, right? We know the POST request sends them as part of the body, right, which is a lot harder to trick it on. But does POST actually solve the problem for us? So we change this to POST. You're like, ahh, somebody told me I had a vulnerability in my application, I'm going to change it, right? So it's going to make this POST to grade/submit and the body content will be in here. So one question will be, well, is the server-side code actually checking that it's a POST request, or a GET request, right? We saw in PHP you can use the $_REQUEST superglobal and that will use either GET or POST. So that would be one thing to check as an attacker, if it's actually respecting that it's a POST. It's not. So now what if I get you to visit my web page and it looks like this? I have a form. Are there any limits on what the action URL of my form is? It's not limited to the same origin, it's not limited to the same domain. It's just like a link, right? Literally built into the World Wide Web and the hypertext is that you can link to anything, right? Similarly with forms. So here I have a form, action example.com/grade/submit, method POST, and I have, so I have an ID csrf, and now I have the name student, value shadow, name class, value CSC591, name grade, value A plus. So we know that these values in here lead to what's going to happen. I will fill in, right, this form, and then I can get even fancier. After the fact, I can create a script tag which is like, the form element is get element by ID csrf, so get the csrf element and then use this HTMLFormElement's submit call to call the
submit functionality of that form, which automatically submits this form by the browser, in which case your browser will automatically... It tells me 404, wow. Well, that's because this doesn't actually exist, but why doesn't this show me? Okay, it would show me that I actually made that request with these values of shadow, CSE 591, A plus. So this vulnerability is called cross-site request forgery. So the idea is, when somebody else contributes... you take action on another site simply by sending you a link or causing you to make a request.

So how do you fix this? What's the core problem? Distinguish images and requests. Unable to distinguish between the two requests, right? We can't just use cookies, because the cookies are always sent in both requests. What do we want? What's the property we want to ensure? Intent. Intent, or, and how do we know that there's some intent? Like, what were the phases that the user went through in both scenarios? Not possibly, but you can scrub those sometimes. I wouldn't rely on them. And you can do, if you, like, refer from HTTPS to HTTP, the browser will drop the Referer header. So you definitely can't count on that. If you could have some way of including the URL that you've sent the form to as part of the same origin policy? Possibly, you can completely change the fundamental security requirements of the browser. I think some people probably already, we should have done that, but we did not. What's the user action? So in the case where the user wants to do it, what do they have to do? What are their steps? Before they click the button, they visit the page of the form, they fill it out, and then they click the button. In the second case, what happens? They essentially have the step of just clicking the button. The button is kind of clicked for them. So the key difference in the workflow is visiting the page originally.
So the idea is usually, and this is, if you go to the submission site, you can see that all the forms are, should be, intentionally immune to this, because the idea is you include a cross-site request forgery token. So basically you have a hidden field in your form that has a random per-user value, and then on form submission you check if that value is present or not. Now you can ensure that they visit the page first, and then they click the button. And we know because of the same origin policy, even though you can make an image request to that page, we cannot be... so the same origin policy actually means, so even though the image tag can make that request, the JavaScript code can't interrogate anything about that page. Like, nothing. You can't see it, you can't try to parse it, you can't try to see if it's valid, nothing. Yeah? Yes, it's a similar issue to CAPTCHA, but the idea is you're not trying to stop... because an automated tool still could do this, right? An automated tool could go to the original page, get the form, get the CSRF value, fill out everything else and submit it. But that's fine, you're not trying to stop a robot. You're trying to stop somebody else from tricking you to perform that action. So it's also called XSRF. I think CSRF is kind of the, and like, CSRF is also the cool name for that, so.

So the idea is basically generate a random and unguessable nonce for every user, and it could be even as crazy as for every user for every form, depends on how you implement it. A lot of web frameworks will help you with this, so there'll be some kind of middleware. And so the idea is now every sensitive or every state-changing request must have this nonce, on the POST end of that. And so, A, you should never just use GET for a state-changing request, you should always do POST. And every processing of that must check that the nonce is valid; if not, let it go away.
And this is actually, A, so you can do kind of crazy things with this, because you could do things like, literally, it's almost just as bad as a cross-site scripting in some sense, because now an attacker can trick you to perform actions on the web application without you actually doing anything. So instead of using a nonce, you just want a hidden field, so I can position headers and stuff like that. Could you use headers? I think not, because there's not a good way for you to ask the browser to include headers when it fills out a form. So you have to essentially put this data in the form itself. Yeah, this is really easy to mess up, and it's a pretty severe vulnerability when you have it, because it means that, think about it like a change password functionality, right? If I could just get you to visit my site and change your password, now I'm in. If it was deleting your account, I could do that for any kind of a thing. So this is actually a key thing on the web, so you really do need to be able to do this. But when you inspect the page, it didn't filter out showing you the HTML, right? Yes. So you can easily check for this, I mean, when you're looking for it, right? So... when I guess it doesn't help you. Exactly, it doesn't help the attacker, because the attacker cannot get the HTML content of the page. And, but, so the key thing to think about, and the thing that a lot of people start to mix up in their minds, is, oh, this must defend against cross-site scripting. But it does not. Why? Yeah, I think you're doing it. Right, so it actually is a, the same origin policy helps here, because, like I said, you can make a request to the page with a form on it, but you can't read the HTML, so you cannot get this CSRF token.
If you're JavaScript running in the domain of this page, or another page, you can make an AJAX request for this page, and then you can parse and read that entire HTML response, and you can extract the token value from there, and use that to submit another AJAX request to this page. So literally, the CSRF token does not stop an attacker at all from performing actions on the website on your behalf if there's a cross-site scripting vulnerability. We'll talk about one more thing. This will be pretty quick. Is CSRF just to control your form submit behaviour? I would think about it less in terms of forms, because that's more of a presentation issue, more of state-changing actions. So state-changing actions, or security-sensitive actions, which is all of them, need to have CSRF tokens. If not, that's a huge security issue. Because cross-site scripting is just JavaScript execution that you can do on your own. They don't really relate to each other. They're related in some sense, but very different. Yeah, it's kind of the, I mean, CSRF and also clickjacking, as we'll see, kind of surface some of the underlying problems and assumptions with the web. Right, like this fact that you can have an image tag which gets them to make any HTTP request you want is pretty absurd. But it's actually not that absurd, because part of our threat model with the web is you can get anybody to click on any link. Right, and so when you assume you can do that, you can start to assume you can do a lot of things. So if I trick you to click on a link that deletes your account, like, that's the website's problem, not yours, probably. Cool. Yeah, and almost like, I mean, you need to, like, completely re-architect, to think about the web, to think about a different way of handling this, which would be interesting.

Okay, we're talking about clickjacking, which is super cool. Okay, so would you click this button? It says click me. You definitely would.
Maybe not after taking this class, hopefully, but, you know, none of you are curious? You don't, like, see a click me button and you're like, I wonder what it does? It's not so great. What if it said, don't click me? I probably won't work here. That'd be an interesting study. Yeah. So, okay. So the basic idea is, you actually have no way of knowing this click me button is on this page, which is, what's this? Oh, this is on my local machine. Or if this is an iframe with a button that basically says, like, this Facebook page, because you can load up somebody else's page in an iframe, move it to where exactly you want, and only show the user that button. And this is the basic idea of clickjacking, where the user, it's one of these intention things, the user thinks they're clicking on an element on a page to win a free iPhone or, I don't know, play a game or something. And so here's an example. So this is running. So the way to do this is, another way to do this is, you basically overlay the web page. So you can do, for those, we didn't talk about it very much, it's kind of a silent thing. You can stack DOM elements on top of each other in different orders, and you can make one, using styles, opaque or, like, transparent or whatever, transparent. So you can put the Facebook page, iframe it, make it completely transparent, and then put the button you want them to click on exactly where you want them to click in the Facebook page. So essentially you can trick somebody who clicked through to Facebook, essentially actually accomplishing the same things as the CSRF, performing actions on the website that you want them to do. And so, yeah, like, classic examples of these are like, here's a download a free screensaver button, but actually it gets you to, like, some terrible page that nobody actually likes. It's also called UI redressing, because you can think of it as you're changing the UI of Facebook so that you don't see it but the user's actually interacting with it, yeah.
And the transparency is the actual action part of that, right? Yes, so it's an interesting thing. So you have the layout elements, right? So you have Facebook on top and then you have your thing underneath. The Facebook would be transparent, so you can't see it, but when a user clicks on it, the way that click events go, they go first in order from top to bottom, not in, essentially, visual order, right? Because there technically is something there. It's like a glass, right? You can see through it, but you can't... You have to go ask the glass again, and it just clicks on that before going down to the layer below it. So you can do this with, you probably actually, hopefully, can't do this on Facebook, but this is essentially the idea. You have this kind of, yeah, you have a z-level one, which is the lower one, your button, and you have a z-level two, the transparent layer above it, you have the Facebook page. And the super interesting thing about this is you can even, so they've started to change things, like you can't make the thing transparent too much or something like that. So what you can do is make the, basically, right when the user, when you know the user is about to click on it, you swap them, and then they'll click on it and then you swap them back, or you just continually swap them and they'll probably click on it. Yeah, it gets really tricky. Just click on it.

So one of the key ways to get around this is basically frames. So the core problem here is that one site can frame another site completely, and you may not want that, especially in terms of something like Facebook, right? Like, iframes are meant for something like advertisements, or you want to have a separate piece of content on your DOM controlled by somebody else, right? But essentially, if we think about that, the advertiser is opting in to being framed, because that's the whole idea. But here Facebook doesn't want you to frame their content.
So this is, you can actually put JavaScript code at the top of your page which will make sure that you are not framed, and if you are, redirect to somewhere else. There's also, if you look at a lot of sites now, they set this X-Frame-Options header, which is a way for the website to communicate to the browser, hey, don't frame me. Anyways, clickjacking is super cool. It's one of my favorites. I used this on a site, I think it was during a contest. I showed them that I could basically get them to do whatever I wanted on the site by creating this game where there's a ball that was moving, you get to click on the ball, and it was like, you didn't realize you were actually interacting with their site underneath. So it was actually really fun to do. So it's something to think about. This X-Frame-Options is one of the standard, like, if you look at hardening your website or web application, these are some of the headers. Make sure the cookies are HttpOnly, make sure you're doing CSRF tokens, part of kind of the checklist of things. But it's fun to abuse, and if you're doing a contest it's definitely something to be aware of. This is because, by default, any frame, any website can frame another website. Exactly, there's again another major, it's kind of all this trusting nature of the web. It's like, well, of course an iframe is just this thing. You could do it with the same origin policy. It means that they're separated, right? They can't talk to each other, or the iframe content can't mess with the parent content. But in this case it's weird, because it's like the parent content is essentially using the framed content.

All right, I think I'm gonna do something I haven't done a lot this semester and let you out early. So, it's not a good semester for content. Everybody's shocked. Bravo, bravo.
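The following is an added example, not code from the lecture, covering the "don't frame me" signal just described. Besides the `X-Frame-Options` header the lecture mentions, the current way to say the same thing is the `frame-ancestors` directive of `Content-Security-Policy`, and when both headers are present browsers honour `frame-ancestors` and ignore `X-Frame-Options`. The checker below takes a set of response headers, the framed page's origin and the would-be parent's origin, and decides whether the browser would allow the frame; it is the check you would run over your own site's headers when going through the hardening checklist. All header values and origins in it are constructed inputs, not captured from any real site, and `partner.example` and `evil.example` are placeholders.

```javascript
// Added example, not code from the lecture: decide whether a response may be
// framed by a given parent origin, from the two signals a site can send:
// X-Frame-Options and the Content-Security-Policy frame-ancestors directive.
// When both are present, browsers honour frame-ancestors and ignore
// X-Frame-Options, which the checker reproduces. The header values and origins
// used with it are constructed test inputs, not captured from any real site.

const DEFAULT_PORT = { http: '80', https: '443' };

function parseOrigin(origin) {
  const u = new URL(origin);
  const scheme = u.protocol.slice(0, -1);
  return { scheme, host: u.hostname, port: u.port || DEFAULT_PORT[scheme] || '' };
}

function sameOrigin(a, b) {
  const x = parseOrigin(a), y = parseOrigin(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Match one frame-ancestors source expression against the parent's origin.
function sourceMatches(src, pageOrigin, parentOrigin) {
  const s = src.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return sameOrigin(pageOrigin, parentOrigin);
  if (s === '*') return true;
  const parent = parseOrigin(parentOrigin);
  // scheme-source such as "https:"
  if (/^[a-z][a-z0-9+.\-]*:$/.test(s)) return parent.scheme === s.slice(0, -1);
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.\-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/.exec(s);
  if (!m) return false;
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme !== parent.scheme) return false;
  } else if (parent.scheme !== parseOrigin(pageOrigin).scheme && parent.scheme !== 'https') {
    return false; // no scheme given: same scheme as the page, or an upgrade to https
  }
  if (wildcard ? !parent.host.endsWith('.' + host) : parent.host !== host) return false;
  if (port === '*') return true;
  if (port) return parent.port === port;
  return parent.port === DEFAULT_PORT[parent.scheme];
}

// headers: response header name -> value (names are case-insensitive).
// Returns true when a page served with these headers would be framed.
function frameAllowed(headers, pageOrigin, parentOrigin) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;

  const csp = h['content-security-policy'];
  if (csp) {
    const directive = csp.split(';').map(d => d.trim())
      .find(d => /^frame-ancestors(\s|$)/i.test(d));
    if (directive) {
      const sources = directive.split(/\s+/).slice(1);
      return sources.some(src => sourceMatches(src, pageOrigin, parentOrigin));
    }
  }

  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return false;
  if (xfo === 'SAMEORIGIN') return sameOrigin(pageOrigin, parentOrigin);
  // ALLOW-FROM is obsolete and ignored by current browsers; with no recognised
  // header the page can be framed from anywhere, which is the clickjacking case.
  return true;
}
```

A response with no recognised header comes back as frameable from any origin, which is the default the lecture points at; `X-Frame-Options: DENY` or `frame-ancestors 'none'` closes it, and `SAMEORIGIN` / `'self'` keeps only same-origin framing. The CSP form is the one to prefer when you need to allow a specific partner origin, since `ALLOW-FROM` is no longer honoured.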