Friday, April 28, 2017

Reflected Cross Site Scripting (XSS) with examples

Cross site scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted web sites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.

- OWASP
In order to achieve XSS, two things need to be satisfied:

1. The attacker has to inject malicious code into a client-side user agent (the victim's browser).

2. That code has to execute.

There are two types of cross site scripting:

1. Reflected XSS - the script arrives with the request (for example in a URL or a form field), is written into the page body at run time and executes immediately.

2. Stored XSS - the script is stored somewhere (e.g. in a database) and is served to every user who later views that content.

The assets most threatened by XSS are user sessions and cookies. Once an attacker exploits an XSS vulnerability on any website that has a login feature, he can make every user's session cookie be sent to him (account hijacking). Once he has the cookies he can pretend to be someone else (identity theft).

Unlike a reflected attack, where the script is activated after a link is clicked, a stored attack only requires that the victim visit the compromised web pages.


Stored XSS example

There are two ways to fix XSS.

1. Input validation - check whether the user input contains special characters it does not need; if it does, escape them.

2. Output encoding/sanitizing - encode the input before it is written back into the page.



Now let's see how XSS works with some examples.

(All the web pages required for these tasks are uploaded to GitHub. You can either download the zip file or clone the repository and run it on an Apache Tomcat server or whatever server you use.)

https://github.com/sajith01prasad/Cross-Site-Scripting.git

Home.html is the home page of this project. You can access it from the browser using this link (it can be different in your setup):

http://localhost/xss/Home.html

Now you will see the home page.

On the home page, as you can see, I have divided it into two parts (Reflected XSS and Stored XSS). Under Reflected XSS I am going to show how an attacker achieves cross site scripting using four different methods. In all four situations input is taken from the user and shown as-is in the web page.


1. If user input goes to a p tag or h tag

Click on the first link.

Here, if you provide your first name and last name, something like this will be displayed.

Now I will show how an attacker uses these two textboxes to do XSS on this particular web page.

The only thing he has to do is provide this line in one of the textboxes:

<script>alert('Cross Site Scripting')</script>

2. If user input goes into a textbox

Click on the second link on the home page.

If you give the user name as Sajith and the password as SAJITH, something like this will be displayed.

Now let's see what happens if someone inputs this line into the password field.

"/><script>alert('Cross Site Scripting')</script>

3. If user input goes to an HTML hyperlink

Click on the 3rd link on the home page.

When you give a website name in this text box (e.g. google.com) it will be taken as the value of the hyperlink. Then the next page will be displayed, where we have the hyperlink to visit the web site.

When you click on "click here" it will direct you to the particular web site you entered on the previous page.

What will happen if we enter something like this in the text box?

"></a><a HREF="javascript:alert('Cross Site Scripting')

Then click on "click here".

4. If user input goes into JavaScript

Click on the 4th link on the home page.

Input your name and click on the button.

This JavaScript alert box will be displayed.

What will happen if an attacker inputs this line into the textbox?

");alert("Cross Site Scripting

First it will show the same pop-up we got earlier (just "Hello"). When we click OK, another pop-up will be displayed.
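Here is an added example (not code from the post's GitHub project) of the output-encoding fix from the "two ways to fix XSS" list, applied to the four reflection contexts above. It runs under Node.js; the HTML/JavaScript templates, `safeHref` and `runInlineScript` are assumptions modelled on the demo pages, and the inputs it is meant for are the four payloads shown in this post.

```javascript
// Added example (not the blog project's code): context-aware output encoding
// for the four reflection points in this post. Runs under Node.js.
// 1. Text inside <p>/<h1>: escape the five HTML-significant characters.
function encodeForHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// 2. Inside value="...": the same escaping is enough, provided the template
//    always quotes the attribute.
const encodeForAttribute = encodeForHtml;

// 3. Inside href="...": parse as a URL and allow only http/https, so a
//    javascript: link is replaced by "#" rather than merely escaped.
//    A bare host name such as google.com is given an http:// scheme first.
function safeHref(userUrl) {
  const raw = String(userUrl).trim();
  let url = null;
  for (const candidate of [raw, "http://" + raw]) {
    try { url = new URL(candidate); break; } catch { /* try the next form */ }
  }
  if (!url || (url.protocol !== "http:" && url.protocol !== "https:")) return "#";
  return encodeForAttribute(url.href);
}

// 4. Inside a JavaScript string literal: JSON.stringify escapes quotes and
//    backslashes; "<" and the JS line terminators are escaped as well so that
//    </script> or U+2028 cannot end the inline script. Outer quotes are stripped
//    so the result fits inside the template's own "...".
function encodeForJsString(s) {
  return JSON.stringify(String(s)).slice(1, -1)
    .replace(/</g, "\\u003c").replace(/\u2028/g, "\\u2028").replace(/\u2029/g, "\\u2029");
}

// The four fragments the demo pages build (assumed templates), each input
// encoded for the context it lands in.
function renderSafe(first, password, site, name) {
  return {
    heading: `<h1>Hello ${encodeForHtml(first)}</h1>`,
    textbox: `<input type="text" value="${encodeForAttribute(password)}">`,
    link: `<a href="${safeHref(site)}">click here</a>`,
    script: `<script>alert("Hello ${encodeForJsString(name)}")</script>`,
  };
}

// Simulates the browser running an inline script fragment and returns every
// string passed to alert(): a breakout would show up as a second call.
function runInlineScript(fragment) {
  const calls = [];
  const body = fragment.replace(/^<script>/, "").replace(/<\/script>$/, "");
  new Function("alert", body)((msg) => calls.push(msg));
  return calls;
}
```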
Those who made it up to this point, CHEERS !!!

If you have any doubt or problem, leave it in the comment section.

Saturday, April 8, 2017

Encryption Decryption


Encryption is a very useful technique when it comes to preserving the confidentiality of data/information.

Back in the day, people (especially the military) wanted a strong method to make their information readable only to the intended party. I purposely said "a strong method" because even Caesar had a method for this; we call it the Caesar cipher, but it was not strong enough. We can get into the details of these techniques later. Before that, let's get a clear idea about encryption and decryption.

figure 1:

figure 2:

As you can see, in figure 1 the outsider can read the message and in figure 2 he cannot. How did that happen? This is where encryption comes in.

Encryption : The process of converting plain text (readable format) into cipher text (unreadable format).

Decryption : The process of converting cipher text back into plain text.








Terminologies

Cipher : In cryptography, a cipher (or cypher) is an algorithm for performing encryption or decryption.

Key : A string of bits used by a cryptographic algorithm to transform plain text into cipher text or vice versa.

Transposition Cipher : Characters are moved a pre-agreed number (the key) of positions according to a regular system, so the order of the characters is changed to produce the cipher text.

Substitution Cipher : In cryptography, a substitution cipher is a method of encoding by which units of plaintext are replaced with ciphertext according to a fixed system; the "units" may be single letters (the most common), pairs of letters, triplets of letters, mixtures of the above, and so forth.


Types of Encryption

1. Symmetric encryption - A single key is used for both the encryption and decryption processes.

2. Asymmetric encryption - A key pair (public key & private key) is used for encryption and decryption. If the private key is used for encryption, the public key of the same key pair must be used for decryption. If the public key is used for encryption, the private key of the same key pair must be used for decryption.

Symmetric encryption algorithms : AES, DES, 3DES

Asymmetric encryption algorithms : DSA, Elliptic curve, RSA, Diffie-Hellman

I have implemented a piece of software which uses the AES 128-bit algorithm to encrypt files on our computer. This software supports text files and PDF files only.

This is the GitHub link which contains the source code. All the instructions are in the Readme file.

https://github.com/sajith01prasad/Encryption-Decryption

IDE used - NetBeans 8.1
Language used - Java

A jar file is provided. Go to this GitHub link and download the jar file. The Readme file is there if you need any help with setting it up locally.

Once the jar file is downloaded, open up a command prompt. This is how you run a Java application using cmd.

Now you will see the application running.

As you can see, you can provide a text file, a PDF file or a folder which contains multiple text files and PDF files. The Browse button will help you browse for the file you need and load it into the application. In Java you have the JFileChooser class for this feature.




(1) Text files

Browse a text file.

On my desktop I have a text file called "Original.txt". Make one yourself as well.

Now click on the "Encrypt" button in the application interface, then open the file.

It is encrypted. To decrypt it and get the original content back, click on the "Decrypt" button, then open the file again.

(2) PDF

Browse a PDF file.

I have a PDF file called "test.pdf" on my desktop. Make one yourself and browse to it.

Now click on the "Encrypt" button and open the file.

It is encrypted. Let's decrypt it now: click on the "Decrypt" button and open the file.

It is decrypted. 😊


(3) Folders

On my desktop I have a folder called "testingFolder".

In it I have two text files (original.txt, original1.txt) and one PDF file (testPDF.pdf).

Original.txt

Original1.txt

testPDF.pdf

Now browse to this folder.

Now click on the "Encrypt" button. Open the files to see whether they are encrypted or not.

Original.txt

Original1.txt

testPDF.pdf

Note : Do not compare the encrypted values even when the content (original value) is the same, because in the code I generate a random string as the key for each encryption, so the encrypted value may not be the same even though the original content is.

Now click on "Decrypt" to get the original contents back.

I hope you enjoyed this blog post and learnt something. The comment section is open if you have any question regarding this topic. Cheers !!!