SlideShare a Scribd company logo

Web App Security: XSS and CSRF

Dave Ross, profile picture
Dave Ross

The document discusses common web security threats like cross-site scripting (XSS) and cross-site request forgery (CSRF). It notes that over half of identity theft cases are internal and that the web remains vulnerable. The document recommends ways to prevent XSS like sanitizing user input and using nonces to prevent CSRF. Additional resources are provided for further information on XSS and CSRF.

Technology
1 of 23
Downloaded 62 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
PREVENTING XSS & CSRF Dave Ross • Suburban Chicago PHP & Web Development Meetup
2½ years ago http://www.slideshare.net/csixty4/intro-to-php-security
REALITY CHECK
“More than half of identity theft cases are inside jobs” Judith Collins, Associate Criminal Justice Professor @ Michigan State University “who recently completed a study of 1,037 such cases”
THE WEB IS STILL A NASTY PLACE
BROWSER SECURITY IS BETTER
PHP IS BETTER
REGISTER_GLOBALS IS DEPRECATED IN 5.3.0
THREATS:
XSS - CROSS SITE SCRIPTING
NON-PERSISTENT XSS
PARAMETERS ECHOED BACK TO THE USER
<IMG SRC=”HTTP://SEARCH.AMAZON.COM?S= <SCRIPT>ALERT(‘TEST’);</SCRIPT>” />
PERSISTENT XSS
INJECT <IFRAME> & <SCRIPT> INTO CONTENT
BLOG COMMENTS, FORUM POSTS
STRIP OUT TAGS
I RECOMMEND REMOVING TAGS ON DISPLAY, NOT SAVE
CSRF - CROSS-SITE REQUEST FORGERY
<IMG SRC=”HTTP://TWITTER.COM/POST?TEXT=I’M A BIG FAT DORK” />
USE A NONCE.
HTTP://HA.CKERS.ORG/XSS.HTML
HTTP://WWW.CGISECURITY.COM/CSRF-FAQ.HTML

More Related Content

PPTX
Navigating Online Threats - Website Security for Everyday Website Owners
Tony Perez
 
PPTX
Web hack & attacks
Apurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
PPT
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
Tony Perez
 
PDF
WordCamp Miami 2016 SiteLock Presentation
SiteLock
 
PPTX
Word camp orange county 2012 enduser security
Tony Perez
 
PDF
Understanding CSRF
Potato
 
PPTX
Content Management System Security
Samvel Gevorgyan
 
PDF
Esoteric xss payloads
Riyaz Walikar
 
Navigating Online Threats - Website Security for Everyday Website Owners
Tony Perez
 
Web hack & attacks
Apurva Dhanwantri - CISA ,SCJP,C|EH, ISO/IEC 27001 LA,CPISI
 
TBEX - North America 2014 - 5 Tips to Keep Your Content and Users Safe
Tony Perez
 
WordCamp Miami 2016 SiteLock Presentation
SiteLock
 
Word camp orange county 2012 enduser security
Tony Perez
 
Understanding CSRF
Potato
 
Content Management System Security
Samvel Gevorgyan
 
Esoteric xss payloads
Riyaz Walikar
 

What's hot (20)

PDF
Bug Bounty - Hackers Job
Arbin Godar
 
DOCX
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
PPTX
Introduction to CSRF Attacks & Defense
Surya Subhash
 
PDF
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir Goldshlager
 
PPTX
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
Samvel Gevorgyan
 
PDF
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
PDF
The most Common Website Security Threats
HTS Hosting
 
PDF
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
Casey Ellis
 
DOCX
1
lowieBertrand
 
PDF
Attacking Web Proxies
InMobi Technology
 
PDF
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
PPTX
Open Source CMS : How secure are they?
Yassine Aboukir
 
PPT
Xss.e xopresentation from eXo SEA
Thuy_Dang
 
PPTX
Cross site request forgery(csrf)
Ai Sha
 
PPTX
Xss (cross site scripting)
vinayh.vaghamshi _
 
PPT
HoneySpam 2.0 Profiling Web Spambot Behaviour
Pedram Hayati
 
PPTX
Cross Site Scripting
Ali Mattash
 
PPTX
Steps to Keep Your Site Clean
Sucuri
 
PPTX
Security testing for web developers
matthewhughes
 
PPTX
WordPress Security Begins With Good Posture
Tony Perez
 
Bug Bounty - Hackers Job
Arbin Godar
 
CROSS-SITE REQUEST FORGERY - IN-DEPTH ANALYSIS 2011
Samvel Gevorgyan
 
Introduction to CSRF Attacks & Defense
Surya Subhash
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir Goldshlager
 
BEST PRACTICES OF WEB APPLICATION SECURITY By SAMVEL GEVORGYAN
Samvel Gevorgyan
 
Cross-Site Request Forgery Vulnerability: “A Sleeping Giant”
Capgemini
 
The most Common Website Security Threats
HTS Hosting
 
ACRNA Webinar #5: Cyber Security – The Unlikely Romance
Casey Ellis
 
1
lowieBertrand
 
Attacking Web Proxies
InMobi Technology
 
Writing vuln reports that maximize payouts - Nullcon 2016
bugcrowd
 
Open Source CMS : How secure are they?
Yassine Aboukir
 
Xss.e xopresentation from eXo SEA
Thuy_Dang
 
Cross site request forgery(csrf)
Ai Sha
 
Xss (cross site scripting)
vinayh.vaghamshi _
 
HoneySpam 2.0 Profiling Web Spambot Behaviour
Pedram Hayati
 
Cross Site Scripting
Ali Mattash
 
Steps to Keep Your Site Clean
Sucuri
 
Security testing for web developers
matthewhughes
 
WordPress Security Begins With Good Posture
Tony Perez
 
Ad

Viewers also liked (19)

KEY
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
PPTX
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 
PDF
Oh no, was that CSRF #Ouch
Abhinav Sejpal
 
PPT
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
PPTX
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 
PPTX
CSRF
Dilan Warnakulasooriya
 
PDF
Protect you site from CSRF
Acquia
 
KEY
Stateless Anti-Csrf
johnwilander
 
PDF
Web security: OWASP project, CSRF threat and solutions
Fabio Lombardi
 
ODP
Drupal Security for Coders and Themers - XSS and CSRF
knaddison
 
PDF
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Mark Stanton
 
PDF
Csrf final
•sreejith •sree
 
PDF
CSRF Basics
n|u - The Open Security Community
 
PPTX
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
PPTX
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Paul Mooney
 
PDF
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
PPTX
Understanding Cross-site Request Forgery
Daniel Miessler
 
PPTX
Browser Security 101
Stormpath
 
PPT
XSS and CSRF with HTML5
Shreeraj Shah
 
Advanced CSRF and Stateless Anti-CSRF
johnwilander
 
CSRF Attack and Its Prevention technique in ASP.NET MVC
Suvash Shah
 
Oh no, was that CSRF #Ouch
Abhinav Sejpal
 
CSRF_RSA_2008_Jeremiah_Grossman
guestdb261a
 
Its all about CSRF - null Mumbai Meet 10 January 2015 Null/OWASP Chapter
Nilesh Sapariya
 
CSRF
Dilan Warnakulasooriya
 
Protect you site from CSRF
Acquia
 
Stateless Anti-Csrf
johnwilander
 
Web security: OWASP project, CSRF threat and solutions
Fabio Lombardi
 
Drupal Security for Coders and Themers - XSS and CSRF
knaddison
 
Be Afraid. Be Very Afraid. Javascript security, XSS & CSRF
Mark Stanton
 
Csrf final
•sreejith •sree
 
CSRF Basics
n|u - The Open Security Community
 
A8 cross site request forgery (csrf) it 6873 presentation
Albena Asenova-Belal
 
OWASP Ireland June Chapter Meeting - Paul Mooney on ARMOR & CSRF
Paul Mooney
 
CSRF, ClickJacking & Open Redirect
Blueinfy Solutions
 
Understanding Cross-site Request Forgery
Daniel Miessler
 
Browser Security 101
Stormpath
 
XSS and CSRF with HTML5
Shreeraj Shah
 
Ad

Similar to Web App Security: XSS and CSRF (20)

PPTX
Pci compliance writing secure code
Miva
 
PDF
Session7-XSS & CSRF
zakieh alizadeh
 
ODP
XSS
Hrishikesh Mishra
 
PDF
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
PDF
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
PDF
Evolution Of Web Security
Chris Shiflett
 
PPTX
CS166 Final project
Kaya Ota
 
PPT
PHPUG Presentation
Damon Cortesi
 
PPTX
Vulnerabilities in Web Applications
Venkat Ramana Reddy Parine
 
PDF
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
PPT
[Php Camp]Owasp Php Top5+Csrf
Bipin Upadhyay
 
PPTX
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
PDF
Web Security Horror Stories
Simon Willison
 
PDF
Security in PHP Applications: An absolute must!
Mark Niebergall
 
PDF
null Bangalore meet - Php Security
n|u - The Open Security Community
 
PDF
Web vulnerabilities
Oleksandr Kovalchuk
 
PPT
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
PPTX
Owasp & php
Ahmed Kamel Taha
 
PPTX
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
ODP
Security In PHP Applications
Aditya Mooley
 
Pci compliance writing secure code
Miva
 
Session7-XSS & CSRF
zakieh alizadeh
 
XSS
Hrishikesh Mishra
 
Lets Make our Web Applications Secure
Aryashree Pritikrishna
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
Evolution Of Web Security
Chris Shiflett
 
CS166 Final project
Kaya Ota
 
PHPUG Presentation
Damon Cortesi
 
Vulnerabilities in Web Applications
Venkat Ramana Reddy Parine
 
Secure Form Processing and Protection - Sunshine PHP 2015
Joe Ferguson
 
[Php Camp]Owasp Php Top5+Csrf
Bipin Upadhyay
 
Cross site scripting
Bilal Mazhar MS(IS)Cyber Security II Privacy Professional
 
Web Security Horror Stories
Simon Willison
 
Security in PHP Applications: An absolute must!
Mark Niebergall
 
null Bangalore meet - Php Security
n|u - The Open Security Community
 
Web vulnerabilities
Oleksandr Kovalchuk
 
DEFCON 17 Presentation: CSRF - Yeah, It Still Works
Russ McRee
 
Owasp & php
Ahmed Kamel Taha
 
Deep understanding on Cross-Site Scripting and SQL Injection
Vishal Kumar
 
Security In PHP Applications
Aditya Mooley
 

More from Dave Ross (20)

KEY
Stylesheets of the future with Sass and Compass
Dave Ross
 
KEY
HTML5 History & Features
Dave Ross
 
PPT
A geek's guide to getting hired
Dave Ross
 
KEY
NoSQL & MongoDB
Dave Ross
 
PDF
Date and Time programming in PHP & Javascript
Dave Ross
 
KEY
Simulated Eye Tracking with Attention Wizard
Dave Ross
 
KEY
What's new in HTML5?
Dave Ross
 
KEY
The Canvas Tag
Dave Ross
 
KEY
Wordpress
Dave Ross
 
PPT
Lamp Stack Optimization
Dave Ross
 
PPT
The FPDF Library
Dave Ross
 
PPT
FirePHP
Dave Ross
 
PPT
Bayesian Inference using b8
Dave Ross
 
PPT
SQL Injection in PHP
Dave Ross
 
KEY
The Mobile Web: A developer's perspective
Dave Ross
 
KEY
Balsamiq Mockups
Dave Ross
 
KEY
LAMP Optimization
Dave Ross
 
KEY
Lint - PHP & Javascript Code Checking
Dave Ross
 
KEY
Cufon - Javascript Font Replacement
Dave Ross
 
KEY
PHP Output Buffering
Dave Ross
 
Stylesheets of the future with Sass and Compass
Dave Ross
 
HTML5 History & Features
Dave Ross
 
A geek's guide to getting hired
Dave Ross
 
NoSQL & MongoDB
Dave Ross
 
Date and Time programming in PHP & Javascript
Dave Ross
 
Simulated Eye Tracking with Attention Wizard
Dave Ross
 
What's new in HTML5?
Dave Ross
 
The Canvas Tag
Dave Ross
 
Wordpress
Dave Ross
 
Lamp Stack Optimization
Dave Ross
 
The FPDF Library
Dave Ross
 
FirePHP
Dave Ross
 
Bayesian Inference using b8
Dave Ross
 
SQL Injection in PHP
Dave Ross
 
The Mobile Web: A developer's perspective
Dave Ross
 
Balsamiq Mockups
Dave Ross
 
LAMP Optimization
Dave Ross
 
Lint - PHP & Javascript Code Checking
Dave Ross
 
Cufon - Javascript Font Replacement
Dave Ross
 
PHP Output Buffering
Dave Ross
 

Recently uploaded (20)

PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PDF
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
PDF
Approach and Philosophy of On baking technology
30anthuong17
 
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PDF
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PPTX
Spectroscopy.pptx food analysis technology
nawahassan45
 
PDF
Encapsulation theory and applications.pdf
gurumoop
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
The Rise and Fall of 3GPP – Time for a Sabbatical?
3G4G
 
Diabetes mellitus diagnosis method based random forest with bat algorithm
IAESIJAI
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
Digital-Transformation-Roadmap-for-Companies.pptx
David Malick Dieng
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Machine learning based COVID-19 study performance prediction
IAESIJAI
 
Building Integrated photovoltaic BIPV_UPV.pdf
SandeepSingh286037
 
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
SOFTTECHHUB
 
Approach and Philosophy of On baking technology
30anthuong17
 
20250228 LYD VKU AI Blended-Learning.pptx
DatVoNgoc
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
Electronic commerce courselecture one. Pdf
OmerMohamed64
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
Understanding_Digital_Forensics_Presentation.pptx
ImranKhan423233
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
How UI/UX Design Impacts User Retention in Mobile Apps.pdf
SynapseIndia
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Spectroscopy.pptx food analysis technology
nawahassan45
 
Encapsulation theory and applications.pdf
gurumoop
 

Web App Security: XSS and CSRF