Lecture 14: Cross-Site Scripting (XSS) and UI Attacks

Intro to XSS, Review




Stored XSS


If the user input is stored on the server and displayed as HTML, how can an attacker inject JavaScript?




XSS Demo




Real-world XSS Attacks




Reflected XSS


(True/False) Reflected XSS requires the victim to visit a malicious link crafted by the attacker, but Stored XSS does not.




XSS Defenses


Consider an escaper that finds all instances of <script> and </script> in user input and removes them. Can an attacker still perform an XSS attack with <script> tags? If yes, write a malicious input that would bypass this escaping function. If no, explain why.
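The following is an added worked example, not code from the lecture. It covers both the stored-XSS question above (user input saved on the server and later rendered as HTML) and this escaper question: it implements the naive "remove <script> and </script>" filter, shows the nested-tag input that defeats it, and contrasts it with an escaper that encodes every HTML metacharacter. The comment-rendering sink and the names are illustrative assumptions.

```javascript
// Added example, not part of the lecture: the naive "remove <script>" filter
// from the question, the input that slips past it, and the escaping that
// actually stops stored XSS. Function names and the comment-rendering sink
// are illustrative assumptions, not code from any real site.

// The filter in the question: delete every literal "<script>" and "</script>".
function naiveStripScript(input) {
  return input.split("<script>").join("").split("</script>").join("");
}

// Bypass: nest the tag inside itself. Stripping the inner tag glues the
// outer pieces back together into a complete <script> tag.
const BYPASS_PAYLOAD =
  "<scr<script>ipt>alert(document.cookie)</scr</script>ipt>";

// Correct defense: escape every HTML metacharacter, so user text is shown as
// text and can never become markup, whichever tag the attacker tries.
// (This is the right escaper for HTML body and attribute context only; text
// placed inside a <script> block or a URL needs a different encoding.)
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (c) => map[c]);
}

// Simulated stored-XSS sink: a comment saved on the server is later
// interpolated into the HTML of every visitor's page (constructed example).
function renderComment(storedComment, sanitize) {
  return `<div class="comment">${sanitize(storedComment)}</div>`;
}

// Does the rendered HTML contain a live <script> tag?
function containsScriptTag(html) {
  return /<script\b[^>]*>/i.test(html);
}
```

Running naiveStripScript on BYPASS_PAYLOAD yields exactly `<script>alert(document.cookie)</script>`, so every visitor who loads the stored comment executes the attacker's code. Making the filter case-insensitive or looping until nothing changes does not help in general, because removal-based blacklists always leave some reassembly trick; encoding the metacharacters removes the entire class of bypass.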




Impersonation Attacks

Authentication and Impersonation




Two-Factor Authentication


What two factors are used when you sign into your Berkeley account?




Session Hijacking


(True/False) Setting the HttpOnly flag on a cookie is a good defense against session hijacking by packet sniffers (on-path network attackers).




Intro to Phishing




Phishing Example


(True/False) There is no phishing attack on this webpage.




Phishing Defense: Check URLs




URL Obfuscation Attack




Homograph Attack




Spear Phishing




Why Does Phishing Work?




Phishing Conclusion




Clickjacking


How does clickjacking subvert the same-origin policy?




Cursorjacking




Clickjacking Defenses


(True/False) If we enabled dialog boxes asking for confirmation on every website, clickjacking attacks would never work.


(True/False) Clickjacking attacks can only happen when you are visiting an attacker’s website.




Defense: Framebusting
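Added example, not from the lecture: the classic framebusting script and the sandbox trick that defeats it. A framed page checks whether it is the top-level document and, if not, navigates the top window to its own URL. An attacker who frames the page with `<iframe sandbox="allow-scripts allow-forms">` (omitting `allow-top-navigation`) makes that navigation throw a SecurityError, so the page stays framed and the clickjack proceeds. The window objects below are stand-ins so the logic can be exercised outside a browser; in a real page you would call framebust(window).

```javascript
// Added example, not part of the lecture. The fake window objects are
// constructed stand-ins for window.top / window.self so the framebuster's
// decision logic can run outside a browser.

// Classic framebuster: if this document is not the top-level document,
// navigate the top-level window to our own URL, escaping the attacker's frame.
function framebust(win) {
  if (win.top === win.self) {
    return "not-framed";
  }
  try {
    win.top.location = win.self.location;
    return "busted";
  } catch (err) {
    // Inside <iframe sandbox="allow-scripts allow-forms"> (no
    // allow-top-navigation) the browser rejects the assignment with a
    // SecurityError, so the page remains framed.
    return "blocked";
  }
}

// Build a fake framed window whose top is an attacker page. `sandboxed`
// simulates the sandbox attribute without allow-top-navigation.
function makeFramedWindow(sandboxed) {
  const top = {};
  let topLocation = "https://attacker.example/";
  Object.defineProperty(top, "location", {
    get: () => topLocation,
    set: (url) => {
      if (sandboxed) {
        throw new Error("SecurityError: sandboxed frame may not navigate its top");
      }
      topLocation = url;
    },
  });
  const self = { location: "https://bank.example/transfer" };
  self.self = self;
  self.top = top;
  return self;
}

// Build a fake window that is itself the top-level document.
function makeTopWindow() {
  const self = { location: "https://bank.example/transfer" };
  self.self = self;
  self.top = self;
  return self;
}
```

The framebuster only works when the attacker forgets the sandbox attribute (or when the browser predates it), which is why it is treated as a best-effort measure rather than a real defense; the header-based defenses below are enforced by the browser before any script in the framed page runs.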




Defense: Ensuring Visual Integrity




Defense: Enforcing Temporal Integrity




Defense: X-Frame-Options
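Added example, not from the lecture: a simplified model of how a browser decides whether a response may be rendered inside a frame, from its X-Frame-Options header and, where present, the Content-Security-Policy frame-ancestors directive. The rules encoded are the real ones in outline: frame-ancestors, if present, takes precedence over X-Frame-Options; DENY blocks all framing; SAMEORIGIN requires every ancestor document to share the page's origin (older browsers checked only the top window, which the double-framing test below exploits); an unrecognised or absent value allows framing. Source matching is reduced to exact origins and a leading `*.` host wildcard, which is an assumption made to keep the example short.

```javascript
// Added example, not part of the lecture: decide whether a page may be
// framed, given its response headers, its own origin, and the origins of the
// documents framing it (innermost first, top-level last). Simplified model
// of the browser rules; source matching handles only exact origins and a
// leading "*." host wildcard (an assumption made for brevity).

// Extract the source list of the frame-ancestors directive, or null if the
// CSP header is absent or has no such directive.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(";")) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === "frame-ancestors") return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression match a framing document's origin?
function sourceMatches(source, ancestorOrigin, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return ancestorOrigin === pageOrigin;
  if (s === "*") return true;
  const origin = new URL(ancestorOrigin);
  const originScheme = origin.protocol.replace(":", "");
  const [scheme, hostPart] = s.includes("://") ? s.split("://") : [originScheme, s];
  if (scheme !== originScheme) return false;
  const hostPattern = hostPart.replace(/\/$/, "");
  if (hostPattern.startsWith("*.")) {
    return origin.host.endsWith(hostPattern.slice(1));
  }
  return origin.host === hostPattern;
}

// Returns true if the browser should render the page inside the given chain
// of framing documents; an empty chain means the page is top-level.
function framingAllowed(headers, pageOrigin, ancestorOrigins) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;

  const ancestors = parseFrameAncestors(h["content-security-policy"]);
  if (ancestors) {
    // frame-ancestors wins over X-Frame-Options; every ancestor must match.
    return ancestorOrigins.every((a) =>
      ancestors.some((src) => sourceMatches(src, a, pageOrigin))
    );
  }

  const xfo = (h["x-frame-options"] || "").trim().toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return ancestorOrigins.every((a) => a === pageOrigin);
  // No recognised policy: anyone may frame the page.
  return true;
}
```

The practical upshot: a page with no framing header can be framed by anyone; DENY or `frame-ancestors 'none'` stops clickjacking outright; SAMEORIGIN or `frame-ancestors 'self'` allows a site to frame itself, and frame-ancestors is the only way to name specific partner origins now that ALLOW-FROM is no longer supported.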




Browser-in-Browser Attack