Lecture 14: Cross-Site Scripting (XSS) and UI Attacks

Intro to XSS, Review

Stored XSS

If the user input is stored on the server and displayed as HTML, how can an attacker inject JavaScript?

XSS Demo

Real-world XSS Attacks

Reflected XSS

(True/False) Reflected XSS requires the victim to visit a malicious link crafted by the attacker, but Stored XSS does not.

XSS Defenses

Consider an escaper that finds all instances of <script> and </script> in user input and removes them. Can an attacker still perform an XSS attack with <script> tags? If yes, write a malicious input that would bypass this escaping function. If no, explain why.

Impersonation Attacks

Authentication and Impersonation

Two-Factor Authentication

What two factors are used when you sign into your Berkeley account?

Session Hijacking

(True/false) Setting the HttpOnly flag on a cookie is a good defense against session hijacking by packet sniffers (on-path network attackers).

Intro to Phishing

Phishing Example

(True/false) There is no phishing attack on this webpage.

Phishing Defense: Check URLs

URL Obfuscation Attack

Homograph Attack

Spear Phishing

Why Does Phishing Work?

Phishing Conclusion

How does clickjacking subvert the same-origin policy?

Clickjacking Defenses

(True/false) If we enabled dialog boxes asking for confirmation on every website, clickjacking attacks would never work.

(True/false) Clickjacking attacks can only happen when you are visiting an attacker’s website.

Defense: Framebusting

Defense: Ensuring Visual Integrity

Defense: Enforcing Temporal Integrity

Defense: X-Frame-Options

Browser-in-Browser Attack