DOC PREVIEW
GT ECE 4112 - JavaScript Injection and Web Hacking Techniques

This preview shows page 1-2-3-4-5 out of 14 pages.

Save
View full document
View full document
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience
View full document
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience
Premium Document
Do you want full access? Go Premium and unlock all 14 pages.
Access to all documents
Download any document
Ad free experience

Unformatted text preview:

Slide 1Slide 2Slide 3Slide 4Slide 5Slide 6Slide 7Slide 8Slide 9Slide 10Slide 11Slide 12Slide 13Slide 14Group 19Juan O’ConnellJustin RandECE 4112 Group 19May 1, 2007Georgia Institute of TechnologyCollege of EngineeringSchool of Electrical and Computer Engineering JavaScript Injection and Web Hacking TechniquesGroup 19•Motivation•To learn more about web security•Analyze rather than double click•There is no set path to assess vulnerabilities•JavaScript is used in millions of web pages•Supplement from Lab 9•It is easy to learn!Group 19•What is JavaScript? •JavaScript is a dynamic scripting language that supports prototype based object construction •Developed by Netscape•Adds additional interaction between the web site and its visitors •JavaScript is the most popular scripting language on the internet.Group 19•PkCrack – Cracking PkZip Encryption•Known plaintext attack–Need unencrypted file•Command line program–\PkCrack> pkcrack -C -c -P -p -d»-C <encrypted .ZIP>»-c <encrypted file>»-P <plaintext .ZIP>»-p <plaintext file>»-d <cracked .ZIP>Group 19•Lab Layout•Section 0: Setup•Section 1: JavaScript•Section 1.1 – The Basics: JavaScript Tutorial•Section 1.2 – JavaScript Injection•Section 1.3 – Vulnerability Assessment of Guest Books•Section 2 - “Realistic” Web HackGroup 19•Section 1.2 Demo•Variable change•http://www.prism.gatech.edu/~gtg131v/4112/•The code <javascript:c=5;>•Grandma’s Cookie•http://www.prism.gatech.edu/~gtg131v/4112/•The code<javascript:void:(document.cookie=”Authorized=true”);javascript:alert(document.cookie);>Group 19•Section 1.3 Real Demo•Guest Book•http://www.legacy.com/Atlanta/Obituaries.asp•Assessment code <u> some text </u> <plaintext>•Injection<img src="asdf" onerror="alert('Welcome!')"/>•Get Creative!<img src="asdf" onerror=" void(window.location=('http://www.ece.gatech.edu'))"/>Group 19•Solutions•JavaScript Injection•Always validate the input received against a white list •Do not rely on client side validation to validate the user input•Validate the input every time •Guest Books•Use a code filter!Group 19•Section 2 – “Realistic” Web Hack•Search page source for hidden directory•Download critical file•Exploit using PkCrack•From here?Group 19Group 19Group 19•Solution•Limit Directory access •Apache can use .htaccess and .htpasswd–Must change httpd.conf»AllowOverride AuthConfig–Create .htaccess in the directory you want to protect»Will reference .htpasswd and ask for authorizationGroup 19•References–[1] http://www.hackthissite.orgGroup


View Full Document

GT ECE 4112 - JavaScript Injection and Web Hacking Techniques

Documents in this Course
Firewalls

Firewalls

40 pages

Firewalls

Firewalls

126 pages

Load more
Download JavaScript Injection and Web Hacking Techniques
Our administrator received your request to download this document. We will send you the file to your email shortly.
Loading Unlocking...
Login

Join to view JavaScript Injection and Web Hacking Techniques and access 3M+ class-specific study document.

or
We will never post anything without your permission.
Don't have an account?
Sign Up

Join to view JavaScript Injection and Web Hacking Techniques 2 2 and access 3M+ class-specific study document.

or

By creating an account you agree to our Privacy Policy and Terms Of Use

Already a member?