Seminar details


CTL

6 October 2009 - 14h00
XCS: Cross Channel Scripting and its Impact on Web Applications
by Elie Bursztein from Stanford Security Laboratory



Abstract: We study the security of embedded web servers used in con-
sumer electronic devices, such as security cameras and photo
frames, and for IT infrastructure, such as wireless access
points and lights-out management systems. All the devices
we examine turn out to be vulnerable to a variety of web
attacks, including cross site scripting (XSS) and cross site
request forgery (CSRF). In addition, we show that consumer
electronics are particularly vulnerable to a nasty form of
persistent XSS where a non-web channel such as NFS or
SNMP is used to inject a malicious script. This script is
later used to attack an unsuspecting user who connects to
the device's web server. We refer to web attacks which are
mounted through a non-web channel as cross channel script-
ing (XCS). We propose a client-side defense again certain
XCS which we implement as a browser extension.

Slides of the Presentation.


Contact | Site Map | Site powered by SPIP 4.2.8 + AHUNTSIC [CC License]

info visites 3900045