CTL
6 octobre 2009 - 14h00
XCS: Cross Channel Scripting and its Impact on Web Applications
par Elie Bursztein de Stanford Security Laboratory
Abstract: We study the security of embedded web servers used in con-
sumer electronic devices, such as security cameras and photo
frames, and for IT infrastructure, such as wireless access
points and lights-out management systems. All the devices
we examine turn out to be vulnerable to a variety of web
attacks, including cross site scripting (XSS) and cross site
request forgery (CSRF). In addition, we show that consumer
electronics are particularly vulnerable to a nasty form of
persistent XSS where a non-web channel such as NFS or
SNMP is used to inject a malicious script. This script is
later used to attack an unsuspecting user who connects to
the device's web server. We refer to web attacks which are
mounted through a non-web channel as cross channel script-
ing (XCS). We propose a client-side defense again certain
XCS which we implement as a browser extension.
Les tranparents de la presentation.