October 2019: Cross-site scripting

What is cross-site scripting (XSS)?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same-origin policy, which is designed to segregate different websites from each other. Cross-site scripting vulnerabilities normally allow an attacker to masquerade as a victim user, to carry out any actions that the user is able to perform and to access any of the user's data. If the victim user has privileged access within the application, then the attacker might be able to gain full control over all of the application's functionality and data.

How does XSS work?

Cross-site scripting works by manipulating a vulnerable web site so that it returns malicious JavaScript to users. When the malicious code executes inside a victim's browser, the attacker can fully compromise their interaction with the application.

What are the types of XSS attacks?

There are three main types of XSS attacks. These are:

  • Reflected XSS, where the malicious script comes from the current HTTP request.
  • Stored XSS, where the malicious script comes from the website's database.
  • DOM-based XSS, where the vulnerability exists in client-side code rather than server-side code.

Reflected cross-site scripting

Reflected XSS is the simplest variety of cross-site scripting. It arises when an application receives data in an HTTP request and includes that data within the immediate response in an unsafe way.

Here is a simple example of a reflected XSS vulnerability:

https://insecure-website.com/status?message=All+is+well.

<p>Status: All is well.</p>

The application doesn't perform any other processing of the data, so an attacker can easily construct an attack like this:

https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>

<p>Status: <script>/* Bad stuff here... */</script></p>

If the user visits the URL constructed by the attacker, then the attacker's script executes in the user's browser, in the context of that user's session with the application. At that point, the script can carry out any action, and retrieve any data, to which the user has access.
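The following added example (not code from the original page) reproduces the status page above as a vulnerable renderer beside a version that HTML-encodes the parameter on output. The function names are hypothetical; the URLs and the message parameter are the ones shown above.

```javascript
// Added example: the /status page from the text, unsafe and encoded.
// Function names are hypothetical; URLs come from the article.

// Characters that can change how a browser parses HTML text or a
// quoted attribute value, with their entity replacements.
const HTML_ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Read the "message" parameter the way a server framework would:
// URLSearchParams turns "+" into a space and decodes %XX sequences.
function messageFrom(requestUrl) {
  return new URL(requestUrl).searchParams.get('message') ?? '';
}

// Vulnerable: request data is copied into the response unchanged.
function renderStatusVulnerable(requestUrl) {
  return `<p>Status: ${messageFrom(requestUrl)}</p>`;
}

// Hardened: the same response, with the data encoded for the HTML
// text context so the browser displays it instead of parsing it.
function renderStatusEncoded(requestUrl) {
  return `<p>Status: ${htmlEncode(messageFrom(requestUrl))}</p>`;
}

const benignUrl = 'https://insecure-website.com/status?message=All+is+well.';
const craftedUrl =
  'https://insecure-website.com/status?message=<script>/*+Bad+stuff+here...+*/</script>';

console.log(renderStatusVulnerable(benignUrl));
console.log(renderStatusVulnerable(craftedUrl)); // script element reaches the page
console.log(renderStatusEncoded(craftedUrl));    // rendered as inert text
```

The same encoding step applies when the value comes from a database rather than the current request, as in the stored case.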

Stored cross-site scripting

Stored XSS (also known as persistent or second-order XSS) arises when an application receives data from an untrusted source and includes that data within its later HTTP responses in an unsafe way.

The data in question might be submitted to the application via HTTP requests; for example, comments on a blog post, user nicknames in a chat room, or contact details on a customer order. In other cases, the data might arrive from other untrusted sources; for example, a webmail application displaying messages received over SMTP, a marketing application displaying social media posts, or a network monitoring application displaying packet data from network traffic.

Here is a simple example of a stored XSS vulnerability. A message board application lets users submit messages, which are displayed to other users:

<p>Hello, this is my message!</p>

The application doesn't perform any other processing of the data, so an attacker can easily send a message that attacks other users:

<p><script>/* Bad stuff here... */</script></p>

DOM-based cross-site scripting

DOM-based XSS (also known as DOM XSS) arises when an application contains some client-side JavaScript that processes data from an untrusted source in an unsafe way, usually by writing the data back to the DOM.

In the following example, an application uses some JavaScript to read the value from an input field and write that value to an element within the HTML:

var search = document.getElementById('search').value;
var results = document.getElementById('results');
results.innerHTML = 'You searched for: ' + search;

If the attacker can control the value of the input field, they can easily construct a malicious value that causes their own script to execute:

You searched for: <img src=1 onerror='/* Bad stuff here... */'>

In a typical case, the input field would be populated from part of the HTTP request, such as a URL query string parameter, allowing the attacker to deliver an attack using a malicious URL, in the same manner as reflected XSS.

What can XSS be used for?

An attacker who exploits a cross-site scripting vulnerability is typically able to:

  • Impersonate or masquerade as the victim user.
  • Carry out any action that the user is able to perform.
  • Read any data that the user is able to access.
  • Capture the user's login credentials.
  • Perform virtual defacement of the web site.
  • Inject Trojan functionality into the web site.

Impact of XSS vulnerabilities

The actual impact of an XSS attack generally depends on the nature of the application, its functionality and data, and the status of the compromised user. For example:

  • In a brochureware application, where all users are anonymous and all information is public, the impact will often be minimal.
  • In an application holding sensitive data, such as banking transactions, emails, or healthcare records, the impact will usually be serious.
  • If the compromised user has elevated privileges within the application, then the impact will generally be critical, allowing the attacker to take full control of the vulnerable application and compromise all users and their data.

How to find and test for XSS vulnerabilities

The vast majority of XSS vulnerabilities can be found quickly and reliably using Burp Suite's web vulnerability scanner.

Manually testing for reflected and stored XSS normally involves submitting some simple unique input (such as a short alphanumeric string) into every entry point in the application; identifying every location where the submitted input is returned in HTTP responses; and testing each location individually to determine whether suitably crafted input can be used to execute arbitrary JavaScript.

Manually testing for DOM-based XSS arising from URL parameters involves a similar process: placing some simple unique input in the parameter, using the browser's developer tools to search the DOM for this input, and testing each location to determine whether it is exploitable. However, other types of DOM XSS are harder to detect. To find DOM-based vulnerabilities in non-URL-based input (such as document.cookie) or non-HTML-based sinks (like setTimeout), there is no substitute for reviewing JavaScript code, which can be extremely time-consuming. Burp Suite's web vulnerability scanner combines static and dynamic analysis of JavaScript to reliably automate the detection of DOM-based vulnerabilities.
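The second step of the manual process, locating every place the unique input comes back and noting its context, can be sketched as follows. This is an added example, not code from the original page: the marker value and the response body are constructed, and the scanner is a simplified state machine rather than a full HTML parser.

```javascript
// Added example: report where a unique marker is reflected in an HTML
// response and which output encoding that context calls for.
const DEFENCE = {
  'text': 'HTML-encode on output',
  'attr-dq': 'HTML-encode on output, including quotes',
  'attr-sq': 'HTML-encode on output, including quotes',
  'tag': 'quote the attribute value, then HTML-encode',
  'script': 'JavaScript Unicode escapes',
  'comment': 'do not echo input into comments',
};
const OPEN_TAG = /<([A-Za-z][A-Za-z0-9]*)/y; // sticky: matches only at lastIndex

function findReflections(html, marker) {
  const hits = [];
  let state = 'text';
  let tagName = '';
  for (let i = 0; i < html.length; i++) {
    if (html.startsWith(marker, i)) {
      hits.push({ offset: i, context: state, defence: DEFENCE[state] });
    }
    const ch = html[i];
    if (state === 'text') {
      if (html.startsWith('<!--', i)) {
        state = 'comment';
        i += 3;
      } else if (ch === '<' && /[A-Za-z\/]/.test(html[i + 1] || '')) {
        OPEN_TAG.lastIndex = i;
        const open = OPEN_TAG.exec(html);
        tagName = open ? open[1].toLowerCase() : ''; // '' for closing tags
        state = 'tag';
      }
    } else if (state === 'tag') {
      if (ch === '"') state = 'attr-dq';
      else if (ch === "'") state = 'attr-sq';
      else if (ch === '>') state = tagName === 'script' ? 'script' : 'text';
    } else if (state === 'attr-dq') {
      if (ch === '"') state = 'tag';
    } else if (state === 'attr-sq') {
      if (ch === "'") state = 'tag';
    } else if (state === 'script') {
      // Script content ends only at a closing script tag.
      if (html.slice(i, i + 8).toLowerCase() === '</script') {
        tagName = '';
        state = 'tag';
      }
    } else if (state === 'comment') {
      if (html.startsWith('-->', i)) {
        state = 'text';
        i += 2;
      }
    }
  }
  return hits;
}

// Constructed sample: one response reflecting the marker in six places.
const marker = 'zq7x3k9';
const sampleResponse = [
  '<html><head><title>Search: zq7x3k9</title>',
  '<!-- debug: q=zq7x3k9 -->',
  '<script>var q = "zq7x3k9";</script></head>',
  '<body><input name="q" value="zq7x3k9">',
  "<a href='/search?q=zq7x3k9'>again</a>",
  '<p>You searched for: zq7x3k9</p></body></html>',
].join('\n');

for (const hit of findReflections(sampleResponse, marker)) {
  console.log(`${hit.offset}\t${hit.context}\t${hit.defence}`);
}
```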

How to prevent XSS attacks

Preventing cross-site scripting is trivial in some cases but can be much harder depending on the complexity of the application and the ways it handles user-controllable data.

In general, effectively preventing XSS vulnerabilities is likely to involve a combination of the following measures:

  • Filter input on arrival. At the point where user input is received, filter as strictly as possible based on what is expected or valid input.
  • Encode data on output. At the point where user-controllable data is output in HTTP responses, encode the output to prevent it from being interpreted as active content. Depending on the output context, this might require applying combinations of HTML, URL, JavaScript, and CSS encoding.
  • Use appropriate response headers. To prevent XSS in HTTP responses that aren't intended to contain any HTML or JavaScript, you can use the Content-Type and X-Content-Type-Options headers to ensure that browsers interpret the responses in the way you intend.
  • Content Security Policy. As a last line of defense, you can use Content Security Policy (CSP) to reduce the severity of any XSS vulnerabilities that still occur.
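Why the encoding has to match the output context, and why combinations are applied in a fixed order, is shown in this added example (not code from the original page; all function names are hypothetical). It places a user's name inside an inline event handler, where the browser HTML-decodes the attribute before the JavaScript engine parses it, so HTML encoding alone is undone. The sample name is constructed.

```javascript
// Added example: JavaScript Unicode escapes versus HTML encoding for a
// value placed inside a JavaScript string in an HTML attribute.
const ENCODE = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
const DECODE = Object.fromEntries(Object.entries(ENCODE).map(([ch, ent]) => [ent, ch]));

// HTML encoding for text and quoted attribute values.
const htmlEncode = (s) => String(s).replace(/[&<>"']/g, (ch) => ENCODE[ch]);

// The browser decodes entities in an attribute value before the script
// engine sees it. Only the five entities above are modelled here.
const htmlDecode = (s) => s.replace(/&(?:amp|lt|gt|quot|#39);/g, (ent) => DECODE[ent]);

// JavaScript context: replace everything except ASCII letters and digits
// with a \uXXXX escape (one escape per UTF-16 code unit).
function jsStringEscape(value) {
  return String(value).replace(/[^A-Za-z0-9]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Wrong for this context: HTML encoding only.
function buttonHtmlOnly(name) {
  return `<button onclick="greet('${htmlEncode(name)}')">Hi</button>`;
}

// Right order: JavaScript escape first (innermost context), then HTML
// encode for the attribute that carries the script.
function buttonJsThenHtml(name) {
  return `<button onclick="greet('${htmlEncode(jsStringEscape(name))}')">Hi</button>`;
}

// The script source the JavaScript engine receives for the handler.
function scriptSeenByEngine(buttonHtml) {
  return htmlDecode(/onclick="([^"]*)"/.exec(buttonHtml)[1]);
}

// A correctly escaped handler contains exactly two quote characters:
// the delimiters of the single string argument.
const quoteCount = (js) => (js.match(/'/g) || []).length;

const name = "O'Brien"; // constructed, ordinary input containing a quote
console.log(scriptSeenByEngine(buttonHtmlOnly(name)));   // greet('O'Brien')
console.log(scriptSeenByEngine(buttonJsThenHtml(name))); // greet('O\u0027Brien')
// The escape is lossless: the engine reads back the original value.
console.log(JSON.parse('"' + jsStringEscape(name) + '"'));
```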

Common questions about cross-site scripting

How common are XSS vulnerabilities? XSS vulnerabilities are very common, and XSS is probably the most frequently occurring web security vulnerability.

How common are XSS attacks? It is difficult to get reliable data about real-world XSS attacks, but it is probably less frequently exploited than other vulnerabilities.

What is the difference between XSS and CSRF? XSS involves causing a web site to return malicious JavaScript, while CSRF involves inducing a victim user to perform actions they do not intend to do.

What is the difference between XSS and SQL injection? XSS is a client-side vulnerability that targets other application users, while SQL injection is a server-side vulnerability that targets the application's database.

How do I prevent XSS in PHP? Filter your inputs with a whitelist of allowed characters and use type hints or typecasting. Escape your outputs with htmlentities and ENT_QUOTES for HTML contexts, or JavaScript Unicode escapes for JavaScript contexts.

How do I prevent XSS in Java? Filter your inputs with a whitelist of allowed characters and use a library such as Google Guava to HTML-encode your output for HTML contexts, or use JavaScript Unicode escapes for JavaScript contexts.

Compiled by:

Tech Support Department

September 2019: VPN! What do you know about VPNs?

Definition of VPN

VPN stands for virtual private network. It is an encrypted tunnel between two devices that lets you access every website and online service privately and securely via your computer or mobile device.

How does VPN tunneling work?

VPN tunneling creates a point-to-point connection between two devices, often the VPN server and your device. Tunneling encapsulates your data into standard TCP/IP packets and safely transfers it across the internet. Because the data is encrypted, hackers, governments, and even internet service providers cannot see or gain control of your information while you are connected to a VPN server. That is why you are able to access sites that are censored in your country or any other country.

Why do I need a VPN?

From enhanced security to saving money, there are many benefits that come from using a VPN. Check out these five amazing things a VPN can do for you!

  1. It can keep you safe while online
  2. It can help you defeat censorship
  3. It can help you save money
  4. It can encrypt everything for you so no sniffing can happen to your content
  5. It can help you extend your coverage i.e. it can change your geolocation and you will be able to access the products that are not currently available in your country.

There is more that a VPN can do for you; check it out online.

How is a VPN different from a proxy?

When you connect to a proxy server, it becomes an intermediary between your device and the internet. All of your internet traffic gets rerouted through the proxy server, making it appear to have come from the proxy server’s IP address.

Connecting to a proxy server masks your IP address and allows you to access censored content. However, proxy servers do not encrypt your traffic, so any information that you exchange over the connection can be intercepted by others who are also connected to the server, such as hackers or identity thieves.

A VPN offers all the benefits of a proxy server but also secures and encrypts the data between your device and the internet, allowing you to go online without fear of having your information intercepted or stolen.

How is a VPN different from DNS?

In addition to their main VPN service, some VPNs such as ExpressVPN also provide a way to change your DNS settings such that only certain content goes through their servers, leaving the rest of your network traffic to be handled by your regular ISP.

However, like a proxy server, this DNS service does not include secure tunneling for your network traffic, which makes it slightly faster but leaves it prone to third party interference. Additionally, changing your DNS settings does not hide your IP address, since not all of your traffic is rerouted through the DNS server. If you want to remain anonymous and protect the information you exchange online, you need a VPN.

How is a VPN different from a firewall?

A firewall is a barrier that analyzes data packets from the internet that try to connect to your computer and only allows those that meet a predetermined set of rules to get through.

Using a firewall is a great way to protect your device from threats such as virus attacks and worms. However, a firewall can only protect your device from dangerous incoming traffic. To secure and protect the network traffic leaving your device, you need a VPN. A firewall does offer complementary benefits to a VPN, however, and using the two together provides optimal online security.


 

What is the difference between a VPN app, a VPN plugin, and a VPN browser?

VPN browsers or browser plugins only protect your web browser traffic. The rest of the network traffic from your device is still exposed to internet service providers and potential hackers. A VPN app will encrypt and protect all network traffic from your device.

The ExpressVPN browser extension for Chrome and Firefox is different. It works in partnership with the ExpressVPN app to protect your entire device.

Where can I get a VPN?

ExpressVPN makes safe internet browsing easy

Get an account.

Choose your plan.

Enjoy the internet with privacy and security!

Compiled and approved by the Technical department, WOUGNET. Read more from ExpressVPN.

August 2019: How to transfer all contacts from your old Android or iPhone to a new smartphone

When buying a new smartphone, transferring the entire phonebook from your old phone to your newly purchased smartphone could be a big task. Here’s how you can make it a seamless process.

HIGHLIGHTS

  • Many people face the tough challenge of transferring data from the old phone to the new one.
  • If you don't manage to transfer your contacts, it becomes difficult to make calls, send messages, use WhatsApp and make payments.
  • If you have just bought a new phone, here's how you can make sure your entire phonebook is cloned to the new phone.

With a myriad of smartphones coming out every month across various price ranges, consumers have started upgrading phones at a faster pace than before. With an increase in demand for new and convenient features in smartphones, the manufacturers are coming up with new models that house sophisticated features - for example, the periscope camera with 5X zoom in the Huawei P30 Pro or the rotating pop-up selfie camera on the Samsung Galaxy A80. With tempting features like these, it's hard not to give in to the temptation and invest in these smartphones.

However, while making the purchase decision isn't hard, many people face the tough challenge of transferring data from the old phone to the new model. While most app data can be backed up on their native services, the most important data around which your connected life revolves is the phonebook. If you don't manage to transfer your contacts, it becomes difficult to make calls, send messages, use WhatsApp and make payments.

If you have just bought a new phone, here's how you can make sure your entire phonebook is cloned to the new phone. And don't worry, we have solutions for both Android and iOS platforms.

Transferring contacts from Android to Android:

--Go to Settings in your old Android phone and navigate to Google.

--Inside the Google section, search for backups and open it.

--By default, your Google account automatically takes a backup of all your contacts on a frequent basis. You have to make sure that the auto backup option is enabled. If it isn't, turn on the backup and wait for the phone to sync it to your Google Drive.

--While saving a new contact, Android phones always ask where you want to save the contact. A wise decision is to select your Google account.

--On your new Android smartphone, simply login to your Google account and wait for the device to synchronize. After a few minutes, your phonebook should reflect all your contacts synchronized with your Google account.

--If you don't prefer or are unable to back up your data to Google's cloud, then most Android phones offer a way to share all contact details as a VCF file. You can share it over Bluetooth to your new device and simply install the file to get all your contacts.

Transferring from Android to iPhone:

--On your Android device, you need to back up all your contacts to your Google Drive. Head over to the Google section and navigate to backups in the Settings menu.

--By default, your Google account automatically takes a backup of all your contacts on a frequent basis. You have to make sure that the auto backup option is enabled. If it isn't, turn on the backup and wait for the phone to sync it to your Google Drive.

--On your iPhone, head over to Settings and navigate to Passwords & Accounts. Tap on Add account.

--Your iPhone will show all popular services, including Google. Tap on Google and log in with your password.

--Once you log in, tap on your Google account under the Passwords & Accounts option. Turn on synchronization for contacts.

--Wait for a few minutes to let the device synchronize with the Google account. After a few minutes, your phonebook should reflect all the contacts from your Android phone.

Transferring from iPhone to Android:

--On your iPhone, navigate to Passwords & Accounts and head over to your Google account. Switch on the synchronization of contacts.

--On your new Android phone, simply log in with your Google account during the setup process.

--By the time your Android phone is set up, all your contacts will be transferred to your new Android device.

Transferring from old iPhone to new iPhone:

--Most iPhones back up your data, including contacts, to iCloud by default. If you switched off the backup, head over to Settings and navigate to iCloud to turn on synchronization for contacts.

--On your new iPhone, once you log in with your Apple ID, all contacts are transferred to the device by the time the device finishes the setup.

July 2019: Apple users beware: Complete strangers could be listening to your ‘private’ conversations.

If you use an iPhone, iPad or Apple Watch you know how handy Siri can be at times.

But what you might not know is Siri is constantly snooping on your conversations, and that even includes face-to-face conversations that don’t involve a phone call!

What happens is Siri records your conversations for use in training Siri to better understand how you speak and how it should respond to the things you say.

But Siri doesn’t do this “learning” all on its own. It has help from human contractors that Apple pays to listen to their customers’ recorded conversations and then provide feedback to help Siri improve.

According to this recent report from “The Guardian”, those human contractors hear all kinds of conversations ranging from the boring and mundane to extremely sensitive encounters such as medical consultations and even personal encounters of a very “intimate” nature.

What’s more, as mentioned above the conversations that are recorded and listened to aren’t just telephone calls. Your face-to-face and in-person conversations are shared with the contractors as well.

The takeaway is this: If Siri is active and waiting for you to speak her into action, she is listening to everything you say (how else would she hear you when you say “Hey Siri“?).

Apple says only about 1% of all daily customer conversations are recorded and listened to.

That sounds like the odds of them listening to any particular conversation of yours are very low, and they are.

But since Siri is constantly listening 24/7 (unless you tell her not to) there’s a very real possibility that some of your conversations are being recorded and listened to by complete strangers.

If this potential eavesdropping concerns you, all you have to do to prevent it is tell Siri to stop listening to your every word. Just follow the steps listed below for the device you’re using.

If you have an iPhone or iPad:

1 – Open the Settings app.

2 – Tap Siri.

3 – Tap Search.

4 – Toggle both the Listen for “Hey Siri” and Allow Siri When Locked settings to Off.

If you have an Apple Watch:

1 – Open the Settings app.

2 – Select General.

3 – Select Siri.

4 – Toggle both the Hey Siri and Raise to Speak settings to Off.

That’s all there is to it. Once those changes are made, Siri should no longer listen in on your private conversations without your knowledge or approval.

May 2019: What is a Canonical URL?

A canonical URL is your preferred URL. Still not making sense? We understand, so let us explain. URLs can have multiple variables and as such, to avoid issues like repeating content, Google asks that the webmaster chooses one to use. Let us look at our homepage and see what variables are available:

  • wougnet.org
  • www.wougnet.org
  • http://www.wougnet.org
  • https://wougnet.org

Using these stems, and depending on the type of server you use, variables can include /index.html or /index.asp; even a forward slash at the end of a URL will count as a separate page, depending on the type of CMS you are using.

The big problem is that whilst these may all seem like fairly trivial variables that you see regularly, in actual fact they all count as separate web pages. In fact, you could have different content on every single one of these URLs. If the content is the same (which is most likely) it causes a duplicate content issue in that because they are considered different web pages, they are all competing against each other for ranking.

A canonical URL is one that has been chosen, either by the Webmaster or by a default setting on their CMS to act as the main URL, utilizing 301 redirects on the other variables to automatically and permanently redirect to the canonical. Google can also automatically canonicalize a URL but you do not appear to have any control over which one they choose, they just try to choose the right one. For example, if you entered www.wougnet.org into your web browser, it would automatically redirect to your canonical URL which is wougnet.org.

The canonical URL usually refers to the homepage and is also known as the canonical domain, although you want to make sure that you set a preferred domain so that you do not have all of these variables occurring for each one of your web pages.

Default settings on servers can often create duplicate URLs which you will then have to redirect and place rel=canonical tags on the duplicates in order to identify your canonical URL. The most common server-generated URLs are (using the WOUGNET domain):

Apache

  • http://www.wougnet.org/
  • http://www.wougnet.org/index.html
  • https://wougnet.org
  • https://wougnet.org/index.html

SEO Considerations and Best Practice for Canonical URLs

301 redirects are a permanent redirect from one page to another, effectively merging the two pages. All variables of a URL or domain should be 301 redirected to the canonical.

The canonical URL tag attribute is designed for robots rather than the user (it is a rel attribute). The user will still be able to view the page in question. The canonical tag should be added to the HTML header (<head>) of a page; it tells robots that this page is a duplicate of another one and which page contains the original information. As a result, the search engines should then consider all inbound link juice and content metrics to be attributable to the original page.

You should only really have to apply either a 301 or a canonical tag to each page (we prefer to simply 301 redirect the page) although if you wanted to make sure you could add both!

If you have multiple versions of a URL or domain you run the risk of other websites linking to these variables, which will, in turn, reduce the number of direct links coming to your preferred domain. 301 redirects to the canonical will pass this link juice to the preferred URL and help search visibility.

Through Google’s search console, you can set your preferred domain via site settings which will indicate to Google which version of your domain you would like indexed and ranking on search results. However, this will not prevent users from viewing other URLs and as such, they advise 301 redirecting these variables to the preferred domain (a.k.a canonical domain).

In a blog post, Matt Cutts gives clear instructions NOT to use the URL removal tool on Google’s search console to remove versions of a domain, for example, if you wanted www.weareyellowball.com to be the preferred domain, you should not use the URL Removal tool to remove wougnet.org.

Finally, websites that have complex filtering systems or search functions may automatically create different URLs for pages that appear in different areas of the site. E-commerce sites are a classic example of this where products appear across multiple categories and the CMS creates multiple URLs.

Technical Implementation of Canonical URL Tag Attribute

<head>

<link rel="canonical" href="insert canonical URL here" />

</head>

Be careful not to create an infinite loop between www.weareyellowball.com and www.weareyellowball.com/index.html or www.weareyellowball.com/index.php due to Apache using the same file for these URLs. As such, they just carry on redirecting, creating an infinite loop. For information on how to prevent this please see (https://moz.com/blog/apache-redirect-an-index-file-to-your-domain-without-looping).
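The redirect decision itself can be written so that it cannot loop, as in this added example (not code from the original page or from the linked Moz post). It assumes https://wougnet.org/ is the canonical form; the function name and the list of index files are hypothetical. The decision uses only the URL the client requested, and the target is a fixed point of the function.

```javascript
// Added example: compute the 301 target for the URL variants listed in
// the article. CANONICAL_ORIGIN is an assumption, not site configuration.
const CANONICAL_ORIGIN = 'https://wougnet.org';
const INDEX_FILES = ['/index.html', '/index.php', '/index.asp'];

// Returns the Location value for a 301 response, or null when the
// requested URL is already canonical and must be served as-is.
function canonicalRedirect(requestUrl) {
  const requested = new URL(requestUrl);

  // The host is a constant, never copied from the request. The path is
  // assigned to a URL whose host is already fixed instead of being
  // resolved as a relative reference, because a path that starts with
  // "//" would otherwise be parsed as a new host.
  const canonical = new URL(CANONICAL_ORIGIN);
  canonical.pathname = requested.pathname;
  canonical.search = requested.search;

  // Fold directory index files into the directory URL.
  for (const name of INDEX_FILES) {
    if (canonical.pathname.endsWith(name)) {
      canonical.pathname = canonical.pathname.slice(0, -(name.length - 1));
    }
  }

  return canonical.href === requested.href ? null : canonical.href;
}

// Variants from the article.
const variants = [
  'http://www.wougnet.org/',
  'http://www.wougnet.org/index.html',
  'https://wougnet.org',
  'https://wougnet.org/index.html',
];
for (const v of variants) {
  console.log(v, '->', canonicalRedirect(v) ?? '(serve, no redirect)');
}
```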
