Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Scripting (XSS) David Wharton Intrusion Detection & Prevention Regions Financial Corp.

Similar presentations


Presentation on theme: "Cross Site Scripting (XSS) David Wharton Intrusion Detection & Prevention Regions Financial Corp."— Presentation transcript:

1 Cross Site Scripting (XSS) David Wharton Intrusion Detection & Prevention Regions Financial Corp.

2 Overview Introduction Introduction What is XSS? What is XSS? Is XSS Important? Is XSS Important? Exploiting XSS Exploiting XSS Preventing XSS Preventing XSS BeEF Demo BeEF Demo Conclusion Conclusion Questions Questions

3 Introduction

4 What is XSS? XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website. XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website. XSS bypasses same-origin policy protection XSS bypasses same-origin policy protection The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites. The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites. The term origin is defined using the domain name, application layer protocol, and (in most browsers) TCP port The term origin is defined using the domain name, application layer protocol, and (in most browsers) TCP port Requires some sort of social engineering to exploit. Requires some sort of social engineering to exploit.

5 Types of XSS Reflected XSS Reflected XSS Stored XSS (a.k.a. Persistent XSS) Stored XSS (a.k.a. Persistent XSS) DOM Based XSS DOM Based XSS

6 Reflected XSS

7 Reflected XSS Example Exploit URL: Exploit URL: alert(' XSS') &x=0&y=0 alert(' XSS') &x=0&y=0 HTML returned to victim: HTML returned to victim: Search Results Search: " alert('XSS') " Search Results Search: " alert('XSS') "

8 Reflected XSS Example

9 Stored XSS JavaScript supplied by the attacker is stored by the website (e.g. in a database) JavaScript supplied by the attacker is stored by the website (e.g. in a database) Doesnt require the victim to supply the JavaScript somehow, just visit the exploited web page Doesnt require the victim to supply the JavaScript somehow, just visit the exploited web page More dangerous than Reflected XSS More dangerous than Reflected XSS Has resulted in many XSS worms on high profile sites like MySpace and Twitter (discussed later) Has resulted in many XSS worms on high profile sites like MySpace and Twitter (discussed later)

10 DOM Based XSS Occur in the content processing stages performed by the client Occur in the content processing stages performed by the client document.write(" "+document.location.href.substring(documen t.location.href.indexOf("default=")+8)+" "); document.write(" "+document.location.href.substring(documen t.location.href.indexOf("default=")+8)+" "); T T /page.html?default= alert(document.cookie) /page.html?default= alert(document.cookie) Source: Source: Source: Source:

11 Is XSS Dangerous? Yes Yes OWASP Top 2 OWASP Top 2 Defeats Same Origin Policy Defeats Same Origin Policy Just think, any JavaScript you want will be run in the victims browser in the context of the vulnerable web page Just think, any JavaScript you want will be run in the victims browser in the context of the vulnerable web page Hmmm, what can you do with JavaScript? Hmmm, what can you do with JavaScript?

12 What can you do with JavaScript? Pop-up alerts and prompts Pop-up alerts and prompts Access/Modify DOM Access/Modify DOM Access cookies/session tokens Access cookies/session tokens Circumvent same-origin policy Circumvent same-origin policy Virtually deface web page Virtually deface web page Detect installed programs Detect installed programs Detect browser history Detect browser history Capture keystrokes (and other trojan functionality) Capture keystrokes (and other trojan functionality) Port scan the local network Port scan the local network

13 What can you do with JavaScript? (cont) Induce user actions Induce user actions Redirect to a different web site Redirect to a different web site Determine if they are logged on to a particular site Determine if they are logged on to a particular site Capture clipboard content Capture clipboard content Detect if the browser is being run in a virtual machine Detect if the browser is being run in a virtual machine Rewrite the status bar Rewrite the status bar Exploit browser vulnerabilities Exploit browser vulnerabilities Launch executable files (in some cases) Launch executable files (in some cases)

14 Example: Form Injection

15 Example: Virtual Defacement

16 Example: Pop-Up Alert

17 Example: Cookie Stealing

18 Example: XSS Worms Samy Worm Samy Worm Affected MySpace Affected MySpace Leveraged Stored XSS vulnerability so that for every visitor to Samys MySpace page, the following would silently happen: Leveraged Stored XSS vulnerability so that for every visitor to Samys MySpace page, the following would silently happen: The visitor would be added as Sammys friend The visitor would be added as Sammys friend The visitor would get an update to their page that infected it with the same JavaScript and left a message saying, but most of all, Samy is my hero. The visitor would get an update to their page that infected it with the same JavaScript and left a message saying, but most of all, Samy is my hero. Worm spread exponentially Worm spread exponentially Over 1 million friend requests in less than 20 hours Over 1 million friend requests in less than 20 hours

19 Cause of Injection Vulnerabilities: Improper Handling of User-Supplied Data >= 80% of web security issues caused by this! >= 80% of web security issues caused by this! NEVER Trust User/Client Input! NEVER Trust User/Client Input! Client-side checks/controls have to be invoked on the server too. Client-side checks/controls have to be invoked on the server too. Improper Input Validation Improper Input Validation Improper Output Validation Improper Output Validation More details in next section More details in next section

20 Preventing Injection Vulnerabilities In Your Apps Validate Input Validate Input Letters in a number field? Letters in a number field? 10 digits for 4 digit year field? 10 digits for 4 digit year field? Often only need alphanumeric Often only need alphanumeric Careful with " ' and = Careful with " ' and = Whitelist (e.g. /[a-zA-Z0-9]{0,20}/) Whitelist (e.g. /[a-zA-Z0-9]{0,20}/) Reject, dont try and sanitize Reject, dont try and sanitize

21 Preventing XSS In Your Applications Validate Output Validate Output Encode HTML Output Encode HTML Output If data came from user input, a database, or a file If data came from user input, a database, or a file Response.Write(HttpUtility.HtmlEncode(Request.Form[" name"])); Response.Write(HttpUtility.HtmlEncode(Request.Form[" name"])); Not 100% effective but prevents most vulnerabilities Not 100% effective but prevents most vulnerabilities Encode URL Output Encode URL Output If returning URL strings If returning URL strings Response.Write(HttpUtility.UrlEncode(urlString)); Response.Write(HttpUtility.UrlEncode(urlString)); How To: Prevent Cross-Site Scripting in ASP.NET How To: Prevent Cross-Site Scripting in ASP.NET us/library/ms aspx us/library/ms aspx XSS Prevention Cheat Sheet: XSS Prevention Cheat Sheet: Site_Scripting%29_Prevention_Cheat_Sheet Site_Scripting%29_Prevention_Cheat_Sheet

22 RULE #0 - Never Insert Untrusted Data Except in Allowed Locations (see rules 1-5)...NEVER PUT UNTRUSTED DATA HERE... directly in a script...NEVER PUT UNTRUSTED DATA HERE... directly in a script inside an HTML comment inside an HTML comment in an attribute name in an attribute name in a tag name in a tag name

23 RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE… …ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE… …ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE… any other normal HTML elements any other normal HTML elements

24 RULE #1 (continued) Escape these characters: Escape these characters: & --> & & --> & < < > --> > > --> > " --> " " --> " ' --> ' ' is not recommended ' --> ' ' is not recommended / --> / / --> / forward slash is included as it helps end an HTML entity forward slash is included as it helps end an HTML entity Remember HttpUtility.HtmlEncode() Remember HttpUtility.HtmlEncode()

25 RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes content content inside UNquoted attribute inside UNquoted attribute content content inside single quoted attribute inside single quoted attribute content content inside double quoted attribute inside double quoted attribute Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format or named entity if available. Examples: " ' Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format or named entity if available. Examples: " '

26 RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values The only safe place to put untrusted data into these event handlers as a quoted "data value. The only safe place to put untrusted data into these event handlers as a quoted "data value. alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...') inside a quoted string alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...') inside a quoted string x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...' one side of a quoted expression x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...' one side of a quoted expression inside quoted event handler inside quoted event handler Except for alphanumeric characters, escape all characters less than 256 with the \xHH format. Example: \x22 not \ Except for alphanumeric characters, escape all characters less than 256 with the \xHH format. Example: \x22 not \

27 RULE #3 (continued) But be careful! But be careful! window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...');

28 RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values selector { property :...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } property value selector { property :...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } property value text property value text property value Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Example: \22 not \ Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Example: \22 not \

29 RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values link link Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Example: %22 Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Example: %22 Remember HttpUtility.UrlEncode() Remember HttpUtility.UrlEncode()

30 Reduce Impact of XSS Vulnerabilities If Cookies Are Used: If Cookies Are Used: Scope as strict as possible Scope as strict as possible Set secure flag Set secure flag Set HttpOnly flag Set HttpOnly flag On the client, consider disabling JavaScript (if possible) or use something like the NoScript Firefox extension. On the client, consider disabling JavaScript (if possible) or use something like the NoScript Firefox extension.

31 Further Resources XSS Prevention Cheat Sheet XSS Prevention Cheat Sheet Site_Scripting%29_Prevention_Cheat_Sheet Site_Scripting%29_Prevention_Cheat_Sheet XSS Attacker Cheat Sheet XSS Attacker Cheat Sheet OWASP Enterprise Security APIs OWASP Enterprise Security APIs P_Enterprise_Security_API P_Enterprise_Security_API OWASP XSS Page OWASP XSS Page site_Scripting_%28XSS%29 site_Scripting_%28XSS%29

32 Demo: BeEF Browser Exploitation Framework Browser Exploitation Framework Written by Wade Alcorn Written by Wade Alcorn Architecture: Architecture:

33 Conclusion XSS vulnerabilities are bad. XSS vulnerabilities are bad. Avoid introducing XSS vulnerabilities in your code. Avoid introducing XSS vulnerabilities in your code. Please. They will only cause delays in getting your apps into production. Please. They will only cause delays in getting your apps into production. Give me your , I have a link you *really* need to see. Give me your , I have a link you *really* need to see.

34 Questions? Contact info: David Wharton


Download ppt "Cross Site Scripting (XSS) David Wharton Intrusion Detection & Prevention Regions Financial Corp."

Similar presentations


Ads by Google