Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cross Site Scripting (XSS)

Published byMiranda Dyas Modified over 10 years ago

Similar presentations

Presentation on theme: "Cross Site Scripting (XSS)"— Presentation transcript:

1 Cross Site Scripting (XSS)
David Wharton Intrusion Detection & Prevention Regions Financial Corp.

2 Overview Introduction What is XSS? Is XSS Important? Exploiting XSS
Preventing XSS BeEF Demo Conclusion Questions

3 Introduction

4 What is XSS? XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website. XSS bypasses same-origin policy protection “The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages on different sites.“ “The term ‘origin’ is defined using the domain name, application layer protocol, and (in most browsers) TCP port” Requires some sort of social engineering to exploit. Compared URL Outcome Reason Success Same protocol and host Success Same protocol and host

5 Types of XSS Reflected XSS Stored XSS (a.k.a. “Persistent XSS”)
DOM Based XSS

6 Reflected XSS

7 Reflected XSS Example Exploit URL: HTML returned to victim:
HTML returned to victim: <div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')</script>"</h2>

8 Reflected XSS Example Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request which, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim's session token or login credentials, performing arbitrary actions on the victim's behalf, and logging their keystrokes.

9 Stored XSS JavaScript supplied by the attacker is stored by the website (e.g. in a database) Doesn’t require the victim to supply the JavaScript somehow, just visit the exploited web page More dangerous than Reflected XSS Has resulted in many XSS worms on high profile sites like MySpace and Twitter (discussed later)

10 DOM Based XSS http://www.some.site/page.html?default=ASP.NET
Occur in the content processing stages performed by the client <select><script> document.write("<OPTION value=1>"+document.location.href.substring(document.location.href.indexOf("default=")+8)+"</OPTION>"); </script></select> /page.html?default=<script>alert(document.cookie)</script> Source: Source:

11 Is XSS Dangerous? Yes OWASP Top 2 Defeats Same Origin Policy
Just think, any JavaScript you want will be run in the victim’s browser in the context of the vulnerable web page Hmmm, what can you do with JavaScript?

12 What can you do with JavaScript?
Pop-up alerts and prompts Access/Modify DOM Access cookies/session tokens “Circumvent” same-origin policy Virtually deface web page Detect installed programs Detect browser history Capture keystrokes (and other trojan functionality) Port scan the local network

13 What can you do with JavaScript? (cont)
Induce user actions Redirect to a different web site Determine if they are logged on to a particular site Capture clipboard content Detect if the browser is being run in a virtual machine Rewrite the status bar Exploit browser vulnerabilities Launch executable files (in some cases)

14 Example: Form Injection

15 Example: Virtual Defacement

16 Example: Pop-Up Alert

17 Example: Cookie Stealing

18 Example: XSS Worms Samy Worm Affected MySpace
Leveraged Stored XSS vulnerability so that for every visitor to Samy’s MySpace page, the following would silently happen: The visitor would be added as Sammy’s friend The visitor would get an update to their page that infected it with the same JavaScript and left a message saying, “but most of all, Samy is my hero”. Worm spread exponentially Over 1 million friend requests in less than 20 hours Twitter XSS worm this week, affected 500K accounts!

19 Cause of Injection Vulnerabilities: Improper Handling of User-Supplied Data
>= 80% of web security issues caused by this! NEVER Trust User/Client Input! Client-side checks/controls have to be invoked on the server too. Improper Input Validation Improper Output Validation More details in next section

20 Preventing Injection Vulnerabilities In Your Apps
Validate Input Letters in a number field? 10 digits for 4 digit year field? Often only need alphanumeric Careful with < > " ' and = Whitelist (e.g. /[a-zA-Z0-9]{0,20}/) Reject, don’t try and sanitize

21 Preventing XSS In Your Applications
Validate Output Encode HTML Output If data came from user input, a database, or a file Response.Write(HttpUtility.HtmlEncode(Request.Form["name"])); Not 100% effective but prevents most vulnerabilities Encode URL Output If returning URL strings Response.Write(HttpUtility.UrlEncode(urlString)); How To: Prevent Cross-Site Scripting in ASP.NET XSS Prevention Cheat Sheet:

22 RULE #0 - Never Insert Untrusted Data Except in Allowed Locations (see rules 1-5)
<script>...NEVER PUT UNTRUSTED DATA HERE...</script> directly in a script <!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment <div ...NEVER PUT UNTRUSTED DATA HERE...=test /> in an attribute name <...NEVER PUT UNTRUSTED DATA HERE... href="/test" /> in a tag name

23 RULE #1 - HTML Escape Before Inserting Untrusted Data into HTML Element Content
<body>...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…</body> <div>…ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…</div> any other normal HTML elements

24 RULE #1 (continued) Escape these characters:
& --> & < --> < > --> > " --> " ' --> ' &apos; is not recommended / --> / forward slash is included as it helps end an HTML entity Remember HttpUtility.HtmlEncode()

25 RULE #2 - Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
<div attr=…ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…>content</div> inside UNquoted attribute <div attr='…ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…'>content</div> inside single quoted attribute <div attr="…ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE…">content</div> inside double quoted attribute Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format or named entity if available. Examples: " '

26 RULE #3 - JavaScript Escape Before Inserting Untrusted Data into HTML JavaScript Data Values
The only safe place to put untrusted data into these event handlers as a quoted "data value.“ <script>alert('...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...')</script> inside a quoted string <script>x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'</script> one side of a quoted expression <div onmouseover="x='...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...'"</div> inside quoted event handler Except for alphanumeric characters, escape all characters less than 256 with the \xHH format. Example: \x22 not \”

27 RULE #3 (continued) But be careful!
<script> window.setInterval('...EVEN IF YOU ESCAPE UNTRUSTED DATA YOU ARE XSSED HERE...'); </script>

28 RULE #4 - CSS Escape Before Inserting Untrusted Data into HTML Style Property Values
<style>selector { property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...; } </style> property value <span style=property : ...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...;>text</style> property value Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. Example: \22 not \”

29 RULE #5 - URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
<a href=" ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a > Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the %HH escaping format. Example: %22 Remember HttpUtility.UrlEncode()

30 Reduce Impact of XSS Vulnerabilities
If Cookies Are Used: Scope as strict as possible Set ‘secure’ flag Set ‘HttpOnly’ flag On the client, consider disabling JavaScript (if possible) or use something like the NoScript Firefox extension.

31 Further Resources XSS Prevention Cheat Sheet XSS Attacker Cheat Sheet
XSS Attacker Cheat Sheet OWASP Enterprise Security APIs OWASP XSS Page

32 Demo: BeEF Browser Exploitation Framework Written by Wade Alcorn
Architecture:

33 Conclusion XSS vulnerabilities are bad.
Avoid introducing XSS vulnerabilities in your code. Please. They will only cause delays in getting your apps into production. Give me your , I have a link you *really* need to see. 

34 Questions? Contact info: David Wharton

Download ppt "Cross Site Scripting (XSS)"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
Appeared in 30 th IEEE Symposium on Security and Privacy, May 2009. Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.

The OWASP Foundation Web Application Security Host Apps Firewall Host Apps Database Host Web serverApp serverDB server Securing the.
© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.

© 2008 Security Compass inc. 1 Firefox Plug-ins for Application Penetration Testing Exploit-Me.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.

JavaScript FaaDoOEngineers.com FaaDoOEngineers.com.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.

A NTI S AMY J AVA I NTRODUCTION Wang Wenjun June 2011.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
Cross Site Scripting & SQL injection

Cross Site Scripting & SQL injection
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,

Similar presentations

Ads by Google