Presentation on theme: "Past, Present and Future"— Presentation transcript:
1 Past, Present and Future Ghosts of XSSPast, Present and Future
2 Jim Manico VP Security Architecture, WhiteHat Security Web Developer, 15+ YearsOWASP Connections Committee ChairOWASP Podcast Series Producer/HostOWASP Cheat-Sheet Series Project ManagerOWASP Mobile Project Contributor
3 XSS: Why so serious? Session hijacking Site defacement Network scanningUndermining CSRF defensesSite redirection/phishingLoad of remotely hosted scriptsData theftKeystroke loggingGetting Stallowned
4 Past XSS Defensive Strategies 1990’s style XSS preventionEliminate <, >, &, ", ' characters?Eliminate all special characters?Disallow user input?Global filter?Why won't these strategies work?
5 XSS Defense, 1990’s Data Type Defense Any Data Input Validation #absolute-total-fail
6 Past XSS Defensive Strategies Y2K style XSS preventionHTML Entity EncodingReplace characters with their 'HTML Entity’ equivalentExample: replace the "<" character with "<"Why won't this strategy work?
7 XSS Defense, 2000 Why won't this strategy work? Data Type Defense Any DataHTML Entity EncodingWhy won't this strategy work?
8 Danger: Multiple Contexts Browsers have multiple contexts that must be considered!HTML BodyHTML Attributes<STYLE> Context<SCRIPT> ContextURL Context
11 ESAPI CSS Encoder Pwnd I got some bad news From: Abe [mailto:abek1 at sbcglobal.net]Sent: Thursday, February 12, :56 AMSubject: RE: ESAPI and CSS vulnerability/problemI got some bad newshttps://lists.owasp.org/pipermail/owasp-esapi/2009-February/ html
12 CSS Pwnage Test Case<div style="width: <%=temp3%>;"> Mouse over </div> temp3 = ESAPI.encoder().encodeForCSS("expression(alert(String.fromCharCode (88,88,88)))"); <div style="width: expression\28 alert\28 String\2e fromCharCode\20 \28 88\2c 88\2c 88\29 \29 \29 ;"> Mouse over </div> Pops in at least IE6 and IE7. lists.owasp.org/pipermail/owasp-esapi/2009-February/ htmlhttps://lists.owasp.org/pipermail/owasp-esapi/2009-February/ html
24 Context Aware Auto-Escaping Context-Sensitive Auto-Sanitization (CSAS) from GoogleRuns during the compilation stage of the Google Closure Templates to add proper sanitization and runtime checks to ensure the correct sanitization.Java XML Templates (JXT) from OWASP by Jeff IchnowskiFast and secure XHTML-compliant context-aware auto-encoding template language that runs on a model similar to JSP.Apache Velocity Auto-Escaping by Ivan Ristic
25 Auto Escaping Tradeoffs Developers need to write highly compliant templatesNo "free and loose" coding like JSPRequires extra time but increases qualityThese technologies often do not support complex contextsSome are not context aware (really really bad)Some choose to let developers disable auto-escaping on a case-by-case basis (really bad)Some choose to encode wrong (bad)Some choose to reject the template (better)
28 THANK YOU! firstname.lastname@example.org Gaz Heyes Abe Kang Mike Samuel Jeff IchnowskiAdam BarthJeff Williamsmany many others…