Presentation on theme: "Past, Present and Future"— Presentation transcript:
1Past, Present and Future Ghosts of XSSPast, Present and Future
2Jim Manico VP Security Architecture, WhiteHat Security Web Developer, 15+ YearsOWASP Connections Committee ChairOWASP Podcast Series Producer/HostOWASP Cheat-Sheet Series Project ManagerOWASP Mobile Project Contributor
3XSS: Why so serious? Session hijacking Site defacement Network scanningUndermining CSRF defensesSite redirection/phishingLoad of remotely hosted scriptsData theftKeystroke loggingGetting Stallowned
4Past XSS Defensive Strategies 1990’s style XSS preventionEliminate <, >, &, ", ' characters?Eliminate all special characters?Disallow user input?Global filter?Why won't these strategies work?
5XSS Defense, 1990’s Data Type Defense Any Data Input Validation #absolute-total-fail
6Past XSS Defensive Strategies Y2K style XSS preventionHTML Entity EncodingReplace characters with their 'HTML Entity’ equivalentExample: replace the "<" character with "<"Why won't this strategy work?
7XSS Defense, 2000 Why won't this strategy work? Data Type Defense Any DataHTML Entity EncodingWhy won't this strategy work?
8Danger: Multiple Contexts Browsers have multiple contexts that must be considered!HTML BodyHTML Attributes<STYLE> Context<SCRIPT> ContextURL Context
11ESAPI CSS Encoder Pwnd I got some bad news From: Abe [mailto:abek1 at sbcglobal.net]Sent: Thursday, February 12, :56 AMSubject: RE: ESAPI and CSS vulnerability/problemI got some bad newshttps://lists.owasp.org/pipermail/owasp-esapi/2009-February/ html
12CSS Pwnage Test Case<div style="width: <%=temp3%>;"> Mouse over </div> temp3 = ESAPI.encoder().encodeForCSS("expression(alert(String.fromCharCode (88,88,88)))"); <div style="width: expression\28 alert\28 String\2e fromCharCode\20 \28 88\2c 88\2c 88\29 \29 \29 ;"> Mouse over </div> Pops in at least IE6 and IE7. lists.owasp.org/pipermail/owasp-esapi/2009-February/ htmlhttps://lists.owasp.org/pipermail/owasp-esapi/2009-February/ html
24Context Aware Auto-Escaping Context-Sensitive Auto-Sanitization (CSAS) from GoogleRuns during the compilation stage of the Google Closure Templates to add proper sanitization and runtime checks to ensure the correct sanitization.Java XML Templates (JXT) from OWASP by Jeff IchnowskiFast and secure XHTML-compliant context-aware auto-encoding template language that runs on a model similar to JSP.Apache Velocity Auto-Escaping by Ivan Ristic
25Auto Escaping Tradeoffs Developers need to write highly compliant templatesNo "free and loose" coding like JSPRequires extra time but increases qualityThese technologies often do not support complex contextsSome are not context aware (really really bad)Some choose to let developers disable auto-escaping on a case-by-case basis (really bad)Some choose to encode wrong (bad)Some choose to reject the template (better)
28THANK YOU! firstname.lastname@example.org Gaz Heyes Abe Kang Mike Samuel Jeff IchnowskiAdam BarthJeff Williamsmany many others…