Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

Published byYasmin Bankes Modified over 9 years ago

Similar presentations

Presentation on theme: "©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane"— Presentation transcript:

1 ©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane jukeane@sas.upenn.edu

2 ©2009 Justin C. Klein Keane XSS Basics Cross Site Scripting (XSS) Attacker leverages domain trust to exploit a victim Commonly uses JavaScript, but can us AJAX or other technologies

3 ©2009 Justin C. Klein Keane How XSS Works Attacker injects JavaScript into display The Javascript can take many forms: – javascript:foo – alert('foo'); – javascript:alert – Any tag or attribute that supports JavaScript can be used!

4 ©2009 Justin C. Klein Keane Types of XSS Non-persistent (reflected) Persistent (stored) DOM-based

5 ©2009 Justin C. Klein Keane Reflected XSS Script that is passed to the site is rendered back to the browser Like string format vulnerabilities, originally considered a harmless bug Common scenarios is a search engine that returns a value of “Your search for X returned Y records” Developers didn't care if site users cause pop- ups to appear

6 ©2009 Justin C. Klein Keane Reflected XSS Takes Imagination Attackers quickly figured out ways to exploit reflected XSS – URL passed variables used to redirect users to other sites – Combined with e-mail or link or form on another site to create a trust compromise – Generally involves social engineering of some sort

7 ©2009 Justin C. Klein Keane Persistent XSS Attacker injects script that is stored on the target and displayed to any user requesting the page At a minimum can cause a denial of service

8 ©2009 Justin C. Klein Keane Dangers of Persistent XSS Attacker can exploit JavaScript to attack victims Can steal cookies by posting them to another site Can use document.write() to display arbitrary text (including links for click fraud) Can do key logging via JavaScript

9 ©2009 Justin C. Klein Keane DOM Based XSS Client side JavaScript includes variables attacker can manipulate to inject script Because the JavaScript is dynamic DOM based XSS can be much more difficult to spot

10 ©2009 Justin C. Klein Keane Typical XSS Attacks Attacker sends an e-mail to a user insisting they change their account credentials and includes a link to your site – the link actually includes an XSS that redirects the user to attacker controlled site where credentials are harvested Attacker injects JavaScript to steal cookies which are used for session hijacking

11 ©2009 Justin C. Klein Keane More XSS Attacks Attacker injects JavaScript to manipulate display by hiding or overwriting page elements Attacker injects a link or image that drives traffic to another site (click fraud and Google jacking) Attacker injects JavaScript that records each keystroke Attacker injects JavaScript that calls a malicious URL for drive by downloading Attacker injects JavaScript that exploits browser vulnerabilities (or browser object vulnerabilities such as PDF)

12 ©2009 Justin C. Klein Keane XSRF Attacks Client side scripts that perform background actions using the authentication of a user Can be extremely useful in bypassing authentication XSRF exploits the fact that browsers send cookies by default with every page request Limited somewhat by the same domain origin policy of JavaScript

13 ©2009 Justin C. Klein Keane Typical XSRF User logs into a target site as an admin User views a page with a persistent XSS The script then calls a form or submits an AJAX request with attacker determined values Can be used to do things like change the user's password or perhaps exploit other vulnerabilities in authenticated areas of the site Attacker uses XSRF to reset SOHO router settings

14 ©2009 Justin C. Klein Keane Protecting Against XSRF Forms contain a transitory token that is tied to the user account Token must then be passed in the form submission in order to carry out an action Even this is not foolproof as a clever XSRF can instantiate an iframe that includes a legitimate call to the form, with a valid token

15 ©2009 Justin C. Klein Keane Other XSRF Defenses Require a user to fill in existing password in order to change it Auto complete on form fields can defeat even this protection, however

16 ©2009 Justin C. Klein Keane XSS & XSRF Obfuscation JavaScript is commonly encoded – URL encoding – Base64 encoding – ROT13 JavaScript may be calling externally hosted JavaScript

17 ©2009 Justin C. Klein Keane Obscure XSS Image tags can be used to display JavaScript CSS can also be used to display JavaScript on IE using the exec() statement Iframe source can be JavaScript META refresh tags Object tags For more see http://ha.ckers.org/xss.html

18 ©2009 Justin C. Klein Keane Preventing XSS & XSRF Essentially a problem of validating user input Filters for “known bad” are especially dangerous with XSS – New techniques emerge regularly – Browsers change – New web browsers emerge

19 ©2009 Justin C. Klein Keane Mitigation Strategy Disallow HTML Don't utilize user supplied input in display (including scripts) without careful sanitization DO NOT ALLOW BAD DATA INTO THE DB! – Do NOT sanitize exclusively on output! Use a library for translation – This can be useful if the library is centrally maintained as it can easily evolve – Still a broadside approach, not as effective as limiting to known good

20 ©2009 Justin C. Klein Keane Useful PHP Functions htmlspecialchars() – '&' to '&' – “ to " – ' to ' – < to < – > to > htmlentities() – Much more thorough, all characters with HTML equivalents are translated.

21 ©2009 Justin C. Klein Keane More PHP strip_tags() - strips out all HTML (and PHP) tags – Can optionally allow certain tags fgetss() - same as fgets(), which gets a line from a pointer, but strips tags

22 ©2009 Justin C. Klein Keane More Useful PHP Functions ereg_replace() – Allow only characters you want eregi_replace() preg_replace()

23 ©2009 Justin C. Klein Keane Finding XSS Tools can sometimes be useful Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results

24 ©2009 Justin C. Klein Keane Filter Evasion Techniques Alternating case: <ScRiPt Inject “legal” characters – script/src= – <scr%00ipt URL encoding input – alert('foo'); – <script>al&# 101;rt('foo')&#05 9;</script&#062 – %3cscript%3e – %253script%253e

25 ©2009 Justin C. Klein Keane Filter Exploitation Be careful that any filters you use can't be used against you Filters that remove text might actually be used to de-mangle input: – A filter that removes the string “ ” can be defeated using the input: ipt>

26 ©2009 Justin C. Klein Keane Other Concerns XSS in uploaded files (images, PDF, etc.) Code analysis may not be as effective Enter text such as alert('foo'); in every possible input value and observe results

Download ppt "©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane"

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
Cross Site Scripting (XSS)

Cross Site Scripting (XSS)
Cross-site Request Forgery (CSRF) Attacks

Cross-site Request Forgery (CSRF) Attacks
Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.

Cross Site Scripting a.k.a. XSS Szymon Siewior. Disclaimer Everything that will be shown, was created for strictly educational purposes. You may reuse.
COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.

COMP 321 Week 12. Overview Web Application Security  Authentication  Authorization  Confidentiality Cross-Site Scripting Lab 12-1 Introduction.
9/9/2005 Developing Secure Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.

9/9/2005 Developing "Secure" Web Applications 1 Methods & Concepts for Developing “Secure” Web Applications Peter Y. Hammond, Developer Wasatch Front Regional.
Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.

Chapter 9 Web Applications. Web Applications are public and available to the entire world. Easy access to the application means also easy access for malicious.
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Lecture 16 Page 1 CS 236 Online Cross-Site Scripting XSS Many sites allow users to upload information –Blogs, photo sharing, Facebook, etc. –Which gets.

Similar presentations

Ads by Google