©2009 Justin C. Klein Keane
PHP Code Auditing
Session 5: XSS & XSRF
Justin C. Klein Keane

Types of XSS
Non-persistent (reflected)
Persistent (stored)
DOM-based

Reflected XSS
Script that is passed to the site is rendered back to the browser
Like string format vulnerabilities, originally considered a harmless bug
A common scenario is a search engine that returns a value such as “Your search for X returned Y records”
Developers didn't care if site users caused pop-ups to appear

Reflected XSS Takes Imagination
Attackers quickly figured out ways to exploit reflected XSS
  – URL-passed variables used to redirect users to other sites
  – Combined with a link or form on another site to create a trust compromise
  – Generally involves social engineering of some sort

Persistent XSS
Attacker injects script that is stored on the target and displayed to any user requesting the page
At a minimum can cause a denial of service

Typical XSRF
User logs into a target site as an admin
User views a page with a persistent XSS
The script then calls a form or submits an AJAX request with attacker-determined values
Can be used to do things like change the user's password or perhaps exploit other vulnerabilities in authenticated areas of the site
Attacker uses XSRF to reset SOHO router settings

Protecting Against XSRF
Forms contain a transitory token that is tied to the user account
Token must then be passed in the form submission in order to carry out an action
Even this is not foolproof, as a clever XSRF can instantiate an iframe that includes a legitimate call to the form, with a valid token

Other XSRF Defenses
Require a user to fill in the existing password in order to change it
Auto-complete on form fields can defeat even this protection, however

Preventing XSS & XSRF
Essentially a problem of validating user input
Filters for “known bad” are especially dangerous with XSS
  – New techniques emerge regularly
  – Browsers change
  – New web browsers emerge

Mitigation Strategy
Disallow HTML
Don't utilize user-supplied input in display (including scripts) without careful sanitization
DO NOT ALLOW BAD DATA INTO THE DB!
  – Do NOT sanitize exclusively on output!
Use a library for translation
  – This can be useful if the library is centrally maintained, as it can easily evolve
  – Still a broadside approach, not as effective as limiting to known good

Useful PHP Functions
htmlspecialchars()
  – '&' to '&amp;'
  – “ to '&quot;'
  – ' to '&#039;'
  – < to '&lt;'
  – > to '&gt;'
htmlentities()
  – Much more thorough: all characters with HTML equivalents are translated

More PHP
strip_tags() – strips out all HTML (and PHP) tags
  – Can optionally allow certain tags
fgetss() – same as fgets(), which gets a line from a file pointer, but strips tags

More Useful PHP Functions
ereg_replace()
  – Allow only the characters you want
eregi_replace()
preg_replace()

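As an added example (not from the slides), here is how the XSRF token and output-encoding advice above fits together in PHP: a change-password handler with a session-bound token compared via hash_equals(), the "re-enter the existing password" check, and htmlspecialchars() with ENT_QUOTES, which is what makes the ' to &#039; translation listed above actually happen (older PHP defaults left single quotes alone). Function and field names are assumptions, and the stored hash is a constructed stand-in for a database lookup.

```php
<?php
// Added example (not from the slides): a change-password handler using a
// session-bound XSRF token, a current-password check, and htmlspecialchars()
// with ENT_QUOTES on everything echoed. Names and the demo hash are assumptions.
declare(strict_types=1);
session_start();
// One token per session; cleared after a successful use so each form is one-shot.
function xsrf_token(): string
{
    return $_SESSION['xsrf_token'] ??= bin2hex(random_bytes(32));
}

// Constant-time comparison so the check itself leaks nothing about the token.
function xsrf_token_valid(?string $submitted): bool
{
    return $submitted !== null && isset($_SESSION['xsrf_token'])
        && hash_equals($_SESSION['xsrf_token'], $submitted);
}

// Output encoding for HTML body/attribute context; ENT_QUOTES turns ' into &#039;
// (older PHP defaults left single quotes alone, which is unsafe in attributes).
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Stand-in for the user store: a real app loads this hash from the database.
$_SESSION['password_hash'] ??= password_hash('constructed-demo-pw', PASSWORD_DEFAULT);
$message = '';
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!xsrf_token_valid($_POST['token'] ?? null)) {
        http_response_code(403);
        $message = 'Request rejected: missing or invalid form token.';
    } elseif (!password_verify((string)($_POST['current'] ?? ''), $_SESSION['password_hash'])) {
        $message = 'Current password does not match.'; // "re-enter existing password" defense
    } else {
        $_SESSION['password_hash'] = password_hash((string)($_POST['new'] ?? ''), PASSWORD_DEFAULT);
        unset($_SESSION['xsrf_token']); // next render issues a fresh token
        $message = 'Password changed.';
    }
}
?>
<p><?= h($message) ?></p>
<form method="post">
  <input type="hidden" name="token" value="<?= h(xsrf_token()) ?>">
  <input type="password" name="current" autocomplete="current-password" placeholder="current">
  <input type="password" name="new" autocomplete="new-password" placeholder="new">
  <button type="submit">Change password</button>
</form>
```

On current PHP use preg_replace() for the allow-list filtering described above, since the ereg family was removed in PHP 7.0 and fgetss() in PHP 8.0.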
Finding XSS
Tools can sometimes be useful
Code analysis may not be as effective
Enter text such as <script>alert('foo');</script> in every possible input value and observe the results

Filter Evasion Techniques
Alternating case: