
1 Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014

2 Doupé - 11/24/14

3 Ethics
- Only hack into sites you own
  – Or sites you have permission to test
- Popular sites may have a bug bounty program
  – Facebook
  – github
  – Google
- You will get caught

4 Tech
- HTTP
- HTML
- CSS
- JavaScript
- SQL
- Server-Side Code (Python/PHP/Ruby)

5 Many Vulnerabilities
- Cross-Site Scripting (XSS)
- SQL Injection
- Cross-Site Request Forgery (XSRF)
- HTTP Parameter Pollution (HPP)
- Command Injection
- Parameter Manipulation
- File Exposure
- Directory Traversal
- Forced Browsing
- Logic Flaws
- Execution After Redirect (EAR)



8 Web Applications (diagram; labels: HTTP, SQL)

9 Web Applications (diagram; labels: JavaScript, HTTP, SQL)


11 HTTP Client Request
GET / HTTP/1.1
User-Agent: curl/7.37.1
Host: www.facebook.com
Accept: */*

12 HTTP Server Response
HTTP/1.1 200 OK
Expires: Sat, 01 Jan 2000 00:00:00 GMT
Set-Cookie: datr=cohyVEAwQmq5jJh2cWZ9pZc9; expires=Wed, 23-Nov-2016 01:22:58 GMT; Max-Age=63072000; path=/; domain=.facebook.com; httponly
Set-Cookie: reg_ext_ref=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.facebook.com
Set-Cookie: reg_fb_ref=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Set-Cookie: reg_fb_gate=https%3A%2F%2Fwww.facebook.com%2F; path=/; domain=.facebook.com
Content-Type: text/html; charset=utf-8
...
(HTML body; page title: Welcome to Facebook - Log In, Sign Up or Learn More)

13 JavaScript
- Makes the page dynamic
- Full control over the page
  – Layout
  – Asynchronous requests
  – Event handlers
- Code from the website running in your browser


16 Same Origin Policy
- The browser's security policy for JavaScript
- An origin is the tuple (protocol, host, port)
  – https://www.facebook.com/ → (https, www.facebook.com, 443)
  – http://www.cnn.com/ → (http, www.cnn.com, 80)

17 Same Origin Policy – what it governs
- Cookies (document.cookie)
- DOM
- localStorage
- XMLHttpRequests
- img (an image from another origin may be embedded and displayed; its contents stay opaque to script)
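As an added illustration of slides 16 and 17 (example code written for this transcript, not from the original deck), the following Python computes the origin tuple the way the browser does, filling in the default port, and contrasts it with cookie scoping, which RFC 6265 bases on domain and path only and which ignores scheme and port. The `domain=.facebook.com` cookies in the slide 12 response are therefore sent to every facebook.com host on any port, even though those hosts are distinct origins. The URLs are the slides' own; the `DEFAULT_PORTS` table and the function names are assumptions of the example, and the Secure and HttpOnly attributes are deliberately left out of the cookie check.

```python
from urllib.parse import urlsplit

# Ports the browser fills in when the URL omits one (assumption: only the
# two schemes the slides use matter here).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (scheme, host, port) tuple the same-origin policy compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    if host == "" or port is None:
        raise ValueError("not an http(s) URL with a host: %r" % url)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when script loaded from url_a may read the DOM of url_b."""
    return origin(url_a) == origin(url_b)


def cookie_applies(cookie_domain, cookie_path, url):
    """Rough RFC 6265 scoping: is a cookie with this Domain and Path sent
    with a request to url?  Note that scheme and port play no part, which
    is why cookie scope is wider than an origin."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = cookie_domain.lower().lstrip(".")      # leading dot is ignored
    domain_ok = host == domain or host.endswith("." + domain)
    req_path = parts.path or "/"
    path_ok = (req_path == cookie_path
               or (req_path.startswith(cookie_path)
                   and (cookie_path.endswith("/")
                        or req_path[len(cookie_path)] == "/")))
    return domain_ok and path_ok


if __name__ == "__main__":
    a, b = "https://www.facebook.com/", "https://www.facebook.com:8443/"
    print(origin(a), origin(b), same_origin(a, b))          # different origins
    print(cookie_applies(".facebook.com", "/", b))           # ...same cookie jar
```

The last two lines are the practitioner's point: a script on port 8443 cannot read the port-443 DOM, yet the browser attaches the same session cookie to both, so an XSS bug on any host under the cookie's domain is enough to act as the user.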

18 Cross-Site Scripting (XSS)
Malicious JavaScript running in the context of your web application

19 XSS – Example
test.php prints "Hello " followed by the value of the name query parameter, inserted into the HTML response without any encoding (the PHP source shown on this slide was lost in extraction).

20 http://example.com/test.php?name=adam
Hello

21 http://example.com/test.php?name=adam
Hello adam

24 http://example.com/test.php?name=<script>alert('xss')</script>
Hello

25 http://example.com/test.php?name=<script>alert('xss')</script>
Hello <script>alert('xss')</script>
The script element is now part of the page, so the browser executes the attacker's JavaScript in the origin of example.com.

28 http://example.com/test.php?name=[injected script; the value shown on this slide was lost in extraction]

29 Reflected XSS (diagram; labels: HTTP, JavaScript)
The script travels in the request URL and is echoed straight back in the response to whoever sent that request, so the attacker has to get a victim to open the crafted link.

30 http://example.com/test.php?title=[injected script; lost in extraction] (diagram; label: SQL)
Here the payload is saved, as a title, into the database.

31 Stored XSS (diagram; labels: HTTP, SQL, JavaScript)
Every user who later views the stored content receives the script as part of the page and runs it; no crafted link is needed.
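To make slides 19 to 31 concrete, here is an added Python rendition of the test.php page (example code for this transcript; the deck's own PHP was not recoverable) with the vulnerable echo beside the output-encoded version, followed by the same mistake in the stored setting, where a list stands in for the SQL table. The payload is the slides' alert('xss') wrapped in script tags; `POSTS`, the function names and the `contains_script_element` oracle are assumptions of the example.

```python
import html

# Payload from slides 24-25, with the script tags the extraction dropped.
PAYLOAD = "<script>alert('xss')</script>"


def render_hello_vulnerable(name):
    """test.php as the slides describe it: the name parameter is echoed raw
    into the HTML body, so any markup in it becomes part of the page."""
    return "<html><body>Hello " + name + "</body></html>"


def render_hello_safe(name):
    """Same page with output encoding for the HTML body context: & < > " '
    become entities, so the browser shows the payload as text."""
    return "<html><body>Hello " + html.escape(name, quote=True) + "</body></html>"


def save_post(posts, title):
    """Stored variant (slide 30): the title goes into the 'database' exactly
    as submitted.  Storing it raw is fine; the bug is rendering it raw later."""
    posts.append(title)


def render_posts(posts, escape):
    """Slide 31: every viewer receives whatever was stored.  With escape=False
    this is stored XSS; with escape=True each title is encoded at output."""
    items = [html.escape(t, quote=True) if escape else t for t in posts]
    return "<ul>" + "".join("<li>" + t + "</li>" for t in items) + "</ul>"


def contains_script_element(markup):
    """Crude oracle for the examples: does the response carry a <script> tag?"""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_hello_vulnerable("adam"))
    print(render_hello_vulnerable(PAYLOAD))   # script element reaches the browser
    print(render_hello_safe(PAYLOAD))         # &lt;script&gt;... shown as text
    posts = []
    save_post(posts, PAYLOAD)
    print(render_posts(posts, escape=False))  # every viewer runs the script
    print(render_posts(posts, escape=True))
```

The encoding happens where the value meets the HTML, not where it enters the application; that is what lets the same stored string be rendered safely on one page and, if a developer forgets, dangerously on another.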

32 Exploits – Phishing
- Malicious JavaScript can completely control the DOM
- Change the current page into a login page whose form sends the credentials to the attacker


34 Exploits – Session Theft
- HTTP is session-less
  – No HTTP-native way to tie requests to the same user
- Web applications typically use cookies to create a session
  – The session describes who the user is and whether they have passed authentication
- JavaScript has access to cookies…
  – except cookies set with the httponly flag (as the datr cookie on slide 12 is); those are still sent by the browser, just not readable from document.cookie

35 Exploits – Session Theft (diagram; labels: JavaScript, HTTP, SQL)

36 Exploits – Unauthorized Actions
- JavaScript can make requests to the web application
  – The browser sends the cookies (HttpOnly ones included)
  – Appears as if the user made the request (clicked the link or filled out the form)
- Malicious JavaScript can make requests to the web application on your behalf

37 (diagram; label: JavaScript)

38 Exploits – Worms
- Stored XSS vulnerability + Unauthorized Actions
  – Self-propagating worm
- Social networks particularly susceptible
  – "samy is my hero" (2005)
  – Tweetdeck (2014)


42 XSS – Detection
- Understand how the input is used in the HTML source
- Input "forbidden" characters
  – < > ' " ; /
- Understand what sanitization is performed
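Added example for slide 42 (not from the original deck): a Python helper that wraps the slide's forbidden characters in a recognizable canary, then reads the response body and reports, per character, whether the server reflected it raw, entity-encoded it, or stripped it. The response bodies used below are constructed for the test; `CANARY`, `PROBE_CHARS` and the function names are the example's own.

```python
import html
import re

# Characters slide 42 calls "forbidden": if one is reflected unencoded in an
# HTML response, the input reaches the page with no sanitization.
PROBE_CHARS = "<>'\";/"
CANARY = "zx9q"   # unusual token so the probe can be located in the body


def build_probe():
    """Value to submit in the suspect parameter, e.g. ?name=<probe>."""
    return CANARY + PROBE_CHARS + CANARY


def classify_reflection(body):
    """Find the probe in a response body and classify each probe character.

    Returns None when the canary is absent (the input is not reflected at
    all), otherwise a dict char -> "raw" | "encoded" | "stripped".
    """
    m = re.search(re.escape(CANARY) + "(.*?)" + re.escape(CANARY), body, re.S)
    if not m:
        return None
    between = m.group(1)
    # Tokenize into entities (&lt; &#x27; ...) and single characters, so the
    # ';' that merely terminates an entity is not mistaken for a raw ';'.
    tokens = re.findall(r"&#?\w+;|.", between, re.S)
    raw = {t for t in tokens if len(t) == 1}
    encoded = {html.unescape(t) for t in tokens if len(t) > 1}
    report = {}
    for ch in PROBE_CHARS:
        if ch in raw:
            report[ch] = "raw"
        elif ch in encoded:
            report[ch] = "encoded"
        else:
            report[ch] = "stripped"
    return report


def exploitable_in_html_body(report):
    """Breaking out of an HTML body context needs '<' and '>' to survive raw."""
    return report is not None and report["<"] == "raw" and report[">"] == "raw"


if __name__ == "__main__":
    # Constructed responses standing in for three different servers.
    for body in ("<p>Hello " + build_probe() + "</p>",
                 "<p>Hello " + html.escape(build_probe(), quote=True) + "</p>",
                 "<p>Hello adam</p>"):
        r = classify_reflection(body)
        print(r, exploitable_in_html_body(r))
```

The verdict function only covers the HTML body context; if the probe lands inside an attribute or a script block, a raw quote or a raw `</` is what matters, so read the report against the context you found in step one rather than trusting a single yes/no.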

43 XSS – Prevention
- Encode all user input with a known, well-tested routine at the point where it is written into the page
- Which encoding is needed depends on where the output lands in the HTML page
  – In HTML body or attribute context: & < > " ' must become entities (the slide's character list was lost in extraction)
  – In a JavaScript string: escaping the quote character alone is not enough; backslashes, newlines and the sequence </script> must be escaped too, because </script> ends the script element regardless of string state

44 (examples of output contexts)
- JavaScript string context: var test = " ";
- HTML entity encoding for > < (the encoded forms on the slide were lost in extraction)
- URL encoding: %27 is the single quote
- URL context: http://example.com/?adam=$name
- Event-handler attribute: onload="javascript:alert(xss);"
- JavaScript string breakout: ""alert('xss');//"
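Added Python example for slides 43 and 44 (not from the original deck): one encoder per output context, driven by breakout strings modelled on the slide. It also keeps a deliberately naive "escape only the quote" routine to show why that is not enough inside a JavaScript string: a backslash in the input neutralizes the added backslash, and a </script> in the input closes the script element no matter what the JavaScript parser thinks. The payload constants and function names are assumptions of the example.

```python
import html
import json
from urllib.parse import quote

# Breakout inputs modelled on slide 44 (curly quotes normalized to ASCII).
JS_DOUBLE_QUOTE_BREAKOUT = '"; alert(\'xss\'); //'
JS_BACKSLASH_BREAKOUT = "\\'; alert(1); //"
SCRIPT_CLOSE_BREAKOUT = "</script><script>alert('xss')</script>"
ATTR_BREAKOUT = '" onload="alert(1)'


def html_body(s):
    """HTML text context: & < > " ' become entities."""
    return html.escape(s, quote=True)


def html_attr(s):
    """Value inside a double-quoted attribute such as value="..." or
    title="...".  Same entity set as the body; the quote is what matters.
    Never put user input into onload= or href= this way: the browser
    decodes the entities before it evaluates the handler or the URL."""
    return html.escape(s, quote=True)


def js_string(s):
    """Value inside a JavaScript string literal in an inline <script>.
    json.dumps escapes the delimiters, backslashes and control characters;
    < > & are then written as \\uXXXX so the HTML parser never sees
    '</script>' inside the string."""
    out = json.dumps(s)   # adds the surrounding double quotes
    return (out.replace("<", "\\u003c")
               .replace(">", "\\u003e")
               .replace("&", "\\u0026"))


def url_param(s):
    """Value placed into a query string, the http://example.com/?adam=$name case."""
    return quote(s, safe="")


def naive_js_escape(s):
    """The 'only need to escape the quote' approach, kept here to show it fail."""
    return s.replace("'", "\\'")


def page_naive(name):
    """Slide 44's var test = '...' line with only the quote escaped."""
    return "<script>var test = '" + naive_js_escape(name) + "';</script>"


def page_safe(name):
    """Same line with the full JavaScript-string encoding."""
    return "<script>var test = " + js_string(name) + ";</script>"


if __name__ == "__main__":
    print(page_naive(JS_BACKSLASH_BREAKOUT))    # string ends early, alert(1) runs
    print(page_naive(SCRIPT_CLOSE_BREAKOUT))    # HTML parser sees a second <script>
    print(page_safe(JS_BACKSLASH_BREAKOUT))
    print(page_safe(SCRIPT_CLOSE_BREAKOUT))
    print(html_attr(ATTR_BREAKOUT), url_param("a b&c='d'"))
```

The attribute case on the slide, onload="javascript:alert(xss);", has no encoder at all in this list on purpose: an event handler or a javascript: URL is executed after entity decoding, so the only fix is to never build those from user input.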

45 Tools
- Browser Developer Tools
- Wireshark
- Burp Proxy
- SQLMap
- OWASP Broken Web Apps Project
- Google Gruyere

46 Questions?
doupe@asu.edu
http://adamdoupe.com/

