Presentation is loading. Please wait.

Presentation is loading. Please wait.

XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)

Published byBuck Washington Modified over 6 years ago

Similar presentations

Presentation on theme: "XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)"— Presentation transcript:

1 XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)
RAMA KRISHNA CHAITANYA SOMAVAJHALA

2 What is Cross-Site Scripting? (CSS/XSS)
An attacker is able to inject his own JavaScript code into a web application, in such a way that the code is executed within a victim’s browser in the context of application. Types: Persistent XSS (Stored XSS) Reflected XSS (Non-Persistent XSS) DOM-based XSS (Local XSS) Players Include: An Attacker Web Application Client Server side Client side

3 The Sin Explained DOM XSS is a bug that allows an attacker to manipulate the DOM through untrusted input. var lists = document.body.all.tags('A'); for( var i =0; i< lists.length;i++) { lists[i].href=" } Code walks through the DOM for current web page or gadget and changes every anchor tag <a> to point to Studies have shown that one in ten websites are vulnerable to XSS attack

4 Cross-Site Scripting: Problem statement
Main problem: attacker‘s content ends in document and is not properly filtered/encoded Flow of data: from attacker-controllable source to security-sensitive sink Sources: e.g. the URL Sinks: e.g. document.write XMLHttpRequest object, often used in gadgets and AJAX applications, can read from files, not just make HTTP requests.

5 Examples of XSS Vulnerabilities
<script> alert(“Hacked..!!”) </script>

6 <img src=x onerror="alert('Pop-up window via stored XSS');“

7 DOM XSS will appear when a source that can be controlled by the user is used in a dangerous sink.
Popular Sinks HTML Modification sinks document.write (element).innerHTML HTML modification to behavior change (element).src (in certain elements) Execution Related sinks eval setTimout / setInterval execScript Popular Sources document.URL document.documentURI location.href location.search location.* window.name document.referrer

8 Spotting the Sin during Code Review
At a minimum, you should look for the following constructs. document.url document.location Web.Network.createRequest XMLHttpRequest Testing Techniques Use a proxy that injects random XSS snippets into the incoming data stream and see if the results are rendered by the gadget.

9 Redemption Techniques- Don’t trust the input
var MAX_TICKER_LEN = 6; var MAX_RESPONSE_LEN = 64; ... function getStockInfo(ticker) { if (ticker.length > MAX_TICKER_LEN) return "Invalid"; xhr = new XMLHttpRequest(); xhr.open("GET", " false); xhr.send(); if (xhr.readyState == 4) { if (xhr.statusText == "OK") { var response = xhr.responseText; if (response.length <= MAX_RESPONSE_LEN) { return response; } return "Invalid!";

10 Consider using a regular expression to validate the data before displaying it.
function isValidStockInfo(stock) { var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig; return re.test(stock); } Using SSL/TLS correctly for your network requests (as by using HTTPS rather than HTTP) can mitigate man-in-the-middle attacks. Replace Insecure Constructs with More Secure Construct Use innerHTML but use innerText instead, which is much safer.

11 Conclusion Do validate all external network data.
Do validate all external URL-based data Do not trust any data coming into your web page or gadget. Do not use eval() unless there is no other way to write your application. Consider using SSL/TLS for web server connections.

12 References R Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns, From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22th ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 M. Howard, D. LeBlanc, and J. Viega, 24 deadly sins of software security: programming flaws and how to fix them. New York: McGraw-Hill, 2010.

Download ppt "XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)"

Similar presentations

Past, Present and Future By Eoin Keary and Jim Manico

Past, Present and Future By Eoin Keary and Jim Manico
Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.

Hossain Shahriar Mohammad Zulkernine. One of the worst vulnerabilities in web applications It involves the generation of dynamic HTML contents with invalidated.
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
An Evaluation of the Google Chrome Extension Security Architecture

An Evaluation of the Google Chrome Extension Security Architecture
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Team Members: Brad Stancel,

Team Members: Brad Stancel,
IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.

IDAsec copyright - all rights reserved1 Web Vulnerabilities in the real world.
1 JavaScript & AJAX CS 236607, Spring 2008. 2 JavaScript.

1 JavaScript & AJAX CS , Spring JavaScript.
 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.

 Proxy Servers are software that act as intermediaries between client and servers on the Internet.  They help users on private networks get information.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
4.1 JavaScript Introduction

4.1 JavaScript Introduction
HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.

HTML5 Group 3: Dongyang Zhang, Wei Liu, Weizhou He, Yutong Wei, Yuxin Zhu.
Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.

Cross-Site Scripting Vulnerabilities Adam Doupé 11/24/2014.
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
Prevent Cross-Site Scripting (XSS) attack

Prevent Cross-Site Scripting (XSS) attack
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google