Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.portcullis-security.com Portcullis Computer Security.

Published byColeen Thompson Modified over 10 years ago

Similar presentations

Presentation on theme: "Www.portcullis-security.com Portcullis Computer Security."— Presentation transcript:

1 www.portcullis-security.com Portcullis Computer Security

2 2 April 2008Portcullis Computer Security Limited 2007 2 How to detect and exploit %99 of XSS Vulnerabilities

3 2 April 2008Portcullis Computer Security Limited 2007 3 XSS? So What? Recently XSS has proven to be dangerous enough to consider.Recently XSS has proven to be dangerous enough to consider. And it allows you to jump into VPN or it allows you to bypass firewall rules via XSS Tunnelling.And it allows you to jump into VPN or it allows you to bypass firewall rules via XSS Tunnelling.

4 2 April 2008Portcullis Computer Security Limited 2007 4 What is it about? It’s all about where output goes…It’s all about where output goes… Straight into HTMLStraight into HTML Into Javascript / VbScript blockInto Javascript / VbScript block As tag attributeAs tag attribute And some other rare, strange places…And some other rare, strange places…

5 2 April 2008Portcullis Computer Security Limited 2007 5 Understanding exploiting XSS It’s like SQL injection but now our subsystem is not a database it’s a browser and instead of a single quote we’ve got some new meta characters.It’s like SQL injection but now our subsystem is not a database it’s a browser and instead of a single quote we’ve got some new meta characters.

6 2 April 2008Portcullis Computer Security Limited 2007 6 Ultimate Challenge Ultimate challenge of XSS issues is able to escape current block and make browsers render your piece of code.Ultimate challenge of XSS issues is able to escape current block and make browsers render your piece of code.

7 2 April 2008Portcullis Computer Security Limited 2007 7 XSS Types These are most common XSS examples which you are going to see in the wild. I’ll try to show a demo to exploit them. HTML – NormalHTML – Normal HTML – Attribute without quotesHTML – Attribute without quotes HTML – Attribute with single quotesHTML – Attribute with single quotes HTML – In CommentsHTML – In Comments HTML – In Javascript BlocksHTML – In Javascript Blocks DOM based XSSDOM based XSS Flash based XSSFlash based XSS Direct LinkingDirect Linking

8 2 April 2008Portcullis Computer Security Limited 2007 8 Not Covered Before jumping into exploiting these specific issues; Following rare but has seen concepts are not covered in this talk. XAS – Cross Application ScriptingXAS – Cross Application Scripting Security Zones of IESecurity Zones of IE Client-Site issues like.jar problemClient-Site issues like.jar problem Advanced Flash Analyzes for XSSAdvanced Flash Analyzes for XSS Exploiting XSS in real worldExploiting XSS in real world Bypassing HTML parsing based XSS filters like gmail, myspace etc.Bypassing HTML parsing based XSS filters like gmail, myspace etc.

9 2 April 2008Portcullis Computer Security Limited 2007 9 HTML - Normal Most common XSS type, At least it was the most common one. But nowadays most of the developers aware of it.Most common XSS type, At least it was the most common one. But nowadays most of the developers aware of it. In this demo we assumed there is no filtering in the server-side.In this demo we assumed there is no filtering in the server-side.

10 2 April 2008Portcullis Computer Security Limited 2007 10 HTML - Normal DEMO<script>alert(0x1)</script>

11 2 April 2008Portcullis Computer Security Limited 2007 11 HTML – Attributes without Quotes When output used as an HTML attribute in the application, if it’s coded in a sloppy HTML which has no quotes around it even if there is a server-side filtering we can bypass it!When output used as an HTML attribute in the application, if it’s coded in a sloppy HTML which has no quotes around it even if there is a server-side filtering we can bypass it!

12 2 April 2008Portcullis Computer Security Limited 2007 12 HTML – Attributes without Quotes DEMO %20onload=alert(0x2)%20 %20onload=alert(0x2)%20

13 2 April 2008Portcullis Computer Security Limited 2007 13 HTML – Attributes with Single Quotes Wrapping HTML attributes with a single quote is quite common, valid but a poor practice.Wrapping HTML attributes with a single quote is quite common, valid but a poor practice. Since single quote is not considered as HTML meta character is not encoded by any of default XSS filter functions like html_entities() or Server.HTMLEncode()‏Since single quote is not considered as HTML meta character is not encoded by any of default XSS filter functions like html_entities() or Server.HTMLEncode()‏

14 2 April 2008Portcullis Computer Security Limited 2007 14 HTML –Attributes with Single Quotes DEMO ’ onload=alert(0x3)‏ ’ onload=alert(0x3)‏

15 2 April 2008Portcullis Computer Security Limited 2007 15 HTML – In Comments If output goes into an HTML comment we need “>” closing tag.If output goes into an HTML comment we need “>” closing tag. This will be encoded by default filters, so it should be unfiltered.This will be encoded by default filters, so it should be unfiltered.

16 2 April 2008Portcullis Computer Security Limited 2007 16 HTML – In Comments DEMO --!> alert(0x4) --!> alert(0x4)

17 2 April 2008Portcullis Computer Security Limited 2007 17 HTML – Javascript Blocks Javascript blocks are too dangerous because meta characters are changing in there. If output goes into javascript we are not tag opener any more or double quotes.Javascript blocks are too dangerous because meta characters are changing in there. If output goes into javascript we are not tag opener any more or double quotes. It all depends where it goes in Javascript, we may need a single quote, may need a double quotes or maybe only a space or semi column.It all depends where it goes in Javascript, we may need a single quote, may need a double quotes or maybe only a space or semi column.

18 2 April 2008Portcullis Computer Security Limited 2007 18 HTML – In Comments DEMO;alert(0x5)‏

19 2 April 2008Portcullis Computer Security Limited 2007 19 HTML – DOM Based This is one of the most rare and hard to spot XSS types.This is one of the most rare and hard to spot XSS types. You need a simple source code analyse over the script code.You need a simple source code analyse over the script code. Most of DOM based XSS issues can not be identified by automated scanners (to be honest non of them!)‏Most of DOM based XSS issues can not be identified by automated scanners (to be honest non of them!)‏

20 2 April 2008Portcullis Computer Security Limited 2007 20 HTML – In Comments DEMO#alert(0x6)‏

21 2 April 2008Portcullis Computer Security Limited 2007 21 HTML – Flash Based XSS It’s being more and more popularIt’s being more and more popular There are several ways to see an XSS issue in Flash but most common onesThere are several ways to see an XSS issue in Flash but most common ones Remote flash file loadingRemote flash file loading Direct LinkingDirect Linking Flash application generally load remote resources and if this resources can be controlled by parameters then it can be called directly and can be forced to call a remote malisious flash object.Flash application generally load remote resources and if this resources can be controlled by parameters then it can be called directly and can be forced to call a remote malisious flash object.

22 2 April 2008Portcullis Computer Security Limited 2007 22 HTML – Flash Based XSS DEMOvuln.swf?player=http://example.com/xss.swf_getURL(‘javascript:alert(0x7)’)‏

23 2 April 2008Portcullis Computer Security Limited 2007 23 HTML – Direct Linking If linking functionality exist almost, always vulnerable to this attack!If linking functionality exist almost, always vulnerable to this attack! It can be something likeIt can be something like Your e-mail addressYour e-mail address Homepage URLHomepage URL Your photo URL etc….Your photo URL etc….

24 2 April 2008Portcullis Computer Security Limited 2007 24 HTML – Flash Based XSS DEMOjavascript:alert(0x8)‏

25 2 April 2008Portcullis Computer Security Limited 2007 25 Final Words If a XSS issue is exploitable in Internet Explorer it’s highly possibly exploitable in Mozilla based browser, attack vector may differs.If a XSS issue is exploitable in Internet Explorer it’s highly possibly exploitable in Mozilla based browser, attack vector may differs. CSS expression() and –moz-binding can allow you to trigger XSS payloads onloadCSS expression() and –moz-binding can allow you to trigger XSS payloads onload

26 2 April 2008Portcullis Computer Security Limited 2007 26 Final Words Know what you send…Know what you send… Your browser can do some encoding which may invalidate your XSS testYour browser can do some encoding which may invalidate your XSS test To able to exploit target server you may need to send HTML characters without proper encodingTo able to exploit target server you may need to send HTML characters without proper encoding Confirm what you send from your proxy and be sure you tested it with encoding and without encodingConfirm what you send from your proxy and be sure you tested it with encoding and without encoding

27 2 April 2008Portcullis Computer Security Limited 2007 27 vbscript:msgbox(‘An y Questions?’)

Download ppt "Www.portcullis-security.com Portcullis Computer Security."

Similar presentations

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.

Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?

Attacking and defending Flash Applications. Flash Security I’ll talk about; o RIA, Web 2.0 and Security o What is Crossdomain.xml? Why does it exist?
Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.

Protecting Browsers from Cross-Origin CSS Attacks Lin-Shung Huang, Zack Weinberg Carnegie Mellon University Chris Evans Google Collin Jackson Carnegie.
Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.

Creating Stronger, Safer, Web Facing Code JPL IT Security Mary Rivera June 17, 2011.
The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.

17 th ACM CCS (October, 2010).  Introduction  Threat Model  Cross-Origin CSS Attacks  Example Attacks  Defenses  Experiment  Related Work 2 A Presentation.
1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.

1 MTvScan (Malware, Trojan, Viruses Scanner) Enterprise Class Security Scanner.
WebGoat & WebScarab “What is computer security for $1000 Alex?”

WebGoat & WebScarab “What is computer security for $1000 Alex?”
EECS 354 Network Security Cross Site Scripting (XSS)

EECS 354 Network Security Cross Site Scripting (XSS)
Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.

Blackbox Reversing of XSS Filters Alexander Sotirov ekoparty 2008.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
Project 7 Discussion Section XSS and SQL Injection in Rails.

Project 7 Discussion Section XSS and SQL Injection in Rails.
Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.

Misc. Announcements Backup your work! Document team members’ contributions (so that if there is any dispute …) More Bonus credits: Create screencasts for.
CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?

CROSS SITE SCRIPTING..! (XSS). Overview What is XSS? Types of XSS Real world Example Impact of XSS How to protect against XSS?
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Similar presentations

Ads by Google