
Presented to OWASP San Antonio at Denim Group Introduction to Cross-Site Scripting with BeEF Created by: Charles Neill Modified Date: 2/5/2015.


1 Presented to OWASP San Antonio at Denim Group Introduction to Cross-Site Scripting with BeEF Created by: Charles Neill Modified Date: 2/5/2015

2 What is cross-site scripting?
– Cross-Site Scripting (referred to as XSS) is a type of web application attack where malicious client-side script is injected into the application output and subsequently executed by the user’s browser
– TL;DR: Not filtering out HTML and JavaScript in user input = bad
– It can be used to take over a user’s browser in a variety of ways

3 Why should I care about cross-site scripting?
– There was a time not too long ago when XSS was considered a low-risk type of security issue, because when compared to a server-side exploit, it seemed relatively benign
– As other issues like PHP remote file inclusions have become harder to exploit, XSS attacks have increased in prominence and sophistication
– Trick question: Which is worse, popping up an alert box or popping root on a server?

4 Who’s affected by cross-site scripting?
– Everyone. No, really – almost every site you can think of has had XSS problems at one time or another (and probably still does)
– Don’t believe me?
  – Universal XSS in Internet Explorer (2015) [1]
  – Tweetdeck (2014) [2]
  – PayPal (2013) – BONUS: discovered by a 17 year old kid [3]
  – Google Finance (2013) [4]
  – 25 “Verisign-secured” online stores (2012) [5]
  – McAfee (2011) [6]
  – Visa (2010) [7]

5 Some sites you might recognize (screenshot: http://www.xssed.com/files/image/News/paypalevsslxss.PNG)

6 Some sites you might recognize (screenshot: http://3.bp.blogspot.com/-IpLMWEVPnRc/UmYV_19hnNI/AAAAAAAADfc/caJdmBEsyaE/s1600/1.png)

7 Some sites you might recognize (screenshot: https://isc.sans.edu/diaryimages/youtube.png)

8 Boooooring…
– The classic proof-of-concept for XSS is a little alert box with some arbitrary text in it, or a picture of something silly.
– This doesn’t seem nearly dangerous enough to warrant concern.
– What else you got?

9 Introducing: BeEF
– What’s BeEF? From their website (beefproject.com):
  “BeEF is short for The Browser Exploitation Framework… BeEF looks past the hardened network perimeter and client system, and examines exploitability within the context of the one open door: the web browser.”

10 Where’s the BeEF?
– That description sounds scary, but what does it mean?
– Think of BeEF as a one-stop shop to gain and retain control over a user’s browser, and do whatever you want with it
– This is like Metasploit (metasploit.com) for the browser
  – You can even use Metasploit’s “browser_autopwn” tests to try to take over the browser
– How does one use BeEF? This is all it takes to insert into a page:

11 The BeEF Dashboard
– Monitor users by their IP, browser, OS
– See logs of their activity
– Trick the user into downloading malicious files
– Perform network reconnaissance
– And much more…

12 DEMO TIME! (Get excited)

13 So many attacks, so little time

14 Basic Client-side Attacks
– Steal cookies
– Play a sound
– Get user-agent string
– See enabled plugins (e.g. Chrome PDF viewer, Java, etc.)

15 More Advanced Client-Side Attacks
– Man-in-the-browser
– Forge user requests
– Get form values / HTML contents
– Fake notifications (Chrome plugin bar, LastPass login, etc.)
– Tabnabbing

16 Lateral Movement / Network Exploration
– Port scanning
– Network mapping
– Execute local Redis commands

17 So what should I do to prevent XSS?
– Never trust the user

18 THANK YOU RACKSPACE® | 1 FANATICAL PLACE, CITY OF WINDCREST | SAN ANTONIO, TX 78218 US SALES: 1-800-961-2888 | US SUPPORT: 1-800-961-4454 | WWW.RACKSPACE.COM © RACKSPACE LTD. | RACKSPACE® AND FANATICAL SUPPORT® ARE SERVICE MARKS OF RACKSPACE US, INC. REGISTERED IN THE UNITED STATES AND OTHER COUNTRIES. | WWW.RACKSPACE.COM

19 So what should I do to prevent XSS? (No, really)
– Almost all client-side script injection comes down to the following characters: ( ) { } [ ] " ' ; / \
– There are various ways to take care of these characters, but it is too context-dependent to give a one-size-fits-all answer
– The shortest answer is: make sure you’re only getting characters you expect when a user enters any kind of information, and make sure you never display a user-entered string without properly encoding it for the context it lands in
– Check out the links at the end of this presentation to learn more

20 Examples of XSS in code
Here’s some sample vulnerable JavaScript. See if you can spot the bad part.

    var lol = function () {
        var a = document.getElementById('a').value;
        document.write(a);
    }

21 Examples of XSS in code
Hmm, there’s the problem…

    var lol = function () {
        var a = document.getElementById('a').value;
        document.write(a); // Too easy
    }

22 Examples of XSS in code
Now for something a little more interesting. Remember, you also have to remember the third-party libraries you’re using. Some innocent-looking jQuery code:

    $(location.hash) // Wait, that’s it?

23 Examples of XSS in code
But you’re not only securing the code you write, but all the code you used…

    $(location.hash) // WHERE’S THE VULNERABLE PART?!

Well, if we’re using jQuery 1.6.1 and we visit the page http://app/# …this will pop up one of those alert boxes [8].

24 Tips for filtering XSS
Here are some examples of how to filter HTML characters in a few simple scenarios in PHP (there should be similar functions in any language; check the links at the end of the PPT)

    $int = intval($_GET['a']);       // This will never return anything other than an integer
    $str = htmlentities($_GET['b']); // This will encode any character for which there is
                                     // an HTML entity equivalent (e.g. > < ")
                                     // This is NOT always enough! [9]

25 Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:

    echo(' link ');

26 Getting around prevention measures
Pop quiz! What’s wrong with this PHP code:

    echo(' link ');

What if we set $_GET['var'] to javascript:alert(/xss/);
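The point behind slides 19, 24 and 25/26, as an added JavaScript example that is not from the slides: entity encoding stops a quote from breaking out of an attribute, but a javascript: URL contains nothing to encode, so an href needs a scheme allowlist on top of the encoding. The function names escapeHtml, safeHref and renderLink are my own.

```javascript
// Added example: context-aware output encoding for the two contexts in the
// quiz (HTML text / quoted attribute values, and an href attribute).

// Encode the characters that change meaning in HTML text and quoted attributes.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Schemes a link may use; anything else (javascript:, data:, vbscript:, ...)
// is neutralised. Relative URLs have no scheme and pass through.
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function safeHref(url) {
  const raw = String(url);
  // Browsers drop ASCII control characters (tab, newline) while parsing the
  // scheme, so "java\tscript:" still runs. Strip them before checking.
  const probe = raw.replace(/[\u0000-\u0020]/g, '').toLowerCase();
  const m = probe.match(/^([a-z][a-z0-9+.-]*):/);
  if (m && !ALLOWED_SCHEMES.includes(m[1])) {
    return '#'; // disallowed scheme: replace with a harmless fragment link
  }
  return raw;
}

// Build the quiz's <a href="...">link</a> from untrusted input: the scheme
// check handles javascript:, the encoding handles attribute breakout.
function renderLink(userUrl, label) {
  return `<a href="${escapeHtml(safeHref(userUrl))}">${escapeHtml(label)}</a>`;
}

// Constructed inputs for illustration (the first is the quiz's payload).
console.log(renderLink('javascript:alert(/xss/);', 'link'));
console.log(renderLink('https://x/" onmouseover="alert(1)', 'link'));
```

In a real page the same rule applies to DOM sinks: prefer textContent over document.write or innerHTML for user-supplied text, and validate URLs before assigning them to href.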


28 QUESTIONS?

29 Resources
– OWASP Links
  – Guide to Cross-site Scripting - https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
  – XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet
  – DOM based XSS Prevention Cheat Sheet - https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet

30 References
[1] http://seclists.org/fulldisclosure/2015/Feb/0
[2] http://techcrunch.com/2014/06/11/tweetdeck-fixes-xss-vulnerability/
[3] http://threatpost.com/paypal-site-vulnerable-to-xss-attack
[4] http://miki.it/blog/2013/7/30/xss-in-google-finance/
[5] http://nakedsecurity.sophos.com/2012/02/28/verisign-xss-holes/
[6] http://www.scmagazine.com/mcafee-working-to-fix-xss-information-disclosure-flaws/article/199505/
[7] http://news.softpedia.com/news/XSS-Weakness-Found-on-Visa-USA-Website-157115.shtml
[8] http://ma.la/jquery_xss/
[9] http://en.wikipedia.org/wiki/List_of_XML_and_HTML_character_entity_references


