Scrubbing Your AJAX

Learn how AJAX is being used for good and evil. See where to find vulnerabilities (hint: not just in the code). Discuss methods others are using to overcome challenges and methods for securing AJAX-based applications.

Transcript of Scrubbing Your AJAX

Page 1: Scrubbing Your AJAX
Page 2: Scrubbing Your AJAX

What is XSS: Cross Site Scripting

Cross Site Scripting (XSS) is a security exploit where malicious scripts are injected into the URL (query strings?) or form fields of a site and then run by unsuspecting victims.

Reflected / Stored / Local

Page 3: Scrubbing Your AJAX

What is XSS: Non-Persistent/Reflected

[Diagram: Hacker -> Email with Malicious Link -> Victim -> Malicious Web Page]

1. Hacker persuades victim to click on a URL
2. Victim clicks link
3. Script embedded in URL steals sensitive info

Page 4: Scrubbing Your AJAX

What is XSS: Non-Persistent/Reflected - Example

Response the vulnerable search page renders when the keyword is echoed without encoding:

<HTML>
  <HEAD>
    <TITLE>Search Example</TITLE>
    <META http-equiv="content-type" content="text/html; charset=utf-8">
  </HEAD>
  <BODY>
    <H1>Search Results</H1> for
    <SCRIPT>alert("Running!")</SCRIPT>
    <BR> <BR>
    <h2>Sorry, no results were found.</h2>
    <BR>
    <FORM name=search>
      <INPUT type=text name="keyword" value="<SCRIPT>alert(&quot;Running!&quot;)</SCRIPT>">
      <INPUT type=submit value="Go">
    </FORM>
  </BODY>
</HTML>

Request that produces it:

http://myserver/search.aspx?keyword=<SCRIPT>alert("Running!")</SCRIPT>

Page 5: Scrubbing Your AJAX

What is XSS: Non-Persistent/Reflected - Defenses

Input Validation: Client side?? / Request Validation Attribute

Output Encoding: HTMLEncode (blacklisting) / Microsoft Anti-Cross Site Scripting Library (whitelisting)

Page 6: Scrubbing Your AJAX

What is XSS: Persistent/Stored

[Diagram: Hacker -> Guest Book (Name, Greeting) -> Victim]

1. Hacker injects script to datastore
2. When victim visits, it is run on their machine

Page 7: Scrubbing Your AJAX

What is XSS: Persistent/Stored - Example

[Form: First Name / Last Name / Comments]

Value submitted in a form field: <script> Anything</script>

Page 8: Scrubbing Your AJAX

What is XSS: Persistent/Stored - Defenses

Input Validation: Client side?? / Request Validation Attribute

Output Encoding: HTMLEncode (blacklisting) / Microsoft Anti-Cross Site Scripting Library (whitelisting)

Page 9: Scrubbing Your AJAX

What is XSS: DOM Based/Local

[Diagram: Hacker -> Email with Malicious Link -> Victim -> Local Page; X: never goes to server]

1. Hacker injects script to datastore
2. When victim visits, it is run on their machine

Page 10: Scrubbing Your AJAX

What is XSS: Non-Dom Based/Local - Example

<HTML>
<TITLE>Welcome!</TITLE>
Hi
<SCRIPT>
var pos=document.URL.indexOf("name=")+5;
document.write(document.URL.substring(pos,document.URL.length));
</SCRIPT>
<BR>
Welcome to our system…
</HTML>

http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)<script>

Page 11: Scrubbing Your AJAX

What is XSS: Non-Dom Based/Local - Defenses

JavaScript Hardening

Analyze DOM modifications: document, window, eval() (don't use)

Regular Expressions

Remember: hacker can see your JavaScript

Use a JSON parser instead of eval() (www.json.org)
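The hardening steps on this slide applied to the Welcome page from the DOM-based example, as an added illustration that is not part of the deck: the name is extracted from the URL, whitelisted with a regular expression, HTML-encoded before it is written to the page, and an AJAX response is parsed with JSON.parse instead of eval(). The function names and the whitelist pattern are assumptions.

```javascript
// Added example (not from the slide deck): hardened version of the
// DOM-based "Welcome" page. The original wrote document.URL straight into
// the page with document.write(); here the value is validated and encoded.

// Extract the "name=" value from a URL, mirroring the slide's
// indexOf("name=") logic but stopping at the next '&'.
function extractName(url) {
  const pos = url.indexOf("name=");
  if (pos === -1) return "";
  const rest = url.substring(pos + 5);
  const end = rest.indexOf("&");
  const value = end === -1 ? rest : rest.substring(0, end);
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return ""; // malformed percent-encoding is treated as no name
  }
}

// Whitelist (assumed policy): letters, digits, spaces, hyphens, 1-40 chars.
const NAME_RE = /^[A-Za-z0-9 \-]{1,40}$/;
function isValidName(name) {
  return NAME_RE.test(name);
}

// Output encoding for an HTML text context (the HTMLEncode defense).
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the greeting: a name that fails the whitelist falls back to
// "Guest", and whatever survives is encoded before it reaches the DOM.
function buildGreeting(url) {
  const name = extractName(url);
  const shown = isValidName(name) ? name : "Guest";
  return "Hi " + htmlEncode(shown);
}

// Parse an AJAX JSON response without eval(): non-JSON input, including
// injected script text, throws instead of executing.
function parseResponse(text) {
  return JSON.parse(text);
}

// In the browser: document.getElementById("greeting").innerHTML = buildGreeting(document.URL);
```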

Page 12: Scrubbing Your AJAX

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.