The OWASP Foundation: OWASP XSS Remediation. Cassia Martin, Romain Gaucher. April 7th, 2011.

Slide 2: What is XSS?
 XSS is an attacker injecting JavaScript into your page
 The 3 types:
   Stored: the attacker stores the payload in your app
   Reflected: the attacker cons a user into clicking a link that carries the payload
   DOM based: like reflected, but the payload never hits the server

Slide 3: How do we fix it?
 Only two choices; use both:
   Input Validation
   Output Encoding
 My religion:
   No WAF solution
   No blacklist

Slide 4: Input Validation
 Limit the attack surface by constraining input
 Whitelist: if a field in an app is intended to be a zip code, there is no need to increase the attack surface by accepting arbitrary input. Just limit it to 5 digits.
 "Picklist": only accept states
 Blacklist: reject < > " ;
   Sure, you can block those. What about onLoad(), eval()?
   You can block " and '. What about %3C, &#60, \x3C, \u003c?

Slide 5: Input Validation (cont'd)
 Client side input validation is evil
 Do validation checks server side
 In JSP, "You entered zipcode:" followed by the server-validated value; not "You entered zipcode: validateZip(zipcode)" with the check done in client-side script
 Why client side validation?
   Save time and bandwidth
   Improve UI
   It won't prevent attacks.

Slide 6: Input Validation (cont'd)
 Implement both syntactic and semantic validation checks
 Syntactic
   Often charset checking, e.g., in a credit card field, only allow numbers
 Semantic
   Well, what else do we know about credit cards?
   15 or 16 characters
   Pass the "Luhn" check
   If the user selected Visa, starts with a 4
   Etc.
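The two validation layers of slide 6 for a credit card field, as an added server-side example (not code from the slides): a syntactic check on character set and length, then the semantic checks (Luhn, brand prefix). The Amex rule and the card numbers used are constructed assumptions for illustration.

```javascript
// Added example, not from the OWASP slides. Card numbers in the tests are
// constructed test values, not real accounts.

// Syntactic layer: character set and length only.
function syntacticCardCheck(input) {
  const digits = String(input).replace(/[ -]/g, "");   // tolerate separators
  if (!/^\d+$/.test(digits)) return { ok: false, reason: "non-digit characters" };
  if (digits.length !== 15 && digits.length !== 16) {
    return { ok: false, reason: "length must be 15 or 16" };
  }
  return { ok: true, digits };
}

// Luhn (mod 10) checksum: double every second digit from the right,
// subtract 9 from any doubled value above 9, and require sum % 10 == 0.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Semantic layer: what else do we know about a card of the selected brand?
// Visa is the slide's example; the Amex rule is an assumption added here.
const BRAND_RULES = {
  visa: { prefix: /^4/, length: 16 },
  amex: { prefix: /^3[47]/, length: 15 },
};

function validateCard(input, brand) {
  const syn = syntacticCardCheck(input);
  if (!syn.ok) return syn;
  if (!luhnValid(syn.digits)) return { ok: false, reason: "Luhn check failed" };
  const rule = BRAND_RULES[brand];
  if (!rule) return { ok: false, reason: "unknown brand" };
  if (syn.digits.length !== rule.length) return { ok: false, reason: "length does not match brand" };
  if (!rule.prefix.test(syn.digits)) return { ok: false, reason: "prefix does not match brand" };
  return { ok: true, digits: syn.digits };
}
```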

Slide 7: Output Encoding
 Often, you can't narrowly constrain input (Boss's name: O'Malley)
 Even if you can, aim for defense in depth: "Separate data plane from control plane"
 Output Encoding is the name for transforming control characters into data
 Different encoding is required for different contexts

Slide 8: HTML Context
 HTML code: alert(1)
 In an HTML context, HTML encoding is the answer!

Slide 9: HTML Context Fix: HTML Encoding
 Transform possible HTML code into data
 Turns < into &lt;
 Example: <script>alert(1)</script> becomes &lt;script&gt;alert(1)&lt;/script&gt;

Slide 10: HTML Attribute Context
 HTML attributes (JavaScript events): " onmouseover="alert('w00t')

Slide 11: HTML Attribute Context Fix
 HTML Attribute encoding
 Very similar to HTML encoding, larger scope
 OWASP recommendation: any ASCII character under 256 should be rewritten to &#xHH;
 Most common mistake: not encoding " and '

Slide 12: HTML URI Location Context
 HTML URI locations: "click me" link
 Base64 decode: " alert('woot') "

Slide 13: HTML URI Location Control Fix
 URI:
   Full control of the URI: whitelist
     Also protects against Open URL Redirect
   Partial control (inject in the path, etc.): URL encoding
     Transforms ' -> %27
 Example: action.php?param=<script>alert(1)</script> becomes action.php%3fparam%3d%3cscript%3ealert(1)%3c%2fscript%3e

Slide 14: JavaScript/JSON Context
 JavaScript/JSON: ");alert('w00t');/* or "};alert('w00t');/*

Slide 15: JavaScript/DOM Context
 Vulnerable code: document.write(location.hash.substring(1));
 Attack URL: alert(/1/)

Slide 16: JavaScript Context Fix
 JavaScript context:
   Inside strings: use Unicode-escaped strings (\u003e\u004f)
   Outside strings: don't blacklist. Blocking _"()+[]-{}'/ is currently okay, probably, but it is not a good security philosophy and not future-proof. If you need this, whitelist, e.g., /[\w]+/
 DOM: same as above, but in JavaScript: tainted.replace(/[^\w]/g, "")
 JSON: must not be JSON-injectable, plus a safe JSON parsing function (e.g., not eval())
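The contextual encoders described on slides 9, 11, 13 and 16, as one added JavaScript example (not code from the slides or from ESAPI, whose Java API the later slide lists): HTML, HTML attribute, URL and JavaScript-string encoding, plus the whitelist for the "outside strings" case. The function names and the &#xHH;/\uXXXX rules follow the slides; everything else is an assumption of this example.

```javascript
// Added example, not code from the OWASP slides or from ESAPI.

// HTML body context: the characters that can start markup become entities.
function encodeForHTML(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// HTML attribute context: larger scope, following the OWASP rule on the
// slide: every non-alphanumeric character below 256 becomes &#xHH;.
function encodeForHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const cp = c.charCodeAt(0);
    return cp < 256 ? "&#x" + cp.toString(16).toUpperCase() + ";" : c;
  });
}

// JavaScript string context: \uXXXX every non-alphanumeric character, so a
// quote, ");" or </script> cannot end the string or the script element.
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g,
    c => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Wrap the encoded value in quotes to get a complete JS string literal.
function jsStringLiteral(s) {
  return '"' + encodeForJavaScript(s) + '"';
}

// URL context with partial control (a value inside path or query): strict
// percent-encoding, including the ' ( ) * ! that encodeURIComponent leaves.
function encodeForURL(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    c => "%" + c.charCodeAt(0).toString(16).toUpperCase());
}

// JavaScript outside a string: nothing to encode, so whitelist instead
// (the slide's /[\w]+/) and reject rather than "clean" the value.
function whitelistIdentifier(s) {
  return /^\w+$/.test(s) ? s : null;
}
```

The round trip through jsStringLiteral (evaluating the literal gives back the original payload as data) is the check that the JavaScript-string encoding is lossless and never changes the script's structure.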

Slide 17: var a = " alert('xss'); ";

Slide 18: CSS Context
 CSS: border:1px solid; expression(alert('w00t'))}/*

Slide 19: CSS Context Fix
 CSS: consider this to be the JavaScript context, outside strings
 Alternatively, block expression using a full CSS parser
 Don't just block expression: CSS accepts HTML-encoded keywords and comments, so exp/**/ression will evade your blacklist.
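The slide's exp/**/ression evasion run against a bare keyword blacklist, beside the two fixes the slide suggests, as an added example (not code from the slides). The border grammar and the comment/entity normalizer are constructed stand-ins for a real whitelist grammar and a full CSS parser.

```javascript
// Added example, not from the OWASP slides.

// Naive blacklist: rejects "expression" only when it appears literally,
// so exp/**/ression passes.
function cssBlacklistAllows(value) {
  return !/expression/i.test(value);
}

// Fix 1: treat the value like JavaScript outside a string and whitelist a
// narrow grammar, here a border shorthand of width, style and optional color.
function cssBorderWhitelist(value) {
  const ok = /^\d{1,2}px (solid|dashed|dotted|none)( #[0-9a-fA-F]{3,6}| [a-z]{3,20})?$/.test(value);
  return ok ? value : null;
}

// Fix 2: normalize before the keyword check, as a full CSS parser would:
// strip /* */ comments and decode &#NN; / &#xHH; entities. Toy normalizer:
// it does not handle CSS backslash escapes, which can also split a keyword.
function cssNormalize(value) {
  return String(value)
    .replace(/\/\*[\s\S]*?\*\//g, "")
    .replace(/&#x([0-9a-f]+);?/gi, (_, h) => String.fromCharCode(parseInt(h, 16)))
    .replace(/&#(\d+);?/g, (_, d) => String.fromCharCode(parseInt(d, 10)));
}

function cssNormalizedBlacklistAllows(value) {
  return !/expression\s*\(/i.test(cssNormalize(value));
}
```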

Slide 20: Other Contexts
 Flash, XML, SVG, PDF, GIF comments, etc.
 Client-side technologies such as Flash, Silverlight, etc. need to employ the same validation/encoding schemes

Slide 21: Libraries
 ESAPI: reference implementations for Java, .NET, PHP, Classic ASP, Cold Fusion, Python, and Haskell
   …ripting)_Prevention_Cheat_Sheet
 Reform: Java, .NET v1/v2, PHP, Python, Perl, JavaScript, ASP
   …ncoding_Project
 AntiXSS: Microsoft Web Protection Library (.NET)
 Platform-specific solutions

Slide 22: ESAPI Functions
 ESAPI.encoder().encodeForHTML(request.getParameter("input"));
 ESAPI.encoder().encodeForHTMLAttribute(request.getParameter("input"));
 ESAPI.encoder().encodeForJavaScript(request.getParameter("input"));
 ESAPI.encoder().encodeForCSS(request.getParameter("input"));
 ESAPI.encoder().encodeForURL(request.getParameter("input"));

Slide 23: Further Thoughts
 We only talked about first-order encodings here (what happens when your payload goes through an XML-based web service?)
 Finally, XSS is easy to fix in one location, difficult across a whole application