XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)


XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016) RAMA KRISHNA CHAITANYA SOMAVAJHALA

What is Cross-Site Scripting? (CSS/XSS)
An attacker is able to inject his own JavaScript code into a web application in such a way that the code is executed within a victim's browser in the context of the application.
Types:
- Persistent XSS (Stored XSS)
- Reflected XSS (Non-Persistent XSS)
- DOM-based XSS (Local XSS)
Players include:
- An attacker
- The web application (server side)
- The client (client side)

The Sin Explained
DOM XSS is a bug that allows an attacker to manipulate the DOM through untrusted input.

    // Collect every anchor in the page (document.body.all.tags is a legacy IE-only
    // collection; document.getElementsByTagName('a') is the standard equivalent)
    var lists = document.body.all.tags('A');
    for (var i = 0; i < lists.length; i++) {
        // Rewrite each link target
        lists[i].href = "http://www.example.com";
    }

The code walks through the DOM of the current web page or gadget and changes every anchor tag <a> to point to http://www.example.com. Studies have shown that one in ten websites is vulnerable to XSS attacks.

Cross-Site Scripting: Problem statement
Main problem: the attacker's content ends up in the document and is not properly filtered/encoded.
Flow of data: from an attacker-controllable source to a security-sensitive sink.
- Sources: e.g. the URL
- Sinks: e.g. document.write
The XMLHttpRequest object, often used in gadgets and AJAX applications, can read from files, not just make HTTP requests.

Examples of XSS Vulnerabilities

    <script> alert("Hacked..!!") </script>

    <img src=x onerror="alert('Pop-up window via stored XSS');">

DOM XSS appears when a source that can be controlled by the user is used in a dangerous sink.
Popular sinks
- HTML modification sinks: document.write, (element).innerHTML
- HTML modification leading to a behaviour change: (element).src (in certain elements)
- Execution-related sinks: eval, setTimeout / setInterval, execScript
Popular sources
- document.URL
- document.documentURI
- location.href
- location.search
- location.*
- window.name
- document.referrer

Spotting the Sin during Code Review
At a minimum, you should look for the following constructs:
- document.URL
- document.location
- Web.Network.createRequest
- XMLHttpRequest
Testing techniques: use a proxy that injects random XSS snippets into the incoming data stream and see whether the results are rendered by the gadget.
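As an added example (not code from the slides or the cited book), a small code-review helper that looks for the source-to-sink flows described above in JavaScript text: it tracks variables assigned from a listed source and reports lines where that data, or a source itself, reaches a listed sink. It is string-based, so it is a review aid rather than a parser and will miss flows that pass through function calls; SAMPLE is a constructed page script.

```javascript
// Sources and sinks taken from the slides above (plus location.hash), matched textually.
const SOURCES = ["document.URL", "document.documentURI", "document.location",
  "location.href", "location.search", "location.hash", "window.name", "document.referrer"];
const SINK_RE = /(\.innerHTML\s*=|document\.write\s*\(|\beval\s*\(|\bsetTimeout\s*\(|\bsetInterval\s*\(|\bexecScript\s*\()/;
// "var x = ...", "let x = ...", "const x = ..." or a bare "x = ..." assignment
const ASSIGN_RE = /^(?:var|let|const)?\s*([A-Za-z_$][\w$]*)\s*=\s*(.*)$/;

function escapeRe(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }

// Returns [{ line, text }] for every line where source-derived data meets a sink.
function scanForDomXss(source) {
  const tainted = new Set();   // variable names that carry source data
  const findings = [];
  source.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    const m = line.match(ASSIGN_RE);
    const rhs = m ? m[2] : line;
    const fromSource = SOURCES.some((s) => rhs.includes(s));
    const fromTainted = [...tainted].some((v) => new RegExp("\\b" + escapeRe(v) + "\\b").test(rhs));
    // Propagate taint to the assigned variable
    if (m && (fromSource || fromTainted)) tainted.add(m[1]);
    // Report a sink only when untrusted data actually reaches it
    if (SINK_RE.test(line) && (fromSource || fromTainted)) {
      findings.push({ line: i + 1, text: line });
    }
  });
  return findings;
}

// Constructed sample page script: two real flows, two benign sink uses, one text sink.
const SAMPLE = [
  'var name = location.search.substring(1);',
  'var greeting = "Hello " + decodeURIComponent(name);',
  'document.getElementById("out").innerHTML = greeting;',
  'document.getElementById("out").textContent = greeting;',
  'var banner = "<b>Welcome</b>";',
  'document.write(banner);',
  'setTimeout(window.name, 100);',
].join("\n");
```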

Redemption Techniques: Don't trust the input

    var MAX_TICKER_LEN = 6;
    var MAX_RESPONSE_LEN = 64;
    ...
    function getStockInfo(ticker) {
        // Reject over-long input before it is placed in the request URL
        if (ticker.length > MAX_TICKER_LEN) return "Invalid";
        var xhr = new XMLHttpRequest();
        // Synchronous request (third argument false), as on the original slide
        xhr.open("GET", "http://download.finance.yahoo.com/d/?s=" + ticker + "&f=sl1", false);
        xhr.send();
        if (xhr.readyState == 4) {
            if (xhr.statusText == "OK") {
                var response = xhr.responseText;
                // Bound the amount of network data that may reach the page
                if (response.length <= MAX_RESPONSE_LEN) {
                    return response;
                }
            }
        }
        return "Invalid!";
    }

Consider using a regular expression to validate the data before displaying it.

    function isValidStockInfo(stock) {
        // Allow-list of characters plus a length bound; the regex is built per call,
        // so the g flag does not carry lastIndex state between calls
        var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig;
        return re.test(stock);
    }

Using SSL/TLS correctly for your network requests (that is, using HTTPS rather than HTTP) can mitigate man-in-the-middle attacks.
Replace insecure constructs with more secure constructs: do not use innerHTML; use innerText instead, which is much safer.
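As an added example (not code from the slides or the cited book), the validate-then-render half of the advice above, written with plain objects standing in for DOM elements so it runs outside a browser. isValidTicker, encodeHtml, renderUnsafe and renderSafe are names chosen here; reusedGlobalRegexResults shows the one pitfall in the slide's regex, which only appears if the regex object is hoisted and reused.

```javascript
var MAX_TICKER_LEN = 6;

// Positive validation of the user-controlled input before it is placed in a request URL.
function isValidTicker(ticker) {
  return typeof ticker === "string" && ticker.length <= MAX_TICKER_LEN && /^[A-Z0-9]+$/.test(ticker);
}

// The slide's response check: character allow-list plus a length bound, rebuilt per call.
function isValidStockInfo(stock) {
  var re = /^[A-Z0-9\.\,\"\s]{1,18}$/i;
  return re.test(stock);
}

// Pitfall: one /g regex object keeps lastIndex between test() calls, so a hoisted
// copy of the slide's regex alternates true/false on the very same valid input.
function reusedGlobalRegexResults(stock) {
  var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig;
  return [re.test(stock), re.test(stock)];
}

// HTML entity encoding for the cases where an HTML sink cannot be avoided.
function encodeHtml(s) {
  var map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, function (c) { return map[c]; });
}

// Insecure construct: network data straight into an HTML-parsing sink.
function renderUnsafe(el, stockInfo) {
  el.innerHTML = "Quote: " + stockInfo;
}

// Secure construct: validate first, then write through a text sink
// (textContent here, innerText on the slide), where markup is shown literally.
function renderSafe(el, stockInfo) {
  if (!isValidStockInfo(stockInfo)) {
    el.textContent = "Invalid!";
    return false;
  }
  el.textContent = "Quote: " + stockInfo;
  return true;
}

// Constructed inputs: a normal response and one tampered in transit over plain HTTP.
var GOOD_RESPONSE = '"AAPL",99.12';
var EVIL_RESPONSE = '"AAPL",<img src=x onerror=alert(1)>';
```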

Conclusion
- Do validate all external network data.
- Do validate all external URL-based data.
- Do not trust any data coming into your web page or gadget.
- Do not use eval() unless there is no other way to write your application.
- Consider using SSL/TLS for web server connections.

References
- Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns, "From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting", in 22nd ACM Conference on Computer and Communications Security (ACM CCS '15), October 2015.
- M. Howard, D. LeBlanc, and J. Viega, 24 Deadly Sins of Software Security: Programming Flaws and How to Fix Them. New York: McGraw-Hill, 2010.