
The XSS Files: Find, Exploit, and Eliminate

Josh Little
Security Engineer at a global vertical market business intelligence company.
9 years in application support, developer relations, and application review.
OWASP Detroit Chapter Leader and a #misec founding member.
GSEC; CISSP in limbo.

What is an XSS flaw?
XSS = 'Cross Site Scripting'
Injection of arbitrary code into a user's browser session.
#2 on the 2010 OWASP Top 10, and on the list since the beginning.

Causes of XSS Flaws
Failure of the application to properly sanitize output to the user's browser.
Improper trust of user-supplied data.

// The request parameter goes straight into the page: no validation, no encoding
$a = $_GET['search'];
print 'Your search results '.$a;

Effects of XSS
- Theft of session cookies
- Arbitrary HTML or JavaScript injection
- Exploit injection
- Keystroke logging
BeEF and Metasploit can be used to show the effects of XSS.

Reflective vs. Persistent
Reflective: the payload is tied to a specific URL. Visit the link, hit the payload.
Persistent: the payload is embedded in the page itself (think comments, forum posts, etc.).

DOM Based XSS
XSS caused by the DOM's (Document Object Model) handling of incoming data and other page/request elements, rather than by the server's response.
Does not require dynamic server-side code.

// location.href is under the visitor's control, and document.write() parses its argument as HTML
document.write("Site is at: " + document.location.href + ".");

Finding XSS Flaws
Basic test: determine how the application handles 'special' characters such as " '
If the application returns these characters unencoded, it's possibly (and probably) vulnerable.
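As an added example (my own code, not from the talk or its demos), here is the basic test above written as a reviewer's check on a captured response body: send a unique marker wrapped around the special characters, then classify each character as reflected raw, reflected entity-encoded, or stripped. The probe set adds < and > to the " ' on the slide, the marker and the three response bodies are constructed for the demo, and the function names are mine.

```javascript
// Added example, not from the talk: the slide's "basic test" as a reviewer's
// check on a captured response body. Names and sample bodies are mine.

// Characters whose unencoded reflection lets input change page structure.
// The slide lists " and '; < and > are added here for the tag case.
const PROBE_CHARS = ['"', "'", '<', '>'];

// Wrap the special characters in a unique marker so the reflected segment can
// be cut out of the response exactly, whatever markup surrounds it.
function buildProbe(marker) {
  return `${marker}${PROBE_CHARS.join('')}${marker}`;
}

// Decode one HTML entity (named, decimal or hex); null if it isn't one.
const NAMED_ENTITIES = { quot: '"', apos: "'", lt: '<', gt: '>', amp: '&' };
function decodeEntity(entity) {
  const m = /^&(?:#x([0-9a-f]+)|#([0-9]+)|([a-z]+));$/i.exec(entity);
  if (!m) return null;
  if (m[1]) return String.fromCodePoint(parseInt(m[1], 16));
  if (m[2]) return String.fromCodePoint(parseInt(m[2], 10));
  return NAMED_ENTITIES[m[3].toLowerCase()] ?? null;
}

// Classify each probe character as raw (reached the page unencoded), encoded
// (came back as an entity) or stripped (removed by a filter).
function analyseReflection(marker, body) {
  const start = body.indexOf(marker);
  if (start === -1) {
    return { reflected: false, raw: [], encoded: [], stripped: [...PROBE_CHARS] };
  }
  const from = start + marker.length;
  const end = body.indexOf(marker, from);
  // If the closing marker was eaten too, look at a bounded window instead.
  const segment = end === -1 ? body.slice(from, from + 64) : body.slice(from, end);

  const raw = [], encoded = [], stripped = [];
  let pos = 0;
  for (const c of PROBE_CHARS) {
    if (segment[pos] === c) { raw.push(c); pos += 1; continue; }
    if (segment[pos] === '&') {
      const semi = segment.indexOf(';', pos);
      if (semi !== -1 && decodeEntity(segment.slice(pos, semi + 1)) === c) {
        encoded.push(c); pos = semi + 1; continue;
      }
    }
    stripped.push(c); // not present here in any form: a filter dropped it
  }
  return { reflected: true, raw, encoded, stripped };
}

// The slide's rule: unencoded reflection of any special character is the
// "possibly (and probably) vulnerable" case. Note that tag stripping alone
// still leaves the quotes raw, which matters inside attributes.
function isLikelyVulnerable(result) {
  return result.reflected && result.raw.length > 0;
}

// Constructed response bodies for three ways an app might handle the probe:
// no handling, entity encoding, and tag stripping.
const MARKER = 'zq7probe';
const SAMPLE_BODIES = {
  none:     `<p>Your search results ${buildProbe(MARKER)}</p>`,
  encoded:  `<p>Your search results ${MARKER}&quot;&#039;&lt;&gt;${MARKER}</p>`,
  stripped: `<p>Your search results ${MARKER}"'${MARKER}</p>`,
};

function runSamples() {
  const out = {};
  for (const [name, body] of Object.entries(SAMPLE_BODIES)) {
    out[name] = analyseReflection(MARKER, body);
  }
  return out;
}

for (const [name, r] of Object.entries(runSamples())) {
  console.log(name, JSON.stringify(r), isLikelyVulnerable(r) ? 'LIKELY VULNERABLE' : 'ok');
}
```

The closing marker is what makes the check reliable: without it, the `<` of the next closing tag in the page would be mistaken for a raw reflection of the probe's `<`.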

Automated scanning: can test a large number of test cases quickly. Not complete, but a good method to find low-hanging fruit quickly.
Source code review: unsanitized use of input is fairly self-evident in code review. Time consuming, however, and complex code can make it difficult to follow input paths.
As with other flaws, a multi-pronged approach is best.

Preventing XSS
- Input whitelisting
- Context-sensitive output encoding: JavaScript, ActionScript, HTML, CSS, etc. must all be treated differently. Just encoding for HTML will not prevent all issues.

Context is Key
- HTML body
- HTML attribute context
- URL context
*courtesy of Jim Manico

Data Type | Context | Defense
Numeric, type-safe language | Doesn't matter | Cast to numeric
String | HTML body | HTML entity encode
String | HTML attribute, quoted | Minimal attribute encoding
String | HTML attribute, unquoted | Maximum attribute encoding
String | GET parameter | URL encoding
String | Untrusted URL | URL validation, avoid javascript: URLs, attribute encoding, safe URL verification
String | CSS | Strict structural validation, CSS hex encoding, good design
HTML | HTML body | HTML validation (JSoup, AntiSamy, HTML Sanitizer)
Any | DOM | DOM XSS cheat sheet
Untrusted JavaScript | Any | Sandboxing
JSON | Client parse time | JSON.parse() or json2.js
*courtesy of Jim Manico
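To make the table concrete, here is an added example in JavaScript (my own code, not from the talk or from Jim Manico's material): one encoder per context from the table, a whitelist check for the numeric row, and the same search-results page rendered three ways: with no encoding, with HTML-body encoding at every sink, and with the right encoder for each sink. Function names are mine and the page template is constructed for the demo.

```javascript
// Added example, not from the talk: context-sensitive output encoding,
// one encoder per row of the table above. Names are mine.

// Numeric, type-safe: whitelist the shape, then cast. Anything else is
// rejected rather than "cleaned".
function asInteger(value) {
  return /^-?\d{1,10}$/.test(String(value)) ? Number(value) : null;
}

// HTML body: entity-encode the characters that can open or close markup.
const HTML_BODY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
function encodeHtmlBody(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_BODY_MAP[c]);
}

// HTML attribute, "maximum" encoding: every non-alphanumeric becomes &#xHH;,
// so even an unquoted attribute value cannot be ended by a space.
function encodeHtmlAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// GET parameter: percent-encode so the value stays inside its own parameter.
function encodeUrlParam(value) {
  return encodeURIComponent(String(value));
}

// Inside a JavaScript string literal: \xHH / \u{...}-escape everything but
// alphanumerics, so the value can close neither the literal nor the <script>.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (c) => {
    const cp = c.codePointAt(0);
    return cp < 0x100 ? `\\x${cp.toString(16).padStart(2, '0')}` : `\\u{${cp.toString(16)}}`;
  });
}

// Untrusted URL: validate, then encode. Only http(s) or scheme-less
// (relative) URLs pass; javascript:, data: and the rest are refused.
// A scheme-less "//host/path" still passes this check; tighten if needed.
function safeHref(value) {
  const v = String(value).trim();
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(v);
  if (hasScheme && !/^https?:/i.test(v)) return null;
  return encodeHtmlAttribute(v);
}

// The search-results page from the slides' PHP snippet, but with the term
// landing in four contexts at once: body, unquoted attribute, URL, script.
function renderUnsafe(term) {
  return `<p>Your search results for ${term}</p>\n` +
         `<input name=q value=${term}>\n` +
         `<a href="/search?q=${term}">Search again</a>\n` +
         `<script>var lastTerm = '${term}';</script>`;
}

// "Just encoding for HTML": the HTML-body encoder at every sink.
function renderHtmlEncodedOnly(term) {
  const e = encodeHtmlBody(term);
  return `<p>Your search results for ${e}</p>\n` +
         `<input name=q value=${e}>\n` +
         `<a href="/search?q=${e}">Search again</a>\n` +
         `<script>var lastTerm = '${e}';</script>`;
}

// The right encoder for each context.
function renderContextEncoded(term) {
  return `<p>Your search results for ${encodeHtmlBody(term)}</p>\n` +
         `<input name=q value=${encodeHtmlAttribute(term)}>\n` +
         `<a href="/search?q=${encodeUrlParam(term)}">Search again</a>\n` +
         `<script>var lastTerm = '${encodeJsString(term)}';</script>`;
}

// Split the <input> tag into attribute tokens. A space that survives encoding
// in an unquoted value shows up as an extra attribute.
function inputTagAttributes(html) {
  const m = /<input ([^>]*)>/.exec(html);
  return m ? m[1].split(/\s+/) : [];
}
```

Feeding the term `x onfocus=y` through the three renderers shows the slide's point: HTML-body encoding leaves the space alone, so the unquoted attribute gains a second attribute exactly as in the unencoded version, while maximum attribute encoding keeps the whole term inside `value`. The URL row is the same story with `&`: entity-encoding it is correct for the body but, after the browser decodes the attribute, the query string still gains a parameter.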

To be truly successful, sanitization should be part of the development framework and not optional. It is most successful when the decision on whether to apply sanitization is not up to the individual developer but enforced by the development environment.

Anti-XSS Frameworks
- .NET: MS AntiXSS Library
- Java, .NET: OWASP AntiSamy
- JavaScript: Google Caja

Browser Based Defenses
Most modern browsers have some form of XSS protection, either built in or via a 3rd-party plugin (e.g. NoScript).
Bad code is still bad code: don't rely on the browser for defense.

DEMOS
Basic XSS Examples

Demos
All demos are available at
Feel free to play with them and use them in additional demonstrations.

#1 Basic XSS & Mitigation Strategies
Mitigation strategies:
- Basic: strips tags
- Good: encodes output within the HTML context
- Textarea: encloses the error message in a <textarea> tag

#2 Attacking Incomplete Filtering
No input is written to the page body, so we're safe, right?
The search term is written to a tag without sanitization.

#3 XSS with Style
Don't confuse limited means of input with limited input.
Some apps respond to multiple HTTP methods.
Cookies can provide a method of persistence within a user's browser session.

#4 DOM Based XSS
The site builds a comment link with a reference to the current URL.
A # in the URL before the payload keeps the attack from showing up in server logs.
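An added example (my own code, not the talk's demo #4) of the two points behind this demo and the earlier DOM Based XSS slide, using Node's built-in WHATWG URL parser: what the server receives, and therefore what its access log can record, stops at the query string, while the fragment is readable only by script in the page; and the DOM sink decides whether that fragment is treated as text or as markup. Function names, the sample URL and the log-line shape are mine.

```javascript
// Added example, not from the talk: the fragment never leaves the browser,
// and the DOM sink decides whether it is data or markup. Names are mine.

// What the HTTP request line carries for a URL: path and query only.
// This is all an access log can ever record.
function requestTargetSeenByServer(url) {
  const u = new URL(url);
  return u.pathname + u.search;
}

// What only client-side script can read: document.location.hash.
function fragmentSeenByScript(url) {
  return new URL(url).hash;
}

// A constructed access-log line (common log format shape, placeholder
// timestamp) built from the same parse, to show the fragment is absent.
function accessLogLine(clientIp, url) {
  return `${clientIp} - - [timestamp] "GET ${requestTargetSeenByServer(url)} HTTP/1.1" 200 -`;
}

// The slide's sink: document.write() treats its argument as HTML source, so a
// '<' inside location.href starts a tag. This returns the exact string the
// vulnerable page hands to document.write().
function bannerMarkupUnsafe(href) {
  return 'Site is at: ' + href + '.';
}

// Same banner with the href written as text. In a real page prefer a text
// node (element.textContent = ...) over document.write(); this small encoder
// gives the equivalent result when the page is built as a string.
function escapeText(s) {
  return String(s).replace(/[&<>]/g, (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;' }[c]));
}
function bannerMarkupSafe(href) {
  return 'Site is at: ' + escapeText(href) + '.';
}

// Would an HTML parser find a tag start anywhere in this string?
function containsTagStart(s) {
  return /<[a-z!\/]/i.test(s);
}

// Constructed sample: the part after '#' is the client-only portion.
const SAMPLE_URL = 'https://example.test/post/7?sort=new#client-side-only';
console.log(accessLogLine('203.0.113.5', SAMPLE_URL));
console.log('script sees:', fragmentSeenByScript(SAMPLE_URL));
```

For detection this is the practical consequence: a DOM-based flaw triggered through the fragment leaves no trace in server-side logs, so evidence has to come from the client (browser instrumentation, CSP violation reports, or the page's own telemetry), not from the web server's access log.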

#5 XSS through POST
Apps using only the POST method are not immune to XSS.
Requires the use of a secondary page to build and submit the exploitable form.

QUESTIONS?