Presentation is loading. Please wait.

Presentation is loading. Please wait.

XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)

Similar presentations


Presentation on theme: "XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)"— Presentation transcript:

1 XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)
RAMA KRISHNA CHAITANYA SOMAVAJHALA

2 What is Cross-Site Scripting? (CSS/XSS)
An attacker is able to inject his own JavaScript code into a web application, in such a way that the code is executed within a victim’s browser in the context of application. Types: Persistent XSS (Stored XSS) Reflected XSS (Non-Persistent XSS) DOM-based XSS (Local XSS) Players Include: An Attacker Web Application Client Server side Client side

3 The Sin Explained DOM XSS is a bug that allows an attacker to manipulate the DOM through untrusted input. var lists = document.body.all.tags('A'); for( var i =0; i< lists.length;i++) { lists[i].href=" } Code walks through the DOM for current web page or gadget and changes every anchor tag <a> to point to Studies have shown that one in ten websites are vulnerable to XSS attack

4 Cross-Site Scripting: Problem statement
Main problem: attacker‘s content ends in document and is not properly filtered/encoded Flow of data: from attacker-controllable source to security-sensitive sink Sources: e.g. the URL Sinks: e.g. document.write XMLHttpRequest object, often used in gadgets and AJAX applications, can read from files, not just make HTTP requests.

5 Examples of XSS Vulnerabilities
<script> alert(“Hacked..!!”) </script>

6 <img src=x onerror="alert('Pop-up window via stored XSS');“

7 DOM XSS will appear when a source that can be controlled by the user is used in a dangerous sink.
Popular Sinks HTML Modification sinks document.write (element).innerHTML HTML modification to behavior change (element).src (in certain elements) Execution Related sinks eval setTimout / setInterval execScript Popular Sources document.URL document.documentURI location.href location.search location.* window.name document.referrer

8 Spotting the Sin during Code Review
At a minimum, you should look for the following constructs. document.url document.location Web.Network.createRequest XMLHttpRequest Testing Techniques Use a proxy that injects random XSS snippets into the incoming data stream and see if the results are rendered by the gadget.

9 Redemption Techniques- Don’t trust the input
var MAX_TICKER_LEN = 6; var MAX_RESPONSE_LEN = 64; ... function getStockInfo(ticker) { if (ticker.length > MAX_TICKER_LEN) return "Invalid"; xhr = new XMLHttpRequest(); xhr.open("GET", " false); xhr.send(); if (xhr.readyState == 4) { if (xhr.statusText == "OK") { var response = xhr.responseText; if (response.length <= MAX_RESPONSE_LEN) { return response; } return "Invalid!";

10 Consider using a regular expression to validate the data before displaying it.
function isValidStockInfo(stock) { var re = /^[A-Z0-9\.\,\"\s]{1,18}$/ig; return re.test(stock); } Using SSL/TLS correctly for your network requests (as by using HTTPS rather than HTTP) can mitigate man-in-the-middle attacks. Replace Insecure Constructs with More Secure Construct Use innerHTML but use innerText instead, which is much safer.

11 Conclusion Do validate all external network data.
Do validate all external URL-based data Do not trust any data coming into your web page or gadget. Do not use eval() unless there is no other way to write your application. Consider using SSL/TLS for web server connections.

12 References R Ben Stock, Stephan Pfistner, Bernd Kaiser, Sebastian Lekies and Martin Johns, From Facepalm to Brain Bender: Exploring Client-Side Cross-Site Scripting, in 22th ACM Conference on Computer and Communications Security (ACM CCS'15), October 2015 M. Howard, D. LeBlanc, and J. Viega, 24 deadly sins of software security: programming flaws and how to fix them. New York: McGraw-Hill, 2010.


Download ppt "XSS (Client-side) CSCE 548 Building Secure Software(07/20/2016)"

Similar presentations


Ads by Google