An Introduction to Web Application Security


1 An Introduction to Web Application Security
Class 4: Cross-Site Scripting
December 18th 2014
Daniel Somerfield, Lead Consulting Developer, ThoughtWorks

2 This Week’s Agenda December 15th: Introduction to AppSec December 16th: Injection December 17th: Vulnerable Authentication & Session Management December 18th: Cross-Site Scripting December 19th: Secure Development Process

3 What is XSS? Cross-site scripting (XSS) occurs when an attacker maliciously submits data that the application renders to users in a context that alters the behavior or presentation of the site in a way not intended by the application developer.

4 What is XSS? The simple definition.
JavaScript, HTML, or CSS where it doesn’t belong messing with your app.

5 What's the threat?
Confidentiality ✓
Integrity ✓
Availability

6 Types of XSS
Persistent XSS
Server-reflected XSS
Client-reflected or DOM-based XSS

7 Persistent XSS
Actors: Attacker, User, Server, DB
1. Attacker -> Server: POST <script>myEvilJS();</script>
2. Server -> DB: INSERT <script>myEvilJS();</script>
3. User -> Server: GET /corrupted-page.html
4. Server -> DB: SELECT <script>myEvilJS();</script>
5. User's browser: RENDER <script>myEvilJS();</script>

8 Reflected XSS
Actors: Attacker, User, Server
1. Attacker -> User: Send URL (the script travels in a parameter of the URL, not in the server's database)
2. User -> Server: GET
3. User's browser: RENDER <script>myEvilJS();</script>

9 Authentication Demo
Demo pages:
Source code: https://github.com/danielsomerfield/app-sec-demo

10 XSS Demo: Reflected XSS

12 XSS Demo: Reflected XSS
Launch Chrome with a throwaway profile and its built-in XSS Auditor switched off, so the reflected payload is not filtered before the page renders it:
Google\ Chrome --user-data-dir=/tmp/dummy --disable-xss-auditor
Note: the XSS Auditor was removed in Chrome 78 (2019), so current Chrome needs no such flag to render a reflected payload.

13 Defending against XSS
Input validation
Output encoding
Safe script includes
Avoid mixed contexts
Avoid "unsafe" JavaScript like eval() and innerHTML

14 Input Validation, Basic Case
Decimal to hex converter
Input                               Output
42                                  2a
2001                                7d1
<script>alert("gotcha");</script>   ???

15 Being too helpful
"Foo bar" is not an acceptable input. Please enter a decimal number. [OK]
Echoing the rejected value back in the error message puts attacker-controlled text into the page: validation failed, but the input still reached the HTML. Either leave the input out of the message or output-encode it.
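An added example (not code from the slides or from the app-sec-demo repository) of the basic-case validation above, written as an allowlist check for the decimal-to-hex converter, with an error message that avoids the "too helpful" mistake of echoing the rejected input. The function names and the 15-digit length bound are my own assumptions.

```javascript
// Added example, not from the slides: allowlist validation for the
// decimal-to-hex converter, and an error message that does not reflect input.

// Allowlist: ASCII digits only, bounded so Number() stays exact (< 2^53).
// The bound is an assumption for the example, not something the slides state.
const DECIMAL_RE = /^[0-9]{1,15}$/;

function validateDecimal(input) {
  if (typeof input !== 'string' || !DECIMAL_RE.test(input)) {
    // Do NOT write `"${input}" is not an acceptable input`: that reflects
    // attacker-controlled text into the error page and is itself reflected XSS.
    return { ok: false, error: 'Please enter a decimal number.' };
  }
  return { ok: true, value: Number(input) };
}

// Converts validated input; rejected input never reaches the page.
function decimalToHex(input) {
  const v = validateDecimal(input);
  if (!v.ok) return v;
  return { ok: true, output: v.value.toString(16) };
}

// Renders one result row. On success both strings are digits / hex digits
// only, so they are safe in HTML body context without further encoding; on
// failure the message is a fixed literal with no user data in it.
function renderRow(input) {
  const r = decimalToHex(input);
  return r.ok
    ? `<tr><td>${input}</td><td>${r.output}</td></tr>`
    : `<tr><td colspan="2">${r.error}</td></tr>`;
}
```

Validation here is a real defence only because the allowlist is so narrow that anything passing it is harmless in every rendering context; the later slides on mail clients and HTML editors are exactly the cases where that stops being true and output encoding has to carry the load.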

16 More complex cases
A web-based email client
A web-based ssh client
Or, heaven help you, a web-based HTML editor

17 Browser Rendering Contexts
HTML context
HTML attribute context
JavaScript context
JavaScript string context
CSS context
JSON entity context
URL context

18 What is Output Encoding
Escaping characters and sequences so they do not render in the wrong context

19 HTML Output Encoding
$attackerInput = "<img src='
<p>$attackerInput</p>
Un-encoded: <p><img src='
Encoded: <p>&lt;img src='
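An added example (not code from the slides or from the app-sec-demo repository) of the HTML-context encoding shown above, with the vulnerable template beside its encoded form. The slide's payload is cut off after `<img src='`, so PAYLOAD below is a constructed stand-in; the function names are mine. It also goes one step beyond the slide to show the "avoid mixed contexts" caveat: the same encoder is not enough for an unquoted attribute.

```javascript
// Added example, not from the slides: HTML body-context output encoding.

const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode the six characters that matter in HTML text and quoted-attribute
// context. '&' must be encoded too, or an input of "&lt;" would decode back
// into a real '<' when the browser parses the page.
function encodeForHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Constructed payload standing in for the slide's truncated `<img src='`.
const PAYLOAD = "<img src='x' onerror='myEvilJS()'>";

// Vulnerable, as on the slide: <p>$attackerInput</p> with no encoding.
function renderUnsafe(attackerInput) {
  return `<p>${attackerInput}</p>`;
}

// Hardened: same template, value encoded for the context it lands in. The
// browser shows the literal text and creates no <img> element.
function renderSafe(attackerInput) {
  return `<p>${encodeForHtml(attackerInput)}</p>`;
}

// Caveat (mixed contexts): in an UNQUOTED attribute the encoder above is not
// enough. A value with none of the six characters still breaks out, because
// space and '=' are untouched and end the attribute.
function renderUnquotedAttr(attackerInput) {
  return `<div title=${encodeForHtml(attackerInput)}>...</div>`;
}

// Fix: always quote attributes, so the only way out is a quote, and quotes
// are encoded.
function renderQuotedAttr(attackerInput) {
  return `<div title="${encodeForHtml(attackerInput)}">...</div>`;
}
```

renderQuotedAttr is still only correct for plain attributes; an href, a style attribute or an inline event handler are the URL, CSS and JavaScript contexts from slide 17 and need their own encoders on top of this one.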

20 JavaScript String Output Encoding
$attackerInput = "\"); alert('gotcha');//"
<script> doSomething("$attackerInput"); </script>
Unescaped: doSomething(""); alert('gotcha');//");
Escaped: doSomething("\x22\x29\x3B\x20alert\x28\x27gotcha\x27\x29\x3B\x2F\x2F");
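An added example (not code from the slides or from the app-sec-demo repository) implementing the `\xHH` scheme the slide shows for the JavaScript string context: every character outside `[A-Za-z0-9]` is escaped, so no quote, parenthesis, slash or `<` survives to change the meaning of the literal. The encoder extends the slide's case to non-Latin-1 characters with `\uHHHH`; function names are mine.

```javascript
// Added example, not from the slides: encoding for the JavaScript string
// context using the \xHH / \uHHHH scheme from slide 20.

function encodeForJsString(value) {
  let out = '';
  for (const ch of String(value)) {
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;
    } else if (cp < 0x100) {
      out += '\\x' + cp.toString(16).toUpperCase().padStart(2, '0');
    } else if (cp < 0x10000) {
      out += '\\u' + cp.toString(16).toUpperCase().padStart(4, '0');
    } else {
      out += '\\u{' + cp.toString(16).toUpperCase() + '}';
    }
  }
  return out;
}

// The slide's input, as a JavaScript value: "); alert('gotcha');//
const ATTACKER_INPUT = '"); alert(\'gotcha\');//';

// Vulnerable, as on the slide: the value is pasted straight into a literal,
// so the attacker's quote and paren close the call and the rest runs as code.
function buildScriptUnsafe(attackerInput) {
  return `doSomething("${attackerInput}");`;
}

// Hardened: encoded for the string literal it sits in. Because '<' and '/'
// are escaped as well, a "</script>" inside the value cannot end the script
// block in the HTML parser either.
function buildScriptSafe(attackerInput) {
  return `doSomething("${encodeForJsString(attackerInput)}");`;
}

// Proof that the encoded text is data, not code: evaluate it as a string
// literal and compare with the original. new Function is used here only to
// demonstrate that; it is the kind of eval the slides say to keep out of app code.
function roundTrip(value) {
  return new Function(`return "${encodeForJsString(value)}";`)();
}
```

The encoder is only right for a quoted JavaScript string literal. Data dropped into JavaScript outside a string (an identifier, a number, an object key) cannot be made safe by escaping; validate it against an allowlist instead, or pass it through a JSON data attribute and read it from the DOM.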

21 What is CSRF? Cross Site Request Forgery: using the existing browser session to perform a privileged operation the user doesn't intend or expect.

22 Defending Against CSRF
Synchronizer token pattern: a per-session random secret embedded in each form and checked on submission
Built-in CSRF protection is included in many frameworks; prefer it to hand-rolled code
Double-submit cookie
Avoid GET for modifying operations; use POST, since a forged GET is as easy as an <img> tag

23 References
OWASP XSS Cheat Sheet https://
OWASP CSRF Cheat Sheet https://
OWASP Top 10 - A3 - Cross-Site Scripting https://
OWASP Top 10 - A8 - Cross-Site Request Forgery https://

24 This Week’s Agenda December 15th: Introduction to AppSec December 16th: Injection December 17th: Vulnerable Authentication & Session Management December 18th: Cross-Site Scripting December 19th: Secure Development Process

