Published by Kory Gibbs, modified over 9 years ago
Slide 1: Introduction to the OWASP Top 10
Slide 2: Cross Site Scripting (XSS)
Comes in several flavors:
- Stored
- Reflective
- DOM-Based
Slide 3: Stored XSS
- Malicious code is posted to a site (blog, guestbook, etc.) and is displayed back to other site visitors
- The code is executed by the browser whenever someone views the page containing the stored XSS code
Slide 4: Reflective XSS
- Malicious code is embedded in a URL
- Following the URL sends the code to the server, which displays (reflects) it back to the browser
- The browser trusts the code because it comes from a “trusted” source
- Normally this requires a web form using the GET method, but there is a workaround
Slide 5: DOM-Based XSS
- Modification of a Document Object Model object within the client’s browser
- The server may never handle the malicious code
- Malicious code is embedded in a DOM parameter modification
- Ex: http://www.some.site/page.html#language=<script>alert(document.cookie)</script>
- The payload is executed by the client when document.location.href.indexOf("language=") is processed
Slide 6: XSS Risks
- Display an alert box (pretty benign)
- Redirect the user to another server
- Pass session and other cookies to another server
- Hijack the user’s session
Slide 7: XSS Defenses
- Never use untrusted data directly within tags
- Escape all untrusted content to be used in an HTML context
- “Whitelist” input validation: only allow input from a predefined set
- Your framework may do some or all of this for you
- Libraries are available as well
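Added example (not from the slides): the #language= fragment from the DOM-based XSS slide, handled first the vulnerable way and then with the whitelist validation and HTML escaping from the defenses slide. Function names, the allowed-language list and the sample URL are assumptions made for this example; it runs in Node without a browser DOM by returning the markup as strings.

```javascript
// Escape a value for an HTML element-content context: & < > " ' /
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;',
                '"': '&quot;', "'": '&#x27;', '/': '&#x2F;' };
  return String(untrusted).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Extract the "language=" value from a location.href the way the slide
// describes (indexOf on the fragment). Returns '' when it is absent.
function languageFromHref(href) {
  const marker = 'language=';
  const at = href.indexOf(marker);
  if (at === -1) return '';
  let value = href.slice(at + marker.length);
  const end = value.search(/[&#]/);      // stop at the next parameter
  if (end !== -1) value = value.slice(0, end);
  try { return decodeURIComponent(value); } catch { return value; }
}

// Vulnerable pattern from the slide: the fragment goes straight into
// markup (what element.innerHTML = ... would do in the browser), so a
// fragment carrying <script> is rendered as a script element.
function renderLanguageUnsafe(href) {
  return '<p>Language: ' + languageFromHref(href) + '</p>';
}

// Hypothetical whitelist of languages the page actually supports.
const ALLOWED_LANGUAGES = ['en', 'de', 'fr'];

// Defended pattern: whitelist validation decides what is used, and the
// value is still HTML-escaped before it reaches markup (defense in depth).
function renderLanguageSafe(href) {
  const requested = languageFromHref(href);
  const chosen = ALLOWED_LANGUAGES.includes(requested) ? requested : 'en';
  return '<p>Language: ' + escapeHtml(chosen) + '</p>';
}

// Constructed sample: the slide's example URL with its payload.
const SAMPLE_HREF =
  'http://www.some.site/page.html#language=<script>alert(document.cookie)</script>';
```

In a real page the string returned by renderLanguageSafe would be assigned with textContent rather than innerHTML, which removes the HTML context entirely.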
Slide 8: References
- OWASP XSS Wiki Page: http://www.owasp.org/index.php/Top_10_2010-A2
- DOM XSS: http://www.webappsec.org/projects/articles/071105.shtml
- Anatomy of a XSS Attack: http://www.infosecwriters.com/hhworld/hh8/csstut.htm
- XSS Prevention: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet