Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.


1 Introduction to the OWASP Top 10

2 Cross Site Scripting (XSS)
 Comes in three flavors, distinguished by where the attacker's script is stored and which component (server or browser) places it into the page:
 Stored
 Reflected (also called reflective)
 DOM-based

3 Stored XSS
 Malicious script is submitted to a site that persists it (blog comment, guestbook entry, profile field) and later renders it back to other visitors
 The script runs in every visitor's browser, with that site's cookies and DOM, whenever a page containing the stored payload is displayed; no per-victim link is needed

4 Reflected XSS
 Malicious script is embedded in a URL parameter (search term, error message, form field) that the page echoes back
 Following the URL sends the script to the server, which includes (reflects) it unchanged in the response
 The browser runs it with the vulnerable site's origin: from the browser's point of view the script was served by that site, so it gets that site's cookies and DOM
 Normally this requires the vulnerable page to read its input from a GET request so the payload fits in a link; a POST-only form can still be attacked by luring the victim to an attacker page that auto-submits the form

5 DOM-Based XSS
 The page's own JavaScript takes attacker-controlled data from the Document Object Model (URL, fragment, referrer) and writes it into the page inside the client's browser
 The server may never handle the malicious code: a fragment after # is not sent to the server at all, so server-side filtering and logging see nothing
 The payload rides in a parameter the client-side script reads
 Ex: http://www.some.site/page.html#language=<script>alert(document.cookie)</script>
 Payload is executed by the client when the page script reads document.location.href, locates indexOf("language=") and writes everything after it into the document

6 XSS Risks
 Display an alert box: the usual proof of concept, harmless in itself but proof that arbitrary script runs in the victim's browser
 Redirect the user to another server (phishing pages, malware)
 Pass session and other cookies to an attacker-controlled server
 Hijack the user's session and act as that user on the site

7 XSS Defenses
 Never put untrusted data in contexts that cannot be safely escaped: directly inside a script or style block, inside an HTML comment, or as a tag or attribute name
 Escape all untrusted content for the context it is placed in; for HTML element content that means entity-encoding at least & < > " ' and /
 "Whitelist" (allow-list) input validation: only accept input that matches a predefined set or pattern, and reject the rest rather than trying to strip bad parts
 Your framework may do some or all of this for you; check which contexts its auto-escaping covers
 Libraries are available as well

8 References
 OWASP Top 10 2010, A2 (XSS): http://www.owasp.org/index.php/Top_10_2010-A2
 DOM XSS: http://www.webappsec.org/projects/articles/071105.shtml
 Anatomy of a XSS Attack: http://www.infosecwriters.com/hhworld/hh8/csstut.htm
 XSS Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet

