
Copyright 2007 © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.


1 Copyright 2007 © The OWASP Foundation. Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP Foundation, http://www.owasp.org
Cross Site Scripting (XSS) Module (to be combined), Education Project

2 Cross-Site Scripting (XSS)
- Occurs any time raw data from an attacker is sent to an innocent user
- Raw data may be:
  - Stored in a database
  - Reflected from web input (form field, hidden field, URL, etc.)
  - Sent directly into a rich JavaScript client
- Virtually every web application has this problem
- Try this in your browser – javascript:alert(document.cookie)

3 Impact
- Allows an attacker to embed malicious code: JavaScript (AJAX!), VBScript, ActiveX, HTML, or Flash
- Threats: phishing, session hijacking, changing of user settings, cookie theft/poisoning, false advertising, execution of code on the client, ...

4 XSS Types
- Reflected: link in another website or an e-mail link
- Stored: e.g. bulletin board, forum
- DOM-Based

5 Cross-Site Scripting Illustrated (application with a stored XSS vulnerability)
1. Attacker sets the trap – "update my profile": the attacker enters a malicious script into a web page that stores the data on the server.
2. Victim views the page – sees the attacker's profile: the script runs inside the victim's browser with full access to the DOM and cookies.
3. The script silently sends the attacker the victim's session cookie.
[Diagram: application layers labelled Custom Code; Accounts, Finance, Administration, Transactions, Communication, Knowledge Mgmt, E-Commerce, Bus. Functions]

6 Example

7 Protection
- Input validation
- Output encoding (HTML entities):
  - < → &lt;
  - > → &gt;
  - ( → &#40;
  - ) → &#41;
  - # → &#35;
  - & → &amp;
- Do not use "blacklist" validation
- Specify the output encoding
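The output-encoding rule from the slide, worked through for the stored-profile scenario of slide 5. This is an added example, not code from the OWASP module; `encodeForHtml`, `renderProfileUnsafe` and `renderProfileSafe` are illustrative names, and the profile string is a constructed sample input.

```javascript
// Added example (not from the OWASP slides): HTML-body-context output encoding.
// Every character that can change the HTML parser's state becomes an entity,
// so attacker-supplied data is rendered as text and never as markup.
const HTML_ENTITIES = {
  "&": "&amp;",   // encode first in spirit: an unencoded & would re-open decoding
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#x27;",
  "(": "&#40;",
  ")": "&#41;",
  "#": "&#35;",
  "/": "&#x2F;",
};

function encodeForHtml(untrusted) {
  // Allow-list approach, as the slide advises against blacklists: letters,
  // digits, space and a few harmless punctuation marks pass through; every
  // other character is encoded, using the table above or a numeric entity.
  return String(untrusted).replace(/[^A-Za-z0-9 .,_:;!?@-]/gu, (ch) =>
    ch in HTML_ENTITIES ? HTML_ENTITIES[ch] : "&#" + ch.codePointAt(0) + ";"
  );
}

// "Before": the stored profile text is concatenated raw into the page,
// which is exactly the stored XSS illustrated on slide 5.
function renderProfileUnsafe(displayName) {
  return '<div class="profile">' + displayName + "</div>";
}

// "After": the same data encoded for the HTML body context at the point of
// output. The server still stores whatever the user typed; the browser just
// sees text.
function renderProfileSafe(displayName) {
  return '<div class="profile">' + encodeForHtml(displayName) + "</div>";
}

// Constructed sample input: the kind of profile value an attacker would store.
const STORED_PROFILE = "<script>alert(document.cookie)</script>";

console.log(renderProfileUnsafe(STORED_PROFILE)); // executes in the victim's browser
console.log(renderProfileSafe(STORED_PROFILE));   // displays literally, runs nothing
```

The encoded output still needs the page's character set declared (the slide's last bullet), otherwise the browser may guess an encoding in which other byte sequences map to `<`.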

8 Cross-Site Scripting (XSS) – References
- OWASP – Cross site scripting, http://www.owasp.org/index.php/Cross_Site_Scripting
- OWASP – Testing for XSS, http://www.owasp.org/index.php/Testing_for_Cross_site_scripting
- OWASP Stinger Project (a Java EE validation filter), http://www.owasp.org/index.php/Category:OWASP_Stinger_Project
- OWASP PHP Filter Project, http://www.owasp.org/index.php/OWASP_PHP_Filters
- OWASP Encoding Project, http://www.owasp.org/index.php/Category:OWASP_Encoding_Project
- RSnake, XSS Cheat Sheet, http://ha.ckers.org/xss.html
- Klein, A., DOM Based Cross Site Scripting, http://www.webappsec.org/projects/articles/071105.shtml
- .NET Anti-XSS Library, http://www.microsoft.com/downloads/details.aspx?FamilyID=efb9c819-53ff-4f82-bfaf-e11625130c25&DisplayLang=en

