XSS- an application security vulnerability
![Page 1: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/1.jpg)
XSS (Cross-Site Scripting) - An application security vulnerability from a developer's point of view
Soumyasanto Sen, #sitMUC
@soumyasanto
![Page 2: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/2.jpg)
Definition
Wikipedia says "XSS enables attackers to inject client-side script into web pages viewed by other users".
OWASP (the free and open software security community) says "Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites."
"An XSS attack occurs when a script from an untrusted source is executed in rendering a page"
![Page 3: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/3.jpg)
What is XSS?
A client-side vulnerability, but it can also be a server-side one. It is based on injection through JavaScript, VBScript, Flash, HTML, JSON, ActiveX etc., and is due to insufficient validation and sanitization.
Attacker's Paradise: stealing credentials and private info; executing commands (CSRF) and malicious scripts; redirection to a malicious site; port scanning, phishing, keylogging etc.
![Page 4: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/4.jpg)
What is XSS?
![Page 5: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/5.jpg)
Why XSS?
According to the latest WhiteHat Security report, 47% of web applications have an XSS vulnerability
![Page 6: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/6.jpg)
Why XSS?
According to the Google Vulnerability Reward Program's statistics, XSS is the most reported issue
![Page 7: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/7.jpg)
Why XSS?
According to the "Open Sourced Vulnerability Database", XSS is at #1
![Page 8: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/8.jpg)
Why XSS?
The Trustwave Global Security Report says XSS is again the highest
![Page 9: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/9.jpg)
Example: Based on Testing
No Monkey Testing
![Page 10: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/10.jpg)
Example: Based on Testing (Definitions)
Injection Points: the points through which the attacker can enter or inject scripts:
• Insert/Edit Text
• Insert/Edit Image
• Insert/Edit URL
• Set Attributes
• Insert/Upload File
• Insert/Upload Video
What is Context? A context is the environment where user-supplied input, or input from other application(s), eventually ends up or starts living.
“Context Is King for All Areas of IT Security”
![Page 11: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/11.jpg)
Example: Based on Testing (Contexts)
http://www.ea.com/search?q=“XYZ
![Page 12: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/12.jpg)
Example: Based on Testing (Contexts)
http://www.ea.com/search?q=“JUNK
![Page 13: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/13.jpg)
Example: Based on Testing (Contexts)
http://search.health.com/results.html?Ntt=xxxxxxxxxx
Single Quotes Case
Double Quotes Case
![Page 14: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/14.jpg)
Example: Based on Testing (Contexts)
https://www.froala.com/wysiwyg-editor
![Page 15: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/15.jpg)
Example: Based on Testing (Contexts)
![Page 16: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/16.jpg)
Example: Based on Testing (Summary of Contexts)
![Page 17: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/17.jpg)
Example: Based on Testing (Attack Methodology)
ATTACK METHODOLOGY
• Systematic in nature
• Easy to understand
• Context-specific
• The attack methodology is `complete`: one can guarantee that there is an XSS or no XSS in a particular injection point.
• With the help of the attack methodology, one can make a secure per-context XSS sanitizer
• Can be applied to other server-side languages
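Added example (not code from the slides): one encoder per output context, which is what a secure per-context XSS sanitizer comes down to. It covers the HTML, attribute, script and style contexts the deck walks through; `render` and its helpers are hypothetical names, and the style context is handled by validation rather than escaping.

```javascript
// Added example, not from the slides: the encoder is chosen by WHERE the
// untrusted value lands in the page, never by what the value looks like.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// HTML body and quoted-attribute context: neutralise the five characters that
// can open a tag or close the surrounding attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Script context (inside a quoted JS string literal): \uXXXX-encode everything
// except a small alphanumeric set, so quotes, backslashes and "</script>" can
// never terminate the literal or the script element.
function escapeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Style context: a property value like width should only ever be a length,
// so validate against an allow-list instead of trying to escape arbitrary
// text (this is what stops the deck's width:expression(...) bypass).
function safeCssLength(value) {
  return /^\d{1,4}(px|em|%)$/.test(value) ? value : "auto";
}

// Hypothetical renderer: one branch per context, each with its own encoder.
function render(context, value) {
  switch (context) {
    case "html":   return `<div>${escapeHtml(value)}</div>`;
    case "attr":   return `<input value="${escapeHtml(value)}">`;
    case "script": return `<script>var q = "${escapeJsString(value)}";</script>`;
    case "style":  return `<div style="width:${safeCssLength(value)}"></div>`;
    default: throw new Error("unknown output context: " + context);
  }
}

// Constructed inputs mirroring the bypass strings shown later in the deck.
console.log(render("html", "<img src=x id=confirm(1) onerror=eval(id)>"));
console.log(render("style", "expression(alert(1))"));
```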
![Page 18: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/18.jpg)
Example: Based on Testing (Attack Methodology)
SCRIPT CONTEXT ATTACK METHODOLOGY
Demo: http://jsfiddle.net/4eqK4/5/
![Page 19: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/19.jpg)
Example: Based on Testing (Attack Methodology)
ATTRIBUTE CONTEXT ATTACK METHODOLOGY
Demo: http://www.drudgereportarchives.com/dsp/search.htm
http://jsfiddle.net/9t8UM/3/
![Page 20: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/20.jpg)
Example: Based on Testing (Attack Methodology)
STYLE CONTEXT ATTACK METHODOLOGY
![Page 21: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/21.jpg)
Example: Based on Testing (Attack Methodology)
URL CONTEXT ATTACK METHODOLOGY
![Page 22: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/22.jpg)
Example: Based on Testing (Attack Methodology)
<a href="url">link text</a>
<a href=javascript:alert(1)>link text</a>
<img src="pic_mountain.jpg">
<img src=javascript:while(1){}>
![Page 23: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/23.jpg)
Example: Based on Testing (Attack Methodology)
Encoding will not help in breaking the script context unless developers are doing some sort of explicit decoding.
![Page 24: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/24.jpg)
Example: Based on Testing (Customized XSS Solutions)
Two arrays of black-listed keywords. Other names: filterXSS and noXSS
![Page 25: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/25.jpg)
Example: Based on Testing (Customized XSS Solutions)
Two arrays of black-listed keywords
Bypass: <img src=x id=confirm(1) onerror=eval(id)
![Page 26: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/26.jpg)
Example: Based on Testing (Customized XSS Solutions)
The goal of this function is to stop JavaScript execution via style.
Bypass: width:expression(alert(1))
![Page 27: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/27.jpg)
Example: Based on Testing (Customized XSS Solutions)
Another popular customized XSS protection solution
![Page 28: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/28.jpg)
Example: Based on Testing (Summary of Bypasses)
![Page 29: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/29.jpg)
Example: Based on Testing (Real Solutions)
![Page 30: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/30.jpg)
Example: Based on Testing (Real Solutions)
Protection against JavaScript execution via `url`, e.g. an img's src and/or an anchor's href attribute: implementation of `urlContextCleaner()`
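Added example (not the deck's code): a URL-context cleaner in the spirit of the `urlContextCleaner()` named above. It assumes it receives the already-decoded attribute value and that only http, https, mailto and same-site relative URLs are wanted; `renderLink`, `SAFE_SCHEMES` and `FALLBACK_URL` are assumed names.

```javascript
// Added example, not from the slides: allow-list the URL scheme instead of
// black-listing "javascript". Applied to the decoded value before it is put
// into href/src; anything not on the allow-list becomes a harmless URL.

const SAFE_SCHEMES = new Set(["http", "https", "mailto"]);
const FALLBACK_URL = "about:blank";

function urlContextCleaner(raw) {
  if (typeof raw !== "string") return FALLBACK_URL;
  // Browsers drop tab/CR/LF anywhere in a URL and strip leading/trailing
  // C0 controls and spaces before resolving it, so normalise the same way;
  // otherwise "java\tscript:" would look different from what the browser
  // actually executes.
  const url = raw.replace(/[\t\r\n]/g, "").replace(/^[\x00-\x20]+|[\x00-\x20]+$/g, "");
  // A scheme is a letter followed by letters/digits/+/-/. and a colon (RFC 3986).
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(url);
  if (m) {
    // Compare case-insensitively: "JaVaScRiPt:" is the same scheme to a browser.
    return SAFE_SCHEMES.has(m[1].toLowerCase()) ? url : FALLBACK_URL;
  }
  // No scheme: "/path", "?q=1", "#frag", "page.html" are same-site relative.
  // A scheme-relative "//other.host/" still navigates off-site, so reject it.
  // (A relative path containing ":" in its first segment is also rejected
  // above; that is the conservative side to err on.)
  if (url.startsWith("//")) return FALLBACK_URL;
  return url;
}

// Attribute-context escaping for the cleaned value, so a quote inside a
// query string cannot close the href attribute.
function escapeAttr(s) {
  return s.replace(/&/g, "&amp;").replace(/"/g, "&quot;").replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

// Hypothetical link renderer: URL cleaning first, then attribute escaping.
function renderLink(href, text) {
  return `<a href="${escapeAttr(urlContextCleaner(href))}">${escapeAttr(text)}</a>`;
}

// Constructed inputs: a benign link and the deck's javascript: anchor.
console.log(renderLink('https://example.com/?q=1&x="y"', "docs"));
console.log(renderLink("javascript:alert(1)", "link text"));
```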
![Page 31: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/31.jpg)
Example: Based on Testing (Solutions - Make it Simple)
WYSIWYG: What You See Is What You Get
· Forum Post
· Private Messaging
· Wiki Post
· Support Ticket
· Signature Creation
· Comments
![Page 32: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/32.jpg)
Example: Based on Testing (Solutions - Make it Simple)
WYSIWYG: What You See Is What You Get
![Page 33: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/33.jpg)
Example: Based on Real (Bypassing)
ABAP Case Study
![Page 34: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/34.jpg)
Demo: Based on Games(Bypassing)
https://xss-game.appspot.com/
http://xssplaygroundforfunandlearn.netai.net/series1.html
https://html5sec.org/innerhtml/ (Mario Heiderich's Utility)
![Page 35: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/35.jpg)
Tools & Testing
![Page 36: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/36.jpg)
Preventions
XSS (Cross Site Scripting) Prevention Cheat Sheet from OWASP (HTML5 Security Cheat Sheet)
Validation of XSS input: use white-listing, escaping and sanitization methods (use sanitizers)
“Do not trust anything ever, especially when it comes to user input”
Understanding common browser behaviors that lead to XSS
Learning the best practices for your technology
![Page 37: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/37.jpg)
Latest News
Salesforce plugs silly website XSS hole, hopes nobody spotted it (Mid August)
Critical PayPal XSS vulnerability left accounts open to attack (Late August)
eBay Fixes XSS Flaw in Subdomain (Early September)
Netflix Sleepy Puppy Awakens XSS Vulnerabilities in Secondary Applications (Early September)
Attackers exploit vulnerabilities in two WordPress plugins (Early May)
![Page 38: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/38.jpg)
Latest News
0-day XSS vulnerability on SAP website put customers’ data at risk of theft by hackers (Early May)
SAP HANA Databases Vulnerable to XSS and SQL Injections (Late June)
Overall: Almost ALL websites have serious security vulnerabilities, study shows
![Page 39: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/39.jpg)
Challenges
Lack of enough penetration testing
(92% of the respondents perform penetration testing: 21% perform it annually, 26% perform it quarterly and 8% never perform penetration testing.)
Taking responsibility from the developers
Unawareness of the XSS vulnerability
Not taking it seriously
![Page 40: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/40.jpg)
Conclusion
XSS is unavoidable, at least nowadays! Now it's your job to raise the bar for the attacker.
“XSS is Everywhere” (Short and Simple)
Use prevention, go for solutions in the form of layers, keep updated & do regular penetration testing
![Page 41: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/41.jpg)
Learning
![Page 42: XSS- an application security vulnerability](https://reader036.fdocuments.us/reader036/viewer/2022070519/58efbc841a28ab657e8b45fd/html5/thumbnails/42.jpg)
Thank You
Soumyasanto Sen
@soumyasanto
Dr. Ashar Javed: http://slides.com/mscasharjaved/