Xss.e xopresentation from eXo SEA
www.exoplatform.com
Copyright 2011 eXo Platform
XSS and eXo Products
Portal & TQA teams, Oct 2011
Agenda
» Introduction to XSS
» XSS sample cases
» Preventing XSS Attacks
» XSS in eXo products
Introduction to XSS
What is XSS?
» XSS stands for Cross Site Scripting
» Allows execution of arbitrary code
» Often involves tricking the end user
» Over 70% of websites may be vulnerable
How Does XSS Work?
» Scenario 1:
• You get an email with a URL that looks like
http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E
• Click on it and the web page displays the username, with the result shown on the slide
How Does XSS Work?
» Scenario 2:
• There is a comment form on a web page. You paste the following string into the form:
This is my comment <SCRIPT>alert("XSS");</SCRIPT>
• Every user who visits the page will get the alert
XSS Sample Cases
XSS Cases
Sample video
XSS types
» Non-persistent (reflected)
• The most common type of XSS injection
• Requires server side interpretation of the query
• Third-party required
» Persistent (stored)
• The most dangerous type of XSS injection
• Requires server side interpretation of the query and data storing
• Third-party may not be required
» DOM-Based
• The newest type of XSS injection
• Requires client side interpretation
• Usually non-persistent
The Impact of XSS
» Redirection
» Clickjacking
» URL Spoofing
» Session Hijacking
» Cookie Stuffing
» Ad Hijacking
» History stealing
» Key & Mouse logging
The Impact of XSS
» Redirection
» Redirect the victim, e.g. document.location = "http://xxxsite.com"
» Create fake traffic
» Popular
» Clickjacking
» Describes one website that poses as another
» Used in phishing, gives high credibility
» Extremely popular
The Impact of XSS
» Session Hijacking
» Also known as 'Cookie Stealing'
» Usually uses document.cookie
» Lets the attacker take over another user's logged-in session
» Needs a cookie grabber
» Cookie Stuffing
» Also known as ‘Cookie Dropping’
» Used in black hat online marketing
» Generates illegitimate affiliate sales by hijacking cookies
» Uses popups, frames and iframes, images, JS, CSS or Flash to accomplish cookie dropping
The Impact of XSS
» Key & Mouse logging
» Log all keystrokes or mouse moves and send them to a remote server
» document.onkeypress / document.onmousemove event
The Impact of XSS
» And many, many more dangerous things come from XSS issues...
Preventing XSS attacks
Preventing XSS attacks
» Filtering
» Never trust user input and always filter metacharacters
» This method is less effective on the input side because content can be entered into a DB via methods other than HTTP. Filtering should be done as part of the data output process, just before it is rendered
» Encoding
» It is recommended because it does not require developers to decide which characters could legitimately be entered and need to be passed through
» May have a performance impact on some web servers
» Rely on org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTML(String) or
» org.exoplatform.commons.utils.HTMLEntityEncoder#encodeHTMLAttribute(String)
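As an added example (not eXo code), the output-time encoding the slide recommends, applied to the two scenarios from the earlier slides; encodeHTML and encodeHTMLAttribute are from-scratch stand-ins for the HTMLEntityEncoder methods named above, and the render functions are hypothetical.

```javascript
// Added example, not code from the eXo slides or eXo Platform. encodeHTML and
// encodeHTMLAttribute are from-scratch stand-ins for the two
// org.exoplatform.commons.utils.HTMLEntityEncoder methods the slide names.

// Body context (text between tags): replace the characters that can open a tag,
// an entity or a quoted string.
const BODY_MAP = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeHTML(s) {
  return String(s).replace(/[&<>"']/g, (c) => BODY_MAP[c]);
}

// Attribute context: stricter, because an unquoted attribute value ends at
// whitespace. Every character outside [A-Za-z0-9] becomes a numeric entity.
function encodeHTMLAttribute(s) {
  return String(s).replace(/[^A-Za-z0-9]/gu,
    (c) => `&#x${c.codePointAt(0).toString(16).toUpperCase()};`);
}

// Scenario 1 (slide 5): the username arrives percent-encoded in the query
// string. Decoding belongs to input handling; encoding belongs to output,
// just before rendering, as the filtering slide recommends.
const SCENARIO1_URL =
  "http://example.com?username=%3C%53%43%52%49%50%54%3E%61%6C%65%72%74%28%22%58%53%53%22%29%3B%3C%2F%53%43%52%49%50%54%3E";
function usernameFromUrl(url) {
  return new URL(url).searchParams.get("username"); // already percent-decoded
}

// Vulnerable rendering concatenates the raw value; hardened rendering encodes
// for the context the value lands in.
function renderGreetingUnsafe(username) {
  return `<p>Welcome, ${username}</p>`;
}
function renderGreeting(username) {
  return `<p>Welcome, ${encodeHTML(username)}</p>`;
}

// Scenario 2 (slide 6): a stored comment rendered as text and, in a tooltip,
// as an attribute value. Each placement uses the matching encoder.
const COMMENT = 'This is my comment <SCRIPT>alert("XSS");</SCRIPT>';
function renderComment(comment) {
  return `<div title="${encodeHTMLAttribute(comment)}">${encodeHTML(comment)}</div>`;
}

// Simple check for the demonstration: does a raw script tag survive into the output?
function containsScriptTag(html) {
  return /<script/i.test(html);
}
```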
Preventing XSS attacks
» Secure cookies using the HttpOnly attribute
» Associate sessions with IP addresses
» Install an application firewall
» Educate users
XSS in eXo Products
Examples of how to detect XSS vulnerabilities
Use case of Reflected XSS
Package: WCM 2.2.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-1773
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Use case of Stored XSS
Package: Social 1.2.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/SOC-1532
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Use case of DOM-based XSS
Package: ECMS 2.3.x
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-2791
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
XSS exploit based on a logic vulnerability
Package: PLF 3.5.0
Attack steps:
See defect description in this link
https://jira.exoplatform.org/browse/ECMS-2723
https://jira.exoplatform.org/browse/ECMS-2736
Browsers: Internet Explorer 7, Firefox 3
Consequence: session hijacking & more
Question for listeners:
What is the best solution for this situation?
References for audiences
1. Guideline of Secure Coding Standards
   http://www.oracle.com/technetwork/java/seccodeguide-139067.html#6-1
2. eXo Wiki security links
   EXO-RedHat Collaboration Study: https://wiki-int.exoplatform.org/display/rhcollab/XSS
   TQA Security Test: https://wiki-int.exoplatform.org/display/TQA/SECURITY
   Deployment & Configuration rules (ITOP): https://wiki-int.exoplatform.org/display/ITOP/eXo+Applications+and+security
DISCUSSION