XSS Injection Vulnerabilities

This presentation explores how to test for cross-site scripting (XSS) injection vulnerabilities, prevention, best practices, a small lab (introduction to WebGoat), etc.



  • 1. XSS Cross site scripting
  • 2. Pankaj Dey, Mindfire
  • 3. Who knows XSS?
  • 4. What is cross site scripting? XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website.
  • 5. Traditional XSS
  • 6. Is XSS dangerous? Big yes (#2 in the OWASP Top 10). Just think: any JavaScript the attacker wants will run in the victim’s browser in the context of the vulnerable web page. What can you do with JavaScript?
  • 7. What can you do with JavaScript?
    • Pop-up alerts and prompts
    • Access/modify the DOM
    • Access cookies/session tokens
    • “Circumvent” the same-origin policy
    • Virtually deface the web page
    • Detect installed programs
    • Detect browser history
    • Capture keystrokes (and other trojan functionality)
    • Port scan the local network
    • Induce user actions … and so on.
  • 8. Types of XSS
    • Reflected XSS
    • Stored XSS (a.k.a. “Persistent XSS”)
    • DOM Based XSS
  • 9. Reflected XSS
    • Exploit URL: http://www.nikebiz.com/search/?q=<script>alert('XSS')</script>&x=0&y=0
    • HTML returned to the victim:
      <div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')</script>"</h2>
  • 10. Stored XSS. JavaScript supplied by the attacker is stored by the website (e.g. in a database). It doesn’t require the victim to supply the JavaScript somehow; the victim only has to visit the exploited web page. More dangerous than reflected XSS; it has resulted in many XSS worms on high-profile sites like MySpace and Twitter.
  • 11. DOM Based XSS. DOM Based XSS (or, as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client-side script, so that the client-side code runs in an “unexpected” manner. https://www.owasp.org/index.php/DOM_Based_XSS
  • 12. Webgoat
  • 13. Tools we need..
    • XSS-Proxy - http://xss-proxy.sourceforge.net/
    • ratproxy - http://code.google.com/p/ratproxy/
    • Burp Proxy - http://portswigger.net/proxy/
    • OWASP Zed Attack Proxy (ZAP) - OWASP_Zed_Attack_Proxy_Project
    • HackVertor - http://www.businessinfo.co.uk/labs/hackvertor/hackvertor.php
    • PHP Charset Encoder (PCE) - http://h4k.in/encoding [mirror: http://yehg.net/e ]
    • OWASP Xenotix XSS Exploit Framework - https://www.owasp.org/index.php/OWASP_Xenotix_XSS_Exploit_Framework
    • DOM Based XSS tools
  • 14. Limitations. These tools often fail to test a substantial fraction of a web application’s logic, especially when that logic is invoked from pages that can only be reached after filling out complex forms that check the correctness of the provided values.
  • 15. Testing guide
    • Black box testing:
      1. Detect input vectors.
      2. Analyze each input vector to detect potential vulnerabilities. XSS Filter Evasion Cheat Sheet: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
      3. For each test input attempted in the previous phase, the tester analyzes the result and determines whether it represents a vulnerability with a realistic impact on the web application's security.
    • Gray box testing is similar to black box testing, but with partial knowledge of the application.
    • References: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet and https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)
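The "analyze each input vector" step of the testing guide above, as an added example that is not part of the presentation: you have submitted a harmless marker string in one input of an application you are testing and captured the response body; the code classifies whether the marker came back at all, whether its metacharacters survived, and in which HTML context it landed, because the context decides which encoding the fix needs. The marker, the helper names and every response body are constructed for this example; it runs under Node.js with no network access.

```javascript
// Added example, not from the presentation: offline analysis of how a probe
// value was reflected in a captured HTTP response body. Runs under Node.js.

// Marker = unusual core + the metacharacters an injection would need.
const MARKER_CORE = "xssprobe7f3";
const MARKER_SPECIALS = "<\">'";
const MARKER = MARKER_CORE + MARKER_SPECIALS;

// Where in the document is position idx? "script" = inside an open <script>
// block, "tag" = between < and > (attribute territory), otherwise "text".
function contextAt(body, idx) {
  const before = body.slice(0, idx);
  const lower = before.toLowerCase();
  if (lower.lastIndexOf("<script") > lower.lastIndexOf("</script")) return "script";
  if (before.lastIndexOf("<") > before.lastIndexOf(">")) return "tag";
  return "text";
}

// What happened to the metacharacters that follow the core at position idx?
function reflectionKindAt(body, idx) {
  const start = idx + MARKER_CORE.length;
  const tail = body.slice(start, start + 40);
  if (tail.startsWith(MARKER_SPECIALS)) return "raw";       // returned verbatim
  if (/^(&lt;|&#60;|&#x3c;)/i.test(tail)) return "encoded"; // first special became an entity
  return "filtered";                                         // specials stripped or altered
}

// One finding per occurrence of the core; "risky" when any occurrence is raw,
// because raw metacharacters break out of every one of the three contexts.
function analyzeReflection(body) {
  const findings = [];
  for (let i = body.indexOf(MARKER_CORE); i !== -1; i = body.indexOf(MARKER_CORE, i + MARKER_CORE.length)) {
    findings.push({ index: i, kind: reflectionKindAt(body, i), context: contextAt(body, i) });
  }
  return { findings, risky: findings.some((f) => f.kind === "raw") };
}

// Constructed responses, one per situation the guide asks you to recognise.
const SAMPLE_RESPONSES = {
  rawText:   `<h2>Search: "${MARKER}"</h2>`,                          // the reflected-search case from the slides
  encoded:   `<h2>Search: "${MARKER_CORE}&lt;&quot;&gt;&#x27;"</h2>`, // HTML-encoded on output
  rawAttr:   `<input type="text" name="q" value="${MARKER}">`,         // landed inside an attribute
  rawScript: `<script>var q = '${MARKER}';</script>`,                  // landed inside a script block
  filtered:  `<h2>Search: "${MARKER_CORE}"</h2>`,                      // specials removed by a filter
  absent:    `<h2>Search results</h2>`,                                // not reflected at all
};

for (const [name, body] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name.padEnd(10), JSON.stringify(analyzeReflection(body)));
}
```

A raw finding in any context means the input reaches the page unencoded and that vector needs the fix from the developer guide; an encoded finding in a script context tells you the wrong encoder was used (HTML entities are not decoded inside script blocks), and a filtered finding is worth a second look with the filter-evasion cheat sheet the slide links, since stripping is weaker than encoding.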
  • 16. Script. Where it can be executed..!! (the bracketed tag before a vector names the browser it applies to)
    • <a href="javas&#99;ript&#35;[code]">
    • <div onmouseover="[code]">
    • <img src="javascript:[code]">
    • [IE] <img dynsrc="javascript:[code]">
    • [IE] <input type="image" dynsrc="javascript:[code]">
    • [IE] <bgsound src="javascript:[code]">
    • &<script>[code]</script>
    • [N4] &{[code]};
    • [N4] <img src=&{[code]};>
    • <link rel="stylesheet" href="javascript:[code]">
    • [IE] <iframe src="vbscript:[code]">
    • [N4] <img src="mocha:[code]">
    • [N4] <img src="livescript:[code]">
    • <a href="about:<s&#99;ript>[code]</script>">
    • <meta http-equiv="refresh" content="0;url=javascript:[code]">
    • <body onload="[code]">
    • <div style="background-image: url(javascript:[code]);">
    • [IE] <div style="behaviour: url([link to code]);">
    • [Mozilla] <div style="binding: url([link to code]);">
    • [IE] <div style="width: expression([code]);">
    • [N4] <style type="text/javascript">[code]</style>
    • [IE] <object classid="clsid:..." codebase="javascript:[code]">
    • <style><!--</style><script>[code]//--></script>
    • <![CDATA[<!--]]><script>[code]//--></script>
    • <!-- -- --><script>[code]</script><!-- -- -->
    • <<script>[code]</script>
    • <img src="blah"onmouseover="[code]">
    • <img src="blah>" onmouseover="[code]">
    • <xml src="javascript:[code]">
    • <xml id="X"><a><b>&lt;script>[code]&lt;/script>; </b></a> </xml> <div datafld="b" dataformatas="html" datasrc="#X"></div>
    • [UTF-8; IE, Opera] [xC0][xBC]script>[code][xC0][xBC]/script>
  • 17. Developer Guide
    • Validate output.
    • Encode HTML output if the data came from user input, a database, or a file:
      Response.Write(HttpUtility.HtmlEncode(Request.Form["name"]));
      Not 100% effective, but prevents most vulnerabilities.
    • Encode URL output if returning URL strings:
      Response.Write(HttpUtility.UrlEncode(urlString));
    • How To: Prevent Cross-Site Scripting in ASP.NET: http://msdn.microsoft.com/en-us/library/ms998274.aspx
    • XSS Prevention Cheat Sheet: http://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
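The developer guide above and the reflected search page from the Reflected XSS slide, as an added example that is not part of the presentation and not the ASP.NET API it cites: the same page is rendered once with the query concatenated raw and once with the encoder chosen per context (element text, quoted attribute, URL parameter), and a rough check shows which version still carries live markup. The template, encoder names and both probe strings are constructed here (the second probe reuses the `src="blah"onmouseover=` shape from the vector list); the only thing taken from the slides is the page layout and the `<script>alert('XSS')</script>` probe. Runs under Node.js.

```javascript
// Added example, not from the presentation: contextual output encoding for
// the reflected search page, unsafe and hardened side by side. Node.js.

// Encoder for HTML element content (text between tags). These five
// characters are the ones the OWASP prevention cheat sheet says to encode.
function htmlEncode(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Encoder for a value inside a double-quoted HTML attribute. Same entity set;
// what makes it safe is that the template always quotes the attribute, so
// src="blah"onmouseover=... has no unquoted boundary to exploit.
function htmlAttrEncode(s) {
  return htmlEncode(s);
}

// Encoder for a value placed in a URL query string (the UrlEncode case on the
// developer slide). Not a substitute for attribute encoding when the URL is
// written into an href: apply URL encoding first, then attribute encoding.
function urlEncode(s) {
  return encodeURIComponent(String(s));
}

// Vulnerable rendering: the query is concatenated into three contexts with
// no encoding, which is what the slide's returned HTML shows.
function renderSearchUnsafe(q) {
  return (
    `<div id="pageTitleTxt"><h2><span class="highlight">Search Results</span><br />` +
    `Search: "${q}"</h2>` +
    `<a href="/search/?q=${q}&x=0&y=0" title="${q}">next page</a></div>`
  );
}

// Hardened rendering: each insertion point gets the encoder for its context.
function renderSearchSafe(q) {
  const href = "/search/?q=" + urlEncode(q) + "&x=0&y=0";
  return (
    `<div id="pageTitleTxt"><h2><span class="highlight">Search Results</span><br />` +
    `Search: "${htmlEncode(q)}"</h2>` +
    `<a href="${htmlAttrEncode(href)}" title="${htmlAttrEncode(q)}">next page</a></div>`
  );
}

// Rough indicator for the demonstration only: does the output contain a live
// <script> tag or an event-handler attribute that follows a closing quote?
function hasActiveMarkup(html) {
  return /<script[\s>]/i.test(html) || /"\s*on[a-z]+\s*=/i.test(html);
}

const probe = "<script>alert('XSS')</script>";  // probe string from the slide
const attrProbe = 'blah"onmouseover="alert(1)'; // attribute-breakout shape from the vector list

console.log("unsafe:", renderSearchUnsafe(probe));
console.log("safe:  ", renderSearchSafe(probe));
console.log("unsafe still active?", hasActiveMarkup(renderSearchUnsafe(attrProbe)));
console.log("safe still active?  ", hasActiveMarkup(renderSearchSafe(attrProbe)));
```

The point the slide makes with "not 100% effective" shows up here: HTML encoding alone is only the right tool for element text. The href needs URL encoding inside attribute encoding, and an unquoted attribute or a script block would need different treatment again, which is why the prevention cheat sheet is organised by output context.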
  • 18. How to safely render untrusted data
  • 19. Conclusion. XSS vulnerabilities are bad. Don’t settle for a black box scanner: hackers don’t. Avoid introducing XSS vulnerabilities in your code. Beware when clicking on a phishing link.