Your SlideShare is downloading. ×
XSS Injection Vulnerabilities
Upcoming SlideShare
Loading in...5

Thanks for flagging this SlideShare!

Oops! An error has occurred.

Saving this for later? Get the SlideShare app to save on your phone or tablet. Read anywhere, anytime – even offline.
Text the download link to your phone
Standard text messaging rates apply

XSS Injection Vulnerabilities


Published on

This presentation explores on how to test Cross site scripting Injection Vulnerabilities, prevention, Best practice, small lab(introduction to web …

This presentation explores on how to test Cross site scripting Injection Vulnerabilities, prevention, Best practice, small lab(introduction to web
goat) etc.

Published in: Technology

  • Be the first to comment

No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

Report content
Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

No notes for slide


  • 1. XSS Cross site scripting
  • 2. Pankaj Dey, Mindfire
  • 3. Who knows XSS?
  • 4. What is cross site scripting XSS is a vulnerability that allows an attacker to run arbitrary JavaScript in the context of the vulnerable website
  • 5. Traditional XSS
  • 6. Is XSS Dangerous? Big Yes.(OWASP Top 2)Just think, any JavaScript you want will be run in the victim’s browser in the context of the vulnerable web page what can you do with JavaScript?
  • 7. what can you do with JavaScript? Pop-up alerts and prompts 1. Access/Modify DOM 2. Access cookies/session tokens 3. “Circumvent” same-origin policy Virtually deface web page Detect installed programs Detect browser history Capture keystrokes (and other trojan functionality) Port scan the local network Induce user actions…………………So on..
  • 8. Types of XSS • • • Reflected XSS Stored XSS (a.k.a. “Persistent XSS”) DOM Based XSS
  • 9. Reflected XSS Exploit URL:<script>alert('XSS') </script>&x=0&y=0 HTML returned to victim: <div id="pageTitleTxt"> <h2><span class="highlight">Search Results</span><br /> Search: "<script>alert('XSS')</script>"</h2>
  • 10. Stored XSS JavaScript supplied by the attacker is stored by the website (e.g. in a database) Doesn’t require the victim to supply the JavaScript somehow, just visit the exploited web page More dangerous than Reflected XSS Has resulted in many XSS worms on high profile sites like MySpace and Twitter
  • 11. DOM Based XSS DOM Based XSS (or as it is called in some texts, “type-0 XSS”) is an XSS attack wherein the attack payload is executed as a result of modifying the DOM “environment” in the victim’s browser used by the original client side script, so that the client side code runs in an “unexpected” manner
  • 12. Webgoat
  • 13. Tools we need.. XSS-Proxy - ratproxy - Burp Proxy - OWASP Zed Attack Proxy (ZAP) - OWASP_Zed_Attack_Proxy_Project HackVertor - PHP Charset Encoder(PCE) - [mirror: ] DOM Based XSS tools
  • 14. Limitations Often fail to test a substantial fraction of a web application’s logic .. Especially when this logic is invoked from pages that can only be reached after filling out complex forms that check the correctness of the provided values.
  • 15. Testing guide Black Box testing 1. Detect input vectors. 2. Analyze each input vector to detect potential vulnerabilities. XSS Filter Evasion Cheat Sheet: 3. For each test input attempted in the previous phase, the tester will analyze the result and determine if it represents a vulnerability that has a realistic impact on the web application's security. Gray Box testing Gray Box testing is similar to Black box testing with partial knowledge of the application.
  • 16. Script. Where it can be executed..!! <a href="javas&#99;ript&#35;[code]"> <div onmouseover="[code]"> <img src="javascript:[code]"> [IE] <img dynsrc="javascript:[code]"> [IE] <input type="image" dynsrc="javascript:[code]"> [IE] <bgsound src="javascript:[code]"> &<script>[code]</script> [N4] &{[code]}; [N4] <img src=&{[code]};> <link rel="stylesheet" href="javascript:[code]"> [IE] <iframe src="vbscript:[code]"> [N4] <img src="mocha:[code]"> [N4]<img src="livescript:[code]"> <a href="about:<s&#99;ript>[code]</script>"> <meta http-equiv="refresh" content="0;url=javascript:[code]"> <body onload="[code]"> <div style="background-image: url(javascript:[code]);"> [IE] <div style="behaviour: url([link to code]);"> [Mozilla] <div style="binding: url([link to code]);"> [IE] <div style="width: expression([code]);"> [N4] <style type="text/javascript">[code]</style> [IE] <object classid="clsid:..." codebase="javascript:[code]"> <style><!--</style><script>[code]//--></script> <![CDATA[<!--]]><script>[code]//--></script> <!-- -- --><script>[code]</script><!-- -- --> <<script>[code]</script> <img src="blah"onmouseover="[code]"> <img src="blah>" onmouseover="[code]"> <xml src="javascript:[code]"> <xml d="X"><a><b>&lt;script>[code]&lt;/script>; </b></a> </xml> <div datafld="b" dataformatas="html" datasrc="#X"></div> [UTF-8; IE, Opera] [xC0][xBC]script>[code][xC0][xBC]/script>
  • 17. Developer Guide Validate Output Encode HTML Output If data came from user input, a database, or a file Response.Write(HttpUtility.HtmlEncode(Request.Form["name"])); Not 100% effective but prevents most vulnerabilities Encode URL Output If returning URL strings Response.Write(HttpUtility.UrlEncode(urlString)); How To: Prevent Cross-Site Scripting in ASP.NET XSS Prevention Cheat Sheet: Cheat_Sheet
  • 18. How to safely render untrusted data
  • 19. Conclusion XSS vulnerabilities are bad. Don’t satisfy with black box scanner.. Hacker don’t. Avoid introducing XSS vulnerabilities in your code. Beware while clicking on a phishing link..